Add sops and setup sops-nix
We want to store secrets, and because of the shortcomings of git-crypt (it was
not working for us, it prevents pushing to public caches, etc.) we have decided
to use sops.
Change-Id: I9ed38a93879ca5ff4a452e6e8017b500a4d2cbb6
Reviewed-on: https://git.clicks.codes/c/Chimera/NixFiles/+/414
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Skyler Grey <minion@clicks.codes>
diff --git a/.gitignore b/.gitignore
index 0e2b511..7e7e5f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@
tmp/
result/
+
+.sops.yaml
\ No newline at end of file
diff --git a/.sops.nix b/.sops.nix
new file mode 100644
index 0000000..ae58c94
--- /dev/null
+++ b/.sops.nix
@@ -0,0 +1,38 @@
+nixpkgs: let
+ keys = {
+ users = {
+ coded = "BC82DF237610AE9113EB075900E944BFBE99ADB5";
+ minion = "76E0B09A741C4089522111E5F27E3E5922772E7A";
+ };
+ hosts = {
+ shorthair = "B5237D6B63AB2E13FDA07170E5AED9775DD21543";
+ greylag = "047bf8897df877fe86133e98522c6d280d545c00";
+ };
+};
+in {
+ creation_rules = [
+ {
+ path_regex = ''.*\.sops\.chimera\.(yaml|json|env|ini|[^.]*\.bin)$'';
+ pgp = nixpkgs.lib.concatStringsSep "," [
+ keys.users.coded
+ keys.users.minion
+ keys.hosts.shorthair
+ keys.hosts.greylag
+ ];
+ }
+ {
+ path_regex = ''.*\.sops\.coded\.(yaml|json|env|ini|[^.]*\.bin)$'';
+ pgp = nixpkgs.lib.concatStringsSep "," [
+ keys.users.coded
+ keys.hosts.shorthair
+ ];
+ }
+ {
+ path_regex = ''.*\.sops\.minion\.(yaml|json|env|ini|[^.]*\.bin)$'';
+ pgp = nixpkgs.lib.concatStringsSep "," [
+ keys.users.minion
+ keys.hosts.greylag
+ ];
+ }
+ ];
+}
\ No newline at end of file
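Review bot: The file has no header saying what it is, so a reader has to work out from configure.sh that this is the source of the gitignored `.sops.yaml` and that the strings are PGP fingerprints; a short comment above `keys` would do: `# Source of truth for .sops.yaml (gitignored); regenerate it with ./configure.sh.`, `# Values are PGP key fingerprints. Editing a rule only affects future encryptions;`, `# run "sops updatekeys" on every matching file to re-encrypt existing secrets.` The greylag fingerprint is lowercase while the other three are uppercase; sops appears to accept either, but normalising to one form avoids a surprise if any tool compares them literally. Since `nixpkgs` is used only for `lib.concatStringsSep`, `builtins.concatStringsSep` does the same job and would let the file drop its `nixpkgs:` argument, which in turn removes the `builtins.getFlake` lookup in configure.sh.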
diff --git a/configure.sh b/configure.sh
new file mode 100755
index 0000000..18c90e7
--- /dev/null
+++ b/configure.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+nix eval -f .sops.nix --apply "(f: f (builtins.getFlake \"nixpkgs\"))" --json > .sops.yaml # regenerate the "yaml" so you can add secrets
\ No newline at end of file
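Review bot: The `> .sops.yaml` redirection truncates the policy file before `nix eval` runs, so a failed evaluation leaves an empty `.sops.yaml` behind and the next sops invocation silently has no creation rules; writing to a temp file and renaming on success avoids that. The script also assumes it is run from the repository root (`-f .sops.nix` is relative to the cwd) and resolves `nixpkgs` through the caller's flake registry rather than the locked input, so pure-mode `nix eval` may refuse an unlocked registry entry depending on the machine. The rewrite below pins the working directory and fails fast; the registry dependency would disappear entirely if `.sops.nix` used `builtins.concatStringsSep` instead of `nixpkgs.lib`.
```shell
#!/bin/sh
set -eu
cd "$(dirname "$0")"

# regenerate the "yaml" so you can add secrets; go through a temp file so a
# failed eval does not leave an empty .sops.yaml behind
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
nix eval -f .sops.nix --apply "(f: f (builtins.getFlake \"nixpkgs\"))" --json > "$tmp"
mv "$tmp" .sops.yaml
```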
diff --git a/flake.lock b/flake.lock
index 26198c8..d58bd9d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -235,6 +235,22 @@
"type": "github"
}
},
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1708210246,
+ "narHash": "sha256-Q8L9XwrBK53fbuuIFMbjKvoV7ixfLFKLw4yV+SD28Y8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "69405156cffbdf2be50153f13cbdf9a0bea38e49",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"nixpkgs_2": {
"locked": {
"lastModified": 1707546158,
@@ -251,6 +267,22 @@
"type": "github"
}
},
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1708151420,
+ "narHash": "sha256-MGT/4aGCWQPQiu6COqJdCj9kSpLPiShgbwpbC38YXC8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "6e2f00c83911461438301db0dba5281197fe4b3a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"nur": {
"locked": {
"lastModified": 1707853532,
@@ -275,7 +307,8 @@
"nix-index-database": "nix-index-database",
"nixpkgs": "nixpkgs_2",
"nur": "nur",
- "snowfall-lib": "snowfall-lib"
+ "snowfall-lib": "snowfall-lib",
+ "sops-nix": "sops-nix"
}
},
"snowfall-lib": {
@@ -300,6 +333,25 @@
"type": "github"
}
},
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3",
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1708500294,
+ "narHash": "sha256-mvJIecY3tDKZh7297mqOtOuAvP7U1rqjfLNfmfkjFpU=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "f6b80ab6cd25e57f297fe466ad689d8a77057c11",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
"systems": {
"locked": {
"lastModified": 1689347949,
diff --git a/flake.nix b/flake.nix
index 77d6f4d..082873d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,25 +2,6 @@
description = "The Chimera nix configuration flake, a shared system configuration";
inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-
- snowfall-lib = {
- url = "github:snowfallorg/lib";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
- home-manager = {
- url = "github:nix-community/home-manager";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
- nix-index-database = {
- url = "github:nix-community/nix-index-database";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
- hyprland.url = "github:hyprwm/Hyprland";
-
anyrun = {
url = "github:Kirottu/anyrun";
inputs.nixpkgs.follows = "nixpkgs";
@@ -31,7 +12,28 @@
flake = false;
};
+ home-manager = {
+ url = "github:nix-community/home-manager";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ hyprland.url = "github:hyprwm/Hyprland";
+
+ nix-index-database = {
+ url = "github:nix-community/nix-index-database";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
nur.url = "github:nix-community/nur";
+
+ snowfall-lib = {
+ url = "github:snowfallorg/lib";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ sops-nix.url = "github:Mic92/sops-nix";
};
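Review bot: `sops-nix` is the only input here declared without `inputs.nixpkgs.follows = "nixpkgs"`, unlike home-manager, nix-index-database and snowfall-lib directly above it; that is why the flake.lock hunks gain the separate `nixpkgs_3` and `nixpkgs-stable` nodes, two extra nixpkgs pins to fetch and keep updated. Unless sops-nix's own pins are wanted, `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps it on the single locked nixpkgs. Its `nixpkgs-stable` input can be detached the same way with `inputs.nixpkgs-stable.follows = "";` if the installed nix accepts an empty follows, which I have not verified here.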
outputs =
@@ -54,10 +56,10 @@
homes.users."minion@greylag".modules = extraHomeModules;
-
- system.modules.nixos = [
+ systems.modules.nixos = [
inputs.hyprland.nixosModules.default
inputs.nur.nixosModules.nur
+ inputs.sops-nix.nixosModules.sops
];
snowfall = {
diff --git a/modules/home/sops/default.nix b/modules/home/sops/default.nix
new file mode 100644
index 0000000..d978623
--- /dev/null
+++ b/modules/home/sops/default.nix
@@ -0,0 +1,3 @@
+{ pkgs, ... }: {
+ home.packages = [ pkgs.sops ];
+}
\ No newline at end of file
diff --git a/modules/nixos/registry/default.nix b/modules/nixos/registry/default.nix
new file mode 100644
index 0000000..cd6ef76
--- /dev/null
+++ b/modules/nixos/registry/default.nix
@@ -0,0 +1,5 @@
+{ inputs, ... }: {
+ nix.registry = inputs // {
+ templates = "https://git.clicks.codes"; # nix init -t templates#typescript
+ };
+}
\ No newline at end of file
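Review bot: Unless I am misreading the NixOS option, `nix.registry` is an attribute set of submodules with a `flake` (or `from`/`to`) field, so assigning the raw flake inputs and a bare URL string may fail module type-checking; the usual form is `nix.registry = lib.mapAttrs (_: flake: { inherit flake; }) inputs;` with `templates` given as a `to = { type = "git"; url = ...; }` entry, which needs `lib` added to the module arguments. Please confirm this evaluates on a host, since nothing else in the change exercises this file. This module also looks like the reason configure.sh's `builtins.getFlake "nixpkgs"` can resolve to the locked input; if that is the intent, a comment saying so would spare the next reader the detective work, and the `templates` entry deserves a note that it is deliberately unpinned, since `nix init -t` will fetch whatever the remote's default branch holds at that moment.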
diff --git a/modules/nixos/wifi/default.nix b/modules/nixos/wifi/default.nix
index f0d5d1e..e0b7968 100644
--- a/modules/nixos/wifi/default.nix
+++ b/modules/nixos/wifi/default.nix
@@ -1,8 +1,40 @@
-{ ... }:
-{
+{ config, ... }: {
networking.wireless = {
enable = true;
userControlled.enable = true;
+
+ networks = {
+ newadelie24 = {
+ psk = "@newadelie24@";
+ priority = 25;
+ };
+ newadelie50.psk = "@newadelie50@";
+ adelie10 = {
+ psk = "@adelie10@";
+ priority = 50;
+ };
+
+ # Hills Road 6th Form College
+ "HRSFC Wi-Fi".psk = "@HRSFC_Wi_Fi@";
+
+ # Coded's house
+ Orange2.psk = "@Orange2@";
+ "Orange2_5G A" = {
+ psk = "@Orange2_5G_A@";
+ priority = 100;
+ };
+ };
+
+ environmentFile = config.sops.secrets."modules/nixos/wifi/wifi-passwords.sops.chimera.env.bin".path;
};
+
hardware.enableRedistributableFirmware = true;
+
+ sops.secrets."modules/nixos/wifi/wifi-passwords.sops.chimera.env.bin" = {
+ mode = "0400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ sopsFile = ./wifi-passwords.sops.chimera.env.bin;
+ format = "binary";
+ };
}
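Review bot: The PSKs are now kept out of the Nix store via the sops-managed `environmentFile`, but the network names (`newadelie24`, `HRSFC Wi-Fi`, `Orange2`, …) and the two location comments remain in cleartext in a repository the commit message says is pushed to public caches, so anyone with the repo or cache learns which networks these hosts join and roughly where they are. If that is not intended, the SSIDs can move into the same env file (the option's `@VAR@` substitution is documented for the `networks` entries, so placeholder attribute names should work like the psk values, though I have not confirmed it) or the whole `networks` set can live in a secret; either way, a one-line comment stating that the names are deliberately public would settle it. The `mode`/`owner`/`group` on the secret match sops-nix's defaults, so they are correct but could be dropped for brevity. Decryption happens in the sops-nix activation step, which presumes the hosts' PGP keys listed in `.sops.nix` are reachable from `sops.gnupg` settings or their default; nothing in this change configures that, so it is worth confirming it is set elsewhere.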
diff --git a/modules/nixos/wifi/wifi-passwords.sops.chimera.env.bin b/modules/nixos/wifi/wifi-passwords.sops.chimera.env.bin
new file mode 100644
index 0000000..6b62a11
--- /dev/null
+++ b/modules/nixos/wifi/wifi-passwords.sops.chimera.env.bin
@@ -0,0 +1,36 @@
+{
+ "data": "ENC[AES256_GCM,data:Wj6IlH/1YFqtWQ1aKxL6m2/mvlPA4fCqOQLHP5eU8houuqA98Hl2C0bYZ7lwSB/xmWHxHAwFBZ9wPcHS3o4zLMgOAlziKU4URO3/X5ibLk40LAuHya7VqNWv5/GT7YkTT/wPaVatn9RIm4MbwoHWS3X2hm1QCuZ/v6btjD27Vlv1f2dWpI6kr6R1wB8Bs3WvZrbMPcqu1GSaYYtvm3cdWXuzwsLNECimET0oOVP0oXzU0dmIGO3SlaOxGPGGfyZXL1RSCDZ8fO2ZNdvFhMQzZ+tZ5lPMJknW,iv:giyihKo0rubYawEuQNPzTW0EZZandRi8amiDQLgPTTg=,tag:gDTO6vtihaRigBXWJbuWNA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2024-02-21T22:53:03Z",
+ "mac": "ENC[AES256_GCM,data:zoxtaHmE580xDb7yunQiG3/4GTVVm5nzyzn+/1otNd86Ra5ijtunHrMAv6yb6EWEz0IeriQ+XkQ7oCFJIFL5uZYzyJBFqkfhkXrAfXuPpHDHoLtndjKL4zRpn1hovM+mkhHS6E/CiROwt1cSXVsHSbTscxRNoeswMW15lD3TJnI=,iv:y6xUvF8w8xN7rasGLuYq7XzjdhNIqNYJp9qAAfmq6vg=,tag:3qn+RJoJ3DYqfrvT62hoIg==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2024-02-21T22:51:05Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4D6MHlIv4I/7ASAQdAG20f4ypslYKbRG5yE32LCN08XVetS15FMIeOdr5okzcw\nS7K4C8C/VOWbQqJYfPbJLpnegoaVE/gMkCCadtUQw0C+1S4xkEEW9L2Ng3M1z2BY\n0lwBEVRe96adeLKCjmKyN6h7zHrJVdoxCdhqYdMWI9eCHSrc/3JL1XF71OP+qKTe\n6OcwKXsIE30hm3p4Mcea5RtwYnqxQ4EVOwrnoiObcFhPlSWFmJVtzrCy0FK+jA==\n=6/UN\n-----END PGP MESSAGE-----",
+ "fp": "BC82DF237610AE9113EB075900E944BFBE99ADB5"
+ },
+ {
+ "created_at": "2024-02-21T22:51:05Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DN4EYND8+bNUSAQdAXqYNDSDYaLNyOg1bLO9bqhTEWnG12c9ppbgcM1BnTRIw\npQgdsoZwcLQYcMf9NzbfEH1U2KQRn8XVuJBsPCACZVdgUFjfjejtIOwypPtEBV7D\n0lwB+odiT0QF/c+iqi2fvfr9I4iKiREH9gIoOQwUca0kpoIuYjVtrt2d71QEJryK\nr6vY/eRCbXVBHK3OMCguF6x0lH6GEm+iYSAalh7InUA+GnYVb1WUxYWaNqOZmw==\n=y0Jp\n-----END PGP MESSAGE-----",
+ "fp": "76E0B09A741C4089522111E5F27E3E5922772E7A"
+ },
+ {
+ "created_at": "2024-02-21T22:51:05Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA+Wu2Xdd0hVDARAAruJDBJPezmYJoy/QoY5HRuiQZpAHDQmI8lKBEAZK3Yl4\ntIY2xg10ktMX9G2uohPMb95bN8tvfNUu4Vy9hhyS4AWvpP0vlhaZ0+DkHkb11WFJ\nBhScm5qBDORwEYYK6wmq+YkMTkFOZA5bRYXwEJjAOAhDdZXw+biAh2GH+1qkZRlE\n9ECe6/1vsauKARz4MlQamz0DnDyfuBu0kf08Ef1WHr8aBDima7Nu+Yy95/mLaGs7\ndkR6yu40THEqBX7/gNfzt6FCkNK/cdZW6BcSAB1dHsU5xOphgXNRK63KqgSQi6oG\nGDWh6ruojIY+PHMoHrn+r7PMteRUyCq2EFRrX6+vAhCKPx03WRWisy94QIp9c9PU\nlFUj6Q9+pdPCNVy9oOTU+hg9iAbcd0FT/eDRLOrRqG7QznHCZEDJwAyWmN2uUKdM\nAzHhmz3DARcIUWciVWsVS8KgjsfqK8GQTqHKNg2np2EftWk2rBFmCviM8Pf04bD5\nNXyMumdP8sFDDaHpmkoTv3iJIB2lc9dmN6Mw/4RKf66vj1MY0XUqFwyyXEp1Egsd\nn82Ik0dXNais+b0Dff5INAzW9sxEGOqgb7Wn4zAdHNEX33zZmOkrhb8FdGR63YqL\nysQSKRabedyraPfFUJEFOYH2XbKBxyrweIpMvm3JBWuzKBTm4Tgh0Ivv2gNcJlPS\nVgEYHPivwC+hYPTO5FgY8hBIz0EUw0CEI0hSbZg6rY2Fh74StKfteYEydQUGf6IU\nejJHJKbbIuqaa9Y3aK2Oeek6ZGeWFuCSPjaGkQSGShJxcavdiebn\n=hIY0\n-----END PGP MESSAGE-----",
+ "fp": "B5237D6B63AB2E13FDA07170E5AED9775DD21543"
+ },
+ {
+ "created_at": "2024-02-21T22:51:05Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA1IsbSgNVFwAAQ/8DbOb5rFwn2S9aNaD5fS8pdaimLNC7pMzRr4cGCZbEia8\nu+uaNuuY9R8XgiNxm+skrqchOU3ecWE5NRimNGaklNm3reGnB3wpBaZGQ1Y8+Tmj\nF73XflBK5tEMqSTuCtjWqHVGOp33xZivJrZfehCFnAxJRWrZC17v5FAjgcFBHucx\nRhX/7x06L+MfCkCnz4wOByv0lG1gEm+S65vogYUu2opcOeycueCL/MG2vyFWLM/9\n9nseRJbvhYqGbDtErH2BbcORcYSnI+W0YvA+6qHJxZCK9Kc1hvm8AqPc8cEF7HMR\nT8UnRLT7NPOZAEcZ+xb+otI2lb7C2rO9aEfjac4sumCi/IDJzNqIG6dY3IcMiBq3\nZE8h9M0lm5S9Rs73n4GCtmr7kXrjdihpC1zZJM+xcyK1eUlnEIA027epGQ8Hb8J7\ngFge4kVbT4HHLUJI8ZgaFybSDZ2dnLGhqpn7bZuX1O4KI8urkvMPpDBJ5yvOOa1L\ndcI5gfLA2NgKyE+MrAhGrY7Evfn++AMsD48HQ91G21s87bLrXn4jY3UhR+OrgYR6\n8FKpx00CWRJ6G7qMZKc7hjIDGqF2csxBf7z4nvhYnPq9jDDS6hRcCWbGrqVy/vm2\nnCLDp4PkcusPGzRJ1zrlJCOUGE+G3Ltw2hu7hIyvjgr6o0kgkrmf27B5WpuYsXnS\nVgFfxQ57JiXR9+rmY/f0l9yHWnrDm1BMPNjLvUWDEgv4hB+5Cy1mcYkqhnqmSiW4\nINLYhPkp8folkShlwmsarxDuqsxjxI9NayBNfNeGK2RhNotynKpg\n=subF\n-----END PGP MESSAGE-----",
+ "fp": "047bf8897df877fe86133e98522c6d280d545c00"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.1"
+ }
+}
\ No newline at end of file