diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d79df70
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1awjelu4fqh5jyc49p3sujn0wc7zdz9xmj2aajaz7mp5fkwwtj4uqyp8fl8
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/configuration.nix b/configuration.nix
index 9b34ba3..2dde205 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -7,7 +7,7 @@
 {
 imports = [
 # Include the results of the hardware scan.
- ./hardware-configuration.nix
+ ./hardware-configuration.nix
 ];
 nix.settings.experimental-features = [ "nix-command" "flakes"];
@@ -80,6 +80,7 @@
 xkb.options = "compose:ralt";
 };
+ # sops.defaultSopsFile = "/home/muhh/nix-config/secrets/secrets.yaml";
 # Define a user account. Don't forget to set a password with ‘passwd’.
 users.users.muhh = {
 isNormalUser = true;
diff --git a/flake.lock b/flake.lock
index 694ae1d..5d38673 100644
--- a/flake.lock
+++ b/flake.lock
@@ -138,11 +138,11 @@
 ]
 },
 "locked": {
- "lastModified": 1710499337,
- "narHash": "sha256-FsPpFFw59MFU+E1PD6t9K9it17DaV5nU/+mWEkfS2YE=",
+ "lastModified": 1710714957,
+ "narHash": "sha256-eZCxuF58YWgaJMMRrn8oRkwRhxooe5kBS/s2wRVr9PA=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "ca922258e1682b435e632a5ca1910bbbed835345",
+ "rev": "7b3fca5adcf6c709874a8f2e0c364fe9c58db989",
 "type": "github"
 },
 "original": {
@@ -160,11 +160,11 @@
 ]
 },
 "locked": {
- "lastModified": 1710281778,
- "narHash": "sha256-bvWr9vvBrAxb44kHM3H3cY/uQg+4pYP1BM/Nu3e/7V8=",
+ "lastModified": 1710714957,
+ "narHash": "sha256-eZCxuF58YWgaJMMRrn8oRkwRhxooe5kBS/s2wRVr9PA=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "49a266d2ca59df8a03249550e73a54626181b65d",
+ "rev": "7b3fca5adcf6c709874a8f2e0c364fe9c58db989",
 "type": "github"
 },
 "original": {
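Review bot: Only one age recipient is listed, so `secrets/secrets.yaml` can be decrypted solely with the private key behind `age1awje…fl8`; if that `keys.txt` is lost or the machine is rebuilt, the secrets are unrecoverable. Consider adding a second (backup/offline) recipient under `- age:` and re-running `sops updatekeys` on the file, which the `&primary` anchor layout makes easy to extend. Note also that `path_regex: secrets/secrets.yaml$` matches that one file only; any further file under `secrets/` would need its own rule or a broader pattern such as `secrets/.*\.yaml$`, which is fine if a single file is intentional.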
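Review bot: The added line in the `@@ -80,6 +80,7 @@` hunk is commented-out configuration rather than configuration: `# sops.defaultSopsFile = "/home/muhh/nix-config/secrets/secrets.yaml";` names an absolute path in a home directory as a string, which the system flake presumably could not read under pure evaluation, and in any case the system-level sops module that flake.nix now imports has no `sops.*` option set here, so it contributes nothing. Either finish the system-side setup with the in-repo path (`sops.defaultSopsFile = ./secrets/secrets.yaml;`, mirroring home.nix) plus a decryption key the system can reach at activation, or drop the comment instead of leaving dead config. The enclosing attribute set starts and ends outside the hunk.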
@@ -181,11 +181,11 @@
 ]
 },
 "locked": {
- "lastModified": 1710281379,
- "narHash": "sha256-uFo9hxt982L3nFJeweW4Gip2esiGrIQlbvEGrNTh4AY=",
+ "lastModified": 1710717205,
+ "narHash": "sha256-Wf3gHh5uV6W1TV/A8X8QJf99a5ypDSugY4sNtdJDe0A=",
 "owner": "lnl7",
 "repo": "nix-darwin",
- "rev": "d9ea313bc4851670dc99c5cc979cb79750e7d670",
+ "rev": "bcc8afd06e237df060c85bad6af7128e05fd61a3",
 "type": "github"
 },
 "original": {
@@ -196,11 +196,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1710272261,
- "narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=",
+ "lastModified": 1710631334,
+ "narHash": "sha256-rL5LSYd85kplL5othxK5lmAtjyMOBg390sGBTb3LRMM=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "0ad13a6833440b8e238947e47bea7f11071dc2b2",
+ "rev": "c75037bbf9093a2acb617804ee46320d6d1fea5a",
 "type": "github"
 },
 "original": {
@@ -209,6 +209,22 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1710628718,
+ "narHash": "sha256-y+l3eH53UlENaYa1lmnCBHusZb1kxBEFd2/c7lDsGpw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "6dc11d9859d6a18ab0c5e5829a5b8e4810658de3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixvim": {
 "inputs": {
 "devshell": "devshell",
@@ -222,11 +238,11 @@
 "pre-commit-hooks": "pre-commit-hooks"
 },
 "locked": {
- "lastModified": 1710491356,
- "narHash": "sha256-DeMiM/lgf8HqeAcDU26EeMaoU0phB8mY2RVYBtpvZN0=",
+ "lastModified": 1710764166,
+ "narHash": "sha256-sn9+jsAxmSTKX5C31xTDqwGc+IAlz4Q5n+eVE+MRrZk=",
 "owner": "nix-community",
 "repo": "nixvim",
- "rev": "9f7c78852f37126244b43e71e5158cdc3d70ad0a",
+ "rev": "f876a0a2e9abc8945e312e6587b1f78d466de184",
 "type": "github"
 },
 "original": {
@@ -267,7 +283,29 @@
 "inputs": {
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
- "nixvim": "nixvim"
+ "nixvim": "nixvim",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1710644594,
+ "narHash": "sha256-RquCuzxfy4Nr8DPbdp3D/AsbYep21JgQzG8aMH9jJ4A=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "83b68a0e8c94b72cdd0a6e547a14ca7eb1c03616",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index db47f51..2d4cfa7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,10 @@
 url = "github:nix-community/nixvim";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
@@ -19,6 +23,7 @@
 nixpkgs,
 home-manager,
 nixvim,
+ sops-nix,
 ...
 } @ inputs: let
 inherit (self) outputs;
@@ -29,7 +34,10 @@
 nixosConfigurations = {
 muhhStar = lib.nixosSystem {
 inherit system;
- modules = [ ./configuration.nix ];
+ modules = [
+ inputs.sops-nix.nixosModules.sops
+ ./configuration.nix
+ ];
 };
 };
 homeConfigurations = {
@@ -43,6 +51,7 @@
 };
 modules = [
 inputs.nixvim.homeManagerModules.nixvim
+ inputs.sops-nix.homeManagerModules.sops
 ./home.nix
 ];
 };
diff --git a/home.nix b/home.nix
index 49f6c3b..3a22c7f 100644
--- a/home.nix
+++ b/home.nix
@@ -2,6 +2,9 @@
 {
 home.username = "muhh";
 home.homeDirectory = "/home/muhh";
+ home.activation.setupEtc = config.lib.dag.entryAfter [ "writeBoundary" ] ''
+ /run/current-system/sw/bin/systemctl start --user sops-nix
+ '';
 home.packages = with pkgs; [
 # # It is sometimes useful to fine-tune packages, for example, by applying
 # # overrides. You can do that directly here, just don't forget the
@@ -25,6 +28,7 @@
 neovide
 (nerdfonts.override { fonts = [ "Iosevka" ]; })
 obsidian
+ powertop
 qutebrowser
 solargraph
 tmux
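Review bot: In the flake.nix `@@ -19,6 +23,7 @@` hunk, `sops-nix` is added to the destructured `outputs` arguments, but the module references in the following two hunks go through `inputs.sops-nix.nixosModules.sops` and `inputs.sops-nix.homeManagerModules.sops`, so the new binding is never used (the pre-existing `nixvim` argument has the same issue). Either reference `sops-nix.nixosModules.sops` directly or drop the name from the pattern so the argument list declares only what the body uses. Separately, the locked `sops-nix` input brings its own `nixpkgs-stable` (`release-23.11`, visible in the flake.lock hunks); if a second nixpkgs checkout is unwanted, `inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing `inputs.nixpkgs.follows` line in the `@@ -12,6 +12,10 @@` hunk would avoid it. The `outputs` function body continues outside the hunk.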
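Review bot: In the home.nix `@@ -2,6 +2,9 @@` hunk the activation entry is named `setupEtc`, but what it runs is `systemctl start --user sops-nix`, so the name misdescribes it; and the hard-coded `/run/current-system/sw/bin/systemctl` exists only on NixOS while `pkgs` is already in scope in this file. I would write it as `home.activation.startSopsNix = config.lib.dag.entryAfter [ "writeBoundary" ] ''` / `  ${pkgs.systemd}/bin/systemctl start --user sops-nix` / `'';`. Activation will also fail outright if the user manager cannot be reached (for example when the switch is run from a session without a user D-Bus), which may be intended but deserves a comment such as `# secrets are only populated once the sops-nix user unit has run; start it during activation`. The enclosing attribute set continues outside the hunk.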
@@ -249,6 +253,7 @@
 ignorecase = true;
 number = true;
 relativenumber = true;
+ ruler = true;
 shiftwidth = 2;
 smartcase = true;
 tabstop = 2;
@@ -281,9 +286,7 @@
 closeIfLastWindow = true;
 };
 nix.enable = true;
- noice = {
- enable = true;
- };
+ noice.enable = true;
 notify.enable = true;
 nvim-autopairs.enable = true;
 nvim-colorizer.enable = true;
@@ -358,6 +361,14 @@
 };
 };
+ sops = {
+ age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+ defaultSopsFile = ./secrets/secrets.yaml;
+ secrets = {
+ just_a_test = {};
+ };
+ };
+
 wayland.windowManager = {
 sway = {
 enable = true;
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..b56cd80
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,21 @@
+just_a_test: ENC[AES256_GCM,data:HDhSG6BejOadBaeW,iv:idSJWRevqi4h/gaTREOt5tGfamRcxSUSmaelgyZUmu0=,tag:jo5lugFHpdjGeo/RtN86DA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1awjelu4fqh5jyc49p3sujn0wc7zdz9xmj2aajaz7mp5fkwwtj4uqyp8fl8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVG1iNURjT0IzcEJzZllI
+ dk5XZWpvN2kzRnJFYVFXbW0wZXJwU0YyV0VzCkxEbVcyOHUzREFyTlh5emZNN0lE
+ bHp1T1JXUCtIZ1pUa3d5ZHNUanBTM1UKLS0tIEF2Q2hTcWZmdU1DNFl4SGVzUXJR
+ aHFLbEp5TjRlSzdvVkpEdU5RZ2RKUlUK1/GYeQir6dDprPMJrKI+4tBJokKc8Azz
+ +pnBPXwXhAHIHXjKv88trcRkmFraOYkAu4lVpdyt/4FtbtvFvouBgw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-18T19:19:57Z"
+ mac: ENC[AES256_GCM,data:EusDIuYetHRL0I5b4Oqe7zfHV085/uQkrB4W/mApC+/ypaSKMkXrGBbhfj5tgveTVmXpaItK+WG/ynDptS0nQVsVOh4WCsuyGkltQsy3fLc0BxiIyr7qVBY2JccQO1Ssn83BXGEn3bhiBChFXLz7++/yEQtJrGqkF4lzCskJ8xQ=,iv:sEdyHOOe9tcJP7TG5CGOCw87HUE+d6lLL6Ypnx76yUw=,tag:JK/SPy+nQj3GdSsN6WttBg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/sops.nix b/sops.nix
new file mode 100644
index 0000000..6826f50
--- /dev/null
+++ b/sops.nix
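Review bot: The new `sops` block in the home.nix `@@ -358,6 +361,14 @@` hunk does not document what its two paths are, and the distinction matters: `age.keyFile` is the private age identity that decrypts the file (it must never be committed next to `.sops.yaml`, which holds only the public recipient), while `defaultSopsFile = ./secrets/secrets.yaml` is a path literal, so the encrypted file is copied into the world-readable Nix store, which is acceptable only because it is ciphertext. I would add `# private age identity; lives outside the repo, keep it 0600` above `age.keyFile` and `# sops-encrypted; safe to end up in /nix/store` above `defaultSopsFile`. `just_a_test = {}` is not referenced anywhere else in this diff, so it looks like a placeholder; if so, say so in a comment or remove it once a real secret replaces it. The enclosing attribute set begins and ends outside the hunk.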
@@ -0,0 +1,10 @@
+{ inputs, pkgs, ... }: {
+ # imports = [
+ # inputs.sops.homeManagerModules.sops
+ # ];
+
+ home.packages = with pkgs; [
+ sops
+ ];
+
+}
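Review bot: `sops.nix` is not imported anywhere in this diff — the home-manager `modules` list in flake.nix only adds `inputs.sops-nix.homeManagerModules.sops` and `./home.nix` — so the `sops` package it declares is never installed unless an import exists outside this change. The commented-out import also refers to `inputs.sops.homeManagerModules.sops`, whereas the flake input is named `sops-nix`, so the comment is stale even if uncommented, and the `inputs` argument is otherwise unused. Either add `./sops.nix` to the module list (or move `sops` into `home.packages` in home.nix) and delete the commented block, or drop the file.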