use the sops home manager module

This commit is contained in:
Rouven Seifert 2023-02-26 01:02:01 +01:00
parent a06384c5d3
commit 5408a5ee19
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
8 changed files with 79 additions and 21 deletions


@ -1,17 +1,24 @@
keys: keys:
- &rouven 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09 - &yubi 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
- &rouven age1l80slr486r82csm758q2a32j2e2qdxdyxgh46um6thsjv08la9sq7475p6
- &thinkpad age1pwdahgk2yty9w8cw5ht90mral76h0ndp3vkp93xm4g0cttjlsvgqn8vlys - &thinkpad age1pwdahgk2yty9w8cw5ht90mral76h0ndp3vkp93xm4g0cttjlsvgqn8vlys
- &nuc age18z4z5pgw8eluu32xe3krg4sxd2rncsnjw6e2axcun7x3vrj62vhq8eyz00 - &nuc age18z4z5pgw8eluu32xe3krg4sxd2rncsnjw6e2axcun7x3vrj62vhq8eyz00
creation_rules: creation_rules:
- path_regex: secrets/thinkpad\.yaml$ - path_regex: secrets/thinkpad\.yaml$
key_groups: key_groups:
- pgp: - pgp:
- *rouven - *yubi
age: age:
- *thinkpad - *thinkpad
- path_regex: secrets/rouven\.yaml$
key_groups:
- pgp:
- *yubi
age:
- *rouven
- path_regex: secrets/nuc\.yaml$ - path_regex: secrets/nuc\.yaml$
key_groups: key_groups:
- pgp: - pgp:
- *rouven - *yubi
age: age:
- *nuc - *nuc
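Review bot: The anchor `&rouven` changes meaning in this hunk: it used to name the PGP fingerprint (now `&yubi`) and on the new third line it names an age recipient, so anyone comparing older creation rules will see `*rouven` silently switch key type. A more explicit name such as `&rouven-age`, or a comment on that line noting where the recipient comes from (presumably the user's SSH key, given the new home module), would remove the ambiguity. The `secrets/rouven\.yaml$` rule is the only one without a host age key, which looks intentional, but a one-line comment saying those secrets are meant to be readable only by the user key and the YubiKey would make that explicit.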


@ -33,9 +33,10 @@
home-manager.extraSpecialArgs = attrs; home-manager.extraSpecialArgs = attrs;
home-manager.users.rouven = { home-manager.users.rouven = {
imports = [ imports = [
nix-colors.homeManagerModule nix-colors.homeManagerModules.default
hyprland.homeManagerModules.default hyprland.homeManagerModules.default
nixvim.homeManagerModules.nixvim nixvim.homeManagerModules.nixvim
sops-nix.homeManagerModules.sops
]; ];
config = { config = {
colorScheme = nix-colors.colorSchemes.dracula; colorScheme = nix-colors.colorSchemes.dracula;

secrets/rouven.yaml Normal file

@ -0,0 +1,45 @@
email:
tu-dresden: ENC[AES256_GCM,data:bd5/rb4V60COzzCqych3Hfw=,iv:PUNE9amHlTc9PRST1LUpG1w/tOmP/VMOs3+3Zu3rLWw=,tag:iIc7yrrBC4iDkaRAD4nuVw==,type:str]
rfive: ENC[AES256_GCM,data:j51G8LkEu3e3HPhZVTrBDsjJkDGIMZ3PPw==,iv:FtcO97LF57h4p8ZyvZPQ7gsLlQUyg+RzyIPlPYhLYK0=,tag:XbDBwcvWAlbuLvvV0I+2LA==,type:str]
google: ENC[AES256_GCM,data:044yUHWp8PvtTytFwfCAhg==,iv:nRWzcxXCogombevZQxYsMuLL4us1kv6WKfChRphLR48=,tag:fnHxnweczc5bElK8kGa6rw==,type:str]
ifsr: ENC[AES256_GCM,data:debmpTL+VYNE3InslDyV0FW1sKjBFA==,iv:ZKwyOMsfQivesFoEJeDCNnPzOgwlP0xmJ0GNsA57njM=,tag:CJZhWTb2MfsR+rv2VY6Xmw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1l80slr486r82csm758q2a32j2e2qdxdyxgh46um6thsjv08la9sq7475p6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d1N1elJjb2c4OTAzMEs0
cDg4NXBtZW9OLzZGV2ZFeEdlcDhCeGpRTkJnCmdKU01ISnZWdTZqc01MR3lqSWRG
YmVSSVJ0b05GWGFVamtUbkRUNm1pZ2sKLS0tIERPNXlNZkdmbmZadVIwRWZpV1BM
N08rUm1KNCtOaHlYVnFZUFViZnNHeUkKvQTAtOKQqCJP54eV6bxxCWX5CKACPJQP
MBkKw0jbgjBI4SuDdPQVaXE0gEllJPjENUjqXGVatYbhBStbIraZQQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-25T23:44:24Z"
mac: ENC[AES256_GCM,data:OxfIyFsDaMRkCcafcfETLRUP0Riw7XXqz8/aLrF9/gSFYUix5SlqGCFqT1+GyhjIewQK88oe3AjVeKwuuFjqgXVEh2/4+rLIOvHaW1z+Io9QSdU7ReNRK3KtwRbnZuB2grwt5UXNmSFUntdfIiF33wsKpMFAAJRStFFVwt6fMyc=,iv:oDsZt3T7yFNutmTX6BNL4FCckz09pdORZxDvLRWE4eI=,tag:Y2Yi+tiKOUYOGF/iLfjhJg==,type:str]
pgp:
- created_at: "2023-02-25T23:44:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=pj83
-----END PGP MESSAGE-----
fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -5,11 +5,6 @@ wireguard:
dorm: dorm:
private: ENC[AES256_GCM,data:l2SEIEoljGLrEDWEVdfJiVdLafyAmlR4wKzKtz/xsLL6kEGveK/dgsDvjiU=,iv:5YktJB0g/2Agd+0+synPjZUsxxa5JPorFn975Vr/PF4=,tag:c6CmppUVMcjrip4YraBurQ==,type:str] private: ENC[AES256_GCM,data:l2SEIEoljGLrEDWEVdfJiVdLafyAmlR4wKzKtz/xsLL6kEGveK/dgsDvjiU=,iv:5YktJB0g/2Agd+0+synPjZUsxxa5JPorFn975Vr/PF4=,tag:c6CmppUVMcjrip4YraBurQ==,type:str]
preshared: ENC[AES256_GCM,data:sb6vHcYO6c+m2jegangICr3v2toTFdSwt/rgCKD7q4UB/qR8U5CaAEjQdXY=,iv:QwQbNxx4+xTL14ID10bS7HWxKWzkoMSV6wHu8qytbEU=,tag:ozsK2gqayY56uOTGZtCNqQ==,type:str] preshared: ENC[AES256_GCM,data:sb6vHcYO6c+m2jegangICr3v2toTFdSwt/rgCKD7q4UB/qR8U5CaAEjQdXY=,iv:QwQbNxx4+xTL14ID10bS7HWxKWzkoMSV6wHu8qytbEU=,tag:ozsK2gqayY56uOTGZtCNqQ==,type:str]
email:
tu-dresden: ENC[AES256_GCM,data:JRSfF2tnZX6NRPXFdJE5c7Q=,iv:phOzSD2XUcnvSneKtmMmB5zYrnXcZL1PzsurWLsy9gA=,tag:sxC5hLb7Rd4j5/mEi8Zu6A==,type:str]
rfive: ENC[AES256_GCM,data:noHhc37RxE/UZtTcllCb0r57ke7mauZNpQ==,iv:kbhXBDcRigSxbPyQu5HS8xG+WfehEYNi+uGC6lcvHEw=,tag:CPHmf85Fr54P8zj/dShazg==,type:str]
google: ENC[AES256_GCM,data:MObdBDErPOyPISOoc8zlQA==,iv:cPJgKjHR838Pm4O+WI52ZO4v4ds4GU351oU0HDSDfsg=,tag:dy+ApExgn26+3Osu5B2kaQ==,type:str]
ifsr: ENC[AES256_GCM,data:cJT5du8Jwy+rh286H55P2bEIIPtNpg==,iv:1qYzIqSWJ68GTGfl0x0YRZMPQAGAmibI1GKfdDWOrO4=,tag:sbHPs81bL88Ns75Mu+OUnQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -25,8 +20,8 @@ sops:
d1J5UHJDYjlZWEV1aEVDSmxhWDB0anMKMNzyd465AdMyX0o9NxF+hcLyROcd8xoJ d1J5UHJDYjlZWEV1aEVDSmxhWDB0anMKMNzyd465AdMyX0o9NxF+hcLyROcd8xoJ
39K5xIDzcqpu6HfoZk1kZ/TT1DS2Xiw0rDuJHWdfpnS8zNe6DL3a7Q== 39K5xIDzcqpu6HfoZk1kZ/TT1DS2Xiw0rDuJHWdfpnS8zNe6DL3a7Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-16T20:53:53Z" lastmodified: "2023-02-25T23:26:47Z"
mac: ENC[AES256_GCM,data:mcQexhVzXr28XF6KyN9MckSpD03q5tJl/IgL1CCeyvBRY4TkxBuTMKld22R9pp46StMfg16A2j2voTc546ayribLgIfn78wxa0sraaYoir+/xaF697EoO8UfthHPdmd8DHru7yoOFx0F4k2jNHGSIEi+FNrflUu+L8PxZ7Kyzms=,iv:HKW9WpufHCpUNSM048g2djj+h1vwB+gnL84hZH1LuJw=,tag:6Hj9ua1wsIvlsIvn5eOvXw==,type:str] mac: ENC[AES256_GCM,data:nfRwekR/4/trVfZfo0PAPp9aW/9ETHnMYLruACC0JjSTLa6Bfs1nCLwu+ylVX2dPD9LIZZRa9aKKSkCRYJxnqIW/uCs+RMWn+FDq9Cg35tbyEUaBIkhFz09LsSLfZKodqBrVjOGgxgTFfzn075EU0nCho3PRpUesMdIpX9PhTfM=,iv:FJ+rAPTmNXDrAguUJScZnHJ3SOH6/Znx2Mliz+eoR2M=,tag:Fc3CGH9KaPchGH0i9VY1Wg==,type:str]
pgp: pgp:
- created_at: "2023-02-16T20:53:51Z" - created_at: "2023-02-16T20:53:51Z"
enc: |- enc: |-
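Review bot: Removing the `email` entries from this file does not retire them: the previous revision stays in history encrypted to this file's recipients (the YubiKey and the thinkpad host key per the creation rules), so whoever could decrypt thinkpad.yaml before can still recover those passwords from git history. If the goal is that only the user-level key reaches them from now on, the passwords themselves need rotating; if it is purely a relocation, a sentence in the commit message saying so would spare the next reader the question. The refreshed `lastmodified` and `mac` are consistent with a plain removal and re-encryption.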


@ -1,11 +1,5 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
# email passwords
sops.secrets."email/tu-dresden".owner = "rouven";
sops.secrets."email/rfive".owner = "rouven";
sops.secrets."email/google".owner = "rouven";
sops.secrets."email/ifsr".owner = "rouven";
# generate system completions # generate system completions
programs.zsh.enable = true; programs.zsh.enable = true;


@ -3,12 +3,19 @@ let
gpg-default-key = "116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09"; gpg-default-key = "116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09";
in in
{ {
sops.secrets = {
"email/rfive" = {};
"email/tu-dresden" = {};
"email/ifsr" = {};
"email/google" = {};
};
home.packages = with pkgs; [ home.packages = with pkgs; [
imv imv
w3m w3m
urlview urlview
]; ];
services.mbsync.enable = true; services.mbsync.enable = true;
systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];
programs = { programs = {
neomutt = { neomutt = {
enable = true; enable = true;
@ -37,7 +44,7 @@ in
gpg.key = gpg-default-key; gpg.key = gpg-default-key;
realName = "Rouven Seifert"; realName = "Rouven Seifert";
userName = address; userName = address;
passwordCommand = "${pkgs.coreutils}/bin/cat /run/secrets/email/rfive"; passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/rfive";
imap = { imap = {
host = "pro1.mail.ovh.net"; host = "pro1.mail.ovh.net";
port = 993; port = 993;
@ -96,7 +103,7 @@ in
gpg.key = gpg-default-key; gpg.key = gpg-default-key;
realName = "Rouven Seifert"; realName = "Rouven Seifert";
userName = "rose159e"; userName = "rose159e";
passwordCommand = "${pkgs.coreutils}/bin/cat /run/secrets/email/tu-dresden"; passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/tu-dresden";
imap = { imap = {
host = "msx.tu-dresden.de"; host = "msx.tu-dresden.de";
port = 993; port = 993;
@ -160,7 +167,7 @@ in
gpg.key = gpg-default-key; gpg.key = gpg-default-key;
realName = "Rouven Seifert"; realName = "Rouven Seifert";
userName = "rouven.seifert"; userName = "rouven.seifert";
passwordCommand = "${pkgs.coreutils}/bin/cat /run/secrets/email/ifsr"; passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/ifsr";
imap = { imap = {
host = "mail.ifsr.de"; host = "mail.ifsr.de";
port = 143; port = 143;
@ -220,7 +227,7 @@ in
address = "seifertrouven@gmail.com"; address = "seifertrouven@gmail.com";
realName = "Rouven Seifert"; realName = "Rouven Seifert";
userName = address; userName = address;
passwordCommand = "${pkgs.coreutils}/bin/cat /run/secrets/email/google"; passwordCommand = "${pkgs.coreutils}/bin/cat $XDG_RUNTIME_DIR/secrets/email/google";
imap = { imap = {
host = "imap.gmail.com"; host = "imap.gmail.com";
port = 993; port = 993;
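Review bot: The new `passwordCommand` lines depend on `$XDG_RUNTIME_DIR` being set and exported in whatever environment mbsync and neomutt run in; when it is missing the command reads `/secrets/email/rfive` and the account silently fails, and the unquoted expansion is also subject to word splitting. The sops-nix home-manager module exposes the resolved location, so `passwordCommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."email/rfive".path}";` avoids both problems (assuming `config` is among this module's arguments, which the hunk does not show); the same applies to the tu-dresden, ifsr and google hunks below. `systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ]` only orders the two units and does not pull sops-nix in, so if the secrets service is not wanted by the target or fails, mbsync still starts without the files; adding a `Unit.Wants` or `Unit.Requires` entry alongside `After` makes the dependency explicit. The enclosing accounts attribute set continues outside these hunks.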


@ -10,6 +10,7 @@
./hyprland ./hyprland
./neovim ./neovim
./qutebrowser ./qutebrowser
./sops
./ssh ./ssh
./tmux ./tmux
./vifm ./vifm


@ -0,0 +1,8 @@
{ config, ... }:
{
sops = {
age.sshKeyPaths = [ "/home/${config.home.username}/.ssh/id_ed25519" ];
age.generateKey = false;
defaultSopsFile = ../../../../secrets/${config.home.username}.yaml;
};
}
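Review bot: `age.sshKeyPaths` hard-codes `/home/` in front of the username; `age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];` uses the value home-manager already maintains and keeps the module working where home directories live elsewhere. More importantly, this makes the user's SSH private key the sole non-hardware decryption identity for everything in `secrets/rouven.yaml`, and as far as I know the ssh-to-age conversion needs that key unencrypted on disk, so a copy of `id_ed25519` now yields the mail passwords as well as SSH access, and the key cannot be rotated without first updating the creation rules and re-keying the secrets files (`sops updatekeys`). A comment above the option recording that trade-off would help, e.g. `# the SSH key doubles as the age identity: rotating it requires updating the creation rules and re-keying secrets/*.yaml first`. `defaultSopsFile` copies the encrypted YAML into the nix store, which is fine for ciphertext, but the secret names inside it remain readable there, as sops only encrypts values.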