Flake: Add public age key

System: Define general sops secrets
System/Servenix: Define sops secrets
2025-07-09 17:28:47 +02:00 · 2025-07-09 17:28:41 +02:00 · 2025-07-09 17:28:34 +02:00 · 2025-07-09 17:28:27 +02:00 · 2025-07-09 17:27:47 +02:00 · 2025-07-09 17:27:32 +02:00
14 changed files with 113 additions and 56 deletions
--- a/config/navi/christoph.cheat
+++ b/config/navi/christoph.cheat
@ -208,6 +208,20 @@ sops --config ~/NixFlake/system/modules/sops/sops.yaml ~/NixFlake/system/modules
 # Rekey secrets.yaml
 sops --config ~/NixFlake/system/modules/sops/sops.yaml updatekeys ~/NixFlake/system/modules/sops/secrets.yaml

+% ssh
+# Generate a new SSH key
+ssh-keygen -t <type> -C "<comment>"
+$ type: echo -e "ed25519    \tElliptic Curve\nrsa -b 4096\t4096 bit RSA" --- --column 1
+
+% age
+# Generate a new age key
+age-keygen -o <file>
+
+% age
+# Print the public key of an age key
+age-keygen -y <key>
+$ key: eza -f -1
+
 ; ===========================
 ; CODE
 ; ===========================
--- a/flake.nix
+++ b/flake.nix
@ -143,7 +143,11 @@
    # NOTE: Keep public keys here so they're easy to rotate

    publicKeys.christoph = {
+      # /home/christoph/.ssh/id_ed25519.pub
      ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAoJac+GdGtzblCMA0lBfMdSR6aQ4YyovrNglCFGIny christoph.urlacher@protonmail.com";
+
+      # /home/christoph/.secrets/age/age.pub
+      age = "age14ph8vrj657e7s35d60xehzuq46t9zd6pzcm6pw4jragzrvf6xs9s77usnm";
    };

    # Extra NixOS system modules for all hosts.
--- a/home/christoph/default.nix
+++ b/home/christoph/default.nix
@ -300,6 +300,7 @@
    file = lib.mkMerge [
      {
        ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";
+        ".secrets/age/age.pub".text = "${publicKeys.${username}.age}";
      }
      (lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable {
        ".config/xdg-desktop-portal-termfilechooser/config".text = ''
--- a/system/default.nix
+++ b/system/default.nix
@ -92,6 +92,10 @@ with mylib.networking; {
    };

    polkit.enable = true;
+
+    sops-nix.secrets.${username} = [
+      "docker-password"
+    ];
  };

  # Enable flakes
@ -265,7 +269,7 @@ with mylib.networking; {
    nix-ld.enable = true; # Load dynamically linked executables

    gnupg.agent = {
-      enable = true;
+      enable = false;
      enableBrowserSocket = true;
      enableExtraSocket = true;
      enableSSHSupport = true;
@ -284,7 +288,7 @@ with mylib.networking; {
      flake = "/home/christoph/NixFlake";
    };

-    ssh.startAgent = false; # Use gnupg
+    ssh.startAgent = true; # Use gnupg
    starship.enable = true;
    xwayland.enable = !headless;
  };
--- a/system/modules/default.nix
+++ b/system/modules/default.nix
@ -7,6 +7,6 @@
    ./mime
    ./network
    ./polkit
-    ./sops
+    ./sops-nix
  ];
 }
--- a/system/modules/sops-nix/default.nix
+++ b/system/modules/sops-nix/default.nix
@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  mylib,
+  pkgs,
+  username,
+  ...
+}: let
+  inherit (config.modules) sops-nix;
+in {
+  options.modules.sops-nix = import ./options.nix {inherit lib mylib;};
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      sops
+      age
+      ssh-to-age
+    ];
+
+    sops = {
+      defaultSopsFile = ./secrets.yaml;
+
+      age = {
+        keyFile = "/home/${username}/.secrets/age/age.key";
+        generateKey = false;
+        sshKeyPaths = [];
+      };
+
+      secrets = let
+        mkSecret = name: {${name} = {};};
+      in
+        if (builtins.hasAttr "${username}" sops-nix.secrets)
+        then lib.mergeAttrsList (builtins.map mkSecret sops-nix.secrets.${username})
+        else {};
+    };
+  };
+}
--- a/system/modules/sops-nix/options.nix
+++ b/system/modules/sops-nix/options.nix
@ -0,0 +1,16 @@
+{
+  lib,
+  mylib,
+  ...
+}: {
+  secrets = lib.mkOption {
+    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+    description = "The secrets to expose on this host";
+    example = ''
+      christoph = [
+        "docker-password"
+      ];
+    '';
+    default = [];
+  };
+}
--- a/system/modules/sops-nix/secrets.yaml
+++ b/system/modules/sops-nix/secrets.yaml
@ -0,0 +1,20 @@
+docker-password: ENC[AES256_GCM,data:wUTViGGdu2tX6YbS7PuNj44uvixvUYBgNtumbhh1UU4=,iv:XIMLnEyNifD1nGfuFbqrxCBgfbPfC8ARP/eEzGo5McE=,tag:OwR++1BIGZ7obQcNAKhu0g==,type:str]
+heidi-discord-token: ENC[AES256_GCM,data:Nnt3mH5HCMog3b5Bz2vuaseCee7gA1HsBP16M7toXLs/TxZDlNWZQR4HMuJA/fwVjhd0WxzWzaX69lk=,iv:xhELYieQxBpecslhcpwTxJKJ/KEH2kDwqHMfO2VTdt8=,tag:JXYzgh4gMEwEkIUzf7gvRw==,type:str]
+kopia-server-username: ENC[AES256_GCM,data:9+PsrhKKcJJp,iv:dRTclwpZmfL8ixaUSzqgZXPbO+wTXcVJIKlQCky3tZg=,tag:ntLvlsxVuPvwr9D2YRGrtw==,type:str]
+kopia-server-password: ENC[AES256_GCM,data:B32JJPg=,iv:LZtud43b2/hotB2/TGQvp5ENBXXy5eGpJg4fUF3ymSM=,tag:CdKddcv7TDMBSH/nkmOAXg==,type:str]
+kopia-user-password: ENC[AES256_GCM,data:aHK2NZATutKxaQ==,iv:vWUK9QoOOszHqRrhZHwWhFC8VBcBnJY/GiVRkbPFyyg=,tag:qioUwrdiwBBTliFXxzda0g==,type:str]
+sops:
+    age:
+        - recipient: age14ph8vrj657e7s35d60xehzuq46t9zd6pzcm6pw4jragzrvf6xs9s77usnm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTXEyQlVTZnpoL2paTXhx
+            eVF2M1JDNkdOUDRwMkEzNE5lRWJma2Z3Q0RFCnJCa2ZvU3hMNm1wRUxpRFg3QmR5
+            UXZOS241UTEwYTF2WGdxdW1WMU9QTnMKLS0tIG1IeUdjSGxuT0JWYUd4ci85WHFq
+            ZEc2MFA5VG9QbFhzYmp3c3B5MzMwTjAKYBcvUmD00oUUllNbqqi9wouoaffMjaxN
+            nYFhzbgK8n0a5+9ZKTQGgDnl2W0M7uKuADTN8DF7JtepIeQYGWi2sQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-09T15:08:08Z"
+    mac: ENC[AES256_GCM,data:0B6GHJaqzONxtGqI14iEYvx/6Kjg2NnnxLyaecdrQ9klu4Ee4/SKA8ZlgLx8+953iXGgkDHzG0nCe/1TTjMjzW4AucdynMTJmgL68lQfLeVgkhrCVGpkH0LHIFokrnWy2++0aGvrsYCA0OXDdts+b9nU9kfRAZ4OIUQ1RjB5vX4=,iv:7s/SJtqfz3/pdmnP/SGSyM5/PY1UGn+P9c1/uz679SU=,tag:vo0IxNlOPwocJl3d+B9hgg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/system/modules/sops-nix/sops.yaml
+++ b/system/modules/sops-nix/sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &christoph age14ph8vrj657e7s35d60xehzuq46t9zd6pzcm6pw4jragzrvf6xs9s77usnm
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - age:
+        - *christoph
--- a/system/modules/sops/default.nix
+++ b/system/modules/sops/default.nix
@ -1,15 +0,0 @@
-{
-  config,
-  lib,
-  mylib,
-  pkgs,
-  ...
-}: let
-  inherit (config.modules) sops;
-in {
-  options.modules.sops = import ./options.nix {inherit lib mylib;};
-
-  config = {
-    environment.systemPackages = [pkgs.sops];
-  };
-}
--- a/system/modules/sops/options.nix
+++ b/system/modules/sops/options.nix
@ -1,6 +0,0 @@
-{
-  lib,
-  mylib,
-  ...
-}: {
-}
--- a/system/modules/sops/secrets.yaml
+++ b/system/modules/sops/secrets.yaml
@ -1,24 +0,0 @@
-kopia:
-    server-password: ENC[AES256_GCM,data:D2yE4j4=,iv:j96uk5MuHrrEf8y6c3HWBB822fBjC5ilhO6GMnruU6o=,tag:YmqD3Id7jD4sPAu2ncFJaQ==,type:str]
-    user-password: ENC[AES256_GCM,data:Trv39FNFSzvb2g==,iv:Bqvv8UipTIWd7zkYCZNe8Wjj+zdt2b8J+86g2gRKfvY=,tag:Jb6E76hj1bkSmqxPu6c+mA==,type:str]
-dockerhub:
-    password: ENC[AES256_GCM,data:7q6WsQ2rVIAC7HeLqYUK1g9WmTAEu8vvplpe/Kmt7Ns=,iv:x3b3eoj3UuRK3XZAN6KyYcVlXjm7sidtoqaByPdl90s=,tag:vZKO5gxtFG5nSiRQxxfCGQ==,type:str]
-heidi:
-    discord-token: ENC[AES256_GCM,data:lhG/5UHsgJX6dF8x29GlPJ0SL3WVRd72NgiTAIqJOGODlzDqjqRG+vM+FR2Rn2QPt9MatqDWH4c9hxQ=,iv:hd2DFftCaPnDO74n0SKsOEstRoUdgRshUPliFhtjSEc=,tag:nJs/PYDj4f7g4gdiEGrStQ==,type:str]
-sops:
-    lastmodified: "2025-07-09T14:23:23Z"
-    mac: ENC[AES256_GCM,data:Q7TiCljoWvzTsfmHc3xjh2rc4KKtw4rhxm0IkeZlUv0lshgjfrNpLxZVDnACavWG8ez379vpauuIhwZdZIaoO8Vtd2RfCS6bIOr4LdO8c89fVMhKSWa00a1uKsjjKTra9uAWoZZjBcZjLzAeIJWEHfcjQqqDNZl9thMAlguIr+Y=,iv:w41vmyiBrkzPzCZKzkAEF7jVyhOOTCgoEkAxYYa+VZc=,tag:Qw/asLEK/dms9GD+rJp4aA==,type:str]
-    pgp:
-        - created_at: "2025-07-09T14:12:43Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DqfTzg9CqtWESAQdAu4+RjWQkFhZACL8agIDAfDRl7SGwkerlYB/JVwbTvF4w
-            Aka16C3y25sjOegyLfuHm0omD1ojca9LgfEDPIh3sUTlUcMttPDYbmraW6MDMM/W
-            0lwB+1YoPkhaT0AhwmFG+1PnVGtCaOaV3yaBsEv6KBrQ6D9PkgAgN1sNmVgRevXo
-            pMjdAsFTRXeJyCAtvAwYet0IhhZ5NqMvvkmjU5Mo3eV/eil4w8WafYq4qOamfw==
-            =Cs9+
-            -----END PGP MESSAGE-----
-          fp: 2D77520CF698928A855E0B9A2AB59FDA7728388B
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
--- a/system/modules/sops/sops.yaml
+++ b/system/modules/sops/sops.yaml
@ -1,8 +0,0 @@
-keys:
-  # sops-nix public gpg key fingerprint
-  - &christoph 2D77520CF698928A855E0B9A2AB59FDA7728388B
-creation_rules:
-  - path_regex: secrets.yaml$
-    key_groups:
-      - pgp:
-        - *christoph
--- a/system/servenix/default.nix
+++ b/system/servenix/default.nix
@ -61,6 +61,13 @@
        3000 # Gitea runner needs to reach local gitea instance
      ];
    };
+
+    sops-nix.secrets.${username} = [
+      "heidi-discord-token"
+      "kopia-server-username"
+      "kopia-server-password"
+      "kopia-user-password"
+    ];
  };

  networking.firewall.trustedInterfaces = ["docker0" "podman0"];
Author	SHA1	Message	Date
Christoph Urlacher	d00afa9329	Flake: Add public age key	2025-07-09 17:28:47 +02:00
Christoph Urlacher	3131da0fe7	System: Define general sops secrets	2025-07-09 17:28:41 +02:00
Christoph Urlacher	ae217314b5	System/Servenix: Define sops secrets	2025-07-09 17:28:34 +02:00
Christoph Urlacher	b1aa689c41	Modules: Rename sops modules to sops-nix	2025-07-09 17:28:27 +02:00
Christoph Urlacher	65fcbbf0ff	Home: Generate age public key file	2025-07-09 17:27:47 +02:00
Christoph Urlacher	0ce2448002	Config/Navi: Add age and ssh cheats	2025-07-09 17:27:32 +02:00