diff --git a/.sops.yaml b/.sops.yaml
index 392790d..3ce6a9b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -20,7 +20,7 @@ keys: # https://github.com/getsops/sops/pull/1123 # https://github.com/getsops/sops#key-groups
 creation_rules: # global
- - path_regex: secrets/default.yaml$
+ - path_regex: secrets/common.yaml$
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -54,7 +54,7 @@ creation_rules:
 - *user_pbsds_nord
 - *user_pbsds_bjarte
 # sopp only
- - path_regex: secrets/sopp(/[^/]+)?\.yaml$
+ - path_regex: hosts/nixos/sopp/secrets.yaml
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -62,7 +62,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_sopp
 # nox only
- - path_regex: secrets/noximilien(/[^/]+)?\.yaml$
+ - path_regex: hosts/nixos/noximilien/secrets.yaml
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -70,7 +70,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_nox
 # bolle only
- - path_regex: secrets/bolle(/[^/]+)?\.yaml$
+ - path_regex: hosts/nixos/bolle/secrets.yaml
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -78,7 +78,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_bolle
 # garp only
- - path_regex: secrets/garp(/[^/]+)?\.yaml$
+ - path_regex: hosts/nixos/garp/secrets.yaml
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -86,7 +86,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_garp
 # eple only
- - path_regex: secrets/eple(/[^/]+)?\.yaml$
+ - path_regex: hosts/nixos/eple/secrets.yaml
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -94,7 +94,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_eple
 # nord only
- - path_regex: secrets/nord(/[^/]+)?\.yaml$
+ - path_regex: hosts/nixos/nord/secrets.yaml
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -102,7 +102,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_nord
 # bjarte only
- - path_regex: secrets/bjarte(/[^/]+)?\.yaml$
+ - path_regex: hosts/nixos/bjarte/secrets.yaml
 key_groups:
 - age:
 - *user_pbsds_sopp
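Review bot: The rewritten host rules, starting with `- path_regex: hosts/nixos/sopp/secrets.yaml`, drop the `$` anchor and the `\.` escape that the replaced patterns carried, so each is now an unanchored substring match: any path containing that text (a `…/secrets.yaml.bak`, a copy under another tree) selects this host's key group, and since sops applies the first creation rule that matches, the anchor is what keeps a stray file from being encrypted to recipients it was never meant for. Write it as `- path_regex: hosts/nixos/sopp/secrets\.yaml$`, and likewise for the nox, bolle, garp, eple, nord and bjarte hunks on this line and the brumlebasse hunk that follows. The old patterns also matched files under `secrets/<host>/`; only `secrets/noximilien.yaml` is renamed in this diff, so if other files of that shape exist they now fall through to whichever later rule matches, which I cannot tell from here.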
@@ -110,7 +110,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_bjarte
 # brumlebasse only
- - path_regex: secrets/brumle(basse)?(/[^/]+)?\.yaml$
+ - path_regex: hosts/nixos/brumlebasse/secrets.yaml
 key_groups:
 - age:
 - *user_pbsds_sopp
diff --git a/flake.nix b/flake.nix
index 74953b9..10acb4e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -157,28 +157,12 @@ imports = let ifExists = p: if builtins.pathExists p then p else {}; in [ ./base.nix "${self}/hosts/nixos/${hostname}/configuration.nix"
- inputs.sops-nix.nixosModules.sops
+ ./secrets
 inputs.home-manager.nixosModule #inputs.nix-index-database.nixosModules.nix-index # TODO: fix?
 ] ++ modules ++ extra-modules; #++ inputs.flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work
- sops.defaultSopsFile = ./secrets/default.yaml;
- #sops.defaultSopsFile = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) ./secrets/${hostname}.yaml;
- #sops.secrets = let # TODO: importYAML does not exist
- # file = ./secrets/${hostname}.yaml;
- # exists = builtins.pathExists file;
- # yaml = lib.removeAttrs (lib.importYAML file) ["sops"];
- # secrets = lib.attrNames yaml; # TODO: recurse
- #in
- # if !exists then {} else lib.mkMerge (lib.forEach secrets (secret:
- # lib.mkIf (config.sops.secrets ? secret) {
- # "${secret}".sopsFile = file;
- # }
- # ));
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- sops.age.keyFile = "/var/lib/sops-nix/key.txt";
- sops.age.generateKey = true;
 home-manager.useGlobalPkgs = true; # go brrr, reuse overrides
 home-manager.extraSpecialArgs = {
diff --git a/hosts/nixos/noximilien/configuration.nix b/hosts/nixos/noximilien/configuration.nix
index 697a7e8..34ccefe 100644
--- a/hosts/nixos/noximilien/configuration.nix
+++ b/hosts/nixos/noximilien/configuration.nix
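Review bot: `./secrets` now stands in for `inputs.sops-nix.nixosModules.sops` in the imports list, and the module behind it destructures `inputs` from its own arguments, so evaluation only succeeds if `inputs` is already handed to the NixOS modules through `specialArgs` (or `_module.args`); the hunk shows `extraSpecialArgs` for home-manager but the NixOS-side arguments lie outside it, so I cannot confirm this. If it is not, the build fails with an undefined `inputs` argument, i.e. earlier and with a less obvious message than the old direct reference would have given. A one-line comment at the new import, `./secrets # sops-nix wiring; needs inputs in specialArgs`, would record the dependency. The enclosing attribute set starts and ends outside the hunk.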
@@ -106,7 +106,7 @@ #networking.wireguard.interfaces."wg0".ips = [ "172.22.48.3/24" ]; # fyrkat
- sops.secrets.flexget.sopsFile = ../../../secrets/${config.networking.hostName}.yaml;
+ sops.secrets.flexget.sopsFile = ./secrets.yaml; # TODO: remove? Move to where relevant?
 nixpkgs.overlays = [
diff --git a/secrets/noximilien.yaml b/hosts/nixos/noximilien/secrets.yaml
similarity index 100%
rename from secrets/noximilien.yaml
rename to hosts/nixos/noximilien/secrets.yaml
diff --git a/secrets/default.yaml b/secrets/common.yaml
similarity index 100%
rename from secrets/default.yaml
rename to secrets/common.yaml
diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 0000000..66733c6
--- /dev/null
+++ b/secrets/default.nix
@@ -0,0 +1,24 @@
+{ config, inputs ,... }:
+{
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+ sops.defaultSopsFile = ./common.yaml;
+ #sops.defaultSopsFile = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) ./secrets/${hostname}.yaml;
+ #sops.secrets = let # TODO: importYAML does not exist
+ # file = ./secrets/${hostname}.yaml;
+ # exists = builtins.pathExists file;
+ # yaml = lib.removeAttrs (lib.importYAML file) ["sops"];
+ # secrets = lib.attrNames yaml; # TODO: recurse
+ #in
+ # if !exists then {} else lib.mkMerge (lib.forEach secrets (secret:
+ # lib.mkIf (config.sops.secrets ? secret) {
+ # "${secret}".sopsFile = file;
+ # }
+ # ));
+}
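Review bot: The commented-out block carried into the new `secrets/default.nix` (from `#sops.defaultSopsFile = lib.mkIf …` down to `# ));`) is stale in its new home: it refers to `./secrets/${hostname}.yaml`, which from inside `secrets/` would resolve to `secrets/secrets/…`, while this same diff moves the per-host file to `hosts/nixos/<host>/secrets.yaml`; it also uses `lib` and `hostname`, neither of which is in the module's argument list, and `config` is destructured only for that dead code. Either drop the block or reduce it to a one-line `# TODO: select hosts/nixos/<host>/secrets.yaml automatically` so the intent survives without a misleading path. The argument list `{ config, inputs ,... }:` also has a stray space before the comma; `{ inputs, ... }:` is the conventional form once `config` is unused.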