fix(nix-secrets): use simplified signing key setup
30
flake.lock
generated
30
flake.lock
generated
@@ -121,11 +121,11 @@
|
|||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"dir": "pkgs/firefox-addons",
|
"dir": "pkgs/firefox-addons",
|
||||||
"lastModified": 1775966594,
|
"lastModified": 1776225785,
|
||||||
"narHash": "sha256-pnRtaqTr7ut8dz8b04OWAanUM4tGhDUJz8SWmeTRp7U=",
|
"narHash": "sha256-yrRZkEEtTwJcIXzxL/nCFpyGsz7VmkOJSoyx/AX6Ri8=",
|
||||||
"owner": "rycee",
|
"owner": "rycee",
|
||||||
"repo": "nur-expressions",
|
"repo": "nur-expressions",
|
||||||
"rev": "000d1d2322d28fa0a51b8db9f85a227aa5413b52",
|
"rev": "c09a1a34c147aefac0ff10017644ca17a3230e8c",
|
||||||
"type": "gitlab"
|
"type": "gitlab"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -342,11 +342,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1775983377,
|
"lastModified": 1776184304,
|
||||||
"narHash": "sha256-ZeRjipGQnVtQ/6batI+yVOrL853FZsL0m9A63OaSfgM=",
|
"narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "e0ca734ffc85d25297715e98010b93303fa165c4",
|
"rev": "3c7524c68348ef79ce48308e0978611a050089b2",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -398,10 +398,10 @@
|
|||||||
"nix-secrets": {
|
"nix-secrets": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1776003473,
|
"lastModified": 1776276250,
|
||||||
"narHash": "sha256-v87721Nfc5qnevsgGkaAO+MpeJdfgPtBpazs6N5dUiI=",
|
"narHash": "sha256-j7Bs6ZHkOrCM4GKVmeOJDTYgxWPOys9saCkiQ+BExPU=",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"rev": "d95fb37764e5033ad2cdf543f7d8acccb36146c8",
|
"rev": "d27bff628f13bedfaad5011437e00ec62feceb56",
|
||||||
"shallow": true,
|
"shallow": true,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://git@github.com/hektor/nix-secrets"
|
"url": "ssh://git@github.com/hektor/nix-secrets"
|
||||||
@@ -665,11 +665,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1775971308,
|
"lastModified": 1776119890,
|
||||||
"narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=",
|
"narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4",
|
"rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -714,11 +714,11 @@
|
|||||||
"tinted-zed": "tinted-zed"
|
"tinted-zed": "tinted-zed"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1775936757,
|
"lastModified": 1776170745,
|
||||||
"narHash": "sha256-KJO/7qoxJ+hlsb3WlFSl6IGrExBIf1GvKdrhOlnGdKY=",
|
"narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=",
|
||||||
"owner": "danth",
|
"owner": "danth",
|
||||||
"repo": "stylix",
|
"repo": "stylix",
|
||||||
"rev": "d3e447786b74d62c75f665e17cb3e681c66e90c7",
|
"rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|||||||
@@ -64,11 +64,6 @@
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
nix.settings.trusted-users = [
|
|
||||||
"root"
|
|
||||||
"@wheel"
|
|
||||||
];
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
vim
|
vim
|
||||||
git
|
git
|
||||||
|
|||||||
@@ -39,6 +39,9 @@ in
|
|||||||
"nix-command"
|
"nix-command"
|
||||||
"flakes"
|
"flakes"
|
||||||
];
|
];
|
||||||
|
settings.trusted-public-keys = [
|
||||||
|
"nix-signing-key:M6ouQRFl/bZ5QQrceQUyar6P7o8qg4wwVkxD1SSLL2k="
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
system.autoUpgrade = {
|
system.autoUpgrade = {
|
||||||
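Review bot: The key literal added to `settings.trusted-public-keys` has nothing tying it to the private half it verifies against; a reader cannot tell which sops secret it belongs to, nor that the `nix-signing-key:` prefix must equal the key name recorded in the secret key file referenced by `nix.settings.secret-key-files`, otherwise signatures made with that file will not validate here. Suggest a comment directly above the entry, `# public half of the sops secret nix-signing-key (nix.yaml, key signing-key); the name before ':' must match the name stored in the private key file`. The enclosing attribute set this `settings` line belongs to starts before the hunk. Taken together with the removal of the per-host `name` option in the later @@ -29,10 +29,6 hunk, this appears to move from one key per host to a single key trusted by every host, so a compromise of the private key on any one machine affects all of them; that trade-off is worth stating in the same comment or the commit message.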
|
|||||||
@@ -29,10 +29,6 @@ in
|
|||||||
|
|
||||||
nixSigningKey = {
|
nixSigningKey = {
|
||||||
enable = lib.mkEnableOption "nix signing key configuration";
|
enable = lib.mkEnableOption "nix signing key configuration";
|
||||||
name = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "${config.host.name}-nix-signing-key";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
yubikey = {
|
yubikey = {
|
||||||
@@ -52,8 +48,9 @@ in
|
|||||||
secrets = lib.mkMerge [
|
secrets = lib.mkMerge [
|
||||||
(mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
|
(mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
|
||||||
(lib.mkIf cfg.nixSigningKey.enable {
|
(lib.mkIf cfg.nixSigningKey.enable {
|
||||||
${cfg.nixSigningKey.name} = {
|
nix-signing-key = {
|
||||||
sopsFile = "${sopsDir}/${cfg.nixSigningKey.name}.yaml";
|
sopsFile = "${sopsDir}/nix.yaml";
|
||||||
|
key = "signing-key";
|
||||||
inherit owner;
|
inherit owner;
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
@@ -61,7 +58,7 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
|
nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
|
||||||
config.sops.secrets.${cfg.nixSigningKey.name}.path
|
config.sops.secrets.nix-signing-key.path
|
||||||
];
|
];
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
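Review bot: In the rewritten `nix-signing-key` secret in the @@ -52,8 +48,9 hunk, `inherit owner;` is kept, so the file at `config.sops.secrets.nix-signing-key.path` is owned by whatever `owner` resolves to (defined outside the hunk), while the only consumer visible on this page is `nix.settings.secret-key-files`, which the nix daemon reads as root and so needs no non-root owner. If `owner` is an ordinary user, that account can read a key which, after this change, every host trusts; consider `owner = "root";` (or dropping `inherit owner;`, which leaves sops-nix's root default) and keeping the default 0400 mode. The `secrets = lib.mkMerge [` list and the `nix-secrets` module around it continue outside the hunks.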
|
|||||||