diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index 825333b..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-keys:
- - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
-
- - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
-
-creation_rules:
- - path_regex nixos/machines/nyarlathotep/.*
- key_groups:
- - age:
- *nerf
- *nyarlathotep
- # this is the catchall clause if nothing above machtes. Encrypt to users but not
- # to machines
- - key_groups:
- - age:
- *nerf
diff --git a/README.md b/README.md
index 44e28aa..03dc6fa 100644
--- a/README.md
+++ b/README.md
@@ -11,28 +11,3 @@ nix build .#nixosConfiguration..config.system.build.toplevel
 ### On the machine
 clone this repo to `/etc/nixos/` and `nixos-rebuild` that will select the appropriate machine based on hostname
-
-
-### sops
-
-We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix)
-As of right now we use only `age` keys.
-The machine keys are derived from their server ssh keys, that they generate at first boot.
-User keys are generated by the users.
-New keys and machines need entries into the `.sops.yaml` file within the root directory of this repo.
-
-To make a secret available on a given machine you need to do the following. Configure the following keys
-
-```
-sops.secrets.example-key = {
- sopsFile = "relative path to file in the repo containing the secrets (optional else the sops.defaultSopsFile is used)
- path = "optinal path where the secret gets symlinked to, practical if some programm expects a specific path"
- owner = user that owns the secret file: config.users.users.nerf.name (for example)
- group = same as user just with groups: config.users.users.nerf.group
- mode = "premission in usual octet: 0400 (for example)"
-```
-afterwards the secret should be available in `/run/secrets/example-key`.
-If the accessing process is not root it must be member of the group `config.users.groups.keys`
-for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
-it the service config.
-
diff --git a/flake.lock b/flake.lock
index e3f7e40..4f71017 100644
--- a/flake.lock
+++ b/flake.lock
@@ -104,49 +104,11 @@
 "type": "github"
 }
 },
- "nixpkgs-stable": {
- "locked": {
- "lastModified": 1694908564,
- "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "596611941a74be176b98aeba9328aa9d01b8b322",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "release-23.05",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "root": {
 "inputs": {
 "flake-parts": "flake-parts",
 "nixos-mailserver": "nixos-mailserver",
- "nixpkgs": "nixpkgs",
- "sops-nix": "sops-nix"
- }
- },
- "sops-nix": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ],
- "nixpkgs-stable": "nixpkgs-stable"
- },
- "locked": {
- "lastModified": 1695284550,
- "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
- "owner": "Mic92",
- "repo": "sops-nix",
- "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
- "type": "github"
- },
- "original": {
- "owner": "Mic92",
- "repo": "sops-nix",
- "type": "github"
+ "nixpkgs": "nixpkgs"
 }
 },
 "utils": {
diff --git a/flake.nix b/flake.nix
index 727dd91..d2c7384 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,10 +10,6 @@
 nixpkgs.follows = "";
 };
 };
- sops-nix = {
- url = "github:Mic92/sops-nix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
 };
 outputs = inputs@{ flake-parts, ... }:
diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix
index ef87e41..cca5849 100644
--- a/nixos/flake-module.nix
+++ b/nixos/flake-module.nix
@@ -11,7 +11,7 @@
 pkgs.nixos {
 imports = [
 (import (./. + "/machines/${name}/configuration.nix") inputs)
- inputs.sops-nix.nixosModules.sops
+ # inputs.secrets.nixosModules.default
 ];
 };
 in lib.genAttrs machines makeSystem);
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
deleted file mode 100644
index 3c24242..0000000
--- a/nixos/roles/default.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ ... } : {
-
-sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-}
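Review bot: The added line `# inputs.secrets.nixosModules.default` in nixos/flake-module.nix refers to an input `secrets` that no hunk in this commit defines (the flake.nix hunk only removes `sops-nix`), so it reads as a dangling leftover rather than a plan; either drop it or replace it with a comment that says what is intended, e.g. `# secrets management removed together with sops-nix; re-add a secrets module here once a replacement input exists`. With `inputs.sops-nix.nixosModules.sops` no longer imported, any `sops.secrets.*` or `sops.defaultSopsFile` settings that still live in the per-machine `configuration.nix` imported on the line above (not shown in this diff) will presumably fail evaluation as undefined options, so those should be checked in the same change. Note that the deleted `.sops.yaml` held only age public keys and the deleted `nixos/roles/default.nix` only named the host key path, so nothing secret leaves the repo here; the follow-up risk is that whatever used to be read from `/run/secrets/...` gets reintroduced as plain files in the repo or the Nix store, which has no equivalent of the `owner`/`group`/`mode` controls the removed README section described. The enclosing `makeSystem` binding appears to start before the hunk, as the trailing `in lib.genAttrs machines makeSystem` suggests.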