feat(x1): add secrets management and configuration

Introduce encrypted secrets and SOPS configuration for the x1 system. Update SSH and related services to use these secrets, and update flake.lock to align with the latest dependencies.
Harald Hoyer 2025-04-04 14:54:25 +02:00
parent 600245fe27
commit 8a7ac30acf
4 changed files with 81 additions and 10 deletions


@ -1,4 +1,4 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:
with lib;
with lib.metacfg;
{
@ -7,6 +7,30 @@ with lib.metacfg;
# ./ipu.nix
];
sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
sops.secrets."wg".sopsFile = ../../../.secrets/x1/files.yaml;
sops.secrets."wg".mode = "0444";
sops.secrets."hosts".sopsFile = ../../../.secrets/x1/files.yaml;
sops.secrets."hosts".mode = "0444";
environment.etc."wg0.backup.conf".source = config.sops.secrets."wg".path;
environment.etc."hosts.backup".source = config.sops.secrets."hosts".path;
services.openssh = {
enable = true;
hostKeys = [
{
path = "/var/lib/secrets/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/var/lib/secrets/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
hardware.bluetooth.input.General.ClassicBondedOnly = false;
services.udev.extraRules = ''
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"