sckova/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add sops-nix

Browse source
This commit is contained in:
Sean Kovacs 2026-04-03 10:30:18 -04:00
commit 330087d4ff
Signed by: sckova
GPG key ID: 00F325187C68651A
12 changed files with 130 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

17
.sops.yaml Normal file
View file

@ -0,0 +1,17 @@
# This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml
# for a more complex example.
keys:
- &admin_sckova 7622FD7E6AB9F1E9D2CEFE2700F325187C68651A
- &user_sckova age1k9zp37p9sejvpvwu688t7jkl8utkugrsch7a9ahufpq7uhj609gqsd3wka
- &host_peach age1dx9rwrkhqj8sfr8vdfsgrqjwqefzmgtugsp6ykklpudfw4hcnuyqx9x20e
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *admin_sckova
age:
- *user_sckova
- *host_peach

21
flake.lock generated
View file

@ -483,9 +483,30 @@
"noctalia": "noctalia",
"nur": "nur",
"openmw": "openmw",
"sops-nix": "sops-nix",
"tt-schemes": "tt-schemes"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1774910634,
"narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,

13
flake.nix
View file

@ -17,6 +17,11 @@
flake = false;
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
@ -63,6 +68,7 @@
apple-silicon,
base16,
tt-schemes,
sops-nix,
home-manager,
niri,
noctalia,
@ -151,13 +157,13 @@
"podman"
"pipewire"
];
hashedPassword = "$6$bvwRUFaJNMpH8rm3$FGDWFN6tBScJ/2DynAjnlZE8JRfyADN78d6c4GawxpAjyNLNE/AjQzMA09tLRqpKX7WnN5PIUZLAm2bT9/RbG0";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCn/eXMq04vcXNqGVzlZOw2C2dQYBqzWsoigdFW09XqC2WPaGljbAIayzaD7Q1tIlPGGy10+nipAXAk1CHAnrQ2KSg4v/SwFphF48V3joeQmideC4vo0EIQEQibbMtj3oFezqRcRZINl/1hr4t0myZ3zkoTjh3HCkqJEMGUdArDMEVPA5mwcKSLsyshW9LMG/3C9YKKPU1/lVsoeDkj8AVZA0srhkApuRKF0IVu8KoPd6ldvSWgpQ1iuQ+MEMSeOUJytieBkzeY9zEVePaQ86oIMDUzqq8OTN37RyShiJKPskKyj12rJI2eFtI/viGaj8P6/yvKqMp3F4kAsPAuvMLLAIYCNa+139rDpkkIKB6lVtgq0jnJGRywaYXGIRyExNcVAr8I9wrNnNN2M4whVeYBxfLMzKZ+VvfK39AaGvnzPuFDLqUC87sN4c/1KZQo+TCtlaxcYvqowWylw5JHUt8uwFcO/dUebQxxAv8EdyPZGJ/54y19PsTbu9KyxSc2gIU= sckova"
];
};
}
./options.nix
./sops.nix
./system
./system/searxng
./system/games
@ -167,8 +173,8 @@
./system/hosts/${hostname}
./hardware/${hostname}
niri.nixosModules.niri
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
noctalia.nixosModules.default
{
home-manager = {
useGlobalPkgs = true;
@ -177,6 +183,7 @@
imports = [
./home
./options.nix
./sops.nix
./home/sckova
./home/sckova/apps
./home/sckova/games
@ -187,6 +194,7 @@
];
};
sharedModules = [
sops-nix.homeManagerModules.sops
base16.nixosModule
(
{ config, ... }:
@ -205,6 +213,7 @@
};
};
}
noctalia.nixosModules.default
]
++ extraModules;
};

2
home/sckova/default.nix
View file

@ -5,4 +5,6 @@
username = "sckova";
email = "kovacsmillio@gmail.com";
};
sops.age.keyFile = "/home/sckova/.config/sops/age/keys.txt";
}

16
home/sckova/services/systemd.nix
View file

@ -1,7 +1,6 @@
{
config,
pkgs,
lib,
...
}:
{
@ -11,16 +10,11 @@
XCURSOR_PATH = config.userOptions.cursor.path;
};
xdg.configFile."rclone/synology.conf".text = ''
sops.templates."synology.conf".content = ''
[synology]
type = sftp
user = sckova
type = smb
host = nas.taila30609.ts.net
key_file = ~/.ssh/key
shell_type = unix
root = home
md5sum_command = "${pkgs.coreutils}/bin/md5sum";
sha1sum_command = "${pkgs.coreutils}/bin/sha1sum";
pass = ${config.sops.placeholder.rclone_synology}
'';
systemd.user.services.synology-mount = {
@ -48,11 +42,11 @@
# Mount rclone in foreground
${pkgs.rclone}/bin/rclone \
--config=$HOME/.config/rclone/synology.conf \
--config=${config.sops.templates."synology.conf".path} \
--ignore-checksum \
--log-level INFO \
--rc --rc-serve \
mount "synology:" "$HOME/Synology"
mount "synology:home" "$HOME/Synology"
''}";
ExecStop = "/run/wrappers/bin/fusermount -uz %h/Synology/%i";
StandardOutput = "journal";

1
home/sckova/terminal/default.nix
View file

@ -66,6 +66,7 @@
};
core.pager = "${pkgs.bat}/bin/bat";
commit.gpgsign = true;
init.defaultBranch = "main";
};
};
bat = {

2
home/sckova/terminal/neovim.nix
View file

@ -5,7 +5,7 @@
...
}:
{
home.sessionVariables.EDITOR = lib.mkForce "kitty nvim";
home.sessionVariables.EDITOR = lib.mkForce "nvim";
programs.nixvim = {
enable = true;

42
secrets/secrets.yaml Normal file
View file

@ -0,0 +1,42 @@
#ENC[AES256_GCM,data:TggQPAlRHvMKs5nMF7arHHoXjj6+1c0n1DuIS5UFXuRob9E2AHn3JCObcPW/IH0JOcg=,iv:PFDAr1ZQMu158TglCPFqK548LfOtYHT+7zon83JN8IY=,tag:72fhZeqDG7yK+pv1k330zA==,type:comment]
searxng_secret: ENC[AES256_GCM,data:j/PY84sAXdcP/WaekjhT+wYDa1Q9OBWchrAUKpW7ygSEMqbiIx5i/bmjyqjifnZqKvy/hgF/SA2ZbFKsQ5jjpQ==,iv:8Sv9WTjO+Vkrgmd+V6l7vdMPPtjBVkWfeG/DRsbhQYE=,tag:jc3HWlyAUUmkzZMnv8Kbmw==,type:str]
#ENC[AES256_GCM,data:HBJEtuvZUeUD51q8/d+d6lQ4Yke1RfHDqo4P9l21mbvF2rrHp0KRNH0=,iv:cNpmj145TKmF/bNQN3wFeAXoqWkLxu0bqvEhydRQZcs=,tag:x02R5lfpYUMZw3eSRA5MIA==,type:comment]
rclone_synology: ENC[AES256_GCM,data:2k9aYyXMDDYt740VUUvvTSUQ+ybK3PIkBetqw5wmCXYEumk=,iv:J3ZFY3iX7OHoriJNHbmCYHglwNeh+T1UP9q608wAXGU=,tag:QmyVZQiQzBhoB9jkOiruhw==,type:str]
#ENC[AES256_GCM,data:CvsKAAXJQWM8t5bc0eInokZr,iv:YpEJYqyDNGydfrUBoLeUyJsnai/jMAo0PojRmpVPmN8=,tag:9DoQE+Wic5OnWcGIZNFsIg==,type:comment]
sckova_password: ENC[AES256_GCM,data:JgXq8TyCGI072g==,iv:kPme4bkmAfj+np32LoAcDWoQA2qFnTdqnyTSwB2TvBk=,tag:hAPQ+dWW+7QstyEdvSvpGw==,type:str]
sops:
age:
- recipient: age1k9zp37p9sejvpvwu688t7jkl8utkugrsch7a9ahufpq7uhj609gqsd3wka
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtK09BZUN6aUhIQ0oyOU9N
UW5SWXJoUEJ1U2NLNnl3UjFFajd1U3MwUnpvCjhYa1RES3RSTTVURVU2bVp5b3A1
dWVxRHQ1bGh5QUlxRmNhSXRnUDRUa1EKLS0tIHlnUFZDem9mdWFVNDNCQjM0OWND
OGF4VjkyTGt5ckl1T2RLRm8rUFUxQlUKSviKzkL/JLy/JTaKXCi5+hr5Cy6dtu+S
qOhPWCFcNVM6TaJnFNEik6r39E0+C6qmkzdxN1KLjLYzg+DEcxAOnA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dx9rwrkhqj8sfr8vdfsgrqjwqefzmgtugsp6ykklpudfw4hcnuyqx9x20e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzeW5WcG5jY3loVUl0RG9o
RUxKWmtLcnF3djE2MEoxMTVtVlNJMkJFNmpBCnhjL25TaUl1ZHpIK3c3OW5lcFNS
MFg2eXRPVjRxUHdiMEVrNCs5SGhWMjQKLS0tIHVscFNybnROUTQrRlRYa3FuWkhs
RFExdjVKRi9aMFNWQzBORmFyanNVdWMKUcQ3h7pCLCIi7PaITuAGxv3qLyypDHhY
1HqXGNP82Xyu4coc6jWQ85dMvRfMkYar6zDNvJmPqHptiHfbDFcVTw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-03T13:51:22Z"
mac: ENC[AES256_GCM,data:jQtzEZWE6csGTQE939UAl3xA6ecqLD4aGRqw7KF7GqW0w3FTfC59uel1xM2Nl91Bg42TzYsO9WB3rox5daFAcUgoQE0TNMAbH+w/vkVc3NoJHrWQlV69j8zUAAiNgbAx30l1MIjLS/zJ6Xlt+jkj4FtPfK0d84V/O2KwCBAJ+uM=,iv:+u3muRmMuZJUcUNHJDOqzytxgK60YxxmawwQeUTm9aU=,tag:mR8lTA7dgfOqYqUvCAuYFQ==,type:str]
pgp:
- created_at: "2026-04-03T02:14:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DrD+TWkWMG9QSAQdAE1QnXASnQihE7xyQxHo48Dq5VBVG15vuyhPDeEPJsEsw
/oG3t56luiap+vilspLHdxzILvyHQfPpkEOlGvI4TD19t3gIKCOKDTHxMk8BW6p8
0lwBgKcqEZdEIHDj84CnG/6/9uK9ycuWiFN4PoTlrE10j+WVnFod1qHLV4ixbomE
kY50t/LrML5Q/oiqUrUk6h9+QrNPfpJ2ei06vpy23PYzrs43MLbAScWvyu9H+A==
=j6c/
-----END PGP MESSAGE-----
fp: 7622FD7E6AB9F1E9D2CEFE2700F325187C68651A
unencrypted_suffix: _unencrypted
version: 3.12.2

7
sops-example.yaml Normal file
View file

@ -0,0 +1,7 @@
# nix-shell -p openssl --run 'openssl rand -hex 32'
searxng_secret:
# echo 'secretpassword' | rclone obscure -
rclone_synology:
# sckova's password
sckova_password:

16
sops.nix Normal file
View file

@ -0,0 +1,16 @@
{
config,
lib,
pkgs,
...
}:
{
sops = {
defaultSopsFile = ./secrets/secrets.yaml;
defaultSopsFormat = "yaml";
secrets = {
searxng_secret = { };
rclone_synology = { };
};
};
}

3
system/default.nix
View file

@ -14,6 +14,9 @@
email = "kovacsmillio@gmail.com";
};
sops.secrets.sckova_password.neededForUsers = true;
users.users.sckova.hashedPasswordFile = config.sops.secrets.sckova_password.path;
boot = {
plymouth.enable = true;
plymouth.logo = "${pkgs.nixos-icons}/share/icons/hicolor/64x64/apps/nix-snowflake-white.png";

10
system/searxng/default.nix
View file

@ -1,21 +1,19 @@
{
lib,
pkgs,
config,
...
}:
{
sops.templates."searxng.env".content = ''
SEARXNG_SECRET=${config.sops.placeholder.searxng_secret}
'';
services.searx = {
enable = true;
redisCreateLocally = true;
environmentFile = config.sops.templates."searxng.env".path;
settings = {
server = {
secret_key = lib.removeSuffix "\n" (
builtins.readFile (
pkgs.runCommand "gen-key" { buildInputs = [ pkgs.openssl ]; } "openssl rand -hex 32 > $out"
)
);
port = 5364;
bind_address = "127.0.0.1";
};