Improve secrets management with sops-nix

2025-06-08 14:49:47 -04:00
parent 034b693380
commit 1988d45fbf
5 changed files with 54 additions and 9 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+    - &users:
+      - &chase age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
+    - &hosts:
+      - &anzu age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
+creation_rules:
+    - path_regex: secrets.yaml$
+      key_groups:
+        - age:
+          - *chase
+          - *anzu
--- a/hosts/anzu/configuration.nix
+++ b/hosts/anzu/configuration.nix
@@ -18,5 +18,17 @@
    ];
  };

+  # Mount SMB share
+  fileSystems."/mnt/share" = {
+    device = "//haruko/share";
+    fsType = "cifs";
+    options = let
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
+      username = "chase";
+      password = "$(cat ${config.sops.secrets."smb-password".path})";
+    in ["${automount_opts},username=${username},password=${password},uid=1000,gid=100"];
+  };
+
+
  system.stateVersion = "24.11";
 }
--- a/hosts/anzu/hardware-configuration.nix
+++ b/hosts/anzu/hardware-configuration.nix
@@ -40,15 +40,6 @@
    {device = "/dev/disk/by-uuid/dd48a14e-2c90-465b-81a3-661d31ebf39f";}
  ];

-  # Mount SMB share
-  fileSystems."/mnt/share" = {
-    device = "//haruko/share";
-    fsType = "cifs";
-    options = let
-      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
-    in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
-  };
-
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
--- a/nixos/base.nix
+++ b/nixos/base.nix
@@ -116,6 +116,21 @@
    vimAlias = true;
  };

+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    validateSopsFiles = false;
+
+    age = {
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+  };
+
+  secrets = {
+    smb-password = {};
+  };
+
  # List packages installed in system profile.
  environment.systemPackages = with pkgs; [
    alejandra
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -0,0 +1,16 @@
+smb-password: ENC[AES256_GCM,data:LgxYSOZhj5DwvTwAoF0cLJezxYQ=,iv:is3PWEgvWmbFc39npdjD9qYrMo76wWAczZlo7LCoNf0=,tag:vanjCeI01KaL5STCSwxM/g==,type:str]
+sops:
+    age:
+        - recipient: age19uwxm2gynhjl9m90gckrkh76m9hjut44ak6d8969y4swhz8ypyeqvfcaas
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UjJDeGRGT2tmM0l5empp
+            T25YQ2RZakFEQXFIOWJRWEo2OGhURzIyTEdBCjgvU3JxSHlldFQyUWMvSndoQ24r
+            Njk5YjlFc3pnaVJ3VkdhSm81T3FZeTAKLS0tIFZWdjFaN1BxaXpnc25lcDgrQ1gv
+            TkVHWWFVS1NMa3Q4c1NnK2xhZDdTaGMKFapQQONKJ04excJXhWzmKYe6UefYAmD6
+            QT6EOlUKZZhEE49rFeih0ZMtEzbFeP1fq8DxyRD+ditlAUIyCi4Uqw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-08T17:56:04Z"
+    mac: ENC[AES256_GCM,data:fFVK7hOu5MnZ8XKv+J3cOcHHNAdx+3L/HidlgRuCrI4KTMnkK+17MThF7xNblERQtMlb2qgz/I7A/4+GcaH/Whrgynduy+Bc6g7GlzZBnT7EhASt/TjMurqqH3AXcdFHiG2K7zhDYH4ssu8aPIDYpw2gCytQPNgqWkRjygkLrDo=,iv:E1Hh35wGOiiNMNFhRns48wtTMxe8mdj/ueU4nxYO8Ug=,tag:5OqmX0f2tSVdgqkEHjA60w==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2