feat: NixOS | use sops-nix to get user password from nix-secrets

2025-02-02 17:58:24 +05:00
parent 4289c5ac2b
commit fcee2c6250
3 changed files with 68 additions and 3 deletions

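--- a/flake.lock
+++ b/flake.lock
@@ -402,6 +402,24 @@
 "type": "github"
 }
 },
+"nix-secrets": {
+"flake": false,
+"locked": {
+"lastModified": 1738498247,
+"narHash": "sha256-xMq5P/UOmLy5iaQo6/5X4JK1MNnmL7EJAfWqPmjtRMQ=",
+"ref": "main",
+"rev": "270597e8706aead70607fbed0a78366ed9c2b3c5",
+"shallow": true,
+"type": "git",
+"url": "ssh://git@git.dogar.dev/shahab/nix-secrets"
+},
+"original": {
+"ref": "main",
+"shallow": true,
+"type": "git",
+"url": "ssh://git@git.dogar.dev/shahab/nix-secrets"
+}
+},
 "nixos-hardware": {
 "locked": {
 "lastModified": 1738471961,
@@ -539,8 +557,10 @@
 "home-manager": "home-manager",
 "hyprland": "hyprland",
 "lanzaboote": "lanzaboote",
+"nix-secrets": "nix-secrets",
 "nixos-hardware": "nixos-hardware",
-"nixpkgs": "nixpkgs_2"
+"nixpkgs": "nixpkgs_2",
+"sops-nix": "sops-nix"
 }
 },
 "rust-overlay": {
@@ -564,6 +584,26 @@
 "type": "github"
 }
 },
+"sops-nix": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1738291974,
+"narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
+"owner": "Mic92",
+"repo": "sops-nix",
+"rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
+"type": "github"
+},
+"original": {
+"owner": "Mic92",
+"repo": "sops-nix",
+"type": "github"
+}
+},
 "systems": {
 "locked": {
 "lastModified": 1689347949,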


@@ -32,6 +32,12 @@
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# Secrets
nix-secrets = {
url = "git+ssh://git@git.dogar.dev/shahab/nix-secrets?shallow=1&ref=main";
flake = false;
};
}; };
outputs = { outputs = {
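Review bot: The `nix-secrets` input is copied into the Nix store, which is world-readable on the host, so this repository must only ever hold sops-encrypted material, and that constraint is not documented next to the input. I would extend the `# Secrets` comment to `# Secrets: sops-encrypted repo; its contents land in the world-readable /nix/store, so never commit plaintext here`. Because the URL is `git+ssh://`, evaluation (for example `nixos-rebuild` run through sudo) presumably needs SSH access to git.dogar.dev from the account doing the build, which is worth a second comment line. The `ref=main` query is a moving target, but flake.lock pins the rev, so reproducibility is preserved.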


@@ -2,8 +2,11 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ lib, inputs, pkgs, hostname, ... }: { config, lib, inputs, pkgs, hostname, ... }:
let
secretspath = builtins.toString inputs.nix-secrets;
in
{ {
# Bootloader. # Bootloader.
boot = { boot = {
@@ -134,6 +137,8 @@
id = ["24353659"]; id = ["24353659"];
}; };
users.mutableUsers = false;
# Define a user account. Don't forget to set a password with mkpasswd. # Define a user account. Don't forget to set a password with mkpasswd.
users.users.shahab = { users.users.shahab = {
shell = pkgs.zsh; shell = pkgs.zsh;
@@ -144,7 +149,21 @@
isNormalUser = true; isNormalUser = true;
description = "Shahab Dogar"; description = "Shahab Dogar";
extraGroups = [ "networkmanager" "wheel" "input" "libvirtd" ]; extraGroups = [ "networkmanager" "wheel" "input" "libvirtd" ];
hashedPassword = "$6$.ZlYnf2cZph4tCbM$E/JJUDirRV8MZrgX4Rh.Pi1q95tev1ZxcKjPA1I.uURv56qoWcC39MJWO9S2T5MlkPVbSLGiM8Ihfz9mERImo/"; hashedPasswordFile = config.sops.secrets.shahab_passwd.path;
};
sops = {
defaultSopsFile = "${secretspath}/secrets.yaml";
age = {
sshKeyPaths = ["/home/shahab/.ssh/id_ed25519"];
keyFile = "/home/shahab/.config/sops/age/key.txt";
generateKey = true;
};
secrets = {
shahab_passwd = {
neededForUsers = true;
};
};
}; };
# Allow unfree packages # Allow unfree packages
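Review bot: The `shahab_passwd` secret is marked `neededForUsers`, so it is decrypted early in activation, yet `sops.age.sshKeyPaths` and `keyFile` point under `/home/shahab`, which may not exist on a fresh install or before the user's home is available; with `users.mutableUsers = false` a failed decryption presumably leaves the account without a usable password. I would key this system-level secret to the host key instead: `sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];` and `keyFile = "/var/lib/sops-nix/key.txt";`, re-encrypting secrets.yaml to that recipient. The crypt hash on the removed `hashedPassword` line remains in git history, so the password it encodes should be rotated rather than only moved into sops. The enclosing `users.users.shahab` attribute set starts outside this hunk.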