diff --git a/flake-parts/sops.nix b/flake-parts/sops.nix index 52689b7..19772de 100644 --- a/flake-parts/sops.nix +++ b/flake-parts/sops.nix @@ -10,13 +10,13 @@ { packages.sops-config = let - adminPublicKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5"; + adminKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5"; mkCreationRule = sopsCfg: { - path_regex = self.lib.relativePath sopsCfg.secretsFile; + path_regex = sopsCfg.secretsFile; key_groups = lib.singleton { age = [ - adminPublicKey + adminKey sopsCfg.agePublicKey ]; }; diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix index 1a3f192..2763555 100644 --- a/hosts/desktop/default.nix +++ b/hosts/desktop/default.nix @@ -10,7 +10,10 @@ boot.kernelPackages = pkgs.linuxPackages_latest; custom = { - sops.enable = true; + sops = { + enable = true; + agePublicKey = "age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc"; + }; boot = { loader.systemd-boot.enable = true; diff --git a/hosts/desktop/keys/age.pub b/hosts/desktop/keys/age.pub deleted file mode 100644 index 8a84c37..0000000 --- a/hosts/desktop/keys/age.pub +++ /dev/null @@ -1 +0,0 @@ -age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix index 4eabbf8..2ddcf5c 100644 --- a/hosts/laptop/default.nix +++ b/hosts/laptop/default.nix @@ -10,7 +10,10 @@ boot.kernelPackages = pkgs.linuxPackages_latest; custom = { - sops.enable = true; + sops = { + enable = true; + agePublicKey = "age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e"; + }; boot = { loader.systemd-boot.enable = true; diff --git a/hosts/laptop/keys/age.pub b/hosts/laptop/keys/age.pub deleted file mode 100644 index 910645d..0000000 --- a/hosts/laptop/keys/age.pub +++ /dev/null @@ -1 +0,0 @@ -age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix index 03bbcca..fae712c 100644 
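Review bot: `path_regex = sopsCfg.secretsFile;` hands a literal relative path to a field that sops evaluates as an unanchored regular expression, so the `.` in `secrets.json` matches any character and the rule also fires for any longer path that merely contains the string (for example `old/hosts/desktop/secrets.json`), which would encrypt an unrelated file to this host's key group. Escape and anchor it: `path_regex = "^${lib.escapeRegex sopsCfg.secretsFile}$";`. The `let` that defines `mkCreationRule` continues past the end of the hunk.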
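Review bot: The inline `agePublicKey` literal carries no comment on where it comes from, and with `hosts/desktop/keys/age.pub` deleted in the same commit there is no other record of its provenance in the tree. Since `modules/system/sops.nix` decrypts via `age.sshKeyPaths` pointing at `/etc/ssh/ssh_host_ed25519_key`, this recipient is presumably the ssh-to-age conversion of that host key; a one-line comment above the option, `# age recipient derived from this host's ssh_host_ed25519_key (ssh-to-age); regenerate if the host key is rotated`, would make that coupling explicit, and the same applies to the laptop and vps-* hunks. The value does match the content of the deleted `age.pub`, so no key was transposed in the move. The enclosing `custom = { ... }` set continues past the hunk.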
--- a/hosts/vps-monitor/default.nix +++ b/hosts/vps-monitor/default.nix @@ -16,7 +16,10 @@ custom = { persistence.enable = true; - sops.enable = true; + sops = { + enable = true; + agePublicKey = "age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994"; + }; boot.loader.grub.enable = true; diff --git a/hosts/vps-monitor/keys/age.pub b/hosts/vps-monitor/keys/age.pub deleted file mode 100644 index afc65a6..0000000 --- a/hosts/vps-monitor/keys/age.pub +++ /dev/null @@ -1 +0,0 @@ -age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994 diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix index 95e52d6..4ffc15f 100644 --- a/hosts/vps-private/default.nix +++ b/hosts/vps-private/default.nix @@ -16,7 +16,10 @@ custom = { persistence.enable = true; - sops.enable = true; + sops = { + enable = true; + agePublicKey = "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69"; + }; boot.loader.systemd-boot.enable = true; diff --git a/hosts/vps-private/keys/age.pub b/hosts/vps-private/keys/age.pub deleted file mode 100644 index 2ae777a..0000000 --- a/hosts/vps-private/keys/age.pub +++ /dev/null @@ -1 +0,0 @@ -age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69 diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix index c13ed39..52841f9 100644 --- a/hosts/vps-public/default.nix +++ b/hosts/vps-public/default.nix @@ -16,7 +16,10 @@ custom = { persistence.enable = true; - sops.enable = true; + sops = { + enable = true; + agePublicKey = "age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh"; + }; boot.loader.systemd-boot.enable = true; diff --git a/hosts/vps-public/keys/age.pub b/hosts/vps-public/keys/age.pub deleted file mode 100644 index ff14a0a..0000000 --- a/hosts/vps-public/keys/age.pub +++ /dev/null @@ -1 +0,0 @@ -age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh 
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix index 54c0884..9ae8915 100644 --- a/modules/system/services/nebula/default.nix +++ b/modules/system/services/nebula/default.nix @@ -42,11 +42,11 @@ in default = if cfg.routableAddress != null then 47141 else null; }; - publicKeyPath = lib.mkOption { + pubPath = lib.mkOption { type = lib.types.path; default = "${self}/hosts/${hostname}/keys/nebula.pub"; }; - certificatePath = lib.mkOption { + certPath = lib.mkOption { type = lib.types.path; default = "${self}/hosts/${hostname}/keys/nebula.crt"; }; @@ -69,7 +69,7 @@ in enable = true; ca = ./ca.crt; - cert = cfg.certificatePath; + cert = cfg.certPath; key = config.sops.secrets."nebula/host-key".path; listen.port = cfg.routablePort; diff --git a/modules/system/sops.nix b/modules/system/sops.nix index a8f25be..9234d42 100644 --- a/modules/system/sops.nix +++ b/modules/system/sops.nix @@ -7,6 +7,8 @@ }: let cfg = config.custom.sops; + + absoluteSecretsPath = "${self}/${cfg.secretsFile}"; in { imports = [ inputs.sops.nixosModules.sops ]; @@ -15,15 +17,15 @@ in enable = lib.mkEnableOption ""; agePublicKey = lib.mkOption { type = lib.types.nonEmptyStr; - default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim; + default = ""; }; secretsFile = lib.mkOption { - type = lib.types.path; - default = "${self}/hosts/${config.networking.hostName}/secrets.json"; + type = lib.types.nonEmptyStr; + default = "hosts/${config.networking.hostName}/secrets.json"; }; secrets = lib.mkOption { type = lib.types.anything; - default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON; + default = absoluteSecretsPath |> lib.readFile |> lib.strings.fromJSON; }; }; @@ -32,7 +34,7 @@ in age.sshKeyPaths = [ "${lib.optionalString config.custom.persistence.enable "/persist"}/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = cfg.secretsFile; + defaultSopsFile = absoluteSecretsPath; }; }; }
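Review bot: `default = "";` on `agePublicKey` cannot satisfy the option's own `lib.types.nonEmptyStr` type, so a host that sets `custom.sops.enable = true` without an `agePublicKey` now appears to fail with a type-check error on the default (once the value is evaluated, e.g. by the creation rule) instead of a clear "option must be set" message. Drop the default so the option is required and document it: `agePublicKey = lib.mkOption { type = lib.types.nonEmptyStr; description = "age recipient for this host's secrets; also used for its sops creation rule"; };`. `secretsFile` likewise changed from `types.path` to a plain string that is spliced as `"${self}/${cfg.secretsFile}"`, so existence is no longer checked at evaluation time until `lib.readFile` runs; a `description` stating that the value is relative to the flake root would help callers. The `options.custom.sops` set continues past the hunk.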