bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-03-24 00:29:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

configured sops-nix

Browse source
This commit is contained in:
Bryan Ramos 2025-07-15 01:54:01 -04:00
parent a9843c9089
commit beb00a5718
Signed by: bryan
GPG key ID: 6ABDCD144D6643C8
4 changed files with 62 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -4,9 +4,9 @@ keys:
- &hosts: - &hosts:
- &server age1jvqcc984v5xr8yhwm72arsy2hx6rm9gvsr7zeeasvcl0k2l9efmsgys3eg - &server age1jvqcc984v5xr8yhwm72arsy2hx6rm9gvsr7zeeasvcl0k2l9efmsgys3eg
creation_rules: creation_rules:
- path_regex: src/system/machines/server/secrets.ya?ml$ - path_regex: src/system/modules/frigate/secrets.ya?ml$
key_groups: key_groups:
age: - age:
- *server - *server
pgp: - pgp:
- *bryan - *bryan

43
src/system/machines/server/secrets.yaml Normal file
View file

@ -0,0 +1,43 @@
camera_user: ENC[AES256_GCM,data:wEsLmNE=,iv:v+iPUD9pTMroUfCi6Q/fr38WUIV6nQkSKRwTlaWAE8g=,tag:YpHjExxYBN9h96rilf9oQg==,type:str]
camera_pass: ENC[AES256_GCM,data:n2r7rGMoEZmWnsc=,iv:7pZvNvanU2XqSgKcPqKD+beqXbdkDP8e2bdO+xCACLA=,tag:zA426rjuUp6v6WfvSbiGJQ==,type:str]
sops:
shamir_threshold: 2
key_groups:
- hc_vault: []
age:
- recipient: age1jvqcc984v5xr8yhwm72arsy2hx6rm9gvsr7zeeasvcl0k2l9efmsgys3eg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJc3hwWEY1YlRCckM5cTRJ
em1kMUtGZFdwMzkzek9MdlB1TGwyOHorb2l3ClpMYmtPQkNHcGphcnIrVVdQc1R3
a3p4c1NvK2gvTEZRWEQ4VTR4OFpFZWMKLS0tIFpSdTRxcVl3WHgrVlk4N1VXOGUv
YUYydFpLeUxENW1HeGlua1VMYnRlN2sKLq7rx6l5bkSdiAACJFlozCBjVJP2wiJQ
jQAzLUzkOJVSc3Qnnbsn8FuQjCRp25HKMYKd2pxOfAbT0CCh+yFKU8s=
-----END AGE ENCRYPTED FILE-----
- pgp:
- created_at: "2025-07-15T05:20:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwTOId9Kyu/jAQ//bJERY8tWurpRZ8CScN6Wj/Q7fR1jUJzn2ZDwJll+/ooM
fV1U6UJoD76hyrhNi8Nx1IGqVKooZ51PWaUy3EXuSlkECQ04ApxM37uiEFmgU2mH
HYIveY1i7ebkaAsjD6a+BuK0Dj04KwQpzAZE+CphUTVgbzS8Z1F/ToYQY9taPcuz
aYVbuETl1CRyEeJjuJbRnPdndINFgIhSOM/27cgZBSo/dzS6CQZbZXz4nBmSCXpM
j/b6STe2dw/fr9wx8Xwqs520w2bmEBYTAaYP6pkQ2xrUiaGAGyHvqSIr97Dm/a5L
i3PrXWmdfDLco+dKXtE0FnXa2lcANarIR9xd1QEzI8iby3VIvJx49ScrnETrOupW
eekho9t0LwZFHP6PrWtKtB3WxKkvyXqu8f0BrUkEZ2aUFhZW15ax1k/kNiyZJFy6
vevAjmYtLtHBTUomm9cKxZcxWbwKwDWn7sN5qWSyjz+rgiLE1Wi98K7pKwKzWTVs
E8sb5MUf49KXEISBkQgfdAEV92Ia47aopg+S2RaNNBGbjfZahQhkrBsi5ap8VLMN
skgbysaG+WY6sYYP4zoFrQFMXKvf146oAqNEs5/QoAi33oj0SZyaV+VgreDYGfrI
VnpgUJM2OLSgcIej8eveT5Gu8MrPBqlKa8+n9gRdaVz7d0g4hdT1EpfJN8YXRaTS
XQGTAxb9OoYD/KcTZAxhD0hYJKUHixFyOL96w+k06TXpkqdRveThthT0n6x8ynlO
mxF9u6aLvfLpjZxgaDWYO/I3ypy5Fx0N/3JtC1wt8AGrEbHW4Y6iciFu2bPDig==
=OBwx
-----END PGP MESSAGE-----
fp: F1F3466458452B2DF351F1E864D12BA95ACE1F2D
hc_vault: []
age: []
lastmodified: "2025-07-15T05:21:09Z"
mac: ENC[AES256_GCM,data:JDlohVG3MM6KwrnWhBXAiM5dCNtmDyyO03vrbAG32JbWjXbdnzqgG95cTe+X17pbilc3p3F/IQRjNxt1EziIDeLmrTszLPxpdBUEUuNUOJ2RBZ6IlBdBo4gitTOwlOAxh/Uo7qr+gvJCsyiyHvr4Zti27ZDcExe2oVxcLf3M988=,iv:ntCT1a+FSpOKCtmCXyXIdQJ08qrONaMu/+qMUiz0DRQ=,tag:d6T9BpVdy1cnYVHb7PczBw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

15
src/system/machines/server/system.nix
View file

@ -19,11 +19,13 @@
}; };
}; };
users.mutableUsers = false;
users.users = { users.users = {
"${config.user.name}" = { "${config.user.name}" = {
isNormalUser = true; isNormalUser = true;
extraGroups = config.user.groups; extraGroups = config.user.groups;
openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.primary}" ]; openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.primary}" ];
password = "123";
}; };
}; };
@ -114,4 +116,17 @@
PasswordAuthentication = false; PasswordAuthentication = false;
}; };
}; };
sops = {
defaultSopsFile = ./secrets.yaml;
defaultSopsFormat = "yaml";
age = {
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
secrets = {
camera_user = {};
camera_pass = {};
};
};
} }

2
src/system/modules/frigate/default.nix
View file

@ -20,7 +20,7 @@ in
"Doorbell" = { "Doorbell" = {
ffpmeg.inputs = [ ffpmeg.inputs = [
{ {
path = "rtsp://admin:th3bigbl4ck@192.168.0.108/cam/realmonitor?channel=1&subtype=0"; path = "rtsp://$(cat /run/secrets/camera_user):$(cat /run/secrets/camera_pass)@192.168.0.108/cam/realmonitor?channel=1&subtype=0";
roles = [ "detect" "record" ]; roles = [ "detect" "record" ];
} }
]; ];