fix(nix-secrets): use simplified signing key setup

2026-04-15 20:06:44 +02:00
parent 2f1f60b836
commit db5e8855d2
4 changed files with 22 additions and 27 deletions

flake.lock generated

@@ -121,11 +121,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1775966594,
"narHash": "sha256-pnRtaqTr7ut8dz8b04OWAanUM4tGhDUJz8SWmeTRp7U=",
"lastModified": 1776225785,
"narHash": "sha256-yrRZkEEtTwJcIXzxL/nCFpyGsz7VmkOJSoyx/AX6Ri8=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "000d1d2322d28fa0a51b8db9f85a227aa5413b52",
"rev": "c09a1a34c147aefac0ff10017644ca17a3230e8c",
"type": "gitlab"
},
"original": {
@@ -342,11 +342,11 @@
]
},
"locked": {
"lastModified": 1775983377,
"narHash": "sha256-ZeRjipGQnVtQ/6batI+yVOrL853FZsL0m9A63OaSfgM=",
"lastModified": 1776184304,
"narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e0ca734ffc85d25297715e98010b93303fa165c4",
"rev": "3c7524c68348ef79ce48308e0978611a050089b2",
"type": "github"
},
"original": {
@@ -398,10 +398,10 @@
"nix-secrets": {
"flake": false,
"locked": {
"lastModified": 1776003473,
"narHash": "sha256-v87721Nfc5qnevsgGkaAO+MpeJdfgPtBpazs6N5dUiI=",
"lastModified": 1776276250,
"narHash": "sha256-j7Bs6ZHkOrCM4GKVmeOJDTYgxWPOys9saCkiQ+BExPU=",
"ref": "main",
"rev": "d95fb37764e5033ad2cdf543f7d8acccb36146c8",
"rev": "d27bff628f13bedfaad5011437e00ec62feceb56",
"shallow": true,
"type": "git",
"url": "ssh://git@github.com/hektor/nix-secrets"
@@ -665,11 +665,11 @@
]
},
"locked": {
"lastModified": 1775971308,
"narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=",
"lastModified": 1776119890,
"narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4",
"rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
"type": "github"
},
"original": {
@@ -714,11 +714,11 @@
"tinted-zed": "tinted-zed"
},
"locked": {
"lastModified": 1775936757,
"narHash": "sha256-KJO/7qoxJ+hlsb3WlFSl6IGrExBIf1GvKdrhOlnGdKY=",
"lastModified": 1776170745,
"narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=",
"owner": "danth",
"repo": "stylix",
"rev": "d3e447786b74d62c75f665e17cb3e681c66e90c7",
"rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9",
"type": "github"
},
"original": {


@@ -64,11 +64,6 @@
];
};
nix.settings.trusted-users = [
"root"
"@wheel"
];
environment.systemPackages = with pkgs; [
vim
git


@@ -39,6 +39,9 @@ in
"nix-command"
"flakes"
];
settings.trusted-public-keys = [
"nix-signing-key:M6ouQRFl/bZ5QQrceQUyar6P7o8qg4wwVkxD1SSLL2k="
];
};
system.autoUpgrade = {
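Review bot: The key added under `settings.trusted-public-keys` is a bare fingerprint with nothing recording which private key it must match, which is exactly what a reader needs when either half is rotated. I would put a comment above it, e.g. `# Public half of the sops secret "nix-signing-key" (nix.yaml, key "signing-key") on the signing host; regenerate and update both together`. As far as I recall, on NixOS this list merges with the module's default cache.nixos.org key rather than replacing it, so the upstream cache stays trusted; worth confirming that is the intent. The enclosing attribute set (presumably `nix = { ... }`, given the `settings.` prefix) starts outside the hunk.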


@@ -29,10 +29,6 @@ in
nixSigningKey = {
enable = lib.mkEnableOption "nix signing key configuration";
name = lib.mkOption {
type = lib.types.str;
default = "${config.host.name}-nix-signing-key";
};
};
yubikey = {
@@ -52,8 +48,9 @@ in
secrets = lib.mkMerge [
(mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
(lib.mkIf cfg.nixSigningKey.enable {
${cfg.nixSigningKey.name} = {
sopsFile = "${sopsDir}/${cfg.nixSigningKey.name}.yaml";
nix-signing-key = {
sopsFile = "${sopsDir}/nix.yaml";
key = "signing-key";
inherit owner;
};
})
@@ -61,7 +58,7 @@ in
};
nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
config.sops.secrets.${cfg.nixSigningKey.name}.path
config.sops.secrets.nix-signing-key.path
];
services = {
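Review bot: The rewritten `nix-signing-key` secret keeps `inherit owner;`, so the private signing key is readable by that user rather than only by root; if `owner` is the interactive user, as it appears to be for the email secrets defined alongside it, that is wider than `nix.settings.secret-key-files` needs, since the daemon presumably reads the key as root. Unless a non-root user on this host has to sign paths directly, I would drop `inherit owner;` so sops-nix's defaults (root owner, mode 0400) apply, or set `owner = "root";` explicitly. I would also add a comment above the secret recording the coupling, e.g. `# Private half of the key listed in trusted-public-keys on consumer hosts; rotate both together`. The same hard-coded name is consumed in the `nix.settings.secret-key-files` hunk below, and `services = {` there opens outside the hunk.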