home-manager: start using homeage, sops
The workflow is as follows: * age is used to manually encrypt e.g. the sops keys file so that it can be stored securely in git. * homeage decrypts the file and symlinks it to where sops expects it to be present and decrypted — which it will be, but it will in fact reside in $XDG_RUNTIME_DIR (which *should* be tmpfs) and only be symlinked to $HOME/... * sops can from then on be used to manage arbitrary secrets as usual.
This commit is contained in:
parent
229ebf6478
commit
62518f7ad7
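--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
 *.service linguist-language=systemd
+/secrets/*.enc.yaml diff=sopsdiffer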
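Review bot: `diff=sopsdiffer` on the new line only takes effect once the clone defines the driver locally (`git config diff.sopsdiffer.textconv "sops -d"`); without that setting git silently shows the raw ciphertext diff, so the requirement should be recorded next to the attribute, e.g. `# needs: git config diff.sopsdiffer.textconv "sops -d"`. Because the driver decrypts on every diff, `diff.sopsdiffer.cachetextconv` should stay unset — enabling it would persist decrypted output in git notes under refs/notes/textconv/ inside the repository.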
5
.sops.yaml
Normal file
5
.sops.yaml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: ./*.*
|
||||||
|
age: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
|
||||||
|
...
|
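Review bot: `path_regex: ./*.*` is a regular expression, not a glob — `.` matches any character and `/*` means zero or more slashes — so this rule matches every path under the repository rather than only the encrypted files in secrets/. Anchoring it to what the .gitattributes line in this commit targets, `- path_regex: ^secrets/.*\.enc\.yaml$`, keeps a stray sops invocation elsewhere from silently picking up this recipient. The rule also lists a single age recipient; if the identity behind secrets/sops-keys.age is lost there is no other path to the plaintext, so a second recipient (an offline backup key) in the same rule is worth considering.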
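--- a/flake.lock
+++ b/flake.lock
@@ -21,6 +21,26 @@
 "type": "github"
 }
 },
+"homeage": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1662769985,
+"narHash": "sha256-zGk10O4osXxf1n9RafSMpPBsEibAGzx4OL4MLmlodB4=",
+"owner": "jordanisaacs",
+"repo": "homeage",
+"rev": "dd98c460175a0781ad0b51f4392de97c5454a5c4",
+"type": "github"
+},
+"original": {
+"owner": "jordanisaacs",
+"repo": "homeage",
+"type": "github"
+}
+},
 "nixpkgs": {
 "locked": {
 "lastModified": 1661541451,
@@ -40,6 +60,7 @@
 "root": {
 "inputs": {
 "home-manager": "home-manager",
+"homeage": "homeage",
 "nixpkgs": "nixpkgs"
 }
 },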
10
flake.nix
10
flake.nix
@ -8,11 +8,16 @@
|
|||||||
url = "github:nix-community/home-manager";
|
url = "github:nix-community/home-manager";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
homeage = {
|
||||||
|
url = "github:jordanisaacs/homeage";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = {
|
outputs = {
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
home-manager,
|
home-manager,
|
||||||
|
homeage,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
@ -27,7 +32,10 @@
|
|||||||
|
|
||||||
# Specify your home configuration modules here, for example,
|
# Specify your home configuration modules here, for example,
|
||||||
# the path to your home.nix.
|
# the path to your home.nix.
|
||||||
modules = [./home.nix];
|
modules = [
|
||||||
|
./home.nix
|
||||||
|
homeage.homeManagerModules.homeage
|
||||||
|
];
|
||||||
|
|
||||||
# Optionally use extraSpecialArgs
|
# Optionally use extraSpecialArgs
|
||||||
# to pass through arguments to home.nix
|
# to pass through arguments to home.nix
|
||||||
|
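Review bot: `homeage` is added to the `outputs` argument list, but within this hunk it is only used to pull in `homeage.homeManagerModules.homeage`; the home.nix change in this commit additionally declares `homeage` as a module-function argument, which home-manager only supplies through `extraSpecialArgs`. The `# Optionally use extraSpecialArgs` context lines suggest nothing is passed, so unless `extraSpecialArgs` is set further down outside the hunk, evaluation will fail on the missing argument; either add `extraSpecialArgs = { inherit homeage; };` next to `modules` here or drop the unused argument in home.nix. The attribute set containing `modules` starts before and ends after the second hunk.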
18
home.nix
18
home.nix
@ -1,6 +1,7 @@
|
|||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
homeage,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
home.username = "$USER";
|
home.username = "$USER";
|
||||||
@ -13,6 +14,23 @@
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
homeage = {
|
||||||
|
# Absolute path to identity (created not through home-manager)
|
||||||
|
identityPaths = [
|
||||||
|
"~/.ssh/theEd"
|
||||||
|
];
|
||||||
|
|
||||||
|
# "activation" if system doesn't support systemd
|
||||||
|
installationType = "activation";
|
||||||
|
|
||||||
|
file."sops-age-keys.txt" = {
|
||||||
|
# Path to encrypted file tracked by the git repository
|
||||||
|
source = ./secrets/sops-keys.age;
|
||||||
|
# can be "copies" or "symlink"
|
||||||
|
symlinks = [".config/sops/age/keys.txt"];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# build a configuration and switch:
|
# build a configuration and switch:
|
||||||
# ➜ home-manager switch --no-out-link -b backup --flake~/utils/dotfiles#$USER
|
# ➜ home-manager switch --no-out-link -b backup --flake~/utils/dotfiles#$USER
|
||||||
|
|
||||||
|
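Review bot: The comment `# Absolute path to identity` above `identityPaths` does not match the value `"~/.ssh/theEd"`: a leading `~` is a shell convention, and whether it is expanded depends on how homeage's activation script interpolates the path into its age call, which this hunk cannot show. Spelling out the absolute path removes that dependency, e.g. `identityPaths = [ "/home/<user>/.ssh/theEd" ];` with the real home directory in place of the placeholder, or the comment should be changed to say that `~` is accepted if that has been verified. The `homeage = { ... };` block sits inside the module attribute set that starts and ends outside this hunk.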
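--- /dev/null
+++ b/secrets/sops-keys.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDZUei9UUSBhVkh3
+MDdndnRDbjlnS2FKZDFhZFovak9CSWM1aGsxNGxJbHV4SnNLOUJJCkhWTHV6SEp4
+UFJBS3IyUmxtRjNtdlJ0Q3k5cWEyNlJBajRURHZLU2VaN2sKLS0tIEtZTFR6SlhZ
+NzdaKzdudVVHMGNLT29oVzJUbHFkOXVJODVnSXZoTFJIbTgKFwKG+3yR6NSpF0Dn
+bvPThslM+M3nFABgQn1Gs74N8UFTMa+q5Bz2xaWbiczeQ2Ql0b4KwX1hrwWEXCVT
+qwSY2o4XQC3LbVYk9Omxl22gUGshtcyqbJHN7MF9k4S7uzuHt78Rm7/BnAzW7LjX
+oPsLshVEGEBVUVQIvC8EfHSRMHdC84EEOL/IfqHbAvkHPkSPj7YnGMdqLBluDzYI
+t77SqXiP9VA+h1n50SAUg6CU0wZCqIOt5ZcjDxzHGFZC1+Kt2JQv9lGzBqLez/JN
+yjmQbxc7msnqrkYD6mlZmdU=
+-----END AGE ENCRYPTED FILE-----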
20
secrets/sops-secrets.enc.yaml
Normal file
20
secrets/sops-secrets.enc.yaml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORW1QaS91aGpTT1RINTJS
|
||||||
|
ZGMvQVU1OXc4dERoMWcwOXJaVWlFSDlKQ0NrClFCZVpUOCs5RVZhRVBkdDNTdVJX
|
||||||
|
bHlUNWw1dHNVRFlRQ0tuSnRqQ3hjWGcKLS0tIE4vWDlyK2NkZkpqVHV5aVBpWWxz
|
||||||
|
ekw2d2FVS3dxUmpzV3pXOWZTaENwR0UKH93OIxoc09BGqfJWxYvfZFXrNrQbv65H
|
||||||
|
K1IEVR31Qno9YQuwnrKJ6SR5MlvJ6A8FeGmqgoyWj4pLRU35a1XQCg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2022-09-10T14:25:34Z"
|
||||||
|
mac: ENC[AES256_GCM,data:YIuDT6kePJUOVADzIFsGKDKLcXPmDehtg1sH7ve7/3ko51N94Q7WyiXakcMliSMKQvfziWSpjQm7EsRJAZxDWd9ecweNHIgFxJdrAWHKbptxtFa2WedjP/R1Xau5NE53E3B1Hicq8wh6tgQjubUpR+IPzpnjUETxAcLuKRjmS0o=,iv:AWSCTld6BboQUgf2XZdB2wxiSlbT8JtYATw702Q2YeM=,tag:R8nEF5fBMy07v74V6H8TJQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|