home-manager: start using homeage, sops
the workflow is as follows: * age is used to manually encrypt e.g the sops keys file so it can securely be stored in git * homeage decrypts the file and symlinks it where sops expects it to be present. decrypted, which it will be, but it will in fact be residing in $XDG_RUNTIME_DIR (which *should* be tmpfs) and only be symlinked to $HOME/... * sops can from then on be used to manage arbitrary secrets as usual
This commit is contained in:
parent
229ebf6478
commit
62518f7ad7
3
.gitattributes
vendored
3
.gitattributes
vendored
@ -1 +1,2 @@
|
||||
*.service linguist-language=systemd
|
||||
*.service linguist-language=systemd
|
||||
/secrets/*.enc.yaml diff=sopsdiffer
|
||||
|
5
.sops.yaml
Normal file
5
.sops.yaml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
creation_rules:
|
||||
- path_regex: ./*.*
|
||||
age: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
|
||||
...
|
21
flake.lock
21
flake.lock
@ -21,6 +21,26 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"homeage": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1662769985,
|
||||
"narHash": "sha256-zGk10O4osXxf1n9RafSMpPBsEibAGzx4OL4MLmlodB4=",
|
||||
"owner": "jordanisaacs",
|
||||
"repo": "homeage",
|
||||
"rev": "dd98c460175a0781ad0b51f4392de97c5454a5c4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "jordanisaacs",
|
||||
"repo": "homeage",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1661541451,
|
||||
@ -40,6 +60,7 @@
|
||||
"root": {
|
||||
"inputs": {
|
||||
"home-manager": "home-manager",
|
||||
"homeage": "homeage",
|
||||
"nixpkgs": "nixpkgs"
|
||||
}
|
||||
},
|
||||
|
10
flake.nix
10
flake.nix
@ -8,11 +8,16 @@
|
||||
url = "github:nix-community/home-manager";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
homeage = {
|
||||
url = "github:jordanisaacs/homeage";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = {
|
||||
nixpkgs,
|
||||
home-manager,
|
||||
homeage,
|
||||
...
|
||||
}: let
|
||||
system = "x86_64-linux";
|
||||
@ -27,7 +32,10 @@
|
||||
|
||||
# Specify your home configuration modules here, for example,
|
||||
# the path to your home.nix.
|
||||
modules = [./home.nix];
|
||||
modules = [
|
||||
./home.nix
|
||||
homeage.homeManagerModules.homeage
|
||||
];
|
||||
|
||||
# Optionally use extraSpecialArgs
|
||||
# to pass through arguments to home.nix
|
||||
|
18
home.nix
18
home.nix
@ -1,6 +1,7 @@
|
||||
{
|
||||
lib,
|
||||
pkgs,
|
||||
homeage,
|
||||
...
|
||||
}: {
|
||||
home.username = "$USER";
|
||||
@ -13,6 +14,23 @@
|
||||
'';
|
||||
};
|
||||
|
||||
homeage = {
|
||||
# Absolute path to identity (created not through home-manager)
|
||||
identityPaths = [
|
||||
"~/.ssh/theEd"
|
||||
];
|
||||
|
||||
# "activation" if system doesn't support systemd
|
||||
installationType = "activation";
|
||||
|
||||
file."sops-age-keys.txt" = {
|
||||
# Path to encrypted file tracked by the git repository
|
||||
source = ./secrets/sops-keys.age;
|
||||
# can be "copies" or "symlink"
|
||||
symlinks = [".config/sops/age/keys.txt"];
|
||||
};
|
||||
};
|
||||
|
||||
# build a configuration and switch:
|
||||
# ➜ home-manager switch --no-out-link -b backup --flake~/utils/dotfiles#$USER
|
||||
|
||||
|
11
secrets/sops-keys.age
Normal file
11
secrets/sops-keys.age
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDZUei9UUSBhVkh3
|
||||
MDdndnRDbjlnS2FKZDFhZFovak9CSWM1aGsxNGxJbHV4SnNLOUJJCkhWTHV6SEp4
|
||||
UFJBS3IyUmxtRjNtdlJ0Q3k5cWEyNlJBajRURHZLU2VaN2sKLS0tIEtZTFR6SlhZ
|
||||
NzdaKzdudVVHMGNLT29oVzJUbHFkOXVJODVnSXZoTFJIbTgKFwKG+3yR6NSpF0Dn
|
||||
bvPThslM+M3nFABgQn1Gs74N8UFTMa+q5Bz2xaWbiczeQ2Ql0b4KwX1hrwWEXCVT
|
||||
qwSY2o4XQC3LbVYk9Omxl22gUGshtcyqbJHN7MF9k4S7uzuHt78Rm7/BnAzW7LjX
|
||||
oPsLshVEGEBVUVQIvC8EfHSRMHdC84EEOL/IfqHbAvkHPkSPj7YnGMdqLBluDzYI
|
||||
t77SqXiP9VA+h1n50SAUg6CU0wZCqIOt5ZcjDxzHGFZC1+Kt2JQv9lGzBqLez/JN
|
||||
yjmQbxc7msnqrkYD6mlZmdU=
|
||||
-----END AGE ENCRYPTED FILE-----
|
20
secrets/sops-secrets.enc.yaml
Normal file
20
secrets/sops-secrets.enc.yaml
Normal file
@ -0,0 +1,20 @@
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORW1QaS91aGpTT1RINTJS
|
||||
ZGMvQVU1OXc4dERoMWcwOXJaVWlFSDlKQ0NrClFCZVpUOCs5RVZhRVBkdDNTdVJX
|
||||
bHlUNWw1dHNVRFlRQ0tuSnRqQ3hjWGcKLS0tIE4vWDlyK2NkZkpqVHV5aVBpWWxz
|
||||
ekw2d2FVS3dxUmpzV3pXOWZTaENwR0UKH93OIxoc09BGqfJWxYvfZFXrNrQbv65H
|
||||
K1IEVR31Qno9YQuwnrKJ6SR5MlvJ6A8FeGmqgoyWj4pLRU35a1XQCg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-09-10T14:25:34Z"
|
||||
mac: ENC[AES256_GCM,data:YIuDT6kePJUOVADzIFsGKDKLcXPmDehtg1sH7ve7/3ko51N94Q7WyiXakcMliSMKQvfziWSpjQm7EsRJAZxDWd9ecweNHIgFxJdrAWHKbptxtFa2WedjP/R1Xau5NE53E3B1Hicq8wh6tgQjubUpR+IPzpnjUETxAcLuKRjmS0o=,iv:AWSCTld6BboQUgf2XZdB2wxiSlbT8JtYATw702Q2YeM=,tag:R8nEF5fBMy07v74V6H8TJQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
Loading…
Reference in New Issue
Block a user