diff --git a/.sops.yaml b/.sops.yaml
index 9373c3d..e8a8b4b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,2 +1,7 @@
 keys:
-  - &stefan_ellmauthaler 3B39 8B08 6C41 0264 A14F B353 B1E6 F030 30A4 AEAA
+  - &stefan_ellmauthaler 3B39 8B08 6C41 0264 A14F 3B53 B1E6 F030 30A4 AEAA
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+          - *stefan_ellmauthaler
diff --git a/flake.nix b/flake.nix
index 7ac0493..be743b4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,7 +7,7 @@
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
     #nix = {
-    #  url = "github:NixOS/nix?ref=latest-release";
+    #  url = "github:NixOS/nix?ref=latest-release";
     #  url = "github:NixOS/nix";
     #  inputs.nixpkgs.follows = "nixpkgs";
     #};
@@ -97,9 +97,7 @@
           inputs.home-manager.nixosModules.home-manager
           inputs.sops-nix.nixosModules.sops
           inputs.dwarffs.nixosModules.dwarffs
-        ] ++ (map (name: ./modules + "/${name}") (moduleNames ./modules)) ++ [
-          ./secrets
-        ];
+        ] ++ (map (name: ./modules + "/${name}") (moduleNames ./modules));
         specialArgs = {
           nixos-hardware = inputs.nixos-hardware.nixosModules;
           inherit inputs;
diff --git a/secrets/default.nix b/modules/secrets.nix
similarity index 52%
rename from secrets/default.nix
rename to modules/secrets.nix
index 004da7b..c9bf130 100644
--- a/secrets/default.nix
+++ b/modules/secrets.nix
@@ -8,8 +8,10 @@ with lib; {
 in mkIf cfg.enable {
   sops = {
-    defaultSopsFile = ./secrets.yaml;
-
+    defaultSopsFile = ../secrets/secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    age.keyFile = "/var/lib/sops-nix/key.txt";
+    age.generateKey = true;
   };
 };
 }
diff --git a/modules/ssh.nix b/modules/ssh.nix
index 3fd9d84..85899ed 100644
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@@ -10,7 +10,7 @@ with lib; {
   services.openssh = {
     enable = true;
     passwordAuthentication = false;
-    permitRootLogin = false;
+    permitRootLogin = "no";
   };
 };
 }
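Review bot: The new creation_rules encrypts files under secrets/ to the PGP key only, yet modules/secrets.nix later in this commit tells sops-nix to decrypt on the host with an age identity that is not a recipient here, so activation cannot decrypt secrets.yaml until the host's age public key is added to this rule and the file is re-encrypted with `sops updatekeys`. Inside the same key group as the pgp entry (a second key_groups entry would mean Shamir split, not an alternative key), add `age:` followed by `- <HOST_AGE_PUBLIC_KEY>` (placeholder for the host's actual age recipient). The fingerprint also changes from B353 to 3B53 in the sixth group; this reads as a typo fix, but it is worth checking against the real key, since a fingerprint matching no key means sops cannot encrypt to it at all. The path_regex is unanchored on the left, so it also matches any nested `.../secrets/x.yaml`; `path_regex: ^secrets/[^/]+\.yaml$` pins it to the repository-root directory.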
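Review bot: The added age block configures two independent decryption identities at once: `age.sshKeyPaths` derives one from the host's ed25519 SSH key, while `age.keyFile` with `age.generateKey = true` creates a second, random one under /var/lib/sops-nix on first activation, and as far as I can tell sops-nix offers both at decryption time. Each public key that is meant to decrypt must be a recipient in .sops.yaml, and the generated one does not exist until after the first switch, so it cannot be a recipient when this commit is applied. Unless the extra key is wanted deliberately (e.g. hosts without a stable SSH host key), dropping `age.keyFile` and `age.generateKey` and deriving the recipient from the SSH host key with `ssh-to-age` leaves a single identity to manage and rotate. A one-line comment above the block naming which identity is the intended recipient would help the next reader. The module's `let ... in` and argument list start before this hunk.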
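Review bot: With `permitRootLogin = "no"` now the string the option expects, the remaining gap in this block is that only the password method is disabled; sshd's keyboard-interactive method, which goes through PAM and can still accept a password, stays at its default. Adding `kbdInteractiveAuthentication = false;` next to `passwordAuthentication = false;` closes that path. The exact option name depends on the nixpkgs revision pinned in flake.nix, which is not visible here: older releases call it `challengeResponseAuthentication`, and newer ones take the upstream names under `services.openssh.settings` instead of these top-level booleans.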