sops-nix testing

2025-12-06 07:16:37 +03:00 · 2024-03-13 21:42:19 +03:00 · 2024-03-13 21:42:19 +03:00 · 338f473859
parent efd2152724
commit 338f473859
6 changed files with 160 additions and 110 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,8 @@
+
+keys:
+  - &dlaptop age15ztewc67js3aunwx8zvkdukqy8r3qswpqucjsqqnqjy3zecvacyqdxhl4y
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini|bin)$
+    key_groups:
+    - age:
+      - *dlaptop
--- a/flake.lock
+++ b/flake.lock
@ -42,25 +42,6 @@
        "type": "github"
      }
    },
-    "ayugram-desktop": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_2"
-      },
-      "locked": {
-        "lastModified": 1710190896,
-        "narHash": "sha256-IElr6yTJ9nohdyz2uMmOgoYrd6wnkx2sHX57NfpSeFk=",
-        "owner": "shwewo",
-        "repo": "ayugram-desktop",
-        "rev": "e90a1908a63dbcc9b7c668c4c61e627f78894def",
-        "type": "github"
-      },
-      "original": {
-        "owner": "shwewo",
-        "repo": "ayugram-desktop",
-        "type": "github"
-      }
-    },
    "cachix": {
      "locked": {
        "lastModified": 1635350005,
@ -141,24 +122,6 @@
      "inputs": {
        "systems": "systems_2"
      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_3"
-      },
      "locked": {
        "lastModified": 1709126324,
        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
@ -173,9 +136,9 @@
        "type": "github"
      }
    },
-    "flake-utils_3": {
+    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1705309234,
@ -191,9 +154,9 @@
        "type": "github"
      }
    },
-    "flake-utils_4": {
+    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1705309234,
@ -273,7 +236,7 @@
    },
    "lib-aggregate": {
      "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
@ -353,6 +316,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-stable_2": {
+      "locked": {
+        "lastModified": 1710033658,
+        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1709150264,
@ -370,22 +349,6 @@
      }
    },
    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1709961763,
-        "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
      "locked": {
        "lastModified": 1709128929,
        "narHash": "sha256-GWrv9a+AgGhG4/eI/CyVVIIygia7cEy68Huv3P8oyaw=",
@ -401,6 +364,22 @@
        "type": "github"
      }
    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1709968316,
+        "narHash": "sha256-4rZEtEDT6jcgRaqxsatBeds7x1PoEiEjb6QNGb4mNrk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0e7f98a5f30166cbed344569426850b21e4091d4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1709128929,
@ -437,17 +416,36 @@
      "inputs": {
        "agenix": "agenix",
        "anyrun": "anyrun",
-        "ayugram-desktop": "ayugram-desktop",
        "firefox": "firefox",
        "home-manager": "home-manager_2",
        "home-manager-unstable": "home-manager-unstable",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-stable": "nixpkgs-stable",
        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix",
        "telegram-desktop-patched": "telegram-desktop-patched",
        "telegram-desktop-patched-unstable": "telegram-desktop-patched-unstable"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3",
+        "nixpkgs-stable": "nixpkgs-stable_2"
+      },
+      "locked": {
+        "lastModified": 1710195194,
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@ -508,24 +506,9 @@
        "type": "github"
      }
    },
-    "systems_5": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
    "telegram-desktop-patched": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
@ -545,7 +528,7 @@
    },
    "telegram-desktop-patched-unstable": {
      "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_3",
        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -15,9 +15,15 @@
    telegram-desktop-patched-unstable.url = "github:shwewo/telegram-desktop-patched";
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.darwin.follows = "";
+    #ragenix = {
+    #  url = "github:yaxitech/ragenix";
+    #  inputs.flake-utils.follows = "flake-utils";
+    #  inputs.nixpkgs.follows = "nixpkgs";
+    #};
+    sops-nix.url = "github:Mic92/sops-nix";
  };

-  outputs = inputs @ { nixpkgs, nixpkgs-stable, nixpkgs-unstable, home-manager, home-manager-unstable, firefox, anyrun, agenix, ... }: {
+  outputs = inputs @ { self, nixpkgs, nixpkgs-stable, nixpkgs-unstable, home-manager, home-manager-unstable, firefox, anyrun, agenix, sops-nix, ... }: {
    nixosConfigurations.dlaptop = nixpkgs-unstable.lib.nixosSystem {
      system = "x86_64-linux";
      specialArgs = {
@ -38,6 +44,7 @@
        ./hosts/dlaptop/age.nix
        home-manager-unstable.nixosModules.home-manager
        agenix.nixosModules.default
+        sops-nix.nixosModules.sops
        {
          home-manager.useGlobalPkgs = true;
          home-manager.useUserPackages = true;
@ -111,5 +118,18 @@
        }
      ];
    };
+    
+  #  devShells = flake-utils.lib.eachDefaultSystem (system: rec {
+  #  pkgs = import nixpkgs {
+  #    inherit system;
+  #    overlays = [  ];
+  #  };
+  #  default = pkgs.mkShell {
+  #    packages = [  ];
+  #    # ...
+  #  };
+  #});
+
+
  };
 }
--- a/home/scripts.nix
+++ b/home/scripts.nix
@ -65,11 +65,28 @@ let
    fi
  '';

+  ephemeralbrowserDesktopItem = pkgs.makeDesktopItem {
+    name = "ephemeralbrowser";
+    desktopName = "Ephemeral Browser";
+    icon = "google-chrome-unstable";
+    exec = "/etc/profiles/per-user/delta/bin/ephemeralbrowser";
+    type = "Application";
+  };
+
  keepassxc = pkgs.writeScriptBin "keepassxc" ''
    #!/usr/bin/env bash
    ${pkgs.coreutils}/bin/cat /run/agenix/qqq | ${pkgs.keepassxc}/bin/keepassxc --pw-stdin ~/Dropbox/pswd.kdbx
  '';

+  keepassxcDesktopItem = pkgs.makeDesktopItem {
+    name = "org.keepassxc.KeePassXC";
+    desktopName = "KeePassXC";
+    icon = "keepassxc";
+    exec = "/etc/profiles/per-user/delta/bin/keepassxc";
+    type = "Application";
+    startupWMClass = "keepassxc";
+  };
+
  kitty_wrapped = pkgs.writeScriptBin "kitty_wrapped" ''
    #!/usr/bin/env bash
    pid=$(${pkgs.procps}/bin/pgrep "kitty")
@ -85,44 +102,25 @@ let
    #!/usr/bin/env bash
    ${pkgs.coreutils}/bin/sleep 5
    ${pkgs.gtk3}/bin/gtk-launch maestral.desktop
-    ${pkgs.gtk3}/bin/gtk-launch keepassxc.desktop
+    ${pkgs.gtk3}/bin/gtk-launch org.keepassxc.KeePassXC.desktop
    exit 0
  '';

+  autostartDesktopItem = pkgs.makeDesktopItem {
+    name = "autostart";
+    desktopName = "Autostart";
+    icon = "app-launcher";
+    exec = "/etc/profiles/per-user/delta/bin/autostart";
+    type = "Application";
+  };
 in {
  home.packages = with pkgs; [
    ephemeralbrowser
+    ephemeralbrowserDesktopItem
    keepassxc
+    keepassxcDesktopItem
    kitty_wrapped
    autostart
+    autostartDesktopItem
  ];
-
-  xdg.desktopEntries = {
-    keepassxc = {
-      name = "KeePassXC";
-      icon = "keepassxc";
-      exec = "/etc/profiles/per-user/delta/bin/keepassxc";
-      type = "Application";
-    };
-    ephemeralbrowser = {
-      name = "Ephemeral Browser";
-      icon = "google-chrome-unstable";
-      exec = "/etc/profiles/per-user/delta/bin/ephemeralbrowser";
-      type = "Application";
-    };
-    firefox_work = {
-      name = "Firefox Work";
-      icon = "browser";
-      exec = "firejail --noprofile --netns=novpn firefox -p work -no-remote";
-      type = "Application";
-    };
-    autostart = {
-      name = "Autostart";
-      icon = "app-launcher";
-      exec = "/etc/profiles/per-user/delta/bin/autostart"; # this is needed due to nix stuff, the path is going to be changed every time i update autostart script
-      type = "Application";
-    };
-  };
-  
-}
-
+}
--- a/hosts/dlaptop/configuration.nix
+++ b/hosts/dlaptop/configuration.nix
@ -13,6 +13,16 @@
    LC_ALL = "en_US.UTF-8";
  };

+  # age.rekey = {
+  #   hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGL2UD0frl9F2OPBiPlSQqxDsuACbAVgwH24F0KT14L delta@dlaptop";
+  #   #masterIdentities = [ "/home/delta/.ssh/id_ed25519" ];
+  #   masterIdentities = [ "/home/delta/.secrets/key.txt" ];
+  #   storageMode = "local";
+  #   localStorageDir = ../../secrets/rekeyed/${config.networking.hostName};
+  # };
+
+
+
  hardware.opengl = {
    enable = true;
    driSupport = true;
@ -279,7 +289,8 @@
    #inputs.anyrun.packages.${pkgs.system}.anyrun
    inputs.telegram-desktop-patched-unstable.packages.${pkgs.system}.default
    inputs.agenix.packages.x86_64-linux.default
-  ];
+    # inputs.ragenix.packages.x86_64-linux.default
+    ];

  users.users.socks = {
    group = "socks";
--- a/secrets/example.yaml
+++ b/secrets/example.yaml
@ -0,0 +1,30 @@
+hello: ENC[AES256_GCM,data:ECm2+ZCe7Jeb3ROTDhYBTk9Ex7Hbns84wW/hnJP/JRHT0FdVdRbl0SvjaLOuTg==,iv:UmHA8FAU7W94KNXNfQNjr5CLXCfae/pFs5h2uTkMqZg=,tag:xSXb36kOPeZHXWgvJao5tQ==,type:str]
+example_key: ENC[AES256_GCM,data:tL0vrJtC9fY+IRlnWA==,iv:2i5heEOliI1qoOgW5Mx+QlR0e92l7ym5Kf/Tt4xutKA=,tag:2X1+6MlXssXjVADM56HKfg==,type:str]
+#ENC[AES256_GCM,data:loEhZpgDmndk9f2pkkTerg==,iv:j0S/vRASUFdbTG7G8ylFSmTydCrLf8a0oUd/zdWSR4A=,tag:tpcXeYnzLUyu6hDTw2T5hA==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:wtn0wrhj0Mg1S3k52q4=,iv:F9TWOYvERUlA/UwlBjPfUHOqJdjaAPXBpu2Q7rrUGaY=,tag:/LYCfWRvaZDvmNDoy3LMhQ==,type:str]
+    - ENC[AES256_GCM,data:CxTy9D1UkWT2r59fwJI=,iv:KZKhWGrDhLrMMpCHs2bcZSQQkrIPqIy5O7J8cZoxPxQ=,tag:Mr2xc8RhIYGcdZj1Og8uYA==,type:str]
+example_number: ENC[AES256_GCM,data:xAIg3gNQqFglyA==,iv:zajS5ZrndwzHVTeIRsYnBJO2RzEiXYrYynjWrszqbvU=,tag:M0LVdKXMevz0meLN3dkwew==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:y7/KwA==,iv:WqDZeWBVVUJ1jDw2qIwvc7PfJOawaapFfhy6WvcXfEc=,tag:oSfxDqog7F/8QveeJ4fv0w==,type:bool]
+    - ENC[AES256_GCM,data:uM8s0kk=,iv:6foIM8/3gKrDWB5BkOQYeO5RaNhu9roDaX66zQlPdSM=,tag:u3vP6XAs0KqnopVctlDkAQ==,type:bool]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15ztewc67js3aunwx8zvkdukqy8r3qswpqucjsqqnqjy3zecvacyqdxhl4y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVT20rcmg1N1MrY3RkK0VO
+            TENHeW1GeE5wcDZtbkR3bDQzQ05XRWVPQVJjClpGNHVqd1FmZmlPSWdDQWZ6Ujg1
+            aEF4dU1MaWM5NmNhYVlKVXBNSWpWWjgKLS0tIGVLbEwrb09VWklIbmZWRGRSQXBz
+            QndtalQ5UHNUMGF0RGFNbys0WjFqanMKd9sbAHeJqltNpROdw0Y+ZzEH3NMD05xb
+            oc8ZvdTLS7R7aN0pHFMgMSlb/6lENjhANkCSEflfw+kT8gg3LrkV5Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-13T17:59:51Z"
+    mac: ENC[AES256_GCM,data:fxSCfmptMwdhgAXDoO2Q/mvbgKFFKZ24hZerMAlMgz+hZyrtyuwbW5pvzYnS5qUh6P+xBulMyGo0BDwFkpHKIaamNoHSmUZ/BmflehvI1KVm/0bzPGIwEhAMurdIvJ/vh5z55JH6DDWArXLuGNXTpDpyrIGxOd/JgUx3kDHYSxM=,iv:bG7VpX653bArHS9z2yXUCynHKnbvpCbamdY3Al+tIFc=,tag:3gu9fS5aJPcwfXJsz3rSzQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1