bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-03-24 00:29:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

init

Browse source
This commit is contained in:
Bryan Ramos 2026-03-15 02:43:16 -04:00
commit 259d9ed5a0
111 changed files with 7219 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

140
secrets/README.md Normal file
View file

@ -0,0 +1,140 @@
# Secrets Management
```
secrets/
├── system/ # System-level secrets (WiFi, VPN, etc.)
└── user/ # User-level secrets (password-store, API keys, etc.)
```
## Prerequisites
Age identity files are stored in `src/user/config/keys/age/` and deployed automatically.
```bash
# For testing with a local key:
age-keygen > src/user/config/keys/age/local
# For Yubikey (see "Migrating to Yubikey" below):
age-plugin-yubikey --identity > src/user/config/keys/age/yubikey
# Add the public key to .sops.yaml in repo root
```
After rebuild, the identity is written to `~/.config/sops/age/keys.txt`.
## Adding Secrets
1. Create or edit a YAML file:
```bash
vim secrets/system/example.yaml
```
2. Encrypt in place:
```bash
sops -e -i secrets/system/example.yaml
```
3. Reference in NixOS config:
```nix
sops.secrets."SECRET_NAME" = {
sopsFile = path/to/example.yaml;
};
```
## Editing Secrets
```bash
# Opens decrypted in $EDITOR, re-encrypts on save
sops secrets/system/wifi.yaml
```
## Viewing Secrets
```bash
# Decrypt to stdout
sops -d secrets/system/wifi.yaml
```
## Removing Secrets
1. Remove from NixOS config
2. Delete the encrypted file or remove the key from it via `sops`
## Re-keying (after adding/removing age keys)
```bash
# Update .sops.yaml with new keys, then:
sops updatekeys secrets/system/wifi.yaml
```
## Migrating to Yubikey
### 1. Generate a new age identity on Yubikey
```bash
# Insert Yubikey and run interactive setup
age-plugin-yubikey
# Follow prompts:
# - Select slot (default: 1)
# - Set PIN policy (default: once per session)
# - Set touch policy (recommended: always)
#
# This generates a NEW key on the Yubikey - you will not know the private key.
# Save the identity to the keys directory:
age-plugin-yubikey --identity > src/user/config/keys/age/yubikey
```
The identity file only contains a *reference* to the Yubikey, not the private key.
It will be deployed to `~/.config/sops/age/keys.txt` on rebuild.
### 2. Update .sops.yaml with Yubikey public key
```bash
# Get the public key (age1yubikey1...)
age-plugin-yubikey --list
# Edit .sops.yaml and replace/add the key:
vim .sops.yaml
```
```yaml
keys:
- &yubikey age1yubikey1q... # your Yubikey public key
creation_rules:
- path_regex: secrets/.*\.yaml$
key_groups:
- age:
- *yubikey
```
### 3. Re-key all secrets against the new key
```bash
# This decrypts with your OLD key and re-encrypts with the NEW key
find secrets -name "*.yaml" -exec sops updatekeys {} \;
```
You'll need your old key available during this step.
### 4. Remove the old age key (optional)
```bash
# Once all secrets are re-keyed and tested:
# 1. Remove old key from .sops.yaml
# 2. Delete the old key file from the repo:
rm src/user/config/keys/age/local # or whatever your test key was named
```
### 5. Test decryption with Yubikey
```bash
# Should prompt for Yubikey touch/PIN
sops -d secrets/system/wifi.yaml
# Test a full rebuild
sudo nixos-rebuild switch --flake .#desktop
```
If decryption works, your migration is complete.

17
secrets/system/cameras.yaml Normal file
View file

@ -0,0 +1,17 @@
RTSP_USER: ENC[AES256_GCM,data:yketGXU=,iv:KQVYzBjzkkDepiD+hjGWLjvyC3iySK6JMZ9Fyrdo1Eo=,tag:7sHqOYROk6qNd56xWex1Bw==,type:str]
RTSP_PASS: ENC[AES256_GCM,data:QGfg7bZVdGAjuw==,iv:uS/6XpHlMgpZ812tVxGFjwMeyqX5YvfBNJUVuc0C+z8=,tag:5SIdu/yGVxzhYclyOUrOCg==,type:str]
sops:
age:
- recipient: age198jg29ryg3c0qj3yg6y9ha4ce2ue4hjdaa9kalf49fxju74dhchsquvjzp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSys1ZzdwRmRybkR2TGFn
RG1wVGI4aTNkYTZpOUtUSlBJQTVnU1JsdmpzCklLdUY0K1ZjSzhId3NVNXcvUWl0
eE95cmVHWGNsZVNYWHQvSXlNZjl5WWMKLS0tIFBpek81aGlhUXUxWm91ZjV1RFk0
SzZFalY2NXJOMFNSVFVxbDZPb1Q1amsKaDZqJvFfqxhqVcd5ldRHC+3XC/lBb9N7
VUQ/hQZM5a1WUk321Y2bBXTN6cE/06UYrl6HXwZgxTVydou4eHywww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-15T06:01:25Z"
mac: ENC[AES256_GCM,data:EwPCYlEKUgjcrZ0c75UH7n9FjkbF+WEMQzJ7Xb1+fXkD0zIIVgjudgCNtwwJTbSVupyuCVcJfCKN9n4kBpG+HyIqDZQl1MTy5YzcvvMoj3rkPLIRMfkLXFs4FRe/cFKFdxARbQrlEJqfgQME8/M07Bl+VcZRIq0mz7HlrxZFbgg=,iv:WDGCSNFT8l+MEOQCWSDDtYTj9gdDoCk+kl8UdQg+9mw=,tag:4b9vRle/waBqQX284cIiNA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1

19
secrets/system/wifi.yaml Normal file
View file

@ -0,0 +1,19 @@
WIFI_HOME_SSID: ENC[AES256_GCM,data:xZl6DE4=,iv:koEKZTW3O+bctlwoSzZCBLRT4iG380RmP/olukUd8Xc=,tag:4HM6d+FslbM1hRYcn3JTqA==,type:str]
WIFI_HOME_PSK: ENC[AES256_GCM,data:jyC4VXzhpIE=,iv:fN33x0y4kmRrPQe7ydWGdeTQaR5a3ekBaUKHX9FpHk0=,tag:tQUUj5LU6kidYTTI2RWf8w==,type:str]
WIFI_CAMS_SSID: ENC[AES256_GCM,data:yJ/oUCfSbaw=,iv:foswCMqFLOUyPQP9KL08Mhix0j2+Jt4sHHaPV49RFe4=,tag:rBG9IyQDmbNsUp4E+tnmZg==,type:str]
WIFI_CAMS_PSK: ENC[AES256_GCM,data:VlVxqxbHof6rmqSRJrXEQsT15BNl1lrghg==,iv:B6si07a0Z5ZJfMkK0HN9fa5zvQDzf7lvIQt1ZBpBZdk=,tag:21622mki8lITWA5fh7bKrg==,type:str]
sops:
age:
- recipient: age17ejyzyk52unr6eyaa9rpunxpmf7u9726v6sx7me3ww3mdu5xzgjqsgj9gl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuaFRWRnNGVm9TTkhJVFAv
RWQ1Q2Q3RStBa0E4V2hFYUV2ZHFPZnJGdkFJClY0WThYbWk2Nmx6V0g4UU9WSGRZ
bFpNalZJRlZyWjFTMU1JK1dpWndPS3cKLS0tIHI0M3ZUVlI3TTV6c2h1WmdrdW1l
VWtxaFNVUUFHT20xVTZpSjVWRHozTzQKAAsNbFf6bU6eelqOX7Ei+Zrtw0aw0WgQ
5zOWrxd92MaG/AvVpL0jC1LuWtZeK3MK7Qpgtm8t0rgugUas16KYpA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-15T06:25:12Z"
mac: ENC[AES256_GCM,data:+Lhmcr2Jg1htfcMMMPu8AxrDhvlm4yLVIunxAcs4adX8NeJccD+/UVvZO+qtzF6iQmXCdTvRDo3shqmJKHvs6ZUJVe3jokTKMJoQdIbSIS0fSwULUV8evK5Incf8qzpnHd2J1Kg4qCL8oWeN9t4TBJTPVrNJzd/sOF1Kp2g9IBE=,iv:/ORst/Lnj3h16fJQWxAaJ5vMWKMN2lGhGoIQjNxNpGQ=,tag:NURI5mwbfECaWTgbSs6clA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1