Madmin
/
nixos-config-priv
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixos-config-priv/systems/common/core/sops.nix

73 lines
3.0 KiB
Nix
Raw Blame History

# hosts level sops. see home/[user]/common/optional/sops.nix for home/user level
{ pkgs, inputs, config, configVars, ... }:
let
secretsDirectory = builtins.toString inputs.nix-secrets;
# FIXME: Switch to a configLib function
homeDirectory =
if pkgs.stdenv.isLinux
then "/home/${configVars.username}"
else "/Users/${configVars.username}";
in
{
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = "${secretsDirectory}/secrets.yaml";
validateSopsFiles = false;
age = {
# automatically import host SSH keys as age keys
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# this will use an age key that is expected to already be in the filesystem
keyFile = "/var/lib/sops-nix/key.txt";
# generate a new key if the key specified above does not exist
generateKey = true;
};
# secrets will be output to /run/secrets
# e.g. /run/secrets/msmtp-password
# secrets required for user creation are handled in respective ./users/<username>.nix files
# because they will be output to /run/secrets-for-users and only when the user is assigned to a host.
secrets = {
# For home-manager a separate age key is used to decrypt secrets and must be placed onto the host. This is because
# the user doesn't have read permission for the ssh service private key. However, we can bootstrap the age key from
# the secrets decrypted by the host key, which allows home-manager secrets to work without manually copying over
# the age key.
"age_keys/${config.networking.hostName}" = {
owner = config.users.users.${configVars.username}.name;
inherit (config.users.users.${configVars.username}) group;
# We need to ensure the entire directory structure is that of the user...
path = "${homeDirectory}/.config/sops/age/keys.txt";
};
# ta-password to /run/secrets-for-users/ so it can be used to create the user
"${configVars.username}/password".neededForUsers = true;
#FIXME move to mstmp.nix and also have host and address being assigned to configVars as per fidgetingbits
msmtp-host = { };
msmtp-address = { };
msmtp-password = { };
# extract to default pam-u2f authfile location for passwordless sudo. see ../optional/yubikey
"yubico/u2f_keys" = {
path = "/home/${configVars.username}/.config/Yubico/u2f_keys";
};
};
};
# The containing folders are created as root and if this is the first ~/.config/ entry,
# the ownership is busted and home-manager can't target because it can't write into .config...
# FIXME: We might not need this depending on how https://github.com/Mic92/sops-nix/issues/381 is fixed
system.activationScripts.sopsSetAgeKeyOwnwership = let
ageFolder = "${homeDirectory}/.config/sops/age";
user = config.users.users.${configVars.username}.name;
group = config.users.users.${configVars.username}.group;
in ''
mkdir -p ${ageFolder} || true
chown -R ${user}:${group} ${homeDirectory}/.config
'';
}
Reference in New Issue View Git Blame Copy Permalink