From d7a1a9ffbd41fee1973944cdc8a1b968d377c81b Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 22 May 2025 02:08:17 +0200 Subject: [PATCH 1/3] =?UTF-8?q?=E2=9C=A8=20Finish=20sops-nix=20configurati?= =?UTF-8?q?on,=20update=20README=20and=20more?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .sops.yaml | 17 +++++++++--- README.md | 10 +++++++ homes/x86_64-linux/jo/default.nix | 12 ++++++++- homes/x86_64-linux/jo/secrets/wakatime.cfg | 19 +++++++++++++ modules/flake/default.nix | 6 ++--- modules/home/app/zed/default.nix | 7 ----- modules/home/security/sops/default.nix | 2 +- .../nixos/archetypes/workstation/default.nix | 5 ++++ modules/nixos/system/nix/default.nix | 2 ++ modules/nixos/users/default.nix | 2 ++ systems/x86_64-nixos/puzzlevision/default.nix | 19 +++++++++++-- .../puzzlevision/secrets/users.yaml | 27 +++++++++++++++++++ 12 files changed, 111 insertions(+), 17 deletions(-) create mode 100644 homes/x86_64-linux/jo/secrets/wakatime.cfg create mode 100644 systems/x86_64-nixos/puzzlevision/secrets/users.yaml diff --git a/.sops.yaml b/.sops.yaml index 44cfe5f..8995ac5 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -2,19 +2,30 @@ keys: - &jo age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d - &absolutesolver age1ajkq0lalyc75tjhdtpx2yshw5y3wt85fwjy24luf69rvpavg33vqw6c3tc creation_rules: - - path_regex: secrets/[^/]+\.(yaml|json|env|ini|cfg)$ + - path_regex: secrets/[^/]+\.(yaml|json|env|cfg)$ key_groups: - age: - *jo - *absolutesolver - - path_regex: systems/[^/]+/absolutesolver/secrets/.*\.(yaml|env|json|ini|cfg)$ + - path_regex: systems/[^/]+/absolutesolver/secrets/.*\.(yaml|env|json|cfg)$ key_groups: - age: - *jo - *absolutesolver - - path_regex: systems/[^/]+/puzzlevision/secrets/.*\.(yaml|env|json|ini|cfg)$ + - path_regex: systems/[^/]+/puzzlevision/secrets/.*\.(yaml|env|json|cfg)$ key_groups: - age: - *jo + + - path_regex: homes/[^/]+/jo/secrets/.*\.(yaml|env|json|cfg)$ + key_groups: + - age: + - *jo + + - path_regex: homes/[^/]+/cyn/secrets/.*\.(yaml|env|json|cfg)$ + key_groups: + - age: + - *jo + - *absolutesolver diff --git a/README.md b/README.md index 00e635a..90e679b 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,16 @@ Additionally, the following command may be used to create a new sops secret file nix-shell -p sops --run "sops secrets/example.yaml" ``` +You may also encrypt arbitrary binary formats, like .cfg, using the following command: + +> [!IMPORTANT] +> The original file location also HAS to match one of the sops creation rules, not just the output. +> Yes, I know this is stupid, and yes, I've wasted way too much time dealing with this :3 + +```sh +nix-shell -p sops --run "sops -e original_file.cfg > secrets/encrypted_file.cfg" +``` + Lastly, when adding new systems, make sure to update any required secret files with the following command: ```sh diff --git a/homes/x86_64-linux/jo/default.nix b/homes/x86_64-linux/jo/default.nix index fa5d00e..677b278 100644 --- a/homes/x86_64-linux/jo/default.nix +++ b/homes/x86_64-linux/jo/default.nix 
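Review bot: The first creation rule, `path_regex: secrets/[^/]+\.(yaml|json|env|cfg)$`, is not anchored and sops uses the first matching rule, so it also matches `systems/x86_64-nixos/puzzlevision/secrets/users.yaml` and `homes/x86_64-linux/jo/secrets/wakatime.cfg`, and the narrower jo-only rules added below it are never reached. The two encrypted files in this patch confirm it: both list recipients for `jo` and `absolutesolver`, so the absolutesolver key can decrypt puzzlevision's user password hash and jo's WakaTime config despite the rules saying otherwise. Anchor the catch-all, `path_regex: ^secrets/[^/]+\.(yaml|json|env|cfg)$`, or move it to the end of `creation_rules`, then re-encrypt the affected files (the README's `updatekeys` step) so the extra recipient is actually removed. Presumably the host- and home-specific rules should be anchored with `^systems/` and `^homes/` as well; I cannot tell from this hunk whether substring matching is intended there.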
@@ -1,8 +1,18 @@ -{pkgs, ...}: { +{ + pkgs, + config, + ... +}: { puzzlevision = { themes.catppuccin.enable = true; }; + sops.secrets.wakatime-cfg = { + format = "binary"; + sopsFile = ./secrets/wakatime.cfg; + path = "${config.home.homeDirectory}/.wakatime.cfg"; + }; + home.packages = with pkgs; [ ## GENERAL youtube-music diff --git a/homes/x86_64-linux/jo/secrets/wakatime.cfg b/homes/x86_64-linux/jo/secrets/wakatime.cfg new file mode 100644 index 0000000..bf69df7 --- /dev/null +++ b/homes/x86_64-linux/jo/secrets/wakatime.cfg 
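Review bot: The new `sops.secrets.wakatime-cfg` block carries no comment saying what the secret holds or how it reaches `$HOME/.wakatime.cfg`; because `path` points outside the sops-nix secrets directory, a reader has to consult sops-nix to learn whether that is a symlink into the runtime secrets directory or a persistent plaintext copy (I believe it is a symlink when `path` is set — worth confirming). I would add `# WakaTime API config; sops-nix links the decrypted file into $HOME, recipients are decided by .sops.yaml` above `sops.secrets.wakatime-cfg = {`. Note that the committed `secrets/wakatime.cfg` in this patch lists both the jo and absolutesolver age recipients, which does not match the jo-only rule for `homes/*/jo/secrets/`; check which keys are meant to be able to read it.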
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:NaNu0ytz8Ji7WJ4gDinY2Tsny+MzgG9vV/7xnZY/dQzB0jMHBxIRAcrzH1A+aqsANeeZPD0XGXC2qIpYUlMKBcfMxkqmlj7XnpvDiXQ9RciCNp8l1xs0wvoxjYghbD8nsL57UQ==,iv:qa1SPnWCShIiz7l4EW6tCT2gJO0qNNcDk05F5hS8H7U=,tag:zArwz8R3/uegsO1ShLjfwg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJS0EySk4wMGVzaUtOZWlN\nUE15SXNVOUtqUDQxV29tNGpBRkdLek5icWg0Cnd5b1FmT3VQTTBDdEtCYzQxNVdk\nWVpQMFpmTXpOcFFlMG5MQjFLTXZRUGsKLS0tIHBvakR1Q0dYdkRqVTJtLzRORzBP\nNU55UEtWUXhBdGN0M0lMQktaVmhSK00KA93LFut6jiYtlndm9Oq0ferFPT4IlBQ1\nDmnD4hWz7NLimWED7RiJ2lSO9IRgQBhLHeiLums/ZPxjFGnnO6sicg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ajkq0lalyc75tjhdtpx2yshw5y3wt85fwjy24luf69rvpavg33vqw6c3tc", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTHh4eExqN1lmUWhOd0tF\ndzVUYXpWblVlem5QcndUQVRRSnZsS0dNK3lVCnpJQUVyRDRiNTFyb3RnSFZnQW9D\nV2sxRlZDcE1yQjI5Yzk3Tmh2ZkdxZ00KLS0tIGlKYUVnZXZtYTJPNEhEVEVhVlI4\na1hGbjJ3VDE0WDZKd0FGYUZzZUp5SEkKp043TYYglP+SWD7IdK/rnSJ4jfqvpGSY\njIDWMZmFTIcPoeVSQrxi7PD9Cd4Q56lhPhCYZR4czk5EdeIEWS9Z6w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-21T22:54:54Z", + "mac": "ENC[AES256_GCM,data:vYmgUvgyQ1i+gih/6YMWX1vqkWzcAn8zgNspICF6KxTYE08i61LGJSaM2R5rh2r/xWY9zKYv8EKH2GSVyJ+hGgSsS0qY8BOKetKMHZEWuWtWSbjO/iKPlmqZXxmPPiPlYUXjlfXB1rzi7RXwDzwVpD1nQTuiK8t2rYJjGgH0kRM=,iv:EEepXDQ/1zy1sO8eXl5LXTHI5OUPFca6WwuYTkHuyEs=,tag:MHA262l7qa8Ngy0tuggPpw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/modules/flake/default.nix b/modules/flake/default.nix index 33820cf..1edda45 100644 --- a/modules/flake/default.nix +++ b/modules/flake/default.nix 
@@ -1,11 +1,11 @@ { imports = [ - # Exposes nixosModules and homeModules on flake outputs. - ./modules.nix - # Automagically imports libs from "/lib/lib-name" and exposes them to the `flake.lib` output. ./lib.nix + # Exposes nixosModules and homeModules on flake outputs. + ./modules.nix + # Automagically imports systems from "/systems/arch-classname/system-name". ./systems.nix ]; diff --git a/modules/home/app/zed/default.nix b/modules/home/app/zed/default.nix index e930080..df8f0fd 100644 --- a/modules/home/app/zed/default.nix +++ b/modules/home/app/zed/default.nix @@ -3,7 +3,6 @@ pkgs, self, config, - osConfig, ... }: let inherit (lib) mkEnableOption mkIf; @@ -16,12 +15,6 @@ in { }; config = mkIf cfg.enable { - sops.secrets.wakatime-cfg = { - format = "binary"; - sopsFile = "${self.outPath}/x86_64-nixos/${osConfig.networking.hostname}/secrets/wakatime.cfg"; - path = "/home/${config.home.homeDirectory}/.wakatime.cfg"; - }; - home.packages = with pkgs; [ alejandra ]; diff --git a/modules/home/security/sops/default.nix b/modules/home/security/sops/default.nix index eb9d437..e5a1245 100644 --- a/modules/home/security/sops/default.nix +++ b/modules/home/security/sops/default.nix @@ -1,5 +1,5 @@ {config, ...}: { sops = { - age.keyFile = "/home/${config.home.username}/.sops-nix/key.txt"; + age.keyFile = "/home/${config.home.username}/sops-nix/key.txt"; }; } diff --git a/modules/nixos/archetypes/workstation/default.nix b/modules/nixos/archetypes/workstation/default.nix index 914b59a..e2556b3 100644 --- a/modules/nixos/archetypes/workstation/default.nix +++ b/modules/nixos/archetypes/workstation/default.nix @@ -14,6 +14,11 @@ in { }; config = mkIf cfg.enable { + environment.sessionVariables = { + MOZ_ENABLE_WAYLAND = "1"; # Firefox native Wayland support + NIXOS_OZONE_WL = "1"; # Native Wayland in Chromium and Electron based applications + }; + ${namespace} = { # Basic system functionality system = { 
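Review bot: `age.keyFile = "/home/${config.home.username}/sops-nix/key.txt"` hard-codes the `/home/` prefix while the jo home config in this same patch derives paths from `config.home.homeDirectory`; `age.keyFile = "${config.home.homeDirectory}/sops-nix/key.txt";` keeps the two consistent and survives a non-standard home directory. The rename from `.sops-nix` to `sops-nix` also moves the age private key into a visible top-level directory of the home; that is not a security change by itself, but the file needs to stay mode 0600 and be excluded from any dotfile sync or backup that covers the home, which this hunk cannot show. A one-line comment, `# age private key for home-manager sops-nix; never commit, sync or back up this file`, would make the expectation explicit.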
diff --git a/modules/nixos/system/nix/default.nix b/modules/nixos/system/nix/default.nix index a58b09c..f11ff4b 100644 --- a/modules/nixos/system/nix/default.nix +++ b/modules/nixos/system/nix/default.nix @@ -38,6 +38,8 @@ in { package = mkIf cfg.use-lix pkgs.lix; # Enable LIX }; + nixpkgs.config.allowUnfree = true; + # Dynamic libraries for unpackaged programs programs.nix-ld = mkIf cfg.use-nixld { enable = true; diff --git a/modules/nixos/users/default.nix b/modules/nixos/users/default.nix index 8ca18d4..2fdee80 100644 --- a/modules/nixos/users/default.nix +++ b/modules/nixos/users/default.nix @@ -21,6 +21,7 @@ isSystemUser = self.lib.mkBool false "Whether this user is considered a system user."; initialPassword = self.lib.mkOpt (types.nullOr types.str) null "Plaintext insecure initial user password, only recommended for testing."; password = self.lib.mkOpt (types.nullOr types.str) null "Plaintext insecure user password, only recommended for testing."; + hashedPasswordFile = self.lib.mkOpt (types.nullOr types.str) null "Secure, hashed user password stored in a separate file, recommended for production."; extraGroups = self.lib.mkOpt (types.listOf types.str) [] "List of additional groups this user belongs to."; }; }; @@ -48,6 +49,7 @@ in { users.users = lib.mapAttrs (username: userConfig: mkIf userConfig.enable { name = username; + hashedPasswordFile = userConfig.hashedPasswordFile; inherit (userConfig) isNormalUser isSystemUser initialPassword password extraGroups; }) cfg; diff --git a/systems/x86_64-nixos/puzzlevision/default.nix b/systems/x86_64-nixos/puzzlevision/default.nix index a2a5752..c3a6f16 100644 --- a/systems/x86_64-nixos/puzzlevision/default.nix +++ b/systems/x86_64-nixos/puzzlevision/default.nix 
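Review bot: `nixpkgs.config.allowUnfree = true;` is added unconditionally in the middle of the nix settings module, while its neighbours `package = mkIf cfg.use-lix ...` and `programs.nix-ld = mkIf cfg.use-nixld ...` are guarded by options, so every host importing this module now accepts unfree packages whether or not it needs them. If a global policy is intended, say so with `# Policy: unfree packages are allowed on every host; narrow with allowUnfreePredicate if a host needs a whitelist`, or give it an option next to `use-lix`/`use-nixld` so it is deliberate rather than incidental. The enclosing `config` block starts and ends outside the hunk.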
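Review bot: Nothing in the module stops `password`, `initialPassword` and the new `hashedPasswordFile` from being set together, and the puzzlevision host in this series keeps a `password` line next to `hashedPasswordFile` (commented out by the last patch); which one NixOS honours is then decided by nixpkgs' precedence rules, which I would not rely on silently. I would add an assertion so a leftover plaintext password fails evaluation instead of being ignored or, worse, winning. The option description should also state that the file must not live in the Nix store (a store path makes the hash world-readable) and that with sops-nix it needs `neededForUsers = true` so it exists before user creation, as the puzzlevision host config in this patch does. The enclosing `config` block begins and ends outside the hunk.

```nix
# … unchanged: users.users = lib.mapAttrs (…) cfg; …
assertions = lib.mapAttrsToList (username: userConfig: {
  assertion = !userConfig.enable
    || lib.count (p: p != null) [userConfig.password userConfig.initialPassword userConfig.hashedPasswordFile] <= 1;
  message = "puzzlevision.users.${username}: set at most one of password, initialPassword and hashedPasswordFile";
}) cfg;
```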
@@ -1,12 +1,27 @@ -{pkgs, ...}: { +{ + pkgs, + config, + ... +}: { imports = [ ./hardware.nix ]; + # Todo: automate this globally for all workstation and server archetypes! + # Configure Sops + sops.defaultSopsFile = ./secrets/users.yaml; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + + # Todo: automate this import in users module! + # Require user password secrets for users + sops.secrets."users/jo/password_hash" = { + neededForUsers = true; + }; + puzzlevision = { users.jo = { enable = true; - password = "jo"; # For testing only, replace with sops secret before production use + hashedPasswordFile = config.sops.secrets."users/jo/password_hash".path; # For testing only, replace with sops secret before production use extraGroups = ["wheel"]; }; diff --git a/systems/x86_64-nixos/puzzlevision/secrets/users.yaml b/systems/x86_64-nixos/puzzlevision/secrets/users.yaml new file mode 100644 index 0000000..ff3afc9 --- /dev/null +++ b/systems/x86_64-nixos/puzzlevision/secrets/users.yaml 
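Review bot: The comment on `hashedPasswordFile = config.sops.secrets."users/jo/password_hash".path;` still reads "For testing only, replace with sops secret before production use", but that line is the sops secret; the stale note will make the next reader think the host is still in a test state. Replace it with `# Hash supplied by sops-nix before user creation (neededForUsers above)`. Separately, `neededForUsers = true` means the secret is decrypted during early activation, so `/var/lib/sops-nix/key.txt` has to be readable at that point; on a host with an ephemeral or separately mounted `/var` that silently breaks (I am inferring the boot-order requirement from `neededForUsers`; confirm against sops-nix). A comment on `sops.age.keyFile` saying the key must live on a filesystem mounted at boot would capture the constraint.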
@@ -0,0 +1,27 @@ +users: + jo: + password_hash: ENC[AES256_GCM,data:uL+bcgY09s6X1QGgRF9QjCYzba/vPp2mUmEtMWnOID8lmn7rBrYB5pQ1HL/vXtUQUnrnxoXiy5l4nRlT7vxbmIMOgzSiu6fQvQ==,iv:v5ags2roqXyMEQiYdryt+G8/yp1NFT4zlS07BBErGlY=,tag:AedjvcTidDT2EzFipBkxqw==,type:str] +sops: + age: + - recipient: age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSEdxL2pyZHRiVlFqOE1i + MWpScjRSdEJJZjRmQ0dsRTBYSlFsSncyd1FnCjNDWEI1cHNuVGd4dEJDMXF2NnlI + SFA3NFU3SkpGLzZMNjZtc1JHajhEeXMKLS0tIGhaSDVqSGxaZEwrdFZ6ZDF6a0cw + ZmluTzlkNGFSTmZLNlVYdFBOWTQ2cDgKJL4o95JLEKFI3FUQ2+g4N0GWGohRtmW7 + fn7zxQhRFf8U9yE4gI3OBTEweoyJQh+m/JH6XCg7H5jrJjze5miSUQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ajkq0lalyc75tjhdtpx2yshw5y3wt85fwjy24luf69rvpavg33vqw6c3tc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdkFCaFZkZjJuc0dHdE03 + Z2N5ZnZrMnFIQ0R5U2NqMjFoWWZSNUl5Mm1FCmxIMDFNSGtOamhtZDJjdi82Ty9h + VU0xN1pza2VpSDA1N01oN3FTUHNxcGcKLS0tIFZhVWFuQ1VXS2dyUEF6NHliNW9I + N21SUVFML3Z3Y3FMV3RiV2pGOUJMd00KyoA9/4gSxQTIInRsiF0gdOqYHoI8s2cG + DozFpSRzkrev6sSxEDJC8N/BmpVm2v8Wzpg572i1trEBQIjZMqqhJA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-05-21T23:53:55Z" + mac: ENC[AES256_GCM,data:cFcxewPQLyf6w6UlJrPqeZBqIO745gBUaeYbpe4OW+ZnhH54/fsneotceVMT2svUUzwzZbwuwe+wzg6UIR+hEve5XBjxMohKDJqt37R/Q2LkGiabYfxbF0sc8Tdt1W4tYTk1BjkhK0oBIZxmgZCej9kD4iVZH5G2Ku1nOfaiZpo=,iv:x4sG46l7msbt5mhn4O4yv3k+LhBbKqC0nBpsq+MF844=,tag:C8xxYVSKND4DTD3u3Ln27A==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 From 65f710a1793345b0c48b9058f6dad74817562548 Mon Sep 17 00:00:00 2001 
From: Jo Date: Thu, 22 May 2025 02:09:21 +0200 Subject: [PATCH 2/3] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Move=20hashedPasswordF?= =?UTF-8?q?ile=20into=20inherit=20section?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/nixos/users/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/nixos/users/default.nix b/modules/nixos/users/default.nix index 2fdee80..9f900e7 100644 --- a/modules/nixos/users/default.nix +++ b/modules/nixos/users/default.nix @@ -49,8 +49,7 @@ in { users.users = lib.mapAttrs (username: userConfig: mkIf userConfig.enable { name = username; - hashedPasswordFile = userConfig.hashedPasswordFile; - inherit (userConfig) isNormalUser isSystemUser initialPassword password extraGroups; + inherit (userConfig) isNormalUser isSystemUser initialPassword hashedPasswordFile password extraGroups; }) cfg; From 87c59890d5a12af923e7183b571489881d529439 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 22 May 2025 02:26:58 +0200 Subject: [PATCH 3/3] =?UTF-8?q?=E2=9C=A8=20Update=20password=20hash=20and?= =?UTF-8?q?=20shorten=20code=20slightly?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- systems/x86_64-nixos/puzzlevision/default.nix | 5 ++--- systems/x86_64-nixos/puzzlevision/secrets/users.yaml | 6 +++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/systems/x86_64-nixos/puzzlevision/default.nix b/systems/x86_64-nixos/puzzlevision/default.nix index c3a6f16..fcad685 100644 --- a/systems/x86_64-nixos/puzzlevision/default.nix +++ b/systems/x86_64-nixos/puzzlevision/default.nix 
@@ -14,13 +14,12 @@ # Todo: automate this import in users module! # Require user password secrets for users - sops.secrets."users/jo/password_hash" = { - neededForUsers = true; - }; + sops.secrets."users/jo/password_hash".neededForUsers = true; puzzlevision = { users.jo = { enable = true; + #password = "4868320069443"; hashedPasswordFile = config.sops.secrets."users/jo/password_hash".path; # For testing only, replace with sops secret before production use extraGroups = ["wheel"]; }; diff --git a/systems/x86_64-nixos/puzzlevision/secrets/users.yaml b/systems/x86_64-nixos/puzzlevision/secrets/users.yaml index ff3afc9..e9a529b 100644 --- a/systems/x86_64-nixos/puzzlevision/secrets/users.yaml +++ b/systems/x86_64-nixos/puzzlevision/secrets/users.yaml @@ -1,6 +1,6 @@ users: jo: - password_hash: ENC[AES256_GCM,data:uL+bcgY09s6X1QGgRF9QjCYzba/vPp2mUmEtMWnOID8lmn7rBrYB5pQ1HL/vXtUQUnrnxoXiy5l4nRlT7vxbmIMOgzSiu6fQvQ==,iv:v5ags2roqXyMEQiYdryt+G8/yp1NFT4zlS07BBErGlY=,tag:AedjvcTidDT2EzFipBkxqw==,type:str] + password_hash: ENC[AES256_GCM,data:fdHmZC03D7X5Z8/ghp/lAv61+TSTr8i3gpBuwZq94JFsJHoaMwTiE2IqHWg/HtcDfynZTsVKbepORXbUPxL02JaRYHJNNkRg8cMIu9ZMs2b2DqypGKq4gKXEUn0QyuN0G3m9Hw2F8B6GRg==,iv:d2ELe9iQR0c9jnoK/nhzXs7p7Kr2kkqQVUXrUlwIQjY=,tag:7DQ/zTbFPr1tsE4k79Fq7w==,type:str] sops: age: - recipient: age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d 
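Review bot: `#password = "4868320069443";` commits a commented-out plaintext password directly beside the sops-backed `hashedPasswordFile`; even disabled, the value now sits in git history next to the encrypted hash, so if it was ever the real password for `jo` it should be rotated (the hash in users.yaml is changed in this same patch, which may or may not mean it already differs), and the line should be deleted rather than left as a comment. The trailing "For testing only, replace with sops secret before production use" on the next line is also stale, since that line already is the sops secret; change it to `# Hash supplied by sops-nix before user creation (neededForUsers above)` or drop it.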
@@ -21,7 +21,7 @@ sops: N21SUVFML3Z3Y3FMV3RiV2pGOUJMd00KyoA9/4gSxQTIInRsiF0gdOqYHoI8s2cG DozFpSRzkrev6sSxEDJC8N/BmpVm2v8Wzpg572i1trEBQIjZMqqhJA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-21T23:53:55Z" - mac: ENC[AES256_GCM,data:cFcxewPQLyf6w6UlJrPqeZBqIO745gBUaeYbpe4OW+ZnhH54/fsneotceVMT2svUUzwzZbwuwe+wzg6UIR+hEve5XBjxMohKDJqt37R/Q2LkGiabYfxbF0sc8Tdt1W4tYTk1BjkhK0oBIZxmgZCej9kD4iVZH5G2Ku1nOfaiZpo=,iv:x4sG46l7msbt5mhn4O4yv3k+LhBbKqC0nBpsq+MF844=,tag:C8xxYVSKND4DTD3u3Ln27A==,type:str] + lastmodified: "2025-05-22T00:25:40Z" + mac: ENC[AES256_GCM,data:5oMgqzkL1+VIAnC28q5CH4Y5Po/B5zg2v3kJAlid71K2CKN2s0xrygTmgHYQ0QlO/BJR5kF1HrBVloAq81jTSDyF7XfrdvBzG4Iqs/kmvMC1ln4khf0ZxaH5Q3caGJSmAH6nXMPOglAwFQEm9BXNuknocuQwUEzB6rijQ3F+yXw=,iv:GGleCn9EX76JcSqzPdZOnDzbfYla1eGQY/srHnZdBVk=,tag:09eZjhMYV0RIUqShsJfN0w==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2