nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

secrets,nix: add nix access tokens

Browse source
This commit is contained in:
Guanran Wang 2023-10-15 15:44:55 +08:00
parent 5bd2c3dbde
commit 87ad449cc2
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
2 changed files with 11 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
users/guanranwang/nixos.nix
View file

@ -4,7 +4,7 @@
users.users."guanranwang" = {
isNormalUser = true;
description = "Guanran Wang";
extraGroups = [ "wheel" "networkmanager" "tss" ]; # tss = access to tpm devices
extraGroups = [ "wheel" "networkmanager" "tss" "nix-access-tokens" ]; # tss = access to tpm devices
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
shell = pkgs.fish;
packages = [];
@ -22,6 +22,8 @@
### home-manager
home-manager.users.guanranwang = import ./home-manager/nixos;
### sops-nix
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
users.groups."nix-access-tokens" = {};
sops = {
defaultSopsFile = ./secrets/secrets.yaml;
age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
@ -29,8 +31,11 @@
secrets = {
"hashed-passwd".neededForUsers = true; # Hashed user password
"wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
"nix-access-tokens" = {
group = config.users.groups."nix-access-tokens".name;
mode = "0440";
};
"clash-config" = { # Clash.Meta configuration
#mode = "0444"; # readable
owner = config.users.users."clash-meta".name;
group = config.users.users."clash-meta".group;
restartUnits = [ "clash-meta.service" ];

6
users/guanranwang/secrets/secrets.yaml
View file

@ -1,5 +1,7 @@
#ENC[AES256_GCM,data:foyB70p8iklGCcX/ybRiMKVWDohm,iv:d42fIurrsZ3wL7e6dowyMXyN1dduRQWNKeqM1AKPzDk=,tag:LXUJOv4GOmI+6l2qcMwBUQ==,type:comment]
hashed-passwd: ENC[AES256_GCM,data:aXK4GlXTJAHjw/fpwBYWUnKtaHhxYI/anpQZgUI8tYoSw7qRhAdfO84FoUSEGvqin0889dmtXGqFErBK1Q8TQpBh5DX2VVmeWg==,iv:rs2uBRdhKBUrwFIgJrAgt1lqyyDTP1HXNQvy3k3ANTc=,tag:aTIA9fB7MUNI0tNkBxLQJg==,type:str]
#ENC[AES256_GCM,data:+EOgpndwI/KdAI7qsh6w35gx,iv:mhr3AuN/zpkSnXSwDcAHeNz71l/XBYGnIAeTiC5Rldo=,tag:2XW+tocIkD1tYrXluxD0iQ==,type:comment]
nix-access-tokens: ENC[AES256_GCM,data:jbh84h/tNCj85Vaq0DiffrxzBWyKgGZsmhj3D/D7Iod6wXnXkY+vctJLgo6h4BVEU6PXVIMWFJzTovjkgmzOCA+jWXw1RBl3XskwLLY9uRArHi77Dfxm1k/ZnPL6T77ZnHVwYBbzxf3+zoFLCcrWZWqHkIcFOoMd,iv:LJED9JArmGPP9AIfXHhUiicDSa8DyP1cV2POhdTM+CY=,tag:4NJK+KAw1q2iQ0ZnreQuAA==,type:str]
#ENC[AES256_GCM,data:Twmef9H4w9Ay/RrX9jWay1Bj3b8=,iv:ZFSSskG0NNSpJ/0MbUIUZtaYT6haq4pH/A9RsuoFqks=,tag:4A3AmDjzMGwHT96fy00k0A==,type:comment]
wireless:
home: ENC[AES256_GCM,data:JTJVamFEmSIdVCJZcitgBCY4M3Gfg8T/F+LTed8TclIjeVEATc3vci6PoBvuuE6JTThowKm7quP8Q5Sn0ZdIn/j6/XOMo/mfh5zXAqQ5Q55xTym9mO3RCaeYdUg4IRDcmnzPTguErSySgB6/feizGEMe8OMNwHzOreI8NqrNXgQnDE3ZmdT0LzJ17JWgBe6KwedKxIweSxwmcyGErQkYvJPdsxXdBAa5gD40S0ioPETbZI73E6aOOEryp1poTVjfFSu2IWELryR/ZVUOcU2VmveP7+YGE7ydpR7CHnAUEu36tWD4iYIb71XRhEW/rffVnwHHCAJfgVS4/t55B2BM3JvQYMZt3McHEr+R2dnD2KJv55ADKt/73ibAPYrj4EmEHUbswXxgqOJPErHQSNKXejJzBhxaIK63L7wZwzthfU/BbnV32l4A0Oxm3c0gpyyRFNhE3UPi+h5pzRcoyfDPJzfQTC76mN4oSjRW3lQV3bBLA5qflRGzI8xS+vc2UFlW2XVxoKINrGZTkB8T34WFvJty3JvD9ddSp/dqnu4LaIMETcWKMrabvelJunIvq59dw+9HPpM7Be/NOuAErHlwvHaFSWjQ/yz2CG8b/djzpQ==,iv:znowKErkz/f72SvyBa5/TN52mc0Ks4XoxNY/5rcihCI=,tag:4pHdKBYfQ0A+y3ZrTfpFjg==,type:str]
@ -30,8 +32,8 @@ sops:
bEdVQ0dicTVaRkJUNFB0d3Y1S1hmL3MKFVPyIyjRkQcdimUE/tWxQzQU1cqkB5lN
o+7a8JuA5gOxG7OInWbfkDe9/wSFCJW2S5z9jON/tLy6atPdmPYUdg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-12T14:17:18Z"
mac: ENC[AES256_GCM,data:JEtG8NcT5KK9VQIJxCRpjtHtwngf8qC4oLoV9MoxD7t1UPQVlpKrxCOhby/zvlKzTc0nTLc/sEOF7VAXclICXZGLiYZxL2iWf7sBG8MWdFAEVkZADOTSNvofrbkuP8RJQpJzvyKBAwmhHTR14N2y1voo7f7zNjfyE+8Vu2PL5m4=,iv:8N1wjSTqGIH9PFzy7X6wvKBGGP76EvhPp1KQ7Fk2QBA=,tag:W0LOQA3rQvZZcI5D52LI+A==,type:str]
lastmodified: "2023-10-14T08:37:22Z"
mac: ENC[AES256_GCM,data:1JWQyLehqUDDGmFRx/ticbDUCs7yyxzP5gQO1LB9BLGxr5AFXYhO/5+NZbmo4087Bl+mkZ2vopg5ZlIG8npYdBmeNvlXQfPjbfnw4GSnwomPKWvYpY5uBCnazxaJFIavK67EgdVLIIkLiL9F7RjMrNCvjj1LXZSxA8eRxysuloA=,iv:qqTEQURJ5G52jnZXI4rvWJKPArNLvNo/+1P+rfcj+7M=,tag:6xj9LraD3j4n+w6c3Ju66A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.0