diff --git a/.sops.yaml b/.sops.yaml
index 3024f26..c0ef0ea 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,17 +3,15 @@ keys:
 - &system_bob age1q47vup0tjhulkg7d6xwmdsgrw64h4ax3la3evzqpxyy4adsmk9fs56qz3y
 - &system_jeeves age13lmqgc3jvkyah5e3vcwmj4s5wsc2akctcga0lpc0x8v8du3fxprqp4ldkv
- - &system_muninn age1yxx8uwxkugvncseatftkxttnmy8888wxemtygdkzhfzj5fzzfvgsuj3hn2
 - &system_router age1xzxryqq63x65yuza9lmmkud7crjjxpnkdew070yhx6xn7xe4tdws5twxsv
 - &system_rhapsody age1ufnewppysaq2wwcl4ugngjz8pfzc5a35yg7luq0qmuqvctajcycs5lf6k4
 creation_rules:
- - path_regex: users/richie/secrets\.yaml$
+ - path_regex: users/secrets\.yaml$
 key_groups:
 - age:
 - *admin_richie
 - *system_bob
 - *system_jeeves
- - *system_muninn
 - *system_router
 - *system_rhapsody
diff --git a/users/richie/default.nix b/users/richie/default.nix
index 9d204ff..dc14b30 100644
--- a/users/richie/default.nix
+++ b/users/richie/default.nix
@@ -5,8 +5,17 @@ }: let ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
 in {
+
+ sops.secrets.richie_password = {
+ sopsFile = ../secrets.yaml;
+ neededForUsers = true;
+ };
+
 users.users.richie = {
 isNormalUser = true;
+
+ hashedPasswordFile = "${config.sops.secrets.richie_password.path}";
+
 shell = pkgs.zsh;
 group = "richie";
 openssh.authorizedKeys.keys = [
diff --git a/users/richie/secrets.yaml b/users/richie/secrets.yaml
deleted file mode 100644
index 6e34fb3..0000000
--- a/users/richie/secrets.yaml
+++ /dev/null
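Review bot: Dropping `&system_muninn` from `keys:` and from the `users/secrets\.yaml$` rule only changes what future `sops` runs encrypt to; it does not revoke anything already committed. The deleted `users/richie/secrets.yaml` (the `-1,57` hunk below) was encrypted to the muninn recipient and stays decryptable with that key from git history, so if the removal is because that host or key is no longer trusted, `my_secret` from the old file should be treated as exposed to it, which is only a concern if that value is still in use anywhere. The new `users/secrets.yaml` is encrypted to the remaining five recipients and never to muninn, which is consistent with this rule. A minor point on the rule itself: `path_regex` is still unanchored at the start, so `^users/secrets\.yaml$` would state the intended match more precisely.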
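Review bot: `hashedPasswordFile = "${config.sops.secrets.richie_password.path}";` wraps an already-string value in a redundant interpolation; the idiomatic form is `hashedPasswordFile = config.sops.secrets.richie_password.path;`. The secret name `richie_password` does not say that the decrypted value must be a crypt-style hash (what `hashedPasswordFile` expects, e.g. `mkpasswd` output) rather than the cleartext password, and a cleartext value would simply fail to verify at login, so a comment on the `sops.secrets.richie_password` block such as `# crypt(3) hash of the login password (mkpasswd output), not the cleartext` would prevent that mistake when the file is re-edited. `neededForUsers = true;` is the right choice here because user/password setup runs before the regular sops-nix secret activation; keep it. The enclosing attribute set and `openssh.authorizedKeys.keys` list continue outside the hunk.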
@@ -1,57 +0,0 @@ -my_secret: ENC[AES256_GCM,data:90kRHkDdhuBhskNGeA==,iv:2LTCXQyPJoddxbgCDX+sA8YPEZjS+2V9ZVKYu0dD1WE=,tag:d7wDFBnBwcCuhX+w8gOvaA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u8zj599elqqvcmhxn8zuwrufsz8w8w366d3ayrljjejljt2q45kq8mxw9c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTE5lQ001N3dBTTluU3Bq - TWNwWG5SVURnMFJ3Z21UemlNVHI0dDVMVTB3CjVtK1VBZXFQQlZUckRGM3QyQnhs - eVdhc2c2dHQ1MXFWMmlpS2JpZTBGZWcKLS0tIEluL0ZKZWJXVGtlbUJCcEFTYWtB - ZU5rSHUyR0doWUQyMjJWaUZ0NzNPYncKXnx2/Kg+NGO1ApyVjd2CeWXphgg4zZSL - D79j5NhPrk6Bhr3IcwD6hc0OPZ74pw6mg14yzBFglrw82WZdDnAHxw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1q47vup0tjhulkg7d6xwmdsgrw64h4ax3la3evzqpxyy4adsmk9fs56qz3y - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WFhiMURJSkdOUVhoNGxo - R3NWdVJvSUZKMFduM29wTkJDNGszOHdRRTBvCmUxQkhrV1dyV2tJMmcwZHNjOXcv - NUdIeDl3R0o2d2M1R3AzV3k1SkZhc00KLS0tIGhEVEtvVGtBdEcrK3ZMVUhuYklv - WXMyUkZZVmRERENOSldCcDB4OHQ4NVEK81zddZggn7+TzANzjMkjbpnCOHtX4TcA - 2F/Uin4RVD8ECdcoLLeTddo8ILIC4dQ9bD1TA3Wu23v0qsP6KkhczA== - -----END AGE ENCRYPTED FILE----- - - recipient: age13lmqgc3jvkyah5e3vcwmj4s5wsc2akctcga0lpc0x8v8du3fxprqp4ldkv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQelZhczRxNHJPdFNPd2R1 - VkFTUFJ2N3FLN1VvU1BqN0JqV2VyVVFUUzJnCndQWjYrS2lYbzRROFg3VGtMb3BP - NDlYYkhuRGZCdjVncHlXV3ZHcHZ1U0EKLS0tIEM4MUVkaDU4QlphWm5VM1RjbWR2 - R0Y0d3lJNlMvZVEvTnNwbC91YmNoMU0KErYP7q4xGVCyF4GGGEkaydMjFQ8759ER - o9+vtEjJme9AQosa3T4uuATIebxBzqpheRHmvxyNwdt9pZtWvaROng== - -----END AGE ENCRYPTED FILE----- - - recipient: age1yxx8uwxkugvncseatftkxttnmy8888wxemtygdkzhfzj5fzzfvgsuj3hn2 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSWFkeHI2UHdZN1RhSlV3 - dlNtWGlkWW95WjdhZTl1VzBvT0V4VytNOVN3Cmd6ZTEvNmJEMUt6bVRKM1hlUE1n - 
ZlA5TVNpWm9PUWpXOG9JMUhtRk5aUnMKLS0tIDJBd1RWQ3RmSzJPNjZ5ZTdMZFlZ - UHhwbURCdHdFOGppZXVJcGFvMWNWTVkK90smB4htJ4aN52zFVpGUYwkledxpGdUr - so6rQ3FfXsE7ik/+f89hPXZJUZLxpO+ENIWitMvH1ZNFmjz3uT+NYA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1xzxryqq63x65yuza9lmmkud7crjjxpnkdew070yhx6xn7xe4tdws5twxsv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadlVCTGRWY0trNnViTm1u - NVFBUW1GbVVxOUtpRUt1dElPNFU3clhLUngwCldWa1UzUms0QlJFRngzQitPek9O - c3Z3S2FpRXMrYWU1bFdrUDlzdUwxSW8KLS0tIHg0M1NWWXRTY0swUmw3MXpQQ21o - Q2IyU01yUjVYWFUzVEsyR1dyYlVVTWMK7+3zPVmkQ1lpFmD7f+rpDHVCtmBrZ/sH - 5D8FEbUfqu4l7LDCrtJ8LBBSvntwkcVKQlBu3fwBIDqhgOy9fGjZWA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-05T20:53:12Z" - mac: ENC[AES256_GCM,data:FbzvVgRSBBQ39ppKY7CmPghmkwgvSH8tW3aEC2VD90Xb7YypthnCYTos6Igmv/LkF77F4gkpoF3IT2KqkXJbAZ478ZD412sSkKtOl/A3dWtVkdMSgO8Lv/jvyC6/HtF3MEFHtUM8eG+2brQOUIwWg9fcT+4iaxfEBvJV8duW/XE=,iv:WRWaBWRrB8AthHbtHlNVfcrL0N31g3Z5uAYbeEN1jm4=,tag:qQW69HfEKNmPkeZw4nncwg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.2 diff --git a/users/secrets.yaml b/users/secrets.yaml new file mode 100644 index 0000000..25fdb89 --- /dev/null +++ b/users/secrets.yaml 
@@ -0,0 +1,58 @@ +richie_password: ENC[AES256_GCM,data:XpDkJ/DXQWVuqzbqod9NsQ44WLwu2wMePjtiT8r0tZBeCUGY4g9hXDUUYdt/W5E62HQ7adpnkrQiqaV4X0OHvZH959rLjcYCRA==,iv:3kOljaQbdvqAjb3QlEy38V6AhWp3Gfn8ny9SnPOaw/w=,tag:JZMkf/C04thmljr76UdTxQ==,type:str] +gaming_password: ENC[AES256_GCM,data:mk3AitOvkCaY/xSmvxi5uXYjGWORlqhfLQSeYBXJwAFv804yIyGyCL14ssTKdChVt+A+db8wRAPEZxplPDQPQoe7IBvLrbNwhw==,iv:z3jS/EhouJTtTP53e01DpJAB6o2h+v6PeVlg+I5txP0=,tag:IDByYmYGGvoA+shFFf0g6Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u8zj599elqqvcmhxn8zuwrufsz8w8w366d3ayrljjejljt2q45kq8mxw9c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqR1lUREVMR3hyTTFNZ3U0 + NkFkY202RGtMS0taTjRnOEd4OGlsZ1VORUhFCnIxUlV1eS81N0U1NXpOcWYxSUU0 + WER1cFY3a2lWU01tTUQ2Vk5VK2JmSDAKLS0tIHUxL3F5UWZ2aUwxd2JXZG5ybE9w + d29oZ1poZU5ZTlgxMmlsVWpoMUtFYjAKdRoXdqxfxyOL++pP0izdUuZngMcF24ne + OJ6kVJexJF9Hu9InwPeDtRboMhMi01gt6L5a47hOX5FUsi+4HbeVLQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1q47vup0tjhulkg7d6xwmdsgrw64h4ax3la3evzqpxyy4adsmk9fs56qz3y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWmJZWDZtWFJaTCtmdVNG + QkNiK1hFdWlnVFp0ZG01V1A3cFdtU2xGN1NBCm1oeXlLT3NYMC9lZDlHSnJGQUc1 + RnppNjc0QnBqSW5XTWUxZExBMHhORDQKLS0tIHpJNDJBU25COGR2dlg5em5YcGZB + VTBqRjhZWkdmdVdoa0V0VmIzdm5hbTgKEa9hW6jU538meU2Sm//b7OUBqqjAHHL5 + rluVCSMcrcoVtui0mB8vMoKeh6/n/qRLe38a/puvAj0q/PolN9ZEhA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13lmqgc3jvkyah5e3vcwmj4s5wsc2akctcga0lpc0x8v8du3fxprqp4ldkv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVlp4clVEb3Y4d0hzSEtW + dUMyb3V1aHlMS0Fvc0lGU3doRjE3SVFrNVdFCkpTQ1k2RTBIb2tzQ3UxajlPSWhY + ZzkwUWlDYWROZXpHMlFVaTM0MFlpMXcKLS0tIFNUN1QyRk41WkhPblZMbVFXNkZi + N1RkUVc0N0hIaUs3RXpXTWpDZTBOUXcKgOW6IV1mh3q8NT2Ky9EKlywWBaaCn5ML + bhfmmvt1Fndh2ys3poxODjNDiow34VxwhS+Ou0HsxsJ7zu7VvmPh0w== + -----END AGE ENCRYPTED FILE----- + - 
recipient: age1xzxryqq63x65yuza9lmmkud7crjjxpnkdew070yhx6xn7xe4tdws5twxsv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnOXR6SWh2SlBWdjZVL3F1 + ckd4N3JKNkkzYWtlRWN2QUFob3FJRkxQU1RNClllMDFMRE80ODROZDR3Y2g0Z2xs + aXJORTI1azEzbnhJMkZiNmNKZDBsOVUKLS0tIHZjV3BXaG9WVzNzVDZHYVdmOFdM + S3hZMkgvYkl5Ky9uYmpjVHpFUlMwYTgKIHxHRPMgEAgQNXg5lK2QkdBjMcamlxSp + HEoT/APYI/NN3V2l7mgfiH/fn2FXGdd3Ct5mqwp25GUYIp45zN3pqA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ufnewppysaq2wwcl4ugngjz8pfzc5a35yg7luq0qmuqvctajcycs5lf6k4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXSnNxaDVSbUJ2Y1NSc0hV + TWhzNzNRWTNhV1BBMFhPeVQ5eHkzb3Bkams4Ck1YdDExcU1WdExEQ0M1VXZpUzBV + L0xSTENrOEZlOU1XUHNUbEtHbURSK1UKLS0tIEJkaE9QOUdzN1VDbWFTSWd6RkY4 + UzQzWEFtSDJwR201cmZoeXh5T0RmSk0KWLOpw5cWbtnfVP/ISa7n1vZchoD+nxmn + 7yr7igpEIro0Sd238KinOQYswVaT0NHB9p1dSW/mN+aGQliSNLzkDQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-07T05:29:07Z" + mac: ENC[AES256_GCM,data:UQdrRT/SHTxHeX2AORJ3N7oc5MDIE6kcWw/KecYGarQ0+ToUST+WOIiiPauM7xUt0nwT2FpU/sArVpjLsldUd4JjeErh6yvfRfYgW+K3w/m7G5LdRlU7wDB1FoNkX/Caue56Vcd9qcF5mBelp6pwaAvjK+EmTHM0TEf/OKN8Aws=,iv:D+70S9dZerl27sTNb+yDfnue7fufWj6fQIbPmP5V348=,tag:Lvjok0HBVtagverUSuxYQQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2