sops: 配置多机器标准密钥流程

hosts/eris/configuration.nix

@@ -9,9 +9,9 @@
     [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      inputs.sops-nix.nixosModules.sops
       ../modules/nix-cache.nix
       ../modules/users/origami.nix
+      ../modules/sops.nix
     ];
 
   boot.loader = {
@@ -150,13 +150,14 @@
   users.users.origami.extraGroups = [ "wheel" "networkmanager" ];
   security.sudo.wheelNeedsPassword = false;
 
-  sops.defaultSopsFile = ../../secrets/ssh-private.yaml;
-  sops.defaultSopsFormat = "yaml";
-  sops.age.keyFile = "/home/origami/.config/sops/age/keys.txt";
-
   # List services that you want to enable:
 
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
+
+  # 密钥管理: 这是日用机器
+  sops.defaultSopsFile = ../../secrets/ssh-private.yaml;
+  sops.age.keyFile = "/home/origami/.config/sops/age/keys.txt";
+
   system.stateVersion = "23.11";
 }

hosts/modules/sops.nix

@@ -0,0 +1,11 @@
+{ inputs, pkgs, ... }:
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  environment.systemPackages = with pkgs; [
+    sops
+    age
+  ];
+
+  sops.defaultSopsFormat = "yaml";
+}

hosts/oparic-local-dev/configuration.nix

@@ -4,9 +4,9 @@
   imports =
     [
       ./hardware-configuration.nix
-      inputs.sops-nix.nixosModules.sops
       ../modules/nix-cache.nix
       ../modules/users/origami.nix
+      ../modules/sops.nix
     ];
 
   # BIOS + GRUB, 安装到 MBR
@@ -83,11 +83,11 @@
   users.users.origami.extraGroups = [ "wheel" ];
   security.sudo.wheelNeedsPassword = false;
 
-  sops.defaultSopsFile = ../../secrets/ssh-private.yaml;
-  sops.defaultSopsFormat = "yaml";
-  sops.age.keyFile = "/home/origami/.config/sops/age/keys.txt";
-
   services.openssh.enable = true;
 
+  # 密钥管理: 这是对外机器
+  sops.defaultSopsFile = ../../secrets/hosts/oparic-local-dev.yaml;
+  sops.age.keyFile = "/var/lib/sops/age/keys.txt";
+
   system.stateVersion = "23.11";
 }