From 2a7521ee774d9854d53bc11424c63d8b2f6286fd Mon Sep 17 00:00:00 2001
From: William P
Date: Sun, 22 Feb 2026 21:02:22 -0500
Subject: [PATCH] secrets management with SOPS
---
 .gitignore | 3 ++-
 flake.lock | 23 ++++++++++++++++++++++-
 flake.nix | 10 ++++++++--
 security/security.nix | 6 ++++++
 security/sops.nix | 23 +++++++++++++++++++++++
 security/sops_nix.yaml | 17 +++++++++++++++++
 security/ssl.nix | 30 ++++++++++++++++++++++++++++++
 users/root.nix | 7 +++++++
 users/users.nix | 1 +
 users/williamp.nix | 3 +++
 10 files changed, 119 insertions(+), 4 deletions(-)
 create mode 100644 security/security.nix
 create mode 100644 security/sops.nix
 create mode 100644 security/sops_nix.yaml
 create mode 100644 security/ssl.nix
 create mode 100644 users/root.nix
diff --git a/.gitignore b/.gitignore
index e2f5dd2..14be3e6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-result
\ No newline at end of file
+result
+secrets/
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index a13f9c7..dbbc8eb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -40,7 +40,28 @@
 "root": {
 "inputs": {
 "disko": "disko",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1771735105,
+ "narHash": "sha256-MJuVJeszZEziquykEHh/hmgIHYxUcuoG/1aowpLiSeU=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "d7755d820f5fa8acf7f223309c33e25d4f92e74f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index b47c434..17d6925 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,9 +8,14 @@
 url = "github:nix-community/disko/v1.13.0";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { self, nixpkgs, disko }:
+ outputs = { self, nixpkgs, disko, sops-nix, ... }:
 {
 nixosConfigurations = {
 weyma-bs = nixpkgs.lib.nixosSystem {
@@ -19,6 +24,7 @@
 disko.nixosModules.disko
 { disko.devices.disk.main.device = "/dev/vda"; }
 ./common/core.nix
+ ./security/security.nix
 ./disko/uefi-nosecure.nix
 ./users/users.nix
 {
@@ -61,7 +67,7 @@
 ];
 specialArgs = {
 inputs = {
- inherit self nixpkgs disko;
+ inherit self nixpkgs disko sops-nix;
 };
 };
 };
diff --git a/security/security.nix b/security/security.nix
new file mode 100644
index 0000000..cfaabf6
--- /dev/null
+++ b/security/security.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./ssl.nix
+ ./sops.nix
+ ];
+}
\ No newline at end of file
diff --git a/security/sops.nix b/security/sops.nix
new file mode 100644
index 0000000..240e3ac
--- /dev/null
+++ b/security/sops.nix
@@ -0,0 +1,23 @@
+{ inputs, ... }:
+
+{
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ defaultSopsFile = ./sops_nix.yaml;
+ #validateSopsFiles = false;
+ age = {
+ keyFile = "/var/lib/sops-nix/key.txt";
+ };
+ secrets = {
+ pw_root = {
+ neededForUsers = true;
+ };
+ pw_williamp = {
+ neededForUsers = true;
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/security/sops_nix.yaml b/security/sops_nix.yaml
new file mode 100644
index 0000000..7812f83
--- /dev/null
+++ b/security/sops_nix.yaml
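Review bot: The new input `url = "github:Mic92/sops-nix";` carries no tag or revision, while the disko input directly above it is pinned to `v1.13.0`. flake.lock pins the commit today, so builds stay reproducible, but the next `nix flake update` will silently move the module that decrypts every host secret to whatever is on its default branch. Pinning it the same way as disko, e.g. `url = "github:Mic92/sops-nix/<tag-or-rev>";`, keeps that update a deliberate, reviewable step. The enclosing `inputs` and `outputs` attribute sets begin and end outside the hunk.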
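Review bot: The identity at `keyFile = "/var/lib/sops-nix/key.txt";` has to exist on the host before this configuration is first activated, because both secrets are `neededForUsers = true` and are decrypted early so that user creation can read them, yet nothing in the file says how that key is provisioned or protected. A comment above `age = {` such as `# Host age identity, provisioned out-of-band (root-owned, mode 0600) before the first switch; the secrets below are needed before user accounts exist` would spare the next operator a failed activation. The commented-out `#validateSopsFiles = false;` should be deleted or given a one-line reason; validation on is the safe default, and dead config lines invite someone to flip them.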
@@ -0,0 +1,17 @@
+pw_williamp: ENC[AES256_GCM,data:HuZKDBB+9FHzoMg8KrCIdQ==,iv:DvCAqtsE/JbCGmlW7czAM9X+tB3aQDvOd1OcTWjNrow=,tag:YBsZG+RKlebJlKPToD+cSQ==,type:str]
+pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:XrwGEYbc9OWckvoRfrKJmjXjB13BJG6lit5TR+Xarn8=,tag:fWtL0tsXBuCQHGorRlNIfw==,type:str]
+sops:
+ age:
+ - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjeHl6YW5XaDVYeitwUDlM
+ cEVrNGtoQVljclVPV0pBSUJsS1lFQmlCZFcwCkZoSVNWUmVQK0VWcHRsN1hPY1Nl
+ TmVTQU1pMHhoMnRkV3I1OSt3WElGR28KLS0tIEtmMlFWUUNsdnhyZWkvTW1yWmE1
+ Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
+ F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-02-23T01:50:31Z"
+ mac: ENC[AES256_GCM,data:wSnhBZDBKDEEFcb8YwBjiopnMEuaVYfeH5Oi1mrlq6sSpvrznUu2saI3l+ktNIK94lw8OyJaj7Nh9AuCouAKeJXbzmBlV/6pTr8Ud08K7UXbd0jqGMku2de3OvMIwrEdhe1H/yxVOFVuRNAgOKmkWB/6Hs+gD0v2FG0ymHacN84=,iv:g8GWfogEPPeGf0cO7PdMLsnffb5GQE1VVuO9s4Ls1Ew=,tag:pBlrcIthHJ1hPtvNbt37SQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
\ No newline at end of file
diff --git a/security/ssl.nix b/security/ssl.nix
new file mode 100644
index 0000000..f07644d
--- /dev/null
+++ b/security/ssl.nix
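Review bot: The file is encrypted to exactly one age recipient (`- recipient: age1usx…`) and the commit adds no `.sops.yaml` creation rules, so only the holder of that single private key can re-edit or rotate `pw_root` and `pw_williamp`. Whether that recipient is the host identity from `/var/lib/sops-nix/key.txt` or an operator's key is not visible here; if it is the host key alone, losing the host means the values can only be replaced, never re-read, and editing requires a session on that box. Adding an operator age public key as a second recipient, plus a `.sops.yaml` so future `sops` edits pick up both, is the usual safeguard. Otherwise the content is as expected: only ciphertext and the MAC are committed.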
@@ -0,0 +1,30 @@
+{
+ security = {
+ pki.certificates = [
+ ''
+ -----BEGIN CERTIFICATE-----
+ MIIDZDCCAkygAwIBAgIUBURUWatoNahkcEbEfsHu8XfvRD8wDQYJKoZIhvcNAQEL
+ BQAwJTEjMCEGA1UEAxMad2V5bWEtY2EuaW5mcmEuZHVieWF0cC54eXowHhcNMjUw
+ NTA3MTkwODUyWhcNMzUwNTA1MTkwOTIyWjAlMSMwIQYDVQQDExp3ZXltYS1jYS5p
+ bmZyYS5kdWJ5YXRwLnh5ejCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ AKRMM0GABCHa8s1jnGyRyoOZs8lhY0amPs2Z3ojxLd/aNoYyeF1D/lg3lriDalZI
+ vMabTo0b4Y1lKbMQdDfk6HvVd/1eeV48NhCynxt3ssZgHtYwho/kPdJMlsnxguaS
+ iUuMMgXzjnksonQO2UjKOo6P8hyouY8z7P8JFAeD3s1pO2fmvA/iZnSxBnGOzqvA
+ LHrnfsU03u9ma3iiufaF7HhpL9pxvC1gonfyxwMUa/WIHhziB4t0DijR7FY3K/CU
+ EFoR+B2LVJCjzt2d17DUS9A78H2YdQwqaNNGecGGG78eRcJJTUK9MxduhiO5FpjG
+ /K7E3GMMRuUnWc5vJCmljJkCAwEAAaOBizCBiDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+ VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU21dLq6kC5DAdR9wI9KT9DoMGdZ8wHwYD
+ VR0jBBgwFoAU21dLq6kC5DAdR9wI9KT9DoMGdZ8wJQYDVR0RBB4wHIIad2V5bWEt
+ Y2EuaW5mcmEuZHVieWF0cC54eXowDQYJKoZIhvcNAQELBQADggEBAFnfte2iJqvI
+ htJLnnIeoYnKo0l68MVL1kn2xVAciqHsoGnnbyDelGSYJU9Tc5aUEgrCECbM+Ssp
+ Fc8ZEA0y0gLyRIVs53obtCPBQ2yVS5LE95dd6g+o3ZSPbhZqu2ioT579BIVGyTxH
+ /DPA0QdMI5hGLL+ZgsooS2Q4IsIvlzSJEBd5G+qbXnC1p0UVzMlsAM6ubIKnCD9e
+ urnpvvYP68Re+U1H9xa0is1r7zcCQOyVgRk4ttqJ9ye9eRP11IDHmhZSpQtj8LR5
+ V43pqIG7H/yUOlHmhCl+anLWnuDUYMHRvFXhnfc6sybVL0ibUJZJOs6VaNJ8zdnM
+ Dh0mNAKi790=
+ -----END CERTIFICATE-----
+
+ ''
+ ];
+ };
+}
\ No newline at end of file
diff --git a/users/root.nix b/users/root.nix
new file mode 100644
index 0000000..3621f1e
--- /dev/null
+++ b/users/root.nix
@@ -0,0 +1,7 @@
+{ config, ... }:
+
+{
+ users.users.root = {
+ hashedPasswordFile = config.sops.secrets.pw_root.path;
+ };
+}
\ No newline at end of file
diff --git a/users/users.nix b/users/users.nix
index c335b63..26d14fd 100644
--- a/users/users.nix
+++ b/users/users.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./williamp.nix
+ ./root.nix
 ];
 }
\ No newline at end of file
diff --git a/users/williamp.nix b/users/williamp.nix
index 87578c3..2584eb2 100644
--- a/users/williamp.nix
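Review bot: `pki.certificates = [` installs this certificate into the system-wide trust store, so every TLS client on the host will accept anything it signs, yet the file carries no explanation of what it is. Reading the base64 by eye it looks like a self-signed CA (subject and issuer key identifiers match, basicConstraints CA:TRUE) named `weyma-ca.infra.dubyatp.xyz` with roughly a ten-year validity; that should be confirmed with `openssl x509 -noout -text` rather than trusted from this note. A header comment above `security = {` should state the purpose, who holds the CA private key and the notAfter date, e.g. `# Private CA (weyma-ca.infra.dubyatp.xyz) for internal services; key held on <CA host>; expires <notAfter> — trusted system-wide, rotate before expiry`. The blank line left inside the `''` string after the END marker is harmless but unneeded.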
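Review bot: `hashedPasswordFile = config.sops.secrets.pw_root.path;` gives root a usable password, and users/williamp.nix does the same for a user that, as far as this commit shows, was previously key-only; whether those passwords also become remote credentials depends on `services.openssh.settings.PasswordAuthentication` and `PermitRootLogin`, which the commit does not touch. If they are intended for console and sudo use only, say so in a comment and pair it with an explicit `services.openssh.settings.PasswordAuthentication = false;` in the same change so the intent is checkable. The `config.sops.secrets` reference only evaluates because security/sops.nix is imported elsewhere in the tree, which is worth a one-line comment since this module cannot stand alone.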
+++ b/users/williamp.nix
@@ -1,6 +1,9 @@
+{ config, ... }:
+
 {
 users.users.williamp = {
 isNormalUser = true;
+ hashedPasswordFile = config.sops.secrets.pw_williamp.path;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID5lZ0/JJyLLwSrFfSs+DF/v0EkV2i/SVDf18+/K5NDV me@williamtpeebles.com"
 ];