jmug
a42e0442f6
Signed-off-by: jmug <u.g.a.mariano@gmail.com> arst Signed-off-by: jmug <u.g.a.mariano@gmail.com>
48 lines
1.3 KiB
Nix
48 lines
1.3 KiB
Nix
{ inputs, config, ... }:
|
|
{
|
|
imports = [
|
|
inputs.sops-nix.nixosModules.sops
|
|
];
|
|
|
|
sops = {
|
|
defaultSopsFile = ../../../secrets.yaml;
|
|
validateSopsFiles = false;
|
|
|
|
# To bootstrap a new device you need to ensure
|
|
# that the ssh service was enabled at least once
|
|
# (if you don't plan to keep it enabled permanently)
|
|
# then you need to derive an age public key from the
|
|
# ssh key by using:
|
|
#
|
|
# $ nix-shell -p ssh-to-age
|
|
# $ sudo ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub
|
|
#
|
|
# This will give you the public key that you must put under .sops.yaml
|
|
# at the root of this repo.
|
|
#
|
|
# You'll then need to bootsrap the environment, so copy the secret key from
|
|
# cold storage to ~/.config/sops/age/keys.txt
|
|
# chomd it to 755
|
|
#
|
|
# The run:
|
|
# $ nix-shell -p sops
|
|
# $ sops updatekeys secrets.yaml
|
|
#
|
|
# You're bootsrapet and good to go!
|
|
age = {
|
|
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
keyFile = "/var/lib/sops-nix/key.txt";
|
|
generateKey = true;
|
|
};
|
|
};
|
|
|
|
sops.secrets = {
|
|
"wireless.env" = {};
|
|
|
|
"yubico/u2f_keys/jmug" = {
|
|
owner = config.users.users.jmug.name;
|
|
inherit (config.users.users.jmug) group;
|
|
path = "/home/jmug/.config/Yubico/u2f_keys";
|
|
};
|
|
};
|
|
}
|