diff --git a/flake-parts/sops.nix b/flake-parts/sops.nix
index 19772de..52689b7 100644
--- a/flake-parts/sops.nix
+++ b/flake-parts/sops.nix
@@ -10,13 +10,13 @@
 {
 packages.sops-config = let
- adminKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
+ adminPublicKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
 mkCreationRule = sopsCfg: {
- path_regex = sopsCfg.secretsFile;
+ path_regex = self.lib.relativePath sopsCfg.secretsFile;
 key_groups = lib.singleton {
 age = [
- adminKey
+ adminPublicKey
 sopsCfg.agePublicKey
 ];
 };
diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
index 2763555..1a3f192 100644
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@@ -10,10 +10,7 @@
 boot.kernelPackages = pkgs.linuxPackages_latest;
 custom = {
- sops = {
- enable = true;
- agePublicKey = "age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc";
- };
+ sops.enable = true;
 boot = {
 loader.systemd-boot.enable = true;
diff --git a/hosts/desktop/keys/age.pub b/hosts/desktop/keys/age.pub
new file mode 100644
index 0000000..8a84c37
--- /dev/null
+++ b/hosts/desktop/keys/age.pub
@@ -0,0 +1 @@
+age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix
index 2ddcf5c..4eabbf8 100644
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@@ -10,10 +10,7 @@
 boot.kernelPackages = pkgs.linuxPackages_latest;
 custom = {
- sops = {
- enable = true;
- agePublicKey = "age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e";
- };
+ sops.enable = true;
 boot = {
 loader.systemd-boot.enable = true;
diff --git a/hosts/laptop/keys/age.pub b/hosts/laptop/keys/age.pub
new file mode 100644
index 0000000..910645d
--- /dev/null
+++ b/hosts/laptop/keys/age.pub
@@ -0,0 +1 @@
+age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix
index fae712c..03bbcca 100644
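Review bot: `path_regex` is matched by sops as a regular expression, but the value assigned on the line `+ path_regex = self.lib.relativePath sopsCfg.secretsFile;` is a bare file path, so the `.` in `secrets.json` matches any character and the pattern is unanchored; `self.lib.relativePath` is not visible here and is presumably the repo-relative string derived from the new `${self}/…` default of `secretsFile`. Escaping and anchoring keeps each creation rule from also matching unrelated files with a similar name: `path_regex = "^" + lib.escapeRegex (self.lib.relativePath sopsCfg.secretsFile) + "$";`. The `let` block that defines `adminPublicKey` and `mkCreationRule` continues outside the hunk, so the list of rules this helper feeds is not shown.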
--- a/hosts/vps-monitor/default.nix
+++ b/hosts/vps-monitor/default.nix
@@ -16,10 +16,7 @@
 custom = {
 persistence.enable = true;
- sops = {
- enable = true;
- agePublicKey = "age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994";
- };
+ sops.enable = true;
 boot.loader.grub.enable = true;
diff --git a/hosts/vps-monitor/keys/age.pub b/hosts/vps-monitor/keys/age.pub
new file mode 100644
index 0000000..afc65a6
--- /dev/null
+++ b/hosts/vps-monitor/keys/age.pub
@@ -0,0 +1 @@
+age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994
diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix
index 4ffc15f..95e52d6 100644
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@@ -16,10 +16,7 @@
 custom = {
 persistence.enable = true;
- sops = {
- enable = true;
- agePublicKey = "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69";
- };
+ sops.enable = true;
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/vps-private/keys/age.pub b/hosts/vps-private/keys/age.pub
new file mode 100644
index 0000000..2ae777a
--- /dev/null
+++ b/hosts/vps-private/keys/age.pub
@@ -0,0 +1 @@
+age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69
diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix
index 52841f9..c13ed39 100644
--- a/hosts/vps-public/default.nix
+++ b/hosts/vps-public/default.nix
@@ -16,10 +16,7 @@
 custom = {
 persistence.enable = true;
- sops = {
- enable = true;
- agePublicKey = "age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh";
- };
+ sops.enable = true;
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/vps-public/keys/age.pub b/hosts/vps-public/keys/age.pub
new file mode 100644
index 0000000..ff14a0a
--- /dev/null
+++ b/hosts/vps-public/keys/age.pub
@@ -0,0 +1 @@
+age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 9ae8915..54c0884 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -42,11 +42,11 @@ in
 default = if cfg.routableAddress != null then 47141 else null;
 };
- pubPath = lib.mkOption {
+ publicKeyPath = lib.mkOption {
 type = lib.types.path;
 default = "${self}/hosts/${hostname}/keys/nebula.pub";
 };
- certPath = lib.mkOption {
+ certificatePath = lib.mkOption {
 type = lib.types.path;
 default = "${self}/hosts/${hostname}/keys/nebula.crt";
 };
@@ -69,7 +69,7 @@ in
 enable = true;
 ca = ./ca.crt;
- cert = cfg.certPath;
+ cert = cfg.certificatePath;
 key = config.sops.secrets."nebula/host-key".path;
 listen.port = cfg.routablePort;
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 9234d42..a8f25be 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@@ -7,8 +7,6 @@
 }: let
 cfg = config.custom.sops;
-
- absoluteSecretsPath = "${self}/${cfg.secretsFile}";
 in {
 imports = [ inputs.sops.nixosModules.sops ];
@@ -17,15 +15,15 @@ in
 enable = lib.mkEnableOption "";
 agePublicKey = lib.mkOption {
 type = lib.types.nonEmptyStr;
- default = "";
+ default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
 };
 secretsFile = lib.mkOption {
- type = lib.types.nonEmptyStr;
- default = "hosts/${config.networking.hostName}/secrets.json";
+ type = lib.types.path;
+ default = "${self}/hosts/${config.networking.hostName}/secrets.json";
 };
 secrets = lib.mkOption {
 type = lib.types.anything;
- default = absoluteSecretsPath |> lib.readFile |> lib.strings.fromJSON;
+ default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
 };
 };
@@ -34,7 +32,7 @@ in
 age.sshKeyPaths = [ "${lib.optionalString config.custom.persistence.enable "/persist"}/etc/ssh/ssh_host_ed25519_key" ];
- defaultSopsFile = absoluteSecretsPath;
+ defaultSopsFile = cfg.secretsFile;
 };
 };
 }
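Review bot: The new default `+ default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;` in the `@@ -17,15 +15,15 @@` hunk of modules/system/sops.nix couples the recipient key to `networking.hostName`, so a host whose hostName differs from its `hosts/<name>` directory may read a different directory's key or fail inside `lib.readFile` with a bare missing-file error, and none of the three options in this hunk carries a `description` saying where the value comes from. Suggest `description = "age recipient public key for this host; defaults to the trimmed contents of hosts/<networking.hostName>/keys/age.pub.";` on `agePublicKey`, with matching one-line descriptions on `secretsFile` and `secrets`. A missing key file would fail more readably with an explicit check before the read, e.g. `lib.throwIfNot (lib.pathExists keyFile) "custom.sops: no keys/age.pub for host ${config.networking.hostName}"`, where `keyFile` is the path string above bound in the module's `let`. The enclosing `options.custom.sops` attribute set opens before this hunk and the `config` block that consumes `cfg.secretsFile` follows in the last hunk.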