added sops-nix

flake.nix

@@ -47,7 +47,7 @@
        username = "kylekrein";
 
        general-modules = [
-	    #inputs.sops-nix.nixosModules.sops
+	    inputs.sops-nix.nixosModules.sops
 	    inputs.home-manager.nixosModules.default
 	    stylix.nixosModules.stylix
 

nixos/configuration.nix

@@ -10,6 +10,7 @@
       inputs.nixvim.nixosModules.nixvim
       ./firefox.nix
       ./modules/services/autoupgrade
+      ./modules/sops
     ];
     kylekrein.services.autoUpgrade = {
 	enable = true;
@@ -82,13 +83,23 @@
   
   services.udisks2.enable = true;
 
-  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users = {
-  users.users.${username} = {
+    mutableUsers = false;
-    isNormalUser = true;
+    users = {
-    description = "Aleksandr Lebedev";
+	root = {
-    extraGroups = [ "networkmanager" "wheel" ];
+	    # disable root login here, and also when installing nix by running nixos-install --no-root-passwd
-    initialPassword = "1234";
+	    # https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/3
-    packages = with pkgs; [];
+	    hashedPassword = "!";  # disable root logins, nothing hashes to !
+	};
+	${username} = {
+	    isNormalUser = true;
+	    description = "Aleksandr Lebedev";
+	    extraGroups = [ "networkmanager" "wheel" ];
+	    #initialPassword = "1234";
+	    hashedPasswordFile = config.sops.secrets."users/${username}".path;
+	    packages = with pkgs; [];
+	    };
+	};
   };
 
   qt = {

nixos/modules/impermanence/default.nix

@@ -15,8 +15,6 @@
     ];
     files = [
 	"/etc/machine-id"
-	"/etc/shadow"
-	"/etc/passwd"
 	{ file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
 	];
     };

nixos/modules/sops/.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &primary age1l8euy4w4nccrpdmfdfct468parcrulkqcts2jcljajs2as0k7passdv2x4
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *primary

nixos/modules/sops/default.nix

@@ -0,0 +1,15 @@
+{ pkgs, inputs, username, hwconfig, ... }:
+{
+    environment.systemPackages = with pkgs; [sops];
+    sops.defaultSopsFile = ./secrets/secrets.yaml;
+    sops.defaultSopsFormat = "yaml";
+    sops.age.keyFile = (if hwconfig.useImpermanence then "/persist/sops/age/keys.txt" else "/home/${username}/.config/sops/age/keys.txt");
+    # This will generate a new key if the key specified above does not exist
+    sops.age.generateKey = true;
+
+    sops.secrets = {
+	"users/kylekrein" = {
+	    neededForUsers = true;
+	};
+    };
+}

nixos/modules/sops/secrets/secrets.yaml

@@ -0,0 +1,22 @@
+users:
+    kylekrein: ENC[AES256_GCM,data:DNLVQ4IPFhUG9MR9hk2BuElvfNZIky3nMGWgilutRwvT3wl25vOLEETrBFoWUO+2ZgLSnhtwWtIJhNlRlTK/rsrUNVTOdwq9AA==,iv:Z+dhr33Wotm064IcwtNfFpvQeL03T29Dn3Bl9VqPL1g=,tag:Qe3sOY0DegSKDptBjnbFrQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1l8euy4w4nccrpdmfdfct468parcrulkqcts2jcljajs2as0k7passdv2x4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOEtvVCtWRzN6S1BBTkJR
+            aDM2T2x6MFo2aUFXOXVJNXJ2eWVucWltRjB3Cmc5SFJiOURLeWRDcGUvTzcyR2w2
+            OXBlb1lRNi9vdHAyb2V6TUJRQ3M3TEUKLS0tIHpMdEtzUi9rTWFvUU9xQXptSmtu
+            M0hSNWNYbGM3a21McUVMaGNqWTdmNTQK3VRFV4EaC8K8AJi2PUt6TeBgueEmPLI8
+            Vdwwbh89+xD5xf4Zm0LctPRlxxM6diubv0gIZZPy/ZXZfiU32ZnM0w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-18T08:09:37Z"
+    mac: ENC[AES256_GCM,data:nnzosChLt1mPHdbLktddccs1lTp0LQAJs36KkYXHxW+sL+QYZu+jIEWm6IaGJ/5xHk99upo3eoZu3o8DrEMvKmiICrXy6hLFipgANTuzV4Ug8bs5aSXuKjqVAs3aMLNJR5+CZZTCFDc7NM12Fy+U33Sn8hMimIC0JQmypdAWXoI=,iv:5ShY+sSHK8DjURndEDdV1g5d9TdGnAI82+qx0pQx9lg=,tag:4p/1h4TzKSuVG72zIn4Uqw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2