Add sops-nix

2025-12-05 23:57:46 +00:00 · 2025-01-17 20:46:50 +00:00 · 2025-01-17 20:46:50 +00:00 · 967becfdc9
commit 967becfdc9
parent 49e796631b
10 changed files with 100 additions and 94 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
 use nix
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,6 @@
 # nixos-rebuild buildvm --flake .#
 result
 *.qcow2
 # direnv
 .direnv
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,8 @@
 keys:
  - &muon age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
 creation_rules:
  - path_regex: modules/nixos/sops/secrets.ya?ml$
    key_groups:
    - age:
      - *muon
--- a/flake.lock
+++ b/flake.lock
@ -133,24 +133,6 @@
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1726560853,
        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@ -165,9 +147,9 @@
        "type": "github"
      }
    },
-    "flake-utils_3": {
+    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1681202837,
@ -183,7 +165,7 @@
        "type": "github"
      }
    },
-    "flake-utils_4": {
+    "flake-utils_3": {
      "inputs": {
        "systems": [
          "stylix",
@ -204,21 +186,6 @@
        "type": "github"
      }
    },
    "flakey-profile": {
      "locked": {
        "lastModified": 1712898590,
        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
        "owner": "lf-",
        "repo": "flakey-profile",
        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
        "type": "github"
      },
      "original": {
        "owner": "lf-",
        "repo": "flakey-profile",
        "type": "github"
      }
    },
    "fromYaml": {
      "flake": false,
      "locked": {
@ -346,45 +313,10 @@
        "type": "github"
      }
    },
    "lix": {
      "flake": false,
      "locked": {
        "lastModified": 1729298361,
        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
      }
    },
    "lix-module": {
      "inputs": {
        "flake-utils": "flake-utils",
        "flakey-profile": "flakey-profile",
        "lix": "lix",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1732605668,
        "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
        "rev": "f19bd752910bbe3a861c9cad269bd078689d50fe",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/f19bd752910bbe3a861c9cad269bd078689d50fe.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"
      }
    },
    "nix-alien": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
        "nix-filter": "nix-filter",
        "nix-index-database": "nix-index-database",
        "nixpkgs": "nixpkgs"
@ -442,7 +374,7 @@
    "nix-minecraft": {
      "inputs": {
        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
@ -526,13 +458,33 @@
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "lix-module": "lix-module",
        "nix-alien": "nix-alien",
        "nix-minecraft": "nix-minecraft",
        "nixpkgs": "nixpkgs_3",
        "sops-nix": "sops-nix",
        "stylix": "stylix"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1736808430,
        "narHash": "sha256-wlgdf/n7bJMLBheqt1jmPoxJFrUP6FByKQFXuM9YvIk=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "553c7cb22fed19fd60eb310423fdc93045c51ba8",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "stylix": {
      "inputs": {
        "base16": "base16",
@ -541,12 +493,12 @@
        "base16-vim": "base16-vim",
        "firefox-gnome-theme": "firefox-gnome-theme",
        "flake-compat": "flake-compat_3",
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_3",
        "git-hooks": "git-hooks",
        "gnome-shell": "gnome-shell",
        "home-manager": "home-manager_2",
        "nixpkgs": "nixpkgs_4",
-        "systems": "systems_4",
+        "systems": "systems_3",
        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
        "tinted-tmux": "tinted-tmux",
@ -611,21 +563,6 @@
        "type": "github"
      }
    },
    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "tinted-foot": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -5,6 +5,9 @@
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    stylix.url = "github:danth/stylix";
    nix-minecraft.url = "git+https://codeberg.org/nix-astral/nix-minecraft.git";
    nix-alien.url = "github:thiagokokada/nix-alien";
--- a/modules/nixos/core/user.nix
+++ b/modules/nixos/core/user.nix
@ -9,9 +9,8 @@
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      initialPassword = "changeme";
-      shell = if config.programs.zsh.enable
+      hashedPasswordFile = config.sops.secrets.muon-password.path;
-        then pkgs.zsh
+      shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
        else pkgs.bash;
    };
  };
 }
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -5,6 +5,7 @@
    ./desktop
    ./theme
    ./server
    ./sops
    # </3
    ./unfree
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@ -0,0 +1,20 @@
 { pkgs, lib, config, inputs, system, ... }:
 let cfg = config.mods;
 in {
  # options.mods.home.file = lib.mkOption {
  #   description = "home-manager configuration file";
  # };
  # config = {
  # };
  #
  imports = [ inputs.sops-nix.nixosModules.sops ];
  sops = {
    age.keyFile = "/home/muon/.config/sops/age/keys.txt";
    defaultSopsFile = ./secrets.yaml;
    secrets.muon-password = { };
  };
 }
--- a/modules/nixos/sops/secrets.yaml
+++ b/modules/nixos/sops/secrets.yaml
@ -0,0 +1,21 @@
 muon-password: ENC[AES256_GCM,data:K2ifHvs8hQXK4//FXf3vfDliiklx0dTn8gpirTBT07Q1XIMJR1Vgn/f1uo62bu4a/bknAR5gEBfd/cSRUTdBBxd7Lec2k3fxQg==,iv:j1JTzyfjcKEqh+PK5tyCWBMV7MpwvIG9MJ9eiajksxM=,tag:ZcSEVBW1UOCvE40yIsaBFQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4czNjbDZ4aDFsVjVZdmRU
            bVpVWDh5MnN6U2dWSjJlbWN4QmdJN21lNWxFCmI4aTBFL2lkNlZCbldza0h6U0Z1
            K1JsbW9raEZscFVvbXNzeTlQMXJwaDAKLS0tIG0yaHF5MTdyZVg3R3ZNWk1tRDFa
            YXdkR3V3Y25XSks2Y2lsZXJXR2lKUFUKHB6YzHlCj6x5Ron+NwLUi0iFYlVGPaYM
            bRoIx0S9huJwHI3sNNaiuCVg+H0Mctfw4VFfeefoVYDr3o72wBRIkw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-01-17T20:33:28Z"
    mac: ENC[AES256_GCM,data:f0BoA4bG64g1WPcLl9Qd2G3VbA5L5+VTK2/+nxcklQZrDzsr2gOQXK8WpiccuZ0CyU1UaLhSTAEfMb9N2sA3MISGikPyWYFQVA/TM+wfaDCnrnEgbuvtBuEMpNp54bwgF4ME2h9k3e3HcJlNze65z52je3tBCxe6siYEKVgB3yg=,iv:VC8BaJLS46yXCZL1gmSrElmqLM/L+sCqTuUkhhvYUBc=,tag:aK164Iq91mUOx8yVyUZN2Q==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.2
--- a/shell.nix
+++ b/shell.nix
@ -0,0 +1,13 @@
 { pkgs ? import <nixpkgs> { }, ... }: {
  default = pkgs.mkShell {
    NIX_CONFIG =
      "extra-experimental-features = nix-command flakes ca-derivations";
    nativeBuildInputs = with pkgs; [
      nix
      git
      sops
      age
    ];
  };
 }