Improve secrets management with sops-nix

2025-06-08 14:49:47 -04:00
parent 034b693380
commit 1988d45fbf
5 changed files with 54 additions and 9 deletions

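--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+- &users:
+- &chase age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
+- &hosts:
+- &anzu age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
+creation_rules:
+- path_regex: secrets.yaml$
+key_groups:
+- age:
+- *chase
+- *anzu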
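Review bot: The host anchor `&anzu` carries exactly the same age recipient as the user anchor `&chase`, so the `key_groups` rule collapses to a single recipient (secrets.yaml accordingly lists only one `recipient:` entry). If that is the admin's personal key, the host can only decrypt at activation by having that private key deployed on it, which removes the user/host separation the `users:`/`hosts:` grouping implies and means a host compromise exposes the key used to edit every secret; if it is a copy-paste placeholder, anzu will fail to decrypt, since its sops-nix config derives the host key from `/etc/ssh/ssh_host_ed25519_key` or `/var/lib/sops-nix/key.txt`. Replace `&anzu` with the host's own recipient (e.g. the output of `ssh-to-age` on the host's ed25519 public key, or the public half of key.txt) and run `sops updatekeys secrets.yaml` so the file gains a second recipient; a distinct recovery key is also worth adding so loss of one private key does not make the secrets unrecoverable.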


@@ -18,5 +18,17 @@
]; ];
}; };
# Mount SMB share
fileSystems."/mnt/share" = {
device = "//haruko/share";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
username = "chase";
password = "$(cat ${config.sops.secrets."smb-password".path})";
in ["${automount_opts},username=${username},password=${password},uid=1000,gid=100"];
};
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }
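Review bot: `password = "$(cat ${config.sops.secrets."smb-password".path})"` on the added options line is a Nix string, so the `$(cat …)` is never shell-evaluated: `fileSystems.*.options` are written verbatim into /etc/fstab and the generated mount unit, and mount.cifs receives the literal text `$(cat /run/secrets/smb-password)` as the password. Even if it resolved, a `password=` mount option is exposed in world-readable /etc/fstab and in `mount`/`ps` output, which defeats the purpose of moving the secret into sops. Keep the `credentials=` mechanism the removed block used, but point it at a root-only file rendered from the secret with `sops.templates`, as below; this requires the secret to actually be declared under `sops.secrets` (the other hunk appears to declare it outside the `sops` set). The enclosing module attribute set opens before this hunk.
```nix
  fileSystems."/mnt/share" = {
    device = "//haruko/share";
    fsType = "cifs";
    options = let
      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
    in ["${automount_opts},credentials=${config.sops.templates."smb-credentials".path},uid=1000,gid=100"];
  };

  # Render a mount.cifs credentials file (root-only, under /run) from the sops secret,
  # so the password never appears in /etc/fstab or in process arguments.
  sops.templates."smb-credentials".content = ''
    username=chase
    password=${config.sops.placeholder."smb-password"}
  '';
  # … unchanged: system.stateVersion …
```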


@@ -40,15 +40,6 @@
{device = "/dev/disk/by-uuid/dd48a14e-2c90-465b-81a3-661d31ebf39f";} {device = "/dev/disk/by-uuid/dd48a14e-2c90-465b-81a3-661d31ebf39f";}
]; ];
# Mount SMB share
fileSystems."/mnt/share" = {
device = "//haruko/share";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction


@@ -116,6 +116,21 @@
vimAlias = true; vimAlias = true;
}; };
sops = {
defaultSopsFile = ../secrets.yaml;
validateSopsFiles = false;
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
secrets = {
smb-password = {};
};
# List packages installed in system profile. # List packages installed in system profile.
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
alejandra alejandra
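Review bot: `secrets = { smb-password = {}; };` sits outside the `sops = { … };` set, which the `};` directly after the `age` block already closes (indentation is lost in this rendering, but the brace count is unambiguous), so it defines a top-level `secrets` option rather than `sops.secrets`; NixOS should reject that as an undefined option, and it leaves `config.sops.secrets."smb-password"` referenced by the SMB mount in the other host file undefined. Replace the three lines with `sops.secrets."smb-password" = {};` or move the attribute inside the `sops` set. `validateSopsFiles = false;` disables sops-nix's evaluation-time check that the sops file is well-formed and contains the declared keys, so a typo in the key name would now surface only at activation; since `defaultSopsFile = ../secrets.yaml;` is a path literal that is copied into the store, the check should be able to run, and if it genuinely cannot a one-line comment such as `# validateSopsFiles = false: TODO state why evaluation-time validation must be skipped` would document the trade-off. The enclosing configuration set continues outside the hunk.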

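--- /dev/null
+++ b/secrets.yaml
@@ -0,0 +1,16 @@
+smb-password: ENC[AES256_GCM,data:LgxYSOZhj5DwvTwAoF0cLJezxYQ=,iv:is3PWEgvWmbFc39npdjD9qYrMo76wWAczZlo7LCoNf0=,tag:vanjCeI01KaL5STCSwxM/g==,type:str]
+sops:
+age:
+- recipient: age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UjJDeGRGT2tmM0l5empp
+T25YQ2RZakFEQXFIOWJRWEo2OGhURzIyTEdBCjgvU3JxSHlldFQyUWMvSndoQ24r
+Njk5YjlFc3pnaVJ3VkdhSm81T3FZeTAKLS0tIFZWdjFaN1BxaXpnc25lcDgrQ1gv
+TkVHWWFVS1NMa3Q4c1NnK2xhZDdTaGMKFapQQONKJ04excJXhWzmKYe6UefYAmD6
+QT6EOlUKZZhEE49rFeih0ZMtEzbFeP1fq8DxyRD+ditlAUIyCi4Uqw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-06-08T17:56:04Z"
+mac: ENC[AES256_GCM,data:fFVK7hOu5MnZ8XKv+J3cOcHHNAdx+3L/HidlgRuCrI4KTMnkK+17MThF7xNblERQtMlb2qgz/I7A/4+GcaH/Whrgynduy+Bc6g7GlzZBnT7EhASt/TjMurqqH3AXcdFHiG2K7zhDYH4ssu8aPIDYpw2gCytQPNgqWkRjygkLrDo=,iv:E1Hh35wGOiiNMNFhRns48wtTMxe8mdj/ueU4nxYO8Ug=,tag:5OqmX0f2tSVdgqkEHjA60w==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.10.2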