diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..982a625
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &admin_cschmatzler age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek
+ - &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_cschmatzler
+ - *host_tahani
diff --git a/flake.lock b/flake.lock
index 2a396d9..9772856 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,26 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "systems": "systems" - }, - "locked": { - "lastModified": 1754433428, - "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", - "owner": "ryantm", - "repo": "agenix", - "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "brew-src": { "flake": false, "locked": {
@@ -39,28 +18,6 @@ } }, "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, - "darwin_2": { "inputs": { "nixpkgs": [ "nixpkgs" ]
@@ -122,7 +79,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1731533236,
@@ -140,28 +97,7 @@ }, "home-manager": { "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745494811, - "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { - "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1754974548, @@ -273,16 +209,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754028485, - "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", + "lastModified": 1754725699, + "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -303,22 +239,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 1754725699, - "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1755005871, "narHash": "sha256-qqhLstgA5OFjSUkY0DeQJDyU8Yd0b3PAmSbHz9/bE+M=", @@ -334,7 +254,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1754393734, "narHash": "sha256-fbnmAwTQkuXHKBlcL5Nq1sMAzd3GFqCOQgEQw6Hy0Ak=", 
@@ -350,12 +270,28 @@ "type": "github" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1744868846, + "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixvim": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_3", "nuschtosSearch": "nuschtosSearch", - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1754921951, @@ -396,16 +332,51 @@ }, "root": { "inputs": { - "agenix": "agenix", - "darwin": "darwin_2", + "darwin": "darwin", "flake-parts": "flake-parts", - "home-manager": "home-manager_2", + "home-manager": "home-manager", "homebrew-axe": "homebrew-axe", "homebrew-cask": "homebrew-cask", "homebrew-core": "homebrew-core", "nix-homebrew": "nix-homebrew", - "nixpkgs": "nixpkgs_3", - "nixvim": "nixvim" + "nixpkgs": "nixpkgs_2", + "nixvim": "nixvim", + "secrets": "secrets", + "sops-nix": "sops-nix" + } + }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1755022209, + "narHash": "sha256-FZwzbsIz1iNqQjL85VH6rPfQzmWT1Twz21/XOF3as1E=", + "ref": "refs/heads/main", + "rev": "f2e263737af6b96108ba90c68406e0811043bcc1", + "revCount": 2, + "type": "git", + "url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git" + }, + "original": { + "type": "git", + "url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1754988908, + "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { 
@@ -437,21 +408,6 @@ "repo": "default", "type": "github" } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index d6b8e29..fa4719c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,7 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/master";
 flake-parts.url = "github:hercules-ci/flake-parts";
- agenix.url = "github:ryantm/agenix";
+ sops-nix.url = "github:Mic92/sops-nix";
 home-manager.url = "github:nix-community/home-manager";
 darwin = {
 url = "github:LnL7/nix-darwin/master";
@@ -24,6 +24,10 @@
 flake = false;
 };
 nixvim.url = "github:nix-community/nixvim";
+ secrets = {
+ url = "git+ssh://git@github.com/cschmatzler/nixos-config-secrets.git";
+ flake = false;
+ };
 };
 outputs = inputs @ {flake-parts, ...}:
diff --git a/hosts/nixos/tahani/default.nix b/hosts/nixos/tahani/default.nix
index eb1ada8..3f365c2 100644
--- a/hosts/nixos/tahani/default.nix
+++ b/hosts/nixos/tahani/default.nix
@@ -1,6 +1,7 @@
 {
 pkgs,
 hostname,
+sops,
 user,
 ...
 }: {
@@ -51,6 +52,8 @@
 nameservers = ["1.1.1.1"];
 };
+ sops.defaultSopsFile = "./secrets/tahani.yaml";
+
 services.postgresql = {
 enable = true;
 package = pkgs.postgresql_17;
diff --git a/modules/base/default.nix b/modules/base/default.nix
index 28d93e9..cb64277 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -1,11 +1,10 @@
 {
- agenix,
+ sops-nix,
 pkgs,
 user,
 ...
 }: {
 imports = [
- agenix.darwinModules.default
 ];
 nixpkgs = {
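Review bot: `sops-nix.url = "github:Mic92/sops-nix";` sets no `inputs.nixpkgs.follows`, so the lockfile hunks above now carry a separate `nixpkgs_4` node that exists only for sops-nix — one more tree to fetch and one more nixpkgs revision to keep track of. The removed `agenix` line had the same shape, so this is not a regression, but the switch is the natural moment to write it as `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };`. The `inputs` attrset continues outside the hunk.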
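Review bot: The new `secrets` input is not consumed anywhere in this commit: the only module that took a `secrets` argument (`modules/darwin/secrets.nix`) drops it in the same change, and `hosts/nixos/tahani/default.nix` points `sops.defaultSopsFile` at an in-repo `secrets/tahani.yaml` instead, so either the input or the in-repo file looks redundant. A non-flake git input is also copied into `/nix/store`, which is world-readable on a multi-user host, so the private repository must hold only sops-encrypted material; stating that next to the input would help, e.g. `# non-flake input; lands in the world-readable store, so it must contain only sops-encrypted files`. The `inputs` attrset continues outside the hunk.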
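Review bot: `+sops,` adds a function argument that the module never reads — the `sops.defaultSopsFile` assignment in the second hunk is an attribute path, not a reference to this binding — and it is the only argument in the set written without indentation. Unless `specialArgs` provides a `sops` value, evaluation should fail with a missing-argument error for this module, so the line can simply be dropped.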
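Review bot: `sops.defaultSopsFile = "./secrets/tahani.yaml";` is a relative string, and sops-nix declares that option with the `path` type, which rejects strings that do not start with `/`; even where a string is accepted it would resolve against the evaluation's working directory, not this module's location. The file this commit adds lives at the repository root, so from `hosts/nixos/tahani/` the path literal is `sops.defaultSopsFile = ../../../secrets/tahani.yaml;` (or `"${secrets}/tahani.yaml"` if the new `secrets` flake input is meant to be the source — the diff does not say which). Nothing here declares `sops.secrets.syncthing_cert` / `sops.secrets.syncthing_key` either, so the two entries in `secrets/tahani.yaml` are never decrypted into `/run/secrets` and `services.syncthing.cert`/`key` remain unset. The module body continues outside the hunk.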
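Review bot: The `agenix.darwinModules.default` import is removed but nothing takes its place, leaving `imports = [ ];` empty and the new `sops-nix` argument unused in the hunk, so any host that reaches `sops.*` options only through this file will find them undefined. If this module is still evaluated by the darwin hosts, as the removed import suggests, the replacement is `imports = [ sops-nix.darwinModules.sops ];`; if it is shared with NixOS hosts (which already get `sops-nix.nixosModules.sops` from `modules/nixos/default.nix`), the unused argument should be dropped instead. The function body continues outside the hunk.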
@@ -42,13 +41,27 @@
 '';
 };
- environment.systemPackages = with pkgs; [
- agenix.packages."${pkgs.system}".default
- ];
-
 programs.fish.enable = true;
- services.tailscale = {
- enable = true;
+ services = {
+ tailscale = {
+ enable = true;
+ };
+ syncthing = {
+ enable = true;
+ openDefaultPorts = true;
+ dataDir = "/home/${user}/.local/share/syncthing";
+ configDir = "/home/${user}/.config/syncthing";
+ user = "${user}";
+ group = "users";
+ guiAddress = "0.0.0.0:8384";
+ overrideFolders = true;
+ overrideDevices = true;
+
+ settings = {
+ devices = {};
+ options.globalAnnounceEnabled = false;
+ };
+ };
 };
 }
diff --git a/modules/base/packages.nix b/modules/base/packages.nix
index c8028d7..f8b30d5 100644
--- a/modules/base/packages.nix
+++ b/modules/base/packages.nix
@@ -1,8 +1,7 @@
 {pkgs}:
 with pkgs; [
- age
- age-plugin-yubikey
 alejandra
+ sops
 claude-code
 delta
 docker
diff --git a/modules/darwin/secrets.nix b/modules/darwin/secrets.nix
index 93fa820..f4bb873 100644
--- a/modules/darwin/secrets.nix
+++ b/modules/darwin/secrets.nix
@@ -1,8 +1,4 @@
 {
- config,
- pkgs,
- agenix,
- secrets,
 user,
 ...
 }: {
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index c8dd207..faca300 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -1,15 +1,14 @@
 {
 pkgs,
 nixvim,
- config,
 user,
- agenix,
+ sops-nix,
 ...
 }: let
 sshKeys = import ../../shared/ssh-keys.nix;
 in {
 imports = [
- agenix.nixosModules.default
+ sops-nix.nixosModules.sops
 ];
 system.stateVersion = "25.11";
@@ -88,10 +87,6 @@ in {
 enable = true;
 };
- environment.systemPackages = [
- agenix.packages."${pkgs.system}".default
- ];
-
 home-manager = {
 users.${user} = {
 pkgs,
diff --git a/secrets/tahani.yaml b/secrets/tahani.yaml
new file mode 100644
index 0000000..eaea437
--- /dev/null
+++ b/secrets/tahani.yaml
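Review bot: `guiAddress = "0.0.0.0:8384";` binds the Syncthing web UI on every interface and the hunk sets no `settings.gui.user` / `settings.gui.password`, so anyone who can reach port 8384 can add devices and share any folder the service user can read; `openDefaultPorts` does not open 8384 itself, but whether a firewall stands in front of it is not visible here. Prefer the default loopback binding (or the host's Tailscale address, given `services.tailscale` is enabled just above) and set GUI credentials if remote access is needed. The `syncthing_cert` / `syncthing_key` entries encrypted in `secrets/tahani.yaml` are not wired to `services.syncthing.cert` / `key` here, so the device identity will be generated on first start rather than restored from the secret. `dataDir`, `configDir`, `openDefaultPorts` and `override*` are options of the NixOS `services.syncthing` module; if this base module is also evaluated on darwin, as the first hunk's removed darwin import suggests, they will not exist there.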
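Review bot: `+ sops` is inserted between `alejandra` and `claude-code`, breaking the alphabetical order the surrounding entries keep (`alejandra`, `claude-code`, `delta`, `docker`); it belongs further down, in sorted position. The list continues outside the hunk.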
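Review bot: `sops-nix.nixosModules.sops` is imported but no `sops.age.keyFile` or `sops.age.sshKeyPaths` appears anywhere in the diff, so sops-nix falls back to deriving the host's age identity from the machine's ed25519 SSH host key (when openssh is enabled); that only decrypts `secrets/tahani.yaml` if the `host_tahani` recipient in `.sops.yaml` was generated from that same host key, which cannot be checked from here. A comment next to the import would save the next reader the search, e.g. `# decryption key: age identity derived from the ed25519 SSH host key (sops-nix default); must match &host_tahani in .sops.yaml`. The `let … in` module continues outside the hunk.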
@@ -0,0 +1,26 @@ +syncthing_cert: ENC[AES256_GCM,data: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,iv:DSQ2uHBlhFaMklqbItA6Crt09EOydiCD7DzQcSPJdlM=,tag:nWT/ZiJVGKojw/QzhVJiqg==,type:str] +syncthing_key: ENC[AES256_GCM,data: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,iv:RnSiWtdgQfDiEooqm5ecjubN5uR11+qa28d79v+6GK8=,tag:LJwBUw3BBvcUWPGBKOSSsA==,type:str] +sops: + age: + - recipient: age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VlRCZHlaRVVjbTAweEMv + RXc5eDZMdjk3MFEyZFY2NmFYZGg0WFVuK1d3CmpheFB0SzlTWTA2MXg4eDVSeG9a + ZGlkK3BJbzM5RkNOazV5TGNJWVI1bDAKLS0tIExBM1JQNk9IL1FHeXFabWJ2ckxW + U1BsSnRNWTdUMlR5YVlGaW1PWDdBNzQKSZVNl4AWkEzn6cTxOrl+OVpWel1JQHmy + w8kWDihMnFfB4LwuDePYtUIFdOxxWeTZjObP/UP6ZxumhxNEAOR6tQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZFhkSGVjSTNJVUdIbnFj + WEJNMGhheHVUUUdQM01vb0tNamg2ekExc244ClJsT21uZ2ZJZlNoQ0Vld01JWFAx + bDBwNEEvZ0dFalVVb2kxaUZ3Q0x4eTAKLS0tIHhWRmh2N3NEekN0bnJSSHBVTzBk + cEE5bVpUSE9TY2t3ZjZTSUZ3Z1ZreGsKqZH2+N5cTl5a5MIDO/x33RQ44ZZWM8HN + eb0lI8kOc+e4plDQF6Qe2RXJCKcD/4MPkB70sUiPb6SemqBfrREsew== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-12T18:34:32Z" + mac: ENC[AES256_GCM,data:XBKlvlDejMuOK5LXFTtmIV0TcnzAPctQrmhV28ZqPcdpiBYINGiWM4r4Zo3fNjpjBhKx+Vd3sIIGiBBi40Lhm1uK6FBAZ7eqhIDU0LOsJJ+jBo26m7kXCWYddzoPzTHBfYRx0DyecLml2bhW8JuRv5v5/IHSq6ibF5XUtbZT9GA=,iv:oOUCUd2BlodibsUoe1eLWWtJvempPZBckfgAwU4rqKA=,tag:gYmsLVaOopKJsO7k52vZKw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2