146 current 2024-05-26 02:50:51 24.05.20240419.5c24cf2 6.8.6-zen1 *

.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &desktop age1xsuyaeehzv4ar4f6xpc6tfp9pttzjf7qdyl3x2tj42vjc8szlqpq834e3d
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - age:
+        - *desktop

boxes/desktop/configuration.nix

@@ -2,7 +2,6 @@
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
-# { config, lib, pkgs, inputs, ... }:
 { config, lib, pkgs, inputs, ... }:
 
 {
@@ -10,8 +9,32 @@
     [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
+      inputs.sops-nix.nixosModules.sops
     ];
-
+  sops.defaultSopsFile = ../../secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "/home/meyer/.config/sops/age/keys.txt";
+  sops.secrets.password.neededForUsers = true;
+  users.users.meyer = {
+    isNormalUser = true;
+    hashedPasswordFile = config.sops.secrets.password.path;
+    extraGroups = [
+      "wheel" # Enable ‘sudo’ for the user.
+      "audio"
+      "sound"
+      "video"
+      "networkmanager"
+      "input"
+      "tty"
+    ];
+    shell = pkgs.zsh;
+  };
+  home-manager = {
+    extraSpecialArgs = { inherit inputs; };
+    users = {
+      "meyer" = import ./home.nix;
+    };
+  };
   # Use the systemd-boot EFI boot loader.
   boot.loader.grub.device = "nodev";
   boot.kernelPackages = pkgs.linuxPackages_zen;
@@ -71,19 +94,6 @@
   # services.xserver.libinput.enable = true;
 
   # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.meyer = {
-    isNormalUser = true;
-    extraGroups = [
-      "wheel" # Enable ‘sudo’ for the user.
-      "audio"
-      "sound"
-      "video"
-      "networkmanager"
-      "input"
-      "tty"
-    ];
-    shell = pkgs.zsh;
-  };
 
 
 
@@ -96,12 +106,6 @@
 
 
 
-  home-manager = {
-    extraSpecialArgs = { inherit inputs; };
-    users = {
-      "meyer" = import ./home.nix;
-    };
-  };
   # networking.nameservers = ["10.0.0.97" "1.1.1.1"];
   networking.nameservers = [ "10.0.0.97" ];
   # List packages installed in system profile. To search, run:

flake.lock

@@ -36,10 +36,62 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1716702362,
+        "narHash": "sha256-1iExBg0gqYHqSEwALu4LYPOKlJMbUUbsfhsGZf2mi0M=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8ed72179617b1b4dbd15134371daf4e9c4c039ee",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1716651315,
+        "narHash": "sha256-iMgzIeedMqf30TXZ439zW3Yvng1Xm9QTGO+ZwG1IWSw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c5187508b11177ef4278edf19616f44f21cc8c69",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1716692524,
+        "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "962797a8d7f15ed7033031731d0bb77244839960",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -4,6 +4,9 @@
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+    };
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";

secrets.yaml

@@ -0,0 +1,21 @@
+password: ENC[AES256_GCM,data:4/T7FbEmbBwWD7HpnCJVdzvKHQHyTgOY+rPXlnhPJRIYzsFkHpWGxVuzFKa6JkMqUWDTbdtMp4tpZAtP3mlRprdXOoO6v+Nv6A==,iv:Etm9J/FefdWrG2tNe3PIWqLfF3JHD5TY13eNMhOmORs=,tag:rqHXqIVjFmxyI5bVxezgAA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1xsuyaeehzv4ar4f6xpc6tfp9pttzjf7qdyl3x2tj42vjc8szlqpq834e3d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXQURMRnRWdDRrbllyOTM4
+            UkZtaXBtOFJFamVXb3IvVjI0d1BZd0J5VUFNCm1DczB0Y2lLMlVCaFlYcXZqSjdT
+            dUFLNElvU0NzS0UyRmNTWnAvcXIyR3cKLS0tIFlIcGgrMHAzTHdTTTVPREhIQ01h
+            bGd1cFJvRXA0bzRJK1FDRHB1Si90TjQKVBjOBvTQcCzUdgJxH8QwqOZjUDSKULqX
+            cjj0aw9I0X94VnZVqFghwlyJGFMYt2p1GP0n5XF3sTkbPhHce8mM2g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-26T05:51:21Z"
+    mac: ENC[AES256_GCM,data:udNen7qCF1RLdjXbBgIInDf7Fh442UajcXEZk0QxjRKbk31p4xV9MdrEGIuBDalva1lGp/BjRSCxnq5Oq9tYAvvNQ077dpatIxgCmaZGHchcPZQfmnCfIeTLxJBP3XXaity+vsQOYRYKEpXagUc1juBfkloHmgiiZJwQqx/UBtk=,iv:K7NH07nvWD+aPr4EUbykVU7G0vuvB3H9mOtsyzArf4c=,tag:A9aXi7R5rvZnL5JgdSCnbA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1