Add sops

2024-03-06 20:17:04 +01:00 · 2024-03-06 20:17:04 +01:00 · a7250e9581
commit a7250e9581
parent fd6d93d0cf
10 changed files with 158 additions and 9 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,17 @@
 keys:
  - &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
  - &server_gunter age1whxf34vjdndqzwgm7yyaexdm46gdnv9sf3nal7qqyjr0nyhhndlsrmc0g3
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini|toml)
    key_groups:
      - age:
        - *admin_torjus
  - path_regex: secrets/gunter/[^/]+\.(yaml|json|env|ini|toml)
    key_groups:
      - age:
        - *admin_torjus
        - *server_gunter
  - path_regex: secrets/torjus/[^/]+\.(yaml|json|env|ini|toml)
    key_groups:
      - age:
        - *admin_torjus
--- a/flake.lock
+++ b/flake.lock
@ -37,6 +37,22 @@
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1709428628,
        "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1709479366,
@ -53,11 +69,47 @@
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1709356872,
        "narHash": "sha256-mvxCirJbtkP0cZ6ABdwcgTk0u3bgLoIoEFIoYBvD6+4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "458b097d81f90275b3fdf03796f0563844926708",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1709711091,
        "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -9,9 +9,10 @@
      url = "github:nix-community/home-manager?ref=release-23.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix.url = "github:Mic92/sops-nix";
  };
-  outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, ... }@inputs:
    let
      system = "x86_64-linux";
      user = "torjus";
@ -36,10 +37,11 @@
        };
        gunter = nixpkgs.lib.nixosSystem {
          inherit system;
-          specialArgs = { inherit inputs self user; };
+          specialArgs = { inherit inputs self user sops-nix; };
          modules = [
            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
            ./hosts/gunter
            sops-nix.nixosModules.sops
          ];
        };
      };
--- a/home/default.nix
+++ b/home/default.nix
@ -1,4 +1,4 @@
-{ pkgs, inputs, self, user, ... }: {
+{ pkgs, inputs, user, ... }: {
  imports = [ inputs.home-manager.nixosModules.home-manager ];
  home-manager = {
    useUserPackages = true;
@ -6,6 +6,8 @@
    extraSpecialArgs = { inherit pkgs inputs user; };
    users.${user} = { pkgs, ... }: {
      imports = [
        inputs.sops-nix.homeManagerModules.sops
        ./sops
        ./editor/neovim
        ./programs/firefox
        ./programs/tmux
--- a/home/packages/default.nix
+++ b/home/packages/default.nix
@ -28,6 +28,7 @@
    restic
    ripgrep
    rofi-rbw-wayland
    sops
    spotify
    spicetify-cli
    sshfs
--- a/home/services/backup-home.nix
+++ b/home/services/backup-home.nix
@ -1,10 +1,17 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 let
  # Backup home script
  backup-home = pkgs.writeShellScriptBin "backup-home.sh"
    ''
      export RESTIC_PASSWORD="gunter.home.2rjus.net"
      export RESTIC_REPOSITORY="rest:http://10.69.12.52:8000/gunter.home.2rjus.net"
      GOTIFY_TOKEN=$(<"$XDG_RUNTIME_DIR/gotify_backup_home.txt")
      if [ -z "$GOTIFY_TOKEN" ]; then
        ${pkgs.libnotify}/bin/notify-send -u critical "Backup issue" "No Gotify token found"
      fi
      echo "GOTIFY_TOKEN=$GOTIFY_TOKEN"
      # Send start notification
      ${pkgs.libnotify}/bin/notify-send -e -t 3000 "Backup started" "Backup of /home/torjus started"
@ -26,7 +33,7 @@ let
          retval=$?
          if [ $retval -ne 0 ]; then
            # TODO: put token in sops
-            ${pkgs.curl}/bin/curl "https://gotify.t-juice.club/message?token=ABgV8XT62bxyCzF" \
+            ${pkgs.curl}/bin/curl "https://gotify.t-juice.club/message?token=$GOTIFY_TOKEN" \
              -F "title=Backup of home@gunter failed!" \
              -F "message=Please check status of backup-home service"
          fi
@ -59,10 +66,12 @@ let
    '';
 in
 {
  sops.secrets."gotify_backup_home" = { };
  systemd.user.services.backup-home = {
    Unit = {
      Description = "Backup home directory";
-      After = [ "network.target" ];
+      After = [ "network.target" "sops-nix.service" ];
    };
    Service = {
      Type = "oneshot";
--- a/home/sops/default.nix
+++ b/home/sops/default.nix
@ -0,0 +1,6 @@
 { user, ... }: {
  sops = {
    age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
    defaultSopsFile = ../../secrets/torjus/secret.yaml;
  };
 }
--- a/hosts/gunter/configuration.nix
+++ b/hosts/gunter/configuration.nix
@ -1,7 +1,15 @@
-{ config, lib, pkgs, ... }:
+{ config, inputs, pkgs, ... }:
 {
-  imports = [ ./hardware-configuration.nix ];
+  imports = [
    ./hardware-configuration.nix
  ];
  # Sops stuff
  sops.defaultSopsFile = ../../secrets/gunter/secrets.yaml;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;
  sops.secrets."gotify_tokens/backup-home" = { };
  # Bootloader stuff
  boot.kernelParams = [
--- a/secrets/gunter/secrets.yaml
+++ b/secrets/gunter/secrets.yaml
@ -0,0 +1,31 @@
 gotify_tokens:
    backup-home: ENC[AES256_GCM,data:sq5ijJ0/jms=,iv:r+hobBUbO3wOp+Xx22yff2sXc44XrCXVDhbD/IS3Rtg=,tag:ypOiz21arspX3TGYeGtgxg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNm9vK1k0ODFwVTVDUEIw
            VXVIdllUZnJEUUVHdGY1VzV4d2grekFRNTJVCjR3MkJwQ1p2TDdDUzJEV3psQ0VR
            S3ZwNXhPK01MREJaOTJPKzcvYXh5NXMKLS0tIEU2b05pUXlKNHdqVHYzWFJrL0NO
            eUNJUHNxR1JQVUozc3ZBVVN2TVM2bjAK7BZLtjEEefxf53xPRbw2xeXNke/JK99u
            xj1FtTTnQhNAQ0jgR2N4jtwJ1L2+1usjSF1Lq16Y5TqZ/wO6368XOw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1whxf34vjdndqzwgm7yyaexdm46gdnv9sf3nal7qqyjr0nyhhndlsrmc0g3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTmdSdWZESDI2WE9CU0Uy
            SzhWNXlpV2QyK3JGQ0FHWVh3TEZqM3Fzbm44CnRNbGlmaVBiZURJSFUvdDVZWnIw
            RU53Uk9KRGZKeE9mRHQxRTFjdVM2WWMKLS0tIEZjWkxKYnBFb0pYTitvdVZBckht
            NElxU2dyQ3l2RmpERXZPcHJZVEJuTDAKEDpzlk5kOQ8ZYduWVy+2g8f/r4XEtcL5
            32tNuXEaM+qS49Ef6g84uuwKyQ2ju1UJUtC4XcoRn6nQ9yUkMVWtMQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-03-06T19:27:51Z"
    mac: ENC[AES256_GCM,data:IrgIp2evBmZYQGvo29kkIFfNsECVlqU3ZyksxKapK/yY45DWLlxtz5TBn6wpDZ8grygCz8SCJR8Ug4Yik7TTJRCgdSGtNjp3gvt3aUF+K9aJQgSQCsh/Uk0S+ZYK2YxZDmrgRo2I5unSdEtFV3X0Rp/aGmzCptLa2ZMnxrbgsis=,iv:nRXCllfgJ8QkBFC7FC9QLaKFLLFyUQe8NKmgGG+waGI=,tag:vXOw1nNMoJa7PSPvoNsYRQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/secrets/torjus/secret.yaml
+++ b/secrets/torjus/secret.yaml
@ -0,0 +1,21 @@
 gotify_backup_home: ENC[AES256_GCM,data:DV22pltF1db7mP8dK4fb,iv:487nKwVToOX2KSBmz3pp1T0wwi2JTMZzwH2arp8DatA=,tag:uVmONZ1fznTXDxySh+xXvA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdDRDc0UvaWY4U0loZzQ0
            bDZCMitGbGVYaGJyUXNrZGpnZHJlWHRkK3drCnJ2TlovSUI0OEVrV2FBbVdlSm1z
            OE9lYXNMSXpCS0NMSkZDcjhtWENOUTAKLS0tIEZFMnVqcktwWkR5VHBGQXdobXlp
            Q3gxalhGVjNlS3B3YlFsK0VQMUFITEUKE87+RpOG6ucXHHQ0DMQ9F3yo0n1aXbv7
            OX5ibHU7RroUQwFmDj87u59VUTvpWRQjsBW4c4WrZRk9KcjwinZZZQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-03-06T20:24:35Z"
    mac: ENC[AES256_GCM,data:1+fxim6Z9BLqpxRVUse5yfGyv5Y1OYLnWjuw//WtPU1Y1noXQC2SapbqaMgrJo5wDddom41RnOnJw7wjXLmA4cKndcrmotpXQIq1gYFrQtDoVuZjhcBzbY4rQiHUsMtQHQXFvn9SpreO5RMz9o5Zl25cWe1txH0K/DqavHlh+1c=,iv:1sWteDKqcDTPBfnFVSVO0V1JBfw9aj2OC/K0mVbwsdI=,tag:/AlPi/Y0Ztd6KghctMD9jg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1