From 10362bd42ba112ae7303cc55f3a569c190f1b579 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 25 Dec 2025 20:23:03 +0100
Subject: [PATCH] sops: Read age public-keys from files
---
 hosts/desktop/default.nix | 5 +----
 hosts/desktop/keys/age.pub | 1 +
 hosts/laptop/default.nix | 5 +----
 hosts/laptop/keys/age.pub | 1 +
 hosts/vps-monitor/default.nix | 5 +----
 hosts/vps-monitor/keys/age.pub | 1 +
 hosts/vps-private/default.nix | 5 +----
 hosts/vps-private/keys/age.pub | 1 +
 hosts/vps-public/default.nix | 5 +----
 hosts/vps-public/keys/age.pub | 1 +
 modules/system/sops.nix | 2 +-
 11 files changed, 11 insertions(+), 21 deletions(-)
 create mode 100644 hosts/desktop/keys/age.pub
 create mode 100644 hosts/laptop/keys/age.pub
 create mode 100644 hosts/vps-monitor/keys/age.pub
 create mode 100644 hosts/vps-private/keys/age.pub
 create mode 100644 hosts/vps-public/keys/age.pub
diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
index 2763555..1a3f192 100644
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@@ -10,10 +10,7 @@
 boot.kernelPackages = pkgs.linuxPackages_latest;
 custom = {
- sops = {
- enable = true;
- agePublicKey = "age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc";
- };
+ sops.enable = true;
 boot = {
 loader.systemd-boot.enable = true;
diff --git a/hosts/desktop/keys/age.pub b/hosts/desktop/keys/age.pub
new file mode 100644
index 0000000..8a84c37
--- /dev/null
+++ b/hosts/desktop/keys/age.pub
@@ -0,0 +1 @@
+age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix
index 2ddcf5c..4eabbf8 100644
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@@ -10,10 +10,7 @@
 boot.kernelPackages = pkgs.linuxPackages_latest;
 custom = {
- sops = {
- enable = true;
- agePublicKey = "age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e";
- };
+ sops.enable = true;
 boot = {
 loader.systemd-boot.enable = true;
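Review bot: With the `agePublicKey` literal dropped on the `- agePublicKey = ...` line, this host's sops recipient is now whatever `modules/system/sops.nix` reads from `hosts/${config.networking.hostName}/keys/age.pub`, so the directory name `hosts/desktop` has to match the evaluated `networking.hostName` exactly; the hunk does not show where `networking.hostName` is set, so that coupling is inferred. If the hostname is set elsewhere or renamed later, evaluation either fails on a missing file or, if another host directory carries that name, encrypts this host's secrets to a different machine's public key with no hint in this file. Consider keeping the coupling visible with a comment next to the new line, e.g. `# age recipient is read from ./keys/age.pub, selected by networking.hostName`. The laptop hunk on this line and the vps-monitor, vps-private and vps-public hunks below have the same dependency. The enclosing `custom` attribute set closes outside the hunk.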
diff --git a/hosts/laptop/keys/age.pub b/hosts/laptop/keys/age.pub
new file mode 100644
index 0000000..910645d
--- /dev/null
+++ b/hosts/laptop/keys/age.pub
@@ -0,0 +1 @@
+age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix
index fae712c..03bbcca 100644
--- a/hosts/vps-monitor/default.nix
+++ b/hosts/vps-monitor/default.nix
@@ -16,10 +16,7 @@
 custom = {
 persistence.enable = true;
- sops = {
- enable = true;
- agePublicKey = "age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994";
- };
+ sops.enable = true;
 boot.loader.grub.enable = true;
diff --git a/hosts/vps-monitor/keys/age.pub b/hosts/vps-monitor/keys/age.pub
new file mode 100644
index 0000000..afc65a6
--- /dev/null
+++ b/hosts/vps-monitor/keys/age.pub
@@ -0,0 +1 @@
+age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994
diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix
index 4ffc15f..95e52d6 100644
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@@ -16,10 +16,7 @@
 custom = {
 persistence.enable = true;
- sops = {
- enable = true;
- agePublicKey = "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69";
- };
+ sops.enable = true;
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/vps-private/keys/age.pub b/hosts/vps-private/keys/age.pub
new file mode 100644
index 0000000..2ae777a
--- /dev/null
+++ b/hosts/vps-private/keys/age.pub
@@ -0,0 +1 @@
+age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69
diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix
index 52841f9..c13ed39 100644
--- a/hosts/vps-public/default.nix
+++ b/hosts/vps-public/default.nix
@@ -16,10 +16,7 @@
 custom = {
 persistence.enable = true;
- sops = {
- enable = true;
- agePublicKey = "age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh";
- };
+ sops.enable = true;
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/vps-public/keys/age.pub b/hosts/vps-public/keys/age.pub
new file mode 100644
index 0000000..ff14a0a
--- /dev/null
+++ b/hosts/vps-public/keys/age.pub
@@ -0,0 +1 @@
+age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 9234d42..88661bf 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@@ -17,7 +17,7 @@ in
 enable = lib.mkEnableOption "";
 agePublicKey = lib.mkOption {
 type = lib.types.nonEmptyStr;
- default = "";
+ default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
 };
 secretsFile = lib.mkOption {
 type = lib.types.nonEmptyStr;
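Review bot: The new `default = ... |> lib.readFile |> lib.trim;` line fails evaluation with a bare `readFile` error on any host that enables the module without a `keys/age.pub`, and since `${self}` is presumably the flake's own source, an `age.pub` that exists on disk but is not tracked by git is not copied into the store and fails the same way; an entry in `assertions` checking `builtins.pathExists` on that path and naming it in the message would make both cases readable. The option also keeps `type = lib.types.nonEmptyStr`, so a truncated or wrong file is accepted as the recipient and secrets get encrypted to it silently; `lib.types.strMatching "^age1[a-z0-9]+$"` would reject that at evaluation time (age recipients are bech32-encoded — confirm the exact alphabet before tightening further). Because the default is now computed from the host, add `defaultText = lib.literalMD "trimmed contents of hosts/<hostName>/keys/age.pub from the flake";` so the option documentation does not try to render the read value. `|>` needs the experimental `pipe-operators` feature, so `lib.trim (lib.readFile ...)` is the portable spelling unless the flake already pins a Nix that enables it. The enclosing option set starts and ends outside the hunk.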