Sops based on ssh keys

2025-07-30 18:51:51 +02:00 · 2025-07-30 18:51:51 +02:00 · 1b6310a742
commit 1b6310a742
parent ec740591b3
16 changed files with 115 additions and 78 deletions
--- a/disko/impermanence-btrfs-luks.nix
+++ b/disko/impermanence-btrfs-luks.nix
@ -1,4 +1,8 @@
-{device ? throw "Set this to your disk device, e.g. /dev/sda", ...}:
+{
+  device ? throw "Set this to your disk device, e.g. /dev/sda",
+  lib,
+  ...
+}:
 # IMPORTANT
 # Calculate offset using https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Acquire_swap_file_offset
 # AND create this config
@ -77,4 +81,28 @@
  };

  fileSystems."/persist".neededForBoot = true;
+  boot.initrd.postResumeCommands = lib.mkAfter ''
+    mkdir -p /btrfs_tmp
+    mount /dev/disk/by-label/nixos /btrfs_tmp
+    if [[ -e /btrfs_tmp/root ]]; then
+        mkdir -p /btrfs_tmp/old_roots
+        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+        mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+    fi
+
+    delete_subvolume_recursively() {
+        IFS=$'\n'
+        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+            delete_subvolume_recursively "/btrfs_tmp/$i"
+        done
+        btrfs subvolume delete "$1"
+    }
+
+    for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+        delete_subvolume_recursively "$i"
+    done
+
+    btrfs subvolume create /btrfs_tmp/root
+    umount /btrfs_tmp
+  '';
 }
--- a/disko/impermanence-btrfs.nix
+++ b/disko/impermanence-btrfs.nix
@ -70,4 +70,28 @@
      };
    };
  };
+  boot.initrd.postDeviceCommands = ''
+    mkdir -p /btrfs_tmp
+    mount /dev/root_vg/root /btrfs_tmp
+    if [[ -e /btrfs_tmp/root ]]; then
+        mkdir -p /btrfs_tmp/old_roots
+        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+        mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+    fi
+
+    delete_subvolume_recursively() {
+        IFS=$'\n'
+        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+            delete_subvolume_recursively "/btrfs_tmp/$i"
+        done
+        btrfs subvolume delete "$1"
+    }
+
+    for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+        delete_subvolume_recursively "$i"
+    done
+
+    btrfs subvolume create /btrfs_tmp/root
+    umount /btrfs_tmp
+  '';
 }
--- a/flake.nix
+++ b/flake.nix
@ -263,7 +263,10 @@
        system = x86;
        pkgs = kylekrein-framework12-pkgs nixpkgs;
        modules = [
-          (import ./disko/impermanence-btrfs-luks.nix {device = "/dev/nvme0n1";})
+          (import ./disko/impermanence-btrfs-luks.nix {
+            device = "/dev/nvme0n1";
+            lib = (kylekrein-framework12-pkgs nixpkgs).lib;
+          })
          ./nixos/configuration.nix
        ];
      };
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -241,6 +241,9 @@ in {
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
+    sharedModules = [
+      inputs.sops-nix.homeManagerModules.sops
+    ];
  };

  programs.bash = {
@ -281,7 +284,6 @@ in {
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "no";
-    extraConfig = "HostKey ${config.sops.secrets."ssh_keys/${hwconfig.hostname}".path}";
  };

  # Open ports in the firewall.
--- a/nixos/homes/kylekrein/niri.nix
+++ b/nixos/homes/kylekrein/niri.nix
@ -9,12 +9,10 @@
  hwconfig,
  username,
  ...
-}: 
-let 
-lisgd-patched = pkgs.callPackage ./lisgd.nix {};
-wvkbd-patched = pkgs.callPackage ./wvkbd.nix {};
-in
-{
+}: let
+  lisgd-patched = pkgs.callPackage ./lisgd.nix {};
+  wvkbd-patched = pkgs.callPackage ./wvkbd.nix {};
+in {
  programs.fuzzel = {
    enable = true;
    settings.main.terminal = "kitty";
@ -62,7 +60,11 @@ in
          command = [
            "${lib.getExe pkgs.brightnessctl}"
            "set"
-            (if hwconfig.hostname == "kylekrein-framework12" then "20%" else "25%")
+            (
+              if hwconfig.hostname == "kylekrein-framework12"
+              then "20%"
+              else "25%"
+            )
          ];
        };
        touchscreen-gestures = lib.mkIf (hwconfig.hasTouchscreen) {
@ -70,7 +72,7 @@ in
            "while true; do ${lisgd-patched}/bin/lisgd; done" #https://git.sr.ht/~mil/lisgd
          ];
        };
-	touchscreen-keyboard = lib.mkIf(hwconfig.hasTouchscreen){
+        touchscreen-keyboard = lib.mkIf (hwconfig.hasTouchscreen) {
          command = [
            "${wvkbd-patched}/bin/wvkbd"
            "--hidden"
--- a/nixos/homes/kylekrein/wvkbd.nix
+++ b/nixos/homes/kylekrein/wvkbd.nix
@ -1,8 +1,11 @@
-{wvkbd, fetchFromGitHub, ...}:
-let 
+{
+  wvkbd,
+  fetchFromGitHub,
+  ...
+}: let
  niri-patch = ./wvkbd-niri.patch; #https://github.com/jjsullivan5196/wvkbd/issues/70
 in
-wvkbd.overrideAttrs (final: prev: {
+  wvkbd.overrideAttrs (final: prev: {
    version = "0.17";
    src = fetchFromGitHub {
      owner = "Paulicat";
@ -11,5 +14,5 @@ wvkbd.overrideAttrs (final: prev: {
      hash = "sha256-py/IqNEEaTOx/9W935Vc47WoNFz99+bNaYD0sL//JmY=";
    };
    installFlags = prev.installFlags ++ ["LAYOUT=vistath"];
-  patches = prev.patches or [] ++ [ niri-patch ];
-})
+    patches = prev.patches or [] ++ [niri-patch];
+  })
--- a/nixos/hosts/andrej-pc/configuration.nix
+++ b/nixos/hosts/andrej-pc/configuration.nix
@ -295,7 +295,6 @@
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "no";
-    #extraConfig = "HostKey ${config.sops.secrets."ssh_keys/${hwconfig.hostname}".path}";
  };

  # Open ports in the firewall.
--- a/nixos/hosts/andrej-pc/default.nix
+++ b/nixos/hosts/andrej-pc/default.nix
@ -31,6 +31,5 @@

  hardware.nvidia.open = lib.mkForce false;
  #hardware.nvidia.package = lib.mkForce config.boot.kernelPackages.nvidiaPackages.latest;
-  #sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
  systemd.network.wait-online.enable = lib.mkForce false;
 }
--- a/nixos/hosts/kylekrein-framework12/default.nix
+++ b/nixos/hosts/kylekrein-framework12/default.nix
@ -23,7 +23,9 @@
    ./hibernation.nix
  ];

-  sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos;
+  services.scx.enable = true; # by default uses scx_rustland scheduler
+
  services.fwupd.enable = true; #fwupdmgr update
  nixpkgs.overlays = [
    # Fixes java crash because of bind mount with impermanence when loading too many mods(ex. All The Mods 9)
--- a/nixos/hosts/kylekrein-homepc/default.nix
+++ b/nixos/hosts/kylekrein-homepc/default.nix
@ -23,7 +23,6 @@

  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos;
  services.scx.enable = true; # by default uses scx_rustland scheduler
-  sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
  nixpkgs.overlays = [
    # Fixes java crash because of bind mount with impermanence when loading too many mods(ex. All The Mods 9)
    (self: super: {
--- a/nixos/hosts/kylekrein-mac/default.nix
+++ b/nixos/hosts/kylekrein-mac/default.nix
@ -16,7 +16,6 @@

    ../../users/kylekrein
  ];
-  sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
  facter.reportPath = lib.mkForce null; #fails to generate
  boot.binfmt.emulatedSystems = ["x86_64-linux"];
  nix.settings.extra-platforms = config.boot.binfmt.emulatedSystems;
--- a/nixos/hosts/kylekrein-server/default.nix
+++ b/nixos/hosts/kylekrein-server/default.nix
@ -25,7 +25,6 @@
  config = {
    home-manager.users = lib.mkForce {};
    stylix.image = ../../modules/hyprland/wallpaper.jpg;
-    #sops.secrets."ssh_keys/${hwconfig.hostname}" = {};
    boot.tmp.cleanOnBoot = true;
    boot.loader.grub.enable = true;
    boot.loader.grub.device = "/dev/sda";
@ -56,7 +55,6 @@
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
      settings.PermitRootLogin = "no";
-      #extraConfig = "HostKey ${config.sops.secrets."ssh_keys/${hwconfig.hostname}".path}";
    };

    zramSwap = {
--- a/nixos/modules/impermanence/default.nix
+++ b/nixos/modules/impermanence/default.nix
@ -4,7 +4,6 @@
  inputs,
  ...
 }: let
-  isBtrfs = config.fileSystems."/".fsType == "btrfs";
 in {
  imports = [
    inputs.impermanence.nixosModules.impermanence
@ -48,32 +47,4 @@ in {
  ];

  programs.fuse.userAllowOther = true;
-  boot.initrd.postDeviceCommands = lib.mkAfter (
-    if isBtrfs
-    then ''
-      mkdir /btrfs_tmp
-      mount /dev/root_vg/root /btrfs_tmp
-      if [[ -e /btrfs_tmp/root ]]; then
-          mkdir -p /btrfs_tmp/old_roots
-          timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
-          mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
-      fi
-
-      delete_subvolume_recursively() {
-          IFS=$'\n'
-          for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-              delete_subvolume_recursively "/btrfs_tmp/$i"
-          done
-          btrfs subvolume delete "$1"
-      }
-
-      for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
-          delete_subvolume_recursively "$i"
-      done
-
-      btrfs subvolume create /btrfs_tmp/root
-      umount /btrfs_tmp
-    ''
-    else ''''
-  );
 }
--- a/nixos/modules/sops/.sops.yaml
+++ b/nixos/modules/sops/.sops.yaml
@ -1,7 +1,9 @@
 keys:
  - &primary age1l8euy4w4nccrpdmfdfct468parcrulkqcts2jcljajs2as0k7passdv2x4
+  - &kylekrein-framework12 age10s6c9har9pg2a0md30fhpp2mfy89xxrrnu5dwrjtqzh3lktcdaysq7st65
 creation_rules:
  - path_regex: secrets/secrets.yaml$
    key_groups:
    - age:
      - *primary
+      - *kylekrein-framework12
--- a/nixos/modules/sops/default.nix
+++ b/nixos/modules/sops/default.nix
@ -14,7 +14,8 @@ in {
  environment.systemPackages = with pkgs; [sops];
  sops.defaultSopsFile = ./secrets/secrets.yaml;
  sops.defaultSopsFormat = "yaml";
-  sops.age.keyFile = keyPath;
+  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key" "/home/kylekrein/.ssh/id_ed25519"];
+  #sops.age.keyFile = keyPath;
  # This will generate a new key if the key specified above does not exist
  sops.age.generateKey = true;
 }
--- a/nixos/modules/sops/secrets/secrets.yaml
+++ b/nixos/modules/sops/secrets/secrets.yaml
@ -2,10 +2,6 @@ users:
    kylekrein: ENC[AES256_GCM,data:DNLVQ4IPFhUG9MR9hk2BuElvfNZIky3nMGWgilutRwvT3wl25vOLEETrBFoWUO+2ZgLSnhtwWtIJhNlRlTK/rsrUNVTOdwq9AA==,iv:Z+dhr33Wotm064IcwtNfFpvQeL03T29Dn3Bl9VqPL1g=,tag:Qe3sOY0DegSKDptBjnbFrQ==,type:str]
    tania: ENC[AES256_GCM,data:veo/dKQpztSGLfCxpWqoTOlPqSaNeNW2pYrTU9z125hjBVt2LC8X+mDp8vA0r8QFKpkGr1BiwviUTuXsSO1IXn3nHfDGsHQqFQ==,iv:q3pCcil1wiKe5xC6QEn3Q4wV1icW+3CCUQw6QZIINWU=,tag:XvBfIEORfdTcUihtcJQZVg==,type:str]
    andrej: ENC[AES256_GCM,data:x/cWcswSDMFxXSLXe1JWGnQAuPYWM5AU4X3WxVAqUIifcYWxxynMfL9LXEgo3sP1IvRyp4FW+voWQrJM/KGdbYkkrAJNhbD7/Q==,iv:C51H9Zz4nxB+K1cohRq+1oPQ/ckDgVCMW4vB4+3wEt8=,tag:8ENLfMIoHbJGxceCKZulxg==,type:str]
-ssh_keys:
-    kylekrein-mac: ENC[AES256_GCM,data:Gnh34OQWO6eQfNfyYZsVfvktknmZorQYF+lNMKYvV7XkKjZ3RQNHyJ3UWOX+sVwWdtF7EboXkBPdHvnyLvDVIyv7trxTU5IXQzOI+34AKfPHa828HuOLk0AclCmm6GcNq/X4dKTX5DADG4cE4/V+KtdjvSMtLX7I1cjlfsN7JzcsnjERbK8Q0pTMuA44IUdnh0odH9xFEP/f/hVZZZhc5vrMfAqSx3lQxCF62c0wJaorobsPSM7BTzorVgnMnc3zJRAlgQnCnAe306/6g4hurBteIVeGFhA8gSk1fjZh2fm0opo/lgvHRJOwfpvRWJGEedx7hEpjsDr8BRxeBc2OHaRO5UP+fYh8Qtki8ZeFUjr/psjRRz128Kr0C+NS0AByZtwg54d705uwsnf79jPdM1ewGryCcsxqYWCvT0174cIg3sLdQvPnESbV1zU+QsVskFZwYL+gLtzuAwExPW7cM12M/HS+Eb5xtWvRA46FZ/dnKFwQkUA/VgSi08eC5/EYg8dFBht9hDK+kiLPGHML8A6a3CoiMf0pd+DbdOxA21F0Tw==,iv:oEXxrvWosuiH2wSoSkP7YMwBQu3JKIhn/YeiaTL/UT4=,tag:XgBw2q/6LPWg2zuOC9Wb+w==,type:str]
-    kylekrein-homepc: ENC[AES256_GCM,data:/7b7wHk9jX+2Gel3157KO4YHia+IyEurUic0BX9flNKdsjIyG/3N8lORAkIjwnPlFaN2VqGu6o1pFgW2dzkSAyATQIUeWpqL5rjxsG3mJ9/9TLh58Y7MIpFKx2r8AeUY0xEAhT1A4BCbnDMsneQtM9gBkgPdhhv6vVpe4XJS3n+dGPER/bQxxRbEt260EjxvL1OPf5C7Z7qNVhOzxNdgdJMQvXxyhRGlXRrrHFRdbw0nChStevgBL4+FoMuBFkqF/aJSoapwe8PNxp8z+Hk5Em+BQv/ieFcscESssCK1gSbvfz6MQyX+5ig+Gy+t28yy56/ir44PHwX47IOILzg7lABSvN+Uyt+sRKyBfx124hJjqgXf65YQ/fgknQt0NDKwZyP/gPSLC9HiLKdva/P9nuenfSnlLrGtfugejBAVQBMOP2HTp/ZKtveeKLVIzM7NLeHAw8ul1OL8OlOgyO3vhEkEVagLwtQYHqwoF7+z30TzTtGyDzuhohbhUH36D8BD/LTaPHxnnVIzWq/IBOmAU06U/EvS5x/JJtqMm8aaDFFEYA==,iv:+4umMhsr8s0IuiYuEdhDAOfLjAELEHbFVvWqaVyF2yQ=,tag:eE9gCZ3pC4wDLeMs5cQGZg==,type:str]
-    kylekrein-framework12: ENC[AES256_GCM,data:mrdF0QNEgtuA+DfIsOFI63fTVwT8G8g7gH9aMRJ+8Z5b/BrlsaP2/ghFhRB2aFtLvs4FamNQIS88rnbdAd/3FyhS7rLnPfuMQIPwFQqHTfxKyx9BDnZsDIPbJUnBxm5mf635CQ0Oif4EqIJPCioAkZ4bTwiRTfB9tALJD0FkgOVTVpjmEB0caC7UZRYoxAixLYmo1uklK/ifhh+JMcF9T2f3yAEQG5qh+3uTQFP/bxOYkWkLv9cKZSXtStVu20Zwg2KvWuWhTWEYgOl8WTAjtUcyaN2Z/DxuHoKkUCce9e53o4kYJIKj6UENnpgUj0nqFUf1C+qRPvhM4TsCKvmbFFv08IwkszI5+FsmfVZCgaV6GEmGjyZjaN4w70mwtLEXjGAnZRSP0gMhlhJdEn1Suj3fQ2ki4B9LhkPGoSHE0pam53Cl1D3tSQnDqSIR6cKzEktwoDXak7VzwNFCOszLhi31TgbGbktrOMk/OS0lyDatmv5uqi52JjnCEFcIxIY9A5IzKobU5TYeqTZ622rQjiY7jscO5y2X8qSSCRLMX288qoVOXf/+E3tuglnxe3s=,iv:Cnt142OCG5uFDAzT51ztU4EF6cfzZ6Kr2iACA62lGFU=,tag:Agum3lmsVEGBpPm4HJcZfw==,type:str]
 services:
    conduwuit: ENC[AES256_GCM,data:1shEq67QJTkeqrfYSr/eYG7gYWH//5ey6XQ=,iv:hy5wQmue8qU4ALfn9BrNQLnsTk8BsVVXY/8bDj18mXk=,tag:h6+hL0HjgSzd15Kc7Zg4ng==,type:str]
    gitlab:
@ -23,13 +19,22 @@ sops:
        - recipient: age1l8euy4w4nccrpdmfdfct468parcrulkqcts2jcljajs2as0k7passdv2x4
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOEtvVCtWRzN6S1BBTkJR
-            aDM2T2x6MFo2aUFXOXVJNXJ2eWVucWltRjB3Cmc5SFJiOURLeWRDcGUvTzcyR2w2
-            OXBlb1lRNi9vdHAyb2V6TUJRQ3M3TEUKLS0tIHpMdEtzUi9rTWFvUU9xQXptSmtu
-            M0hSNWNYbGM3a21McUVMaGNqWTdmNTQK3VRFV4EaC8K8AJi2PUt6TeBgueEmPLI8
-            Vdwwbh89+xD5xf4Zm0LctPRlxxM6diubv0gIZZPy/ZXZfiU32ZnM0w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM0tFMzYvZWFVd1VsQVpy
+            SHc2SFVBK0R4eWFCamx3Y2hzVFNHZ0Y1S2xjCjBSNDFzZ0M4Vk9NWmFYbmRmSmsx
+            ZktxYUFHV0FRaEZDMkFSZkU5bFFpWk0KLS0tIGlLRzhMangzNVhUYnJWVE5Qd1ds
+            OFd4WFZWSHNUNFFWb1lnTkJmS3YzWEEKbErGqqGHpExXTzujeuQA807Ll68UU66x
+            +JGGtXcpURyCgj2jaaVw5QX/ibS5VPXNUpRXgIXRyJiEp+YKsJkAFA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-30T13:54:40Z"
-    mac: ENC[AES256_GCM,data:wjsbivXkKBsNNAQNftB+g6ghT5bs7krDLm+6p3KwrOnLkxgWTXtzSGk86e0D3k9dr+Nqe8JhaQzAnu7IqUz4KUUI2/y76rOEhPYBJFjU4kWA9GdDTpQsRW0RXwmpf5u23sE/IKJQhKOPtaHvs/OwBIzmUldu81lxcxGwXpc0Jnw=,iv:QD14tHzlvPyUwj30G7Yw4CRqKyOcOJDXxZbJY5ggcYQ=,tag:8gEGhlXB6JkE2lKSwQTjLg==,type:str]
+        - recipient: age10s6c9har9pg2a0md30fhpp2mfy89xxrrnu5dwrjtqzh3lktcdaysq7st65
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd0V6ZnVOKytyYWg4bkVt
+            cGlhK1p2UnU1T1dadFRwME1vOEQ0aENVSGhrClFUVmM1a1pQL0ZxWloyUVBGRFRJ
+            SE1RM01lN3VlZHRNTHU4SjZ1UWw4T1EKLS0tIDJsSlp4dTN6WVEwSkJtMS93NGNN
+            STVLZ0lYMnl6enV0TWdDU21TMDZ6blUKCF2gTYI/ipXa48a8S4TmOZzElNW1+XqS
+            hZSKpGhBxMuxLnBJj9iyQjcQmXG0M90AXVhJNyej96thDFxNByIMpA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-30T16:15:59Z"
+    mac: ENC[AES256_GCM,data:mmJH3BEqsrboGaQM7yWuHF1MWREC4bLc+RAZgsqlNvhgoWLoaVDLuBjEfuXCDPdnvDPesbUrI8HHA5gz523C0PoJdkoFcRoVOwhLqj6tJjT4JnlaTgpBMN5UqBqt9Gm68mqekE0bm7ihdc3lnn/OkRrxJI3Th5KzUC4zMmdjVsI=,iv:K0f75ft3PQdQ1AUFzrannvLv03fl6FS6se/muMcyQkY=,tag:y3FJQDthKoWvoMHdmcvRQA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2