From 7b1ca01cf1d4cb715e5e7382c69b5920759c20ce Mon Sep 17 00:00:00 2001
From: Deepak Mallubhotla
Date: Wed, 5 Mar 2025 20:25:46 +0000
Subject: [PATCH] sops everywhere
---
 home/deepak/.sops.yaml | 7 +++++++
 home/deepak/home.nix | 14 ++++++++++++++
 home/deepak/secrets.yaml | 23 +++++++++++++++++++++++
 hosts/hosts.nix | 4 ++++
 4 files changed, 48 insertions(+)
 create mode 100644 home/deepak/.sops.yaml
 create mode 100644 home/deepak/secrets.yaml
diff --git a/home/deepak/.sops.yaml b/home/deepak/.sops.yaml
new file mode 100644
index 0000000..f6ea858
--- /dev/null
+++ b/home/deepak/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &nixosEggYoke age1tk3vdafrm93dyqpnjymns92z9gmcrnr23cd6fh7ten8092j4tfas84wyhe
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *nixosEggYoke
diff --git a/home/deepak/home.nix b/home/deepak/home.nix
index de9039d..b43829e 100644
--- a/home/deepak/home.nix
+++ b/home/deepak/home.nix
@@ -176,6 +176,20 @@ in
 eval "$(${pkgs.direnv}/bin/direnv hook zsh)"
 '';
 };
+
+ sops = {
+ age.keyFile = "/home/deepak/.config/sops/age/keys.txt"; # must have no password!
+ # It's also possible to use a ssh key, but only when it has no password:
+ #age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];
+ defaultSopsFile = ./secrets.yaml;
+ secrets.test = {
+ # sopsFile = ./secrets.yml.enc; # optionally define per-secret files
+ # %r gets replaced with a runtime directory, use %% to specify a '%'
+ # sign. Runtime dir is $XDG_RUNTIME_DIR on linux and $(getconf
+ # DARWIN_USER_TEMP_DIR) on darwin.
+ path = "%r/test.txt";
+ };
+ };
 }
diff --git a/home/deepak/secrets.yaml b/home/deepak/secrets.yaml
new file mode 100644
index 0000000..f9b92e7
--- /dev/null
+++ b/home/deepak/secrets.yaml
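Review bot: `path_regex: secrets.yaml$` in the new .sops.yaml is anchored only at the end and leaves the dot unescaped, so it matches any path ending in `secrets.yaml` (a `foo-secrets.yaml` or `secretsXyaml` would also pick up this rule); `path_regex: (^|/)secrets\.yaml$` matches only the intended file. The rule's single `keys` entry also means everything encrypted under it is recoverable only with the nixosEggYoke age key, so adding a second recipient (e.g. an operator key) is the usual safeguard against losing that key file; the same single-recipient list appears in the `age` section of the new home/deepak/secrets.yaml.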
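Review bot: `secrets.test` in the home.nix hunk declares a secret named `test`, but the home/deepak/secrets.yaml added in the same commit only carries the keys `hello` and `anthropic_key`; since sops-nix looks a secret up by its attribute name unless `key` is set, activation will presumably fail when `test` cannot be found, so either rename the entry (e.g. `secrets.anthropic_key = { path = "%r/anthropic_key"; };`) or set `key` explicitly. `age.keyFile` hardcodes `/home/deepak`; if `config` is an argument of this file, `age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` keeps it in step with the user. The `#age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];` line and the surrounding `%r` explanation are template comments copied from the sops-nix README and could be trimmed to what applies here. The enclosing attribute set begins before the hunk.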
@@ -0,0 +1,23 @@
+hello: ENC[AES256_GCM,data:mdwrgkzAvxazg319XbXnHTMUOJLO5ybx7iK0HfRHn0tYj+5q8EQB7XxQThF7Xw==,iv:XJIl2Idal+O61ONAKCaCGaGvB7mwyBMtd2+THsaeqdg=,tag:/vN0rkCNMPe62uMxwMg75Q==,type:str]
+#ENC[AES256_GCM,data:XQeqeSMpzA/awNfbiWdq0GhfreE+0a5t1dmd5Ic=,iv:Tv0uGl9LtoF+F5o2HBGMnPCU05eHmekSn51HNxzlRWw=,tag:fQdevcwTK0oI3EzRZik0XA==,type:comment]
+anthropic_key: ENC[AES256_GCM,data:tcuddpeu3PKPXrf8EgmSfjd12d7ptLok/DlumQC/oIzTGG7sYsvxseZrDElsYT4AGmkWPNVVhac+3PmKfGFL4rV16u+6G+weMgTCYsDHyg0KaWM5a01MB3GMf2HyA65RYUxaRW4kP+6UlOXO,iv:dyD6lxxLa99HP9NXf/ewZu1h6Sm6KBYPJqwM3l6SX88=,tag:23+3ad8o67Niyil9M+B4ag==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1tk3vdafrm93dyqpnjymns92z9gmcrnr23cd6fh7ten8092j4tfas84wyhe
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxVXdoaHhPdE8yVC9YcCsr
+ dDNiTldVcVZiVVJzMG4zSHhWenJUbmhxMXhVCkoxOE5QZkxBTmQ3Zm5qZml1MVBP
+ Y2UvWXpuc1ZhcFFIRktIb0RvWXlBT1EKLS0tIGZYWDFyWHNYUmc3U3UxOW1yUG9m
+ OENPOXBEZ3ZrU1k1bGk2Tko0VzcyME0Kc+d+9WO9Yv7wbg56cnGyklaeoQTfKqYr
+ 7sycCyJFzlihyfiPxkHzGFkAudmakuwKo4cj+L4V7pDLta1leA4X+w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-03-05T20:08:03Z"
+ mac: ENC[AES256_GCM,data:he/4cI1SH0uloLOWd7Qi4wtrOrFQKE3xy6doDg0Uv0mp7ViScYiYbIq8r1bM/zH0X8aTKyYj9O75b+rm+vS3Q8sG8PFj6vHvF4bwduO1jobNnLnUjJDgpSmpLneGAPJyyV2UBFXRCQOJ0anshmNCD0bFPyV9SnSaf5NgBdBpkeI=,iv:7PmJ6zuY+tMzectAuDp6uCUpxbDp0CWqCCQzpq2evjY=,tag:OIwFQ96feI75ld9feB25Og==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/hosts/hosts.nix b/hosts/hosts.nix
index 4c8fed3..105fca7 100644
--- a/hosts/hosts.nix
+++ b/hosts/hosts.nix
@@ -54,6 +54,7 @@ in
 };
 modules = [
 ./nixosEggYoke/configuration.nix
+ inputs.sops-nix.nixosModules.sops
 homeManager-24-05.nixosModules.home-manager { home-manager.extraSpecialArgs = { withGUI = false;
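Review bot: `inputs.sops-nix.nixosModules.sops` in the hosts.nix hunk depends on `inputs` being an argument of hosts.nix and on a `sops-nix` flake input being declared, and neither is visible here, so evaluation fails if either is missing; the same applies to `inputs.sops-nix.homeManagerModules.sops` in the second hosts.nix hunk. Nothing in this commit sets any NixOS-level `sops.*` option, so unless `./nixosEggYoke/configuration.nix` does, the NixOS module appears to be added without a consumer and a short comment stating why it is there would help (`# NixOS-level sops module; user secrets are handled by the home-manager module below`). This host also loads NixOS-WSL (`NixOS-WSL-2405.nixosModules.wsl` in the next hunk); the home-manager sops module writes secrets under the `%r` runtime directory and, as far as I can tell, installs them via a systemd user unit, so it is worth confirming that systemd and `XDG_RUNTIME_DIR` are available in this WSL setup before relying on `%r/test.txt`.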
@@ -64,6 +65,9 @@ in
 home-manager.users.deepak = {
 imports = [ ../home/deepak/home.nix ];
 };
+ home-manager.sharedModules = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
 }
 NixOS-WSL-2405.nixosModules.wsl
 ];
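Review bot: `home-manager.sharedModules` adds the sops home-manager module only for this host, while the same commit makes home/deepak/home.nix set `sops = { ... }` unconditionally; any other host in this file that imports `../home/deepak/home.nix` without this `sharedModules` entry will fail to evaluate with an undefined `sops` option. If that home.nix is shared, either add the module to every host's `sharedModules` or let home.nix import it itself (`imports = [ inputs.sops-nix.homeManagerModules.sops ];`, with `inputs` passed through `extraSpecialArgs`). The `modules` list this hunk belongs to begins before the hunk.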