Reorganise sops.

This commit is contained in:
2026-02-10 18:18:12 +01:00
parent 73de596c29
commit 961e9c475e
4 changed files with 78 additions and 68 deletions


@@ -5,6 +5,7 @@
imports = [ imports = [
./grub.nix ./grub.nix
./packages.nix ./packages.nix
./sops.nix
./ssh.nix ./ssh.nix
./system.nix ./system.nix
./tty.nix ./tty.nix

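--- /dev/null
+++ b/modules/core/sops.nix
@@ -0,0 +1,19 @@
+{
+inputs,
+...
+}:
+let
+secretsPath = builtins.toString inputs.mysecrets;
+in
+{
+sops = {
+defaultSopsFile = "${secretsPath}/secrets.yaml";
+age = {
+sshKeyPaths = [
+"/etc/ssh/ssh_host_ed25519_key"
+];
+keyFile = "/var/lib/sops-nix/key.txt";
+generateKey = true;
+};
+};
+}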
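Review bot: The new module configures two age decryption identities — the host's `ssh_host_ed25519_key` via `sshKeyPaths` and a key file at `/var/lib/sops-nix/key.txt` with `generateKey = true` — without recording which one `secrets.yaml` is actually encrypted to. As far as I recall sops-nix's semantics, `generateKey` creates a fresh age key on activation when the file is absent, and that key decrypts nothing until its public half is added as a recipient in the secrets repo; if the host key is the intended recipient, the generated key is an extra private key on disk that serves no purpose. Suggest a comment above `age = {` naming the intended recipient, e.g. `# Decryption identity: the host ed25519 SSH key (converted to age); key.txt is a fallback only — keep secrets.yaml recipients in sync`, and dropping `keyFile`/`generateKey` if the host key is the only recipient. Since `/var/lib` does not survive a reinstall, the same comment is a good place to note that a reinstalled host needs its new key added and the secrets rekeyed.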


@@ -5,6 +5,11 @@
... ...
}: }:
{ {
sops.secrets = {
"users_password/beastie" = {
neededForUsers = true;
};
};
users = { users = {
users = { users = {
${username} = { ${username} = {
@@ -18,7 +23,7 @@
"video" "video"
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
config.sops.secrets."ssh_keys/beastie_priv".path "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKMJ3TkEmRQcX7RQijNa2km6a2xXJk6M6FERh7C9nTJ"
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
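Review bot: In the second hunk, the `openssh.authorizedKeys.keys` entry for `${username}` switches between `config.sops.secrets."ssh_keys/beastie_priv".path` and a literal `ssh-ed25519 …` string, and only the literal form is valid there: `.path` evaluates to the filesystem location of the decrypted private key, which hands sshd an unparseable authorized_keys line and references private-key material where a public key belongs. The side-by-side rendering carries no +/- markers, so I cannot tell which column is current; if the `.path` form is what survives, replace it with the public key string already shown on this page (public keys are not secret and can live in the repo). Separately, the `sops.secrets."users_password/beastie" = { neededForUsers = true; }` block added in the first hunk is also declared in the reorganised secrets module of this same commit; the module system merges equal definitions, but keeping `neededForUsers` in one place avoids the two drifting apart later. The enclosing `users.users.${username}` attrset begins before the second hunk's context lines.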


@@ -1,76 +1,61 @@
{ {
inputs,
username, username,
... ...
}: }:
let
secretsPath = builtins.toString inputs.mysecrets;
in
{ {
sops = { sops.secrets = {
defaultSopsFile = "${secretsPath}/secrets.yaml"; "users_password/beastie" = {
age = { neededForUsers = true;
sshKeyPaths = [
"/etc/ssh/ssh_host_ed25519_key"
];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
}; };
"ssh_keys/default_pub" = {
secrets = { owner = "${username}";
"users_password/beastie" = { mode = "0644";
neededForUsers = true; path = "/home/${username}/.ssh/id_ed25519.pub";
}; };
"ssh_keys/default_pub" = { "ssh_keys/default_priv" = {
owner = "${username}"; owner = "${username}";
mode = "0644"; mode = "0600";
path = "/home/${username}/.ssh/id_ed25519.pub"; path = "/home/${username}/.ssh/id_ed25519";
}; };
"ssh_keys/default_priv" = { "ssh_keys/ansible_pub" = {
owner = "${username}"; owner = "${username}";
mode = "0600"; mode = "0644";
path = "/home/${username}/.ssh/id_ed25519"; path = "/home/${username}/.ssh/id_ed25519_ansible.pub";
}; };
"ssh_keys/ansible_pub" = { "ssh_keys/ansible_priv" = {
owner = "${username}"; owner = "${username}";
mode = "0644"; mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_ansible.pub"; path = "/home/${username}/.ssh/id_ed25519_ansible";
}; };
"ssh_keys/ansible_priv" = { "ssh_keys/beastie_pub" = {
owner = "${username}"; owner = "${username}";
mode = "0600"; mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_ansible"; path = "/home/${username}/.ssh/id_ed25519_beastie.pub";
}; };
"ssh_keys/beastie_pub" = { "ssh_keys/beastie_priv" = {
owner = "${username}"; owner = "${username}";
mode = "0644"; mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_beastie.pub"; path = "/home/${username}/.ssh/id_ed25519_beastie";
}; };
"ssh_keys/beastie_priv" = { "ssh_keys/gitea_semaphore_pub" = {
owner = "${username}"; owner = "${username}";
mode = "0600"; mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_beastie"; path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore.pub";
}; };
"ssh_keys/gitea_semaphore_pub" = { "ssh_keys/gitea_semaphore_priv" = {
owner = "${username}"; owner = "${username}";
mode = "0644"; mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore.pub"; path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore";
}; };
"ssh_keys/gitea_semaphore_priv" = { "ssh_keys/wol_pub" = {
owner = "${username}"; owner = "${username}";
mode = "0600"; mode = "0644";
path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore"; path = "/home/${username}/.ssh/id_ed25519_wol";
}; };
"ssh_keys/wol_pub" = { "ssh_keys/wol_priv" = {
owner = "${username}"; owner = "${username}";
mode = "0644"; mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_wol"; path = "/home/${username}/.ssh/id_ed25519_wol.priv";
};
"ssh_keys/wol_priv" = {
owner = "${username}";
mode = "0600";
path = "/home/${username}/.ssh/id_ed25519_wol.priv";
};
}; };
}; };
} }
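Review bot: On the new side, `"ssh_keys/wol_pub"` is written to `/home/${username}/.ssh/id_ed25519_wol` with mode `0644` while `"ssh_keys/wol_priv"` goes to `id_ed25519_wol.priv`, which is the reverse of every other pair in this attrset, where the private key takes the bare `id_ed25519_<name>` path and the public key the `.pub` suffix. If an `IdentityFile` ever points at `id_ed25519_wol`, ssh will find public-key material there, and nothing in ssh treats a `.priv` suffix specially, so the real private key would go unused; the mismatch is carried over from the old side rather than introduced here, but this reorganisation is the natural place to fix it. Unless another consumer depends on these names, change the two paths to `path = "/home/${username}/.ssh/id_ed25519_wol.pub";` for `wol_pub` and `path = "/home/${username}/.ssh/id_ed25519_wol";` for `wol_priv`. As a point of style, `owner = "${username}";` wraps a plain string in an interpolation and can simply be `owner = username;` throughout the block.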