From 330087d4ffc6814314fa300960c160d0a692fe21 Mon Sep 17 00:00:00 2001 From: Sean Kovacs Date: Fri, 3 Apr 2026 10:30:18 -0400 Subject: [PATCH] add sops-nix --- .sops.yaml | 17 +++++++++++++ flake.lock | 21 ++++++++++++++++ flake.nix | 13 ++++++++-- home/sckova/default.nix | 2 ++ home/sckova/services/systemd.nix | 16 ++++-------- home/sckova/terminal/default.nix | 1 + home/sckova/terminal/neovim.nix | 2 +- secrets/secrets.yaml | 42 ++++++++++++++++++++++++++++++++ sops-example.yaml | 7 ++++++ sops.nix | 16 ++++++++++++ system/default.nix | 3 +++ system/searxng/default.nix | 10 +++----- 12 files changed, 130 insertions(+), 20 deletions(-) create mode 100644 .sops.yaml create mode 100644 secrets/secrets.yaml create mode 100644 sops-example.yaml create mode 100644 sops.nix diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..29d2689 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,17 @@ +# This example uses YAML anchors which allows reuse of multiple keys +# without having to repeat yourself. +# Also see https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml +# for a more complex example. +keys: + - &admin_sckova 7622FD7E6AB9F1E9D2CEFE2700F325187C68651A + - &user_sckova age1k9zp37p9sejvpvwu688t7jkl8utkugrsch7a9ahufpq7uhj609gqsd3wka + - &host_peach age1dx9rwrkhqj8sfr8vdfsgrqjwqefzmgtugsp6ykklpudfw4hcnuyqx9x20e + +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *admin_sckova + age: + - *user_sckova + - *host_peach diff --git a/flake.lock b/flake.lock index 8713751..e30e694 100644 --- a/flake.lock +++ b/flake.lock 
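Review bot: The `&host_peach` recipient carries no indication of where that identity comes from, while the NixOS-side sops.nix added in this same patch sets neither `sops.age.keyFile` nor `sops.age.sshKeyPaths`, so host decryption appears to rely on sops-nix's default of deriving an age identity from the host's SSH ed25519 key. If `host_peach` is that derived key, a comment next to the anchor such as `# age identity derived from peach's SSH host key via ssh-to-age; re-run sops updatekeys if the host key changes` makes the dependency visible before someone rotates the host key and locks the host out of its own secrets. The creation rule only matches files under `secrets/`, so the root-level `sops-example.yaml` is deliberately left unencrypted; stating that in a comment here would stop it being filled in with real values later.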
@@ -483,9 +483,30 @@ "noctalia": "noctalia", "nur": "nur", "openmw": "openmw", + "sops-nix": "sops-nix", "tt-schemes": "tt-schemes" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1774910634, + "narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 85670e8..55809e3 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,11 @@ flake = false; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; @@ -63,6 +68,7 @@ apple-silicon, base16, tt-schemes, + sops-nix, home-manager, niri, noctalia, @@ -151,13 +157,13 @@ "podman" "pipewire" ]; - hashedPassword = "$6$bvwRUFaJNMpH8rm3$FGDWFN6tBScJ/2DynAjnlZE8JRfyADN78d6c4GawxpAjyNLNE/AjQzMA09tLRqpKX7WnN5PIUZLAm2bT9/RbG0"; openssh.authorizedKeys.keys = [ "ssh-rsa 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 sckova" ]; }; } ./options.nix + ./sops.nix ./system ./system/searxng ./system/games @@ -167,8 +173,8 @@ ./system/hosts/${hostname} ./hardware/${hostname} niri.nixosModules.niri + sops-nix.nixosModules.sops home-manager.nixosModules.home-manager - noctalia.nixosModules.default { home-manager = { useGlobalPkgs = true; @@ -177,6 +183,7 @@ imports = [ ./home ./options.nix + ./sops.nix ./home/sckova ./home/sckova/apps ./home/sckova/games @@ -187,6 +194,7 @@ ]; }; sharedModules = [ + sops-nix.homeManagerModules.sops base16.nixosModule ( { config, ... }: @@ -205,6 +213,7 @@ }; }; } + noctalia.nixosModules.default ] ++ extraModules; }; diff --git a/home/sckova/default.nix b/home/sckova/default.nix index f507113..6513c7e 100644 
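Review bot: `./sops.nix` is added both to the NixOS module list (`@@ -151,13 +157,13 @@`) and to the home-manager `imports` list (`@@ -177,6 +183,7 @@`), so every secret it declares is decrypted in both contexts: `searxng_secret`, consumed only by the system searxng service, also lands in the user's runtime secrets directory readable by `sckova`, and `rclone_synology`, consumed only by the user mount service, is also written by default under root's /run/secrets. Declaring each secret in the module that consumes it, or splitting sops.nix into a system half and a home half, keeps each secret in the one context that needs it. Separately, the `hashedPassword` line removed in `@@ -151,13 +157,13 @@` has been in committed history, so that `$6$…` hash should be treated as exposed; the value placed in the new `sckova_password` secret should be a fresh password rather than the same one re-encrypted, since moving it into sops does not remove it from earlier commits.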
--- a/home/sckova/default.nix +++ b/home/sckova/default.nix @@ -5,4 +5,6 @@ username = "sckova"; email = "kovacsmillio@gmail.com"; }; + + sops.age.keyFile = "/home/sckova/.config/sops/age/keys.txt"; } diff --git a/home/sckova/services/systemd.nix b/home/sckova/services/systemd.nix index 5e1d681..ab47600 100644 --- a/home/sckova/services/systemd.nix +++ b/home/sckova/services/systemd.nix @@ -1,7 +1,6 @@ { config, pkgs, - lib, ... }: { @@ -11,16 +10,11 @@ XCURSOR_PATH = config.userOptions.cursor.path; }; - xdg.configFile."rclone/synology.conf".text = '' + sops.templates."synology.conf".content = '' [synology] - type = sftp - user = sckova + type = smb host = nas.taila30609.ts.net - key_file = ~/.ssh/key - shell_type = unix - root = home - md5sum_command = "${pkgs.coreutils}/bin/md5sum"; - sha1sum_command = "${pkgs.coreutils}/bin/sha1sum"; + pass = ${config.sops.placeholder.rclone_synology} ''; systemd.user.services.synology-mount = { @@ -48,11 +42,11 @@ # Mount rclone in foreground ${pkgs.rclone}/bin/rclone \ - --config=$HOME/.config/rclone/synology.conf \ + --config=${config.sops.templates."synology.conf".path} \ --ignore-checksum \ --log-level INFO \ --rc --rc-serve \ - mount "synology:" "$HOME/Synology" + mount "synology:home" "$HOME/Synology" ''}"; ExecStop = "/run/wrappers/bin/fusermount -uz %h/Synology/%i"; StandardOutput = "journal"; diff --git a/home/sckova/terminal/default.nix b/home/sckova/terminal/default.nix index e87624e..a230d8d 100644 --- a/home/sckova/terminal/default.nix +++ b/home/sckova/terminal/default.nix @@ -66,6 +66,7 @@ }; core.pager = "${pkgs.bat}/bin/bat"; commit.gpgsign = true; + init.defaultBranch = "main"; }; }; bat = { diff --git a/home/sckova/terminal/neovim.nix b/home/sckova/terminal/neovim.nix index 4284b61..3610d8e 100644 --- a/home/sckova/terminal/neovim.nix +++ b/home/sckova/terminal/neovim.nix 
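Review bot: `sops.age.keyFile` is set to the literal path `/home/sckova/.config/sops/age/keys.txt`, duplicating the username this module already carries in `username = "sckova"`; if `config` is among the module's arguments (the function header is outside the hunk), `sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` keeps the two from drifting apart. Whichever form is kept, a one-line comment that this file is the unencrypted age identity and is expected to already exist on disk (nothing in this configuration creates it) will save the next reader a failed switch on a fresh machine.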
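Review bot: The unit that now reads `config.sops.templates."synology.conf".path` has no visible ordering against whatever renders that template: `synology-mount`'s `[Unit]` section lies outside the hunk, and if it does not declare `Unit.After = [ "sops-nix.service" ]` the mount can race the sops-nix user service at login and start with a missing config file. This assumes the home-manager module of sops-nix materialises secrets through its `sops-nix.service` user unit; confirm against the pinned revision in flake.lock. The new smb stanza also drops the `user = sckova` line the sftp stanza had; rclone's smb backend appears to fall back to the current OS user, which matches the user this service runs as, but an explicit `user = sckova` keeps the rendered config self-describing.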
@@ -5,7 +5,7 @@ ... }: { - home.sessionVariables.EDITOR = lib.mkForce "kitty nvim"; + home.sessionVariables.EDITOR = lib.mkForce "nvim"; programs.nixvim = { enable = true; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..7d9466c --- /dev/null +++ b/secrets/secrets.yaml 
@@ -0,0 +1,42 @@ +#ENC[AES256_GCM,data:TggQPAlRHvMKs5nMF7arHHoXjj6+1c0n1DuIS5UFXuRob9E2AHn3JCObcPW/IH0JOcg=,iv:PFDAr1ZQMu158TglCPFqK548LfOtYHT+7zon83JN8IY=,tag:72fhZeqDG7yK+pv1k330zA==,type:comment] +searxng_secret: ENC[AES256_GCM,data:j/PY84sAXdcP/WaekjhT+wYDa1Q9OBWchrAUKpW7ygSEMqbiIx5i/bmjyqjifnZqKvy/hgF/SA2ZbFKsQ5jjpQ==,iv:8Sv9WTjO+Vkrgmd+V6l7vdMPPtjBVkWfeG/DRsbhQYE=,tag:jc3HWlyAUUmkzZMnv8Kbmw==,type:str] +#ENC[AES256_GCM,data:HBJEtuvZUeUD51q8/d+d6lQ4Yke1RfHDqo4P9l21mbvF2rrHp0KRNH0=,iv:cNpmj145TKmF/bNQN3wFeAXoqWkLxu0bqvEhydRQZcs=,tag:x02R5lfpYUMZw3eSRA5MIA==,type:comment] +rclone_synology: ENC[AES256_GCM,data:2k9aYyXMDDYt740VUUvvTSUQ+ybK3PIkBetqw5wmCXYEumk=,iv:J3ZFY3iX7OHoriJNHbmCYHglwNeh+T1UP9q608wAXGU=,tag:QmyVZQiQzBhoB9jkOiruhw==,type:str] +#ENC[AES256_GCM,data:CvsKAAXJQWM8t5bc0eInokZr,iv:YpEJYqyDNGydfrUBoLeUyJsnai/jMAo0PojRmpVPmN8=,tag:9DoQE+Wic5OnWcGIZNFsIg==,type:comment] +sckova_password: ENC[AES256_GCM,data:JgXq8TyCGI072g==,iv:kPme4bkmAfj+np32LoAcDWoQA2qFnTdqnyTSwB2TvBk=,tag:hAPQ+dWW+7QstyEdvSvpGw==,type:str] +sops: + age: + - recipient: age1k9zp37p9sejvpvwu688t7jkl8utkugrsch7a9ahufpq7uhj609gqsd3wka + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtK09BZUN6aUhIQ0oyOU9N + UW5SWXJoUEJ1U2NLNnl3UjFFajd1U3MwUnpvCjhYa1RES3RSTTVURVU2bVp5b3A1 + dWVxRHQ1bGh5QUlxRmNhSXRnUDRUa1EKLS0tIHlnUFZDem9mdWFVNDNCQjM0OWND + OGF4VjkyTGt5ckl1T2RLRm8rUFUxQlUKSviKzkL/JLy/JTaKXCi5+hr5Cy6dtu+S + qOhPWCFcNVM6TaJnFNEik6r39E0+C6qmkzdxN1KLjLYzg+DEcxAOnA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dx9rwrkhqj8sfr8vdfsgrqjwqefzmgtugsp6ykklpudfw4hcnuyqx9x20e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzeW5WcG5jY3loVUl0RG9o + RUxKWmtLcnF3djE2MEoxMTVtVlNJMkJFNmpBCnhjL25TaUl1ZHpIK3c3OW5lcFNS + MFg2eXRPVjRxUHdiMEVrNCs5SGhWMjQKLS0tIHVscFNybnROUTQrRlRYa3FuWkhs + RFExdjVKRi9aMFNWQzBORmFyanNVdWMKUcQ3h7pCLCIi7PaITuAGxv3qLyypDHhY + 1HqXGNP82Xyu4coc6jWQ85dMvRfMkYar6zDNvJmPqHptiHfbDFcVTw== + -----END 
AGE ENCRYPTED FILE----- + lastmodified: "2026-04-03T13:51:22Z" + mac: ENC[AES256_GCM,data:jQtzEZWE6csGTQE939UAl3xA6ecqLD4aGRqw7KF7GqW0w3FTfC59uel1xM2Nl91Bg42TzYsO9WB3rox5daFAcUgoQE0TNMAbH+w/vkVc3NoJHrWQlV69j8zUAAiNgbAx30l1MIjLS/zJ6Xlt+jkj4FtPfK0d84V/O2KwCBAJ+uM=,iv:+u3muRmMuZJUcUNHJDOqzytxgK60YxxmawwQeUTm9aU=,tag:mR8lTA7dgfOqYqUvCAuYFQ==,type:str] + pgp: + - created_at: "2026-04-03T02:14:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DrD+TWkWMG9QSAQdAE1QnXASnQihE7xyQxHo48Dq5VBVG15vuyhPDeEPJsEsw + /oG3t56luiap+vilspLHdxzILvyHQfPpkEOlGvI4TD19t3gIKCOKDTHxMk8BW6p8 + 0lwBgKcqEZdEIHDj84CnG/6/9uK9ycuWiFN4PoTlrE10j+WVnFod1qHLV4ixbomE + kY50t/LrML5Q/oiqUrUk6h9+QrNPfpJ2ei06vpy23PYzrs43MLbAScWvyu9H+A== + =j6c/ + -----END PGP MESSAGE----- + fp: 7622FD7E6AB9F1E9D2CEFE2700F325187C68651A + unencrypted_suffix: _unencrypted + version: 3.12.2 diff --git a/sops-example.yaml b/sops-example.yaml new file mode 100644 index 0000000..23baaf7 --- /dev/null +++ b/sops-example.yaml @@ -0,0 +1,7 @@ +# nix-shell -p openssl --run 'openssl rand -hex 32' +searxng_secret: +# echo 'secretpassword' | rclone obscure - +rclone_synology: +# sckova's password +sckova_password: + diff --git a/sops.nix b/sops.nix new file mode 100644 index 0000000..73c5fe1 --- /dev/null +++ b/sops.nix @@ -0,0 +1,16 @@ +{ + config, + lib, + pkgs, + ... +}: +{ + sops = { + defaultSopsFile = ./secrets/secrets.yaml; + defaultSopsFormat = "yaml"; + secrets = { + searxng_secret = { }; + rclone_synology = { }; + }; + }; +} diff --git a/system/default.nix b/system/default.nix index c6c6b5f..0f96e81 100755 --- a/system/default.nix +++ b/system/default.nix @@ -14,6 +14,9 @@ email = "kovacsmillio@gmail.com"; }; + sops.secrets.sckova_password.neededForUsers = true; + users.users.sckova.hashedPasswordFile = config.sops.secrets.sckova_password.path; + boot = { plymouth.enable = true; plymouth.logo = "${pkgs.nixos-icons}/share/icons/hicolor/64x64/apps/nix-snowflake-white.png"; 
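Review bot: The `sckova_password` entry holds a short value (its AES-GCM ciphertext is well under the ~100 characters of a SHA-512 crypt hash, and sops ciphertext length matches plaintext length), so it cannot be a crypt hash, yet system/default.nix in this patch wires that secret to `users.users.sckova.hashedPasswordFile`, an option that expects the hashed form such as the `$6$…` value flake.nix used to carry. With a plaintext value there, password authentication for `sckova` would simply fail after the switch rather than use the intended password. Re-encrypt the secret with the output of `mkpasswd -m sha-512` (using a fresh password, since the previous hash sits in git history) and change the guidance in sops-example.yaml from `# sckova's password` to `# sckova's password hash: mkpasswd -m sha-512`.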
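Review bot: `config`, `lib` and `pkgs` are all taken as arguments of the new sops.nix module but none is referenced in its body; reducing the header to `{ ... }:` keeps the signature honest and avoids suggesting host- or package-dependent behaviour that is not there. Because this file is imported by both the NixOS configuration and home-manager (see the flake.nix hunks), a header comment naming the consumer of each secret would help, e.g. `# Shared by NixOS and home-manager: searxng_secret is read by system/searxng, rclone_synology by home/sckova/services/systemd.nix`. That comment also makes it obvious that `sckova_password`, declared separately in system/default.nix with `neededForUsers`, is intentionally not listed here.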
diff --git a/system/searxng/default.nix b/system/searxng/default.nix index 9aed6d4..e908f80 100644 --- a/system/searxng/default.nix +++ b/system/searxng/default.nix @@ -1,21 +1,19 @@ { lib, - pkgs, config, ... }: { + sops.templates."searxng.env".content = '' + SEARXNG_SECRET=${config.sops.placeholder.searxng_secret} + ''; services.searx = { enable = true; redisCreateLocally = true; + environmentFile = config.sops.templates."searxng.env".path; settings = { server = { - secret_key = lib.removeSuffix "\n" ( - builtins.readFile ( - pkgs.runCommand "gen-key" { buildInputs = [ pkgs.openssl ]; } "openssl rand -hex 32 > $out" - ) - ); port = 5364; bind_address = "127.0.0.1"; };