diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..532f64c
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+# .sops.yaml
+
+keys:
+ - age13dpyswy6ezqr2gyty75waanpc9lhjs073vt56z6tvjyzh9mkydaqwsystl
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - age13dpyswy6ezqr2gyty75waanpc9lhjs073vt56z6tvjyzh9mkydaqwsystl
diff --git a/flake.lock b/flake.lock
index 2fde9c5..ce3076e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -68,9 +68,7 @@
 "inputs": {
 "crane": "crane",
 "flake-utils": "flake-utils",
- "nixpkgs": [
- "nixpkgs"
- ],
+ "nixpkgs": "nixpkgs",
 "rust-overlay": "rust-overlay"
 },
 "locked": {
@@ -125,6 +123,38 @@
 }
 },
 "nixpkgs": {
+ "locked": {
+ "lastModified": 1700390070,
+ "narHash": "sha256-de9KYi8rSJpqvBfNwscWdalIJXPo8NjdIZcEJum1mH0=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "e4ad989506ec7d71f7302cc3067abd82730a4beb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1700342017,
+ "narHash": "sha256-HaibwlWH5LuqsaibW3sIVjZQtEM/jWtOHX4Nk93abGE=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "decdf666c833a325cb4417041a90681499e06a41",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
 "locked": {
 "lastModified": 1700204040,
 "narHash": "sha256-xSVcS5HBYnD3LTer7Y2K8ZQCDCXMa3QUD1MzRjHzuhI=",
@@ -140,6 +170,22 @@
 "type": "github"
 }
 },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1700108881,
+ "narHash": "sha256-+Lqybl8kj0+nD/IlAWPPG/RDTa47gff9nbei0u7BntE=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "7414e9ee0b3e9903c24d3379f577a417f0aae5f1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nur": {
 "locked": {
 "lastModified": 1700455140,
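Review bot: The `age:` key group under `creation_rules` names a single recipient, `age13dpyswy6ezqr2gyty75waanpc9lhjs073vt56z6tvjyzh9mkydaqwsystl`, so that one private key is the only way to decrypt `secrets/secrets.yaml`; losing it makes the file unrecoverable, and every rotation means re-encrypting for a new recipient. Consider adding a second, separately stored recipient to the group (for example a dedicated host key or an offline backup key), e.g. `- age: [age13dpyswy6ezqr2gyty75waanpc9lhjs073vt56z6tvjyzh9mkydaqwsystl, <backup-age-public-key>]` where the second value is a placeholder. The top-level `keys:` list repeats the same literal without a YAML anchor, so `creation_rules` does not appear to reference it; either anchor it (`- &admin age13…`) and use `*admin` in the group, or drop the list to avoid two copies drifting apart.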
@@ -160,8 +206,9 @@
 "helix": "helix",
 "home-manager": "home-manager",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs",
- "nur": "nur"
+ "nixpkgs": "nixpkgs_2",
+ "nur": "nur",
+ "sops-nix": "sops-nix"
 }
 },
 "rust-overlay": {
@@ -189,6 +236,25 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3",
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1700362823,
+ "narHash": "sha256-/H7XgvrYM0IbkpWkcdfkOH0XyBM5ewSWT1UtaLvOgKY=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "49a87c6c827ccd21c225531e30745a9a6464775c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 01659f2..cd1289f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,7 +18,7 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 helix = {
 url = "github:helix-editor/helix/master";
- inputs.nixpkgs.follows = "nixpkgs";
+ # inputs.nixpkgs.follows = "nixpkgs";
 };
 home-manager = {
 url = "github:nix-community/home-manager";
@@ -26,6 +26,7 @@
 };
 nixos-hardware.url = "github:NixOs/nixos-hardware/master";
 nur.url = "github:nix-community/nur";
+ sops-nix.url = "github:Mic92/sops-nix";
 };
 # pass in the urls defined above
@@ -37,6 +38,7 @@
 helix,
 nixos-hardware,
 nur,
+ sops-nix,
 ...
 } @ inputs: let
 system = "x86_64-linux";
@@ -67,6 +69,7 @@
 specialArgs = {inherit inputs;};
 modules = [
 ./hosts/JWST/configuration.nix
+ sops-nix.nixosModules.sops
 # nixos-hardware.nixosModules.dell-xps-15-9520
 nixos-hardware.nixosModules.common-gpu-nvidia-disable
 {nixpkgs.overlays = overlays;}
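Review bot: In the `@@ -18,7 +18,7 @@` hunk the `inputs.nixpkgs.follows = "nixpkgs";` override for `helix` is commented out rather than removed, and no reason is recorded, so a later reader cannot tell whether dropping it was deliberate or a debugging leftover. The `flake.lock` change in this commit shows the cost: helix now pins its own `nixpkgs` while the root flake moves to `nixpkgs_2`, so two nixpkgs trees are evaluated and fetched. Either delete the line (history keeps it) or replace it with a comment that records the reason and the condition for restoring it, e.g. `# follows disabled: <reason>; re-enable once <condition>`. The same applies to the commented-out `homeConfigurations."tacocat"` block in the `@@ -83,14 +86,14 @@` hunk of this file.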
@@ -83,14 +86,14 @@
 };
 #homeConfigurations: define options for different users
- homeConfigurations."tacocat" = inputs.home-manager.lib.homeManagerConfiguration {
- inherit pkgs;
- extraSpecialArgs = {inherit inputs;}; # Pass flake inputs to our config
- modules = [
- {nixpkgs.overlays = overlays;}
- ./users/tacocat/home.nix
- ];
- };
+ # homeConfigurations."tacocat" = inputs.home-manager.lib.homeManagerConfiguration {
+ # inherit pkgs;
+ # extraSpecialArgs = {inherit inputs;}; # Pass flake inputs to our config
+ # modules = [
+ # {nixpkgs.overlays = overlays;}
+ # ./users/tacocat/home.nix
+ # ];
+ # };
 # packages.${system}."tacocat" = self.homeConfigurations."tacocat".activationPackage;
 };
diff --git a/hosts/JWST/configuration.nix b/hosts/JWST/configuration.nix
index fe2f611..ae7d5aa 100644
--- a/hosts/JWST/configuration.nix
+++ b/hosts/JWST/configuration.nix
@@ -12,6 +12,11 @@
 ./hardware-configuration.nix
 ];
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.age.keyFile = "/home/tacocat/.config/sops/age/keys.txt";
+
 boot.loader = {
 efi.canTouchEfiVariables = false;
 grub = {
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..af7ce84
--- /dev/null
+++ b/secrets/secrets.yaml
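Review bot: `sops.age.keyFile = "/home/tacocat/.config/sops/age/keys.txt";` in the `hosts/JWST/configuration.nix` hunk places the private key that decrypts every host secret inside a user-owned home directory, so anything running as `tacocat` can read it and decrypt `secrets/secrets.yaml` directly, sidestepping the root-owned, mode-restricted `/run/secrets` defaults that sops-nix otherwise provides; if `/home` is a separate or late-mounted filesystem the key may also be absent when activation decrypts secrets. Prefer a root-only host key, e.g. `sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.generateKey = true;` or derive it from the SSH host key with `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, and add that host's age recipient to `.sops.yaml` so the user key is only needed for editing. This hunk sets `defaultSopsFile`/`defaultSopsFormat` but declares no `sops.secrets.<name>`, so unless one is defined elsewhere nothing is actually decrypted yet; a short comment stating where the secrets are declared (or that this is preparatory) would help.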
@@ -0,0 +1,35 @@
+#ENC[AES256_GCM,data:JjngdEl24lzivXSGGtT+BmiEgJv9CYFGoshMp341WTVhGZb0CfJw/INV5Hds4It+b5VdKwsq,iv:z7QQf9jHo/UnOeFL5Xr+Gigvumj5oeCw+qbuDDvC05k=,tag:E76DCMWb0jJtNpjVEY7Tiw==,type:comment]
+#ENC[AES256_GCM,data:HICA26c4UzeSp1IhNUkoFukr14zNLQ6PRzXa,iv:Ai2VRUy4F0l58M+zP8UTJ+HwpnnntvhXqRGDFKgfxoc=,tag:u3Z1J+6jjDStKsPVcdQ48w==,type:comment]
+#ENC[AES256_GCM,data:91rUTDQieSAoP34dVPhUVQ==,iv:yiCh0c97u0FcofOfTkvJG0kee12GyObDQWiV2cLeN8g=,tag:RxtR8qSFw/U3NdKJl/6q3g==,type:comment]
+#ENC[AES256_GCM,data:fBniAj/OEUphfzuouN4V,iv:oDvxL66JaHok1Bmd4gVc85/5bHpVPgixT/DM92eeqwI=,tag:ZQsqpszjmPThhkFaeI3hfg==,type:comment]
+#ENC[AES256_GCM,data:5vniSSqRnOLyiyV6ylKevv8AZsJw,iv:Z5mefVGn9jSCPJZRkwjPZ2alkUwao0bCJVS3aRY3egE=,tag:aHZcDJWmHx1MEux6bKuWFg==,type:comment]
+#ENC[AES256_GCM,data:al064LOcqMiJljtxOtEkYPiTFanG,iv:mqO28HpExCICHRPbmyo3LK7QFysAOzf8Mn666QgC/9Q=,tag:Pcb0VSAJ3TkQLbDoobJTkA==,type:comment]
+#ENC[AES256_GCM,data:tMg+HbmZGZLzc3WZJVrwmOi7JjCBbkJdWRwm,iv:3pDsdJX2OSactrP9CQeNvQR7q01qXo/BR4FKLhcaiyQ=,tag:Wxlf6SuGWgGEVvG7Sjcojw==,type:comment]
+#ENC[AES256_GCM,data:Qs7LdUYBaoCLtlu+VdIHrIsA,iv:lWJsId1PA6mc+E0+mP55EfoCk5rixb+Z91XtUg6ivCw=,tag:XVDzTi/poTsRT6m3dbcLZA==,type:comment]
+#ENC[AES256_GCM,data:73KcTxpT6YfRex8=,iv:3pLvjR/BOayKYUvCaZbW4JbCpbNqJ0QrcO+GvAAZauo=,tag:y4HM5xLSAzaEBrSqWUlpsQ==,type:comment]
+#ENC[AES256_GCM,data:OiGD0S0aKU15hDKi,iv:dIFoxlFYv2dbQFTk1O/pJld30sVNOFpq83z8YqFdruE=,tag:PRat5Zkn5MBfgAt0voPuNg==,type:comment]
+email:
+ school: ENC[AES256_GCM,data:5YdbEGvP3dkwOnGlwL2B,iv:FMHMImPMKCgtIoj8s3O5zPawPfMzJun7p0CACE/Iey4=,tag:NEA8a55p38za/kvhJOgfmg==,type:str]
+ personal: ENC[AES256_GCM,data:YFgATpdZkwYAmvyJcdbjuA==,iv:709EcGDPSfnUFI4Epdj3FLCQ/V3BvN3e50/c49n9qyg=,tag:xmR6B13j1zOo5KYxYU1iRQ==,type:str]
+ spam: ENC[AES256_GCM,data:Y0l/i74rH9brxBOyiCPyMaeE3A==,iv:cS/32vlXFLQI3vCIdMqNrzivO/9aqXNPAqQ1YWgjAoQ=,tag:+CBrYlnH5xgHkVZU/MMIDQ==,type:str]
+ proton: 
ENC[AES256_GCM,data:0jOY+B5px9GTLHCBXFz+QFE+CQ==,iv:R8CCCewIUo9fJ4gTByzTwwfNyTIOPH9ktUAPPqkGMd8=,tag:nqjFuvmBq5N02MPXi6ha6A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age13dpyswy6ezqr2gyty75waanpc9lhjs073vt56z6tvjyzh9mkydaqwsystl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNnpRZXBwaXk0aDZhMDBy
+ cThMNGdWaE9GZlpFN3RTLzhaYVJUKzFORkNjCmtuakFIczhVNXltQk42RWxjUnlz
+ dTdkUmJOdjBCZXZNZjE4QURGVW5wUGsKLS0tIGhkclA1M3dKZzUxZWpLZDlsRHZR
+ VTlua3pQRTZGUGw4OEVQSUhsMHZoVncKm0+J++ZOflbTjfb0Q/nC/LnwKXOq5XEE
+ CvRQmjp4sWgmnP8wrcPvtInPrkVYBHluI9DD9DRoQ+PTYsz8xSIRig==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-22T04:23:23Z"
+ mac: ENC[AES256_GCM,data:JviqHLWwa+6Mnc8rmqaXWkPVRPm9LbwQBzXkc/ZsMHpcpBN2W6jWxof8AbNsU+d7eKhYlT4QeBC/13nlIcgxdNOP1ArDL94g9aFmve7iEyCUOQLf3bBExpFLxHWzUFmDTNh0ZmaGtUBH2gWyj3zY5t6EQ87Wo+PPlaiOHaNskBo=,iv:N1/eXQOjBR027T6hAsmNoZyVzU+uWZrtRBJLesaM76c=,tag:ycl1tNjSn3VkPek9woQWGg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/users/tacocat/home.nix b/users/tacocat/home.nix
index 5e1056d..b07ec1f 100644
--- a/users/tacocat/home.nix
+++ b/users/tacocat/home.nix
@@ -14,6 +14,7 @@
 ];
 packages = with pkgs; [
 rnote
+ sops
 libreoffice
 notify-desktop
 texlive.combined.scheme-medium
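Review bot: sops encrypts mapping values but leaves mapping keys in cleartext, so in the new `secrets/secrets.yaml` the names `email`, `school`, `personal`, `spam` and `proton` are readable by anyone with repository access even though their values are not; if the existence or naming of these entries is itself sensitive, use neutral key names before committing. The leading `#ENC[...,type:comment]` lines show the file's comments were encrypted, so that part leaks nothing. The single `age` recipient in the `sops:` metadata matches the one in `.sops.yaml`; if a second recipient is added there later, this file needs `sops updatekeys secrets/secrets.yaml` before the new key can decrypt it.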