ICH HABE SOPS-NIX ANGEMACHT.

That was some headbreaker. A path in nix is not a string, quotes are not
good. See sops.defaultSopsFile.

This was a very important last puzzle piece. Finally.
This commit is contained in:
Markus Heurung 2024-03-18 20:29:06 +01:00
parent 6427cf36d8
commit 8106fbb14d
7 changed files with 118 additions and 21 deletions

7
.sops.yaml Normal file
View file

@ -0,0 +1,7 @@
keys:
- &primary age1awjelu4fqh5jyc49p3sujn0wc7zdz9xmj2aajaz7mp5fkwwtj4uqyp8fl8
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *primary

View file

@ -7,7 +7,7 @@
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./hardware-configuration.nix
];
nix.settings.experimental-features = [ "nix-command" "flakes"];
@ -80,6 +80,7 @@
xkb.options = "compose:ralt";
};
# sops.defaultSopsFile = "/home/muhh/nix-config/secrets/secrets.yaml";
# Define a user account. Don't forget to set a password with passwd.
users.users.muhh = {
isNormalUser = true;

View file

@ -138,11 +138,11 @@
]
},
"locked": {
"lastModified": 1710499337,
"narHash": "sha256-FsPpFFw59MFU+E1PD6t9K9it17DaV5nU/+mWEkfS2YE=",
"lastModified": 1710714957,
"narHash": "sha256-eZCxuF58YWgaJMMRrn8oRkwRhxooe5kBS/s2wRVr9PA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "ca922258e1682b435e632a5ca1910bbbed835345",
"rev": "7b3fca5adcf6c709874a8f2e0c364fe9c58db989",
"type": "github"
},
"original": {
@ -160,11 +160,11 @@
]
},
"locked": {
"lastModified": 1710281778,
"narHash": "sha256-bvWr9vvBrAxb44kHM3H3cY/uQg+4pYP1BM/Nu3e/7V8=",
"lastModified": 1710714957,
"narHash": "sha256-eZCxuF58YWgaJMMRrn8oRkwRhxooe5kBS/s2wRVr9PA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "49a266d2ca59df8a03249550e73a54626181b65d",
"rev": "7b3fca5adcf6c709874a8f2e0c364fe9c58db989",
"type": "github"
},
"original": {
@ -181,11 +181,11 @@
]
},
"locked": {
"lastModified": 1710281379,
"narHash": "sha256-uFo9hxt982L3nFJeweW4Gip2esiGrIQlbvEGrNTh4AY=",
"lastModified": 1710717205,
"narHash": "sha256-Wf3gHh5uV6W1TV/A8X8QJf99a5ypDSugY4sNtdJDe0A=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "d9ea313bc4851670dc99c5cc979cb79750e7d670",
"rev": "bcc8afd06e237df060c85bad6af7128e05fd61a3",
"type": "github"
},
"original": {
@ -196,11 +196,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1710272261,
"narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=",
"lastModified": 1710631334,
"narHash": "sha256-rL5LSYd85kplL5othxK5lmAtjyMOBg390sGBTb3LRMM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0ad13a6833440b8e238947e47bea7f11071dc2b2",
"rev": "c75037bbf9093a2acb617804ee46320d6d1fea5a",
"type": "github"
},
"original": {
@ -209,6 +209,22 @@
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1710628718,
"narHash": "sha256-y+l3eH53UlENaYa1lmnCBHusZb1kxBEFd2/c7lDsGpw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6dc11d9859d6a18ab0c5e5829a5b8e4810658de3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixvim": {
"inputs": {
"devshell": "devshell",
@ -222,11 +238,11 @@
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1710491356,
"narHash": "sha256-DeMiM/lgf8HqeAcDU26EeMaoU0phB8mY2RVYBtpvZN0=",
"lastModified": 1710764166,
"narHash": "sha256-sn9+jsAxmSTKX5C31xTDqwGc+IAlz4Q5n+eVE+MRrZk=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "9f7c78852f37126244b43e71e5158cdc3d70ad0a",
"rev": "f876a0a2e9abc8945e312e6587b1f78d466de184",
"type": "github"
},
"original": {
@ -267,7 +283,29 @@
"inputs": {
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"nixvim": "nixvim"
"nixvim": "nixvim",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1710644594,
"narHash": "sha256-RquCuzxfy4Nr8DPbdp3D/AsbYep21JgQzG8aMH9jJ4A=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "83b68a0e8c94b72cdd0a6e547a14ca7eb1c03616",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {

View file

@ -12,6 +12,10 @@
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {
@ -19,6 +23,7 @@
nixpkgs,
home-manager,
nixvim,
sops-nix,
...
} @ inputs: let
inherit (self) outputs;
@ -29,7 +34,10 @@
nixosConfigurations = {
muhhStar = lib.nixosSystem {
inherit system;
modules = [ ./configuration.nix ];
modules = [
inputs.sops-nix.nixosModules.sops
./configuration.nix
];
};
};
homeConfigurations = {
@ -43,6 +51,7 @@
};
modules = [
inputs.nixvim.homeManagerModules.nixvim
inputs.sops-nix.homeManagerModules.sops
./home.nix
];
};

View file

@ -2,6 +2,9 @@
{
home.username = "muhh";
home.homeDirectory = "/home/muhh";
home.activation.setupEtc = config.lib.dag.entryAfter [ "writeBoundary" ] ''
/run/current-system/sw/bin/systemctl start --user sops-nix
'';
home.packages = with pkgs; [
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
@ -25,6 +28,7 @@
neovide
(nerdfonts.override { fonts = [ "Iosevka" ]; })
obsidian
powertop
qutebrowser
solargraph
tmux
@ -249,6 +253,7 @@
ignorecase = true;
number = true;
relativenumber = true;
ruler = true;
shiftwidth = 2;
smartcase = true;
tabstop = 2;
@ -281,9 +286,7 @@
closeIfLastWindow = true;
};
nix.enable = true;
noice = {
enable = true;
};
noice.enable = true;
notify.enable = true;
nvim-autopairs.enable = true;
nvim-colorizer.enable = true;
@ -358,6 +361,14 @@
};
};
sops = {
age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
defaultSopsFile = ./secrets/secrets.yaml;
secrets = {
just_a_test = {};
};
};
wayland.windowManager = {
sway = {
enable = true;

21
secrets/secrets.yaml Normal file
View file

@ -0,0 +1,21 @@
just_a_test: ENC[AES256_GCM,data:HDhSG6BejOadBaeW,iv:idSJWRevqi4h/gaTREOt5tGfamRcxSUSmaelgyZUmu0=,tag:jo5lugFHpdjGeo/RtN86DA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1awjelu4fqh5jyc49p3sujn0wc7zdz9xmj2aajaz7mp5fkwwtj4uqyp8fl8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVG1iNURjT0IzcEJzZllI
dk5XZWpvN2kzRnJFYVFXbW0wZXJwU0YyV0VzCkxEbVcyOHUzREFyTlh5emZNN0lE
bHp1T1JXUCtIZ1pUa3d5ZHNUanBTM1UKLS0tIEF2Q2hTcWZmdU1DNFl4SGVzUXJR
aHFLbEp5TjRlSzdvVkpEdU5RZ2RKUlUK1/GYeQir6dDprPMJrKI+4tBJokKc8Azz
+pnBPXwXhAHIHXjKv88trcRkmFraOYkAu4lVpdyt/4FtbtvFvouBgw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-18T19:19:57Z"
mac: ENC[AES256_GCM,data:EusDIuYetHRL0I5b4Oqe7zfHV085/uQkrB4W/mApC+/ypaSKMkXrGBbhfj5tgveTVmXpaItK+WG/ynDptS0nQVsVOh4WCsuyGkltQsy3fLc0BxiIyr7qVBY2JccQO1Ssn83BXGEn3bhiBChFXLz7++/yEQtJrGqkF4lzCskJ8xQ=,iv:sEdyHOOe9tcJP7TG5CGOCw87HUE+d6lLL6Ypnx76yUw=,tag:JK/SPy+nQj3GdSsN6WttBg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

10
sops.nix Normal file
View file

@ -0,0 +1,10 @@
{ inputs, pkgs, ... }: {
# imports = [
# inputs.sops.homeManagerModules.sops
# ];
home.packages = with pkgs; [
sops
];
}