sops homemanager

2026-03-24 18:57:04 +01:00
parent aebfb0b480
commit 097078172e
10 changed files with 70 additions and 8 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+  - &host age1ammls20r5t3dx4cvhpt8n5dejxcpdmpqt37sa9r9fuztd8c43g4sz889zd
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+      - age:
+          - *host
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:

 let
  images = pkgs.callPackage ./home/themes/images.nix { };
@@ -8,6 +8,7 @@ in
  imports = [
    ./builds/steam/default.nix
    ./home/extras/printer.nix
+    ./home/extras/sops.nix
  ];

  # ── Use the systemd-boot EFI boot loader. ─────────────────────────────
@@ -98,7 +99,7 @@ in
        "render"
        "adbusers"
      ];
-      hashedPassword = "$6$pdAJt1f0v7Zb13Ri$1WpKrErAp5JCb7eXs7EeeWYRMBLu5/WKDdMyGzJyYQDijG2NiywUXpAkl/8p1noxOOqYbb.MTw7JmTzhWGsT21";
+      hashedPassword = config.sops.secrets.user_password.path;
    };
  };

--- a/flake.nix
+++ b/flake.nix
@@ -69,6 +69,9 @@
                  ./home/default-laptop.nix
                  catppuccin.homeModules.catppuccin
                ];
+                sharedModules = [
+                  inputs.sops-nix.homeManagerModules.sops
+                ];
              };
              nixpkgs.overlays = [
                # (import ./overlays/river-status.nix)
@@ -95,6 +98,7 @@
                users.elias.imports = [
                  ./home/default-desktop.nix
                  catppuccin.homeModules.catppuccin
+                  sops-nix.homeManagerModules.sops
                ];
              };
              nixpkgs.overlays = [
@@ -120,6 +124,7 @@
                users.elias.imports = [
                  ./home/default-desktop.nix
                  catppuccin.homeModules.catppuccin
+                  sops-nix.homeManagerModules.sops
                ];
              };
              nixpkgs.overlays = [
--- a/home/default.nix
+++ b/home/default.nix
@@ -48,6 +48,7 @@

      # sops
      sops
+      age
    ];

    stateVersion = "23.11";
--- a/home/extras/sops-HM.nix
+++ b/home/extras/sops-HM.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = "./secrets/secrets.yaml";
+    defaultSopsFormat = "yaml";
+    age.keyFile = "/etc/sops/keys.txt";
+  };
+}
--- a/home/extras/sops.nix
+++ b/home/extras/sops.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+  sops = {
+    defaultSopsFile = "./secrets/secrets.yaml";
+    defaultSopsFormat = "yaml";
+    age.keyFile = "/etc/sops/keys.txt";
+    secrets.user_password.neededForUsers = true;
+  };
+}
--- a/home/programs/git.nix
+++ b/home/programs/git.nix
@@ -1,4 +1,9 @@
-{ lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 {
  home.packages = with pkgs; [
@@ -15,12 +20,12 @@
          defaultBranch = "main";
        };
        user = {
-          email = "elias.schroeter@e.email";
-          name = "Elias Schröter";
+          email = config.sops.secrets.git.email.path;
+          name = config.sops.secrets.git.name.path;
        };
      };
      signing = {
-        key = "04F3A2ED4B33F254";
+        key = config.sops.secrets.git.signingkey.path;
        format = lib.mkForce "openpgp";
        signByDefault = true;
      };
--- a/home/programs/zsh.nix
+++ b/home/programs/zsh.nix
@@ -13,12 +13,17 @@
    enable = true;
    dotDir = "${config.xdg.configHome}/zsh";
    shellAliases = {
+      encryptSops = "sops --age age1ammls20r5t3dx4cvhpt8n5dejxcpdmpqt37sa9r9fuztd8c43g4sz889zd -e -i secrets/secrets.yaml";
      update = "sudo nixos-rebuild switch";
      conWG = "ssh elias@logout.nonagon.dev -p 6969";
      conWS = "ssh elias@192.168.31.200";
      setupPC = "wlr-randr --output HDMI-A-2 --on --mode 1920x1080 --pos 0,0;wlr-randr --output DVI-D-1 --on --mode 1920x1080 --pos 1920,0;wlr-randr --output DP-2 --on --mode 1920x1080 --pos 3840,0 --primary";
    };
    autosuggestion.enable = true;
+    localVariables = {
+      EDITOR = "nvim";
+      SOPS_AGE_KEY_FILE = "/etc/sops/keys.txt";
+    };
    enableCompletion = true;
    enableVteIntegration = true;
    history = {
--- a/home/services/ssh-agent.nix
+++ b/home/services/ssh-agent.nix
@@ -1,6 +1,5 @@
 { ... }:

 {
-  services.ssh-agent.enable = true;
+  services.ssh-agent.enable = false;
 }
-
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -0,0 +1,20 @@
+user_password: ENC[AES256_GCM,data:+y3eoDmYNSRA5b/ywkZdJ6ai4DbU19LKIk0EbvRt9qXyfswr5fhGEgHPa+vpdbSCEaUukcW1Ch1JcLpDV/EhiI+gErjxl4iB44ul1naUT+yVqZ00Q2s9OCjI9VpWH+fVcRpJpYdOGFsztg==,iv:6t+pKJxT00kSCF6QdR319oKXXtCbKQdkXW5lDaJotBE=,tag:DO8XyiwdGrg2wpRObo7law==,type:str]
+git:
+    email: ENC[AES256_GCM,data:kYE+lvW+oEUdC4ZDW402NmMJMSQO/kM=,iv:ZoOnRzpRRiWRQMWNF1ZG1cHdA2p7QZZ+GwPEKxopF8s=,tag:cQ+oD/WxQEM+NQ97fvjvpA==,type:str]
+    name: ENC[AES256_GCM,data:7wUAFW1wi3ToC3jZqUlw,iv:gSjo4uAEyznh805vpl8foQuV59ym0v5o0fANTb+YN0A=,tag:DXaZFwlYHQf4G1rJRC+uqA==,type:str]
+    signingkey: ENC[AES256_GCM,data:E8p3Y0Tzr1SnxAimkg5ktQ==,iv:eLdSOFB1m82dFYY+FG9BFuhOnWokVrKbfC+skT9umB4=,tag:Zb6OxpR6E6DwLQO0AN6T1A==,type:str]
+sops:
+    age:
+        - recipient: age1ammls20r5t3dx4cvhpt8n5dejxcpdmpqt37sa9r9fuztd8c43g4sz889zd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmOVE0cDNvSElzcEZhVlc3
+            NDY0OGRmd1FSMTFFblhOOTQwcmxJU0pnenkwCnFaMUtvWDFSeHhOYVd4MG9ZVDhH
+            Ym52c0FqQnVTR1B6TzJhdW9ZMmRTYm8KLS0tIDdaN08vS2NnRkV5dnVDUEFEaXZZ
+            WWc2ZXl4Mmpjck1JTXYvbTB2bzFnRmMKU7tLqqHSPpmwQluuxQ3UIhrGARneQc9+
+            8hJ4b8/KH9PczWlSqwhx1nOO+/e4ZNDjd6635CQlWWghBI3p/UjhqA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-23T10:14:56Z"
+    mac: ENC[AES256_GCM,data:JlqAMVVW4kaIlf2m9SasUW9n2DSvLNaZU00X6BUNtnYUA8bHJWpx4cg4A93Bo9n/EsR13Onw8JvAiDVE3GyILBe9OzpN2avNOvuR+/FVFBhJ8UMJwQcfd9VOcAwibCLZb8esw/bgvdNpy5sDJYGIr+DA2Io3kex19xMAFLBEZZg=,iv:XhUh3Z6Omzy5fu0JDikxYrUdvLEAsJZG1FIglKSDZP4=,tag:54SJxkShXCA+WZinjCXKsA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1