From 5408a5ee19952ab43f7e34ad3fd5ea8adf3d9a63 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Sun, 26 Feb 2023 01:02:01 +0100
Subject: [PATCH] use the sops home manager module
---
.sops.yaml | 13 +++++--
flake.nix | 3 +-
secrets/rouven.yaml | 45 +++++++++++++++++++++++
secrets/thinkpad.yaml | 9 +----
users/rouven/fixes.nix | 6 ---
users/rouven/modules/accounts/default.nix | 15 ++++++--
users/rouven/modules/default.nix | 1 +
users/rouven/modules/sops/default.nix | 8 ++++
8 files changed, 79 insertions(+), 21 deletions(-)
create mode 100644 secrets/rouven.yaml
create mode 100644 users/rouven/modules/sops/default.nix
diff --git a/.sops.yaml b/.sops.yaml
index 62edb02..25a6033 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,17 +1,24 @@
keys:
- - &rouven 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
+ - &yubi 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
+ - &rouven age1l80slr486r82csm758q2a32j2e2qdxdyxgh46um6thsjv08la9sq7475p6
- &thinkpad age1pwdahgk2yty9w8cw5ht90mral76h0ndp3vkp93xm4g0cttjlsvgqn8vlys
- &nuc age18z4z5pgw8eluu32xe3krg4sxd2rncsnjw6e2axcun7x3vrj62vhq8eyz00
creation_rules:
- path_regex: secrets/thinkpad\.yaml$
key_groups:
- pgp:
- - *rouven
+ - *yubi
age:
- *thinkpad
+ - path_regex: secrets/rouven\.yaml$
+ key_groups:
+ - pgp:
+ - *yubi
+ age:
+ - *rouven
- path_regex: secrets/nuc\.yaml$
key_groups:
- pgp:
- - *rouven
+ - *yubi
age:
- *nuc
diff --git a/flake.nix b/flake.nix
index c0c5781..06c0110 100644
--- a/flake.nix
+++ b/flake.nix
@@ -33,9 +33,10 @@
home-manager.extraSpecialArgs = attrs;
home-manager.users.rouven = {
imports = [
- nix-colors.homeManagerModule
+ nix-colors.homeManagerModules.default
hyprland.homeManagerModules.default
nixvim.homeManagerModules.nixvim
+ sops-nix.homeManagerModules.sops
];
config = {
colorScheme = nix-colors.colorSchemes.dracula;
diff --git a/secrets/rouven.yaml b/secrets/rouven.yaml
new file mode 100644
index 0000000..3ff72dd
--- /dev/null
+++ b/secrets/rouven.yaml
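Review bot: The `&rouven` anchor changes meaning in the .sops.yaml hunk — it used to name the PGP fingerprint (now `&yubi`) and now names an age recipient — and nothing in the file says where that age key comes from or which machine can use it. A one-line comment on the new key would save the next reader a trip through the home-manager module: `# age recipient for rouven's user-level secrets; presumably derived from that user's ~/.ssh/id_ed25519 (see users/rouven/modules/sops) — confirm`. The new creation rule for secrets/rouven\.yaml$ lists the same two recipients (yubi PGP, rouven age) that the metadata of the new secrets/rouven.yaml records, so the rule and the file agree.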
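Review bot: `sops-nix.homeManagerModules.sops` on the last added line of the flake.nix hunk refers to a `sops-nix` binding this hunk does not introduce, and the enclosing `outputs` attrset starts outside the hunk, so it is worth checking that `sops-nix` is already a flake input; the diffstat shows no flake.lock change, which suggests it is (the NixOS-side `sops.secrets` lines removed from fixes.nix would have needed the same input). The `nix-colors.homeManagerModule` → `nix-colors.homeManagerModules.default` rename on the first changed line is unrelated to the commit subject and would be easier to bisect as its own commit.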
@@ -0,0 +1,45 @@
+email:
+ tu-dresden: ENC[AES256_GCM,data:bd5/rb4V60COzzCqych3Hfw=,iv:PUNE9amHlTc9PRST1LUpG1w/tOmP/VMOs3+3Zu3rLWw=,tag:iIc7yrrBC4iDkaRAD4nuVw==,type:str]
+ rfive: ENC[AES256_GCM,data:j51G8LkEu3e3HPhZVTrBDsjJkDGIMZ3PPw==,iv:FtcO97LF57h4p8ZyvZPQ7gsLlQUyg+RzyIPlPYhLYK0=,tag:XbDBwcvWAlbuLvvV0I+2LA==,type:str]
+ google: ENC[AES256_GCM,data:044yUHWp8PvtTytFwfCAhg==,iv:nRWzcxXCogombevZQxYsMuLL4us1kv6WKfChRphLR48=,tag:fnHxnweczc5bElK8kGa6rw==,type:str]
+ ifsr: ENC[AES256_GCM,data:debmpTL+VYNE3InslDyV0FW1sKjBFA==,iv:ZKwyOMsfQivesFoEJeDCNnPzOgwlP0xmJ0GNsA57njM=,tag:CJZhWTb2MfsR+rv2VY6Xmw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1l80slr486r82csm758q2a32j2e2qdxdyxgh46um6thsjv08la9sq7475p6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d1N1elJjb2c4OTAzMEs0
+ cDg4NXBtZW9OLzZGV2ZFeEdlcDhCeGpRTkJnCmdKU01ISnZWdTZqc01MR3lqSWRG
+ YmVSSVJ0b05GWGFVamtUbkRUNm1pZ2sKLS0tIERPNXlNZkdmbmZadVIwRWZpV1BM
+ N08rUm1KNCtOaHlYVnFZUFViZnNHeUkKvQTAtOKQqCJP54eV6bxxCWX5CKACPJQP
+ MBkKw0jbgjBI4SuDdPQVaXE0gEllJPjENUjqXGVatYbhBStbIraZQQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-02-25T23:44:24Z"
+ mac: ENC[AES256_GCM,data:OxfIyFsDaMRkCcafcfETLRUP0Riw7XXqz8/aLrF9/gSFYUix5SlqGCFqT1+GyhjIewQK88oe3AjVeKwuuFjqgXVEh2/4+rLIOvHaW1z+Io9QSdU7ReNRK3KtwRbnZuB2grwt5UXNmSFUntdfIiF33wsKpMFAAJRStFFVwt6fMyc=,iv:oDsZt3T7yFNutmTX6BNL4FCckz09pdORZxDvLRWE4eI=,tag:Y2Yi+tiKOUYOGF/iLfjhJg==,type:str]
+ pgp:
+ - created_at: "2023-02-25T23:44:24Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMAzUXo8ZPJwGLARAAja+e+NQECvY7Pq8jVEvrTDZVWtywNXUhWIHaoA6dQG0y
+ gbl4rTnOGEaTQbLZuT6HMHvu20ejgu48Xw34phKjw4S0nTL8PKH/euaQPPGt0qIS
+ NEClOSPE+1l2UN7DbK/ViNNpPePi/ApM0dvc+Kmywy7vlDXT39JNWb/bHIpl95vK
+ 4LQ1oL1hQ8thRnVa8vhyEGx89eAKNV7+b8rhMAAwai83TBMZK8p/HS9PegXDYRPA
+ ZReBbuWD4za89jWQyKSJZul2sDwfnrih+FLyCZp1BHyUIoi96ysFH1NrX8mQ/LgO
+ 8G4q0593DJ/M9ergP3RngjIJ6xj/ZS2ggaFeE3H/YD9R8DV/QtjrnIzwpLPKyxmi
+ hX6/VGHYghpRNonsB4IJZSyqTNJAdkqQE6DN3xIxw25j49i90C+5pAn3YYvc/Pac
+ O8Ra0kfh6ELxG9DdmJr3mWj+Co3L7mjD/q6Np5YRWwKcT4VLLBJaIobeE7FH+6DC
+ Ti2hzz5Zj9wAH6KB8VjtjXUGguaH1Dx5H26w+pdkwFlBaDXg3V7UXrAxhN7DoV8a
+ pvjO7bRIMdOfCVLXs+z3QjUY++kMK1zfO1vek3JSt9p0d9QQ5zez9ddqE12BMEJ1
+ rdm5IZEY52zqohXQ4MgC61beE8KEGvGA4EqI4XUBQFLLLKUP63u6liiJ4qODR2TS
+ UQGzV/RwExLowpG03J0te1EavWwLiGC+Nrq51ycWCAJOMsJ4ANcMsYfvxuVUQSaT
+ xrS8y7eZ8gZWNy3toaZK39bns4dBVKs9XtVWatsycx4REw==
+ =pj83
+ -----END PGP MESSAGE-----
+ fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/secrets/thinkpad.yaml b/secrets/thinkpad.yaml
index 3079e37..aeba6f9 100644
--- a/secrets/thinkpad.yaml
+++ b/secrets/thinkpad.yaml
@@ -5,11 +5,6 @@ wireguard:
dorm:
private: ENC[AES256_GCM,data:l2SEIEoljGLrEDWEVdfJiVdLafyAmlR4wKzKtz/xsLL6kEGveK/dgsDvjiU=,iv:5YktJB0g/2Agd+0+synPjZUsxxa5JPorFn975Vr/PF4=,tag:c6CmppUVMcjrip4YraBurQ==,type:str]
preshared: ENC[AES256_GCM,data:sb6vHcYO6c+m2jegangICr3v2toTFdSwt/rgCKD7q4UB/qR8U5CaAEjQdXY=,iv:QwQbNxx4+xTL14ID10bS7HWxKWzkoMSV6wHu8qytbEU=,tag:ozsK2gqayY56uOTGZtCNqQ==,type:str]
-email:
- tu-dresden: ENC[AES256_GCM,data:JRSfF2tnZX6NRPXFdJE5c7Q=,iv:phOzSD2XUcnvSneKtmMmB5zYrnXcZL1PzsurWLsy9gA=,tag:sxC5hLb7Rd4j5/mEi8Zu6A==,type:str]
- rfive: ENC[AES256_GCM,data:noHhc37RxE/UZtTcllCb0r57ke7mauZNpQ==,iv:kbhXBDcRigSxbPyQu5HS8xG+WfehEYNi+uGC6lcvHEw=,tag:CPHmf85Fr54P8zj/dShazg==,type:str]
- google: ENC[AES256_GCM,data:MObdBDErPOyPISOoc8zlQA==,iv:cPJgKjHR838Pm4O+WI52ZO4v4ds4GU351oU0HDSDfsg=,tag:dy+ApExgn26+3Osu5B2kaQ==,type:str]
- ifsr: ENC[AES256_GCM,data:cJT5du8Jwy+rh286H55P2bEIIPtNpg==,iv:1qYzIqSWJ68GTGfl0x0YRZMPQAGAmibI1GKfdDWOrO4=,tag:sbHPs81bL88Ns75Mu+OUnQ==,type:str]
sops:
kms: []
gcp_kms: []
@@ -25,8 +20,8 @@ sops:
d1J5UHJDYjlZWEV1aEVDSmxhWDB0anMKMNzyd465AdMyX0o9NxF+hcLyROcd8xoJ
39K5xIDzcqpu6HfoZk1kZ/TT1DS2Xiw0rDuJHWdfpnS8zNe6DL3a7Q==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-02-16T20:53:53Z"
- mac: ENC[AES256_GCM,data:mcQexhVzXr28XF6KyN9MckSpD03q5tJl/IgL1CCeyvBRY4TkxBuTMKld22R9pp46StMfg16A2j2voTc546ayribLgIfn78wxa0sraaYoir+/xaF697EoO8UfthHPdmd8DHru7yoOFx0F4k2jNHGSIEi+FNrflUu+L8PxZ7Kyzms=,iv:HKW9WpufHCpUNSM048g2djj+h1vwB+gnL84hZH1LuJw=,tag:6Hj9ua1wsIvlsIvn5eOvXw==,type:str]
+ lastmodified: "2023-02-25T23:26:47Z"
+ mac: ENC[AES256_GCM,data:nfRwekR/4/trVfZfo0PAPp9aW/9ETHnMYLruACC0JjSTLa6Bfs1nCLwu+ylVX2dPD9LIZZRa9aKKSkCRYJxnqIW/uCs+RMWn+FDq9Cg35tbyEUaBIkhFz09LsSLfZKodqBrVjOGgxgTFfzn075EU0nCho3PRpUesMdIpX9PhTfM=,iv:FJ+rAPTmNXDrAguUJScZnHJ3SOH6/Znx2Mliz+eoR2M=,tag:Fc3CGH9KaPchGH0i9VY1Wg==,type:str]
pgp:
- created_at: "2023-02-16T20:53:51Z"
enc: |-
diff --git a/users/rouven/fixes.nix b/users/rouven/fixes.nix
index a8a3c92..aa5b56f 100644
--- a/users/rouven/fixes.nix
+++ b/users/rouven/fixes.nix
@@ -1,11 +1,5 @@
{ config, pkgs, ... }:
{
- # email passwords
- sops.secrets."email/tu-dresden".owner = "rouven";
- sops.secrets."email/rfive".owner = "rouven";
- sops.secrets."email/google".owner = "rouven";
- sops.secrets."email/ifsr".owner = "rouven";
-
# generate system completions
programs.zsh.enable = true;
diff --git a/users/rouven/modules/accounts/default.nix b/users/rouven/modules/accounts/default.nix
index 111c2df..82bd5d6 100644
--- a/users/rouven/modules/accounts/default.nix
+++ b/users/rouven/modules/accounts/default.nix
@@ -3,12 +3,19 @@ let
gpg-default-key = "116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09";
in
{
+ sops.secrets = {
+ "email/rfive" = {};
+ "email/tu-dresden" = {};
+ "email/ifsr" = {};
+ "email/google" = {};
+ };
home.packages = with pkgs; [
imv
w3m
urlview
];
services.mbsync.enable = true;
+ systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];
programs = {
neomutt = {
enable = true;
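Review bot: `systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];` in the accounts/default.nix hunk only orders the two units; it does not pull `sops-nix.service` into the same transaction, so on a session where that unit is not otherwise started mbsync may run before the secrets exist and fail its `passwordCommand`. Adding `systemd.user.services.mbsync.Unit.Wants = [ "sops-nix.service" ];` next to the `After` line expresses the dependency as well as the ordering. The four `sops.secrets` entries are declared as empty attrsets, which is fine, but a short comment would tie them to their consumers, e.g. `# decrypted by the sops-nix home-manager module under $XDG_RUNTIME_DIR/secrets; read by the passwordCommands below`. The `programs = {` attrset opened at the end of this hunk continues outside it.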
@@ -37,7 +44,7 @@ in
gpg.key = gpg-default-key;
realName = "Rouven Seifert";
userName = address;
- passwordCommand = "${pkgs.coreutils}/bin/cat /run/secrets/email/rfive";
+ passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/rfive";
imap = {
host = "pro1.mail.ovh.net";
port = 993;
@@ -96,7 +103,7 @@ in
gpg.key = gpg-default-key;
realName = "Rouven Seifert";
userName = "rose159e";
- passwordCommand = "${pkgs.coreutils}/bin/cat /run/secrets/email/tu-dresden";
+ passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/tu-dresden";
imap = {
host = "msx.tu-dresden.de";
port = 993;
@@ -160,7 +167,7 @@ in
gpg.key = gpg-default-key;
realName = "Rouven Seifert";
userName = "rouven.seifert";
- passwordCommand = "${pkgs.coreutils}/bin/cat /run/secrets/email/ifsr";
+ passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/ifsr";
imap = {
host = "mail.ifsr.de";
port = 143;
@@ -220,7 +227,7 @@ in
address = "seifertrouven@gmail.com";
realName = "Rouven Seifert";
userName = address;
- passwordCommand = "${pkgs.coreutils}/bin/cat /run/secrets/email/google";
+ passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/google";
imap = {
host = "imap.gmail.com";
port = 993;
diff --git a/users/rouven/modules/default.nix b/users/rouven/modules/default.nix
index d09c311..7a2f1be 100644
--- a/users/rouven/modules/default.nix
+++ b/users/rouven/modules/default.nix
@@ -10,6 +10,7 @@
./hyprland
./neovim
./qutebrowser
+ ./sops
./ssh
./tmux
./vifm
diff --git a/users/rouven/modules/sops/default.nix b/users/rouven/modules/sops/default.nix
new file mode 100644
index 0000000..0f87d67
--- /dev/null
+++ b/users/rouven/modules/sops/default.nix
@@ -0,0 +1,8 @@
+{ config, ... }:
+{
+ sops = {
+ age.sshKeyPaths = [ "/home/${config.home.username}/.ssh/id_ed25519" ];
+ age.generateKey = false;
+ defaultSopsFile = ../../../../secrets/${config.home.username}.yaml;
+ };
+}
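Review bot: The new `passwordCommand` lines depend on `$XDG_RUNTIME_DIR` being expanded at run time, which only holds when the consumer runs the command through a shell with that variable set — true for a systemd user service such as mbsync, less certain for neomutt started from an unusual session. The sops-nix home-manager module already knows each secret's final location, so `passwordCommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."email/rfive".path}";` pins the exact file without relying on the environment, assuming `config` is a module argument here (the module header is outside the hunk); the same applies to the tu-dresden, ifsr and google hunks that follow. The account attrsets holding these lines begin and end outside the hunks.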
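Review bot: `age.sshKeyPaths` in the new users/rouven/modules/sops/default.nix hard-codes `/home/${config.home.username}` although `config` is already taken as an argument and `config.home.homeDirectory` is the value home-manager itself uses; `age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];` stays correct when the home is not under /home. Because this makes the user's SSH private key the decryption identity for everything in secrets/<username>.yaml (the mail passwords, per the accounts module), a header comment should say so for whoever rotates keys later, e.g. `# The user's SSH key doubles as the age identity for secrets/<username>.yaml; replacing it means re-keying that file and updating the age recipient in .sops.yaml.` With `age.generateKey = false` there is no fallback identity, so a missing or unreadable id_ed25519 presumably leaves every secret undecrypted — worth stating in the same comment.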