From 374f2f364a3a5de5438dd310f6cb50490eae6f1e Mon Sep 17 00:00:00 2001 From: sefidel Date: Mon, 6 Feb 2023 18:16:38 +0900 Subject: feat: use sops for secret management --- nixos/alpha/configuration.nix | 8 ++++++-- nixos/alpha/secrets/secrets.yaml | 44 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 nixos/alpha/secrets/secrets.yaml (limited to 'nixos/alpha') diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix index 67f56a2..d9dd00d 100644 --- a/nixos/alpha/configuration.nix +++ b/nixos/alpha/configuration.nix @@ -236,16 +236,20 @@ ]; }; + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.secrets.root-password.neededForUsers = true; + sops.secrets.zach-password.neededForUsers = true; + users.mutableUsers = false; fileSystems."/persist".neededForBoot = true; users.users = { - root.passwordFile = "/persist/passwords/root"; + root.passwordFile = config.sops.secrets.root-password.path; zach = { isNormalUser = true; shell = pkgs.zsh; - passwordFile = "/persist/passwords/zach"; + passwordFile = config.sops.secrets.zach-password.path; extraGroups = [ "wheel" diff --git a/nixos/alpha/secrets/secrets.yaml b/nixos/alpha/secrets/secrets.yaml new file mode 100644 index 0000000..185220f --- /dev/null +++ b/nixos/alpha/secrets/secrets.yaml @@ -0,0 +1,44 @@ +root-password: ENC[AES256_GCM,data:KVPWUhy2dqSz8djBQRogBYUxZXmnJ1m7w+d6osLQXiVyrMf/ZKdJIn3jWUNkTTFRIdiHeZT4WZbffHtZO1GhjQG4jeRIfS6oBmPzhFJKG8d3R2JwbL4gCXQT9mvmX4cgPIs7BJxCo3GnWg==,iv:D9uva5kvuiPtYWGDcStbD+f+K2+xpE3Ogdq4idCnUsQ=,tag:OcwGkm541OPSHMEqU4odgw==,type:str] +zach-password: ENC[AES256_GCM,data:hjCi2Pu0KtmaJ+RVU1SyLHKMgG/WP/AcTBYce+IV/ftfA9e7z294yZ6EizvtwwTDqJbI0ADSekdiomYIP5u6g1gz9pvexDEw3KR3nhVSQSKnhOwZ6wBm9ycNhRJhPmCM27uh6dM/SPuIgg==,iv:qJuPimIzJP053V1GnUTe5GKC8s/sFfQ7Wr3Wb0meGGM=,tag:SR4jecEt2P6u+PzqEl2ZNQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-02-05T11:33:33Z" + mac: ENC[AES256_GCM,data:bgEgm7Wu53ttYIygSCMZP9F2FMcqjc941cmERolnwFQhbjYMh5viRIsBm5t+bRDRRgIpOZsrieCGzRHll4Ub3718geLx8mkEOA57bRSgl4BBVx2qg7HHhK9yHMhO1VsazVQg/W5QW+m0EGtc/skfnM9rprywbPIGiPQW0RuP0LY=,iv:s8zHX5z9iGzijvn4fb5vZRuyDMsdZKWYRMZ3z/I1c4s=,tag:3WwXUfhmg5rsBxtq/PbOvQ==,type:str] + pgp: + - created_at: "2023-02-05T09:49:30Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4Dr9flwPWa1q8SAQdA+fosTjcmurKUcSFNK/FF5LNqpajbdcBxjm/ZBKMOLFEw + ITClO3QJMtQjG8knzV5Pk8EekGFWYcdhQETvuVHZpEpaPmZDcYUsFa/N/7S7dtUl + 0l4BFfTjxrZTNqO43pnhS+TYOIMuutNKfknE7kaFCw5TpLHkpf+QZz4Ted0B4Wbh + JMaiaMGmCGi2z1AjLpHTiRPFd3kkoljhm4geITMqL0AlmumrxosGWkdqejXtIbBr + =mxAB + -----END PGP MESSAGE----- + fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2 + - created_at: "2023-02-05T09:49:30Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAwdMqFVkGlt/AQ/9Gh0eEPgRGO/n3fihcpy7Ec5n1BTZ6IYcIFayFrLoqztP + LzRNwT5gt3T/D7rRCwgYEULXWGC1+9JLoLw6QgjiK4ArO8Wkb+7V2FEHF+jdpqth + +XrwGEozwsmOi0Oh1BBUIF5mpPjrQjf3SyF9Rr6hhauhg0WWMAeuDu1uP9xMaZet + lZVv73G3WvHwphRzaSoA70yby+o5EzT1DuOSjH5/6X6GP0U5LmnsZx1o7HHJ9tN6 + 9uD5TnUVzE7Ib0Bh/+3Hxb1csWI7HW9nH5A687foX5zuPklvFjtkaR3fH2gzo7l3 + pL+PXhlpO7BPoNHKghAUhKNrk1TUHZZUyqplVPcLTXt14wK5sWWMvn7h4OMqt7h/ + rGXNhEzNR66urJBCykBJ+3bdD7t324M+KWK5gcwbJgN9VVs1UVGYNcbqwGP94eNs + A3vUUBrMRbSXHi2FMRMQTPCO3CH5X+xpTn3yYSZLDvPrLRpLKffGph/usEwmnXub + TYXNMRa+Kt8zjLIF9R+eemjSYQ5Z+jg5GDUGmMw8xEk8nY9TsqOxKQ1keh1BIScF + 7xY9rzDI2CDmSH88Gs+cifAW3MwOLGjPSmzuNpMqm6JPrOPNWtVIMe5cd5dNNbcu + 2Qgvxr3KtXzO/fX/DjbdOWSpS6yWpKnoTwkM6ATuAS6OodTvenqj8GO5yiXRDO7S + WAFf9iqF0/ajPpbjeRS17NA/eC5CmRJ7aw66TbD4mndGUusTqVNvL98OtadLmSuF + T1UkSAJeyGSb2THMLLFcTvpYu1q83l+mBbMDaIkLd/VO2dQG/AfwKuE= + =QIC+ + -----END PGP MESSAGE----- + fp: c62b0336ff6e444e5f2041e8074ca855641a5b7f + unencrypted_suffix: _unencrypted + version: 3.7.3 -- cgit 1.4.1