Commit 62c0e76c5f6e
secrets/redhat/2015-RH-IT-Root-CA.pem.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> piv-p256 ItIHHA A58kGk1xKFFA+j6qHdz6LPhZBekNTO2JCEWAk7/cjMnt
+QJEjDPIbknRt9mohawW/BGbiUAWaSGL1m7KtIhl5wv0
+-> ssh-ed25519 irMfZA MmXjG/jf6MqLuUKPR++ku+mgQnVSxtCaFBKUPkhXDDY
+v0bHbpW0a8vV1qcBsPAWFEMzhHtAgUEAECx4qMCWd7Q
+-> ssh-ed25519 9N8CYA 7GRlkB7R5tbM22753Vdrajft/6TzDvoj8YG/wL4/BRw
+sCqoXe2RkDasKBA9nNfIyt4hzjo/CAcW+wwrcJNG3fI
+--- ARcLO+/OqM2+S4D47xgIeuSb4UNhhvvzXd0YtBZB3Y0
+G��G*��������x��wI@d;�����t
\ No newline at end of file
secrets/redhat/Eng-CA.crt.age
Binary file
secrets/redhat/ipa.crt.age
Binary file
secrets/redhat/newca.crt.age
Binary file
secrets/redhat/oracle_ebs.crt.age
Binary file
secrets/redhat/pki-ca-chain.crt.age
Binary file
secrets/redhat/redhat.pem.age
Binary file
secrets/redhat/RH_ITW.crt.age
Binary file
secrets/redhat/win-intermediate-ca.cer.age
Binary file
secrets/shikoku/aria2rpcsecret.age
Binary file
secrets/minica.pem.age
Binary file
shells/nixos-config.nix
@@ -1,14 +1,8 @@
{ pkgs, inputs }:
-let
- inherit (inputs.sops-nix.packages."x86_64-linux") sops-import-keys-hook;
-in
+
pkgs.mkShell
{
name = "NixOS config";
- sopsPGPKeyDirs = [ "./secrets/keys" ];
- nativeBuildInputs = [
- inputs.sops-nix.packages."x86_64-linux".sops-import-keys-hook
- ];
buildInputs = with pkgs; [
cachix
git
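Review bot: The shell removes the sops key-import hook but adds no agenix tooling in its place, so the new `.age` files cannot be edited or re-keyed from this shell. If this is the shell used for secret maintenance, add `inputs.agenix.packages.x86_64-linux.default` to `buildInputs`, as the other devShell in flake.nix already does. The `buildInputs` list continues past the end of the hunk.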
systems/hosts/aomi.nix
@@ -116,8 +116,6 @@ in
packages = with pkgs; [ networkmanager-openvpn ];
};
- sops.defaultSopsFile = ../../secrets/secrets.yaml;
-
boot = {
loader.systemd-boot.netbootxyz.enable = true;
kernelPackages = pkgs.linuxPackages_latest;
systems/hosts/shikoku.nix
@@ -146,7 +146,8 @@ in
programs.ssh.setXAuthLocation = true;
- sops.secrets.aria2RPCSecret = {
+ age.secrets."aria2RPCSecret" = {
+ file = ../../secrets/shikoku/aria2rpcsecret.age;
mode = "444";
owner = "aria2";
group = "aria2";
@@ -175,7 +176,6 @@ in
};
downloadDir = "/data/downloads";
rpcSecretFile = "${pkgs.writeText "aria" "aria2rpc\n"}";
- # rpcSecretFile = config.sops.secrets.aria2RPCSecret.path;
};
bazarr = {
enable = true;
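Review bot: `rpcSecretFile` still points at a `pkgs.writeText` store path holding the literal token `aria2rpc`, which is world-readable under /nix/store, and the commit deletes the commented reference to the real secret instead of wiring it up, so the `age.secrets.aria2RPCSecret` declared in the previous hunk is never used. Replace the line with `rpcSecretFile = config.age.secrets.aria2RPCSecret.path;`. That secret is also declared with `mode = "444"`, which lets every local user read the RPC token; since owner and group are already `aria2`, `mode = "440";` is enough. The enclosing services attrset starts before this hunk.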
systems/modules/core/default.nix
@@ -1,13 +1,5 @@
{ config, lib, pkgs, ... }:
-let
- common = {
- sopsFile = ../../../secrets/secrets.yaml;
- mode = "444";
- owner = "root";
- group = "root";
- };
-in
{
imports = [
./binfmt.nix
@@ -40,12 +32,12 @@ in
'';
};
- sops.secrets."minica.pem" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."minica.pem" = {
+ file = ../../../secrets/minica.pem.age;
path = "/etc/ssl/certs/minica.pem";
};
- sops.secrets."redhat.pem" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."redhat.pem" = {
+ file = ../../../secrets/redhat/redhat.pem.age;
path = "/etc/ssl/certs/redhat.pem";
};
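Review bot: The new `age.secrets."minica.pem"` and `age.secrets."redhat.pem"` entries set no `mode`, whereas the removed `common` attrset gave them `mode = "444"`; agenix's default is, as far as I recall, a root-only `0400`, which would leave /etc/ssl/certs/minica.pem and redhat.pem unreadable by unprivileged TLS clients. work.nix in this same commit adds `mode = "444";` to every certificate entry, so these two should get the same line after their `path` for consistency. The enclosing attrset continues outside the hunk.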
@@ -140,8 +132,6 @@ in
security.pki.certificateFiles = [
"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- # config.sops.secrets."minica.pem".path
- # config.sops.secrets."redhat.pem".path
# "/etc/ssl/certs/minica.pem"
# "/etc/ssl/certs/redhat.pem"
];
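Review bot: The trust-store hookup stays commented out, so the two certificates decrypted to /etc/ssl/certs are still not part of `security.pki.certificateFiles` after this change, and nothing in the new lines says whether that is intended. As far as I know `certificateFiles` is consumed at build time to assemble the CA bundle, so a path that only exists after agenix activation cannot be listed there; the realistic options are `security.pki.certificates` with the PEM text, or keeping these public CA certificates unencrypted in the repo. A comment such as `# not in certificateFiles: agenix writes these at activation, after the bundle is built` would stop the next reader from re-trying the commented entries.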
systems/modules/profiles/builder.nix
@@ -18,11 +18,12 @@ in
};
config = mkIf cfg.enable {
nix.distributedBuilds = true;
- sops.secrets.builder = {
- sopsFile = ../../../secrets/builder.yaml;
- mode = "600";
- path = "/etc/nix/builder.key";
- };
+ # FIXME Redo this later
+ # sops.secrets.builder = {
+ # sopsFile = ../../../secrets/builder.yaml;
+ # mode = "600";
+ # path = "/etc/nix/builder.key";
+ # };
nix.buildMachines = (filter isCurrentHost
[
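Review bot: `nix.distributedBuilds = true` remains enabled while the builder key declaration here and both `sshKey` lines in the later hunks are commented out, so root will contact the build machines with whatever default SSH identity it happens to have — remote builds either fail or use an unintended key. Rather than leaving the FIXME, migrate the key to agenix in the same shape the other files in this commit use (after creating the `.age` file and listing it in secrets.nix) and point `sshKey` at it; if that cannot be done now, disable `distributedBuilds` until it is. The `config = mkIf cfg.enable` block continues past the hunk.
```nix
  config = mkIf cfg.enable {
    nix.distributedBuilds = true;
    # SSH identity used by the "builder" user on the remote machines; keep it root-only.
    age.secrets.builder = {
      file = ../../../secrets/builder.age;
      mode = "600";
      path = "/etc/nix/builder.key";
    };
    # … unchanged: nix.buildMachines list, with
    #   sshKey = config.age.secrets.builder.path;
    # restored in each entry …
```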
@@ -30,7 +31,7 @@ in
hostName = "${metadata.hosts.shikoku.addrs.v4}";
maxJobs = metadata.hosts.shikoku.builder.maxJobs;
sshUser = "builder";
- sshKey = config.sops.secrets.builder.path;
+ # sshKey = config.sops.secrets.builder.path;
systems = metadata.hosts.shikoku.builder.systems;
supportedFeatures = metadata.hosts.shikoku.builder.features;
}
@@ -38,7 +39,7 @@ in
hostName = "${metadata.hosts.aomi.addrs.v4}";
maxJobs = metadata.hosts.aomi.builder.maxJobs;
sshUser = "builder";
- sshKey = config.sops.secrets.builder.path;
+ # sshKey = config.sops.secrets.builder.path;
systems = metadata.hosts.aomi.builder.systems;
supportedFeatures = metadata.hosts.aomi.builder.features;
}
systems/modules/profiles/work.nix
@@ -3,12 +3,6 @@
with lib;
let
cfg = config.modules.profiles.work;
- common = {
- sopsFile = ../../../secrets/desktops/redhat.yaml;
- mode = "444";
- owner = "root";
- group = "root";
- };
in
{
options = {
@@ -28,7 +22,7 @@ in
age.secrets."krb5.conf" = {
file = ../../../secrets/redhat/krb5.conf.age;
path = "/etc/krb5.conf";
- mode = "770";
+ mode = "444";
group = "wheel";
};
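Review bot: With `mode = "444"` the file is readable by everyone, so the remaining `group = "wheel";` no longer restricts anything and reads as a leftover from the old `770`. Either drop the group line, or, if the intent was to limit krb5.conf to wheel members, use `mode = "440";` instead — though 444 is the right choice for a config that every Kerberos-using process must read.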
# NetworkManager
@@ -53,37 +47,45 @@ in
mode = "600";
};
# Certificates
- sops.secrets."ipa.crt" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."ipa.crt" = {
+ file = ../../../secrets/redhat/ipa.crt.age;
path = "/etc/ipa/ipa.crt";
+ mode = "444";
};
- sops.secrets."2015-RH-IT-Root-CA.pem" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."2015-RH-IT-Root-CA.pem" = {
+ file = ../../../secrets/redhat/2015-RH-IT-Root-CA.pem.age;
path = "/etc/pki/tls/certs/2015-RH-IT-Root-CA.pem";
+ mode = "444";
};
- sops.secrets."Eng-CA.crt" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."Eng-CA.crt" = {
+ file = ../../../secrets/redhat/Eng-CA.crt.age;
path = "/etc/pki/tls/certs/Eng-CA.crt";
+ mode = "444";
};
- sops.secrets."newca.crt" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."newca.crt" = {
+ file = ../../../secrets/redhat/newca.crt.age;
path = "/etc/pki/tls/certs/newca.crt";
+ mode = "444";
};
- sops.secrets."oracle_ebs.crt" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."oracle_ebs.crt" = {
+ file = ../../../secrets/redhat/oracle_ebs.crt.age;
path = "/etc/pki/tls/certs/oracle_ebs.crt";
+ mode = "444";
};
- sops.secrets."pki-ca-chain.crt" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."pki-ca-chain.crt" = {
+ file = ../../../secrets/redhat/pki-ca-chain.crt.age;
path = "/etc/pki/tls/certs/pki-ca-chain.crt";
+ mode = "444";
};
- sops.secrets."RH_ITW.crt" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."RH_ITW.crt" = {
+ file = ../../../secrets/redhat/RH_ITW.crt.age;
path = "/etc/pki/tls/certs/RH_ITW.crt";
+ mode = "444";
};
- sops.secrets."win-intermediate-ca.cer" = {
- inherit (common) mode owner group sopsFile;
+ age.secrets."win-intermediate-ca.cer" = {
+ file = ../../../secrets/redhat/win-intermediate-ca.cer.age;
path = "/etc/pki/tls/certs/win-intermediate-ca.cer";
+ mode = "444";
};
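Review bot: Every certificate entry repeats the same three-line shape — `file` under secrets/redhat, a `path`, and `mode = "444"` — which is exactly what the removed `common` attrset used to factor out; a small helper keeps the eight entries to one line each and makes a later mode or directory change a single edit. The `let` block that would hold the helper is in this file's first hunk; the `config` attrset continues past this hunk.
```nix
let
  cfg = config.modules.profiles.work;
  # Shared shape for the Red Hat CA files: decrypted from secrets/redhat/<name>.age, world-readable.
  redhatCert = name: path: {
    file = ../../../secrets/redhat + "/${name}.age";
    inherit path;
    mode = "444";
  };
in
# … unchanged: options, krb5.conf, NetworkManager …
    age.secrets."ipa.crt" = redhatCert "ipa.crt" "/etc/ipa/ipa.crt";
    age.secrets."2015-RH-IT-Root-CA.pem" = redhatCert "2015-RH-IT-Root-CA.pem" "/etc/pki/tls/certs/2015-RH-IT-Root-CA.pem";
    # … same one-liner for Eng-CA.crt, newca.crt, oracle_ebs.crt, pki-ca-chain.crt, RH_ITW.crt, win-intermediate-ca.cer …
```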
};
flake.lock
@@ -677,28 +677,7 @@
"nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs_3",
"nixpkgs-24_05": "nixpkgs-24_05",
- "nixpkgs-24_11": "nixpkgs-24_11",
- "sops-nix": "sops-nix"
- }
- },
- "sops-nix": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1739262228,
- "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
- "owner": "Mic92",
- "repo": "sops-nix",
- "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
- "type": "github"
- },
- "original": {
- "owner": "Mic92",
- "repo": "sops-nix",
- "type": "github"
+ "nixpkgs-24_11": "nixpkgs-24_11"
}
},
"systems": {
flake.nix
@@ -34,7 +34,6 @@
./systems/modules/virtualisation/buildkit.nix
./systems/modules/services/default.nix
inputs.agenix.nixosModules.default
- inputs.sops-nix.nixosModules.sops
# inputs.envfs.nixosModules.envfs
{
# config.nix.generateRegistryFromInputs = true;
@@ -42,8 +41,6 @@
config.home-manager.useUserPackages = true;
# Import custom home-manager modules (NixOS)
config.home-manager.sharedModules = import ./users/modules/modules.nix;
- # Default SopsFile
- config.sops.defaultSopsFile = ./secrets/secrets.yaml;
}
];
in
@@ -145,7 +142,7 @@
};
in
pkgs.mkShell {
- packages = [ pkgs.alejandra pkgs.git pkgs.nodePackages.prettier pkgs.deadnix pkgs.nixfmt-classic pkgs.sops inputs.agenix.packages.x86_64-linux.default ];
+ packages = [ pkgs.alejandra pkgs.git pkgs.nodePackages.prettier pkgs.deadnix pkgs.nixfmt-classic inputs.agenix.packages.x86_64-linux.default ];
name = "home";
DIRENV_LOG_FORMAT = "";
};
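Review bot: Dropping `pkgs.sops` from this shell while builder.nix still carries a commented `sops.secrets.builder` pointing at `secrets/builder.yaml` means the remaining sops-encrypted file can no longer be decrypted from the devShell for its migration. Keep `pkgs.sops` in the package list until builder.yaml has been re-encrypted with agenix, or remove the yaml in the same change; if that file is already gone from the repo, disregard this.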
@@ -176,13 +173,6 @@
inputs.nixpkgs-stable.follows = "nixpkgs-24_05";
};
- sops-nix = {
- type = "github";
- owner = "Mic92";
- repo = "sops-nix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
# WSL
nixos-wsl = { type = "github"; owner = "nix-community"; repo = "NixOS-WSL"; inputs.nixpkgs.follows = "nixpkgs"; };
nixos-hardware = { type = "github"; owner = "NixOS"; "repo" = "nixos-hardware"; };
secrets.nix
@@ -24,14 +24,16 @@ in
"secrets/redhat/AMS2.ovpn.age".publicKeys = users ++ [ aomi wakasu ];
"secrets/redhat/RDU2.ovpn.age".publicKeys = users ++ [ aomi wakasu ];
"secrets/redhat/BBRQ.ovpn.age".publicKeys = users ++ [ aomi wakasu ];
- # "some-secret.age".publickeys = users ++ systems;
- # "some-desktops-secrets.age".publicKeys = desktops;
- # "some-servers-secrets.age".publicKeys = servers;
- # "aomi/foo.age".publicKeys = [ aomi ];
- # "athena/foo.age".publicKeys = [ athena ];
- # "demeter/foo.age".publicKeys = [ demeter ];
- # "kerkouane/foo.age".publicKeys = [ kerkouane ];
- # "sakhalin/foo.age".publicKeys = [ sakhalin ];
- # "shikoku/foo.age".publicKeys = [ shikoku ];
- # "wakasu/foo.age".publicKeys = [ wakasu ];
+ "secrets/redhat/ipa.crt.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/2015-RH-IT-Root-CA.pem.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/Eng-CA.crt.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/newca.crt.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/oracle_ebs.crt.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/pki-ca-chain.crt.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/RH_ITW.crt.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/win-intermediate-ca.cer.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/redhat.pem.age".publicKeys = users ++ systems;
+ # Others
+ "secrets/minica.pem.age".publicKeys = users ++ systems;
+ "secrets/shikoku/aria2rpcsecret.age".publicKeys = users ++ [ shikoku ];
}