From 73be71fba8d2e985dc9da6379a9823db0aa26e5b Mon Sep 17 00:00:00 2001 From: Adrian G L Date: Wed, 20 Aug 2025 13:15:30 +0200 Subject: [PATCH] fix: sops + modularize a bit more --- home/bash.nix | 1 + home/gunalx.nix | 1 - hosts/legolas/configuration.nix | 45 +++------------- modules/gunalx.nix | 11 ++++ modules/nix.nix | 94 +++++++++++++++++++++++++++++++++ modules/sound.nix | 26 +++++++++ secrets/nixos.pub | 1 + secrets/secrets.yaml | 39 ++++++++++++++ secrets/sops.nix | 28 ++++++++++ 9 files changed, 207 insertions(+), 39 deletions(-) create mode 100644 modules/gunalx.nix create mode 100644 modules/nix.nix create mode 100644 modules/sound.nix create mode 100644 secrets/nixos.pub create mode 100644 secrets/secrets.yaml create mode 100644 secrets/sops.nix diff --git a/home/bash.nix b/home/bash.nix index 71e8399..7009766 100644 --- a/home/bash.nix +++ b/home/bash.nix @@ -20,6 +20,7 @@ "la" = "eza -la"; "tree" = "eza -T"; "neofetch" = "fastfetch"; + "htop" = "btm"; }; historyControl = ["ignoredups" "ignorespace" "erasedups"]; historyIgnore = [ "ls" "cd" "exit" "cd .." ".." "la"]; diff --git a/home/gunalx.nix b/home/gunalx.nix index 267da9b..cddd72a 100644 --- a/home/gunalx.nix +++ b/home/gunalx.nix @@ -14,7 +14,6 @@ home.packages = with pkgs; [ bottom - htop fastfetch eza ripgrep diff --git a/hosts/legolas/configuration.nix b/hosts/legolas/configuration.nix index de4baea..9baaceb 100644 --- a/hosts/legolas/configuration.nix +++ b/hosts/legolas/configuration.nix 
@@ -10,20 +10,15 @@ ./hardware-configuration.nix ../../modules/boot.nix ../../modules/displaymanager.nix + ../../modules/nix.nix + ../../secrets/sops.nix + ../../modules/sound.nix + ../../modules/gunalx.nix ]; - networking.hostName = "legolas"; # Define your hostname. - - # Configure network connections interactively with nmcli or nmtui. + networking.hostName = "legolas"; networking.networkmanager.enable = true; - - # Set your time zone. time.timeZone = "Europe/Amsterdam"; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. # i18n.defaultLocale = "en_US.UTF-8"; @@ -31,9 +26,6 @@ services.xserver.enable = true; services.xserver.videoDrivers = ["modesetting"]; - programs.niri.enable = true; - - # Configure keymap in X11 # services.xserver.xkb.layout = "us"; # services.xserver.xkb.options = "eurosign:e,caps:escape"; @@ -41,33 +33,14 @@ # Enable CUPS to print documents. # services.printing.enable = true; - # Enable sound. - # services.pulseaudio.enable = true; - # OR - services.pipewire = { - enable = true; - pulse.enable = true; - }; - - # Enable touchpad support (enabled default in most desktopManager). services.libinput.enable = true; - # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.gunalx = { - isNormalUser = true; - extraGroups = [ "wheel" "tss" "networking" ]; # Enable ‘sudo’ for the user. - packages = with pkgs; [ - tree - ]; - }; - programs.firefox.enable = true; # List packages installed in system profile. # You can use https://search.nixos.org/ to find more packages (and options). environment.systemPackages = with pkgs; [ - vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - wget + vim alacritty foot firefox 
@@ -82,7 +55,6 @@ # enableSSHSupport = true; # }; - # List services that you want to enable: # Enable the OpenSSH daemon. # services.openssh.enable = true; @@ -93,10 +65,7 @@ # Or disable the firewall altogether. # networking.firewall.enable = false; - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; + # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. diff --git a/modules/gunalx.nix b/modules/gunalx.nix new file mode 100644 index 0000000..f1a3a2d --- /dev/null +++ b/modules/gunalx.nix @@ -0,0 +1,11 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ ]; + users.users.gunalx = { + isNormalUser = true; + extraGroups = [ "wheel" "tss" "networking" ]; # Enable ‘sudo’ for the user. + packages = with pkgs; [ + ]; + }; +} diff --git a/modules/nix.nix b/modules/nix.nix new file mode 100644 index 0000000..b125256 --- /dev/null +++ b/modules/nix.nix 
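Review bot: In the new `modules/gunalx.nix`, `extraGroups = [ "wheel" "tss" "networking" ];` carries over a group name that NixOS does not appear to define. The host enables NetworkManager, which grants non-root control through the `networkmanager` group, so `"networking"` probably grants nothing. If gunalx is meant to manage connections without sudo, use `extraGroups = [ "wheel" "tss" "networkmanager" ];`, otherwise drop the entry. The trailing comment on that line only explains `wheel`. `tss` typically gives access to the TPM device nodes and deserves its own one-line comment saying why this account needs it.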
@@ -0,0 +1,94 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [ ];
+
+ system.rebuild.enableNg = true;
+
+ nixpkgs.config.allowUnfree = true;
+ nixpkgs.config.permittedInsecurePackages = [
+ # example "python3.11-youtube-dl-2021.12.17"
+ ];
+ sops.secrets."github/api" = {
+ mode = "0444";
+ group = "root";
+ };
+
+ nix = {
+ extraOptions = lib.mkDefault ''
+ builders-use-substitutes = true
+ !include ${config.sops.secrets."github/api".path}
+ '';
+ settings = {
+ trusted-users = [ "gunalx" "root" ];
+ experimental-features = [ "nix-command" "flakes" ];
+ substituters = [
+ "https://cache.nixos.org/"
+ "https://cuda-maintainers.cachix.org"
+ "https://nix-community.cachix.org"
+ "https://nixos-rocm.cachix.org"
+ "https://nixpkgs-unfree.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "nixos-rocm.cachix.org-1:VEpsf7pRIijjd8csKjFNBGzkBqOmw8H9PRmgAq14LnE="
+ "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
+ ];
+ };
+
+
+ buildMachines = [
+ { hostName = "localhost";
+ system = "x86_64-linux";
+ maxJobs = 4;
+ speedFactor = 8000;
+ supportedFeatures = [ ];
+ mandatoryFeatures = [ ];
+ }
+ { hostName = "aragon";
+ system = "x86_64-linux";
+ # if the builder supports building for multiple architectures,
+ # replace the previous line by, e.g.,
+ # systems = ["x86_64-linux" "aarch64-linux"];
+ maxJobs = 6;
+ speedFactor = 6001;
+ supportedFeatures = [ ];
+ mandatoryFeatures = [ ];
+ }
+ { hostName = "galadriel";
+ system = "x86_64-linux";
+ maxJobs = 4;
+ speedFactor = 4001;
+ supportedFeatures = [ "cuda" ];
+ mandatoryFeatures = [ ];
+ }
+ { hostName = "bolle.pbsds.net";
+ system = "x86_64-linux";
+ maxJobs = 6;
+ speedFactor = 6000;
+ }
+ { hostName = "garp.pbsds.net";
+ system = "x86_64-linux";
+ maxJobs = 4;
+ # i7-6700
+ speedFactor = 4000;
+ }
+
+ ];
+ distributedBuilds = true;
+ };
+
+
+ system.autoUpgrade = {
+ enable = true;
+ flake = "https://git.pvv.ntnu.no/adriangl/nix-dotfiles-v2.git";
+ flags = [
+ #"--no-write-lock-file"
+ "--print-build-logs" # -L
+ ];
+ };
+
+
+}
diff --git a/modules/sound.nix b/modules/sound.nix
new file mode 100644
index 0000000..7b85f29
--- /dev/null
+++ b/modules/sound.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [ ];
+
+
+ services.pulseaudio.enable = lib.mkdefault false;
+ security.rtkit.enable = lib.mkdefault true;
+ services.pipewire = lib.mkdefault {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ wireplumber.enable = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ pavucontrol
+ wireplumber
+ easyeffects
+ ];
+
+ programs.dconf.enable = lib.mkDefault true; #needed for easyeffects for some reason
+
+}
diff --git a/secrets/nixos.pub b/secrets/nixos.pub
new file mode 100644
index 0000000..76f0696
--- /dev/null
+++ b/secrets/nixos.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..72f545b
--- /dev/null
+++ b/secrets/secrets.yaml
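Review bot: In `modules/nix.nix`, `sops.secrets."github/api"` is declared with `mode = "0444";`, so the decrypted token file that `!include` pulls into nix.conf is readable by every local account and service on the host. Prefer `mode = "0440";` with `group` set to a group that contains only the accounts that run nix as a client, and keep the token itself scoped to read-only access. In the same hunk, `trusted-users = [ "gunalx" "root" ];` makes the gunalx account effectively root-equivalent towards the Nix daemon, which is worth a comment, or removal if the extra caches were the only goal. `system.autoUpgrade` follows a remote flake URL unattended, so push access to that repository amounts to root on this machine; a comment recording that trust decision would help. The module also evaluates only where the sops-nix options exist, and nothing visible in this patch imports them, so presumably the flake does.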
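Review bot: `modules/sound.nix` calls `lib.mkdefault` three times (on `services.pulseaudio.enable`, `security.rtkit.enable` and `services.pipewire`), but the nixpkgs function is `lib.mkDefault`, as the `programs.dconf.enable` line in the same file already spells it. Nix attribute names are case-sensitive, so evaluation should fail with a missing-attribute error once this module is imported by `hosts/legolas/configuration.nix`. Change the three lines to `services.pulseaudio.enable = lib.mkDefault false;`, `security.rtkit.enable = lib.mkDefault true;` and `services.pipewire = lib.mkDefault {`. The comment `#needed for easyeffects for some reason` would be more useful if it said what breaks without dconf.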
@@ -0,0 +1,39 @@ +#ENC[AES256_GCM,data:dz8znC0Os5eA4nUkoqaMVw==,iv:cx8HN12ClwwUZxn2/6mc1Q5Eh2XBIRsrhG/ETRf0cnw=,tag:AuGmWa+LM9dcfVlAs1CuOw==,type:comment] +#ENC[AES256_GCM,data:7kh9f2LAKp46UTh8LmDqvK8xOhHO9mVUD2yzLg4LRR2WU98EpztHmDcHKOF0AG60NsndYaw1en5efU0x/NVAzfdTVPJA2apDs3vtAlzGjvv593Snwb2wa4iK0tM0beMyGvzkSEPs8HOuSLvNpLHWaB1xlC0=,iv:eBoUwZfMPhBnT2+jWqT/EGh/CVNK5qiYeaspFf1VJxY=,tag:nEcuwi2nnACadGR8zw63HA==,type:comment] +acme: + certs: ENC[AES256_GCM,data:L9v0y/T4Vq+fZt5U8YAcyxtvMzv8w+gCwk2z5N027cYiuauuNFYDQ4WV5bTfDL1cSjp30oYvGTlgn3+8s9MA8xqaPJytCNNClRK4isvZKP1YdiVwKdxTg814LDzgPoZsyErSHb+MvgMEUpONifRxFJ7n1HHqcyfeXpV1Bx0=,iv:dnct9KU24ZVaQThA6rTTClRjT+vTi4aD+7UV+oiqoVU=,tag:vTMcHHexHVST3r4wiiTuXA==,type:str] +github: + api: ENC[AES256_GCM,data:QYXx+9QxXJ4WwDp6FsaSmrngs/+hBugGD8L6ZdiAgu/1/RW/ip1IEC52g49N70PGh545fAone3IiZJKGxqHeitSxTFv111cmTL4dq5s1yXEwUrsrll8n6rEVMJeHnPeAhz8MNYNxJuIfwugp7XlT61v2f/ylNVa77ZubSdNa5w==,iv:Cdnlb8LFQgsWnjEl+eQUHYIiVpXFabb70FFtnWDfIl8=,tag:vzzfJlQFQBncjLJvmFxuzw==,type:str] +nginx: + defaultpass: ENC[AES256_GCM,data:kbWRuL4GiHjOoy4bvDZN9etrnP9mm3Sc5+ltxXzFzU5G1cbHAa6Si9zzhoA67/MXXvOQ1mp31rQpV1K/WsrxGaajFdHgVYGUJB/RaZfZfg1THF5qvqR7vdOiVRWSIalzGMOSUyJTNg2dgQMbymVbmc/k/vZjkjjsI3oze7oN/NZnQ7nolGybQ6W8DCTRzHi5x20/zTJdXNmJf450az9sWOw7i1A6Avg2pPZ9t2N0WyuIcy1MsQICs7PE4ztrxIF82IsFLQNj6LmXXRQaZ9dCF/3h3yyNShfjgI2owYMmrRJssZCdF5dOPq+HVCEfE3jYBFcAWrvCCnYBczCx+WGl+5sQbfJtZdcDGw1bRw41I71h/W4micjo6W5XbeHVx+Rd,iv:h6gn2VKancyy6dZlON99zjRj4smArwt6I4a3PRjGfZ8=,tag:F++P/Qhh+uUUhBJYp3rGvA==,type:str] +qbittorrent: + interfaceAddress: ENC[AES256_GCM,data:GsDv+UB07bQGh/DISw==,iv:Hn1zGJweLj5jy8sk4aN9rob/6kfzo7iLXPgaLBIMSVs=,tag:fbKSrAIOqTsnCCI1DBUZkA==,type:str] +miniflux: + adminCredentialsFile: ENC[AES256_GCM,data:FPcdTiJqbI6MloU9JqAYPABoD/odegXks+JyEeCri8hOV0dPMd0TNDV8fN1bbIiJ4llzaclZbjl0HKM=,iv:5fd3O008aP34+7lGlG8vBPAIdmEjFPoneH+rJ6d9TI0=,tag:HKOHjGLiAIDBR54HJv9teA==,type:str] +openvpn: + galadriel: + config: 
ENC[AES256_GCM,data:f9uDYNLHP63oee5lGMPsmZ76f80n51eYxd3hvF5ZhPGtCspBEOMLHRonTSEril1wKCT3i1DWR967lWTdjJs6KOpoX5JqKz2Qj9tkpXS5jnHZAf0JQg1l7jmf9/a2OKJparVCFJyNPTN5mzl3gGOyDGe0TIT+ZtP8/PCWsQNjB89Crd/kHSSAmIUb2fcNXEkxs6XwgsBAlhbR69e+06NYaRyX5ydVV/kDekx+ixpx2bIqMQqIdEk358RLCauP3wAh1FoqTTJ2eqLcDhuPySFol9cLCInWnColNdyb/0+czrEa4DiLrbFVXx7bUVwjd9rb+eoajC1e09d41aJkVHG1LxlSRjq1sBlI3v3E1vaUBJWegZBROEpqEOCKfHSagkmaanaBv/KMq1MFmXJ1MzyskDJb9MdNFKRQBjQLwBXnURts/Yj9ChrT51z+/bwItxt8XmlwIEgL65F/8h1+bUJGOi27ZAvfkixflff0ELYSPvQI+N1vFlF9QP6AmIFxF2SdmOSlYzTYIz0+LMejLltCEUdU2qdlZ0a9DuYlsxvnZ75JgWXviw==,iv:C2Zb1DLTMlsEqQ5/UUrpT9k5Z51YYGu3SUcu1F20ydc=,tag:wGkQ7LWgCfy0K3zM38JxHQ==,type:str] + ca: ENC[AES256_GCM,data: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,iv:1PfKLDXQTyg5CanOFnYQ5TIlHMTjEFfUYL8+Zw0xdrw=,tag:gXjfagkBh8FX5wZd4LlLLg==,type:str] + cert: ENC[AES256_GCM,data:w90+WMeDkL3q5ex9n34fM+Efute3iizc0a6HOw2Pma9BpgaLL1NJ7bczjrNaI/9D12d3SAP1/BeONTEyXUDGAvfmJTx5/ZMX4+TWF8yrPPkdm5yQ58Aqkz3Cu5ntgm4xRxPnD5O2Qo1EQuBQlUpnwWqITmeUTmAGT3JYgAobN5Bkjn3h/d0XPnu+5f4jBVSTDFOW4WeJP1WdcYGtpnEj70wTotngoTMwLOKYDGppgoHG5sAxigGeXx5cPvwqecbqOZ5p6FJwCK6iiPGmopWsFgSrA+1ES5P4x0S9q/O3R5+XfqRh21Hjvc7G95J4HWA6LxdDutVl5yS/BQWgBAM4fso/tbIbwFEiNRD3zswa/1nHGTyHisCPJUgaZTS/s3KOL74VoaKl+Upsb0C48yMKJIrL8F3LDF5OjihUWcWX/e0gOJZ+rpPaNv2Qc12TNM6cy0TorxA78fyM9zStgvumi3HjHZ7ZVeMimfraNVT4qTcWXcXrDbfGORxAZlrpKwT8HWdGkGyB3GK9l3KW0nkt0VZJT+SPAII3dimRASc7X1ECTOTgHImE/a4GnlMzg3ik+3HRV/5absZwx3tkUpBtMBUXV4+HA8WXRUeWaGgg2sybC2C7X4l1ChefepVa0JbzLMt1X2vbp+UMeGWbV4lv2V5qlXrQOEBnSwQz4kc0bMoQxSh/p3kohWMtviRuWRq99K9eHsQyD3U59rs9d98E9DIwdH2/8N0/XricaXnSOHErjUTTSSTXfPawJ2bfKMjOAfOkuCHIyFqeQsLElQnR51lzS2jJV6OhEDwVEWElPsvRBxTpafSL0RD90iO39Wbn7FTTBSbzf6YnJNpLu7YG/jysiLcf3zVjarsk648WcXMnCb7Geemqn3voRrJMdKA79sZPNl6jkNi/Jbs/+MPK1VS3v2kLr64lQPctfUaWSL4OGrHRdrO4RVdO3CaDI2H5ylUVoKZmy6LXCj9mQjmvKrK8l9ehrVg0i7O39V0qNP06D5wm/KmfYQtIhAlXy5r8cVR2B4klaxfcG+O/JuIROB1udmNAVz5SkHVTBkLGzlvmV5XAHOVE5+7SRf+ncLtKHoQ6lVGJSSfdgFgqjjQnWKcICvkLL9mtWl7cEPxGg8NlL
jLwEExmn1XUa99QZmLDlxFyiJZ8FlSQOngoGkA2ZmT9m8531orzzIUudImnxeiiVpZeTmxL+xKo2He0YBDnAIa+SCzJcM8KaNttVrs7Gc8Jdl1q2HZK8j/dEc31zC0gG+7lODwa9Ce+Lguu+ffsspaAwhmHA5qJElFP5gzBeUfmqDM4YJGPthPxpZCkOePQ6KcZGys1DuaMKfoOuBnFKhAoyP32dgnn8XAHmloCGaVxNbZi0kZZlY7YpubleJlDlib781EDc8WXXokiLSlVyKgstQ+tSO2MtdaEJ4ZWZ4V7p++MQQuFof0GCwNbPUabAuhqsX+6X7Q2LiS3Lakz4PUn1BSKsxWMS1C0GEoY5VBHXxukIbCWoRLCqBQAwjDDLYfUIUp7Y32Nwl0ZK7KqiYyj9ORNe8keBnWZKDHB9kjSnP4C5HQnyoe/fTL4v2mSHDeixS2DH0S83JmV8FxAQm67YWC7WBJzNZL577MQlIOArGGIAx7O5/o0sG1LxAz4/Aa+IAteebPmyqtXW4zmv0CC6H2HGq3WuPvZreSXOcMUOUpWwWsyloh6oZVTMqUHXjRvEL3B5DHGV9RFIBOAETkEP30xfl0FR5QXiavbZ+JoGt7NX+qu5rZ/u6Qx56URJ3cu2LzcGmb77cdcFKHV86f/rXdbAlr+OnqO0cXE6g5NhPr9u8j7Sxm/zTIwCVLod2coCnr/HhL0CF6f73IVWYadaXNP/tnOUYe3yEJv63IMYPQh//aOZG2BSuDxznQH1NnwNoa68lPzauK2UHHV1F/f7GEIPZJE7n+Dy5ai7Ysba91Hbv11rLXQHDypzUkj2mp6VIrC4I+FSKEGorbAXspJhuDnX1Q7mm8GOD8NxZb+rQmZOYRf+UG1z6gdpNwAlwk2bO6SeW0QCBBr0YbAAFA95uOuRpDphLQ4y/jcrKR11cWPetgtzBBIZRMT3ixq3As/MED542VffQtsQOAeUkMNz0UIMm0xIMlV/reC/woZwBLp60bhjlkwJP4bh7+6dsH9KF8ZS8jYn502MZpOTmhHJ9CxE8xVs7OSTkJTaDGkoisyaZ6jfwm18Jl4MkVjXXt0A5PrMYfOt2CbRjYS+BjUQIFZb46EWoWiPt6LV9YMaBv9IQ59ZQo02Nn4ZC9/J3MD7SZH5fWr+OJWaKPFiaFpTCyDJ8kDGq5i995X3vvKTJY8lOeBO1eFMnFe/RFyLylvGDST75P+SfG9HbT4hlR7+x9YDioZhR9FgnM7rts4pSzMZENlG7vPuzfmaTAOWxlL5F1TgaZoOnzOlc69PAPtRiLiigadRTRolDnJlFTHlQa5qby0ARvcvT2eWQGnoGCa4aDlPzPM+1pu6VwT9SkpHXR7O3HTcMZO/HZIUe93qVeZQ93WkkFl+BIlWGBAzTYJwKoEBvPY0lrP9FkLyMOLuq4BBf4RaP0lplBt9CczE0qriWhR5w48QyIv5pJRgyLU7hqOUs7WeKenNMohAy4lKiz/Njr4jXImZmY7mcuoMw27FbW+jzXlImr0QvjTpjhx4INb7iQOZTSXpm+B0jcKmxXtC3jmoT5jAks7UbXIi4VgQs2fF0Ypn77D0IIAlRh3UKr7Qd779vzHfDJAN/uqrlstzyCoLirkcLDacp1fYfmF89w+1GTKvPYKUw64fqRjGFLc/CYpLA0THP7GL3PSZo1RGl9nawm4mAX0OrE+BzVpblReAMVmxezGkV7+CYBZiHRJK5rr4kK/0lxauZb02H9MvmTVCpk36s4Mrs56HQX20sfFrW6EUQqDjrdicEEXYMTPu8tYeGgKJr2Oqin/3GEIR0BhHwh3pTjzPAn9Nh78BQFvCNVTHg24NB6SfZFWjhVMZM4qSvZeCoOoYerPDxTjq7jItzqLPhX8s/u83D2AHzHRNgsKt7NBnOOBtPL9hKSXsK5IsDhXMS1U89atiyE7E6TCIE52+32ufJgbcqhc0u03GWPk6KW+ZofEnxbVpvBsJ9+tj3j3G
5ogoGxDnUshrA+9tGCqgOGA0FZo4qOhYGu14uOFL8GJpgdEECnsBAM9soz5,iv:46DOOjh6yun/FfespTsPgQdN7/z6EVDUEY2V3OJQXwk=,tag:mAicNQoXQFcUE0d4A7Frrg==,type:str] + userkey: ENC[AES256_GCM,data:qaJIx3uJPnRf/ZN3PUj8CdbIDZYwfDHG4APWlQTUBHtJqYZbP+sLVFmpvgCD+yFgomghLeeDCt+Hm7ti+XYjLRciDPZQb/CAlsdgQW7JbsGA2Sdfj5wwn+vF0F0BLO0hORcB4VW2cY62yuf3koS6IbgXeHRVmLe4hmTftZ2ILZm/nPdjsG2sktLklORG26h/zaLX8fe/+2E9kFu8swyFxI3b+2xDkbm8/jsYSN08sL6L/kCaRlmITISMzVOodrms2FYv7oYnKsyq8ABBnpYECRJheukWNIzcFiJ6+QQwqJUCiJvdJ2Hu60LHgSP20plm5SJ631KBEK8NelwRUhpWe0WBiTfilcmwGJUhADtOIaDIO5r6Ou/OfZupPUEQtg0XhElwWiwqnnnMA//POUxMRQ7mxbhZU9XA2BAHv+RH2SUq7IEgTYkOps4zEWk48yyCI7338hB6DOZs2lR/yWkfR/JtDF3HM8RqLVDB3b9BypkWwfXh/M1RlK4XHid0gv575rQXe507mCAb4KJ82RJSbQ213974e8jXRdMtERM4ZujcP0hfeqxj5vrKLRqVgyLDH3Lz7c9eYhUVS/JN2HC3t/BPdN5J9LJud4r1VLYR01Ru5U+IDqOi71T5jiASndrc+QQa1mulEGLIWj/2c8oe2S0p2EU+P6V5RSrqLRuYGpvCcMOs7ydzKBd3oHBMY/VDhpbKlZEw/Kofbs+Easuz5zBlLlPxc0O+AttNlfsSgxuTD5/NiUKT9+TsToSrBZQiBDKvgDpQjZsq2Clw7ZAvFNrPNTiu0sU7YCe4xO9gQ7RIcXzI6S1B1eoHAbnfv7lKE0VvxRCsfngK8Kp/NccXIsNfDCZ/1x7/WHmq9wr5XmWqY41rf1LFeouQFwydjI5iPp4jHwUzPkiGBkkaOdkb8Ovjjy4urMekTiyO5JKJUJCmtZiSj2DHCOBWm6nRQOFCenLHD6ls2NeUpqqsA2wna5DVn0EPvpaPIkmrdIqHh8d85+N9C8UbYDwAnEFvqcAIlFDWj/tUWVUyfWLRl0JSc1wQFzXavJUaLhhLfP0Gh3n5/ayALGLrLwAeUWQz+tLu7oTs27PaEbQknyPvBczG4I/usAzpdlzr4VfdKWfvdjWST1c5ZCPl4qS8T9+/5jOE1+g/y3kcZED9qjFXdnVpoSJfLx+3cY59inv2LMAnavY++zEV1SWIwKFgAgJoYR4hCKANySWY8kBxCDcRjdBno2rAM3xLfU6I1sLb0lm+6LBswOEqHTb9E20u8RXum9JUI/6iauhJHmfoyMLVvhD5XQyolbQ5n/r1qq5LOjsKWGMvo/AeosBwcAY3u67xyvNnNgrd29SBwOYyGYNKG0jyhg7HDfHFIpSDzfAI4IOyhs44cPGFoN759+Y0BNLjW1mqDiWpErvSaNc4zH2cr2fSCaGpEBbf6q3hMh4tRQJayxVSEeD2emO69UNBd4jCkHo4vaK6D9aSBEcpWR2SQM0c968zDcdmOTajsLzPYoIyaOgWFAIs+9A6f8eyqlhDfWIxp6e1fVY8sCFotZaDXRqb9/umCy0IqNQChuKYcB5oB/hvwwMMuTE+4Q4Dd7RXfW8ZMAZz3Z1bqimVhFeVXDkyT+8DXMf2166bLxxwxpxSCPd3XmmOSUiNKysTHykh5MKaPjEyTl7xgvbhqZ16k0pvkh+z5Op1NcU2tm6W+/FL1JV83KnsjC1jAdwMEeFn+0MAFXTBARAG+qAb3pGowYz/wNSsvf93a3JTANA609opK/7MK84h5n7M6TulRBw5Phnw0HUdio5SJ7DBRPr4kYGgVTMwWzxfOY
3lDF/fnsqTOjGWxUoLrRXrZ8aaAHWaUYFzx52SW3J3rczRBWTC0jUUEVs7cslfR7N7VGvEXV9p9TuJOsfAyvFyseRIh66Uwi9Pwq+QBOadUttcT+iBgz72BEPwuIAcKre+ShoxE9cHGrtpvlgi7eDSlI1bZ7km+8j0TWryzKLK8P9N4MhspwRO/zGXiErAOoBe4MaBvMvjGCgCRFgnLypoDoeHeoLO1WvgskKUhHXIZV/02nBhhnxPUmJjzsqp722aDztxWKU1VX6lHooRFgpMRzOymD7XVxfZNyDrxuf0VJluIzZlFCzGpswgGnxocs0hFgTMePzhoMx2XnU9d6NM3hl1fOCCwV7Be8KjahNRc5qGChPS4kLzEyvsWHD7EiKK2gCYS0ysiPTNxKrcC9JFXqR7iX1QSQ8W5Sy5IBWYZWuBNj0STJ4J9VXImEaOnWnkNLcncwQh1Ty8OTDX15jeC7/ltfQ6KVjPj3iPs8cEADnOW7ez91vtXOg4dFhjuLAylipQYFIaUpjJOwNQuEcp121LKR1YXHeLRI4y2Cvw9ZL9HXZbB8yQR5/NNba2PScDjfg05ZhFb4yFfcrT+OOrvO6ej1mX4qPzK4X4Sxzi+c632Xi98I/L6rKE5WCLg0dXPUhy4YwD495ZoCFfT5hzNHrNjeCGG03mVC4qLTcopwyn4TlcN+SnZEzI9kVvTwOhtW2J9ol1GNjiGsmfDq9I/+jOfALFQgA/nFVyqBi14pui9yhno6WDyPGifDeKsoNBoZq63lQ/exxGzTH/sPRqeumAUWU81n3/4FLcknH1ssucMC73scO5S4+lzpF89PFCV5Qnkcghzu+vEC5/Z0roU+jQL+wPpjnq1QAuX94TX0iLVozSmcPfFwv4PyzqiCRK7dbk8TtTQlqdM+elzKzKbQkUQXvY2vGTyKnZxJjrwHx71QuEYMfu3QqO7v5XUJSayON1o/RcfQdwfxenLaLOzXYPVod2eylalY7vXKtJOclz0OsCHVL/IAs2p+qvnBhDi2LcBKFgYRgI9ZrOFWGBvk2hzNjieQtM/a9BAcAjzR8jNTgBYqTQWIuloJEjd+KtRC7S4qFVSwp5E+2eFD3QpBaf+TFuDCvSteWpHZSXIrrLEGAichsWVHK09KKGsFPb//S2bEIrHeMYwPbDZ4JFR5YzUJTnfuHFCAGxsL4qali4ZA8BlTEp675TwJ47FWpS349/10di0DbIm7+eeQUVv4obn9sk0st1tDHS5kWsWQq587t52OFuqwXZv+GdEMn/jfo4F4dEF61DbkXtMzMs0/DU9x60m0pp41LvJQsm7GyGjvtUV0ltD5n8lF40pmVZnrcrQb/VSd2mLZbkTl8K+1J2rDnel2vf5DcUSysTha8o+g0X4fqMeGnIot71ZS7bqtzYzACQukMYkSxqE/vnalxN2G4cmP0RCSwb4YhOdgsKjqUwEr560xv5M58RSMW92cFC59CHtu4G7rPyvuA9Bp6lJnxsRAfPB57QF4aqYg0VpBTpP4MHdeVuG7v7REATjyexnjuli5BSx9540nHgjrcMVcSVkcNcIykAJsHVk4PJZ01o5Ycmubvw3fHvt9OKyxY2Y7CLQpVcSwgfp4KOLnUe3+88fLfMUfg3V4rVjiriivqHVKx0aMKqkW1Od6fT5nZAd6h5rMxLWDU2U++wUcc/lfRK+J2GgY+r6MmBb1qRajW8VS3ms7e/RylxzHpaU/meUTFiFxop4iCCwBn3IjgFtZWcn+8eERkQQ0wZfuz8u5Lfy0uPQoaRhoHPXtBZQEWuQd/MIGKaetHU85XRu/1HYvQ4V5+Elu12D8idTCennGv6gqIOFZBhS1CCKbPtzTmYuV9JlmbMNhQthwuxKKbZoXhI+GNDggPMxkkmhxGChj4X2NymV7u3Yqrr1FnNGTMcuBJ10+BDeNNY9KV4MZCKH//rRjUxVEgiln0EEGFTeA/WSyG8wu72maDu2OvcfoNH3KkYYJ7JqS
zvZ8raVMiWSx9nkAN18xRWxWIz4wNndrk963Ol4rwxymVcXDE9/Qrz27MAZmNhrEaF4qsut7VDLxWvnrcWCIXddNPFcqgU1IQVF48U7WAGgTFDJdDEp+Q33FNIbo70koN0KLE8ot0jIqWuwBFhA5fI7NSv5cEIOueTcD2p3J2snBebQbRtsDtu8mJBunYPqcvP3YH9xiDJkdiij/g21Wtb7FY/WPP1uVt8RJu51kxTw9VZJLLQqisk1usn3kAKM+m3gQAKpbgiFmfjb3pif3nHTCi+tRAM4hGX2VWHY8F/iaTCAZpSyd34SD6OqYIzh83nchwyaMOU9QrrOIG7Vbrd923/AMBcFVaZnQB4eGNIe6fnEiet67kb6g0yxHNKyORM0+fg9INbywzT1MzjbjozvNw5JEHm49C2J/oWcyGDW13XtQXw8uvCBVEqXpz4baNng7Xzge5WwBLTlF2+hh136npAE62aHkNZyy0E3Fa1V6ludI//BcnZ4jqYEO0/w5SA9wYFT6Aun9ltRpq60VZnYc1Jr2A=,iv:kR5g0wvCQ3NGAqviN1jvqscgAYrGzHLqhooIljtJ+gg=,tag:Z+U5Wn4U5ADIxjdfI37cBA==,type:str] + tlscrypt: ENC[AES256_GCM,data:zG12fAsc9/LcxO0eGx4ytjHm07BMnf5aBHlfTtif4noCXcPAx5xunhJCOaWEoTobwOEpdgXoZzQcJa7EW6N/4kEnGzk8gfSl+BFswO6LEoqzYJb4sfy2qJJQrjUNxsI9yib+OCgb4DQ94apdvVG/dVypdMQrw+x+xg8K+hdZ5LZWdZLKKcBxHKeHoZ+lt/gJNv3BbtQP6Vy+1biWxjdHy1YfvLm+iqaJfi3/9HV8YAi/iePoY+rNNtc8GlaUp/HrHfmCFF4EBWuFr2knQ5t8bx7sHGlhdcTIyHJwNQdCUIsyVqckhxDulLM8luuGJZsiulkdK2f4NSpa6CPYZPWPHQ2BfSnugBEjbWrF2RQT3eOLAEJBS9YSV1/nvHA/lU2ymf0PBzzXhE9Ms0twecrS8Ql/qRbWSqiQNzHv/P7k5i5E8iw4zqaUtir7gpu3AkC2GxMVuQfowiruZGPi6i2YbDzgaBi5fZJAosWQHvZXnVApqFqzWXCzw4ACXlMI6MZ1rb3Ut9wEDXHGMRhhcWmHDsCO6I4/EphDfLiexYeVHKB++MLilXaUa6wXN0yGefj+NC3Am5YQRwR3rd4KrjXOrbKWELoIkyYrGWkZ5w5O5fC4Z+h8jxPjng/lNM3JAzREgKcw+0IcY5q3/bRXWGMScVm5qqc9LXozhWU9gghQOhbcb4NYFob8yczTJT8IdA6D72N4pAm+524DMjTPRiAi1KQInICeZp2mILvT5aUgTEXtj+iwyqyo+io3ffOjQdHa9HU2IrZKmoapkvEOsFHm3L63uY1T92/Han8=,iv:cjIKuwyLtXT5Wg/VzinC2Lf5EysoxsgnEsHei/+Yum8=,tag:b5LKO8urIBC7BJgyfs5kWw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14cpm59h7hx8gr54hrn4uxu4xnrp9wy3f2kdxvy6xwuyxsfg8g9zs8z5e77 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YW5Ob0RscXBCODV2d3Z0 + TFVVMVQwdTZKZWZDZzNHOXZobThRZ3lyOHlZCnhWQTB5aVd5enBXYUtaYWprT1B1 + ZHhndW1vcHExYlAyTXpXWEYrSjhxaUEKLS0tIDRodGpsSS9rZzlOeWMxOTRhVnBF + 
OHNBdXMzZTN0VEVTYkVSbUVRYmo3eUUKvRiPgmrCCK1F5QoSHlV89C2MPl5FvU5i + z61NMJu68UEDsDu8qNRaW3aqpT+1GYsr1evi5imzNwr0qTM2oRwkFQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-15T01:14:16Z" + mac: ENC[AES256_GCM,data:4hqXQvlmPKuPkQEcUIpTEUudVknNVNjXjP8pB2UPnPmnr79nLWy/ZOzAcpSob1XNHyB7We5neBUEDYO56PjOM9C022XdZfaqXUC931uqLqo1iLQupApCphf/HR5bwDayv63Mr1Ys9MBdhCrYtlfy4iPiEdlpfDhLuD268EM8x0w=,iv:rgzgkB+5r/xDrN4i8O1f6CXyGxF7Peo+24kkQf96yf4=,tag:TZPaNEEYxFZ0m1CRbPQ0kA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops.nix b/secrets/sops.nix new file mode 100644 index 0000000..7e6707a --- /dev/null +++ b/secrets/sops.nix @@ -0,0 +1,28 @@ +{ config, pkgs, ... }: +{ + environment.systemPackages = [ + pkgs.ssh-to-age + pkgs.sops + ]; + + # This will add secrets.yaml to the nix store + # You can avoid this by adding a string to the full path instead, i.e. + # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; + # sops.defaultSopsFile = "/etc/nixos/nix-dotfiles/secrets/secrets.yaml"; + sops = { + defaultSopsFile = ./secrets.yaml; + validateSopsFiles = false; + + # This will automaticx-sopsally import SSH keys as age keys + age.sshKeyPaths = [ + "/etc/ssh/nixos" + "/root/.ssh/nixos" + ]; + #This is using an age key that is expected to already be in the filesystem + age.keyFile = "/var/lib/sops-nix/key.txt"; + #age.keyFile = "/root/.config/sops/age/key.txt"; + age.generateKey = true; + # This is the actual specification of the secrets. + #secrets."myservice/my_subdir/my_secret" = {}; + }; +}
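Review bot: In `secrets/sops.nix`, `age.generateKey = true;` combined with `validateSopsFiles = false;` hides a broken key setup until activation. If `/var/lib/sops-nix/key.txt` is absent a fresh key is generated, and that key is not the single age recipient listed in `secrets/secrets.yaml`, so decryption then depends entirely on one of the `age.sshKeyPaths` entries matching that recipient. Consider dropping `generateKey`, or documenting which key is the recipient, and keeping `validateSopsFiles = true;`, since `defaultSopsFile = ./secrets.yaml;` already places the file in the store. The file also carries entries for what look like other services and hosts (`openvpn.galadriel`, `nginx`, `acme`), so any machine able to decrypt it can read all of them; per-host sops files would narrow that. The comment `# This will automaticx-sopsally import SSH keys as age keys` has a typo; `# Import these SSH keys as age identities` reads better.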