From 10362bd42ba112ae7303cc55f3a569c190f1b579 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 25 Dec 2025 20:23:03 +0100
Subject: [PATCH 1/3] sops: Read age public-keys from files
---
 hosts/desktop/default.nix | 5 +----
 hosts/desktop/keys/age.pub | 1 +
 hosts/laptop/default.nix | 5 +----
 hosts/laptop/keys/age.pub | 1 +
 hosts/vps-monitor/default.nix | 5 +----
 hosts/vps-monitor/keys/age.pub | 1 +
 hosts/vps-private/default.nix | 5 +----
 hosts/vps-private/keys/age.pub | 1 +
 hosts/vps-public/default.nix | 5 +----
 hosts/vps-public/keys/age.pub | 1 +
 modules/system/sops.nix | 2 +-
 11 files changed, 11 insertions(+), 21 deletions(-)
 create mode 100644 hosts/desktop/keys/age.pub
 create mode 100644 hosts/laptop/keys/age.pub
 create mode 100644 hosts/vps-monitor/keys/age.pub
 create mode 100644 hosts/vps-private/keys/age.pub
 create mode 100644 hosts/vps-public/keys/age.pub
diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
index 2763555..1a3f192 100644
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@@ -10,10 +10,7 @@
 boot.kernelPackages = pkgs.linuxPackages_latest;
 custom = {
- sops = {
- enable = true;
- agePublicKey = "age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc";
- };
+ sops.enable = true;
 boot = {
 loader.systemd-boot.enable = true;
diff --git a/hosts/desktop/keys/age.pub b/hosts/desktop/keys/age.pub
new file mode 100644
index 0000000..8a84c37
--- /dev/null
+++ b/hosts/desktop/keys/age.pub
@@ -0,0 +1 @@
+age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix
index 2ddcf5c..4eabbf8 100644
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@@ -10,10 +10,7 @@
 boot.kernelPackages = pkgs.linuxPackages_latest;
 custom = {
- sops = {
- enable = true;
- agePublicKey = "age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e";
- };
+ sops.enable = true;
 boot = {
 loader.systemd-boot.enable = true;
diff --git a/hosts/laptop/keys/age.pub b/hosts/laptop/keys/age.pub
new file mode 100644
index 0000000..910645d
--- /dev/null
+++ b/hosts/laptop/keys/age.pub
@@ -0,0 +1 @@
+age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix
index fae712c..03bbcca 100644
--- a/hosts/vps-monitor/default.nix
+++ b/hosts/vps-monitor/default.nix
@@ -16,10 +16,7 @@
 custom = {
 persistence.enable = true;
- sops = {
- enable = true;
- agePublicKey = "age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994";
- };
+ sops.enable = true;
 boot.loader.grub.enable = true;
diff --git a/hosts/vps-monitor/keys/age.pub b/hosts/vps-monitor/keys/age.pub
new file mode 100644
index 0000000..afc65a6
--- /dev/null
+++ b/hosts/vps-monitor/keys/age.pub
@@ -0,0 +1 @@
+age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994
diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix
index 4ffc15f..95e52d6 100644
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@@ -16,10 +16,7 @@
 custom = {
 persistence.enable = true;
- sops = {
- enable = true;
- agePublicKey = "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69";
- };
+ sops.enable = true;
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/vps-private/keys/age.pub b/hosts/vps-private/keys/age.pub
new file mode 100644
index 0000000..2ae777a
--- /dev/null
+++ b/hosts/vps-private/keys/age.pub
@@ -0,0 +1 @@
+age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69
diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix
index 52841f9..c13ed39 100644
--- a/hosts/vps-public/default.nix
+++ b/hosts/vps-public/default.nix
@@ -16,10 +16,7 @@
 custom = {
 persistence.enable = true;
- sops = {
- enable = true;
- agePublicKey = "age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh";
- };
+ sops.enable = true;
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/vps-public/keys/age.pub b/hosts/vps-public/keys/age.pub
new file mode 100644
index 0000000..ff14a0a
--- /dev/null
+++ b/hosts/vps-public/keys/age.pub
@@ -0,0 +1 @@
+age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 9234d42..88661bf 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@@ -17,7 +17,7 @@ in
 enable = lib.mkEnableOption "";
 agePublicKey = lib.mkOption {
 type = lib.types.nonEmptyStr;
- default = "";
+ default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
 };
 secretsFile = lib.mkOption {
 type = lib.types.nonEmptyStr;
From 21b4e0461333d10f1cff344018d9dd3a8f67dddd Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 25 Dec 2025 20:27:13 +0100
Subject: [PATCH 2/3] nebula: Rename options for public key and certificate paths for clarity
---
 modules/system/services/nebula/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 9ae8915..54c0884 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -42,11 +42,11 @@ in
 default = if cfg.routableAddress != null then 47141 else null;
 };
- pubPath = lib.mkOption {
+ publicKeyPath = lib.mkOption {
 type = lib.types.path;
 default = "${self}/hosts/${hostname}/keys/nebula.pub";
 };
- certPath = lib.mkOption {
+ certificatePath = lib.mkOption {
 type = lib.types.path;
 default = "${self}/hosts/${hostname}/keys/nebula.crt";
 };
@@ -69,7 +69,7 @@ in
 enable = true;
 ca = ./ca.crt;
- cert = cfg.certPath;
+ cert = cfg.certificatePath;
 key = config.sops.secrets."nebula/host-key".path;
 listen.port = cfg.routablePort;
From 1170bbf857072c3124286114e558eba13b517c4b Mon Sep 17 00:00:00 2001
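Review bot: The new `agePublicKey` default on the `+ default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;` line passes whatever that file contains on to the sops creation rules as an age recipient, and `lib.types.nonEmptyStr` only rejects an empty file, so a stray comment line, a key of the wrong type or a misplaced private key in `keys/age.pub` would pass the module and only surface when sops is invoked. Now that the value comes from a file rather than a literal, tightening the option type to the recipient format catches that at evaluation time, e.g. `type = lib.types.strMatching "age1[a-z0-9]{58}";` (pattern constructed from the recipients in this patch; confirm against the age recipient encoding before relying on it). A host without a `keys/age.pub` now fails inside `lib.readFile` rather than with an option-type error naming the option, so a `description` stating that the key is read from `hosts/<hostName>/keys/age.pub` would make that failure easier to diagnose. The enclosing option declarations continue past the end of the hunk.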
From: SebastianStork
Date: Thu, 25 Dec 2025 21:06:56 +0100
Subject: [PATCH 3/3] sops: Turn `secretsFile` into an absolute path
---
 flake-parts/sops.nix | 6 +++---
 modules/system/sops.nix | 10 ++++------
 2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/flake-parts/sops.nix b/flake-parts/sops.nix
index 19772de..52689b7 100644
--- a/flake-parts/sops.nix
+++ b/flake-parts/sops.nix
@@ -10,13 +10,13 @@
 {
 packages.sops-config =
 let
- adminKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
+ adminPublicKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
 mkCreationRule = sopsCfg: {
- path_regex = sopsCfg.secretsFile;
+ path_regex = self.lib.relativePath sopsCfg.secretsFile;
 key_groups = lib.singleton {
 age = [
- adminKey
+ adminPublicKey
 sopsCfg.agePublicKey
 ];
 };
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 88661bf..a8f25be 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@@ -7,8 +7,6 @@
 }:
 let
 cfg = config.custom.sops;
-
- absoluteSecretsPath = "${self}/${cfg.secretsFile}";
 in
 {
 imports = [ inputs.sops.nixosModules.sops ];
@@ -20,12 +18,12 @@ in
 default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
 };
 secretsFile = lib.mkOption {
- type = lib.types.nonEmptyStr;
- default = "hosts/${config.networking.hostName}/secrets.json";
+ type = lib.types.path;
+ default = "${self}/hosts/${config.networking.hostName}/secrets.json";
 };
 secrets = lib.mkOption {
 type = lib.types.anything;
- default = absoluteSecretsPath |> lib.readFile |> lib.strings.fromJSON;
+ default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
 };
 };
@@ -34,7 +32,7 @@ in
 age.sshKeyPaths = [
 "${lib.optionalString config.custom.persistence.enable "/persist"}/etc/ssh/ssh_host_ed25519_key"
 ];
- defaultSopsFile = absoluteSecretsPath;
+ defaultSopsFile = cfg.secretsFile;
 };
 };
 }
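Review bot: `path_regex` is interpreted by sops as a regular expression, but the value on the `+ path_regex = self.lib.relativePath sopsCfg.secretsFile;` line is a literal relative path that is neither escaped nor anchored: the `.` in `secrets.json` matches any character and the rule also matches any longer path that merely contains `hosts/<name>/secrets.json` as a substring. Since sops uses the first creation rule whose regex matches, that rule decides which age recipients a newly created file is encrypted to, so it should match exactly, e.g. `path_regex = "^${lib.escapeRegex (self.lib.relativePath sopsCfg.secretsFile)}$";`. The old relative string had the same weakness, but the commit is rewriting exactly this line. `self.lib.relativePath` is defined outside this patch; I am assuming it returns a plain path string relative to the flake root.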
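Review bot: `secretsFile` is now typed `lib.types.path` on the `+ type = lib.types.path;` line, which accepts any string or path value starting with `/` and checks nothing else, yet the value has to lie inside the flake source: `flake-parts/sops.nix` turns it into a creation-rule `path_regex` via `self.lib.relativePath`, and the `secrets` default reads it with `lib.readFile` at evaluation time. A host overriding it with a path outside `self` would pass the type check and fail somewhere less obvious, and the option carries no `description` that states this constraint. I would add one such as `description = "Absolute path to this host's sops secrets file. It must live inside the flake source, since the sops creation rule in flake-parts/sops.nix is derived from its path relative to self.";`. The enclosing option declarations start before the hunk.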