configured sops

No real secrets are added yet
This commit is contained in:
Rouven Seifert 2022-12-27 17:46:57 +01:00
parent bcd03bd6b3
commit fa685385b7
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
7 changed files with 215 additions and 10 deletions

10
.sops.yaml Normal file

@ -0,0 +1,10 @@
keys:
- &rouven 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
- &thinkpad age1s5aes35ku7d2600mwxu8jndvngqrpuuu2h6yrcetytgstkuzlsvstut3ge
creation_rules:
- path_regex: secrets/thinkpad\.yaml$
key_groups:
- pgp:
- *rouven
age:
- *thinkpad
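Review bot: The `&thinkpad` age recipient is an opaque public key with nothing saying where it came from, yet shared/sops.nix in this same commit ties decryption to `/etc/ssh/ssh_host_ed25519_key`, so this recipient must correspond to that host key and will silently stop working after a reinstall that regenerates it. A comment above the line such as `# age recipient matching thinkpad's /etc/ssh/ssh_host_ed25519_key (see shared/sops.nix); if the host key changes, replace this and run sops updatekeys on secrets/thinkpad.yaml` would make the dependency and the re-keying step explicit. Note also that the single creation rule only matches `secrets/thinkpad.yaml`, so a second host's secrets file will need its own rule (or a broader regex) before sops can encrypt it.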


@ -6,11 +6,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1671459164, "lastModified": 1671966569,
"narHash": "sha256-RbkDnvLV7WjbiF4Dpiezrf8kXxwieQXAVtY8ciRQj6Q=", "narHash": "sha256-jbLgfSnmLchARBNFRvCic63CFQ9LAyvlXnBpc2kwjQc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e7eba9cc46547ae86642ad3c6a9a4fb22c07bc26", "rev": "c55fa26ce05fee8e063db22918d05a73d430b2ea",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -35,13 +35,29 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1671923641,
"narHash": "sha256-flPauiL5UrfRJD+1oAcEefpEIUqTqnyKScWe/UUU+lE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "939c05a176b8485971463c18c44f48e56a7801c9",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1671313200, "lastModified": 1671883564,
"narHash": "sha256-itZTrtHeDJjV696+ur0/TzkTqb5y3Eb57WRLRPK3rwA=", "narHash": "sha256-C15oAtyupmLB3coZY7qzEHXjhtUx/+77olVdqVMruAg=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0938d73bb143f4ae037143572f11f4338c7b2d1c", "rev": "dac57a4eccf1442e8bf4030df6fcbb55883cb682",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -51,10 +67,46 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1671877799,
"narHash": "sha256-jjC0NtPOT4huSwyichdrKHVCjuGr1al7Wu6PcHo5XZs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8351f271f85dae1ee28269028acde661e60394dd",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"home-manager": "home-manager", "home-manager": "home-manager",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_3",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1671937829,
"narHash": "sha256-YtaNB+mLw0d67JFYNjRWM+/AL3JCXuD/DGlnTlyX1tY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "855b8d51fc3991bd817978f0f093aa6ae0fae738",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
}, },
"utils": { "utils": {


@ -3,9 +3,10 @@
inputs = { inputs = {
nixpkgs.url = github:nixos/nixpkgs/nixos-22.11; nixpkgs.url = github:nixos/nixpkgs/nixos-22.11;
home-manager.url = github:nix-community/home-manager; home-manager.url = github:nix-community/home-manager;
sops-nix.url = github:Mic92/sops-nix;
}; };
outputs = { self, nixpkgs, home-manager }: { outputs = { self, nixpkgs, home-manager, sops-nix }: {
nixosConfigurations = { nixosConfigurations = {
thinkpad = nixpkgs.lib.nixosSystem { thinkpad = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
@ -13,6 +14,7 @@
./hosts/thinkpad ./hosts/thinkpad
./users/rouven ./users/rouven
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
sops-nix.nixosModules.sops
]; ];
}; };
}; };
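Review bot: The new `sops-nix.url` input does not make sops-nix's own nixpkgs inputs follow the root `nixpkgs`, which is why flake.lock in this commit grows two extra nixpkgs pins (`nixpkgs_3` on nixpkgs-unstable and `nixpkgs-stable` on release-22.11) next to the system's nixos-22.11; that is more to audit and update, and the `sops` package you install comes from a different nixpkgs than the rest of the system. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` and `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` under `inputs` collapses those to the one pinned tree. The unpinned `github:Mic92/sops-nix` URL itself is fine, since flake.lock records the exact revision. The `outputs` attrset continues past the end of this hunk.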


@ -7,6 +7,7 @@
./modules/autorandr ./modules/autorandr
../../shared/vim.nix ../../shared/vim.nix
../../shared/input.nix ../../shared/input.nix
../../shared/sops.nix
]; ];
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
@ -15,8 +16,9 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "thinkpad"; # Define your hostname. networking.hostName = "thinkpad";
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. sops.defaultSopsFile = ../../secrets/thinkpad.yaml;
networking.networkmanager.enable = true;
networking.firewall = { networking.firewall = {
allowedUDPPorts = [ 51820 ]; # used for wireguard allowedUDPPorts = [ 51820 ]; # used for wireguard
checkReversePath = false; checkReversePath = false;
@ -90,6 +92,7 @@
printing.enable = true; printing.enable = true;
fprintd.enable = true; # log in using fingerprint fprintd.enable = true; # log in using fingerprint
picom.enable = true; picom.enable = true;
openssh.enable = true;
}; };
programs.steam.enable = true; # putting steam in here since home manager weirdly complains about it programs.steam.enable = true; # putting steam in here since home manager weirdly complains about it
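Review bot: `openssh.enable = true;` starts sshd on a laptop that otherwise logs in locally via fprintd, and with the nixos-22.11 defaults this flake pins that also opens port 22 in the firewall and leaves password authentication enabled — a wider exposure than the commit message ("configured sops") suggests. Given `sops.age.sshKeyPaths` in shared/sops.nix, I assume sshd was turned on so the host key at /etc/ssh/ssh_host_ed25519_key gets generated rather than for remote logins; if so, keep the key generation but close the rest: `openssh = { enable = true; passwordAuthentication = false; openFirewall = false; };` (and drop `openFirewall = false` only if you actually SSH into this machine). The enclosing `services` attrset starts outside this hunk.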

88
keys/gpg/rouven.asc Normal file

@ -0,0 +1,88 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=JFdx
-----END PGP PUBLIC KEY BLOCK-----

41
secrets/thinkpad.yaml Normal file

@ -0,0 +1,41 @@
o: ENC[AES256_GCM,data:OQ==,iv:bxliflmDvVoZkuJXrOGc1kh8/urnWdbt3wFcLmPcDf8=,tag:dk0FgO/KZGou4ujnZTpmOA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1s5aes35ku7d2600mwxu8jndvngqrpuuu2h6yrcetytgstkuzlsvstut3ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbk81MnpjSzRBdmFJNFhV
RE9oZHFuUzd3bWRuNDI3VEpYK2VTMXdBSlNVCkJjS0dnc1NzenpzYWdydkJ0enVB
dGJVU2hTKzV1bDV2VnJ1Y0xBaHVoZW8KLS0tIGtaelVQNFFtMDVndlpoMFpKY3p2
S0NwYWFQcmFtTm5zTEZLVXRtMi91Zk0K3ylHH4OXduJlJxepPz9GxBzVmKGpv9LL
ApkEQxfPL4Bxrb2XOFLOYqJGv2SwxBv1QNYT7eTXRLTEsIXUHR0MGA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-27T16:39:22Z"
mac: ENC[AES256_GCM,data:ziliEa5Nqxpgp8fAQ89TjnUvCpSH813aViSpBZGqAq+fO0QSsNOIGiTCVoEskwAhIUK733rheJpBKfhApGk87Z/aZeUV3KYMhA80n8J5TMwqXAMoIqlYVXJv/HkRF40yafkSlDewURgUE+dx/IqKT++XOA5/S6E2lyLvTpsEyDc=,iv:gste7RZyzgrE8FdLYruAvdc6Obq/KCJFx4YPd4NWEjs=,tag:BGwL2z/6rgW6hZTcQ7hFMQ==,type:str]
pgp:
- created_at: "2022-12-27T16:39:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=hdQ0
-----END PGP MESSAGE-----
fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
unencrypted_suffix: _unencrypted
version: 3.7.3
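Review bot: The placeholder key `o` is harmless now, but it is worth remembering when real secrets land here that sops only encrypts values — every top-level key name, and the fact that the file is encrypted to this host's age recipient and to the `116987A8…` PGP fingerprint, stays readable in the public repo. Keep key names non-descriptive where the name itself would leak something (an account name, an internal hostname), or accept that as public. Nothing else in this file is user-authored, so no further change is needed.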

9
shared/sops.nix Normal file

@ -0,0 +1,9 @@
{config, pkgs, ...}:
{
environment.systemPackages = with pkgs; [ sops ];
# directory party
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.generateKey = false;
}