sops everywhere

2025-03-05 20:25:46 +00:00 · 2025-03-05 20:25:46 +00:00 · 7b1ca01cf1
commit 7b1ca01cf1
parent 093b0ddc58
4 changed files with 48 additions and 0 deletions
--- a/home/deepak/.sops.yaml
+++ b/home/deepak/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &nixosEggYoke age1tk3vdafrm93dyqpnjymns92z9gmcrnr23cd6fh7ten8092j4tfas84wyhe
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+    - age:
+      - *nixosEggYoke
--- a/home/deepak/home.nix
+++ b/home/deepak/home.nix
@ -177,5 +177,19 @@ in
 		'';
 	};
 	
+	sops = {
+		age.keyFile = "/home/deepak/.config/sops/age/keys.txt"; # must have no password!
+		# It's also possible to use a ssh key, but only when it has no password:
+		#age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];
+		defaultSopsFile = ./secrets.yaml;
+		secrets.test = {
+			# sopsFile = ./secrets.yml.enc; # optionally define per-secret files
+
+			# %r gets replaced with a runtime directory, use %% to specify a '%'
+			# sign. Runtime dir is $XDG_RUNTIME_DIR on linux and $(getconf
+			# DARWIN_USER_TEMP_DIR) on darwin.
+			path = "%r/test.txt"; 
+		};
+	};

 }
--- a/home/deepak/secrets.yaml
+++ b/home/deepak/secrets.yaml
@ -0,0 +1,23 @@
+hello: ENC[AES256_GCM,data:mdwrgkzAvxazg319XbXnHTMUOJLO5ybx7iK0HfRHn0tYj+5q8EQB7XxQThF7Xw==,iv:XJIl2Idal+O61ONAKCaCGaGvB7mwyBMtd2+THsaeqdg=,tag:/vN0rkCNMPe62uMxwMg75Q==,type:str]
+#ENC[AES256_GCM,data:XQeqeSMpzA/awNfbiWdq0GhfreE+0a5t1dmd5Ic=,iv:Tv0uGl9LtoF+F5o2HBGMnPCU05eHmekSn51HNxzlRWw=,tag:fQdevcwTK0oI3EzRZik0XA==,type:comment]
+anthropic_key: ENC[AES256_GCM,data:tcuddpeu3PKPXrf8EgmSfjd12d7ptLok/DlumQC/oIzTGG7sYsvxseZrDElsYT4AGmkWPNVVhac+3PmKfGFL4rV16u+6G+weMgTCYsDHyg0KaWM5a01MB3GMf2HyA65RYUxaRW4kP+6UlOXO,iv:dyD6lxxLa99HP9NXf/ewZu1h6Sm6KBYPJqwM3l6SX88=,tag:23+3ad8o67Niyil9M+B4ag==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1tk3vdafrm93dyqpnjymns92z9gmcrnr23cd6fh7ten8092j4tfas84wyhe
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxVXdoaHhPdE8yVC9YcCsr
+            dDNiTldVcVZiVVJzMG4zSHhWenJUbmhxMXhVCkoxOE5QZkxBTmQ3Zm5qZml1MVBP
+            Y2UvWXpuc1ZhcFFIRktIb0RvWXlBT1EKLS0tIGZYWDFyWHNYUmc3U3UxOW1yUG9m
+            OENPOXBEZ3ZrU1k1bGk2Tko0VzcyME0Kc+d+9WO9Yv7wbg56cnGyklaeoQTfKqYr
+            7sycCyJFzlihyfiPxkHzGFkAudmakuwKo4cj+L4V7pDLta1leA4X+w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-05T20:08:03Z"
+    mac: ENC[AES256_GCM,data:he/4cI1SH0uloLOWd7Qi4wtrOrFQKE3xy6doDg0Uv0mp7ViScYiYbIq8r1bM/zH0X8aTKyYj9O75b+rm+vS3Q8sG8PFj6vHvF4bwduO1jobNnLnUjJDgpSmpLneGAPJyyV2UBFXRCQOJ0anshmNCD0bFPyV9SnSaf5NgBdBpkeI=,iv:7PmJ6zuY+tMzectAuDp6uCUpxbDp0CWqCCQzpq2evjY=,tag:OIwFQ96feI75ld9feB25Og==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/hosts/hosts.nix
+++ b/hosts/hosts.nix
@ -54,6 +54,7 @@ in
 		};
 		modules = [
 			./nixosEggYoke/configuration.nix
+			inputs.sops-nix.nixosModules.sops
 			homeManager-24-05.nixosModules.home-manager {
 				home-manager.extraSpecialArgs = {
 					withGUI = false;
@ -64,6 +65,9 @@ in
 				home-manager.users.deepak = {
 					imports = [ ../home/deepak/home.nix ];
 				};
+				home-manager.sharedModules = [
+					inputs.sops-nix.homeManagerModules.sops
+				];
 			}
 			NixOS-WSL-2405.nixosModules.wsl
 		];