From a32917bd22ba275f5c789a94b51e9707e9417a00 Mon Sep 17 00:00:00 2001
From: js0ny
Date: Tue, 4 Nov 2025 08:48:21 +0000
Subject: [PATCH] nix: sops-nix
---
 nixcfgs/.sops.yaml | 10 +++
 nixcfgs/flake.lock | 123 +++++--------------------
 nixcfgs/flake.nix | 10 ++-
 nixcfgs/secrets/secrets.yaml | 25 ++++++
 nixcfgs/users/js0ny/programs/sops.nix | 27 ++++++
 nixcfgs/users/js0ny/zephyrus.nix | 26 +++++-
 6 files changed, 118 insertions(+), 103 deletions(-)
 create mode 100644 nixcfgs/.sops.yaml
 create mode 100644 nixcfgs/secrets/secrets.yaml
 create mode 100644 nixcfgs/users/js0ny/programs/sops.nix
diff --git a/nixcfgs/.sops.yaml b/nixcfgs/.sops.yaml
new file mode 100644
index 0000000..a62964c
--- /dev/null
+++ b/nixcfgs/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &host_zephyrus age1amkejw3q2aqf8yvh9mkqw8ad4g89mkuudyhv5k6k7s722fa85d6skem8vc
+ - &user_js0ny age1mcvqpg39t32ll684r4m2l8j0l9zag6endg0h6zjw8svkgdwc4pjqkk5fvj
+
+creation_rules:
+ - path_regex: secrets/.*\.yaml
+ key_groups:
+ - age:
+ - *user_js0ny
+ - *host_zephyrus
diff --git a/nixcfgs/flake.lock b/nixcfgs/flake.lock
index 4e79acb..5bfa77d 100644
--- a/nixcfgs/flake.lock
+++ b/nixcfgs/flake.lock
@@ -1,26 +1,5 @@
 { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "systems": "systems" - }, - "locked": { - "lastModified": 1761656077, - "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=", - "owner": "ryantm", - "repo": "agenix", - "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "caelestia-cli": { "inputs": { "caelestia-shell": [
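Review bot: `path_regex: secrets/.*\.yaml` in the creation rule is unanchored, so it also matches any path that merely contains `secrets/` somewhere followed later by `.yaml`; anchoring it as `path_regex: ^secrets/.*\.yaml$` keeps this key group from being applied to unintended files as the tree grows. The two recipients are identified only by their YAML anchors, and nothing in this commit says where the private half of `host_zephyrus` is kept, so a one-line comment next to each recipient naming where its private key lives and who is expected to hold it would spare the next reader a guess.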
@@ -67,28 +46,6 @@ "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -112,7 +69,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1731533236, @@ -129,27 +86,6 @@ } }, "home-manager": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745494811, - "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -207,16 +143,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754028485, - "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", + "lastModified": 1761880412, + "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.05", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -238,22 +174,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 1761880412, - "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1761907660, "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", @@ -272,7 +192,7 @@ "nur": { "inputs": { "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1762155241, @@ -334,34 +254,39 @@ }, "root": { "inputs": { - "agenix": "agenix", "caelestia-shell": "caelestia-shell", "flake-utils": "flake-utils", - "home-manager": "home-manager_2", + "home-manager": "home-manager", "nix-darwin": "nix-darwin", "nix-flatpak": "nix-flatpak", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable", "nur": "nur", - "plasma-manager": "plasma-manager" + "plasma-manager": "plasma-manager", + "sops-nix": "sops-nix" } }, - "systems": { + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "lastModified": 1760998189, + "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", "type": "github" }, "original": { - "owner": "nix-systems", - "repo": "default", + "owner": "Mic92", + "repo": "sops-nix", "type": "github" } }, - "systems_2": { + "systems": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", diff --git a/nixcfgs/flake.nix b/nixcfgs/flake.nix index da55ea6..047c9f4 100644 
--- a/nixcfgs/flake.nix
+++ b/nixcfgs/flake.nix
@@ -25,7 +25,10 @@
 url = "github:caelestia-dots/shell";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- agenix.url = "github:ryantm/agenix";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };

 outputs = {
@@ -38,7 +41,7 @@
 plasma-manager,
 nur,
 caelestia-shell,
- agenix,
+ sops-nix,
 ...
 } @ inputs: let
 overlays = [
@@ -65,7 +68,7 @@
 system = "x86_64-linux";
 inherit specialArgs;
 modules = [
- agenix.nixosModules.default
+ sops-nix.nixosModules.sops
 ./hosts/${hostname}
 {nixpkgs.overlays = overlays;}
 ];
@@ -98,6 +101,7 @@
 ./users/js0ny/zephyrus.nix
 plasma-manager.homeModules.plasma-manager
 nix-flatpak.homeManagerModules.nix-flatpak
+ sops-nix.homeManagerModules.sops
 ];
 };
 "js0ny@nixvirt" = home-manager.lib.homeManagerConfiguration {
diff --git a/nixcfgs/secrets/secrets.yaml b/nixcfgs/secrets/secrets.yaml
new file mode 100644
index 0000000..48bdcb9
--- /dev/null
+++ b/nixcfgs/secrets/secrets.yaml
@@ -0,0 +1,25 @@
+openrouter_api: ENC[AES256_GCM,data:ceu+FlTNrNoS56rHL9bdGjODfPBYnBd1GL97BgpmLvHz8q2KMXMvGofMTyZVGsLs1BEq4scjr+HN9r52tozLxeVWzkVfumcUMA==,iv:zT2vT94zAoKoutl58pbeOVqHm5nPmoMrA7wlZQcYVLs=,tag:+gS9EPcmfANCUipbeiAi0Q==,type:str]
+sops:
+ age:
+ - recipient: age1mcvqpg39t32ll684r4m2l8j0l9zag6endg0h6zjw8svkgdwc4pjqkk5fvj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZGIwNlpPUlY2cCttTkJL
+ cEFDOWJ6TE0vUTQ3czJQTTdJUlpCWWJuRWp3CmJaZS9vbnBUVUpGaDR0MlNOK25q
+ b2Qvb0FjZlR2R1crTEdJTUFBbnR6ZWsKLS0tIDRkWFFXNkR0dml6eGdOZi9kUE41
+ djJMZUlQWU5ELyswdkNXTUUwUUZQY1kKRLHcH5mpHyMKBchX/zE1C6CqxGw8Yu6X
+ efAVToPTbi6f/8a1SiegkxSulnyRrhNkX0NeqU9/8hLky8NHr1yN1g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1amkejw3q2aqf8yvh9mkqw8ad4g89mkuudyhv5k6k7s722fa85d6skem8vc
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWmFrdTNsK1lWZmNBMEZT
+ T2ZCRktNRldJdXphT0JweldqSTdPUGZLQmpVCnEyT2FnWGNkemZyT05NN3ptcUlW
+ dnZsdGNwOXlEdjdPcFBCcFBVU0FSRzgKLS0tIHdETzFSVE1YVUd5Q3ZzTWYyRWZK
+ c3ZZQlRrZDhtT2NFM0lnZTUxWmptQjgK5lZBkR5oSpb90oa+LWinEnvcmdPTF6wP
+ Q1gJoVoT/krUu22VSTOj/ojKEzS6uamZnJkMBhH31f1w2j4TEtY5Lw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-11-03T09:13:13Z"
+ mac: ENC[AES256_GCM,data:1bZT8E/M7CQgfshQV1LKJAqWcyoYomG29y7zSp7THZ9lwA4+FVpBNXV1HLQru4CMs3N1pq8g1ww6KxtGZ92pUo+JxtRdT9GxzqJenCp2qzSo5d2ws5fFvvjLnOtoPcqXlMTchECeA3K/emwbmIfjCH63D5STZmBz7+dNbx5PY20=,iv:Wcv6PNwroQawHkjJpspN5mM0b+PZG5BQTP9jOKH0OTQ=,tag:N/d/O/zbVkkH8kZdlkZErQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/nixcfgs/users/js0ny/programs/sops.nix b/nixcfgs/users/js0ny/programs/sops.nix
new file mode 100644
index 0000000..eb982fb
--- /dev/null
+++ b/nixcfgs/users/js0ny/programs/sops.nix
@@ -0,0 +1,27 @@
+{config, ...}: {
+ sops = {
+ # enable = true;
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+ age.generateKey = true;
+ secrets = {
+ "OPENROUTER_API_KEY" = {
+ key = "openrouter_api";
+ };
+ };
+ };
+
+ # home.sessionVariables = {
+ # OPENROUTER_API_KEY = config.sops.secrets."OPENROUTER_API_KEY".path;
+ # };
+
+ systemd.user.services.sops-envvar = {
+ Unit.Description = "[sops-envvar] Auto-source environment variables defined via sops-nix";
+ Service = {
+ ExecStart = pkgs.writeShellScript "start" ''
+ export OPENROUTER_API_KEY=$(cat ${config.sops.secrets."OPENROUTER_API_KEY".path})
+ '';
+ };
+ Install.WantedBy = ["default.target"];
+ };
+}
diff --git a/nixcfgs/users/js0ny/zephyrus.nix b/nixcfgs/users/js0ny/zephyrus.nix
index c745765..1e00dcc 100644
--- a/nixcfgs/users/js0ny/zephyrus.nix
+++ b/nixcfgs/users/js0ny/zephyrus.nix
@@ -1,5 +1,9 @@
 # ~/.config/nixcfgs/users/js0ny/default.nix
-{...}: {
+{
+ pkgs,
+ config,
+ ...
+}: {
 imports = [
 # General config
 ./default.nix
@@ -56,5 +60,25 @@
 ../../modules/home/dev/verilog.nix
 ];

+ home.packages = with pkgs; [
+ rose-pine-cursor
+ ];
+
+ sops = {
+ # enable = true;
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+ age.generateKey = true;
+ secrets = {
+ "OPENROUTER_API_KEY" = {
+ key = "openrouter_api";
+ };
+ };
+ };
+
+ home.sessionVariables = {
+ OPENROUTER_API_KEY = "$(cat ${config.sops.secrets."OPENROUTER_API_KEY".path})";
+ };
+
 home.stateVersion = "25.05";
 }
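Review bot: The ExecStart line calls `pkgs.writeShellScript`, but the module header binds only `{config, ...}`, so importing this file fails with an undefined variable `pkgs`; the header should read `{config, pkgs, ...}: {`. Even with that fixed, the sops-envvar service cannot do what its Unit.Description promises: `export` inside the ExecStart script sets the variable only in that short-lived process, and nothing imports it into the user's login session or the systemd user environment, so reading the secret there has no lasting effect. Nothing in this commit imports programs/sops.nix, and zephyrus.nix in the same patch repeats the whole `sops = { … }` block and sets the variable through home.sessionVariables instead, so this file looks like a leftover; either drop it, or make it the single place that defines the sops options and import it from zephyrus.nix so the two copies cannot drift.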
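Review bot: `age.generateKey = true` next to `age.keyFile` is risky now that the recipient list is fixed in secrets.yaml: on a machine where `~/.config/sops/age/keys.txt` is missing, a brand-new key is generated that is not one of the recipients, so `openrouter_api` cannot be decrypted and the problem only shows up at activation; unless first-time bootstrap is the goal, set `age.generateKey = false;` or add a comment saying the existing `*user_js0ny` key must be placed at that path by hand before switching. The `"$(cat …)"` value in home.sessionVariables is expanded by whichever shell sources hm-session-vars.sh, so it serves shell-started programs only and leaves the API key in the environment of every child process; if I read the home-manager module right, the decrypted file also exists only after the sops-nix user service has run, and a comment stating both limitations would help the next reader. The commented-out `# enable = true;` is dead configuration and can go. The `home.stateVersion` line and closing brace that follow are unchanged context.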