add some secrets for use in algiz

add a secret
try first secret
2024-12-21 21:50:43 -06:00 · 2024-11-28 19:19:04 -06:00 · 2024-11-28 19:10:22 -06:00 · 2024-11-28 18:44:56 -06:00 · 2024-11-28 17:50:40 -06:00
10 changed files with 160 additions and 40 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,19 @@
 # This document uses YAML anchors which allows reuse of multiple keys
 # without having to repeat yourself.
 # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
 # for a more complex example.
 keys:
  - &admin_daylin age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3
  - &host_othalan age1t4k04mjltmmhljnwugm6y4dejtu72vv4fd4anxxfsdpkapfnfauqe765gy
 creation_rules:
  - path_regex: hosts/(.*)/[^/]+\.(yaml|json|env|ini)$
  # - path_regex: hosts/algiz/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
      - *admin_daylin
  - path_regex: hosts/othalan/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
      - *admin_daylin
      - *host_othalan
--- a/flake.lock
+++ b/flake.lock
@ -915,11 +915,32 @@
        "nixpkgs": "nixpkgs_4",
        "nixpkgs-wayland": "nixpkgs-wayland",
        "pixi": "pixi",
        "sops-nix": "sops-nix",
        "stable": "stable",
        "tsm": "tsm",
        "utils": "utils"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1732575825,
        "narHash": "sha256-xtt95+c7OUMoqZf4OvA/7AemiH3aVuWHQbErYQoPwFk=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "3433ea14fbd9e6671d0ff0dd45ed15ee4c156ffa",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "stable": {
      "locked": {
        "lastModified": 1732632634,
--- a/flake.nix
+++ b/flake.nix
@ -16,6 +16,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lix = {
      url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
      flake = false;
--- a/hosts/algiz/default.nix
+++ b/hosts/algiz/default.nix
@ -1,4 +1,5 @@
 {
  config,
  enabled,
  enableAttrs,
  listify,
@ -15,7 +16,8 @@
    user = "root";
    rcloneConfigFile = "/home/daylin/.config/rclone/rclone.conf";
    repository = "rclone:g:archives/algiz";
-    passwordFile = "/home/daylin/.config/restic/algiz-pass";
+    # passwordFile = "/home/daylin/.config/restic/algiz-pass";
    passwordFile = config.sops.secrets.restic-algiz.path;
    paths = [
      "/home/daylin/services/git/"
      "/home/daylin/services/gotosocial/"
@ -26,4 +28,11 @@
  # git user handles the forgjo ssh authentication
  users.users.git.isNormalUser = true;
  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    defaultSopsFile = ./secrets.yaml;
    # by default is accessible only by root:root which should work with above service
    secrets.restic-algiz = { };
  };
 }
--- a/hosts/algiz/secrets.yaml
+++ b/hosts/algiz/secrets.yaml
@ -0,0 +1,21 @@
 restic-algiz: ENC[AES256_GCM,data:r7z1s5pSEIlg2laRmY4D,iv:nfajL8J2A8G80NqMBw/t1tFXCsK9JbTzUgFTisf5JLk=,tag:LWOT9vVzuinXD+AYwk35jA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZUJhVVV1SFBEV1BNRS9D
            TlhhMW1RbGtaam1FYnppcURlU0VVekRNTUNvCk50aW4yaWJpVTZPK3dPMWI3UjBY
            L3k5c1lnejl5M1FxZC9TQU8yWVNZRlkKLS0tIEZHRXNLZG1McFFOeVpWUWtHYUl3
            YWlZMzI4eUoxMW5SanJxSzVpRmJnQlUKPiZnIuBQ5E0A5yorjmoI2pehpMDQ7TNs
            3IvyW+HUOnM/gCJqKBzR/Iqlk74mRKoDb5GuOiUpy7yN/1vrMdHQmw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-29T01:19:00Z"
    mac: ENC[AES256_GCM,data:J8jbVgwtqck2Sis03re93cVyFw1tMrPc+nnWmlDGoLWh6Jrxq8n+Eac7nsIxU/pZVnY+1x68lAz/2+YHPe8zxChz3f6O2ebscQaAo9M7gG76W2Rt6pDtrKXL7U2pDbjx0p5RwZQM/1tdeRbuUvJk/PYPJONiPVgi/bL6chd2Tew=,iv:brwJE8CZY0K6iRqB9ZUG1AwPfkISoSax692NZoyaNVQ=,tag:7/7V/jw/cgsCSJryrRMJMA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/hosts/othalan/default.nix
+++ b/hosts/othalan/default.nix
@ -2,6 +2,7 @@
  enabled,
  enableAttrs,
  listify,
  config,
  ...
 }:
 {
@ -25,4 +26,16 @@
      |> listify
      |> enableAttrs
    );
  sops.defaultSopsFile = ./secrets.yaml;
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.secrets.restic-othalan = {
    # Permission modes are in octal representation (same as chmod),
    mode = "0440";
    # It is recommended to get the group/name name from
    # `config.users.users.<?name>.{name,group}` to avoid misconfiguration
    owner = config.users.users.daylin.name;
    group = config.users.users.daylin.group;
  };
 }
--- a/hosts/othalan/pkgs.nix
+++ b/hosts/othalan/pkgs.nix
@ -7,7 +7,7 @@
    ]
    ++ (with pkgs; [
-
+      sops
      distrobox
      zk
      quarto
--- a/hosts/othalan/secrets.yaml
+++ b/hosts/othalan/secrets.yaml
@ -0,0 +1,30 @@
 restic-othalan: ENC[AES256_GCM,data:HNIya1Rp,iv:8QkDewpXoy+3ahuuaCN/HfbGOgfQQ0Ud5emD7zVPE2s=,tag:bDfumEnt20lun5hnLY+eVA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCK3pzZ3hXdG40L1JyK281
            NDJ4WWEyWFBPeERabXpSUXYzOWMxdWJlMGdFCmQydi8rbVZCUFBzM0NUbWJlZzZ3
            anV6a2FCL1BRTWg2V1RBZFJXUUNRUEkKLS0tIHIwTzl5NEdoTWRaUm9LR3I1MFph
            TFJjQndHQUJZdEZsSElmY0xDMTMvc2MKCO9BP1jccmFXqLjJQyk5a1/QC69/WPaV
            xl8U7gFoiOf6ZIESk/fADVtnG+thEYF1vwEMI8ClUfs+8kWgwBqoGw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1t4k04mjltmmhljnwugm6y4dejtu72vv4fd4anxxfsdpkapfnfauqe765gy
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWnBYVFRKMVJPVEQ1VlAy
            Y000L1lHM2JyN0oyeTFROXh6OTVlTkc5RlVBCkdqU20yeGtVcWo3cmRoQmFKVG91
            d3RQazc1UTJBdWQwUEdzNkNPYXZ3SmsKLS0tIHdzd0Q0a1pPeEJqS1Rrckt6aUdt
            UmE2Mk4yV21TNTF2NjBqZ0txYThRRzAKgyWCwmF4mhX8lmfslmBf2UrcFqzT8m11
            AqhJsG2LRU/9/6FXOYn2rYeCIDpTkPoQ4ez7F4m/zp+RvOc2eW3g2g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-29T00:41:44Z"
    mac: ENC[AES256_GCM,data:4+H5OmCCTrMrkz9sLHcdwu8EFc+iS3MUTfhLgH6crfE0QSmV87b4JKQTVtdoYnzB8f2hRS/DeAImaLs68NQ/c7raLKwKmX1Bx2htV92MEOhoEjnZ6IbpCzY9FhrtRFjjBrg/nAuMpK0ktYW3w9C/v/jq/YEnP+pabkPhsUav8GU=,iv:LtBd2nj21ZCOXmvfbCIz/lvYC4neRk7ZTnY/rbJnATU=,tag:o9K/TxIp/NLmcvpXHYPHoQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/hosts/othalan/services.nix
+++ b/hosts/othalan/services.nix
@ -1,35 +1,39 @@
-{ pkgs, ... }:
+{
-let
+  config,
-  notes-git = ''${pkgs.git}/bin/git -C /home/daylin/stuff/notes'';
+#  pkgs,
-in
+  ...
 }:
 # let
 #   notes-git = ''${pkgs.git}/bin/git -C /home/daylin/stuff/notes'';
 # in
 {
  services.restic.backups.gdrive = {
    user = "daylin";
    repository = "rclone:g:archives/othalan";
-    passwordFile = "/home/daylin/.config/restic/othalan-pass";
+    passwordFile = config.sops.secrets.restic-othalan.path;
    paths = [
      "/home/daylin/stuff/"
      "/home/daylin/dev/"
    ];
  };
-  systemd.services.notes-bot = {
+  # systemd.services.notes-bot = {
-    description = "auto commit changes to notes";
+  #   description = "auto commit changes to notes";
-    serviceConfig = {
+  #   serviceConfig = {
-      Type = "oneshot";
+  #     Type = "oneshot";
-      User = "daylin";
+  #     User = "daylin";
-      ExecStart = ''
+  #     ExecStart = ''
-        ${pkgs.bash}/bin/bash -c '${notes-git} commit -m ":memo: :robot: $(${pkgs.coreutils}/bin/date +\'%%T\')" --no-gpg-sign -- notes'
+  #       ${pkgs.bash}/bin/bash -c '${notes-git} commit -m ":memo: :robot: $(${pkgs.coreutils}/bin/date +\'%%T\')" --no-gpg-sign -- notes'
-      '';
+  #     '';
-    };
+  #   };
-  };
+  # };
-  systemd.timers.notes-bot-timer = {
+  # systemd.timers.notes-bot-timer = {
-    description = "run notes commit service";
+  #   description = "run notes commit service";
-    wantedBy = [ "timers.target" ];
+  #   wantedBy = [ "timers.target" ];
-    timerConfig = {
+  #   timerConfig = {
-      OnCalendar = "daily";
+  #     OnCalendar = "daily";
-      Persistent = true;
+  #     Persistent = true;
-      Unit = "notes-bot.service";
+  #     Unit = "notes-bot.service";
-    };
+  #   };
-  };
+  # };
 }
--- a/lib/generators.nix
+++ b/lib/generators.nix
@ -17,13 +17,15 @@ let
    listify
    ;
  inherit (lib.filesystem) listFilesRecursive;
  flake = flakeFromSystem "x86_64-linux";
  hostPath = host: ../. + "/hosts/${host}";
  # all nix files not including pkgs.nix
  # hostFiles = host: filter isNixFile (listFilesRecursive (hostPath host));
  hostFiles = host: host |> hostPath |> listFilesRecursive |> filter isNixFile;
  nixosModules = names: names |> listify |> map (n: inputs.${n}.nixosModules.default);
  selfModules = names: names |> listify |> map (n: self.nixosModules.${n});
  commonSpecialArgs = {
    inherit
      self
@ -35,12 +37,7 @@ let
  mkIso = nixosSystem {
    system = "x86_64-linux";
-    modules = [
+    modules = (nixosModules "lix-module") ++ (selfModules "nix|essentials|iso");
      inputs.lix-module.nixosModules.default
      self.nixosModules.nix
      self.nixosModules.essentials
      self.nixosModules.iso
    ];
    specialArgs = commonSpecialArgs;
  };
@ -48,12 +45,13 @@ let
    hostName:
    nixosSystem {
      system = "x86_64-linux";
-      modules = [
+      modules =
-        ../modules/oizys.nix
+        [
-        inputs.lix-module.nixosModules.default
+          inputs.comin.nixosModules.comin
-        inputs.hyprland.nixosModules.default
+        ]
-        inputs.comin.nixosModules.comin
+        ++ (selfModules ''oizys'')
-      ] ++ (hostFiles hostName);
+        ++ (nixosModules ''lix-module|hyprland|sops-nix'')
        ++ (hostFiles hostName);
      specialArgs = commonSpecialArgs // {
        inherit
Author	SHA1	Message	Date
Daylin Morgan	7b9f59a5bb	add some secrets for use in algiz	2024-11-28 19:19:04 -06:00
Daylin Morgan	0447eb645a	add a secret	2024-11-28 19:10:22 -06:00
Daylin Morgan	f29fcf634b	try first secret	2024-11-28 18:44:56 -06:00
Daylin Morgan	dba19e95f0	add sops + sops-nix	2024-11-28 17:50:40 -06:00