infrastructure/black-start
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

secrets management with SOPS

Browse Source
This commit is contained in:
William Peebles
2026-02-22 21:02:22 -05:00
parent de4c297252
commit 2a7521ee77
10 changed files with 119 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1 +1,2 @@
result
secrets/

23
flake.lock generated
View File

@@ -40,7 +40,28 @@
"root": {
"inputs": {
"disko": "disko",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1771735105,
"narHash": "sha256-MJuVJeszZEziquykEHh/hmgIHYxUcuoG/1aowpLiSeU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "d7755d820f5fa8acf7f223309c33e25d4f92e74f",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},

10
flake.nix
View File

@@ -8,9 +8,14 @@
url = "github:nix-community/disko/v1.13.0";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, disko }:
outputs = { self, nixpkgs, disko, sops-nix, ... }:
{
nixosConfigurations = {
weyma-bs = nixpkgs.lib.nixosSystem {
@@ -19,6 +24,7 @@
disko.nixosModules.disko
{ disko.devices.disk.main.device = "/dev/vda"; }
./common/core.nix
./security/security.nix
./disko/uefi-nosecure.nix
./users/users.nix
{
@@ -61,7 +67,7 @@
];
specialArgs = {
inputs = {
inherit self nixpkgs disko;
inherit self nixpkgs disko sops-nix;
};
};
};

6
security/security.nix Normal file
View File

@@ -0,0 +1,6 @@
{
imports = [
./ssl.nix
./sops.nix
];
}

23
security/sops.nix Normal file
View File

@@ -0,0 +1,23 @@
{ inputs, ... }:
{
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = ./sops_nix.yaml;
#validateSopsFiles = false;
age = {
keyFile = "/var/lib/sops-nix/key.txt";
};
secrets = {
pw_root = {
neededForUsers = true;
};
pw_williamp = {
neededForUsers = true;
};
};
};
}

17
security/sops_nix.yaml Normal file
View File

@@ -0,0 +1,17 @@
pw_williamp: ENC[AES256_GCM,data:HuZKDBB+9FHzoMg8KrCIdQ==,iv:DvCAqtsE/JbCGmlW7czAM9X+tB3aQDvOd1OcTWjNrow=,tag:YBsZG+RKlebJlKPToD+cSQ==,type:str]
pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:XrwGEYbc9OWckvoRfrKJmjXjB13BJG6lit5TR+Xarn8=,tag:fWtL0tsXBuCQHGorRlNIfw==,type:str]
sops:
age:
- recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjeHl6YW5XaDVYeitwUDlM
cEVrNGtoQVljclVPV0pBSUJsS1lFQmlCZFcwCkZoSVNWUmVQK0VWcHRsN1hPY1Nl
TmVTQU1pMHhoMnRkV3I1OSt3WElGR28KLS0tIEtmMlFWUUNsdnhyZWkvTW1yWmE1
Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-23T01:50:31Z"
mac: ENC[AES256_GCM,data:wSnhBZDBKDEEFcb8YwBjiopnMEuaVYfeH5Oi1mrlq6sSpvrznUu2saI3l+ktNIK94lw8OyJaj7Nh9AuCouAKeJXbzmBlV/6pTr8Ud08K7UXbd0jqGMku2de3OvMIwrEdhe1H/yxVOFVuRNAgOKmkWB/6Hs+gD0v2FG0ymHacN84=,iv:g8GWfogEPPeGf0cO7PdMLsnffb5GQE1VVuO9s4Ls1Ew=,tag:pBlrcIthHJ1hPtvNbt37SQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

30
security/ssl.nix Normal file
View File

@@ -0,0 +1,30 @@
{
security = {
pki.certificates = [
''
-----BEGIN CERTIFICATE-----
MIIDZDCCAkygAwIBAgIUBURUWatoNahkcEbEfsHu8XfvRD8wDQYJKoZIhvcNAQEL
BQAwJTEjMCEGA1UEAxMad2V5bWEtY2EuaW5mcmEuZHVieWF0cC54eXowHhcNMjUw
NTA3MTkwODUyWhcNMzUwNTA1MTkwOTIyWjAlMSMwIQYDVQQDExp3ZXltYS1jYS5p
bmZyYS5kdWJ5YXRwLnh5ejCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKRMM0GABCHa8s1jnGyRyoOZs8lhY0amPs2Z3ojxLd/aNoYyeF1D/lg3lriDalZI
vMabTo0b4Y1lKbMQdDfk6HvVd/1eeV48NhCynxt3ssZgHtYwho/kPdJMlsnxguaS
iUuMMgXzjnksonQO2UjKOo6P8hyouY8z7P8JFAeD3s1pO2fmvA/iZnSxBnGOzqvA
LHrnfsU03u9ma3iiufaF7HhpL9pxvC1gonfyxwMUa/WIHhziB4t0DijR7FY3K/CU
EFoR+B2LVJCjzt2d17DUS9A78H2YdQwqaNNGecGGG78eRcJJTUK9MxduhiO5FpjG
/K7E3GMMRuUnWc5vJCmljJkCAwEAAaOBizCBiDAOBgNVHQ8BAf8EBAMCAQYwDwYD
VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU21dLq6kC5DAdR9wI9KT9DoMGdZ8wHwYD
VR0jBBgwFoAU21dLq6kC5DAdR9wI9KT9DoMGdZ8wJQYDVR0RBB4wHIIad2V5bWEt
Y2EuaW5mcmEuZHVieWF0cC54eXowDQYJKoZIhvcNAQELBQADggEBAFnfte2iJqvI
htJLnnIeoYnKo0l68MVL1kn2xVAciqHsoGnnbyDelGSYJU9Tc5aUEgrCECbM+Ssp
Fc8ZEA0y0gLyRIVs53obtCPBQ2yVS5LE95dd6g+o3ZSPbhZqu2ioT579BIVGyTxH
/DPA0QdMI5hGLL+ZgsooS2Q4IsIvlzSJEBd5G+qbXnC1p0UVzMlsAM6ubIKnCD9e
urnpvvYP68Re+U1H9xa0is1r7zcCQOyVgRk4ttqJ9ye9eRP11IDHmhZSpQtj8LR5
V43pqIG7H/yUOlHmhCl+anLWnuDUYMHRvFXhnfc6sybVL0ibUJZJOs6VaNJ8zdnM
Dh0mNAKi790=
-----END CERTIFICATE-----
''
];
};
}

7
users/root.nix Normal file
View File

@@ -0,0 +1,7 @@
{ config, ... }:
{
users.users.root = {
hashedPasswordFile = config.sops.secrets.pw_root.path;
};
}

1
users/users.nix
View File

@@ -1,5 +1,6 @@
{
imports = [
./williamp.nix
./root.nix
];
}

3
users/williamp.nix
View File

@@ -1,6 +1,9 @@
{ config, ... }:
{
users.users.williamp = {
isNormalUser = true;
hashedPasswordFile = config.sops.secrets.pw_williamp.path;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID5lZ0/JJyLLwSrFfSs+DF/v0EkV2i/SVDf18+/K5NDV me@williamtpeebles.com"
];