diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..189c6f9
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1mggj0wsszz92kfpvq7pjlf0mthkljl9usu7u98jrmyxh85q4pecs6zz4ll
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/flake.lock b/flake.lock
index 07e7a6a..ba3f1a5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -239,7 +239,28 @@
 "nix-flatpak": "nix-flatpak",
 "nixcord": "nixcord",
 "nixpkgs": "nixpkgs",
- "nixvim": "nixvim"
+ "nixvim": "nixvim",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1754988908,
+ "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index ae7e77e..8ac461e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,19 +14,26 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 nix-flatpak.url = "github:gmodena/nix-flatpak";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = { self, nixpkgs, home-manager, ... } @ inputs:
+ let
+ rootPath = ./.;
+ in
 {
 nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
- specialArgs = { inherit inputs; };
+ specialArgs = { inherit inputs rootPath; };
 modules = [
 ./hosts/nixos/configuration.nix
 ];
 };
 homeConfigurations."toast@nixos" = home-manager.lib.homeManagerConfiguration {
 pkgs = nixpkgs.legacyPackages.x86_64-linux;
- extraSpecialArgs = { inherit inputs; };
+ extraSpecialArgs = { inherit inputs rootPath; };
 modules = [
 ./home/toast/home.nix
diff --git a/home/toast/home.nix b/home/toast/home.nix
index 51975cb..a8b284a 100644
--- a/home/toast/home.nix
+++ b/home/toast/home.nix
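Review bot: The single `creation_rules` entry encrypts `secrets/secrets.yaml` to exactly one age recipient, so the same private key has to be present wherever the file is decrypted — the NixOS activation and the home-manager activation in this commit both point at it — and losing that one identity leaves the committed blob in the `secrets/secrets.yaml` hunk unrecoverable. Consider a second recipient in the same group (a separate host identity or an offline backup key), e.g. a second `&backup` anchor under `keys:` and `- age: [ *primary, *backup ]` under `key_groups`, then `sops updatekeys secrets/secrets.yaml` to re-encrypt the existing file to both. The `path_regex` is suffix-anchored only (`secrets/secrets.yaml$`), so it also matches that filename in any subdirectory; `^secrets/secrets\.yaml$` expresses the intended exact match.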
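Review bot: The new `rootPath = ./.;` binding and its threading through `specialArgs`/`extraSpecialArgs` duplicate something the outputs function already has: `self` is bound in the argument pattern and is also reachable as `inputs.self`, which both module sets already receive via `inherit inputs`. The two sops modules could build the path as `inputs.self + "/secrets/secrets.yaml"` without the extra special argument, which keeps the argument sets unchanged and avoids a second name for the flake root; if `rootPath` is kept on purpose, a one-line comment such as `# flake root, passed to modules that reference files outside their own directory` above the `let` would explain why it exists alongside `self`.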
@@ -4,6 +4,7 @@
 inputs.nixvim.homeManagerModules.nixvim
 inputs.nixcord.homeModules.nixcord
 inputs.nix-flatpak.homeManagerModules.nix-flatpak
+ inputs.sops-nix.homeManagerModules.sops
 ./modules/kitty.nix
 ./modules/git.nix
@@ -24,6 +25,7 @@
 ./modules/hypridle.nix
 ./modules/obsidian.nix
 ./modules/xdg.nix
+ ./modules/sops.nix
 ];
 home = {
diff --git a/home/toast/modules/sops.nix b/home/toast/modules/sops.nix
new file mode 100644
index 0000000..7b1a78d
--- /dev/null
+++ b/home/toast/modules/sops.nix
@@ -0,0 +1,10 @@
+{ rootPath, ... }:
+
+ {
+ sops.defaultSopsFile = rootPath + /secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.age.keyFile = "/home/toast/.config/sops/age/keys.txt";
+
+ sops.secrets."tailscale/authkey" = { };
+}
diff --git a/hosts/nixos/configuration.nix b/hosts/nixos/configuration.nix
index a2227ea..e13bee2 100644
--- a/hosts/nixos/configuration.nix
+++ b/hosts/nixos/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 inputs.nix-flatpak.nixosModules.nix-flatpak
+ inputs.sops-nix.nixosModules.sops
 ./hardware-configuration.nix
 ./modules/boot.nix
@@ -15,8 +16,9 @@
 ./modules/hardware.nix
 ./modules/environment.nix
 ./modules/programs.nix
+ ./modules/sops.nix
 ];
 system.stateVersion = "25.05";
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
-}
\ No newline at end of file
+}
diff --git a/hosts/nixos/modules/services.nix b/hosts/nixos/modules/services.nix
index 050966c..ea1ebc1 100644
--- a/hosts/nixos/modules/services.nix
+++ b/hosts/nixos/modules/services.nix
@@ -18,7 +18,10 @@
 };
 };
 };
- services.tailscale.enable = true;
+ services.tailscale = {
+ enable = true;
+ authKeyFile = config.sops.secrets."tailscale/authkey".path;
+ };
 services.flatpak = {
 enable = true;
 packages = [
diff --git a/hosts/nixos/modules/sops.nix b/hosts/nixos/modules/sops.nix
new file mode 100644
index 0000000..7b1a78d
--- /dev/null
+++ b/hosts/nixos/modules/sops.nix
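Review bot: `home/toast/modules/sops.nix` is byte-identical to `hosts/nixos/modules/sops.nix` (both new-file hunks carry blob `7b1a78d`) and declares the same `sops.secrets."tailscale/authkey"`, yet the only consumer in this commit is `services.tailscale.authKeyFile` on the NixOS side, so the home-manager activation decrypts a second copy of the Tailscale auth key into the user's session that nothing reads. Drop `sops.secrets."tailscale/authkey" = { };` from the home-manager module (keeping the file only if a user-scoped secret is planned), or leave the `homeManagerModules.sops` import and `./modules/sops.nix` out of `home.nix` until one exists. Whichever copy survives would benefit from a header comment stating which activation (system or user) it serves, since the two files will otherwise drift apart unnoticed.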
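Review bot: The new `authKeyFile = config.sops.secrets."tailscale/authkey".path;` line reads `config`, which must be in the module's argument set; the function header of `services.nix` lies outside the hunk, so confirm it binds `config` (e.g. `{ config, pkgs, ... }:`) or evaluation fails with an undefined-variable error. The line also silently depends on `hosts/nixos/modules/sops.nix` being imported by `configuration.nix`; a short comment such as `# decrypted by sops-nix at activation; declared in modules/sops.nix` next to it records that coupling for the next reader. It may be worth noting in the same comment that the decrypted file holds a reusable credential, so the key should be issued with the narrowest lifetime the Tailscale admin console allows and rotated by re-encrypting `secrets/secrets.yaml`.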
@@ -0,0 +1,10 @@
+{ rootPath, ... }:
+
+ {
+ sops.defaultSopsFile = rootPath + /secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.age.keyFile = "/home/toast/.config/sops/age/keys.txt";
+
+ sops.secrets."tailscale/authkey" = { };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..4fbc80f
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,17 @@
+tailscale:
+ authkey: ENC[AES256_GCM,data:ssxd13QKzXbezZs9ewR0CRsN0T6FMzQjGyJ5czjv4lHP6ODM1hAkS728vInfgq2hwUwVzs17I0C4017MGg==,iv:r/M4WtjrQZLdqidlFNUvY9NQhDSntNka2iYOAu+RQc8=,tag:kycZLagUboZ31ryQ3exi3w==,type:str]
+sops:
+ age:
+ - recipient: age1mggj0wsszz92kfpvq7pjlf0mthkljl9usu7u98jrmyxh85q4pecs6zz4ll
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VXJQZ2RkQ0F4aHNSRVh5
+ OTVFdDJ5bTFoM3M4Q2VBVE5EU1NlRkNJZURFCm9hOGJUZmpHNzNhQkxzdjh3aW1q
+ VWtPNVhoVzRoMjl3ZFhHaDdlYnVqN00KLS0tIFRiNmF5a2pZbnI4Q3p1Z1pHZGN5
+ Z0crWElZcVFMVUd0VytoTHFqbkRDck0KY8nsRThk1hCA/yDNy5JJ0T6pTUwRZhYW
+ j8grD6JYvauuYa+3tSIwqy2RPiKltx696n9nXy9iPnFUO0QY/rQGVg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-08-23T08:50:02Z"
+ mac: ENC[AES256_GCM,data:nlUuYj6F960mebfQEER+ZyUfulIRRC1Uo1U0ZvKLA/YeemIzbbS/PlVawncsYEmhl6dyQ3RsXTEEqV7dAr0Bz3Ds5TFf4zz5kvRAf++1ho8TGyjBC88qR6hEoShJsuTfjFUn6NWiYetIKbmnLsuclE2aQU+8fo54PvIx8ut8mpo=,iv:qOHR8lXg9IeSHHq5StrwVsgIC4tIOAzvcSGS6bO7MXc=,tag:tZ7PByMZAPwe10sr3YLRgw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/shell.nix b/shell.nix
index 2f5e6cf..e59b2b2 100644
--- a/shell.nix
+++ b/shell.nix
@@ -5,5 +5,6 @@ pkgs.mkShell {
 nix
 home-manager
 git
+ sops
 ];
 }
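Review bot: `sops.age.keyFile = "/home/toast/.config/sops/age/keys.txt";` makes the system-level decryption, which sops-nix performs as root during NixOS activation, depend on a file inside one user's home directory: activation runs before any user session, so if `/home` is a separate or late-mounted filesystem, or that directory's permissions change, the Tailscale key fails to decrypt and `services.tailscale.authKeyFile` points at a missing file. The usual arrangement on the NixOS side is a root-owned identity outside `/home` (a key file under `/var/lib`, as the sops-nix README suggests, or the host SSH key via `sops.age.sshKeyPaths`), with the user-home key reserved for the home-manager module; that second identity then needs to be added as a recipient in `.sops.yaml`. A comment above the line naming which identity decrypts on this side, and that the key file is never committed, would make the intent explicit for the next reader.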