SK-Development-Studios/Nixos-Configuration
2
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: SK-Development-Studios:125465767960e25e6f73ef293be18eec1028d70d
Branches Tags
SK-Development-Studios:main
...
compare: SK-Development-Studios:717c5b98808b6c08b24cfd7642d440c0d5126a2c
Branches Tags
SK-Development-Studios:main

4 commits
1254657679 ... 717c5b9880

Author SHA1 Message Date
Jermeiah S
717c5b9880
secrets: now fully reliant 2025-06-14 14:58:50 -04:00
Jermeiah S
136d9cb3fa
secrets: add server 2025-06-14 14:42:32 -04:00
Jermeiah S
f204577de7
added ssh-to-age devtool 2025-06-14 14:42:15 -04:00
Jermeiah S
3196a30c4d
prep: setup sops demo for otf 2025-06-14 14:35:19 -04:00
6 changed files with 43 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -4,8 +4,10 @@
# for a more complex example. # for a more complex example.
keys: keys:
- &A_sky age1g4j0hun2ttt7h8870zf5pm7nqgw9p23r6mjj9vpm4guqetvth34s8v3t3w - &A_sky age1g4j0hun2ttt7h8870zf5pm7nqgw9p23r6mjj9vpm4guqetvth34s8v3t3w
- &S_tofu age1mfsjys8gzazkzurcpz2grcdljmzq0zvsllk8j7ssse6wt52jrglq5t59u8
creation_rules: creation_rules:
- path_regex: secrets\.yaml - path_regex: secrets\.yaml
key_groups: key_groups:
- age: - age:
- *A_sky - *A_sky
- *S_tofu

8
configurations/nixos/tofu/default.nix
View file

@ -1,6 +1,11 @@
# See /modules/nixos/* for actual settings # See /modules/nixos/* for actual settings
# This file is just *top-level* configuration. # This file is just *top-level* configuration.
{ flake, modulesPath, ... }: {
flake,
modulesPath,
config,
...
}:
let let
inherit (flake) inputs; inherit (flake) inputs;
@ -15,6 +20,7 @@ in
tty-ips.enable = true; tty-ips.enable = true;
otf = { otf = {
enable = true; enable = true;
environmentFile = config.sops.secrets.otfenv.path;
}; };
}; };
networking = { networking = {

1
modules/flake/devshell.nix
View file

@ -6,6 +6,7 @@
name = "nixos-unified-template-shell"; name = "nixos-unified-template-shell";
meta.description = "Shell environment for modifying this Nix configuration"; meta.description = "Shell environment for modifying this Nix configuration";
packages = with pkgs; [ packages = with pkgs; [
ssh-to-age
sops sops
just just
nixd nixd

15
modules/nixos/common/otf.nix
View file

@ -19,7 +19,7 @@ in
}; };
package = lib.mkPackageOption pkgs "otf" { }; package = lib.mkPackageOption pkgs "otf" { };
pgPackage = lib.mkPackageOption pkgs "postgresql_16" { }; pgPackage = lib.mkPackageOption pkgs "postgresql_16" { };
environmentFile = lib.mkEnableOption { environmentFile = lib.mkOption {
type = with lib.types; nullOr path; type = with lib.types; nullOr path;
default = lib.types.null; default = lib.types.null;
}; };
@ -36,14 +36,11 @@ in
); );
default = { default = {
OTF_ADDRESS = "localhost:9000"; OTF_ADDRESS = "localhost:9000";
OTF_SITE_TOKEN = "my-token"; # OTF_SITE_TOKEN = "my-token";
OTF_SSL = "false"; # OTF_SSL = "false";
# the application needs a secret for encryption and other things # OTF_SECRET = "";
# TODO: make mechanism to load via file # OTF_CERT_FILE = "";
OTF_SECRET = "f73e55eada59bd1c37d69ae3bbacd982"; # OTF_KEY_FILE = "";
# more options can be set but these are a reminder for myself
OTF_CERT_FILE = "";
OTF_KEY_FILE = "";
}; };
description = "Environment variables for the OTF service."; description = "Environment variables for the OTF service.";
}; };

11
modules/nixos/common/sops.nix
View file

@ -9,5 +9,14 @@
imports = [ imports = [
flake.inputs.sops-nix.nixosModules.sops flake.inputs.sops-nix.nixosModules.sops
]; ];
sops.defaultSopsFile = ../../../secrets.yaml; sops = {
defaultSopsFile = ../../../secrets.yaml;
secrets = {
otfenv = {
owner = "otf";
group = "otf";
mode = "0440";
};
};
};
} }

34
secrets.yaml
View file

@ -1,25 +1,25 @@
hello: ENC[AES256_GCM,data:Rq1GdoMwMFgQ7Bvy78aMmM6DferRk0Bn5J4VVI8a5x2PaaFbZBAfsADZewD8,iv:sgJJM2UO4KZ+qE8uzNmdhsBhJ3/arEZd4kNvqnK2bqo=,tag:FZHKmkX1VfQLYPP0mDTIiQ==,type:str] otfenv: ENC[AES256_GCM,data:HwZC2IPM9w5FqFlpc/zLA+m9bSC6m19hnvuS103Iwct84QM/HHkez3pdLdCZM5tNZN+oItxMHcIizbcA7mQn1eezdt+Pb9RC4hk=,iv:rcvPhmVEg79XPpJ6o8/DBP4YgN+lgjvxLB1mJYARdCo=,tag:SSZiiKngO+vWjcEppnhARg==,type:str]
example_key: ENC[AES256_GCM,data:h6UKojkibcw0wegDOQ==,iv:XVb8m9Ek4pNl6CCFU1MlxYusIOY6MBq9Z7lqoaG1/cM=,tag:FolHw4euj4PoqnTuuhlh4w==,type:str]
#ENC[AES256_GCM,data:2ivQ7NDtZHDNMiyK8hf/7Q==,iv:sFv9WyyHJb+tkbjRGnD4OfEYJWt8PQIGteIViVyihEU=,tag:chbHtXfFQb5OJsB3rrMQbg==,type:comment]
example_array:
- ENC[AES256_GCM,data:EQKOFW+qJ0Z/ooEr9Y0=,iv:732cR53nJfxctdVH0AZmfD/qBPoI7oPxemsYo4B92jQ=,tag:VMSYfVzTUAODwNtdz0xI6g==,type:str]
- ENC[AES256_GCM,data:3N1qsEA4L4YTw4qZjvs=,iv:mdCoLmqRA5OX3VpNM/f1AhmRIxOBvTswEvwPRadeYCQ=,tag:z9nueE2d4Kb/uWSCvK55jA==,type:str]
example_number: ENC[AES256_GCM,data:PSY/N8noNaQYug==,iv:189g+CnKC5lBdJBBTcA4HUC3i98ZXa5thARY8U42DyI=,tag:hdWoyngTGnBszqCW3I+wXQ==,type:float]
example_booleans:
- ENC[AES256_GCM,data:SFFumQ==,iv:G2iEbkil+oUuJCyxQAfaAMaXHPsOdAtdw8l8dnvqviY=,tag:WPfOOyjrWf/4p2UjoiILAQ==,type:bool]
- ENC[AES256_GCM,data:2GWLfxY=,iv:nSqxDcqvUeIDbvOoJlhW/lQs9j2iENsazpuZFUoOKc8=,tag:eh3HVtgzBrJjf0S9lGiqGQ==,type:bool]
sops: sops:
age: age:
- recipient: age1g4j0hun2ttt7h8870zf5pm7nqgw9p23r6mjj9vpm4guqetvth34s8v3t3w - recipient: age1g4j0hun2ttt7h8870zf5pm7nqgw9p23r6mjj9vpm4guqetvth34s8v3t3w
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aFBMUWVvV1UzRlgvaGd5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MGZ5Z25rZjh1b2E5eWZk
TWtUd1VEa0RyYmxRUy9MVzA0OXdLOFU2MkhrCmMxYlVSZjFlSW9lN3RvUm8rUUht ZUpyZXhrZVdtRTlCTUovMFd5dWpmZERtc0NvCk01UUdxVHFFZVliTDU2bmpSeWpK
N05aSUZ5UU51ZSt0Vzg3ZjkwRXVKSzAKLS0tIFJIaUtqMXhLcDZ3cnYyWFJRZ20z My84a1Q3SzcyR0xQSHlQQmROaFlkOEEKLS0tIFBMaCtEbVhRb2tRcDBkS2Nkc3hO
cVpseXdzZHh6amduSFBUT1RMdkcxS2MKJhBQbcufwWc+kxFf/k/pHLClnPJkUucH eGtzRVVLamtXOEJEbDUvRHVaNDlaOVUKGDG+gUXU7GcvpfkgIStYg8KIW0jY2NTh
6kEbeF+T49PoyxWyR1oXWhxC6Xuwcx+w3vA59gvP54Bx2Mrj2ylYwQ== /eKWOfuH/8zz25Ye8zS1s7Yp5WiXi3rJSY2qS8PFq9PTmBzVEFoVpQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-14T17:54:53Z" - recipient: age1mfsjys8gzazkzurcpz2grcdljmzq0zvsllk8j7ssse6wt52jrglq5t59u8
mac: ENC[AES256_GCM,data:wxaNv7XOLCWKkrvESr4R09sVTxbm9Otm6ImuaCbFMKuZlvAsp93wi54W5YK+aOugZtMfEBrz648A7GaR0ahb0ggvuhiHgCH667dMGBUZCp81vVBvF5RMhoPaR6IXnrdlQN4ypmbj3p07T+1BBMG6MJVieoI/liHMn//UDbWWOKQ=,iv:Y1ZS1gIGnwABpTNx3afjTHMGRxr3iu2t9uvwZ6RR0Wc=,tag:+uwoTYioDywkke9gMhEkkA==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VjRvcjQyV25McEZYSEVV
d0pON0NnUDlFdGZzaE9KZitSY09ISCt3VlhRCkx6MitueW5PYUdMWU4wRmVhTTJU
RkpWakNlYVlzcHVOT3gxdHZKUjJla1UKLS0tIG9SYTlUOXcwNFNzT29FazE4Z0g0
MlJ1bjRvS0VQMkRFSG0yNDc5Y3lSM28KS50BUA6S61AJYZRefGbW76TotkDOv1FD
Q1CyfEDDkrhbUPtPeOagG3tStP9ZfkRRfmm7TzkB4PfHDTpfAg6V/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-14T18:56:57Z"
mac: ENC[AES256_GCM,data:oPKok5QCr8edihXzZUZl3+5Abss6OMas4rYqQZWeLkkIX+b3uzCi0p6KJsZK1SyxZC48Wa4ax8cGLb1BOIQVCjyR80OkXDzQACee9War2LVceXcoT1ARqgl21nthmckLxYzs+YOxWbB3gFQNOD09aeenLpSJUzMM7kDV901sCVg=,iv:ywJaJYj2xrNkgQsWZJF51ZUAwBwMk14eQDe9EC6EXaQ=,tag:GQlHIofanq/yETLbAqS2Nw==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2