From 1d47409d96f305bde054dd7a05933af4df5093e5 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 22 Jan 2026 16:48:59 +0900 Subject: [PATCH] base: configure sops --- base/default.nix | 5 +++-- base/sops.nix | 12 ++++++++++++ hosts/bakke/configuration.nix | 5 ----- hosts/bekkalokk/configuration.nix | 5 ----- hosts/bicep/configuration.nix | 5 ----- hosts/ildkule/configuration.nix | 5 ----- hosts/kommode/configuration.nix | 5 ----- hosts/lupine/configuration.nix | 3 --- hosts/shark/configuration.nix | 5 ----- hosts/skrott/configuration.nix | 5 ----- hosts/temmie/configuration.nix | 5 ----- hosts/ustetind/configuration.nix | 5 ----- hosts/wenche/configuration.nix | 5 ----- 13 files changed, 15 insertions(+), 55 deletions(-) create mode 100644 base/sops.nix diff --git a/base/default.nix b/base/default.nix index 91d7414..5a334b2 100644 --- a/base/default.nix +++ b/base/default.nix @@ -10,11 +10,12 @@ (fp /users) (fp /modules/snakeoil-certs.nix) + ./flake-input-exporter.nix ./networking.nix ./nix.nix - ./vm.nix - ./flake-input-exporter.nix ./programs.nix + ./sops.nix + ./vm.nix ./services/acme.nix ./services/auto-upgrade.nix diff --git a/base/sops.nix b/base/sops.nix new file mode 100644 index 0000000..a050f79 --- /dev/null +++ b/base/sops.nix @@ -0,0 +1,12 @@ +{ config, fp, lib, ... }: +{ + sops.defaultSopsFile = let + secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml; + in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath; + + sops.age = lib.mkIf (config.sops.defaultSopsFile != null) { + sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; + keyFile = "/var/lib/sops-nix/key.txt"; + generateKey = true; + }; +} diff --git a/hosts/bakke/configuration.nix b/hosts/bakke/configuration.nix index 5805a43..5478f9f 100644 --- a/hosts/bakke/configuration.nix +++ b/hosts/bakke/configuration.nix 
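Review bot: The guard `lib.mkIf (config.sops.defaultSopsFile != null)` in the new base/sops.nix reads an option that, as far as I know, sops-nix declares as `types.path` with no default, so on a host whose `secrets/<hostName>/<hostName>.yaml` does not exist the `mkIf false` leaves it undefined and the comparison is likely to fail with a "used but not defined" evaluation error rather than evaluate to `false`. Hoisting the `builtins.pathExists` check into a module-level `let` and using the same boolean for both `sops.defaultSopsFile` and `sops.age` keeps the two settings in agreement without reading the option back; the rewrite is below. Only `sshKeyPaths` is wrapped in `lib.mkDefault`, so a host that needs a different `keyFile` or `generateKey = false` will have to `lib.mkForce` it, and lupine's configuration (hunk further down) still defines `sops.defaultSopsFile` itself, which only merges cleanly with the base definition if the two paths are identical.
```nix
{ config, fp, lib, ... }:
let
  # Per-host secrets file; the module stays inert when it is absent.
  secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
  hasSecretsFile = builtins.pathExists secretsFilePath;
in
{
  sops.defaultSopsFile = lib.mkIf hasSecretsFile secretsFilePath;

  sops.age = lib.mkIf hasSecretsFile {
    # … unchanged: sshKeyPaths, keyFile, generateKey …
  };
}
```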
@@ -6,11 +6,6 @@ ./filesystems.nix ]; - sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - networking.hostId = "99609ffc"; systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { matchConfig.Name = "enp2s0"; diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix index 4fe7968..d1ced94 100644 --- a/hosts/bekkalokk/configuration.nix +++ b/hosts/bekkalokk/configuration.nix @@ -19,11 +19,6 @@ ./services/qotd ]; - sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { matchConfig.Name = "enp2s0"; address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ]; diff --git a/hosts/bicep/configuration.nix b/hosts/bicep/configuration.nix index bef51ee..913c193 100644 --- a/hosts/bicep/configuration.nix +++ b/hosts/bicep/configuration.nix @@ -15,11 +15,6 @@ ./services/matrix ]; - sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // { systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { #matchConfig.Name = "enp6s0f0"; diff --git a/hosts/ildkule/configuration.nix b/hosts/ildkule/configuration.nix index e684285..0a7192c 100644 --- a/hosts/ildkule/configuration.nix +++ b/hosts/ildkule/configuration.nix 
@@ -10,11 +10,6 @@ ./services/journald-remote.nix ]; - sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - boot.loader.systemd-boot.enable = false; boot.loader.grub.device = "/dev/vda"; boot.tmp.cleanOnBoot = true; diff --git a/hosts/kommode/configuration.nix b/hosts/kommode/configuration.nix index 9a4f63f..ab32558 100644 --- a/hosts/kommode/configuration.nix +++ b/hosts/kommode/configuration.nix @@ -9,11 +9,6 @@ ./services/nginx.nix ]; - sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { matchConfig.Name = "ens18"; address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ]; diff --git a/hosts/lupine/configuration.nix b/hosts/lupine/configuration.nix index 81cbefa..43d35c1 100644 --- a/hosts/lupine/configuration.nix +++ b/hosts/lupine/configuration.nix @@ -9,9 +9,6 @@ ]; sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // { matchConfig.Name = "enp0s31f6"; diff --git a/hosts/shark/configuration.nix b/hosts/shark/configuration.nix index efcb0f8..5036782 100644 --- a/hosts/shark/configuration.nix +++ b/hosts/shark/configuration.nix 
@@ -6,11 +6,6 @@ (fp /base) ]; - sops.defaultSopsFile = fp /secrets/shark/shark.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { matchConfig.Name = "ens18"; address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ]; diff --git a/hosts/skrott/configuration.nix b/hosts/skrott/configuration.nix index ca9435b..58aac60 100644 --- a/hosts/skrott/configuration.nix +++ b/hosts/skrott/configuration.nix @@ -22,11 +22,6 @@ # TODO: can we reduce further? - sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - sops.secrets = { "dibbler/postgresql/url" = { owner = "dibbler"; diff --git a/hosts/temmie/configuration.nix b/hosts/temmie/configuration.nix index 9ae5f85..ba9930f 100644 --- a/hosts/temmie/configuration.nix +++ b/hosts/temmie/configuration.nix @@ -8,11 +8,6 @@ ./services/nfs-mounts.nix ]; - # sops.defaultSopsFile = fp /secrets/shark/shark.yaml; - # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - # sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - # sops.age.generateKey = true; - systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { matchConfig.Name = "ens18"; address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ]; diff --git a/hosts/ustetind/configuration.nix b/hosts/ustetind/configuration.nix index 23dbfb3..acbdcda 100644 --- a/hosts/ustetind/configuration.nix +++ b/hosts/ustetind/configuration.nix 
@@ -7,11 +7,6 @@ ./services/gitea-runners.nix ]; - sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - boot.loader.systemd-boot.enable = false; networking.useHostResolvConf = lib.mkForce false; diff --git a/hosts/wenche/configuration.nix b/hosts/wenche/configuration.nix index 7309143..00b94a3 100644 --- a/hosts/wenche/configuration.nix +++ b/hosts/wenche/configuration.nix @@ -14,11 +14,6 @@ "armv7l-linux" ]; - sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - sops.age.generateKey = true; - boot.loader.systemd-boot.enable = false; boot.loader.grub.device = "/dev/sda";