ICH HABE SOPS-NIX ANGEMACHT.
That was a real head-scratcher. A path in Nix is not a string, so it must not be quoted; see sops.defaultSopsFile. This was a very important last puzzle piece. Finally.
parent
6427cf36d8
commit
8106fbb14d
7 changed files with 118 additions and 21 deletions
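--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+- &primary age1awjelu4fqh5jyc49p3sujn0wc7zdz9xmj2aajaz7mp5fkwwtj4uqyp8fl8
+creation_rules:
+- path_regex: secrets/secrets.yaml$
+key_groups:
+- age:
+- *primary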
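Review bot: The `path_regex` in the creation rule leaves the dot unescaped, so it also matches names such as `secrets/secretsXyaml`; `path_regex: secrets/secrets\.yaml$` states the intent exactly. The rule also encrypts to a single age recipient (`&primary`), so losing that one private key makes the secrets file unrecoverable. A second recipient whose key is kept offline, added under `keys:` and to the `age:` list, would cover that. A short comment above `keys:` saying which machine or user holds the matching private key would help whoever rotates it later.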
|
@ -7,7 +7,7 @@
|
|||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes"];
|
||||
|
@ -80,6 +80,7 @@
|
|||
xkb.options = "compose:ralt";
|
||||
};
|
||||
|
||||
# sops.defaultSopsFile = "/home/muhh/nix-config/secrets/secrets.yaml";
|
||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||
users.users.muhh = {
|
||||
isNormalUser = true;
|
||||
|
|
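Review bot: The commented-out `# sops.defaultSopsFile = "/home/muhh/nix-config/secrets/secrets.yaml";` added just before the user-account comment is dead configuration, and it preserves exactly the quoted-string form the commit message says does not work. Either delete it or replace it with a one-line comment that records the lesson, for example `# sops.defaultSopsFile takes a Nix path (./secrets/secrets.yaml), not a quoted string`. The enclosing attribute set starts and ends outside the hunk, so whether a system-level sops block exists elsewhere in the file cannot be seen from here.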
70
flake.lock
70
flake.lock
|
@ -138,11 +138,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710499337,
|
||||
"narHash": "sha256-FsPpFFw59MFU+E1PD6t9K9it17DaV5nU/+mWEkfS2YE=",
|
||||
"lastModified": 1710714957,
|
||||
"narHash": "sha256-eZCxuF58YWgaJMMRrn8oRkwRhxooe5kBS/s2wRVr9PA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "ca922258e1682b435e632a5ca1910bbbed835345",
|
||||
"rev": "7b3fca5adcf6c709874a8f2e0c364fe9c58db989",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -160,11 +160,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710281778,
|
||||
"narHash": "sha256-bvWr9vvBrAxb44kHM3H3cY/uQg+4pYP1BM/Nu3e/7V8=",
|
||||
"lastModified": 1710714957,
|
||||
"narHash": "sha256-eZCxuF58YWgaJMMRrn8oRkwRhxooe5kBS/s2wRVr9PA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "49a266d2ca59df8a03249550e73a54626181b65d",
|
||||
"rev": "7b3fca5adcf6c709874a8f2e0c364fe9c58db989",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -181,11 +181,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710281379,
|
||||
"narHash": "sha256-uFo9hxt982L3nFJeweW4Gip2esiGrIQlbvEGrNTh4AY=",
|
||||
"lastModified": 1710717205,
|
||||
"narHash": "sha256-Wf3gHh5uV6W1TV/A8X8QJf99a5ypDSugY4sNtdJDe0A=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "d9ea313bc4851670dc99c5cc979cb79750e7d670",
|
||||
"rev": "bcc8afd06e237df060c85bad6af7128e05fd61a3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -196,11 +196,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1710272261,
|
||||
"narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=",
|
||||
"lastModified": 1710631334,
|
||||
"narHash": "sha256-rL5LSYd85kplL5othxK5lmAtjyMOBg390sGBTb3LRMM=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "0ad13a6833440b8e238947e47bea7f11071dc2b2",
|
||||
"rev": "c75037bbf9093a2acb617804ee46320d6d1fea5a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -209,6 +209,22 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1710628718,
|
||||
"narHash": "sha256-y+l3eH53UlENaYa1lmnCBHusZb1kxBEFd2/c7lDsGpw=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6dc11d9859d6a18ab0c5e5829a5b8e4810658de3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-23.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixvim": {
|
||||
"inputs": {
|
||||
"devshell": "devshell",
|
||||
|
@ -222,11 +238,11 @@
|
|||
"pre-commit-hooks": "pre-commit-hooks"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710491356,
|
||||
"narHash": "sha256-DeMiM/lgf8HqeAcDU26EeMaoU0phB8mY2RVYBtpvZN0=",
|
||||
"lastModified": 1710764166,
|
||||
"narHash": "sha256-sn9+jsAxmSTKX5C31xTDqwGc+IAlz4Q5n+eVE+MRrZk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixvim",
|
||||
"rev": "9f7c78852f37126244b43e71e5158cdc3d70ad0a",
|
||||
"rev": "f876a0a2e9abc8945e312e6587b1f78d466de184",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -267,7 +283,29 @@
|
|||
"inputs": {
|
||||
"home-manager": "home-manager",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixvim": "nixvim"
|
||||
"nixvim": "nixvim",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710644594,
|
||||
"narHash": "sha256-RquCuzxfy4Nr8DPbdp3D/AsbYep21JgQzG8aMH9jJ4A=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "83b68a0e8c94b72cdd0a6e547a14ca7eb1c03616",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
|
|
11
flake.nix
11
flake.nix
|
@ -12,6 +12,10 @@
|
|||
url = "github:nix-community/nixvim";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = {
|
||||
|
@ -19,6 +23,7 @@
|
|||
nixpkgs,
|
||||
home-manager,
|
||||
nixvim,
|
||||
sops-nix,
|
||||
...
|
||||
} @ inputs: let
|
||||
inherit (self) outputs;
|
||||
|
@ -29,7 +34,10 @@
|
|||
nixosConfigurations = {
|
||||
muhhStar = lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = [ ./configuration.nix ];
|
||||
modules = [
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
./configuration.nix
|
||||
];
|
||||
};
|
||||
};
|
||||
homeConfigurations = {
|
||||
|
@ -43,6 +51,7 @@
|
|||
};
|
||||
modules = [
|
||||
inputs.nixvim.homeManagerModules.nixvim
|
||||
inputs.sops-nix.homeManagerModules.sops
|
||||
./home.nix
|
||||
];
|
||||
};
|
||||
|
|
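Review bot: The new `sops-nix` input follows `nixpkgs` but not its second input, and the lock file in this commit gains a separate `nixpkgs-stable` node (ref `release-23.11`) that exists only for sops-nix. Adding `inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing `follows` line would drop that extra pinned tree from the lock and leave one fewer source to review on each update. `inputs.sops-nix.nixosModules.sops` is also added to `muhhStar`, while the only system-level sops setting visible in this commit is commented out, so the module appears to be loaded without configuration; a comment saying it is a placeholder would make that deliberate. The `sops-nix` name added to the `outputs` argument set is not used in the visible hunks, since both module references go through `inputs`.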
17
home.nix
17
home.nix
|
@ -2,6 +2,9 @@
|
|||
{
|
||||
home.username = "muhh";
|
||||
home.homeDirectory = "/home/muhh";
|
||||
home.activation.setupEtc = config.lib.dag.entryAfter [ "writeBoundary" ] ''
|
||||
/run/current-system/sw/bin/systemctl start --user sops-nix
|
||||
'';
|
||||
home.packages = with pkgs; [
|
||||
# # It is sometimes useful to fine-tune packages, for example, by applying
|
||||
# # overrides. You can do that directly here, just don't forget the
|
||||
|
@ -25,6 +28,7 @@
|
|||
neovide
|
||||
(nerdfonts.override { fonts = [ "Iosevka" ]; })
|
||||
obsidian
|
||||
powertop
|
||||
qutebrowser
|
||||
solargraph
|
||||
tmux
|
||||
|
@ -249,6 +253,7 @@
|
|||
ignorecase = true;
|
||||
number = true;
|
||||
relativenumber = true;
|
||||
ruler = true;
|
||||
shiftwidth = 2;
|
||||
smartcase = true;
|
||||
tabstop = 2;
|
||||
|
@ -281,9 +286,7 @@
|
|||
closeIfLastWindow = true;
|
||||
};
|
||||
nix.enable = true;
|
||||
noice = {
|
||||
enable = true;
|
||||
};
|
||||
noice.enable = true;
|
||||
notify.enable = true;
|
||||
nvim-autopairs.enable = true;
|
||||
nvim-colorizer.enable = true;
|
||||
|
@ -358,6 +361,14 @@
|
|||
};
|
||||
};
|
||||
|
||||
sops = {
|
||||
age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
|
||||
defaultSopsFile = ./secrets/secrets.yaml;
|
||||
secrets = {
|
||||
just_a_test = {};
|
||||
};
|
||||
};
|
||||
|
||||
wayland.windowManager = {
|
||||
sway = {
|
||||
enable = true;
|
||||
|
|
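Review bot: The activation entry added at the top of the file is called `setupEtc` although it only starts the sops-nix user unit, and it calls `systemctl` without Home Manager's dry-run prefix, so a dry-run activation would still start the unit. Renaming it and guarding the command, `home.activation.startSopsNix = config.lib.dag.entryAfter [ "writeBoundary" ] ''` with `$DRY_RUN_CMD /run/current-system/sw/bin/systemctl start --user sops-nix`, would fix both. The hard-coded `/run/current-system` path presumably only resolves on NixOS, which is worth a comment. In the `sops` block, `age.keyFile` points at the private key under `xdg.configHome`; a comment stating that this file must exist before activation, stay out of the repository and be readable only by the user would document the one part of the setup the flake cannot provide. The surrounding attribute set starts and ends outside these hunks.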
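--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,21 @@
+just_a_test: ENC[AES256_GCM,data:HDhSG6BejOadBaeW,iv:idSJWRevqi4h/gaTREOt5tGfamRcxSUSmaelgyZUmu0=,tag:jo5lugFHpdjGeo/RtN86DA==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1awjelu4fqh5jyc49p3sujn0wc7zdz9xmj2aajaz7mp5fkwwtj4uqyp8fl8
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVG1iNURjT0IzcEJzZllI
+dk5XZWpvN2kzRnJFYVFXbW0wZXJwU0YyV0VzCkxEbVcyOHUzREFyTlh5emZNN0lE
+bHp1T1JXUCtIZ1pUa3d5ZHNUanBTM1UKLS0tIEF2Q2hTcWZmdU1DNFl4SGVzUXJR
+aHFLbEp5TjRlSzdvVkpEdU5RZ2RKUlUK1/GYeQir6dDprPMJrKI+4tBJokKc8Azz
++pnBPXwXhAHIHXjKv88trcRkmFraOYkAu4lVpdyt/4FtbtvFvouBgw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-03-18T19:19:57Z"
+mac: ENC[AES256_GCM,data:EusDIuYetHRL0I5b4Oqe7zfHV085/uQkrB4W/mApC+/ypaSKMkXrGBbhfj5tgveTVmXpaItK+WG/ynDptS0nQVsVOh4WCsuyGkltQsy3fLc0BxiIyr7qVBY2JccQO1Ssn83BXGEn3bhiBChFXLz7++/yEQtJrGqkF4lzCskJ8xQ=,iv:sEdyHOOe9tcJP7TG5CGOCw87HUE+d6lLL6Ypnx76yUw=,tag:JK/SPy+nQj3GdSsN6WttBg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1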
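--- /dev/null
+++ b/sops.nix
@@ -0,0 +1,10 @@
+{ inputs, pkgs, ... }: {
+# imports = [
+# inputs.sops.homeManagerModules.sops
+# ];
+
+home.packages = with pkgs; [
+sops
+];
+
+}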
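Review bot: Nothing visible in this commit imports `sops.nix`: the Home Manager module list in `flake.nix` names only the nixvim module, the sops-nix module and `./home.nix`. Unless `home.nix` imports it outside the shown hunks, its `home.packages` entry for `sops` is never evaluated; confirm the import or move `sops` into the package list in `home.nix`. The commented-out import names `inputs.sops`, while the flake input is called `sops-nix`, so uncommenting it as written would fail. Since `flake.nix` already loads `inputs.sops-nix.homeManagerModules.sops`, the comment block and the unused `inputs` argument can be removed.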