secrets management with SOPS

2026-02-22 21:02:22 -05:00
parent de4c297252
commit 2a7521ee77
10 changed files with 119 additions and 4 deletions
--- a/security/security.nix
+++ b/security/security.nix
@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./ssl.nix
+    ./sops.nix
+  ];
+}
--- a/security/sops.nix
+++ b/security/sops.nix
@@ -0,0 +1,23 @@
+{ inputs, ... }:
+
+{
+    imports = [
+        inputs.sops-nix.nixosModules.sops
+    ];
+
+    sops = {
+        defaultSopsFile = ./sops_nix.yaml;
+        #validateSopsFiles = false;
+        age = {
+            keyFile = "/var/lib/sops-nix/key.txt";
+        };
+        secrets = {
+            pw_root = {
+                neededForUsers = true;
+            };
+            pw_williamp = {
+                neededForUsers = true;
+            };
+        };
+    };
+}
--- a/security/sops_nix.yaml
+++ b/security/sops_nix.yaml
@@ -0,0 +1,17 @@
+pw_williamp: ENC[AES256_GCM,data:HuZKDBB+9FHzoMg8KrCIdQ==,iv:DvCAqtsE/JbCGmlW7czAM9X+tB3aQDvOd1OcTWjNrow=,tag:YBsZG+RKlebJlKPToD+cSQ==,type:str]
+pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:XrwGEYbc9OWckvoRfrKJmjXjB13BJG6lit5TR+Xarn8=,tag:fWtL0tsXBuCQHGorRlNIfw==,type:str]
+sops:
+    age:
+        - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjeHl6YW5XaDVYeitwUDlM
+            cEVrNGtoQVljclVPV0pBSUJsS1lFQmlCZFcwCkZoSVNWUmVQK0VWcHRsN1hPY1Nl
+            TmVTQU1pMHhoMnRkV3I1OSt3WElGR28KLS0tIEtmMlFWUUNsdnhyZWkvTW1yWmE1
+            Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
+            F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-23T01:50:31Z"
+    mac: ENC[AES256_GCM,data:wSnhBZDBKDEEFcb8YwBjiopnMEuaVYfeH5Oi1mrlq6sSpvrznUu2saI3l+ktNIK94lw8OyJaj7Nh9AuCouAKeJXbzmBlV/6pTr8Ud08K7UXbd0jqGMku2de3OvMIwrEdhe1H/yxVOFVuRNAgOKmkWB/6Hs+gD0v2FG0ymHacN84=,iv:g8GWfogEPPeGf0cO7PdMLsnffb5GQE1VVuO9s4Ls1Ew=,tag:pBlrcIthHJ1hPtvNbt37SQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
--- a/security/ssl.nix
+++ b/security/ssl.nix
@@ -0,0 +1,30 @@
+{
+    security = {
+        pki.certificates = [
+            ''
+                -----BEGIN CERTIFICATE-----
+                MIIDZDCCAkygAwIBAgIUBURUWatoNahkcEbEfsHu8XfvRD8wDQYJKoZIhvcNAQEL
+                BQAwJTEjMCEGA1UEAxMad2V5bWEtY2EuaW5mcmEuZHVieWF0cC54eXowHhcNMjUw
+                NTA3MTkwODUyWhcNMzUwNTA1MTkwOTIyWjAlMSMwIQYDVQQDExp3ZXltYS1jYS5p
+                bmZyYS5kdWJ5YXRwLnh5ejCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+                AKRMM0GABCHa8s1jnGyRyoOZs8lhY0amPs2Z3ojxLd/aNoYyeF1D/lg3lriDalZI
+                vMabTo0b4Y1lKbMQdDfk6HvVd/1eeV48NhCynxt3ssZgHtYwho/kPdJMlsnxguaS
+                iUuMMgXzjnksonQO2UjKOo6P8hyouY8z7P8JFAeD3s1pO2fmvA/iZnSxBnGOzqvA
+                LHrnfsU03u9ma3iiufaF7HhpL9pxvC1gonfyxwMUa/WIHhziB4t0DijR7FY3K/CU
+                EFoR+B2LVJCjzt2d17DUS9A78H2YdQwqaNNGecGGG78eRcJJTUK9MxduhiO5FpjG
+                /K7E3GMMRuUnWc5vJCmljJkCAwEAAaOBizCBiDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+                VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU21dLq6kC5DAdR9wI9KT9DoMGdZ8wHwYD
+                VR0jBBgwFoAU21dLq6kC5DAdR9wI9KT9DoMGdZ8wJQYDVR0RBB4wHIIad2V5bWEt
+                Y2EuaW5mcmEuZHVieWF0cC54eXowDQYJKoZIhvcNAQELBQADggEBAFnfte2iJqvI
+                htJLnnIeoYnKo0l68MVL1kn2xVAciqHsoGnnbyDelGSYJU9Tc5aUEgrCECbM+Ssp
+                Fc8ZEA0y0gLyRIVs53obtCPBQ2yVS5LE95dd6g+o3ZSPbhZqu2ioT579BIVGyTxH
+                /DPA0QdMI5hGLL+ZgsooS2Q4IsIvlzSJEBd5G+qbXnC1p0UVzMlsAM6ubIKnCD9e
+                urnpvvYP68Re+U1H9xa0is1r7zcCQOyVgRk4ttqJ9ye9eRP11IDHmhZSpQtj8LR5
+                V43pqIG7H/yUOlHmhCl+anLWnuDUYMHRvFXhnfc6sybVL0ibUJZJOs6VaNJ8zdnM
+                Dh0mNAKi790=
+                -----END CERTIFICATE-----
+
+            ''
+        ];
+    };
+}