✨ Finish sops-nix configuration, update README and more

2025-09-10 12:50:05 +00:00 · 2025-05-22 02:08:17 +02:00 · 2025-05-22 02:08:17 +02:00 · d7a1a9ffbd
commit d7a1a9ffbd
parent 6dc0e02a92
12 changed files with 111 additions and 17 deletions
--- a/systems/x86_64-nixos/puzzlevision/default.nix
+++ b/systems/x86_64-nixos/puzzlevision/default.nix
@ -1,12 +1,27 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  config,
+  ...
+}: {
  imports = [
    ./hardware.nix
  ];

+  # Todo: automate this globally for all workstation and server archetypes!
+  # Configure Sops
+  sops.defaultSopsFile = ./secrets/users.yaml;
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+
+  # Todo: automate this import in users module!
+  # Require user password secrets for users
+  sops.secrets."users/jo/password_hash" = {
+    neededForUsers = true;
+  };
+
  puzzlevision = {
    users.jo = {
      enable = true;
-      password = "jo"; # For testing only, replace with sops secret before production use
+      hashedPasswordFile = config.sops.secrets."users/jo/password_hash".path; # For testing only, replace with sops secret before production use
      extraGroups = ["wheel"];
    };

--- a/systems/x86_64-nixos/puzzlevision/secrets/users.yaml
+++ b/systems/x86_64-nixos/puzzlevision/secrets/users.yaml
@ -0,0 +1,27 @@
+users:
+    jo:
+        password_hash: ENC[AES256_GCM,data:uL+bcgY09s6X1QGgRF9QjCYzba/vPp2mUmEtMWnOID8lmn7rBrYB5pQ1HL/vXtUQUnrnxoXiy5l4nRlT7vxbmIMOgzSiu6fQvQ==,iv:v5ags2roqXyMEQiYdryt+G8/yp1NFT4zlS07BBErGlY=,tag:AedjvcTidDT2EzFipBkxqw==,type:str]
+sops:
+    age:
+        - recipient: age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSEdxL2pyZHRiVlFqOE1i
+            MWpScjRSdEJJZjRmQ0dsRTBYSlFsSncyd1FnCjNDWEI1cHNuVGd4dEJDMXF2NnlI
+            SFA3NFU3SkpGLzZMNjZtc1JHajhEeXMKLS0tIGhaSDVqSGxaZEwrdFZ6ZDF6a0cw
+            ZmluTzlkNGFSTmZLNlVYdFBOWTQ2cDgKJL4o95JLEKFI3FUQ2+g4N0GWGohRtmW7
+            fn7zxQhRFf8U9yE4gI3OBTEweoyJQh+m/JH6XCg7H5jrJjze5miSUQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ajkq0lalyc75tjhdtpx2yshw5y3wt85fwjy24luf69rvpavg33vqw6c3tc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdkFCaFZkZjJuc0dHdE03
+            Z2N5ZnZrMnFIQ0R5U2NqMjFoWWZSNUl5Mm1FCmxIMDFNSGtOamhtZDJjdi82Ty9h
+            VU0xN1pza2VpSDA1N01oN3FTUHNxcGcKLS0tIFZhVWFuQ1VXS2dyUEF6NHliNW9I
+            N21SUVFML3Z3Y3FMV3RiV2pGOUJMd00KyoA9/4gSxQTIInRsiF0gdOqYHoI8s2cG
+            DozFpSRzkrev6sSxEDJC8N/BmpVm2v8Wzpg572i1trEBQIjZMqqhJA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-21T23:53:55Z"
+    mac: ENC[AES256_GCM,data:cFcxewPQLyf6w6UlJrPqeZBqIO745gBUaeYbpe4OW+ZnhH54/fsneotceVMT2svUUzwzZbwuwe+wzg6UIR+hEve5XBjxMohKDJqt37R/Q2LkGiabYfxbF0sc8Tdt1W4tYTk1BjkhK0oBIZxmgZCej9kD4iVZH5G2Ku1nOfaiZpo=,iv:x4sG46l7msbt5mhn4O4yv3k+LhBbKqC0nBpsq+MF844=,tag:C8xxYVSKND4DTD3u3Ln27A==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2