First step with sops
This commit is contained in:
parent
2d63b9e96e
commit
516034c19f
5 changed files with 66 additions and 4 deletions
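--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+  - &macintosh age1z7ysc378s6rymamdawzav4jg5scl0ufg0lfgx7zuyh234lsnfsrqw9s0cn
+  - &newton age162v5365xrnzm9tlxy4w3e6fqds7k3h029qezvl73z6rs5skcn9hs7vml45
+  - &lisa age14shnplzdf2uatzd7wkvnquqw00zjfly3404ak5lqevajanzdw5qqedjw0y
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+      - age:
+          - *macintosh
+          - *newton
+          - *lisa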
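Review bot: The `path_regex` is anchored only at the end, so `secrets/[^/]+\.yaml$` also matches any file under a nested `something/secrets/` directory anywhere in the repository; anchor it at the start, `path_regex: ^secrets/[^/]+\.yaml$`, so only the top-level `secrets/` directory is covered by this rule. All three recipients sit in a single key group, which means any one of the three keys alone can decrypt every matching file; if the anchors name three different machines, each host can read every other host's secrets, including the user password hash added in this commit, which is fine for a personal fleet but should be a deliberate choice. A one-line comment per key saying which machine or person it belongs to (`# host key of macintosh, from ssh-to-age`) would make future key rotation much safer, since nothing here says how the keys were derived.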
9
base.nix
9
base.nix
|
@ -1,10 +1,15 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, sops-nix, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|
||||||
imports = [ ./users/julien.nix ];
|
imports = [
|
||||||
|
./users/julien.nix
|
||||||
|
];
|
||||||
luj.nix.enable = true;
|
luj.nix.enable = true;
|
||||||
|
|
||||||
|
sops.defaultSopsFile = ./secrets/secrets.yaml;
|
||||||
|
sops.age.sshKeyPaths = [ "/home/julien/.ssh/id_ed25519"];
|
||||||
|
|
||||||
time.timeZone = "Europe/Paris";
|
time.timeZone = "Europe/Paris";
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
console = {
|
console = {
|
||||||
|
|
|
@ -20,12 +20,14 @@
|
||||||
neomutt
|
neomutt
|
||||||
htop
|
htop
|
||||||
evince
|
evince
|
||||||
|
brightnessctl
|
||||||
wireguard
|
wireguard
|
||||||
mosh
|
mosh
|
||||||
signal-desktop
|
signal-desktop
|
||||||
flameshot
|
flameshot
|
||||||
ctags
|
ctags
|
||||||
ungoogled-chromium
|
ungoogled-chromium
|
||||||
|
networkmanagerapplet
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
||||||
|
|
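Review bot: `sops.age.sshKeyPaths = [ "/home/julien/.ssh/id_ed25519" ]` makes root decrypt the host's secrets with a user's login key, and since `neededForUsers = true` secrets are decrypted early in activation, a key living under `/home` may not be available yet if `/home` is a separate or encrypted filesystem, and it must also be passphrase-less because nothing can prompt at that point. The usual sops-nix layout is the host key, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with that key's age recipient listed in `.sops.yaml`; whether the three recipients there are host keys or user keys is not visible in this diff, so please confirm which before switching. The `sops-nix` argument added to the module signature is not used anywhere in the visible hunks; drop it or add a comment saying why it is threaded through. The second hunk only adds packages and needs no change.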
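--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -0,0 +1,39 @@
+user-julien-password: ENC[AES256_GCM,data:CnAfCPKEG2OUcM8pyICaZ7ZwclTouENCh1pl4LqFads8yOezvOYDwZSWVGM6P6z79kEL6o5Jt4dnHvRdln8gcANElJtqk1C7zfXlp47SegqzKa7QAEMKVURsO0RQj27I7cRbRaAkBWeFCg==,iv:Gv6y9DnKuxVz+QxSIW9IVCv9DdU5cA6+WR/OSA0SNfQ=,tag:ae0jTJFelKlSSGgVkFjHww==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1z7ysc378s6rymamdawzav4jg5scl0ufg0lfgx7zuyh234lsnfsrqw9s0cn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHY0xEUDBCcUhCKzNIbUlm
+            enZrV2MyZytSNkRFNDJLd3hsMlFvc2V2Qnd3ClQ0U2JYY0M5clJtU1NyQTJNNEVG
+            UEpUOUJELzByTHJqcXIvWE5HMjN5SHMKLS0tIHhLOStlYnVnbmVBSkdOY083TFR4
+            Zk9FUG5lR0Q4L3V1M1FmRHBtbGc4YVUK2TCeXI+GrRz72JEud0tT/V8uryF0rVOU
+            gDEotieLsd4MSWsYYALvHHAx7uKDtEhIdliPohqM9IAKRq+3GGKtsg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age162v5365xrnzm9tlxy4w3e6fqds7k3h029qezvl73z6rs5skcn9hs7vml45
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUlhUeE1saC9zRm5FczRh
+            NGx4Umx6SXZJdHBIcURoMmlEY2JtdU1jMlY4CjlKenFxV1J3blR0ZVByQVpEYU1U
+            UUlCSmJRdHZJNGpWNFpqQ1lBajBPY0UKLS0tIEo4aDlScjl2MmYrQ1NYYVE3N1RU
+            MytabnVhSGlqdFQ4RGF0OE9va28weDQKawBOw62DucCBFbkxL6/NuYBPcxyc7sCu
+            JvzAComgfSmp5ROSuigAbjs5stz7hn2yNHKtBD3UxqTtDKblXaSN8w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age14shnplzdf2uatzd7wkvnquqw00zjfly3404ak5lqevajanzdw5qqedjw0y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTWFiU1FweDNQQjl1ODBC
+            STUyOGpZdmE2d0p1ZnQrblB5TzJFY05lV0NZCnhSUWpzdW1wb05rZFdVWmM1ZTkr
+            TDdnWU1KcEYxTWNuTUoxSlVpL1VsSDQKLS0tIE5GbWZsZk9sdmtFNkVtc2VKejV2
+            dStVUTRYUnlDTXk5UXN1NDJYN29KeG8KhdZjc591xMCYGAIvhhq5fcT79ozAyo7F
+            89Zjm96eVH+r9g5QOc6+A1GWeQrp90l7/m3TNmCRZnAa1TiWe6sYiQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-12-21T21:53:13Z"
+    mac: ENC[AES256_GCM,data:PYGLtjwSVX+Pi/fRQNcSYWKlXNg/KT1oo4UNd0+ZfsY9BhSSgtQFb9CAgQiQIhq89jNhtYhpI4Yedqw7RbNM0uTErF0fyYEpjvTRRnxumYKLVGNrPMjtWI5jyZROmmvFV67OmCvfEL5JjK87aIG5ygMPYVlJrWQ7ZRSc6LJ9Od4=,iv:q+o9VePVlYxP3bmIWLOK0QyPxDzkTfGeUC3orkUqM+4=,tag:gDnn33NNsz7OujJtK5+mpA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1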
|
@ -1,10 +1,15 @@
|
||||||
{ config, pkgs, lib, ... }: {
|
{ config, pkgs, lib, ... }: {
|
||||||
|
|
||||||
|
|
||||||
|
users.mutableUsers = false;
|
||||||
|
sops.secrets.user-julien-password.neededForUsers = true;
|
||||||
|
|
||||||
users.users.julien = {
|
users.users.julien = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
home = "/home/julien";
|
home = "/home/julien";
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = [ "wheel" "keys"];
|
||||||
shell = pkgs.fish;
|
shell = pkgs.fish;
|
||||||
|
passwordFile = config.sops.secrets.user-julien-password.path;
|
||||||
openssh.authorizedKeys.keyFiles = [
|
openssh.authorizedKeys.keyFiles = [
|
||||||
(pkgs.fetchurl {
|
(pkgs.fetchurl {
|
||||||
url = "https://github.com/JulienMalka.keys";
|
url = "https://github.com/JulienMalka.keys";
|
||||||
|
@ -13,5 +18,5 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
nix.allowedUsers = [ "julien" ];
|
nix.allowedUsers = [ "lol" "julien" ];
|
||||||
}
|
}
|
||||||
|
|
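Review bot: `nix.allowedUsers = [ "lol" "julien" ];` adds a user named `lol` that is defined nowhere in this diff and reads like a leftover from testing; it grants an unknown account access to the Nix daemon, so it should be `nix.allowedUsers = [ "julien" ];`. `passwordFile = config.sops.secrets.user-julien-password.path` expects the file to hold the password in hashed form (the `mkpasswd -m sha-512` output used by `hashedPassword`), not the cleartext password, and the secret name does not say which it is; with `users.mutableUsers = false` a cleartext value would silently leave the account without a working password, so please confirm and consider renaming the secret to `user-julien-password-hash`. Adding `"keys"` to `extraGroups` has no visible effect here, since sops-nix secrets default to root-only ownership and no secret in this commit sets `group = "keys"`; either drop it or add a comment stating which secrets it is meant to unlock, because once a secret is assigned to that group every member can read it. The file header for this section is not shown, but the hunk appears to be `users/julien.nix` from the import in base.nix.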