started soteria-specific secrets

2026-03-23 17:58:26 -05:00
parent 52a351ee8c
commit a45f5a4cca
4 changed files with 53 additions and 49 deletions
@@ -0,0 +1,26 @@
 janus:
    admin_password: ENC[AES256_GCM,data:4pnSq0f1iTNFWn/Qcw+J7LWIXXd/j5v3WwFSzXfqgKA=,iv:/usSHYST8zv7AMvDNuW/fFLL+40IrderjL6bUWzBNd4=,tag:V/q1+SjIcYsZ0+PC/Q7c1A==,type:str]
 sops:
    age:
        - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0V1JsVDhnMHpaNHRQRCtw
            V3JMQm1SREZSYUpaYmZNQ1FEVmN0VFZRSlQ0Ck9wQlpqZFBrRUJENWVBbTd5cVVo
            ZlhYZnhGamk1ZlQ0N001ZWcrQ1Evb3cKLS0tIHpuTWhRTU1QeWFRUytiU21CMW94
            eFc0ankvcWhqK3Q4MjRCVC9nTlJteU0K1tJvYM2M1XmlsCTpadHyf6EGE2Lg+XBL
            TGTjMPSWqClWYB9HFZ4nCurEK/JidBanmGkc0Y9eFz9XYKl7rtyXUw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1h0prahyukq4l564yqwgcpg3g6gdrjflk0suklussjjrjstxd9uesws8633
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRzFlWTNxSGpaNU85QTFj
            SnlRZkpZQTZQVjNqWFhLMHhKVm5ZVXB4Rms0CmZQclFzYkpWLzlqT2xNUTJMd2dJ
            Wm5PQXNabjRwV1hVRXFGVmxteGk2emMKLS0tIG5kcm5KamxNZmpKVGt5bUo1dVg5
            dFN2RGdqM29mM3hadXpBakY4QThxZnMKI9RbfXJHIHvYHy/2corfwDq+OHRPrmkA
            tWLH/KWqwGt0hvc5j8bUfRECgjdXmbC9kpAgDs8PhJF+X1ijVFrIYg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-03-23T22:27:45Z"
    mac: ENC[AES256_GCM,data:tQ8EMXWqw7wd/QZqUPn/sAczk0G4jSUR96AF83cmJGYuoZkMkOzsMFt448IkWxNWOJHPmIc0vs+c3ngQxHyx6Uf9jVWzMkvfdzMYj82QuLsmXQ9e4/IAE9h+52uagbwgoOJwPCF+AQetSHez/jWPPIQPN5DLfz0edg4xYReX7DA=,iv:GsvotFkehIz5L4I9j0oQ89oM5XjZQAr6vrVd79tqFes=,tag:wLi4sXz8JqvaoUaYjEj/vA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
@@ -27,6 +27,10 @@ in
          hostname = hostname;
          caURL = caURL;
        };
        sops.defaultSopsFile = ./secrets.yaml;
        sops.secrets."janus/admin_password" = {
          owner = "${hostname}";
        };
        # mtls = {
        #   enable = true;
        #   subject = hostname;
@@ -61,33 +65,34 @@ in
        # };
        home-manager.users."${username}" = {
-          imports = with inputs.self.modules.homeManager; [
+          imports = with inputs.self.modules; [
-            sops
+            homeManager.sops
-            step-ssh-user
+            homeManager.step-ssh-user
            homeManager"${hostname}"
          ];
          shell.program = "zsh";
        };
      }
    ];
  };
  flake.modules.homeManager."${hostname}" = { config, ... }: {
    imports = with inputs.self.modules.homeManager; [
      rebuild
      sops
      mtls
    ];
    homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
    home.username = "${username}";
    home.homeDirectory = "/home/${username}";
    shell.program = "zsh";
  };
  flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
    pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
    modules = with inputs.self.modules; [
      homeManager."${username}"
-      {
+      homeManager."${hostname}"
        imports = with inputs.self.modules.homeManager; [
          rebuild
          # sops
          # step-ssh-user
          # mtls
          # restic
        ];
        home.username = "${username}";
        home.homeDirectory = "/home/${username}";
        shell.program = "zsh";
      }
    ];
  };
 }
@@ -32,6 +32,7 @@
          '')
          (writeShellScriptBin "nhms" ''
            HOSTNAME=$(hostname -s)
            echo "Switching to the $HOSTNAME profile"
            ${lib.getExe home-manager} switch --impure --flake ${flakeDir}#$HOSTNAME
          '')
          (writeShellScriptBin "nhmu" ''
@@ -11,15 +11,8 @@ in
  };
  flake.modules.nixos.sops = {
-    imports = with inputs.sops-nix.nixosModules; [
+    imports = [ inputs.sops-nix.nixosModules.sops ];
-      sops
+    # sops.defaultSopsFile = ../../keys/secrets.yaml;
    ];
    sops.defaultSopsFile = ../../keys/secrets.yaml;
    sops.secrets."test-nix/ssh_host_key" = {
      owner = "john";
      path = "/home/john/.ssh/host_key";
    };
  };
  # Define the homeModules that are used by flake-parts
@@ -39,6 +32,7 @@ in
      sops # This is necessary to make the sops binary available
      ssh-to-age
      (writeShellScriptBin "gen-age-key" ''
        mkdir -p "${config.xdg.configHome}/sops/age"
        ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.IdentityFile} -private-key > ${ageKeyFile}
        echo -n "Created ${ageKeyFile}: "
        echo $(show-age-key)
@@ -55,34 +49,12 @@ in
      inputs'.sops-nix.homeManagerModules.sops
    ];
    home.sessionVariables = {
      GMAIL_CREDS_PATH = "${config.xdg.configHome}/sops-nix/gmail_api_credentials.json";
    };
    # Option definitions for the sops home-manager module:
    # https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
    sops = {
-      defaultSopsFile = sopsSecretsPath;
+      # defaultSopsFile = sopsSecretsPath;
      defaultSopsFormat = "yaml";
      age.sshKeyPaths = [ "${config.ssh.IdentityFile}" ];
      secrets."api/gmail_client_secret" = { };
      templates."gmail_creds" = {
        path = "${config.xdg.configHome}/sops-nix/gmail_api_credentials.json";
        content = ''
          {
              "installed": {
                  "client_id": "499012320469-vtml6emu6bmujpsj9lud2b44jqu7h26j.apps.googleusercontent.com",
                  "project_id": "python-apis-423500",
                  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
                  "token_uri": "https://oauth2.googleapis.com/token",
                  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
                  "client_secret": "${config.sops.placeholder."api/gmail_client_secret"}",
                  "redirect_uris": [ "http://localhost" ]
              }
          }
        '';
      };
    };
  };
 }