Add sops-nix

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

.gitignore

@@ -1,2 +1,8 @@
-**/key.txt
-**/secrets/plaintext/*
+**/secrets/key.txt
+!**/secrets/key.txt.pub
+
+**/secrets/ssh_host_*_key
+!**/secrets/ssh_host_*_key.pub
+
+**/secrets/ssh/id_*_*_*
+!**/secrets/ssh/id_*_*_*.pub

README.md

@@ -6,30 +6,72 @@ NixOS dotfiles and configuration.
 
 The below installation example is for a fresh `eirene-vm` virtual machine.
 
-### Mount NixOS Configuration
+1. Mount NixOS Configuration
 
-```sh
-sudo -i
-mkdir /host
-mount -t virtiofs host /host
-```
+   ```sh
+   sudo -i
+   mkdir /host
+   mount -t virtiofs host /host
+   ```
 
-### Format Disks
+2. Format Disks
 
-```sh
-nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko /host/hosts/eirene/format.nix --arg device '"/dev/vda"'
-```
+   ```sh
+   nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko /host/hosts/eirene/format.nix --arg device '"/dev/vda"'
+   ```
 
-### Install NixOS
+3. Generate Host SSH Key
 
-```sh
-mkdir -p /mnt/etc/nixos
-cp -r /host/* /mnt/etc/nixos
-nixos-install --root /mnt --flake /mnt/etc/nixos#eirene-vm
-```
+   ```sh
+   mkdir -p /mnt/persist/etc/ssh
+   ssh-keygen -t ed25519 -f /mnt/persist/etc/ssh/ssh_host_ed25519_key
+   cp /mnt/persist/etc/ssh/ssh_host_ed25519_key /host/hosts/eirene/vm/secrets/ssh_host_ed25519_key
+   ```
 
-### Reboot
+4. Update `sops` Configuration
 
-```sh
-reboot
-```
+   ```sh
+   nix-shell -p ssh-to-age --run 'cat /mnt/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+
+   find . -type f -name 'sops.yaml' -exec nano {} \;
+
+   export SOPS_AGE_KEY_FILE=/host/users/nick/secrets/key.txt
+
+   find . -type f -name 'sops.yaml' | while read -r sops_file; do
+     dir=$(dirname "$sops_file")
+     find "$dir" -maxdepth 1 -type f -regextype posix-extended -regex '.+\.(yaml|yml|json|env|ini|bin)' | while read -r file; do
+       nix-shell -p sops --run 'sops --config $sops_file updatekeys $file'
+     done
+   done
+   ```
+
+5. Update Nix Configuration Keys
+
+   - Known Hosts
+
+   ```sh
+   # Add to hosts/common/default.nix.programs.ssh.knownHosts
+   cp /mnt/persist/etc/ssh/ssh_host_ed25519_key.pub /host/hosts/eirene/vm/secrets/ssh_host_ed25519_key.pub
+   ```
+
+   - SSH Keys
+
+   ```sh
+   # Generate a new SSH key pair for every user in the current system for every existing host that will connect to the new host
+   # Add to hosts/eirene/vm/default.nix.users.users.nick.openssh.authorizedKeys.keyFiles
+   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_eirene-vm_nick
+   ```
+
+6. Install NixOS
+
+   ```sh
+   mkdir -p /mnt/persist/etc/nixos
+   cp -r /host/* /mnt/persist/etc/nixos
+   nixos-install --root /mnt --flake /mnt/persist/etc/nixos#eirene-vm
+   ```
+
+7. Reboot
+
+   ```sh
+   reboot
+   ```

flake.lock

@@ -121,11 +121,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718008439,
-        "narHash": "sha256-nlh/2uD5p2SAdkn6Zuey20yaR5FFWvhL3poapDGNE4Y=",
+        "lastModified": 1718242063,
+        "narHash": "sha256-n3AWItJ4a94GT0cray/eUV7tt3mulQ52L+lWJN9d1E8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "c1cfbfad7cb45f0c177b35b59ba67d1b5fc7ca82",
+        "rev": "832a9f2c81ff3485404bd63952eadc17bf7ccef2",
         "type": "github"
       },
       "original": {
@@ -190,11 +190,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718141734,
-        "narHash": "sha256-cA+6l8ZCZ7MXGijVuY/1f55+wF/RT4PlTR9+g4bx86w=",
+        "lastModified": 1718243258,
+        "narHash": "sha256-abBpj2VU8p6qlRzTU8o22q68MmOaZ4v8zZ4UlYl5YRU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "892f76bd0aa09a0f7f73eb41834b8a904b6d0fad",
+        "rev": "8d5e27b4807d25308dfe369d5a923d87e7dbfda3",
         "type": "github"
       },
       "original": {
@@ -255,6 +255,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1717880976,
+        "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1714912032,
@@ -277,9 +293,31 @@
         "home-manager": "home-manager",
         "impermanence": "impermanence",
         "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
         "stylix": "stylix"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1718137936,
+        "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "stylix": {
       "inputs": {
         "base16": "base16",
@@ -295,11 +333,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1718122552,
-        "narHash": "sha256-A+dBkSwp8ssHKV/WyXb9uqIYrHBqHvtSedU24Lq9lqw=",
+        "lastModified": 1718292734,
+        "narHash": "sha256-XAwxzCDfExqIj0PIjEpjt3eOzsosxOCLx6sQWHPSrSg=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "e59d2c1725b237c362e4a62f5722f5b268d566c7",
+        "rev": "73c6955b4572346cc10f43a459949fe646efbde0",
         "type": "github"
       },
       "original": {

hosts/common/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     inputs.impermanence.nixosModules.impermanence
+    inputs.sops-nix.nixosModules.sops
     ./configs/zsh.nix
     ./configs/neovim.nix
     ./configs/tmux.nix
@@ -37,7 +38,7 @@
         "/var/lib/systemd/coredump"
       ];
       files = [
-        "/var/lib/sops-nix/key.txt"
+        "/etc/ssh/ssh_host_ed25519_key"
         "/etc/machine-id"
         "/root/.zsh_history"
       ];
@@ -55,20 +56,31 @@
 
   networking.networkmanager.enable = true;
   i18n.defaultLocale = "en_US.UTF-8";
-  users.defaultUserShell = pkgs.zsh;
+
+  users = {
+    mutableUsers = false;
+    defaultUserShell = pkgs.zsh;
+  };
 
   programs = {
     nix-ld = {
       enable = true;
       libraries = [ ];
     };
+    ssh.knownHosts = {
+      eirene-vm.publicKeyFile = ../eirene/vm/secrets/ssh_host_ed25519_key.pub;
+    };
   };
 
   security.sudo.extraConfig = ''
     Defaults lecture = never
   '';
 
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  sops.age = {
+    generateKey = true;
+    sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
+    keyFile = "/var/lib/sops-nix/key.txt";
+  };
 
   system = {
     autoUpgrade = {
@@ -84,4 +96,6 @@
 
     stateVersion = "24.05";
   };
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
 }

hosts/eirene/vm/secrets/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/ImO80n4+M8AIkS75leQiju6/zu09qV0keROjE6VC root@eirene-vm

users/common/default.nix

@@ -75,6 +75,7 @@ in
         ];
         files = [
           ".zsh_history"
+          ".key.txt"
         ];
         allowOther = true;
       };

users/nick/default.nix

@@ -3,13 +3,19 @@
 {
   imports = [ ../common ];
 
+  sops.secrets.nick-password = {
+    sopsFile = ./secrets/secrets.yaml;
+    key = "password";
+    neededForUsers = true;
+  };
+
   users.users.nick = {
     isNormalUser = true;
     home = "/home/nick";
     email = "nick@karaolidis.com";
     fullName = "Nikolaos Karaolidis";
     description = config.users.users.nick.fullName;
-    hashedPassword = "***REMOVED***";
+    hashedPasswordFile = config.sops.secrets.nick-password.path;
     extraGroups = [ "wheel" ];
     linger = true;
     uid = 1000;