authorsefidel <contact@sefidel.net>2023-02-06 18:16:38 +0900
committersefidel <contact@sefidel.net>2023-02-06 18:26:16 +0900
commit374f2f364a3a5de5438dd310f6cb50490eae6f1e (patch)
treec4a2f0dd33b61285606d894cc61353331c71f009 /nixos/alpha
parent9d2566b5958943643d138186ebc57def41f68e51 (diff)
feat: use sops for secret management
Diffstat (limited to 'nixos/alpha')
-rw-r--r--nixos/alpha/configuration.nix8
-rw-r--r--nixos/alpha/secrets/secrets.yaml44
2 files changed, 50 insertions, 2 deletions
diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix
index 67f56a2..d9dd00d 100644
--- a/nixos/alpha/configuration.nix
+++ b/nixos/alpha/configuration.nix
@@ -236,16 +236,20 @@
     ];
   };
 
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.secrets.root-password.neededForUsers = true;
+  sops.secrets.zach-password.neededForUsers = true;
+
   users.mutableUsers = false;
 
   fileSystems."/persist".neededForBoot = true;
 
   users.users = {
-    root.passwordFile = "/persist/passwords/root";
+    root.passwordFile = config.sops.secrets.root-password.path;
     zach = {
       isNormalUser = true;
       shell = pkgs.zsh;
-      passwordFile = "/persist/passwords/zach";
+      passwordFile = config.sops.secrets.zach-password.path;
 
       extraGroups = [
         "wheel"
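Review bot: Nothing in this hunk tells sops-nix which host key decrypts `./secrets/secrets.yaml` (no `sops.age.keyFile`, `sops.age.sshKeyPaths` or `sops.gnupg.*` option is set), and the file added in the second hunk lists only two PGP recipients with `age: []`, so unless the key source is configured elsewhere in the module the two `neededForUsers` secrets cannot be decrypted at activation — and with `users.mutableUsers = false` that leaves root and zach without usable passwords. The old `/persist/passwords/root` and `/persist/passwords/zach` files are no longer read but are not removed by this change; they still hold the password hashes and should be deleted from persisted state once the sops path is confirmed working. A short comment above line 27 would help the next reader, e.g. `# host decryption key: see <module where sops.age/sops.gnupg is set> — TODO confirm`. The enclosing attribute set starts and ends outside the hunk.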
diff --git a/nixos/alpha/secrets/secrets.yaml b/nixos/alpha/secrets/secrets.yaml
new file mode 100644
index 0000000..185220f
--- /dev/null
+++ b/nixos/alpha/secrets/secrets.yaml
@@ -0,0 +1,44 @@
+root-password: ENC[AES256_GCM,data:KVPWUhy2dqSz8djBQRogBYUxZXmnJ1m7w+d6osLQXiVyrMf/ZKdJIn3jWUNkTTFRIdiHeZT4WZbffHtZO1GhjQG4jeRIfS6oBmPzhFJKG8d3R2JwbL4gCXQT9mvmX4cgPIs7BJxCo3GnWg==,iv:D9uva5kvuiPtYWGDcStbD+f+K2+xpE3Ogdq4idCnUsQ=,tag:OcwGkm541OPSHMEqU4odgw==,type:str]
+zach-password: ENC[AES256_GCM,data:hjCi2Pu0KtmaJ+RVU1SyLHKMgG/WP/AcTBYce+IV/ftfA9e7z294yZ6EizvtwwTDqJbI0ADSekdiomYIP5u6g1gz9pvexDEw3KR3nhVSQSKnhOwZ6wBm9ycNhRJhPmCM27uh6dM/SPuIgg==,iv:qJuPimIzJP053V1GnUTe5GKC8s/sFfQ7Wr3Wb0meGGM=,tag:SR4jecEt2P6u+PzqEl2ZNQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-05T11:33:33Z"
+    mac: ENC[AES256_GCM,data:bgEgm7Wu53ttYIygSCMZP9F2FMcqjc941cmERolnwFQhbjYMh5viRIsBm5t+bRDRRgIpOZsrieCGzRHll4Ub3718geLx8mkEOA57bRSgl4BBVx2qg7HHhK9yHMhO1VsazVQg/W5QW+m0EGtc/skfnM9rprywbPIGiPQW0RuP0LY=,iv:s8zHX5z9iGzijvn4fb5vZRuyDMsdZKWYRMZ3z/I1c4s=,tag:3WwXUfhmg5rsBxtq/PbOvQ==,type:str]
+    pgp:
+        - created_at: "2023-02-05T09:49:30Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dr9flwPWa1q8SAQdA+fosTjcmurKUcSFNK/FF5LNqpajbdcBxjm/ZBKMOLFEw
+            ITClO3QJMtQjG8knzV5Pk8EekGFWYcdhQETvuVHZpEpaPmZDcYUsFa/N/7S7dtUl
+            0l4BFfTjxrZTNqO43pnhS+TYOIMuutNKfknE7kaFCw5TpLHkpf+QZz4Ted0B4Wbh
+            JMaiaMGmCGi2z1AjLpHTiRPFd3kkoljhm4geITMqL0AlmumrxosGWkdqejXtIbBr
+            =mxAB
+            -----END PGP MESSAGE-----
+          fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+        - created_at: "2023-02-05T09:49:30Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwdMqFVkGlt/AQ/9Gh0eEPgRGO/n3fihcpy7Ec5n1BTZ6IYcIFayFrLoqztP
+            LzRNwT5gt3T/D7rRCwgYEULXWGC1+9JLoLw6QgjiK4ArO8Wkb+7V2FEHF+jdpqth
+            +XrwGEozwsmOi0Oh1BBUIF5mpPjrQjf3SyF9Rr6hhauhg0WWMAeuDu1uP9xMaZet
+            lZVv73G3WvHwphRzaSoA70yby+o5EzT1DuOSjH5/6X6GP0U5LmnsZx1o7HHJ9tN6
+            9uD5TnUVzE7Ib0Bh/+3Hxb1csWI7HW9nH5A687foX5zuPklvFjtkaR3fH2gzo7l3
+            pL+PXhlpO7BPoNHKghAUhKNrk1TUHZZUyqplVPcLTXt14wK5sWWMvn7h4OMqt7h/
+            rGXNhEzNR66urJBCykBJ+3bdD7t324M+KWK5gcwbJgN9VVs1UVGYNcbqwGP94eNs
+            A3vUUBrMRbSXHi2FMRMQTPCO3CH5X+xpTn3yYSZLDvPrLRpLKffGph/usEwmnXub
+            TYXNMRa+Kt8zjLIF9R+eemjSYQ5Z+jg5GDUGmMw8xEk8nY9TsqOxKQ1keh1BIScF
+            7xY9rzDI2CDmSH88Gs+cifAW3MwOLGjPSmzuNpMqm6JPrOPNWtVIMe5cd5dNNbcu
+            2Qgvxr3KtXzO/fX/DjbdOWSpS6yWpKnoTwkM6ATuAS6OodTvenqj8GO5yiXRDO7S
+            WAFf9iqF0/ajPpbjeRS17NA/eC5CmRJ7aw66TbD4mndGUusTqVNvL98OtadLmSuF
+            T1UkSAJeyGSb2THMLLFcTvpYu1q83l+mBbMDaIkLd/VO2dQG/AfwKuE=
+            =QIC+
+            -----END PGP MESSAGE-----
+          fp: c62b0336ff6e444e5f2041e8074ca855641a5b7f
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3