feat: Manage secrets w/ sops-nix

Closes #1
2024-12-28 22:28:56 -07:00
parent fa3bd72816
commit 52dc849c67
10 changed files with 186 additions and 9 deletions
--- a/users/crumb/default.nix
+++ b/users/crumb/default.nix
@@ -4,18 +4,28 @@
    # TODO: Don't hard-code `persist`.  Use
    # config.sydnix.impermanence.persistGroupName.
    extraGroups = [ "wheel" "persist" ];
-    # Change this immediately after installation!
-    initialPassword = "password123";
+    initialHashedPassword =
+      "$y$j9T$aEFDDwdTZbAc6VQRXrkBJ0$K8wxTGTWDihyX1wxJ.ZMH//wmQFfrGGUkLkxIU0Lyq8";
  };

  homeConfiguration = { config, lib, pkgs, ... }: {
    imports = [ ./programs.nix ];
+
+    sydnix = {
+      sops = {
+        enable = true;
+        secrets = {
+          example-user-key = {};
+        };
+      };
+    };
+
    home = {
-      stateVersion = "18.09";
      packages = [
-        pkgs.hello
-        # pkgs.wezterm
      ];
+
+      # Don't touch!
+      stateVersion = "18.09";
    };
  };
 }
--- a/users/crumb/secrets.yaml
+++ b/users/crumb/secrets.yaml
@@ -0,0 +1,21 @@
+example-user-key: ENC[AES256_GCM,data:zefLZFp/MuxwrhbNhiCRWOCG,iv:IFwI3e2+uq1yv+hWQnHcX25XGiHa3AFqeIr5LW+2KFo=,tag:yS6KzPK7robKJsupZW8a2w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1qayk0d0f765v57pedm7mtau6qkmv8rh6jtaqm40g5g9armaty4jqc0v0y2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NE5mTER1OXpadmNzaXV6
+            b3RSbS9yWTN0NWR4Z2xBRnRSanQxYXdRT2drClVrSk1raXE4ZUVIVmxoMzJWU1Rj
+            VmxzdnVSUVEvQk1JcFo4Qjh6YWhiME0KLS0tIHh1OCtzSUZpWWhrbXB4SlA4RVBs
+            VVBqSEM2bVFBU0M5YzZBQWIwUmVXUXMKvWb57Rc+rO5M8Pf7lvbSjuZB4FrHgT3A
+            uBQHH3wpv0BVVzL8tucPnwNxDnwpWvFxxwNVy/rtfs6y6HPu6fuOsA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-29T08:21:03Z"
+    mac: ENC[AES256_GCM,data:08lmfeXvrhipenfCO9AjdahGSvfaUO74EVlbtjhNw+Pjlu3SQNlqTBdzPFwpebCphNnryun/WGgT6fopgyITdkd1V7DGQLV184LRe0lD5qA3DEBm+uEPBqFpXT0AYucylWEam8paZYZ8HjdPL91I1H1MTDqGcO2dYhAh59JWXfE=,iv:fY+FxlfexYkkQsYp/On/QEhiKrZyzJ6mzTaXIxY44u0=,tag:U29ULu1vNi2z/MXMz9PkTg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1