sops working for ssh authkeys

2025-11-12 19:13:56 -06:00 · 2025-11-12 19:13:56 -06:00 · be3503019c
commit be3503019c
parent 52b024181a
2 changed files with 73 additions and 18 deletions
--- a/hosts/workstation/default.nix
+++ b/hosts/workstation/default.nix
@ -55,6 +55,60 @@ in {
    ./wine.nix
  ];

+  sops = {
+    age.keyFile = "/home/don/.config/sops/age/keys.txt";
+
+    defaultSopsFile = ../../secrets.yaml;
+    # defaultSymlinkPath = "/run/user/1000/secrets";
+    # defaultSecretsMountPoint = "/run/user/1000/secrets.d";
+
+    secrets = {
+      "users/root_password" = {
+        owner = "root";
+        mode = "0400";
+      };
+      "users/root_sshauth" = {
+        owner = "root";
+        mode = "0400";
+        path = "/etc/ssh/authorized_keys.d/root";
+      };
+      "users/don_password" = {
+        owner = "don";
+        mode = "0400";
+      };
+      "users/don_sshauth" = {
+        owner = "don";
+        mode = "0400";
+        path = "/etc/ssh/authorized_keys.d/don";
+      };
+      "users/vicky_password" = {
+        owner = "don";
+        mode = "0400";
+      };
+      "users/vicky_sshauth" = {
+        owner = "don";
+        mode = "0400";
+        path = "/etc/ssh/authorized_keys.d/vicky";
+      };
+      "smtp/smtp_password" = {
+        owner = "root";
+        mode = "0444";
+      };
+      "smtp/smtp_server" = {
+        owner = "root";
+        mode = "0444";
+      };
+      "smtp/smtp_port" = {
+        owner = "root";
+        mode = "0444";
+      };
+      "tailscale/ts_api" = {
+        owner = "root";
+        mode = "0400";
+      };
+    };
+  };
+
  networking = {
    networkmanager.enable = true;
    enableIPv6 = true;
@ -159,8 +213,8 @@ in {
      package = pkgs.mlocate;
    };
    logind = {
-      lidSwitchDocked = "ignore";
-      lidSwitchExternalPower = "ignore";
+      # lidSwitchDocked = "ignore";
+      # lidSwitchExternalPower = "ignore";
      settings = {
        Login = {
          HandleLidSwitchDocked = "ignore";
@ -222,9 +276,6 @@ in {
    users = {
      root = {
        initialPassword = "changeme";
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd8AdVbQQ/Fmw+b9mI8EMYqIoRkwmSwAOtmlte3incL don@loki"
-        ];
      };
      don = {
        isNormalUser = true;
@ -239,7 +290,7 @@ in {
  };

  zramSwap = {
-    enable = true;
+    enable = false;
    memoryPercent = 25;
    memoryMax = 2147483648;
  };
@ -274,6 +325,7 @@ in {
  environment.systemPackages = with pkgs; [
    python-with-my-packages
    acpi
+    age
    aspell
    aspellDicts.en
    base16-schemes