Squash merge sops-nix into main

.sops.yaml

@@ -0,0 +1,8 @@
+keys:
+  - &dn_server age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
+
+creation_rules:
+  - path_regex: system/dev/dn-server/secret.yaml
+    key_groups:
+      - age:
+          - *dn_server

flake.lock

@@ -1106,6 +1106,22 @@
       }
     },
     "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1744502386,
+        "narHash": "sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9+a/ONO8qNBYJgM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "f6db44a8daa59c40ae41ba6e5823ec77fe0d2124",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_6": {
       "locked": {
         "lastModified": 1737003892,
         "narHash": "sha256-RCzJE9wKByLCXmRBp+z8LK9EgdW+K+W/DXnJS4S/NVo=",
@@ -1187,6 +1203,7 @@
         "nix-index-database": "nix-index-database",
         "nix-minecraft": "nix-minecraft",
         "nixpkgs": "nixpkgs_4",
+        "sops-nix": "sops-nix",
         "yazi": "yazi"
       }
     },
@@ -1232,6 +1249,24 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_5"
+      },
+      "locked": {
+        "lastModified": 1744669848,
+        "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "61154300d945f0b147b30d24ddcafa159148026a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1689347949,
@@ -1402,7 +1437,7 @@
     "yazi": {
       "inputs": {
         "flake-utils": "flake-utils_4",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_6",
         "rust-overlay": "rust-overlay_2"
       },
       "locked": {

flake.nix

@@ -68,6 +68,10 @@
     nix-minecraft = {
       url = "github:Infinidoge/nix-minecraft";
     };
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+    };
   };
 
   outputs =
@@ -87,6 +91,7 @@
         modules = [
           home-manager.nixosModules.default
           nix-index-database.nixosModules.nix-index
+          inputs.sops-nix.nixosModules.sops
         ];
         args = {
           inherit

home/config/nvim/lua/plugins/suda.lua

@@ -1,7 +1,7 @@
 return {
   {
     "lambdalisue/vim-suda",
-    cmd = "SudaWrite",
+    cmd = { "SudaWrite", "SudaRead" },
     keys = { { "<leader>bs", "<cmd>SudaWrite<cr>", desc = "Save Buffer as Root" } },
   },
 }

pkgs/overlays/default.nix

@@ -1,4 +1,4 @@
 [
-  (import ./ferium.nix)
+  # (import ./ferium.nix)
   (import ./vesktop.nix)
 ]

pkgs/overlays/ferium.nix

@@ -1,4 +1,4 @@
-prev: final: {
+final: prev: {
   ferium = prev.ferium.overrideAttrs (
     final: prev: rec {
       cargoHash = "sha256-yedl4KQCpT7Ai1EPvwD5kzhkHesIjGVAcxKjp5k2jmI=";

system/dev/dn-server/networking.nix

@@ -1,5 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
-
 {
   networking = {
     networkmanager.enable = true;

system/dev/dn-server/nextcloud.nix

@@ -64,7 +64,7 @@
               tar -xf passwords.tar.gz
               mv passwords/* ./
               rm passwords.tar.gz
-              rm -rpasswords
+              rm -r passwords
             '';
           });
     };
@@ -72,7 +72,7 @@
 
     database.createLocally = true;
     config = {
-      adminpassFile = "/run/keys/nextcloud-admin-password.key";
+      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
       dbtype = "pgsql";
     };
 

system/dev/dn-server/secret.yaml

@@ -0,0 +1,27 @@
+wireguard:
+    privateKey: ENC[AES256_GCM,data:0lryTtUwLxr7d+EKdu618HwVAl9kSDkDfkpTrX5cMGJATXMmEnaMEVGPYnY=,iv:XG107Tnt/Md56q9vK/Eh5uyzvFT+JrcD0UAUdqky+EA=,tag:RAQIkl6zRQzFuzorg2aeew==,type:str]
+    conf: ""
+nextcloud:
+    adminPassword: ENC[AES256_GCM,data:O2rK18+riVrvloqqLsMUXw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:yh1ccDmthARLND0NwpLTCA==,type:str]
+step_ca:
+    password: ENC[AES256_GCM,data:3EWxpk/ktZHJreqnR9ln5pfdPjgigoCC4lyoRWugHas=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:UHZagnLvorZUrPq43YU+Gw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuKzJObXlPVUJzUkEyZXlV
+            Q0tEbzBPTy9kUXIwVmJkckUyWklUMzhCcTE0Ckh3bXIwRkpESTJYeTBPMGhQYk9y
+            L2NQTWFuMWVqYzJHZGhTaHpDRE5CRGMKLS0tIEsybHdPMk9JeEM2cXFwdlpOeXRj
+            Qm0wbmNGZDZwZlNTOVl0WVh5RXNxK2cK1Fwbgl5kKAFyrIIhBP+X4ZKFS4Xl39QY
+            11qkglNgro/JBFJ/W7Hj5wtEd8QToiJM1RW0lQaI25sneQ2v6L5pDA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-21T12:56:08Z"
+    mac: ENC[AES256_GCM,data:b1e1MemL+HHD1pl5X8gnSpczuM7bR+tmkwZJgdZclwkJwi0yBCq14Fy4VE9LklpU2k+WtD1RLqpSZtgz95skpYQog/3phaQNSPLZKXCRfnmTtDxUxWC52cBkhv/RIe99ROzIoG9hBvoPptnCZDlv70vL21xBFyhgzyo1guQUC6w=,iv:VNFKWZMNO+wkrC4NCsmFUrQa09FibMlu+yQOhzqduO0=,tag:imZRSLg4NBF1zaDTmIAPvA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

system/dev/dn-server/services.nix

@@ -1,5 +1,6 @@
 {
   settings,
+  config,
   pkgs,
   lib,
   ...
@@ -303,7 +304,7 @@ in
         ${personal.interface} = {
           ips = [ personal.ip ];
           listenPort = personal.port;
-          privateKeyFile = "/etc/wireguard/privatekey";
+          privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
           peers = builtins.map (r: {
             publicKey = r.publicKey;
             allowedIPs = r.allowedIPs;
@@ -313,7 +314,7 @@ in
         ${kube.interface} = {
           ips = [ kube.ip ];
           listenPort = kube.port;
-          privateKeyFile = "/etc/wireguard/privatekey";
+          privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
           peers = [ ];
         };
       };

system/dev/dn-server/step-ca.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
   environment.systemPackages = with pkgs; [ step-cli ];
 
@@ -12,9 +12,72 @@
   services.step-ca = {
     enable = true;
     address = "0.0.0.0";
-    settings = builtins.fromJSON (builtins.readFile /var/lib/step-ca/config/ca.json);
+    settings = {
+      address = ":443";
+      authority = {
+        provisioners = [
+          {
+            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiUTZYbDJOdkFabGZZSTZ5QnBrZWp6dyJ9.z
+Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB1ezz4NvpSDe9GIweBlTLH4DpZ7As65QftJf-32vFeSjw_8So8ugpS2BmfWaMcL6rHxJG369zf-Ninecy3yg4AvQ0WvzUWCYnR2m5-B2YYFJ0SlTv-FXOf_412ZaGdIK9FQo
+8LszKMGzw0e3YkBuAAfEsqYaCTd27trDDPUelTVnC20zblVDEkBlusvoNeYEiy7nphjqy2OPW6bxLKdQMg-b9zVgZqkImRqojBBqnV85sBHaSyQWA9rP2PPJM8AVjVBtrVLG3YIVObbjiLAa21WMaFe1bW4LK7BNj7KwQ2JJzlBfkDkdmo3gZvYag--9AarieKeIumQ.Vxj5NwzSurT
+47yHhoiCOug";
+            key = {
+              alg = "ES256";
+              crv = "P-256";
+              kid = "ywqnDBi0j1wjIx4i8xOBhqd6sCqsI_Z7aGQ6QifKFtM";
+              kty = "EC";
+              use = "sig";
+              x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI";
+              y = "y5OFjciRMVg8ePaEsjSPWbKp_
+NjQ6U4CtbplRx7z3Bw";
+            };
+            name = "danny@smallstep.net.dn";
+            type = "JWK";
+          }
+          {
+            claims = {
+              maxTLSCertDuration = "8760h";
+            };
+            name = "acme";
+            options = {
+              enableRenewal = true;
+            };
+            type = "ACME";
+          }
+        ];
+      };
+      crt = "/var/lib/s
+tep-ca/certs/intermediate_ca.crt";
+      db = {
+        badgerFileLoadingMode = "";
+        dataSource = "/var/lib/step-ca/db";
+        type = "badgerv2";
+      };
+      dnsNames = [
+        "10.0.0.1"
+        "ca.net.dn"
+      ];
+      federatedRoots = null;
+      insecureAddress = "";
+      key = "/var/lib/step-ca/secrets/intermediate_ca_key";
+      logger = {
+        format = "text";
+      };
+      root = "/var/lib/step-ca/certs/root_ca.crt";
+      tls = {
+        cipherSuites = [
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+          "TLS_EC
+DHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ];
+        maxVersion = 1.3;
+        minVersion = 1.2;
+        renegotiation = false;
+      };
+
+    };
     port = 8443;
     openFirewall = true;
-    intermediatePasswordFile = "/run/keys/step-password";
+    intermediatePasswordFile = config.sops.secrets."step_ca/password".path;
   };
 }

system/modules/presets/basic.nix

@@ -26,5 +26,6 @@
     ../tmux.nix
     ../users.nix
     ../ca.nix
+    ../sops-nix.nix
   ];
 }

system/modules/presets/minimal.nix

@@ -16,5 +16,6 @@
     ../users.nix
     ../tmux.nix
     ../ca.nix
+    ../sops-nix.nix
   ];
 }

system/modules/sops-nix.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+let
+  defaultSopsFile = ../.. + "/system/dev/${config.networking.hostName}/secret.yaml";
+  ageKeyFile = "/var/lib/sops-nix/key.txt";
+in
+{
+  sops = {
+    defaultSopsFile = defaultSopsFile;
+
+    age = {
+      keyFile = ageKeyFile;
+    };
+
+    secrets = {
+      "wireguard/privateKey" = { };
+      "wireguard/conf" = { };
+      "nextcloud/adminPassword" = { };
+      "step_ca/password" = { };
+    };
+  };
+
+  environment.variables = {
+    SOPS_AGE_KEY_FILE = ageKeyFile;
+  };
+}

system/modules/wireguard.nix

@@ -1,14 +1,12 @@
 {
+  config,
   ...
 }:
-let
-  configPath = "/etc/wireguard/wg0.conf";
-in
 {
   networking = {
     firewall = {
       allowedUDPPorts = [ 51820 ];
     };
-    wg-quick.interfaces.wg0.configFile = configPath;
+    wg-quick.interfaces.wg0.configFile = config.sops.secrets."wireguard/conf".path;
   };
 }