users in hosts

.sops.yaml

@@ -0,0 +1,11 @@
+keys:
+  - &users:
+    - &sam age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
+  - &hosts:
+    - &nixdev age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - age:
+        - *sam
+        - *nixdev

flake.lock

@@ -32,6 +32,22 @@
         "type": "indirect"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1715458492,
+        "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8e47858badee5594292921c2668c11004c3b0142",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-unstable": {
       "locked": {
         "lastModified": 1714906307,
@@ -52,7 +68,29 @@
       "inputs": {
         "home-manager": "home-manager",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1715482972,
+        "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -12,6 +12,12 @@
     # Home manager
     home-manager.url = "github:nix-community/home-manager";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    # Secrets management
+    sops-nix = {
+      url = "github:mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = {
@@ -68,7 +74,7 @@
       # FIXME replace with your username@hostname
       "sam@nixdev" = home-manager.lib.homeManagerConfiguration {
         pkgs = nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
-        extraSpecialArgs = {inherit inputs outputs;};
+        extraSpecialArgs = {inherit inputs outputs ;};
         modules = [
           # > Our main home-manager configuration file <
           ./home/sam/nixdev.nix

home/sam/common/core/default.nix

@@ -15,6 +15,7 @@
     pkgs.kitty
     pkgs.zathura
     pkgs.xfce.thunar
+    #pkgs.age
   ];
 
   programs.zsh = {

home/sam/common/optional/sops.nix

@@ -0,0 +1,23 @@
+{ inputs, config, ... }:
+let
+  secretsFile = ../../../../secrets.yaml;
+  homeDirectory = config.home.homeDirectory;
+in
+{
+  imports = [
+    inputs.sops-nix.homeManagerModules.sops
+  ];
+
+  sops = {
+    age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
+
+    defaultSopsFile = "${secretsFile}";
+    validateSopsFiles = false;
+
+    secrets = {
+      "ssh_keys/sam" = {
+        path = "${homeDirectory}/.ssh/sam";
+      };
+    };
+  };
+}

home/sam/nixdev.nix

@@ -8,6 +8,7 @@
     ./common/core
     ./common/optional/desktop/hyprland
     ./common/optional/desktop/waybar.nix
+    ./common/optional/sops.nix
   ];
 
   #  ------  

hosts/common/core/default.nix

@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+  imports = [
+    ./sops.nix
+  ];
+}

hosts/common/core/sops.nix

@@ -0,0 +1,22 @@
+{ pkgs, inputs, config, configVars, ... }:
+let
+  secretsDirectory = ../../../secrets.yaml;
+  secretsFile = "${secretsDirectory}/secrets.yaml";
+  homeDirectory = "/home/${configVars.username}";
+in
+{
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = "${secretsFile}";
+    validateSopsFiles = false;
+
+    age = {
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+  };
+}

hosts/common/optional/openssh/default.nix

@@ -0,0 +1,22 @@
+{ lib, config, ... }:
+let
+  sshPort = 22;
+in
+
+{
+  services.openssh = {
+    enable = true;
+    ports = [ sshPort ];
+
+    settings = {
+      # Harden
+      PasswordAuthentication = true;
+      PermitRootLogin = "no";
+      # Automatically remove stale sockets
+      StreamLocalBindUnlink = "yes";
+    };
+
+  };
+
+  networking.firewall.allowedTCPPorts = [ sshPort ];
+}

hosts/common/users/sam/default.nix

@@ -0,0 +1,25 @@
+{ pkgs, inputs, config, lib, ... }:
+{
+  users.users.sam = {
+    isNormalUser = true;
+    password = "nixos"; # Overridden if sops is working
+    shell = pkgs.zsh; # default shell
+
+    extraGroups = [
+      "wheel"
+      "docker"
+      "git"
+      "networkmanager"
+    ];
+
+  };
+
+  programs.zsh.enable = true;
+
+  environment.systemPackages = [
+      pkgs.rsync
+      pkgs.curl
+      pkgs.tmux
+      pkgs.neovim
+  ]; 
+}

hosts/common/users/sam/keys/laptop.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgPtDNQEN97mnrq/v9RPMUaSjLpIaF/ga/L41xETB9h0y5jdpPUMbZ6uTV6vW8Vm1YW2tzEs2l1lxb9yTrsK8hdVfz8/vWvDSbsUIJn3gOQSOTNQ+nNFFYlKqNhypK+3Mn8BD7EeJaLNK8Ahr/87PS0c/B5YN+TcntsEZpsXF7U2CCqMh559JXp1byie7DuwTYUdvjdDtCidYNphGoEljuzID+lJFBYsaa5SQFlmrr7HcQfaE/MwyxyPRryRnlO7E9k12BrL56UONYycyTf4dyK9MnhhO0wAkIoHyd46/sAdgvNrloY4I+WLjUOqKY6vys8kxG7xNcmN5XfeDJXrPMhW5N0Kz2dc/Yu8SOG8weCiz7uuDjcxYz9eK5cxKgg37A+drbgddoHTi7GCM5Q6wN2Jlig0++6Xo2CGOUKpNOmGBRGAjlIByXYWu1KFRBVclXZES/g38274gRihVk3WCbtLEUafS7wsl8ruMmecU7rhDL7fITd2hWvBkONpA7RxLlMTBfMAEXuq4hOystGZeZj7KusPG4purJDtT+3rCcl5LZ8cn4G5fvINTbXeix5pOz/TdSGNTSJW7ML2W0W6Q+2kVO0l2N/+6IA/rPa4j+AwTODBxWkWVHEBRncJ5hIh5iFz+dSnmllkwOi41tbDFmdGuDeyQ0dsq4wXrBzXGfxw== samual.shop@protonmail.com :: laptop

hosts/nixdev/default.nix

@@ -1,12 +1,21 @@
-{ inputs, config, lib, pkgs, outputs, ... }:
+{ inputs, config, lib, pkgs, outputs, configLib, ... }:
 
 {
   imports =
     [ 
+      # Import core options
       ./hardware-configuration.nix
+      ../common/core
+
+      # Import optional options
       ../common/optional/pipewire.nix
       ../common/optional/hyprland.nix
       ../common/optional/displayManager/sddm.nix
+      ../common/optional/openssh
+
+      # Create users for this host
+      ../common/users/sam
+
     ];
 
   nixpkgs = {
@@ -45,12 +54,12 @@
 
   services.libinput.enable = true;
 
-  users.users.sam = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ]; 
-  };
+#  users.users.sam = {
+#    isNormalUser = true;
+#    extraGroups = [ "wheel" ]; 
+#  };
   
-  users.users.sam.shell = pkgs.zsh;
+#  users.users.sam.shell = pkgs.zsh;
 
   environment.systemPackages = with pkgs; [
 #    curl
@@ -81,14 +90,12 @@
     enableSSHSupport = true;
   };
 
-  programs.zsh.enable = true;
-
+#  programs.zsh.enable = true;
   hardware = {
     opengl.enable = true;
     nvidia.modesetting.enable = true;
   };
 
-  services.openssh.enable = true;
 
   system.stateVersion = "23.11"; 
 

secrets.yaml

@@ -0,0 +1,32 @@
+ssh_keys:
+    sam: ENC[AES256_GCM,data:kxUxu5TLJMYfJHLm1AoFkD8xYgxyj7kE8/cEVbm/BvvzPUCe2gvwrZpdEkPBRDMyOQk569szohQ5txPXLj/dYZpAqabqDCr2yNTNPTiOZX7mUp6tH8vWUUmoMRVpJFwdHpanmC8BaKWjgR4E/X293iVQiZ4pQz5QFaMzBQtnZehwNOKgBHIc8Ll/MTu17DmzVQSxrdK/jakBwVfsdV+NTZfGEXjTC5UlvoyeIyODuIiAifvFcB6n/mxxZ4rXHBYZrC0IusDgWvJ74GdYrNaIwnQIwEkWEyhKncDBJehWvlSabsYI02nW41BSMUgA+r/Lu1KwAU83QgW74FRBeC4ZEoL2cRMPTTJP69O3TqJ3CeWOSq1kHScpsSEP/8sGoDS5rX7WQFyHky5oecZlTvjNnklRztnftXL/rsFNOSouFoaAQGU5ay+7y7K8bAsveZVyImyCdGlf+864RxL1wD/oz1DIiYE/gR19bGPRJumDlBOufEHCH0ONU+8PZwpLMMpFVZ3HEMQYsva4eKZfMd5W,iv:X0yg22/dPbSAUmTcb8lePZ403RI6oGNELTZFI6y68AQ=,tag:YfTESEm2GWJApi7LOvY8RA==,type:str]
+sam-password: ENC[AES256_GCM,data:2TObp9d8fvWWsKyTVqNqSabhmcA+ZVo5N1qmn8N15ZXhb9G4sdfkPspnCZmxZ+FttfTvNYG8ZwcDzBAx2XbR8jRwGxljZaoBXQ==,iv:mysxYtfrE8KEkK0qO1C4+FgJYuWsKvsYVMAYRD0FW/Q=,tag:5LNmkZn1msT6n18BLLP4vA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1z6a934w5cwjge2lchrs7f0a7lp6s30s3tygq3alu7z9zwc8fqs2qdnd4mv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbE1DejdDSTVhVmdrTC9r
+            Y3BLLytPem90UnUvQkpCZ3NMaFBhYytWUndzCkNUWElDOVVwc0dhWFRWL2ZFQXV4
+            Qi9PdDdqZHR2S2JkeXdEL3RQbXVQREkKLS0tIE5JcHVlTS9LellRM08wZUpiRS9Y
+            cE5LK1llSXVhYWVzUjg0Z0VoQVJIMDAKt+bCXwj6jMLiRDS+/4K3+z+8nc3lUFli
+            WWRVNOTUZT8Ckt5UjHWrZ/FOfgCupGiDD9Imsx1x37cgN0P88vib/A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age136u5hqnlp2mvepjh575yl9346wl08v9jyta9ynhqrawaqpcmldqsu5wns3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOG1jTEZYMmdFMWxzWGxE
+            cWp2QlM2N1hxYTlmN0NnRzJKczI4OWRtUW5nCmQ2YVB3SkNxVlFwL3ZVNm03K2U3
+            SFdDU1JXTXJjM1M5UzV1ckoyRGQ5R0EKLS0tIHFsSnk5VWlReW1VZmYvMW50OGJr
+            ZE90dTRDQWdUL0FXNC9IWFhKcEhocG8KF4F5wAnkwF2gfGa3jt2OHseY4NlqHqf2
+            /g2Huk8W6pni2K3XOnIrb+89JQaafI8AJgaBLl6kMrsGHx5Jqa2HjQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-12T17:16:39Z"
+    mac: ENC[AES256_GCM,data:WapNxbYGJC5P07Wh7L7N5na0k6/bNTtQLr0BZWlWBUObwVeCnP2ALBx0RcR34f5fQYGheM6W076AEmMBlmcKmGd8TFoxXikl4ZlCPumD6mp+f49V/YWSEzGKtoAKvdaG2D/1tV37INh/OV6fqyXapZkEEVc25AgjKwzYY8wdM4M=,iv:JDHwLh+Fuhs4WOmZU9/dyKbtH2dC7Adj/vt9/Tci6VM=,tag:qqjhwiYC8x6I1AkvZhyVSA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1