From b1aa689c41920951681f321066a192426ab7d6d0 Mon Sep 17 00:00:00 2001
From: Christoph Urlacher
Date: Wed, 9 Jul 2025 17:28:27 +0200
Subject: [PATCH] Modules: Rename sops modules to sops-nix
---
 system/modules/default.nix | 2 +-
 system/modules/sops-nix/default.nix | 37 ++++++++++++++++++++++++++++
 system/modules/sops-nix/options.nix | 16 ++++++++++++
 system/modules/sops-nix/secrets.yaml | 20 +++++++++++++++
 system/modules/sops-nix/sops.yaml | 7 ++++++
 system/modules/sops/default.nix | 15 -----------
 system/modules/sops/options.nix | 6 -----
 system/modules/sops/secrets.yaml | 24 ------------------
 system/modules/sops/sops.yaml | 8 ------
 9 files changed, 81 insertions(+), 54 deletions(-)
 create mode 100644 system/modules/sops-nix/default.nix
 create mode 100644 system/modules/sops-nix/options.nix
 create mode 100644 system/modules/sops-nix/secrets.yaml
 create mode 100644 system/modules/sops-nix/sops.yaml
 delete mode 100644 system/modules/sops/default.nix
 delete mode 100644 system/modules/sops/options.nix
 delete mode 100644 system/modules/sops/secrets.yaml
 delete mode 100644 system/modules/sops/sops.yaml
diff --git a/system/modules/default.nix b/system/modules/default.nix
index 69ccf370..ee10dc91 100644
--- a/system/modules/default.nix
+++ b/system/modules/default.nix
@@ -7,6 +7,6 @@
 ./mime
 ./network
 ./polkit
- ./sops
+ ./sops-nix
 ];
 }
diff --git a/system/modules/sops-nix/default.nix b/system/modules/sops-nix/default.nix
new file mode 100644
index 00000000..cb500816
--- /dev/null
+++ b/system/modules/sops-nix/default.nix
@@ -0,0 +1,37 @@
+{
+ config,
+ lib,
+ mylib,
+ pkgs,
+ username,
+ ...
+}: let
+ inherit (config.modules) sops-nix;
+in {
+ options.modules.sops-nix = import ./options.nix {inherit lib mylib;};
+
+ config = {
+ environment.systemPackages = with pkgs; [
+ sops
+ age
+ ssh-to-age
+ ];
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+
+ age = {
+ keyFile = "/home/${username}/.secrets/age/age.key";
+ generateKey = false;
+ sshKeyPaths = [];
+ };
+
+ secrets = let
+ mkSecret = name: {${name} = {};};
+ in
+ if (builtins.hasAttr "${username}" sops-nix.secrets)
+ then lib.mergeAttrsList (builtins.map mkSecret sops-nix.secrets.${username})
+ else {};
+ };
+ };
+}
diff --git a/system/modules/sops-nix/options.nix b/system/modules/sops-nix/options.nix
new file mode 100644
index 00000000..c197217c
--- /dev/null
+++ b/system/modules/sops-nix/options.nix
@@ -0,0 +1,16 @@
+{
+ lib,
+ mylib,
+ ...
+}: {
+ secrets = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+ description = "The secrets to expose on this host";
+ example = ''
+ christoph = [
+ "docker-password"
+ ];
+ '';
+ default = [];
+ };
+}
diff --git a/system/modules/sops-nix/secrets.yaml b/system/modules/sops-nix/secrets.yaml
new file mode 100644
index 00000000..d469201c
--- /dev/null
+++ b/system/modules/sops-nix/secrets.yaml
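Review bot: `keyFile = "/home/${username}/.secrets/age/age.key"` makes the host's entire sops store decryptable with a key that lives in one user's home directory, so that user — and any process running as them — can read every secret the host defines, and activation will presumably fail if `/home` is not mounted (or is still locked) when sops-nix runs. Since this hunk already installs `ssh-to-age` while leaving `sshKeyPaths = []`, a root-only host key such as `keyFile = "/var/lib/sops-nix/key.txt";` (or an ssh-host-key recipient via `sshKeyPaths`) would separate host secrets from the personal editing key. Separately, `mkSecret = name: {${name} = {};}` leaves every secret at sops-nix's defaults (root-owned, mode 0400 as far as I recall), so keying the option by username does not actually let that user read the files; if that is the intent, `mkSecret = name: {${name} = {owner = username;};};`. Minor: `builtins.hasAttr "${username}" sops-nix.secrets` can be written `sops-nix.secrets ? ${username}`.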
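Review bot: `default = []` does not satisfy the declared type `lib.types.attrsOf (lib.types.listOf lib.types.str)`; as far as I know the module system checks the default as an ordinary definition, so any host that does not set `modules.sops-nix.secrets` fails evaluation as soon as `default.nix` reads the option, and it should be `default = {};`. `mylib` is accepted as an argument but not used in this file. The `example` would conventionally be wrapped in `lib.literalExpression` so documentation renders it as Nix rather than as a quoted string.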
@@ -0,0 +1,20 @@ +docker-password: ENC[AES256_GCM,data:wUTViGGdu2tX6YbS7PuNj44uvixvUYBgNtumbhh1UU4=,iv:XIMLnEyNifD1nGfuFbqrxCBgfbPfC8ARP/eEzGo5McE=,tag:OwR++1BIGZ7obQcNAKhu0g==,type:str] +heidi-discord-token: ENC[AES256_GCM,data:Nnt3mH5HCMog3b5Bz2vuaseCee7gA1HsBP16M7toXLs/TxZDlNWZQR4HMuJA/fwVjhd0WxzWzaX69lk=,iv:xhELYieQxBpecslhcpwTxJKJ/KEH2kDwqHMfO2VTdt8=,tag:JXYzgh4gMEwEkIUzf7gvRw==,type:str] +kopia-server-username: ENC[AES256_GCM,data:9+PsrhKKcJJp,iv:dRTclwpZmfL8ixaUSzqgZXPbO+wTXcVJIKlQCky3tZg=,tag:ntLvlsxVuPvwr9D2YRGrtw==,type:str] +kopia-server-password: ENC[AES256_GCM,data:B32JJPg=,iv:LZtud43b2/hotB2/TGQvp5ENBXXy5eGpJg4fUF3ymSM=,tag:CdKddcv7TDMBSH/nkmOAXg==,type:str] +kopia-user-password: ENC[AES256_GCM,data:aHK2NZATutKxaQ==,iv:vWUK9QoOOszHqRrhZHwWhFC8VBcBnJY/GiVRkbPFyyg=,tag:qioUwrdiwBBTliFXxzda0g==,type:str] +sops: + age: + - recipient: age14ph8vrj657e7s35d60xehzuq46t9zd6pzcm6pw4jragzrvf6xs9s77usnm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTXEyQlVTZnpoL2paTXhx + eVF2M1JDNkdOUDRwMkEzNE5lRWJma2Z3Q0RFCnJCa2ZvU3hMNm1wRUxpRFg3QmR5 + UXZOS241UTEwYTF2WGdxdW1WMU9QTnMKLS0tIG1IeUdjSGxuT0JWYUd4ci85WHFq + ZEc2MFA5VG9QbFhzYmp3c3B5MzMwTjAKYBcvUmD00oUUllNbqqi9wouoaffMjaxN + nYFhzbgK8n0a5+9ZKTQGgDnl2W0M7uKuADTN8DF7JtepIeQYGWi2sQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-09T15:08:08Z" + mac: ENC[AES256_GCM,data:0B6GHJaqzONxtGqI14iEYvx/6Kjg2NnnxLyaecdrQ9klu4Ee4/SKA8ZlgLx8+953iXGgkDHzG0nCe/1TTjMjzW4AucdynMTJmgL68lQfLeVgkhrCVGpkH0LHIFokrnWy2++0aGvrsYCA0OXDdts+b9nU9kfRAZ4OIUQ1RjB5vX4=,iv:7s/SJtqfz3/pdmnP/SGSyM5/PY1UGn+P9c1/uz679SU=,tag:vo0IxNlOPwocJl3d+B9hgg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/system/modules/sops-nix/sops.yaml b/system/modules/sops-nix/sops.yaml new file mode 100644 index 00000000..4973678a --- /dev/null +++ b/system/modules/sops-nix/sops.yaml 
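Review bot: sops encrypts each value with AES-256-GCM, whose ciphertext is exactly as long as the plaintext, so the `data:` fields disclose the secret lengths: `kopia-server-password` (`B32JJPg=`) decodes to 5 bytes and `kopia-user-password` (`aHK2NZATutKxaQ==`) to 10, which, if these are the literal passwords protecting a backup server, is far too short. Rotating them to long random values is worth doing alongside this move. Note also that switching the recipient from PGP to age re-encrypts the file but does not change the secrets themselves, and the PGP-encrypted copy in the deleted `sops/secrets.yaml` stays in git history, decryptable by the key with fingerprint `2D77520CF698928A855E0B9A2AB59FDA7728388B`.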
@@ -0,0 +1,7 @@
+keys:
+ - &christoph age14ph8vrj657e7s35d60xehzuq46t9zd6pzcm6pw4jragzrvf6xs9s77usnm
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *christoph
diff --git a/system/modules/sops/default.nix b/system/modules/sops/default.nix
deleted file mode 100644
index 5842e80d..00000000
--- a/system/modules/sops/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- config,
- lib,
- mylib,
- pkgs,
- ...
-}: let
- inherit (config.modules) sops;
-in {
- options.modules.sops = import ./options.nix {inherit lib mylib;};
-
- config = {
- environment.systemPackages = [pkgs.sops];
- };
-}
diff --git a/system/modules/sops/options.nix b/system/modules/sops/options.nix
deleted file mode 100644
index d2d37dc3..00000000
--- a/system/modules/sops/options.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- lib,
- mylib,
- ...
-}: {
-}
diff --git a/system/modules/sops/secrets.yaml b/system/modules/sops/secrets.yaml
deleted file mode 100644
index 6d83b736..00000000
--- a/system/modules/sops/secrets.yaml
+++ /dev/null
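Review bot: The single `creation_rules` entry has one key group with one age recipient, `christoph`'s personal key, so no host-side key can decrypt `secrets.yaml` and losing that one key loses access to every secret in the file. Adding a per-host recipient (for example the host's ssh host key converted with `ssh-to-age`, which this commit installs) as a second entry under `age:` would let each host decrypt with a root-owned key while the personal key stays for editing. The old rule used the PGP fingerprint `2D77520CF698928A855E0B9A2AB59FDA7728388B`; if that key is being retired, a comment above `keys:` saying so would save the next reader from wondering whether it should be re-added.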
@@ -1,24 +0,0 @@ -kopia: - server-password: ENC[AES256_GCM,data:D2yE4j4=,iv:j96uk5MuHrrEf8y6c3HWBB822fBjC5ilhO6GMnruU6o=,tag:YmqD3Id7jD4sPAu2ncFJaQ==,type:str] - user-password: ENC[AES256_GCM,data:Trv39FNFSzvb2g==,iv:Bqvv8UipTIWd7zkYCZNe8Wjj+zdt2b8J+86g2gRKfvY=,tag:Jb6E76hj1bkSmqxPu6c+mA==,type:str] -dockerhub: - password: ENC[AES256_GCM,data:7q6WsQ2rVIAC7HeLqYUK1g9WmTAEu8vvplpe/Kmt7Ns=,iv:x3b3eoj3UuRK3XZAN6KyYcVlXjm7sidtoqaByPdl90s=,tag:vZKO5gxtFG5nSiRQxxfCGQ==,type:str] -heidi: - discord-token: ENC[AES256_GCM,data:lhG/5UHsgJX6dF8x29GlPJ0SL3WVRd72NgiTAIqJOGODlzDqjqRG+vM+FR2Rn2QPt9MatqDWH4c9hxQ=,iv:hd2DFftCaPnDO74n0SKsOEstRoUdgRshUPliFhtjSEc=,tag:nJs/PYDj4f7g4gdiEGrStQ==,type:str] -sops: - lastmodified: "2025-07-09T14:23:23Z" - mac: ENC[AES256_GCM,data:Q7TiCljoWvzTsfmHc3xjh2rc4KKtw4rhxm0IkeZlUv0lshgjfrNpLxZVDnACavWG8ez379vpauuIhwZdZIaoO8Vtd2RfCS6bIOr4LdO8c89fVMhKSWa00a1uKsjjKTra9uAWoZZjBcZjLzAeIJWEHfcjQqqDNZl9thMAlguIr+Y=,iv:w41vmyiBrkzPzCZKzkAEF7jVyhOOTCgoEkAxYYa+VZc=,tag:Qw/asLEK/dms9GD+rJp4aA==,type:str] - pgp: - - created_at: "2025-07-09T14:12:43Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DqfTzg9CqtWESAQdAu4+RjWQkFhZACL8agIDAfDRl7SGwkerlYB/JVwbTvF4w - Aka16C3y25sjOegyLfuHm0omD1ojca9LgfEDPIh3sUTlUcMttPDYbmraW6MDMM/W - 0lwB+1YoPkhaT0AhwmFG+1PnVGtCaOaV3yaBsEv6KBrQ6D9PkgAgN1sNmVgRevXo - pMjdAsFTRXeJyCAtvAwYet0IhhZ5NqMvvkmjU5Mo3eV/eil4w8WafYq4qOamfw== - =Cs9+ - -----END PGP MESSAGE----- - fp: 2D77520CF698928A855E0B9A2AB59FDA7728388B - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/system/modules/sops/sops.yaml b/system/modules/sops/sops.yaml deleted file mode 100644 index 1bf37b8f..00000000 --- a/system/modules/sops/sops.yaml +++ /dev/null @@ -1,8 +0,0 @@ -keys: - # sops-nix public gpg key fingerprint - - &christoph 2D77520CF698928A855E0B9A2AB59FDA7728388B -creation_rules: - - path_regex: secrets.yaml$ - key_groups: - - pgp: - - *christoph