From eac053ca072af8f69b9a482c454105ae4e61a1c6 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Tue, 24 Mar 2026 22:51:59 -0500
Subject: [PATCH] sops updates
---
 modules/hosts/{ => john-pc}/john-pc-ubuntu.nix | 8 ++++----
 modules/hosts/soteria/soteria.nix | 8 ++------
 modules/programs/sops.nix | 13 ++++++-------
 3 files changed, 12 insertions(+), 17 deletions(-)
 rename modules/hosts/{ => john-pc}/john-pc-ubuntu.nix (89%)
diff --git a/modules/hosts/john-pc-ubuntu.nix b/modules/hosts/john-pc/john-pc-ubuntu.nix
similarity index 89%
rename from modules/hosts/john-pc-ubuntu.nix
rename to modules/hosts/john-pc/john-pc-ubuntu.nix
index f8bbcab..568f97f 100644
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc/john-pc-ubuntu.nix
@@ -2,8 +2,8 @@ let
 username = "john";
 hostname = "john-pc-ubuntu";
- # testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
- testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3";
+ # testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # test-nix
+ testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria
 in
 {
 flake.modules.homeManager."${hostname}" = { pkgs, config, ... }:
@@ -65,8 +65,8 @@ in
 };
 };
- mysops.hostSecretFile = "${config.xdg.configHome}/home-manager/jsl-dendritic/secrets.yaml";
- sops.defaultSopsFile = "${config.xdg.configHome}/home-manager/jsl-dendritic/secrets.yaml";
+ # This provides the keys at build time and will be included in the nix store
+ sops.defaultSopsFile = ../../../keys/secrets.yaml;
 sops.secrets."restic_password/john_ubuntu" = {
 path = resticPasswordFile;
diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix
index 0db38c1..aa767b7 100644
--- a/modules/hosts/soteria/soteria.nix
+++ b/modules/hosts/soteria/soteria.nix
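Review bot: The new comment above `sops.defaultSopsFile = ../../../keys/secrets.yaml;` says the keys are provided at build time, but what that path copies into the world-readable nix store is the sops-encrypted secrets file, i.e. ciphertext only; suggest `# Encrypted sops file: it is copied into the (world-readable) nix store as ciphertext and decrypted at activation with the age key`. The same file is now also the module-wide default set in the `@@ -70,17 +72,14 @@` hunk of modules/programs/sops.nix (this host imports that module, since it used `mysops.hostSecretFile`), so the per-host line is redundant; identical values merge, but if the two ever diverge evaluation fails with a conflicting-definition error unless the shared module writes `defaultSopsFile = lib.mkDefault sopsSecretsPath;`. Dropping `mysops.hostSecretFile` here also means the `edit-secrets` wrapper is no longer generated for this host, since it is guarded by `cfg.hostSecretFile != null`; if that is unintended it needs to point at the checkout's copy of keys/secrets.yaml. The enclosing module body continues outside the hunk.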
@@ -50,13 +50,9 @@ in
 shell.program = "zsh";
 docker.enable = true;
- # sops.secrets."janus/admin_password" = {
- # path = "${config.home.homeDirectory}/.janus";
- # mode = "0400";
- # sopsFile = ./secrets.yaml;
- # };
-
+ # This will provide the edit-secrets script targeting this file
 mysops.hostSecretFile = "${config.xdg.configHome}/home-manager/modules/hosts/soteria/secrets.yaml";
+
 mtls = {
 enable = true;
 subject = hostname;
diff --git a/modules/programs/sops.nix b/modules/programs/sops.nix
index 9477e1d..a923f8f 100644
--- a/modules/programs/sops.nix
+++ b/modules/programs/sops.nix
@@ -12,7 +12,6 @@ in
 flake.modules.nixos.mysops = {
 imports = [ inputs.sops-nix.nixosModules.sops ];
- # sops.defaultSopsFile = ../../keys/secrets.yaml;
 };
 # Define the homeModules that are used by flake-parts
@@ -23,6 +22,10 @@ in
 sopsBin = lib.getExe pkgs.sops;
 sopsConfigPath = ../../.sops.yaml;
 sopsSecretsPath = ../../keys/secrets.yaml;
+
+ editScript = lib.optional (cfg.hostSecretFile != null) (pkgs.writeShellScriptBin "edit-secrets" ''
+ ${sopsBin} --config ${sopsConfigPath} ${cfg.hostSecretFile}
+ '');
 in {
 imports = [
@@ -31,7 +34,6 @@ in
 ];
 options.mysops = {
- enable = lib.mkEnableOption "Customized SOPS tools";
 ageKeyFile = lib.mkOption {
 description = "Default location for the age key";
 type = lib.types.str;
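Review bot: The new `editScript` binding interpolates `cfg.hostSecretFile` into the wrapper's command line without shell quoting, so a `hostSecretFile` containing whitespace (the hosts build it from `config.xdg.configHome`) would be word-split by bash at runtime; quote it and forward extra arguments so `edit-secrets` can take sops flags: `${sopsBin} --config ${sopsConfigPath} "${cfg.hostSecretFile}" "$@"`. The wrapper also drops the `set -e` that the removed version in the `@@ -70,17 +72,14 @@` hunk had; for a single command the exit status is identical, so that is fine as long as the script stays one line. `cfg` and the enclosing `let` are defined outside this hunk.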
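Review bot: Removing `enable = lib.mkEnableOption "Customized SOPS tools";` is a breaking change to the module's interface that the commit message does not mention: any host that still sets `mysops.enable = true` now fails evaluation with an undefined-option error, and any `lib.mkIf cfg.enable` guard left in the config section (outside this hunk) would fail the same way. If the intent is that importing the module always activates it, say so at `options.mysops = {`, e.g. `# No enable switch: importing this module activates the sops tooling unconditionally`, and check the hosts for leftover `mysops.enable` settings. The options set continues past the end of the hunk.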
@@ -70,17 +72,14 @@ in
 '')
 (writeShellScriptBin "show-age-key" "${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}")
 (writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
- ] ++ lib.optional (cfg.hostSecretFile != null) (writeShellScriptBin "edit-secrets" ''
- set -e
- ${sopsBin} --config ${sopsConfigPath} ${cfg.hostSecretFile}
- '');
+ ] ++ editScript;
 home.shellAliases.sops = "${sopsBin} --config ${sopsConfigPath}";
 # Option definitions for the sops home-manager module:
 # https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
 sops = {
- # defaultSopsFile = sopsSecretsPath;
+ defaultSopsFile = sopsSecretsPath;
 defaultSopsFormat = "yaml";
 age.sshKeyPaths = [ "${config.ssh.IdentityFile}" ];
 };