diff --git a/.sops.yaml b/.sops.yaml index 857ca3a..eab1515 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,7 +1,11 @@ keys: - - &primary age1npdfwkrrq89585wjamxxthdswwh4fmmfs5a07v70g7n6vhdhvf3sc0rv5r + - &primary age1nlta6ek2fsre42g38ytwg3fxtra4h444psd7g986md0gzmvv6d5qqlwwjy creation_rules: - - path_regex: secrets/secrets.yaml$ + - path_regex: secrets/ssh-config.yaml$ + key_groups: + - age: + - *primary + - path_regex: secrets/ssh-private.yaml$ key_groups: - age: - *primary diff --git a/flake.nix b/flake.nix index 62600ce..d5bb2c4 100644 --- a/flake.nix +++ b/flake.nix @@ -45,6 +45,7 @@ pkgs = nixpkgs-linux.legacyPackages.x86_64-linux; modules = [ { nixpkgs.config.allowUnfreePredicate = _: true; } + inputs.sops-nix.homeManagerModules.sops ./home/hosts/eris.nix ]; extraSpecialArgs = { inherit inputs; }; @@ -54,6 +55,7 @@ pkgs = nixpkgs-linux.legacyPackages.x86_64-linux; modules = [ { nixpkgs.config.allowUnfreePredicate = _: true; } + inputs.sops-nix.homeManagerModules.sops ./home/hosts/metis.nix ]; extraSpecialArgs = { inherit inputs; }; @@ -63,6 +65,7 @@ pkgs = nixpkgs-darwin.legacyPackages.aarch64-darwin; modules = [ { nixpkgs.config.allowUnfreePredicate = _: true; } + inputs.sops-nix.homeManagerModules.sops ./home/hosts/hypnos.nix ]; extraSpecialArgs = { inherit inputs; }; diff --git a/home/hosts/eris.nix b/home/hosts/eris.nix index b7c7ffc..c0d2125 100644 --- a/home/hosts/eris.nix +++ b/home/hosts/eris.nix @@ -11,6 +11,7 @@ ../modules/shell-develop.nix ../modules/vscode.nix ../modules/gnome-dconf.nix + ../modules/ssh.nix ]; home.packages = with pkgs;[ diff --git a/home/hosts/hypnos.nix b/home/hosts/hypnos.nix index b511a77..2b9a2dd 100644 --- a/home/hosts/hypnos.nix +++ b/home/hosts/hypnos.nix @@ -14,6 +14,7 @@ ../modules/shell-develop.nix ../modules/zsh.nix ../modules/llm.nix + ../modules/ssh.nix ]; programs.zsh.shellAliases = { diff --git a/home/hosts/metis.nix b/home/hosts/metis.nix index c9b7f99..a615a95 100644 --- a/home/hosts/metis.nix +++ b/home/hosts/metis.nix @@ -8,5 +8,6 @@ ../modules/shell.nix ../modules/zsh.nix ../modules/shell-develop.nix + ../modules/ssh.nix ]; } diff --git a/home/modules/ssh.nix b/home/modules/ssh.nix new file mode 100644 index 0000000..4300204 --- /dev/null +++ b/home/modules/ssh.nix @@ -0,0 +1,29 @@ +{ config, lib, ... }: +{ + sops = { + age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; + defaultSopsFile = ../../secrets/ssh-config.yaml; + }; + + home.file.".ssh" = { + source = ./ssh; + recursive = true; + }; + + home.activation.sshDirPerms = lib.hm.dag.entryAfter [ "writeBoundary" ] '' + if [ -d "$HOME/.ssh" ]; then + chmod 700 "$HOME/.ssh" + fi + ''; + + sops.secrets."ssh-config" = { + path = "${config.home.homeDirectory}/.ssh/config"; + mode = "600"; + }; + sops.secrets."ssh-private" = { + sopsFile = ../../secrets/ssh-private.yaml; + path = "${config.home.homeDirectory}/.ssh/id_ed25519"; + mode = "600"; + }; + +} diff --git a/home/modules/ssh/ssh/id_ed25519.pub b/home/modules/ssh/ssh/id_ed25519.pub new file mode 100644 index 0000000..4b00e43 --- /dev/null +++ b/home/modules/ssh/ssh/id_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyrUiSdpTC+vP+pNDChehLG+ChYL2By2LtjmVJiHmaf origami@eris diff --git a/home/modules/zsh/.zsh.d/nix.zsh b/home/modules/zsh/.zsh.d/nix.zsh new file mode 100644 index 0000000..bf41fd0 --- /dev/null +++ b/home/modules/zsh/.zsh.d/nix.zsh @@ -0,0 +1,38 @@ +#!/usr/bin/env zsh + +sops-update-file() { + local src_file="$1" + local yaml_file="$2" + local age_key_file="$HOME/.config/sops/age/keys.txt" + + if [[ -z "$src_file" || -z "$yaml_file" ]]; then + echo "用法: sops-update-file <原文件> " >&2 + return 1 + fi + + if [[ ! -f "$src_file" ]]; then + echo "找不到原文件: $src_file" >&2 + return 1 + fi + + if [[ ! -f "$age_key_file" ]]; then + echo "找不到 age 私钥: $age_key_file" >&2 + return 1 + fi + + local key_name="${yaml_file:t:r}" + local age_pub + age_pub="$(nix-shell -p age --run "age-keygen -y $age_key_file")" || return 1 + + local tmp + tmp="$(mktemp /tmp/sops-update.XXXXXX.yaml)" || return 1 + { + echo "${key_name}: |" + sed 's/^/ /' "$src_file" + } > "$tmp" + + nix-shell -p sops --run "sops --encrypt --input-type yaml --output-type yaml --age $age_pub --config /dev/null $tmp" > "$yaml_file" + local rc=$? + rm -f "$tmp" + return $rc +} diff --git a/home/modules/zsh/.zshrc b/home/modules/zsh/.zshrc index 09aea6e..49fac91 100644 --- a/home/modules/zsh/.zshrc +++ b/home/modules/zsh/.zshrc @@ -12,6 +12,7 @@ source "$ZSHD/pdf.zsh" source "$ZSHD/completion.zsh" source "$ZSHD/modern-utils.zsh" source "$ZSHD/develop.zsh" +source "$ZSHD/nix.zsh" # allow using # at begin setopt interactivecomments diff --git a/hosts/eris/configuration.nix b/hosts/eris/configuration.nix index e69d5dc..d0d3968 100644 --- a/hosts/eris/configuration.nix +++ b/hosts/eris/configuration.nix @@ -161,7 +161,7 @@ ]; }; security.sudo.wheelNeedsPassword = false; - sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.defaultSopsFile = ../../secrets/ssh-private.yaml; sops.defaultSopsFormat = "yaml"; sops.age.keyFile = "/home/origami/.config/sops/age/keys.txt"; @@ -171,4 +171,3 @@ services.openssh.enable = true; system.stateVersion = "23.11"; } - diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml deleted file mode 100644 index c55b51f..0000000 --- a/secrets/secrets.yaml +++ /dev/null @@ -1,21 +0,0 @@ -ssh-private-key: ENC[AES256_GCM,data:6FGOhPZQOJ8=,iv:RB+wxIUupe8GSzTzprH3C1naMq9XyBcEJYpWvY+8kWk=,tag:phDITUcI3+zgpJfKS/tpHQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1npdfwkrrq89585wjamxxthdswwh4fmmfs5a07v70g7n6vhdhvf3sc0rv5r - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHMVg5b2FTTkU2eGJ1U21B - TExGWi9RSFNqMTlXQlBKODV6RzAzWGppbHhVCmhwaHBZY0FqbmpCZkhYTFExT05t - cExOT0V3T1V5UEN2M0FTaFJLb2NDb0kKLS0tIFJrVVFVdEtzMC9PZ09MdzJSTktG - MW4wQS80V3VpWlpYMWdDYWFTMk81VEkK0bBT2NFCNd4OpMbi8jq/mnOM/1Qa3pWT - P0JVrJSJM3pfrYaLfeRbmKvTh/NwX1IygqrNZ6BqduhQs/xRsZtCQQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-21T21:50:37Z" - mac: ENC[AES256_GCM,data:ObwmSRiLU/OBTUX0k0SftiwDwmkKxVOziI2KLBR1p4wL/Me/Qp5wOzJYd83p+cBlxIpn8rjtUxbS+bz0p3mMckeTfoJjyElnn8gx/fJYLsdnXSIqcyfUOA9XWV16t7jeQj2ZW8OcTns0+O1+A1TCucvwXX4xugB2h4kzcFuZS6U=,iv:q0N7HdlWN9MltUI3N5nXU1FzTPz1oi0jl/T8YvGSP8Q=,tag:U1HkWvheOM8D0gQ/yWBJ+A==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/ssh-config.yaml b/secrets/ssh-config.yaml new file mode 100644 index 0000000..d647219 --- /dev/null +++ b/secrets/ssh-config.yaml @@ -0,0 +1,16 @@ +ssh-config: ENC[AES256_GCM,data:pIpoWvlplGJRsvpNpA9ZgXHzDXZXL/VLd18v5VTjhF3dEi1MgqBjzgkfq6TqqqzB9fxz1XnrfCftSg61UDQNfbOLGIYXyy+lGGgG+fLFzhTMVAx3fWFoRrXb29buzdlGM6FduW5b8xLOpoAItpqpBiT2ukMm9hzOCuG9BDOoZ/tMvHs/wLoiuyegv1je2PNagfqHUITTbNjZy9n+FpsP8ddfwYpeOmmn2/JYrm1rggmQi2WzZgJznIoWh0b+xV82YyVNEmdoO+4dQRzSjFZL4A3iEqh1+UXXhyX5Xom1ebOacfCu4i58gFe1FW5GEvtg/FgdypdA4BsRh9lsrMReJwbuAecuRHWNafVHYeN8ySA5LanwYcga7En8b1DZ+s6Iny0r02olNcYhObZD47rpqpRBeeZAhFpK8vPbCmYpiPyW73E5cUHfhcVaeDVIm3LiK9PK06/WuK4qMBeCl95b0lA6uwFhXCm2m49bOik8OKVUrWbUJrzwPXTsaTx8xwA7VKEdVTuxqVL/SQck9nvNGIFY94KE1ZS5s9LWBuMbjxJsvsNhHtehFl+bW/Ta/cpz7UrmxVyC5nDOk/iTSim1px0DtbxoWeb8J9cG16DF4OK58HYM4k4vJhQ01A7hYjk4hlNbGVEk6gibU6viQLQPjRyjUy0ulklksSqqVDgY5hjptNWDZ7AXmIcA1iRKaEb6RFuJaGySLOkyBOI4P6CRpaIbNsmPvgtsC3sGXYPN1wbXGOT5QHlx+YcC3y2TIl1uyE9r26St7b4Y51D7eD4EUgex8qN4+DDtqNA6vWOsRtSp9ipXz+BF2ZsmIwoFIEgmaGK74ugWzV4l3s0uuUdixSx1tFNU8Uxucdxx/xeaXn5FE02Vofy8LzULLR631kEp05+A0VEybZYY1YJ9rnYXeaIH5wWl5GW7KA+HyaIfkrna5p/n2QgfypqZXMlMWEJyUZclFCT3icIzSKIt2PzamLNSVpOp5bN8B6+yQwOoLR7XOwRjscmHeLcADSiVqI0OTWiez2pghZclGuhn1T63aMZii3J7I6gGBqh5vDkp0z21ogmqiIniEPmEZdyKUsdMY/+Nz7qf5RlrEuGLc+JapuBHUD10pTqYtoBHb0MgW7kV2hQESqvl4/1xiu4UgA5jgsAAmaJ2AiRBkJYK9vKATE9sBRBxxXCM9KPvON/wrycMO/nsqE6u9Btn2OVi7Hzo2ACDPWqS1sAKbPOFBuc34hVfOBQBWbJgo51BTwF/uYmJBqiNwN9LHYrhvMYgZolAjKPFoeUsjcZ9CAlQ0o1PuMlzrOtbcSo8C2nnYVKKaoug19Kkr/kseOY6z3wfw6OkNoLqz4kT39Tkg1SseGgkelHVpbj5dNn+wlKMPwRC5Tf0aYQHE/nCDvo1FDIbJq4iBpACYT6IVrzuO2AEBrajOfSqCu6ZvPuN3aCYZugKD+UuRg37gfuEmTmNv6UqwTxqguxBA/5eJGRv4+zlo/ocvWafMD31dJepfl7eezokAER435rpsswlVtIXm8Z0rFzL1bmtX1QPGD+mPsjUbkjgCfbzBxhfaQJFgZzIGfu0Lu6woZo1ysuQ7Ay73smytniJ+gKX7N7wv95GrOrbApcFOtQeZ4bPyNYh9Aoj4MKIehddp4s9JFrBjyXpqbyrZLeB/RNC9tm7/2qmp7WW33V3xx6qTqcQapOX2HXvQtX/ckeezIk+6hNFwMvF+PbI4ggnl/GFQx3EQS693LjoLtpUd6ZpODHT3AP2EnUx1byxI3j8oxrpqZhkFpxFCsdK/NSQ+DHO2Cv4Ox/rKfpdcAti6r+0mtUJuMuDWS96RsZ/5Hu35cTmzBdFT3iCKlodbqxoTFMzcmxkWvRIhiHiJoYEPHf4n+C+vUAAof7LoTEhmBwvdypWD+zfQwlp7LnY94ber5Bvclk0nxIAlwoCd1bFQVUOMEwbXjXDiF9Ie8+7f7UGg1Imyf31to3N8Jk45ShdTqsaAd+55crOK61tbV6IPsX4iuKstzj6hdmtzMVgOCjN9lc8gOV8HTgh+Qf9Ed1BTmMHbXzRzvoBdgcCTkTKMiw2M3kL4jNz3TXSXLb/ZJ1OUmQMMojG4Qr6tare8QPABU//qKPnVy4EGi8v/+AMFf4ybNXGpy0jUQVxeH9KCPXLkvLJnlqmFDViLuMO7gBY4qXIrmeSu5/3Z2eUiJLlCTHeeNvBITQb0UPJHCujlP5k7Cg6k7rseL+zvItX/kwTghRy+6Er9cPnFxxRlqNcw2zc/oETN+dNpjMA/+bY7IgFN1udfg+3SG4pP4kUGlP+1+VE8p4atj1cDtjbvkGv8kI2y6yHrlBUsaZvWKjYIvzD5lwNzGewZVFUsnlKENZ0Xaom8qBT8n8cnZIy5XzkLZ/JELFwMK6LprJ2DuU67xvKJORrkUmkyZ8hG3mI9aTURlBR44vegq/HMTViV4CbN77Tn6fiqKf1gvNvffSqeIVS3uSLKF82uGfgulxhaRfTktVQzA7vjKWOdrGrBgJIfFxNbaNlea2US6c1NUaGnJQoP4QocAqOemFwH7N+l4qIeMZhaDmpdfIe2V9Myvhm/gwCe99o3gpqUsot3UVWqDlXoSbso9rBqw7q+TzQLpGozj6b/jbsm8l4nTV1HFMQqk3nEoRYUqp0EkG1MiuwcdJphgKLn+IRbaoWn0Ahk6vtnw95f73dO4G3IDkizCc5N/JC06MMvhOsWSR8NN/fqmc9DQvNDRbYoUKBjlEJ0nE81KTXl4tbvNpgbpv4c4P0JVomTl4vREQtLgoOV7HzIlNAZiRMQKsI03kVi4y+icKrfo01Pp/0e0uzxgo1l5JcqeFIac3w3xA9tUmHmOpnyIJNyTSG4WmUj2v7Eibr1YCCusm/iQvqqfrJeKr0/GnZzQeSs8wipqgutCcDAI/0z9EO5KviiFgSCcX+w9t2Nwq6hO+ojMWv3kPCz5Mk7DsEPJHgbU08n+OslQtlL85tBe4YiXTn5efyLpUTtIVRCSxOpRiImRncxW6Jm6QPUgQE,iv:JUz+fCkz1j+AjAqKR/9HJ7qPpMsIRDZxTtrS9XQu0YM=,tag:R4fcq059iv71EhX1Kt6NUg==,type:str] +sops: + age: + - recipient: age1nlta6ek2fsre42g38ytwg3fxtra4h444psd7g986md0gzmvv6d5qqlwwjy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPYVBYWEpycEJuQVJsbURT + eGRWOVVDWkloWmd6OEYxNWhUOEdWdGR0aEZJCkVGWEw3bFhkVkt3b3l2TWtNTzRh + dVFmZ0swU1hBRTdLQThEUmNZMjVSMHcKLS0tIFNja3dic3JEY1g2dk1nZkw3bDdu + cHN6Y3paV2JRcVQ3TElya1FYTkhRS3MKnoUf8RKqrkuPoeZQZDiBNa0pqVZsOMcI + 9k81scGkhKOd3Cu0/NcEFhBFIoTlnC1nDwyLsqUDNXqkmMaS70uDTQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-19T15:17:37Z" + mac: ENC[AES256_GCM,data:lZrL3yIEUYdlkO+/XaJFmLOZq+4TRVCsunNpjfmDLqLeAnzhJU2YF3xKZQzTxOl/VHkHmL36GkIJ3umzuGR4Sc3IpbB6O3iqLeZFZUNRdwqLD4bDZHEadVlWzY26oUn4aqeBnVbjo1IoiuhQ2yTvodLEmi2TMIiEGN+mFTrzR4I=,iv:0OuQm/Q9i7kd7s7eZBx4ZAH0/GTN/kbQB81rzlpi0xQ=,tag:r/yOxisNKG1u6e8ZFOcB7Q==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/secrets/ssh-private.yaml b/secrets/ssh-private.yaml new file mode 100644 index 0000000..ffcb941 --- /dev/null +++ b/secrets/ssh-private.yaml @@ -0,0 +1,16 @@ +ssh-private: ENC[AES256_GCM,data:9W1PuAvO0j9M8/VAKitMnw1OU0s5agfQYoupU4KQDlq95r1vfTKfy7sD2zMa01Pyym9FqfYJpqq2h2Mki6zdmN9/fqvhCc9cxG4gXLR50m/ny/ue2A6TqakTM+jlzP79tqwBGpxQOicI9PyK7GgX0ltbghk5Il3lC5VzlcwDd9koCEAaVapB8hbqTUOw0cjInqXIBV4QLNhLei2gSeT1R8LdxAhS6B0fsDc2+OvErYfKfdbXTurefX6/IJlhvGsanYo92wVoL+LouAQNBVmybQGq0PHNf9tETBw1TCt9LurtHQt5J+A5zuMJoRKNt+ExN/ABE1dMub4912JkR3UKe+HONp4v98wsPm7E4ai5dgD4zW4TGXPr826w6F8bxQ9H4/rv872cqdhvM4iBoX+KxJ43qXMHrGVmo6HCfwRf7SGNhppvlOl//fB/hrqGoY4enWATq/HaPvkeCTotJBJu+lqx7lhngpl4ale3QSvgeEAvSWMBfTfQUDSik9jkZ/wLRh8U8LrPnQ4nbve7wlhW,iv:tR8UGAEVNYBX3U6h4meWPvfqjggwsNdQuPBbI8WyQe4=,tag:atNiYWHtxnTUweM0RCWQgg==,type:str] +sops: + age: + - recipient: age1nlta6ek2fsre42g38ytwg3fxtra4h444psd7g986md0gzmvv6d5qqlwwjy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRjZTaFRhMSszN0tycDRT + OHhxa2ZmODFxRXZYRXd1eVVndnhhd0lhK2pnCi80RzlGUTZUdHp4TzVkaWRhNmMz + eXFGbW9hM3VYR0VlSEdFUWdBelJiK1kKLS0tIGpSb2RRZXZOV2tWVnpzNDA5WElE + cDVvOW9SWmFGRTdIK3NsUmJOaWplOTgK43U297tGKfh+FcJcJDbMyvyYd2HBU5ug + 84lYRcTq3jbfJNStD4k3I5S+VLWQ8cqe4PCrr+gb4Omibs3xh5Zitg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-19T15:17:38Z" + mac: ENC[AES256_GCM,data:HEkeqnAslF0ojApjEk5Z8nGGHWbZmSRrvOv1N0ojjYUR+TfDSK/0Atx9rc4Klz7Xc3FAAeZzskYyU8VjQ3sfB7P6pe18Fg0m1+yGtEmPSiunaTm6Nh3LlUOvzHkGEdVpjANtTXmhUEbgvmY06JaAq1da6QvrelZFs2tKlC3hMR8=,iv:vVzvhPSkLCPeRP5j1RueFBQdKFweVJOpRxn0blAX4ZQ=,tag:NlYnLqpWXtRsPjWq6ud2xg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0