From 1988d45fbf780e2a1fa991295b006ce7d9f0a93b Mon Sep 17 00:00:00 2001
From: chase
Date: Sun, 8 Jun 2025 14:49:47 -0400
Subject: [PATCH] Improve secrets management with `sops-nix`

---
 .sops.yaml | 11 +++++++++++
 hosts/anzu/configuration.nix | 12 ++++++++++++
 hosts/anzu/hardware-configuration.nix | 9 ---------
 nixos/base.nix | 15 +++++++++++++++
 secrets.yaml | 16 ++++++++++++++++
 5 files changed, 54 insertions(+), 9 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..331d0ab
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+ - &users:
+ - &chase age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
+ - &hosts:
+ - &anzu age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *chase
+ - *anzu
diff --git a/hosts/anzu/configuration.nix b/hosts/anzu/configuration.nix
index 3e885a7..8872f37 100644
--- a/hosts/anzu/configuration.nix
+++ b/hosts/anzu/configuration.nix
@@ -18,5 +18,17 @@
 ];
 };
+ # Mount SMB share
+ fileSystems."/mnt/share" = {
+ device = "//haruko/share";
+ fsType = "cifs";
+ options = let
+ automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
+ username = "chase";
+ password = "$(cat ${config.sops.secrets."smb-password".path})";
+ in ["${automount_opts},username=${username},password=${password},uid=1000,gid=100"];
+ };
+ + system.stateVersion = "24.11";
 }
diff --git a/hosts/anzu/hardware-configuration.nix b/hosts/anzu/hardware-configuration.nix
index bea2def..035c1b5 100644
--- a/hosts/anzu/hardware-configuration.nix
+++ b/hosts/anzu/hardware-configuration.nix
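Review bot: The `&chase` and `&anzu` anchors carry the same age public key, so the users/hosts split in this hunk is cosmetic and the `key_groups` entry encrypts secrets.yaml (last hunk, which lists exactly one recipient) to a single identity. The base.nix hunk tells sops-nix to derive the host identity from `/etc/ssh/ssh_host_ed25519_key` (falling back to a generated `/var/lib/sops-nix/key.txt`); unless that identity's public key is the one listed here, activation on anzu will fail to decrypt, and if this is the user's personal key its private half would have to be present on the host. Replace `&anzu` with the host's own recipient (the age key derived from the host SSH public key, e.g. with `ssh-to-age`) and run `sops updatekeys secrets.yaml` so the file is encrypted to both keys, which also keeps the secret recoverable if either key is lost.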
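Review bot: The `password` binding in the new `options` block is an ordinary Nix string, so `$(cat …)` is never shell-expanded: the literal text `$(cat /run/…/smb-password)` is written into the generated fstab as the CIFS password and the mount cannot authenticate, and even if the substitution did work it would place the cleartext password in `/etc/fstab`, which NixOS generates into the world-readable store. Keep the secret out of the options string by pointing `credentials=` at the sops-managed file, as the removed hardware-configuration.nix block did with a static path: `in ["${automount_opts},credentials=${config.sops.secrets."smb-password".path},uid=1000,gid=100"];`, dropping the `username`/`password` bindings and storing the secret's plaintext in mount.cifs credentials format (`username=chase` and `password=…` lines, one per line). This also requires `config` to be among the module's function arguments, which lies outside the hunk; the enclosing attribute set starts before the hunk and its closing `}` is the hunk's last line.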
@@ -40,15 +40,6 @@
 {device = "/dev/disk/by-uuid/dd48a14e-2c90-465b-81a3-661d31ebf39f";}
 ];
- # Mount SMB share
- fileSystems."/mnt/share" = {
- device = "//haruko/share";
- fsType = "cifs";
- options = let
- automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
- in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
- };
-
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
 # still possible to use this option, but it's recommended to use it in conjunction
diff --git a/nixos/base.nix b/nixos/base.nix
index 2967dc4..55e358b 100644
--- a/nixos/base.nix
+++ b/nixos/base.nix
@@ -116,6 +116,21 @@
 vimAlias = true;
 };
+ sops = {
+ defaultSopsFile = ../secrets.yaml;
+ validateSopsFiles = false;
+
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ };
+
+ secrets = {
+ smb-password = {};
+ };
+
 # List packages installed in system profile.
 environment.systemPackages = with pkgs; [
 alejandra
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..91d1c04
--- /dev/null
+++ b/secrets.yaml
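Review bot: In the nixos/base.nix hunk, `secrets = { smb-password = {}; };` is added as a sibling of the `sops` attribute set rather than inside it, but the sops-nix option is `sops.secrets`; NixOS has no top-level `secrets` option, so evaluation fails with an undefined-option error and the `config.sops.secrets."smb-password".path` reference in hosts/anzu/configuration.nix has nothing to resolve. Move the three lines into the `sops = { … };` block, or replace them with `sops.secrets."smb-password" = {};`. Separately, `validateSopsFiles = false` switches off the build-time check that `defaultSopsFile` is a well-formed sops file; if that is intentional, a one-line comment such as `# validateSopsFiles = false because <reason>` would save the next reader from re-enabling it by mistake. The enclosing module attribute set begins and ends outside this hunk.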
@@ -0,0 +1,16 @@
+smb-password: ENC[AES256_GCM,data:LgxYSOZhj5DwvTwAoF0cLJezxYQ=,iv:is3PWEgvWmbFc39npdjD9qYrMo76wWAczZlo7LCoNf0=,tag:vanjCeI01KaL5STCSwxM/g==,type:str]
+sops:
+ age:
+ - recipient: age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UjJDeGRGT2tmM0l5empp
+ T25YQ2RZakFEQXFIOWJRWEo2OGhURzIyTEdBCjgvU3JxSHlldFQyUWMvSndoQ24r
+ Njk5YjlFc3pnaVJ3VkdhSm81T3FZeTAKLS0tIFZWdjFaN1BxaXpnc25lcDgrQ1gv
+ TkVHWWFVS1NMa3Q4c1NnK2xhZDdTaGMKFapQQONKJ04excJXhWzmKYe6UefYAmD6
+ QT6EOlUKZZhEE49rFeih0ZMtEzbFeP1fq8DxyRD+ditlAUIyCi4Uqw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-06-08T17:56:04Z"
+ mac: ENC[AES256_GCM,data:fFVK7hOu5MnZ8XKv+J3cOcHHNAdx+3L/HidlgRuCrI4KTMnkK+17MThF7xNblERQtMlb2qgz/I7A/4+GcaH/Whrgynduy+Bc6g7GlzZBnT7EhASt/TjMurqqH3AXcdFHiG2K7zhDYH4ssu8aPIDYpw2gCytQPNgqWkRjygkLrDo=,iv:E1Hh35wGOiiNMNFhRns48wtTMxe8mdj/ueU4nxYO8Ug=,tag:5OqmX0f2tSVdgqkEHjA60w==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2