[water7] feat: Add sops + age secret handling, still wip
I'm kinda lost, but we'll get there lol soon forgejo secrets will be fixed! Signed-off-by: SindreKjelsrud <sindre@kjelsrud.dev>
This commit is contained in:
parent
306737d73d
commit
a3e8fe8ab8
GPG key ID:
D2BBDF3EDE6BA9A6
6 changed files with 69 additions and 3 deletions
7
.sops.yaml
Normal file
7
.sops.yaml
Normal file
|
|
@ -0,0 +1,7 @@
|
||||||
|
keys:
|
||||||
|
- &primary age1ft5dg4lna25ceg40mvvq5sa53zm7rhqdsnsxxe7qyaa34u2gsp8qkgere4
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: shared/secrets/secrets.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *primary
|
||||||
21
flake.lock
generated
21
flake.lock
generated
|
|
@ -61,9 +61,30 @@
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
|
"sops-nix": "sops-nix",
|
||||||
"zen-browser": "zen-browser"
|
"zen-browser": "zen-browser"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1760240450,
|
||||||
|
"narHash": "sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U=",
|
||||||
|
"owner": "mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "41fd1f7570c89f645ee0ada0be4e2d3c4b169549",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"zen-browser": {
|
"zen-browser": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"home-manager": "home-manager_2",
|
"home-manager": "home-manager_2",
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,11 @@
|
||||||
url = "github:0xc000022070/zen-browser-flake";
|
url = "github:0xc000022070/zen-browser-flake";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops-nix = {
|
||||||
|
url = "github:mic92/sops-nix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, ... }@inputs: {
|
outputs = { self, nixpkgs, ... }@inputs: {
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,8 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
inputs.home-manager.nixosModules.default
|
inputs.home-manager.nixosModules.default
|
||||||
|
inputs.sops-nix.nixosModules.sops
|
||||||
];
|
];
|
||||||
|
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
|
|
@ -95,7 +96,12 @@
|
||||||
home-manager = {
|
home-manager = {
|
||||||
extraSpecialArgs = { inherit inputs; };
|
extraSpecialArgs = { inherit inputs; };
|
||||||
users = {
|
users = {
|
||||||
"sid" = import ./home.nix;
|
sid = {
|
||||||
|
imports = [
|
||||||
|
./home.nix
|
||||||
|
inputs.sops-nix.homeManagerModules.sops
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, inputs, ... }:
|
{ config, pkgs, inputs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
# Home Manager needs a bit of information about you and the paths it should
|
# Home Manager needs a bit of information about you and the paths it should
|
||||||
|
|
@ -22,8 +22,16 @@
|
||||||
pinentry-curses
|
pinentry-curses
|
||||||
hyprpaper
|
hyprpaper
|
||||||
inputs.zen-browser.packages."x86_64-linux".default
|
inputs.zen-browser.packages."x86_64-linux".default
|
||||||
|
sops
|
||||||
|
age
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = "../../.sops.yaml";
|
||||||
|
defaultSopsFormat = "yaml";
|
||||||
|
age.keyFile = "/home/sid/.config/sops/age/keys.txt";
|
||||||
|
};
|
||||||
|
|
||||||
# Home Manager is pretty good at managing dotfiles. The primary way to manage
|
# Home Manager is pretty good at managing dotfiles. The primary way to manage
|
||||||
# plain files is through 'home.file'.
|
# plain files is through 'home.file'.
|
||||||
home.file = {
|
home.file = {
|
||||||
|
|
|
||||||
19
shared/secrets/secrets.yaml
Normal file
19
shared/secrets/secrets.yaml
Normal file
|
|
@ -0,0 +1,19 @@
|
||||||
|
forgejo:
|
||||||
|
LFS_JWT_SECRET: ENC[AES256_GCM,data:qdYhKX+SRnpy5ur5XkBmQ9gN6dNCOw3q2dliUssWaNHP7RWATwsTcdsApQ==,iv:EazZrHXvDUM1z2UcqbH6tHmTs7+COv4CFNo04fDgAWw=,tag:ZJZn8d1yuHnB/1CHyuuTyg==,type:str]
|
||||||
|
INTERNAL_TOKEN: ENC[AES256_GCM,data:Wg+VeKKZK/EIjREIWQuWKCUB7CoL4SlPwBC3ldyul3EWu+YAzc6nouWqp1Q4eH9ib9nNztnOQ66cru8u513TMJfNA7F9BuCGf3b2MjIRwcf12aXJR7yHc15nPD0/LwJ6PXQQBAXZNnfh,iv:STOtNKSxF5LzexsYVvWUQDa/ZXkWV2CJRFD0nYr9U+g=,tag:yKfUIkKVZXWJ5zDOCseLNw==,type:str]
|
||||||
|
oauth2.JWT_SECRET: ENC[AES256_GCM,data:lypGzbbbXhXc75Gi1I6LVQIDAgsQseuvz60Um+YglkMkDMuMfpEAX1AkhQ==,iv:uMzIu0+O8f98074BP8V8tkNQKhCc+jAGPCf3ZSVuUS4=,tag:GFIIZYiKqgfZ/C+9iiVxvQ==,type:str]
|
||||||
|
sops:
|
||||||
|
age:
|
||||||
|
- recipient: age1ft5dg4lna25ceg40mvvq5sa53zm7rhqdsnsxxe7qyaa34u2gsp8qkgere4
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraGdMYXBEZGMvbGVqSkJE
|
||||||
|
aWJRRUtBN3Q1cVR3S0xHTU00akhOL0hhSlc0Clh5SVlycit2b3pPMVMzV3BPdTNM
|
||||||
|
S3lNRFVCZFZwaWwzc1QxdSthYTdsNlEKLS0tICtJem9UaXp4cFJWMWU2cmRXL2pV
|
||||||
|
Yk9ETmxVV3Ezb0ZUQXViNkNxaHk1bmcKwBkyJN6IFH59THyuhYydP7lqfki26rNX
|
||||||
|
Eb0/GmRLhx9P9EfA+eMwL5rox4nksoqktOxDB8MATASOAH3EM/+e5A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2025-10-12T07:11:43Z"
|
||||||
|
mac: ENC[AES256_GCM,data:Ox0JQ/90f5uey1+CEXBexVkTDd0PsLDqRdKZNi3OHoUJG9B3Oty5NRqsOdowlGQdGJ7Hn0gxprwO4/QQ/SS45rZFX1bNWywSxTtNuKK9HeOG5DFFaLaJTGUa2UHxjb3Owu2ScHUUOzEWxZt2h1mBpnxEKvdxajq5X8ww+hgXd7s=,iv:SMY3PANRZq33KNn8JwnBdqRFMOWwfxTz7l7ZKA/suFg=,tag:JVGqCRkUw12k7wwqc1vI8g==,type:str]
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.10.2
|
||||||
Loading…
Add table
Add a link
Reference in a new issue