Add sops-nix

2025-12-06 08:07:45 +00:00 · 2025-01-17 20:46:50 +00:00 · 2025-01-17 20:46:50 +00:00 · 967becfdc9
commit 967becfdc9
parent 49e796631b
10 changed files with 100 additions and 94 deletions
--- a/modules/nixos/core/user.nix
+++ b/modules/nixos/core/user.nix
@ -9,9 +9,8 @@
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      initialPassword = "changeme";
-      shell = if config.programs.zsh.enable
-        then pkgs.zsh
-        else pkgs.bash;
+      hashedPasswordFile = config.sops.secrets.muon-password.path;
+      shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
    };
  };
 }
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -5,6 +5,7 @@
    ./desktop
    ./theme
    ./server
+    ./sops

    # </3
    ./unfree
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@ -0,0 +1,20 @@
+{ pkgs, lib, config, inputs, system, ... }:
+let cfg = config.mods;
+
+in {
+  # options.mods.home.file = lib.mkOption {
+  #   description = "home-manager configuration file";
+  # };
+
+  # config = {
+
+  # };
+  #
+
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+  sops = {
+    age.keyFile = "/home/muon/.config/sops/age/keys.txt";
+    defaultSopsFile = ./secrets.yaml;
+    secrets.muon-password = { };
+  };
+}
--- a/modules/nixos/sops/secrets.yaml
+++ b/modules/nixos/sops/secrets.yaml
@ -0,0 +1,21 @@
+muon-password: ENC[AES256_GCM,data:K2ifHvs8hQXK4//FXf3vfDliiklx0dTn8gpirTBT07Q1XIMJR1Vgn/f1uo62bu4a/bknAR5gEBfd/cSRUTdBBxd7Lec2k3fxQg==,iv:j1JTzyfjcKEqh+PK5tyCWBMV7MpwvIG9MJ9eiajksxM=,tag:ZcSEVBW1UOCvE40yIsaBFQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4czNjbDZ4aDFsVjVZdmRU
+            bVpVWDh5MnN6U2dWSjJlbWN4QmdJN21lNWxFCmI4aTBFL2lkNlZCbldza0h6U0Z1
+            K1JsbW9raEZscFVvbXNzeTlQMXJwaDAKLS0tIG0yaHF5MTdyZVg3R3ZNWk1tRDFa
+            YXdkR3V3Y25XSks2Y2lsZXJXR2lKUFUKHB6YzHlCj6x5Ron+NwLUi0iFYlVGPaYM
+            bRoIx0S9huJwHI3sNNaiuCVg+H0Mctfw4VFfeefoVYDr3o72wBRIkw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-17T20:33:28Z"
+    mac: ENC[AES256_GCM,data:f0BoA4bG64g1WPcLl9Qd2G3VbA5L5+VTK2/+nxcklQZrDzsr2gOQXK8WpiccuZ0CyU1UaLhSTAEfMb9N2sA3MISGikPyWYFQVA/TM+wfaDCnrnEgbuvtBuEMpNp54bwgF4ME2h9k3e3HcJlNze65z52je3tBCxe6siYEKVgB3yg=,iv:VC8BaJLS46yXCZL1gmSrElmqLM/L+sCqTuUkhhvYUBc=,tag:aK164Iq91mUOx8yVyUZN2Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2