From be3503019c8ee6226118b7d2c2629b5f0b94ef2c Mon Sep 17 00:00:00 2001
From: Don Harper
Date: Wed, 12 Nov 2025 19:13:56 -0600
Subject: [PATCH] sops working for ssh authkeys

---
 hosts/workstation/default.nix | 64 +++++++++++++++++++++++++++++++----
 secrets.yaml                  | 27 ++++++++-------
 2 files changed, 73 insertions(+), 18 deletions(-)

diff --git a/hosts/workstation/default.nix b/hosts/workstation/default.nix
index d9518f9..e800380 100644
--- a/hosts/workstation/default.nix
+++ b/hosts/workstation/default.nix
@@ -55,6 +55,60 @@ in {
     ./wine.nix
   ];
 
+  sops = {
+    age.keyFile = "/home/don/.config/sops/age/keys.txt";
+
+    defaultSopsFile = ../../secrets.yaml;
+    # defaultSymlinkPath = "/run/user/1000/secrets";
+    # defaultSecretsMountPoint = "/run/user/1000/secrets.d";
+
+    secrets = {
+      "users/root_password" = {
+        owner = "root";
+        mode = "0400";
+      };
+      "users/root_sshauth" = {
+        owner = "root";
+        mode = "0400";
+        path = "/etc/ssh/authorized_keys.d/root";
+      };
+      "users/don_password" = {
+        owner = "don";
+        mode = "0400";
+      };
+      "users/don_sshauth" = {
+        owner = "don";
+        mode = "0400";
+        path = "/etc/ssh/authorized_keys.d/don";
+      };
+      "users/vicky_password" = {
+        owner = "don";
+        mode = "0400";
+      };
+      "users/vicky_sshauth" = {
+        owner = "don";
+        mode = "0400";
+        path = "/etc/ssh/authorized_keys.d/vicky";
+      };
+      "smtp/smtp_password" = {
+        owner = "root";
+        mode = "0444";
+      };
+      "smtp/smtp_server" = {
+        owner = "root";
+        mode = "0444";
+      };
+      "smtp/smtp_port" = {
+        owner = "root";
+        mode = "0444";
+      };
+      "tailscale/ts_api" = {
+        owner = "root";
+        mode = "0400";
+      };
+    };
+  };
+
   networking = {
     networkmanager.enable = true;
     enableIPv6 = true;
@@ -159,8 +213,8 @@ in {
     package = pkgs.mlocate;
   };
   logind = {
-    lidSwitchDocked = "ignore";
-    lidSwitchExternalPower = "ignore";
+    # lidSwitchDocked = "ignore";
+    # lidSwitchExternalPower = "ignore";
     settings = {
       Login = {
         HandleLidSwitchDocked = "ignore";
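Review bot: `age.keyFile = "/home/don/.config/sops/age/keys.txt"` places the private key that decrypts every secret declared in this block — root's password, root's authorized_keys, the Tailscale API token — inside an unprivileged user's home, so a compromise of `don` (or any backup of that directory) yields all of them, and if /home is a separate or encrypted mount the key may not be present when the activation script runs. A root-only location such as `age.keyFile = "/var/lib/sops-nix/key.txt";` or `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` keeps the host's decryption key out of the user account's reach. `"smtp/smtp_password"` is materialised with `mode = "0444"`, which makes the password readable by every local user; only `smtp_server` and `smtp_port` are non-secret, so that entry should be `mode = "0400";` (or a group the consuming service runs under). The two `users/vicky_*` secrets are owned by `don`; if a `vicky` account exists on this host, sshd evaluates `/etc/ssh/authorized_keys.d/vicky` with her privileges and a 0400 file owned by don will be unreadable and rejected, so `owner = "vicky";` is presumably what was intended. The enclosing `in { ... }` attribute set starts before and ends after this hunk.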
@@ -222,9 +276,6 @@ in {
   users = {
     root = {
       initialPassword = "changeme";
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd8AdVbQQ/Fmw+b9mI8EMYqIoRkwmSwAOtmlte3incL don@loki"
-      ];
     };
     don = {
       isNormalUser = true;
@@ -239,7 +290,7 @@ in {
   };
 
   zramSwap = {
-    enable = true;
+    enable = false;
     memoryPercent = 25;
     memoryMax = 2147483648;
   };
@@ -274,6 +325,7 @@ in {
   environment.systemPackages = with pkgs; [
     python-with-my-packages
     acpi
+    age
     aspell
     aspellDicts.en
     base16-schemes
diff --git a/secrets.yaml b/secrets.yaml
index d4b6978..4530cdf 100644
--- a/secrets.yaml
+++ b/secrets.yaml
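Review bot: `initialPassword = "changeme";` stays on root even though this commit declares a `users/root_password` secret, and nothing in the hunk consumes that secret, so root's password remains the well-known default rather than the sops-managed value. Wiring it in as `hashedPasswordFile = config.sops.secrets."users/root_password".path;` (with `neededForUsers = true;` on the secret so it is decrypted before user creation, and `initialPassword` removed) closes that gap, provided the secret holds a `mkpasswd`-style hash rather than a plaintext password. Removing root's only declarative `openssh.authorizedKeys.keys` entry also means root SSH login now depends entirely on sops decryption succeeding at activation; on a host where the age key is absent (fresh install, /home not mounted) there is no break-glass path, which deserves a comment above `root = {` such as `# root's authorized_keys now come from sops secret users/root_sshauth; keep the age key reachable at activation`. If `don`'s user block outside this hunk still declares `openssh.authorizedKeys.keys`, NixOS will also generate `/etc/ssh/authorized_keys.d/don` via `environment.etc` and collide with the sops `path` for `users/don_sshauth` — presumably that was removed as well, but it is not visible here. The `users = { ... }` set continues past the end of the hunk.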
@@ -1,16 +1,19 @@
 #ENC[AES256_GCM,data:ZNxS2TSn,iv:29wdug8DNsqXK9gi3+HNSW1eeJGTcMtvccH2nFLk1DY=,tag:S3qAU5HB8Y5595dA6ItCmQ==,type:comment]
-root_password: ENC[AES256_GCM,data:T4xaN92i7Q==,iv:dBznOslNEYSv2b90PZbR0G84hJyrI2sYR1YzJuLWPK0=,tag:mXT4ir6t4oOeT0X8S3QTSA==,type:str]
-root_sshauth: ENC[AES256_GCM,data:eSxg81u5yRSSev2clW4YL2b6T4ygfUon636T+q2MTnoBQTbZxaknvJxNJemEGQKJRRNmzFQzP2LVWH7WbcNsALt0FQyo8oRJnSlGxebk+1MIlgrFxqFlY8c=,iv:7jyZ9WrKyX5EbbGYunzN/Ez2ULuKGo+FkVHk7hBtEtY=,tag:Gbr/ylA1S/9ZDfvK4xUvGg==,type:str]
-don_password: ENC[AES256_GCM,data:LUAJQBmJlQ==,iv:FKmu8y6DuWa/XD0wqb7dxJNxITzrKOZNGZF94pqaaUo=,tag:YZdiWDImCi7AXYoU3uB0vw==,type:str]
-don_sshauth: ENC[AES256_GCM,data:No8G1fgYWWKhUbaydGoxHe+fGWI5p0fD9cx2qegI+dZ9DV1ENKiACsJzWd004ZHA2G9PGzSeGb/p8Ay/3zVbSLJccWeblNE+P7e/HlGixZRXmv9BcvXm5cE=,iv:Bd3QLGrctTaBfOHMAnmPys8uViQFbBh4D2cxxhEeQJE=,tag:LD2QStSyEJ5yxQMbHOz3WA==,type:str]
-vicky_password: ENC[AES256_GCM,data:XCKBMoOV,iv:swdBKF0STzMFbzYMBI8/nuNTE5B5DN7STkdNVx0w8Ys=,tag:Lw4SkSm3W0xh80M8loD/BQ==,type:str]
-vicky_sshauth: ENC[AES256_GCM,data:1ec9IXnH4FSPG+9M2fMuDsDEo2E4PatwZiH8zIAKPCjlLIgvxRlioDO6fd+a9eaoAOoEIRaIwCOyK+VAlAxshrDA72nGH3xT/RmSeX6nVHGNh7gswdYh2Ts=,iv:jyuN5+Yj3Tfzk7h3ASPrNhxaFezJGLE5eWtgKl1SulY=,tag:gsQCp5g1ZpQA/wrWfGODqA==,type:str]
+users:
+    root_password: ENC[AES256_GCM,data:c38DypOUaA==,iv:wwpjTEgTBMy3J7PzKnLO9IbLnq9HOMgQG/EQD+07U38=,tag:J/U8ddG2gqtRLUADWiJ8Bw==,type:str]
+    root_sshauth: ENC[AES256_GCM,data:1z7lTmMn2QB177S2re4+BIoiQ7XAmx9zKscUlUQKywQLqLDQJdvWJ0PvcKNfi0dyCJf5lWG3V3aZhGvIKMUizrZ0JMIZfRStbbLZKSnh0xsSvBdxo4NSd/k=,iv:iXnrcRN7l0uBboJsx/N1uCPkyqPWwbiR3Cp1RJVCVBU=,tag:h1rKlReNxKJ8uBTWVRAPgA==,type:str]
+    don_password: ENC[AES256_GCM,data:m9Jf4fvpSg==,iv:Z40H6ZSqjRFwvBdak22ijX0s4NVIjqbT1qfRkFnmp6c=,tag:K41k1JQUavKSZ47MkqF6PQ==,type:str]
+    don_sshauth: ENC[AES256_GCM,data:a7m3lzi9cRMfjSTZAUV6BUmSjcJcTTAex5vFmfC/narajIpmeo2So52cJKV9YYOgKaOCXEmMuokH8kXXZ9QL0zx5HhaCWSxCbsqh+wHEFiRdQFxBn1YLzM4=,iv:x2n+KQjbpReHIZDRnlNUd5HIHfowrnMD0dD4FxdDos8=,tag:PwzOCm3YjF/EiEStFpBGtg==,type:str]
+    vicky_password: ENC[AES256_GCM,data:KrTs/5d2,iv:ykzA5NMzD6EZJKLpFdgYm0E8/l+K8C96qsUJVm9qovY=,tag:xFzOmny25ytR/64SX0TPyA==,type:str]
+    vicky_sshauth: ENC[AES256_GCM,data:jFedFDYzaHtHOjKTc3iei3+dw3gpm9mZLncye9henZfx/fK1cbaH6SugnvsEZTtOEt7cjWkBhAKzRxCemhp0WENa2w9cQXrMtnzniIz4k7NsPkKWdBy+n34=,iv:cRPy89hstypZ5RhTlI2dQ28DIsCv9qjGglRdau5A53M=,tag:QosA7AeYaX8Su6wOX7XTVg==,type:str]
 #ENC[AES256_GCM,data:wPhrf7k=,iv:2HQ4jzpjasLF1gZCfVCGv30xajhBUzhAXsi9s5Cy9JM=,tag:aCM86v27N+TAGVrxbuO5tg==,type:comment]
-smtp_password: ENC[AES256_GCM,data:UvXraq2vRWejRscrg6ZSTg==,iv:ClAb/8jkLgBQC8FsTfEZNC/D9yzW2jZCCz82ziwF/oM=,tag:XxF4y10Dl7DLhvkCR1hV4A==,type:str]
-smtp_server: ENC[AES256_GCM,data:WqiUBqsOvkGTFzMevId6Ug==,iv:ESeB2sKoyacK4nEEULIsCOUKF7WfFPdEcn0AfZ+ENfY=,tag:SgPgSz1ljKR1TynXrcD1Ag==,type:str]
-smtp_port: ENC[AES256_GCM,data:9dtc,iv:M8RhdH1BYBQZ4NqoSKbO6UT22MOtNjmCPaz9AL90nF8=,tag:IUI0z4r+CHTJzwkF/99Ykw==,type:int]
+smtp:
+    smtp_password: ENC[AES256_GCM,data:YP3NqVQjuWPyCuTgmxBwSw==,iv:1eyDvHplyh9pKfdY795ndJzzl1LLFudYZB2eqkjYmlw=,tag:Jvb9escI5pNorDmIiXuFrw==,type:str]
+    smtp_server: ENC[AES256_GCM,data:Mkya/PLitKQXnUyRBM1N9g==,iv:Q+6Fi32v+8Z4YtrsgLelw9PRsA+WfElfYwYjxnUHfhM=,tag:muCZ/zmoAzLZ1+qWQiXPHg==,type:str]
+    smtp_port: ENC[AES256_GCM,data://oT,iv:6fGj9npq+JsB2o6fG33uWJpVgoihqVxaLeOAGiv51T0=,tag:BVhhmptrJjljKFxQ4J0sXw==,type:str]
 #ENC[AES256_GCM,data:SFZglQQ16U0jDBTmBuxHH2TGFRt9rOxZTzc=,iv:MnzSRM4bte5WACvlTDSVTqFTBJMFFv8l8e7p1lu/bZE=,tag:v6JKaBu6dl+1jrK0VmpPBg==,type:comment]
-ts_api: ENC[AES256_GCM,data:IkJ2+er8agfcTwPwWriensoEg8CQeNl3ZXUcadm3rbraXNKyqLY5UO6RNZxLk2CAvAY4MB7/fDRryDGZ3Po=,iv:ml9vhPKmKI2PlYjzFrVoUMjHRrPdI69zSY2qBa71ODU=,tag:TXnXEbN7X51PYwu8O8DfKw==,type:str]
+tailscale:
+    ts_api: ENC[AES256_GCM,data:mchei6FdVpcn7A2m/1D/e7RbZ8YLdte2lZ1b8M1e6C5NqzzDzRSNS7Wne2bm7szPe6nzeDGVZZ/jp5WR26M=,iv:/DZsAk+W+Ev+ZS7XNvLbNXCARL9YjUgvrae5bUppWBY=,tag:Uj8FT/gCpO4XmMRDykz8ZA==,type:str]
 sops:
     age:
         - recipient: age16a4ywf6pycs9l8rn7y34c6y8pqfz9utmwwkr70d0hapknkzdaafsesn0ff
@@ -22,7 +25,7 @@ sops:
           em9ZMDljK2tXVnVDN1Q2UnYrZWVwblEKE/z1PQsld/r4AEWFyUgt6zNf7QfcLNYh
           Btn5qGBPYizmYzAwleNOq5PDINUAlfT9fTfU6QBdRYkarbVjqDV6Pg==
           -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-12T02:13:51Z"
-    mac: ENC[AES256_GCM,data:ntO/fVmW2w04YQab12rvDa6feFmiNO4CQmi7LA/5wWt+J4z3qTyfYdNfb0mKEMFo5Wu3KhZWKIi97HDOAsKJqhIEgsdLOY9RbKuH+KHC81qjfRhbKC/yK84JHU2mc3K2cTpuFqw+xhJaGsbLNQYsWxi+dot7QvZTEPcC11XskFY=,iv:erleqHDriT1TQ86s1U8znD4s4o3g+mmClfELWtNNuss=,tag:McJZcWDdDb3X/emXvckPPg==,type:str]
+    lastmodified: "2025-11-13T00:39:12Z"
+    mac: ENC[AES256_GCM,data:uhMuODBQLyx6Ae18npzmptsX1HzVY7cmx8pZ5cUcYJb7VlVjgYMc6rp4UKozd4y8lGnKtQWaiUvsR8RFiueLsd/vLuNjI48qXmezluBoXFlqkCPuDBzZIFnWfo4omqfY9kZs3fafNfAW7GSrQOE5wP9xNdNO0dUkMs8QF93/SeA=,iv:/+3iBJpCZ2ujvF4kZ0wOIb1FkN9WE8P5ftnfrC7J4t0=,tag:W6JqByfgpxue1LvQAomsrw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0
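Review bot: the three `*_password` values under `users:` are not password hashes: AES-GCM ciphertext has the same length as its plaintext, and `data:c38DypOUaA==`, `data:m9Jf4fvpSg==` and `data:KrTs/5d2` decode to 7, 7 and 6 bytes, so these are plaintext passwords of six or seven characters — too short to be strong, and unusable as a NixOS `hashedPasswordFile`, which expects a `mkpasswd -m yescrypt` hash of roughly a hundred characters. The restructure only re-encrypted the old `root_password`/`don_password`/`vicky_password` entries (the removed lines have identical lengths), it did not rotate them, and storing hashes instead would also stop the committed file from revealing password length to anyone who can read the repository. `smtp_port` additionally changed from `type:int` to `type:str` in the move under `smtp:`; that is harmless for sops-nix's file output but is worth a line in the commit message if any consumer parses the value as YAML. The `sops:` metadata block continues into the following hunk.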