Add sops-nix

2024-06-17 22:17:55 -05:00
parent 4910af0d2c
commit 4e6cf6bf92
4 changed files with 103 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,13 @@
+keys:
+  - &admin_ankaa age1079fszreaakwf6xnwu9kra8xcsp4e8q8ed3y99yrhjnz9n3t9pnsj05m97
+  - &server_diphda age1rxqyz6watg05r3rzlme7grpgfgezhlt535gdl7psqys2ec8eegmqchfk4d
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *admin_ankaa
+  - path_regex: secrets/diphda/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *admin_ankaa
+      - *server_diphda
--- a/flake.lock
+++ b/flake.lock
@@ -71,6 +71,22 @@
        "type": "github"
      }
    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1718276985,
+        "narHash": "sha256-u1fA0DYQYdeG+5kDm1bOoGcHtX0rtC7qs2YA2N1X++I=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3f84a279f1a6290ce154c5531378acc827836fbb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1718437845,
@@ -87,6 +103,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-stable_2": {
+      "locked": {
+        "lastModified": 1718478900,
+        "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c884223af91820615a6146af1ae1fea25c107005",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1718318537,
@@ -110,7 +142,27 @@
        "home-manager-stable": "home-manager-stable",
        "home-manager-unstable": "home-manager-unstable",
        "nixpkgs-stable": "nixpkgs-stable",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable_2"
+      },
+      "locked": {
+        "lastModified": 1718506969,
+        "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,8 @@

        flake-utils.url = "github:numtide/flake-utils";

+        sops-nix.url = "github:Mic92/sops-nix";
+
    };

    outputs = inputs@{ self
@@ -25,6 +27,7 @@
                     , home-manager-stable
                     , home-manager-unstable
                     , flake-utils
+                     , sops-nix
                     , ...
                     }: let
        inherit (self) outputs;
@@ -204,10 +207,11 @@
                            networking.hostName = hostname;
                            simmer = currentConfig;
                        }
-                        (import ./modules/nix)
-                        (import ./modules/options)
                        systemConfig
                        (./. + "/hosts/${hostname}/hardware-configuration.nix")
+                        sops-nix.nixosModules.sops
+                        (import ./modules/nix)
+                        (import ./modules/options)
                        home-manager.nixosModules.home-manager
                        {
                            home-manager.useGlobalPkgs = true;
--- a/secrets/diphda/backups.yaml
+++ b/secrets/diphda/backups.yaml
@@ -0,0 +1,31 @@
+mc-arcadia:
+    repo_password: ENC[AES256_GCM,data:SPP/RmwxAeeyERrMjO7vEqMd/SY=,iv:/U4sbPogBeqJ4vli2MmMb4H4BjMPFO+Fe/uRtyltvsM=,tag:i06a7yIDmhYJt3ARfDaE4w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1079fszreaakwf6xnwu9kra8xcsp4e8q8ed3y99yrhjnz9n3t9pnsj05m97
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcGpQYUVrZElXK2pjeTlj
+            MW9DbHJhZkcvYlk2MlRUcitNQkZxS200YWo4CmxKeVA4Yk9VOWxqMHNqTUZDYm1G
+            YU8rZFBPMDhSTHN3eWU4Y1ZaRmRsakkKLS0tIHFlWllHVWNEeHZ0UHo5eU5Id0hj
+            dkRiYWRxTTI3QktpTFVlZDRma0NGN0UKdTh5HDNuqWWq4HFkoAaRJyqRU64TPr4u
+            BG+PkJuFwEzX/Zql0f8janB1U2xNA9B+GT6l62xgYSXaij1QgSKDTA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1rxqyz6watg05r3rzlme7grpgfgezhlt535gdl7psqys2ec8eegmqchfk4d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwbkRJeHI1VVVxQXFQcVVC
+            S2xVb1RiNGtpcmprQUgrbjRzN01VZ1FwNWc0ClpzZGFYOXQxZlplRExnOWdjdTFN
+            SHJWODQ5RG4yL2YyMmdRcG9DK0tyZG8KLS0tIHpCZHlKRGdVTGhOSGNmN3dXMGlv
+            aGtybEc5TWlwUUZvaDByQWU5aU1RM28KMSkwEEtDVACF8vO5dNxls4XWcmssMMTR
+            p2HRAb7UytCIYUtZ+FxEWKhozGP/RZ562Gmr3Ae5+E08bexebIzdiA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-18T03:14:52Z"
+    mac: ENC[AES256_GCM,data:B0rqLgUfVOxS79fKaEU8nH48Z5Kdex77vEWkuIUb14nd0pwvXY00HbLYwYQq3o9Lhfto60oRb/QVXMvMa+SCL6+23mZ2sBOBT9gRDDN6z45i1cdfZRjgqrctrQnwM914D9M3UVBdmrUdtijBY53xxGOFB9VZFkaf8R8gbSaanrE=,iv:efLjdoBadMe6b0CUGd4ZmFJEBgCxYYHYwSHnsGJ1nGY=,tag:De9FijcgKYMmo1TLW8gspw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1