Origami404/flake
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

接入 sops 管理 SSH 配置与私钥

Browse Source
This commit is contained in:
Origami404
2026-01-19 23:36:42 +08:00
parent e195cbc591
commit 2f31fbcd6e
13 changed files with 114 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.sops.yaml
+6 -2
View File
@@ -1,7 +1,11 @@
keys: keys:
- &primary age1npdfwkrrq89585wjamxxthdswwh4fmmfs5a07v70g7n6vhdhvf3sc0rv5r - &primary age1nlta6ek2fsre42g38ytwg3fxtra4h444psd7g986md0gzmvv6d5qqlwwjy
creation_rules: creation_rules:
- path_regex: secrets/secrets.yaml$ - path_regex: secrets/ssh-config.yaml$
key_groups:
- age:
- *primary
- path_regex: secrets/ssh-private.yaml$
key_groups: key_groups:
- age: - age:
- *primary - *primary
flake.nix
+3
View File
@@ -45,6 +45,7 @@
pkgs = nixpkgs-linux.legacyPackages.x86_64-linux; pkgs = nixpkgs-linux.legacyPackages.x86_64-linux;
modules = [ modules = [
{ nixpkgs.config.allowUnfreePredicate = _: true; } { nixpkgs.config.allowUnfreePredicate = _: true; }
inputs.sops-nix.homeManagerModules.sops
./home/hosts/eris.nix ./home/hosts/eris.nix
]; ];
extraSpecialArgs = { inherit inputs; }; extraSpecialArgs = { inherit inputs; };
@@ -54,6 +55,7 @@
pkgs = nixpkgs-linux.legacyPackages.x86_64-linux; pkgs = nixpkgs-linux.legacyPackages.x86_64-linux;
modules = [ modules = [
{ nixpkgs.config.allowUnfreePredicate = _: true; } { nixpkgs.config.allowUnfreePredicate = _: true; }
inputs.sops-nix.homeManagerModules.sops
./home/hosts/metis.nix ./home/hosts/metis.nix
]; ];
extraSpecialArgs = { inherit inputs; }; extraSpecialArgs = { inherit inputs; };
@@ -63,6 +65,7 @@
pkgs = nixpkgs-darwin.legacyPackages.aarch64-darwin; pkgs = nixpkgs-darwin.legacyPackages.aarch64-darwin;
modules = [ modules = [
{ nixpkgs.config.allowUnfreePredicate = _: true; } { nixpkgs.config.allowUnfreePredicate = _: true; }
inputs.sops-nix.homeManagerModules.sops
./home/hosts/hypnos.nix ./home/hosts/hypnos.nix
]; ];
extraSpecialArgs = { inherit inputs; }; extraSpecialArgs = { inherit inputs; };
home/hosts/eris.nix
+1
View File
@@ -11,6 +11,7 @@
../modules/shell-develop.nix ../modules/shell-develop.nix
../modules/vscode.nix ../modules/vscode.nix
../modules/gnome-dconf.nix ../modules/gnome-dconf.nix
../modules/ssh.nix
]; ];
home.packages = with pkgs;[ home.packages = with pkgs;[
home/hosts/hypnos.nix
+1
View File
@@ -14,6 +14,7 @@
../modules/shell-develop.nix ../modules/shell-develop.nix
../modules/zsh.nix ../modules/zsh.nix
../modules/llm.nix ../modules/llm.nix
../modules/ssh.nix
]; ];
programs.zsh.shellAliases = { programs.zsh.shellAliases = {
home/hosts/metis.nix
+1
View File
@@ -8,5 +8,6 @@
../modules/shell.nix ../modules/shell.nix
../modules/zsh.nix ../modules/zsh.nix
../modules/shell-develop.nix ../modules/shell-develop.nix
../modules/ssh.nix
]; ];
} }
home/modules/ssh.nix
+29
View File
@@ -0,0 +1,29 @@
{ config, lib, ... }:
{
sops = {
age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
defaultSopsFile = ../../secrets/ssh-config.yaml;
};
home.file.".ssh" = {
source = ./ssh;
recursive = true;
};
home.activation.sshDirPerms = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
if [ -d "$HOME/.ssh" ]; then
chmod 700 "$HOME/.ssh"
fi
'';
sops.secrets."ssh-config" = {
path = "${config.home.homeDirectory}/.ssh/config";
mode = "600";
};
sops.secrets."ssh-private" = {
sopsFile = ../../secrets/ssh-private.yaml;
path = "${config.home.homeDirectory}/.ssh/id_ed25519";
mode = "600";
};
}
home/modules/ssh/ssh/id_ed25519.pub
+1
View File
@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyrUiSdpTC+vP+pNDChehLG+ChYL2By2LtjmVJiHmaf origami@eris
home/modules/zsh/.zsh.d/nix.zsh
+38
View File
@@ -0,0 +1,38 @@
#!/usr/bin/env zsh
sops-update-file() {
local src_file="$1"
local yaml_file="$2"
local age_key_file="$HOME/.config/sops/age/keys.txt"
if [[ -z "$src_file" || -z "$yaml_file" ]]; then
echo "用法: sops-update-file <原文件> <yaml文件>" >&2
return 1
fi
if [[ ! -f "$src_file" ]]; then
echo "找不到原文件: $src_file" >&2
return 1
fi
if [[ ! -f "$age_key_file" ]]; then
echo "找不到 age 私钥: $age_key_file" >&2
return 1
fi
local key_name="${yaml_file:t:r}"
local age_pub
age_pub="$(nix-shell -p age --run "age-keygen -y $age_key_file")" || return 1
local tmp
tmp="$(mktemp /tmp/sops-update.XXXXXX.yaml)" || return 1
{
echo "${key_name}: |"
sed 's/^/ /' "$src_file"
} > "$tmp"
nix-shell -p sops --run "sops --encrypt --input-type yaml --output-type yaml --age $age_pub --config /dev/null $tmp" > "$yaml_file"
local rc=$?
rm -f "$tmp"
return $rc
}
home/modules/zsh/.zshrc
+1
View File
@@ -12,6 +12,7 @@ source "$ZSHD/pdf.zsh"
source "$ZSHD/completion.zsh" source "$ZSHD/completion.zsh"
source "$ZSHD/modern-utils.zsh" source "$ZSHD/modern-utils.zsh"
source "$ZSHD/develop.zsh" source "$ZSHD/develop.zsh"
source "$ZSHD/nix.zsh"
# allow using # at begin # allow using # at begin
setopt interactivecomments setopt interactivecomments
hosts/eris/configuration.nix
+1 -2
View File
@@ -161,7 +161,7 @@
]; ];
}; };
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
sops.defaultSopsFile = ./secrets/secrets.yaml; sops.defaultSopsFile = ../../secrets/ssh-private.yaml;
sops.defaultSopsFormat = "yaml"; sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/home/origami/.config/sops/age/keys.txt"; sops.age.keyFile = "/home/origami/.config/sops/age/keys.txt";
@@ -171,4 +171,3 @@
services.openssh.enable = true; services.openssh.enable = true;
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }
secrets/secrets.yaml
-21
View File
@@ -1,21 +0,0 @@
ssh-private-key: ENC[AES256_GCM,data:6FGOhPZQOJ8=,iv:RB+wxIUupe8GSzTzprH3C1naMq9XyBcEJYpWvY+8kWk=,tag:phDITUcI3+zgpJfKS/tpHQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1npdfwkrrq89585wjamxxthdswwh4fmmfs5a07v70g7n6vhdhvf3sc0rv5r
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHMVg5b2FTTkU2eGJ1U21B
TExGWi9RSFNqMTlXQlBKODV6RzAzWGppbHhVCmhwaHBZY0FqbmpCZkhYTFExT05t
cExOT0V3T1V5UEN2M0FTaFJLb2NDb0kKLS0tIFJrVVFVdEtzMC9PZ09MdzJSTktG
MW4wQS80V3VpWlpYMWdDYWFTMk81VEkK0bBT2NFCNd4OpMbi8jq/mnOM/1Qa3pWT
P0JVrJSJM3pfrYaLfeRbmKvTh/NwX1IygqrNZ6BqduhQs/xRsZtCQQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-21T21:50:37Z"
mac: ENC[AES256_GCM,data:ObwmSRiLU/OBTUX0k0SftiwDwmkKxVOziI2KLBR1p4wL/Me/Qp5wOzJYd83p+cBlxIpn8rjtUxbS+bz0p3mMckeTfoJjyElnn8gx/fJYLsdnXSIqcyfUOA9XWV16t7jeQj2ZW8OcTns0+O1+A1TCucvwXX4xugB2h4kzcFuZS6U=,iv:q0N7HdlWN9MltUI3N5nXU1FzTPz1oi0jl/T8YvGSP8Q=,tag:U1HkWvheOM8D0gQ/yWBJ+A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
secrets/ssh-config.yaml
+16
View File
@@ -0,0 +1,16 @@
ssh-config: ENC[AES256_GCM,data:pIpoWvlplGJRsvpNpA9ZgXHzDXZXL/VLd18v5VTjhF3dEi1MgqBjzgkfq6TqqqzB9fxz1XnrfCftSg61UDQNfbOLGIYXyy+lGGgG+fLFzhTMVAx3fWFoRrXb29buzdlGM6FduW5b8xLOpoAItpqpBiT2ukMm9hzOCuG9BDOoZ/tMvHs/wLoiuyegv1je2PNagfqHUITTbNjZy9n+FpsP8ddfwYpeOmmn2/JYrm1rggmQi2WzZgJznIoWh0b+xV82YyVNEmdoO+4dQRzSjFZL4A3iEqh1+UXXhyX5Xom1ebOacfCu4i58gFe1FW5GEvtg/FgdypdA4BsRh9lsrMReJwbuAecuRHWNafVHYeN8ySA5LanwYcga7En8b1DZ+s6Iny0r02olNcYhObZD47rpqpRBeeZAhFpK8vPbCmYpiPyW73E5cUHfhcVaeDVIm3LiK9PK06/WuK4qMBeCl95b0lA6uwFhXCm2m49bOik8OKVUrWbUJrzwPXTsaTx8xwA7VKEdVTuxqVL/SQck9nvNGIFY94KE1ZS5s9LWBuMbjxJsvsNhHtehFl+bW/Ta/cpz7UrmxVyC5nDOk/iTSim1px0DtbxoWeb8J9cG16DF4OK58HYM4k4vJhQ01A7hYjk4hlNbGVEk6gibU6viQLQPjRyjUy0ulklksSqqVDgY5hjptNWDZ7AXmIcA1iRKaEb6RFuJaGySLOkyBOI4P6CRpaIbNsmPvgtsC3sGXYPN1wbXGOT5QHlx+YcC3y2TIl1uyE9r26St7b4Y51D7eD4EUgex8qN4+DDtqNA6vWOsRtSp9ipXz+BF2ZsmIwoFIEgmaGK74ugWzV4l3s0uuUdixSx1tFNU8Uxucdxx/xeaXn5FE02Vofy8LzULLR631kEp05+A0VEybZYY1YJ9rnYXeaIH5wWl5GW7KA+HyaIfkrna5p/n2QgfypqZXMlMWEJyUZclFCT3icIzSKIt2PzamLNSVpOp5bN8B6+yQwOoLR7XOwRjscmHeLcADSiVqI0OTWiez2pghZclGuhn1T63aMZii3J7I6gGBqh5vDkp0z21ogmqiIniEPmEZdyKUsdMY/+Nz7qf5RlrEuGLc+JapuBHUD10pTqYtoBHb0MgW7kV2hQESqvl4/1xiu4UgA5jgsAAmaJ2AiRBkJYK9vKATE9sBRBxxXCM9KPvON/wrycMO/nsqE6u9Btn2OVi7Hzo2ACDPWqS1sAKbPOFBuc34hVfOBQBWbJgo51BTwF/uYmJBqiNwN9LHYrhvMYgZolAjKPFoeUsjcZ9CAlQ0o1PuMlzrOtbcSo8C2nnYVKKaoug19Kkr/kseOY6z3wfw6OkNoLqz4kT39Tkg1SseGgkelHVpbj5dNn+wlKMPwRC5Tf0aYQHE/nCDvo1FDIbJq4iBpACYT6IVrzuO2AEBrajOfSqCu6ZvPuN3aCYZugKD+UuRg37gfuEmTmNv6UqwTxqguxBA/5eJGRv4+zlo/ocvWafMD31dJepfl7eezokAER435rpsswlVtIXm8Z0rFzL1bmtX1QPGD+mPsjUbkjgCfbzBxhfaQJFgZzIGfu0Lu6woZo1ysuQ7Ay73smytniJ+gKX7N7wv95GrOrbApcFOtQeZ4bPyNYh9Aoj4MKIehddp4s9JFrBjyXpqbyrZLeB/RNC9tm7/2qmp7WW33V3xx6qTqcQapOX2HXvQtX/ckeezIk+6hNFwMvF+PbI4ggnl/GFQx3EQS693LjoLtpUd6ZpODHT3AP2EnUx1byxI3j8oxrpqZhkFpxFCsdK/NSQ+DHO2Cv4Ox/rKfpdcAti6r+0mtUJuMuDWS96RsZ/5Hu35cTmzBdFT3iCKlodbqxoTFMzcmxkWvRIhiHiJoYEPHf4n+C+vUAAof7LoTEhmBwvdypWD+zfQwlp7LnY94ber5Bvclk0nxIAlwoCd1bFQVUOMEwbXjXDiF9Ie8+7f7UGg1Imyf31to3N8Jk45ShdTqsaAd+55crOK61tbV6IPsX4iuKstzj6hdmtzMVgOCjN9lc8gOV8HTgh+Qf9Ed1BTmMHbXzRzvoBdgcCTkTKMiw2M3kL4jNz3TXSXLb/ZJ1OUmQMMojG4Qr6tare8QPABU//qKPnVy4EGi8v/+AMFf4ybNXGpy0jUQVxeH9KCPXLkvLJnlqmFDViLuMO7gBY4qXIrmeSu5/3Z2eUiJLlCTHeeNvBITQb0UPJHCujlP5k7Cg6k7rseL+zvItX/kwTghRy+6Er9cPnFxxRlqNcw2zc/oETN+dNpjMA/+bY7IgFN1udfg+3SG4pP4kUGlP+1+VE8p4atj1cDtjbvkGv8kI2y6yHrlBUsaZvWKjYIvzD5lwNzGewZVFUsnlKENZ0Xaom8qBT8n8cnZIy5XzkLZ/JELFwMK6LprJ2DuU67xvKJORrkUmkyZ8hG3mI9aTURlBR44vegq/HMTViV4CbN77Tn6fiqKf1gvNvffSqeIVS3uSLKF82uGfgulxhaRfTktVQzA7vjKWOdrGrBgJIfFxNbaNlea2US6c1NUaGnJQoP4QocAqOemFwH7N+l4qIeMZhaDmpdfIe2V9Myvhm/gwCe99o3gpqUsot3UVWqDlXoSbso9rBqw7q+TzQLpGozj6b/jbsm8l4nTV1HFMQqk3nEoRYUqp0EkG1MiuwcdJphgKLn+IRbaoWn0Ahk6vtnw95f73dO4G3IDkizCc5N/JC06MMvhOsWSR8NN/fqmc9DQvNDRbYoUKBjlEJ0nE81KTXl4tbvNpgbpv4c4P0JVomTl4vREQtLgoOV7HzIlNAZiRMQKsI03kVi4y+icKrfo01Pp/0e0uzxgo1l5JcqeFIac3w3xA9tUmHmOpnyIJNyTSG4WmUj2v7Eibr1YCCusm/iQvqqfrJeKr0/GnZzQeSs8wipqgutCcDAI/0z9EO5KviiFgSCcX+w9t2Nwq6hO+ojMWv3kPCz5Mk7DsEPJHgbU08n+OslQtlL85tBe4YiXTn5efyLpUTtIVRCSxOpRiImRncxW6Jm6QPUgQE,iv:JUz+fCkz1j+AjAqKR/9HJ7qPpMsIRDZxTtrS9XQu0YM=,tag:R4fcq059iv71EhX1Kt6NUg==,type:str]
sops:
age:
- recipient: age1nlta6ek2fsre42g38ytwg3fxtra4h444psd7g986md0gzmvv6d5qqlwwjy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPYVBYWEpycEJuQVJsbURT
eGRWOVVDWkloWmd6OEYxNWhUOEdWdGR0aEZJCkVGWEw3bFhkVkt3b3l2TWtNTzRh
dVFmZ0swU1hBRTdLQThEUmNZMjVSMHcKLS0tIFNja3dic3JEY1g2dk1nZkw3bDdu
cHN6Y3paV2JRcVQ3TElya1FYTkhRS3MKnoUf8RKqrkuPoeZQZDiBNa0pqVZsOMcI
9k81scGkhKOd3Cu0/NcEFhBFIoTlnC1nDwyLsqUDNXqkmMaS70uDTQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-19T15:17:37Z"
mac: ENC[AES256_GCM,data:lZrL3yIEUYdlkO+/XaJFmLOZq+4TRVCsunNpjfmDLqLeAnzhJU2YF3xKZQzTxOl/VHkHmL36GkIJ3umzuGR4Sc3IpbB6O3iqLeZFZUNRdwqLD4bDZHEadVlWzY26oUn4aqeBnVbjo1IoiuhQ2yTvodLEmi2TMIiEGN+mFTrzR4I=,iv:0OuQm/Q9i7kd7s7eZBx4ZAH0/GTN/kbQB81rzlpi0xQ=,tag:r/yOxisNKG1u6e8ZFOcB7Q==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0
secrets/ssh-private.yaml
+16
View File
@@ -0,0 +1,16 @@
ssh-private: ENC[AES256_GCM,data:9W1PuAvO0j9M8/VAKitMnw1OU0s5agfQYoupU4KQDlq95r1vfTKfy7sD2zMa01Pyym9FqfYJpqq2h2Mki6zdmN9/fqvhCc9cxG4gXLR50m/ny/ue2A6TqakTM+jlzP79tqwBGpxQOicI9PyK7GgX0ltbghk5Il3lC5VzlcwDd9koCEAaVapB8hbqTUOw0cjInqXIBV4QLNhLei2gSeT1R8LdxAhS6B0fsDc2+OvErYfKfdbXTurefX6/IJlhvGsanYo92wVoL+LouAQNBVmybQGq0PHNf9tETBw1TCt9LurtHQt5J+A5zuMJoRKNt+ExN/ABE1dMub4912JkR3UKe+HONp4v98wsPm7E4ai5dgD4zW4TGXPr826w6F8bxQ9H4/rv872cqdhvM4iBoX+KxJ43qXMHrGVmo6HCfwRf7SGNhppvlOl//fB/hrqGoY4enWATq/HaPvkeCTotJBJu+lqx7lhngpl4ale3QSvgeEAvSWMBfTfQUDSik9jkZ/wLRh8U8LrPnQ4nbve7wlhW,iv:tR8UGAEVNYBX3U6h4meWPvfqjggwsNdQuPBbI8WyQe4=,tag:atNiYWHtxnTUweM0RCWQgg==,type:str]
sops:
age:
- recipient: age1nlta6ek2fsre42g38ytwg3fxtra4h444psd7g986md0gzmvv6d5qqlwwjy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRjZTaFRhMSszN0tycDRT
OHhxa2ZmODFxRXZYRXd1eVVndnhhd0lhK2pnCi80RzlGUTZUdHp4TzVkaWRhNmMz
eXFGbW9hM3VYR0VlSEdFUWdBelJiK1kKLS0tIGpSb2RRZXZOV2tWVnpzNDA5WElE
cDVvOW9SWmFGRTdIK3NsUmJOaWplOTgK43U297tGKfh+FcJcJDbMyvyYd2HBU5ug
84lYRcTq3jbfJNStD4k3I5S+VLWQ8cqe4PCrr+gb4Omibs3xh5Zitg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-19T15:17:38Z"
mac: ENC[AES256_GCM,data:HEkeqnAslF0ojApjEk5Z8nGGHWbZmSRrvOv1N0ojjYUR+TfDSK/0Atx9rc4Klz7Xc3FAAeZzskYyU8VjQ3sfB7P6pe18Fg0m1+yGtEmPSiunaTm6Nh3LlUOvzHkGEdVpjANtTXmhUEbgvmY06JaAq1da6QvrelZFs2tKlC3hMR8=,iv:vVzvhPSkLCPeRP5j1RueFBQdKFweVJOpRxn0blAX4ZQ=,tag:NlYnLqpWXtRsPjWq6ud2xg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0