Secrets: Add SSH key and kdeconnect secrets

2025-07-12 17:05:31 +02:00
parent 0727dc25ba
commit 0b12d5873e
5 changed files with 25 additions and 11 deletions
--- a/home/christoph/default.nix
+++ b/home/christoph/default.nix
@ -299,13 +299,13 @@
    # Files to generate in the home directory are specified here.
    file = lib.mkMerge [
      {
-        ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";
-        ".secrets/age/age.pub".text = "${publicKeys.${username}.age}";
-
        # Because we can't access the absolute path /run/secrets/... we have to symlink.
        # This will create a chain of links leading to /run/secrets/... without /nix/store
        # containing the secret contents.
-        # ".config/docker/key.json".source = config.lib.file.mkOutOfStoreSymlink "${nixosConfig.sops.secrets.docker-key.path}";
+        ".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "${nixosConfig.sops.secrets.ssh-private-key.path}";
+        ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";
+
+        ".secrets/age/age.pub".text = "${publicKeys.${username}.age}";

        # The sops config specifies what happens when we call sops edit
        ".sops.yaml".text = ''
--- a/system/default.nix
+++ b/system/default.nix
@ -91,13 +91,14 @@ with mylib.networking; {

    polkit.enable = true;

-    sops-nix.secrets.${username} = [
-      "docker-password"
-    ];
-
    sops-nix.bootSecrets.${username} = [
      "user-password"
    ];
+
+    sops-nix.secrets.${username} = [
+      "docker-password"
+      "ssh-private-key"
+    ];
  };

  # Enable flakes
--- a/system/modules/sops-nix/secrets.yaml
+++ b/system/modules/sops-nix/secrets.yaml
@ -2,8 +2,15 @@
 #ENC[AES256_GCM,data:mZKPbrWtgyRvOg==,iv:vLyN3JkWWrWS+0pndTuom8cNVfpb8SUC4dA6m7utXoE=,tag:YAy2gPot6KFS9/VLVAoSxw==,type:comment]
 #
 user-password: ENC[AES256_GCM,data:okgvaTTesCDwriI8PxhNdHZF8XgzB4yxapuFl2/CK8x4WNYxGFjuZqGKcu7pqfnBofNcF2ByuM+HLH9FKxpK0dMCoHD/laR1IA==,iv:ltExELuM7g7ydSAMj8ioF9Nb7N4xe5enhDQrVJ+k2jQ=,tag:AV165m5yKnX+uJnMyC3mxA==,type:str]
+ssh-private-key: ENC[AES256_GCM,data:JrRarfeS3y6b9gxg4Za5GIc5Ci3aGR+OyZxQybj4dcv2mzxXmT/bm7KOwM1zkz1PFl1xW5X82T5jte+XQOKx0+6m4ovjUgUmQUMP4E/yosp8XSdi0+YlUKBEHEJx6HqCZy+v6qx5kfp9JC6fZqCbL1J6FIqWqAoKTFXoiou1YnhmBa2fM17Q++i6TflDWiVrUS7X9xjuZFq1hz1aQXS303uvJEUOEpXdqPyJvUKJWzVsFrAwpa9FG+reO70SSc+1hBbqdw1QjrzNWh3eNnztwZURauJtVFBYUZ5ozHmWBr4aVFjYvqz+t6G1SAunmBRbVqbH4bjBv9jXXjHAB4U0wanvkJN2C+EY1zxwjyx2fWckMdhoLr9gtC1FJKMbV49UFHJ3iXWNczKj1t7LrctehEKXJa0Eb3UogYuaRxbVYbC++kD8LvL4AY8ertgc9/pxQQZmogdINJmIxKN4HTlGbX8kSDLbohZLheOfzZ5ycTlrbOjfJ1EBMLo+mJcMUW0qhFySl1aamPqTeII7lvgTOE3xV/d/9VAQTFKsftWPNkfhAJIym51bYrrMPV8AVeFQnLhSid3d3zK4w20zIQKSYnq9A8zcNhM0keddiv4XC+M=,iv:7HP7VCFpMRZXRD6GD/zFzDSBO02V/DyxKLmuDCLXTLU=,tag:Ugx81JwCP8HmhtflYoevLg==,type:str]
 docker-password: ENC[AES256_GCM,data:mK5YWEQPKWBtVCgRBZvwWTdVAi8MEGbLnLeP7hfDkcc=,iv:Az8+eAK6R6xssmmbhuEsDbLU+ks8lS+qzc4L33WfefA=,tag:NSXvRhbIuRZZqRR28Tu0PQ==,type:str]
 #
+#ENC[AES256_GCM,data:y5dlZFhK38dR+Q==,iv:1JYizUeyWeMR4KUblkj7kVSHPCL5l8mFpaQdo774BcM=,tag:kUTnBZb46KYQyi8bgIYSOQ==,type:comment]
+#
+kdeconnect-cert: ENC[AES256_GCM,data:9F/puHRjrsN+ALk33dg0bN7ev/AbO4yyUbgucN1IxTun1Ht7TIMUQfCv+pl+PfeWClcn9KJ1wSoUBU3KM6b8xb8yib0u+HbKRM+ZoHSXuEL87OXZcp0HdsH3cOijDr3QaIoZJkxOWR8AXxOnkNqly5jKKy7uH1F3eWc4NmCzUn+GemyKJDPEg0FgHDNA4hRwH3CloCk/3kJn6vy4NHYf5+a1/EvSpfdi+8NXKYpEiQz7c0DXmpWv+rXsibnWTbxrwcahBCWquiIDu7xERYPqcfl4poMIoSWffr+rB+C5QdCfAk0bgT3Yey0ABJRyBrjkZR9MWly4zC3n4g/d6s1KeME9K0g0A2LniWpJFZTpW9tCsPavhDufNZDvVYF23vxS96OP3OwfggP6HNqP0UF9TSUnagtDp7OiFZbwA9jZ8ptHt3rHNNxDy8LwUiiOMQYcsF4VP8+2U087VJeGuskXCqbLrArO+zEOwLL9fRA2bNRY//hP+zHtATzD75X9XoBGmWFAMq41yXOtfun7TqHEcc/pMLpTalVYoB9wynx2DpGrCFrU/Zz3utcXkvEgVXPaPogMy5IJfClDRBB/7FI8wSVvEUx1ZQGx2Z3dGTrbIVQ9BxkPVUTcXAgpOJbX7jkM4aXzusaYqtItZHqkoeLqW6ETniWWlJPg8+A6jMs+trHFT2rLv9bhWdPSn8GIS8ffZerZ9H5hVrhZxBSR3oytRluLyJwE0yfJ2sj7XE0738PutFLkoMYcAINYLcV8XVCeUnDQrkPVSbPK9aGSVuZhtc0pJBYKikAKj3nBnYXT3eK5DIslQCLrFEOJ2f6mFig=,iv:y3YOsyFmEdiixpgCHL8/PZ/rXXAALUUJXO4WgoQbahI=,tag:pl6M+l3uDjsQA6nImgC6qg==,type:str]
+kdeconnect-privatekey: ENC[AES256_GCM,data:kDYemoOlOewW5d1ZW3AEM0LhrrBCo8DlgsqRYOUgVOCvt1hUA/MD7s7EzIiEsdzlnSTgjQWVOoPY/HcJvpkwbJOLwh05jfTOj5/lB0bLubDAoE0Xtxx1cYhzrYfCxkxa3XRXzqIXVVU1uN/QDM+/vhXHg7iHlTxLDDxuUPLTbpj8HQQ/1Ll7dyZ2C1QTViTIZiMP4Cu+vQh1AkEijRF02hG6IT3XkKwiyPwT40PCRVziBCO2Bambnuu8HLhXSvnznRpdYTlcPKwT1QJVKIgdnW3tDcZ4Vuqb+XlZOpGWro2KPaQ=,iv:PLEtAsht75Wl+95BtDrYWPHF6bIY+fk6xZH93uJEFak=,tag:Wf3t65cUokBP20ZVF6aJTQ==,type:str]
+kdeconnect-devices: ENC[AES256_GCM,data:V52KbGwc78WntGLSqxqCvLU7H5peFha7YpwVRPTAQi+W9cMtqkqvhsDG4u9Pg3pfmTjka6IJWWgi2cHYnPo8IP36Te+3ssUHu3ZW/D+G+cgbcTANIpw05T28yPF011BsI0sGeknwxaicv9A/txhzm+ZLkctNkNlB2tHRJw8guMKJnJ+GSVwMulx6XMJ8YX8aSFbIJYU3KRZ205EoLM2GJodtPuj+uQ6Ox82AzXgOZ4HHFhVodNujHxJPg6diuckdjymGSpLFva7HpwP9/QuzjbEatJKAf9n7JLOo7NeEKKtOPUrUiBOtlCkFwk/v7119/xgDFyoxXDpK0YVgYFiiHG3TEGzqDjQkNNMsV+PH+vE+4iDJoc9utJGj0fOR7mqrmICORQ4kJwYEKdAXieV3iPmDFbvIAociqPqIihmAsGvJYG20oHojGyqZqY6KJf9qeFdBUXHvtK17hvLyREa/eNOb2DQcVd6Xu3qUIgQps2X7EPUY8GICaiLlDFYD5YiZQgo/t8/zejogluzp5bVGb+La1NsImQJhFaLfwaZwU/5Uybq1c9B8gC11+9pyE5ip/ubH7+yzhBJ90PYlePQZ/uR55CfGRi9AmFdDgaM5FJenGHXGei84UuHZa0NDUKD4QAZWvf3VJJgTGPZyEY+NCe592AIgmCDb9/H1RHn0Cm/ye8L1y7RJ0RUb374D5wwH3zwgm8zuVXyycbEsIHHQGKAn1WfjpqRXAgl5MsBAHQm/aOFJdH5dyxe+xXgc8h1l/ijZMKj4m4W1D8d1hpyARzL3xcqbzc17ZPStRI1a04IZAfsbLmWvecS2mQDATgJ31k3luh4hg0LJZvvA9/cQ2c7F/ZGhVHEpXv1LguBG6XduHS1qCfhSiMYN060Jh/YO2nZ5EMKN+bTx+c+vUHbLSO764h4ycI+PAIndxgPsWKDhDztAcX9nGTU+27eXpKOi0+J6/1KuTA==,iv:jeyEk0s+N7I2HBtRGj2Y6N5bEhZ3ETmd3ldeQj3TAaI=,tag:noeRbcabwFLHNduRsZMydQ==,type:str]
+#
 #ENC[AES256_GCM,data:Raagjz1qPvXC,iv:OSWTKaIlmo1paU2ZZn20XMeZ2gdM52pHmVZ3m2ngCdI=,tag:bPCdvjOFjpxxkrwA7Mhl5Q==,type:comment]
 #
 heidi-discord-token: ENC[AES256_GCM,data:FYvfUn8tG7glqIomSDj9rGyNQjnHSCsD/C3Kk/JR1vm/xkrxzXwP3rpyxAzqRQ7vd+zFBf2BJfV/zMk=,iv:b+aKcu98rxslEGSYf6t/jGwPfS256WQ3B/iuQ4Qeykk=,tag:e48Q0BraIvItyD2WBfbYEA==,type:str]
@ -26,7 +33,7 @@ sops:
            SURMTmh1TGIrRmtENzc0Sk4rNFJNUE0KOpjN6jkEHO+lvdWdp4P++r9SNSPWaT0h
            FAbbvZZ/EdIk/njLEcayFN7B4ftTcD/f4XJZiyosilZnIkk76bMOHA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-12T14:45:20Z"
-    mac: ENC[AES256_GCM,data:1NSA8aHrwgpiuH1cuZLZGpLw0eq8HBTyCyNypbxGB+M5fQESVClGAsFTUkce4xrfF49P1V0fIckGuDDezWYZoennw72Mze09z/eFA556voJCMRrvzTlGPaIK2xCb8awyh9BJdeaWG8JV8ck5PFOTl+sjd6+9vN05XttX8QEdPXs=,iv:cBohGC5SWLXiPIwypVyHzj3ro73kY2p+H8rgHA5U6mo=,tag:20l35bcoDsJPDgW68dUuUA==,type:str]
+    lastmodified: "2025-07-12T14:59:23Z"
+    mac: ENC[AES256_GCM,data:+qMojkbBDisMKDCZrHCZyWyD+JNGtzUwSdIDwuslcQrmVN0AiWKm93SczVapsFiLbZ+QlALdck/oV53ASjuLfiMSi1bgsRIfWe4+ZdRz8t2Tn/PMjS5utiYgGGxpghXY4/fn1UQhLSf5WeGaCNFLFDX2DVJ4bZv9xEkPQY0eN+k=,iv:7Cw/tTTb4FSMk3SstSD67nJ5hqkLqVyBnFR/udu3feU=,tag:gYjPj+GilOp3MzdptG2QXg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/system/nixinator/default.nix
+++ b/system/nixinator/default.nix
@ -74,6 +74,12 @@
        4242 # Lan-Mouse
      ];
    };
+
+    sops-nix.secrets.${username} = [
+      "kdeconnect-cert"
+      "kdeconnect-privatekey"
+      "kdeconnect-devices"
+    ];
  };

  boot = {
--- a/system/thinknix/default.nix
+++ b/system/thinknix/default.nix
@ -56,7 +56,7 @@
    };

    sops-nix.secrets.${username} = [
-      "wireguard-vps-private-key"
+      # "wireguard-vps-private-key"
    ];
  };