diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..f2846b4 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,11 @@ +keys: + - &admin_teesh age1fdrtfvf3ywarc4sq7jjc5d6elas3fr73cfenkkyyj0ck6z9x2d0qlpn92h + - &host_taki age1crm9ztzjuhg8yeudnqnrg9ljzc88x0tr79srjtyvt5vxnevpveaq9ggk7d + - &host_krembo age16yxzdjmlcwhkx3azmczuq9lvwyzsj6xvfpklp09aya2nwl7rfatsd7jcvs +creation_rules: + - path_regex: secrets.(yaml|json|env|ini)$ + key_groups: + - age: + - *admin_teesh + - *host_taki + - *host_krembo diff --git a/flake.lock b/flake.lock index 1eb6075..59c650c 100644 --- a/flake.lock +++ b/flake.lock @@ -446,10 +446,31 @@ "niri-flake": "niri-flake", "nixpkgs": "nixpkgs_3", "noctalia": "noctalia", + "sops-nix": "sops-nix", "spicetify-nix": "spicetify-nix", "stylix": "stylix" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1769921679, + "narHash": "sha256-twBMKGQvaztZQxFxbZnkg7y/50BW9yjtCBWwdjtOZew=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "1e89149dcfc229e7e2ae24a8030f124a31e4f24f", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "spicetify-nix": { "inputs": { "nixpkgs": "nixpkgs_4", diff --git a/flake.nix b/flake.nix index 57f3aa2..ac9d3d8 100644 --- a/flake.nix +++ b/flake.nix @@ -32,6 +32,11 @@ }; spicetify-nix.url = "github:Gerg-L/spicetify-nix"; + + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs@{ flake-parts, ... }: diff --git a/modules/base/sops.nix b/modules/base/sops.nix new file mode 100644 index 0000000..c876a56 --- /dev/null +++ b/modules/base/sops.nix 
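Review bot: The single `key_groups` entry in `creation_rules` means any one of the three age recipients can decrypt the whole file, so each host key can read every secret, not only its own; that is acceptable while `secrets.yaml` holds just `irc/password`, but it deserves a comment before per-host credentials are added, since a compromised `host_taki` key would then expose `host_krembo`'s material too. A per-host file with its own rule (e.g. `path_regex: secrets/taki\.yaml$` listing `*admin_teesh` and `*host_taki` only) keeps that blast radius per host. The dot in `path_regex: secrets.(yaml|json|env|ini)$` is unescaped and matches any character; `secrets\.(yaml|json|env|ini)$` is what is intended. Note also that editing the recipient list here does nothing to already-encrypted files until `sops updatekeys secrets.yaml` re-wraps the data key.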
@@ -0,0 +1,20 @@ +{ inputs, ... }: + +{ + flake.modules.nixos.base = { pkgs, ... }: { + imports = [ + inputs.sops-nix.nixosModules.sops + ]; + + sops.defaultSopsFile = ../../secrets.yaml; + sops.age = { + keyFile = "/var/lib/sops-nix/key.txt"; + generateKey = true; + }; + + environment.systemPackages = with pkgs; [ + sops + age + ]; + }; +} diff --git a/modules/desktop/apps/halloy.nix b/modules/desktop/apps/halloy.nix index 30e579f..0a40e85 100644 --- a/modules/desktop/apps/halloy.nix +++ b/modules/desktop/apps/halloy.nix @@ -3,6 +3,10 @@ { flake.modules.nixos.desktop = { pkgs, ... }: { environment.systemPackages = [ pkgs.halloy ]; + + sops.secrets."irc/password" = { + owner = config.flake.meta.user.name; + }; }; flake.modules.homeManager.desktop = { lib, ... }: { @@ -25,7 +29,7 @@ sasl.plain = lib.mkIf (config.flake.meta.irc.server.isBouncer or false) { username = config.flake.meta.user.name; - password = config.flake.meta.irc.password; # dont commit this yet, please use sops-nix + password_file = "/run/secrets/irc/password"; }; }; diff --git a/modules/server/soju.nix b/modules/server/soju.nix index 10d2768..1651afd 100644 --- a/modules/server/soju.nix +++ b/modules/server/soju.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, ... }: { flake.modules.nixos.server = { @@ -6,5 +6,15 @@ services.soju.listen = [ "irc+insecure://0.0.0.0:6667" ]; + + # we may not use this in the configuration, however + # we still declare this for the sysadmin to then go and + # create the user using: + # + # sojuctl user create -name ${config.flake.meta.user.name} -password $(cat /run/secrets/irc/password) + # or whatever, i dont exactly remember the command + sops.secrets."irc/password" = { + owner = config.flake.meta.user.name; + }; }; } diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..bf87147 --- /dev/null +++ b/secrets.yaml 
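Review bot: `generateKey = true` under `sops.age` creates a fresh key in `/var/lib/sops-nix/key.txt` on a host that has none, but a freshly generated key is not a recipient of `secrets.yaml`, so activation on such a host cannot decrypt anything until its public key is added to `.sops.yaml` and the file re-encrypted; the bootstrap step should be documented next to the option, e.g. `# bootstrap only: 'age-keygen -y /var/lib/sops-nix/key.txt', add the pubkey to .sops.yaml, then 'sops updatekeys secrets.yaml'`. sops-nix will by default also try the host's ed25519 SSH host key (`sops.age.sshKeyPaths`); if the `host_taki`/`host_krembo` recipients were derived from those, `generateKey` is redundant and a comment should say which scheme is in use. `key.txt` is the host's only path to the secrets, so it must be kept out of any shared image or backup.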
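Review bot: Setting `owner = config.flake.meta.user.name` on `sops.secrets."irc/password"` makes the decrypted file readable by everything running in that user's session, which is unavoidable because halloy runs as the user, but nothing in the hunk says so; a one-line comment such as `# halloy runs as the user and reads this via password_file` records why the default root ownership was relaxed. The default `mode` of `0400` is appropriate here and should be left alone. The surrounding `flake.modules.nixos.desktop` attribute set starts above this hunk, so whether `config` is in scope at the file's top-level function cannot be seen from here.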
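Review bot: `password_file = "/run/secrets/irc/password"` hardcodes the sops-nix symlink location instead of deriving it from the secret's `.path`; that is understandable because the home-manager module has no access to the NixOS `config`, but it silently depends on `sops.defaultSymlinkPath` staying at its default, so a comment should note the coupling, e.g. `# must match sops.secrets."irc/password".path in the nixos desktop module (default /run/secrets)`. The `sasl.plain` block is guarded by `isBouncer`, so halloy only reads the file for the bouncer connection, which matches the single secret declared. The enclosing home-manager module starts above this hunk.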
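Review bot: The suggested `sojuctl user create ... -password $(cat /run/secrets/irc/password)` in the new comment puts the password on the command line, where it is visible to every local process via `/proc/<pid>/cmdline` while the command runs and is retained in the shell history; the comment should at least warn about this and prefer a method that does not expose it on argv (a leading space with `HISTCONTROL=ignorespace`, or a non-interactive shell). The flag is also, as far as I recall, `-username` rather than `-name`, so the placeholder should be corrected or the "I don't remember" wording replaced with a verified command. Because soju itself never reads this file and only a root-run `sojuctl` uses it, `owner = config.flake.meta.user.name` grants the user account a read it does not need on the server; dropping `owner` (root, `0400`) is the least-privilege default. Separately, the context line `irc+insecure://0.0.0.0:6667` means this password will traverse the network in cleartext unless that listener is only reachable over a tunnel, which is worth stating next to the secret.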
@@ -0,0 +1,35 @@ +irc: + password: ENC[AES256_GCM,data:2ygTfVViSUw=,iv:Gj/43g2FPStdaxhvPt/cFZYxprmw1GeCPLr1X2hu5JU=,tag:EMMYsLI7az9r3rTc+YzRwA==,type:str] +sops: + age: + - recipient: age1fdrtfvf3ywarc4sq7jjc5d6elas3fr73cfenkkyyj0ck6z9x2d0qlpn92h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTmJ3TW04SnlKQWcrUy83 + YW1NbFZOaXNQODFNUHl2UThkb3dleWZsTjBVClVOWXN1UE81dW1kZmdOTVF5bUxt + NkRidGJzbFVkeXJnV1pUUmhPZTVsQlkKLS0tIExoK2ZxMmFsQlR5UVVlbjdTa2h1 + djNyL29KcThBNGRLdFVUWndJb013bncKWHJy/o7WwCofBVDDDcCBlJEO6HN8EIO7 + 1UiSceMgS/E3dZCf5rDvMvkt98LWpFN9apzvJvVS5FHyksOFT3ZA+w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1crm9ztzjuhg8yeudnqnrg9ljzc88x0tr79srjtyvt5vxnevpveaq9ggk7d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUEJnY2M2WDcxNlIxUWZX + R3pJSFE3QnJkR2RCSzh6cHJZTVV3ZytJVDFVCjFjWjFIbU81VVVHS2JQcUNjd2sw + c3R0NEtXMmVuTEpsMDg4a2hvZkcrS3MKLS0tIHJqN0dPRTRRUnByRHZTckN5L1Bt + bWdMUjU5SHhicnU5a3lZNTdrMkh6ODgKJJeQx93EN6VbWLQWoZylt62ZLhyRxP6c + zMx8NSmbaCLO+3FrzFK7OUOZV6r9U2T6Ec6yNypstGRjD5JrATwoGg== + -----END AGE ENCRYPTED FILE----- + - recipient: age16yxzdjmlcwhkx3azmczuq9lvwyzsj6xvfpklp09aya2nwl7rfatsd7jcvs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiM2V6eFVvTHVMbFk1QXlC + T3RDWHJWbS8rcW5kTEE5elBtWnoyUExQN2tJClpJNWdWZFRtbXBmZCtVR3RNVGFx + QmpQRkZudk5WOC9CT3BjY0I4UkZnc3MKLS0tIE5GaEJrTDhTWEhMYjRDYXFWMVdX + MFp0UW1HSW9MbmppcHlNM25CaFhqOWcKppF0dE4YNh+mN1tyZju4zxM6ZFBSKx9U + cGYtUemtt4s9ko3hPt8ZM/ysKOeZgnYoeG7QQnwSoF3F+/gurvb0Bg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-02-02T14:10:01Z" + mac: ENC[AES256_GCM,data:+9LkPoOVneK1k8SionYYVbl/+4Ulxc7xeKKlRWOsERc7uGrnj1ED+yROrhhTcKJuzlNdi/1xjJPpw7Suks3+vArPH2mO1rA5yX5PihSGr8enjLTPYa7gcRD55vJ2HyEhyr1KhbeqZXr98yRZVzrQzG+Zhb4KMpn4qoWWg0glbp4=,iv:AsNYRTWOa1az3eYyPz2IFcqDX4jqtQdbCBbo8o4QXDU=,tag:ExEl0qW4Xab6hSr7jwGq7Q==,type:str] + unencrypted_suffix: _unencrypted + version: 
3.11.0