From 338f473859c2f436704568069be4a46294a49954 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Wed, 13 Mar 2024 21:42:19 +0300
Subject: [PATCH] sops-nix testing
---
 .sops.yaml | 8 ++
 flake.lock | 137 ++++++++++++++------------------
 flake.nix | 22 ++++-
 home/scripts.nix | 60 +++++++-------
 hosts/dlaptop/configuration.nix | 13 ++-
 secrets/example.yaml | 30 +++++++
 6 files changed, 160 insertions(+), 110 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/example.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..916b2b0
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+
+keys:
+ - &dlaptop age15ztewc67js3aunwx8zvkdukqy8r3qswpqucjsqqnqjy3zecvacyqdxhl4y
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini|bin)$
+ key_groups:
+ - age:
+ - *dlaptop
diff --git a/flake.lock b/flake.lock
index 34ffca2..bc119a7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -42,25 +42,6 @@
 "type": "github"
 }
 },
- "ayugram-desktop": {
- "inputs": {
- "flake-utils": "flake-utils",
- "nixpkgs": "nixpkgs_2"
- },
- "locked": {
- "lastModified": 1710190896,
- "narHash": "sha256-IElr6yTJ9nohdyz2uMmOgoYrd6wnkx2sHX57NfpSeFk=",
- "owner": "shwewo",
- "repo": "ayugram-desktop",
- "rev": "e90a1908a63dbcc9b7c668c4c61e627f78894def",
- "type": "github"
- },
- "original": {
- "owner": "shwewo",
- "repo": "ayugram-desktop",
- "type": "github"
- }
- },
 "cachix": {
 "locked": {
 "lastModified": 1635350005,
@@ -141,24 +122,6 @@
 "inputs": {
 "systems": "systems_2"
 },
- "locked": {
- "lastModified": 1710146030,
- "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
- },
- "flake-utils_2": {
- "inputs": {
- "systems": "systems_3"
- },
 "locked": {
 "lastModified": 1709126324,
 "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
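Review bot: The only `creation_rules` key group in the new `.sops.yaml` lists the single `dlaptop` age recipient, so every file matched under `secrets/` can be decrypted by that one key and nothing else; if that host key is rotated or lost, the files cannot be re-keyed and the secrets are gone. Add a second recipient kept off the host (an operator age key) to `keys:` and to the `age:` group, e.g. `- &operator age1<operator-key-placeholder>` and a matching `- *operator` line under `- *dlaptop`, then re-key existing files with `sops updatekeys`. The `path_regex` is not anchored at the start, so `secrets/[^/]+\.(yaml|json|env|ini|bin)$` also matches any deeper path that happens to contain a `secrets/` component; `^secrets/[^/]+\.(yaml|json|env|ini|bin)$` pins it to the repository-root directory. The empty first line of the file can be dropped.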
@@ -173,9 +136,9 @@
 "type": "github"
 }
 },
- "flake-utils_3": {
+ "flake-utils_2": {
 "inputs": {
- "systems": "systems_4"
+ "systems": "systems_3"
 },
 "locked": {
 "lastModified": 1705309234,
@@ -191,9 +154,9 @@
 "type": "github"
 }
 },
- "flake-utils_4": {
+ "flake-utils_3": {
 "inputs": {
- "systems": "systems_5"
+ "systems": "systems_4"
 },
 "locked": {
 "lastModified": 1705309234,
@@ -273,7 +236,7 @@
 },
 "lib-aggregate": {
 "inputs": {
- "flake-utils": "flake-utils_2",
+ "flake-utils": "flake-utils",
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
@@ -353,6 +316,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable_2": {
+ "locked": {
+ "lastModified": 1710033658,
+ "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1709150264,
@@ -370,22 +349,6 @@
 }
 },
 "nixpkgs_2": {
- "locked": {
- "lastModified": 1709961763,
- "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_3": {
 "locked": {
 "lastModified": 1709128929,
 "narHash": "sha256-GWrv9a+AgGhG4/eI/CyVVIIygia7cEy68Huv3P8oyaw=",
@@ -401,6 +364,22 @@
 "type": "github"
 }
 },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1709968316,
+ "narHash": "sha256-4rZEtEDT6jcgRaqxsatBeds7x1PoEiEjb6QNGb4mNrk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "0e7f98a5f30166cbed344569426850b21e4091d4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_4": {
 "locked": {
 "lastModified": 1709128929,
@@ -437,17 +416,36 @@
 "inputs": {
 "agenix": "agenix",
 "anyrun": "anyrun",
- "ayugram-desktop": "ayugram-desktop",
 "firefox": "firefox",
 "home-manager": "home-manager_2",
 "home-manager-unstable": "home-manager-unstable",
- "nixpkgs": "nixpkgs_3",
+ "nixpkgs": "nixpkgs_2",
 "nixpkgs-stable": "nixpkgs-stable",
 "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix",
 "telegram-desktop-patched": "telegram-desktop-patched",
 "telegram-desktop-patched-unstable": "telegram-desktop-patched-unstable"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3",
+ "nixpkgs-stable": "nixpkgs-stable_2"
+ },
+ "locked": {
+ "lastModified": 1710195194,
+ "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
@@ -508,24 +506,9 @@
 "type": "github"
 }
 },
- "systems_5": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
- },
 "telegram-desktop-patched": {
 "inputs": {
- "flake-utils": "flake-utils_3",
+ "flake-utils": "flake-utils_2",
 "nixpkgs": "nixpkgs_4"
 },
 "locked": {
@@ -545,7 +528,7 @@
 },
 "telegram-desktop-patched-unstable": {
 "inputs": {
- "flake-utils": "flake-utils_4",
+ "flake-utils": "flake-utils_3",
 "nixpkgs": "nixpkgs_5"
 },
 "locked": {
diff --git a/flake.nix b/flake.nix
index 8b4cff8..9535c6e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,9 +15,15 @@
 telegram-desktop-patched-unstable.url = "github:shwewo/telegram-desktop-patched";
 agenix.url = "github:ryantm/agenix";
 agenix.inputs.darwin.follows = "";
+ #ragenix = {
+ # url = "github:yaxitech/ragenix";
+ # inputs.flake-utils.follows = "flake-utils";
+ # inputs.nixpkgs.follows = "nixpkgs";
+ #};
+ sops-nix.url = "github:Mic92/sops-nix";
 };
- outputs = inputs @ { nixpkgs, nixpkgs-stable, nixpkgs-unstable, home-manager, home-manager-unstable, firefox, anyrun, agenix, ... }: {
+ outputs = inputs @ { self, nixpkgs, nixpkgs-stable, nixpkgs-unstable, home-manager, home-manager-unstable, firefox, anyrun, agenix, sops-nix, ... }: {
 nixosConfigurations.dlaptop = nixpkgs-unstable.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {
@@ -38,6 +44,7 @@
 ./hosts/dlaptop/age.nix
 home-manager-unstable.nixosModules.home-manager
 agenix.nixosModules.default
+ sops-nix.nixosModules.sops
 {
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
@@ -111,5 +118,18 @@
 }
 ];
 };
+
+ # devShells = flake-utils.lib.eachDefaultSystem (system: rec {
+ # pkgs = import nixpkgs {
+ # inherit system;
+ # overlays = [ ];
+ # };
+ # default = pkgs.mkShell {
+ # packages = [ ];
+ # # ...
+ # };
+ #});
+
+
 };
 }
diff --git a/home/scripts.nix b/home/scripts.nix
index c92ba73..a31a6c3 100644
--- a/home/scripts.nix
+++ b/home/scripts.nix
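Review bot: `sops-nix.url = "github:Mic92/sops-nix";` in the inputs hunk declares no `follows` for sops-nix's own `nixpkgs` and `nixpkgs-stable` inputs, which is why the lockfile in this same commit grows separate `nixpkgs_3` and `nixpkgs-stable_2` entries — a second copy of nixpkgs to fetch and evaluate, pinned independently of the one the host uses. Declare it as `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };` (and `inputs.nixpkgs-stable.follows = "nixpkgs-stable";` if that pin is wanted), in the same spirit as the `agenix.inputs.darwin.follows` line just above it. The commented-out `ragenix` input block here and the commented-out `devShells` block in the third hunk are dead text; leave them out of the commit or keep them on a branch instead of as comments. `self` is added to the `outputs` pattern but not used in any visible hunk — presumably for a follow-up, so confirm it is needed.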
@@ -65,11 +65,28 @@ let
 fi
 '';
+ ephemeralbrowserDesktopItem = pkgs.makeDesktopItem {
+ name = "ephemeralbrowser";
+ desktopName = "Ephemeral Browser";
+ icon = "google-chrome-unstable";
+ exec = "/etc/profiles/per-user/delta/bin/ephemeralbrowser";
+ type = "Application";
+ };
+
 keepassxc = pkgs.writeScriptBin "keepassxc" ''
 #!/usr/bin/env bash
 ${pkgs.coreutils}/bin/cat /run/agenix/qqq | ${pkgs.keepassxc}/bin/keepassxc --pw-stdin ~/Dropbox/pswd.kdbx
 '';
+ keepassxcDesktopItem = pkgs.makeDesktopItem {
+ name = "org.keepassxc.KeePassXC";
+ desktopName = "KeePassXC";
+ icon = "keepassxc";
+ exec = "/etc/profiles/per-user/delta/bin/keepassxc";
+ type = "Application";
+ startupWMClass = "keepassxc";
+ };
+
 kitty_wrapped = pkgs.writeScriptBin "kitty_wrapped" ''
 #!/usr/bin/env bash
 pid=$(${pkgs.procps}/bin/pgrep "kitty")
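Review bot: The `exec` fields of the new `ephemeralbrowserDesktopItem` and `keepassxcDesktopItem` hard-code `/etc/profiles/per-user/delta/bin/...`, tying the desktop entries to one username and to the per-user profile layout rather than to the script derivations defined in the same `let` block. Since each desktop item is now a derivation of its own, `exec = "${keepassxc}/bin/keepassxc";` (and likewise `"${ephemeralbrowser}/bin/ephemeralbrowser"`) should resolve to the script's store path and make the item rebuild whenever the script changes — worth confirming against the rationale the old `xdg.desktopEntries` comment gave for the fixed path. The enclosing `let` block begins before this hunk.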
@@ -85,44 +102,25 @@ let
 #!/usr/bin/env bash
 ${pkgs.coreutils}/bin/sleep 5
 ${pkgs.gtk3}/bin/gtk-launch maestral.desktop
- ${pkgs.gtk3}/bin/gtk-launch keepassxc.desktop
+ ${pkgs.gtk3}/bin/gtk-launch org.keepassxc.KeePassXC.desktop
 exit 0
 '';
+ autostartDesktopItem = pkgs.makeDesktopItem {
+ name = "autostart";
+ desktopName = "Autostart";
+ icon = "app-launcher";
+ exec = "/etc/profiles/per-user/delta/bin/autostart";
+ type = "Application";
+ };
 in {
 home.packages = with pkgs; [
 ephemeralbrowser
+ ephemeralbrowserDesktopItem
 keepassxc
+ keepassxcDesktopItem
 kitty_wrapped
 autostart
+ autostartDesktopItem
 ];
-
- xdg.desktopEntries = {
- keepassxc = {
- name = "KeePassXC";
- icon = "keepassxc";
- exec = "/etc/profiles/per-user/delta/bin/keepassxc";
- type = "Application";
- };
- ephemeralbrowser = {
- name = "Ephemeral Browser";
- icon = "google-chrome-unstable";
- exec = "/etc/profiles/per-user/delta/bin/ephemeralbrowser";
- type = "Application";
- };
- firefox_work = {
- name = "Firefox Work";
- icon = "browser";
- exec = "firejail --noprofile --netns=novpn firefox -p work -no-remote";
- type = "Application";
- };
- autostart = {
- name = "Autostart";
- icon = "app-launcher";
- exec = "/etc/profiles/per-user/delta/bin/autostart"; # this is needed due to nix stuff, the path is going to be changed every time i update autostart script
- type = "Application";
- };
- };
-
-}
-
+}
\ No newline at end of file
diff --git a/hosts/dlaptop/configuration.nix b/hosts/dlaptop/configuration.nix
index 3a5fca7..6b35e4e 100644
--- a/hosts/dlaptop/configuration.nix
+++ b/hosts/dlaptop/configuration.nix
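Review bot: The removed `xdg.desktopEntries` block contained a `firefox_work` entry (`exec = "firejail --noprofile --netns=novpn firefox -p work -no-remote";`) that gets no `makeDesktopItem` counterpart, while `keepassxc`, `ephemeralbrowser` and `autostart` each do; if dropping the sandboxed work-profile launcher is intended, the commit message should say so, otherwise add a `firefoxWorkDesktopItem` next to the other three and list it in `home.packages`. The rewrite also leaves the file without a trailing newline (`\ No newline at end of file`), which is worth restoring. The explanatory comment on the old `autostart` exec line was lost with the block; if the per-user profile path is still deliberate, carry that reasoning over as a comment on `autostartDesktopItem`.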
@@ -13,6 +13,16 @@
 LC_ALL = "en_US.UTF-8";
 };
+ # age.rekey = {
+ # hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGL2UD0frl9F2OPBiPlSQqxDsuACbAVgwH24F0KT14L delta@dlaptop";
+ # #masterIdentities = [ "/home/delta/.ssh/id_ed25519" ];
+ # masterIdentities = [ "/home/delta/.secrets/key.txt" ];
+ # storageMode = "local";
+ # localStorageDir = ../../secrets/rekeyed/${config.networking.hostName};
+ # };
+
+
+
 hardware.opengl = {
 enable = true;
 driSupport = true;
@@ -279,7 +289,8 @@
 #inputs.anyrun.packages.${pkgs.system}.anyrun
 inputs.telegram-desktop-patched-unstable.packages.${pkgs.system}.default
 inputs.agenix.packages.x86_64-linux.default
- ];
+ # inputs.ragenix.packages.x86_64-linux.default
+ ];
 users.users.socks = {
 group = "socks";
diff --git a/secrets/example.yaml b/secrets/example.yaml
new file mode 100644
index 0000000..13b4b6c
--- /dev/null
+++ b/secrets/example.yaml
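Review bot: The first hunk adds only a commented-out `age.rekey` block (host pubkey, two `masterIdentities` candidates, `storageMode`, `localStorageDir`) followed by three blank lines, and the second hunk adds a commented-out `inputs.ragenix.packages.x86_64-linux.default` entry — none of it is live configuration. Commented configuration drifts from the real setup; either finish the migration or drop the block and rely on git history, noting that the `/home/delta/.secrets/key.txt` path it mentions looks like the age identity sops-nix will need via `sops.age.keyFile`, which no visible hunk sets. The `];` line in the second hunk is rewritten only to change its indentation, which adds diff noise for no functional change.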
@@ -0,0 +1,30 @@
+hello: ENC[AES256_GCM,data:ECm2+ZCe7Jeb3ROTDhYBTk9Ex7Hbns84wW/hnJP/JRHT0FdVdRbl0SvjaLOuTg==,iv:UmHA8FAU7W94KNXNfQNjr5CLXCfae/pFs5h2uTkMqZg=,tag:xSXb36kOPeZHXWgvJao5tQ==,type:str]
+example_key: ENC[AES256_GCM,data:tL0vrJtC9fY+IRlnWA==,iv:2i5heEOliI1qoOgW5Mx+QlR0e92l7ym5Kf/Tt4xutKA=,tag:2X1+6MlXssXjVADM56HKfg==,type:str]
+#ENC[AES256_GCM,data:loEhZpgDmndk9f2pkkTerg==,iv:j0S/vRASUFdbTG7G8ylFSmTydCrLf8a0oUd/zdWSR4A=,tag:tpcXeYnzLUyu6hDTw2T5hA==,type:comment]
+example_array:
+ - ENC[AES256_GCM,data:wtn0wrhj0Mg1S3k52q4=,iv:F9TWOYvERUlA/UwlBjPfUHOqJdjaAPXBpu2Q7rrUGaY=,tag:/LYCfWRvaZDvmNDoy3LMhQ==,type:str]
+ - ENC[AES256_GCM,data:CxTy9D1UkWT2r59fwJI=,iv:KZKhWGrDhLrMMpCHs2bcZSQQkrIPqIy5O7J8cZoxPxQ=,tag:Mr2xc8RhIYGcdZj1Og8uYA==,type:str]
+example_number: ENC[AES256_GCM,data:xAIg3gNQqFglyA==,iv:zajS5ZrndwzHVTeIRsYnBJO2RzEiXYrYynjWrszqbvU=,tag:M0LVdKXMevz0meLN3dkwew==,type:float]
+example_booleans:
+ - ENC[AES256_GCM,data:y7/KwA==,iv:WqDZeWBVVUJ1jDw2qIwvc7PfJOawaapFfhy6WvcXfEc=,tag:oSfxDqog7F/8QveeJ4fv0w==,type:bool]
+ - ENC[AES256_GCM,data:uM8s0kk=,iv:6foIM8/3gKrDWB5BkOQYeO5RaNhu9roDaX66zQlPdSM=,tag:u3vP6XAs0KqnopVctlDkAQ==,type:bool]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age15ztewc67js3aunwx8zvkdukqy8r3qswpqucjsqqnqjy3zecvacyqdxhl4y
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVT20rcmg1N1MrY3RkK0VO
+ TENHeW1GeE5wcDZtbkR3bDQzQ05XRWVPQVJjClpGNHVqd1FmZmlPSWdDQWZ6Ujg1
+ aEF4dU1MaWM5NmNhYVlKVXBNSWpWWjgKLS0tIGVLbEwrb09VWklIbmZWRGRSQXBz
+ QndtalQ5UHNUMGF0RGFNbys0WjFqanMKd9sbAHeJqltNpROdw0Y+ZzEH3NMD05xb
+ oc8ZvdTLS7R7aN0pHFMgMSlb/6lENjhANkCSEflfw+kT8gg3LrkV5Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-13T17:59:51Z"
+ mac: 
ENC[AES256_GCM,data:fxSCfmptMwdhgAXDoO2Q/mvbgKFFKZ24hZerMAlMgz+hZyrtyuwbW5pvzYnS5qUh6P+xBulMyGo0BDwFkpHKIaamNoHSmUZ/BmflehvI1KVm/0bzPGIwEhAMurdIvJ/vh5z55JH6DDWArXLuGNXTpDpyrIGxOd/JgUx3kDHYSxM=,iv:bG7VpX653bArHS9z2yXUCynHKnbvpCbamdY3Al+tIFc=,tag:3gu9fS5aJPcwfXJsz3rSzQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
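Review bot: Nothing in this commit references `secrets/example.yaml`: the `flake.nix` hunk imports `sops-nix.nixosModules.sops`, but no visible hunk sets `sops.defaultSopsFile`, any `sops.secrets.<name>`, or `sops.age.keyFile`, so the module is inert and this file is just the stock `sops` template (`hello`, `example_key`, `example_array`, …) encrypted to the `dlaptop` recipient. Either wire it up on the host — from `hosts/dlaptop/configuration.nix` something like `sops.defaultSopsFile = ../../secrets/example.yaml;` plus a `sops.secrets.<name> = { };` entry — or keep the file out of the tree until a real secret exists, since committed placeholder secrets tend to outlive their purpose. The file carries a MAC and is encrypted only to the recipient pinned in `.sops.yaml`, so committing the ciphertext is fine as long as the age identity file itself never lands in the repository.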