From ea49a3f258cf684832bbf56460b0081d91d868ba Mon Sep 17 00:00:00 2001
From: oqyude
Date: Fri, 10 Oct 2025 00:12:13 +0300
Subject: [PATCH] 123

---
 .sops.yaml | 4 ++--
 nixosModules/users.nix | 47 ++++++++++++++++--------------------------
 secrets/age.yaml | 16 --------------
 secrets/default.yaml | 18 +++++++++-------
 4 files changed, 30 insertions(+), 55 deletions(-)
 delete mode 100644 secrets/age.yaml

diff --git a/.sops.yaml b/.sops.yaml
index c65bddb..633ec5a 100755
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,7 @@
 keys:
- - &oqyude age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
+ - &default age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
 creation_rules:
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
- - *oqyude
\ No newline at end of file
+ - *default
\ No newline at end of file
diff --git a/nixosModules/users.nix b/nixosModules/users.nix
index 865838a..b32b8b2 100755
--- a/nixosModules/users.nix
+++ b/nixosModules/users.nix
@@ -12,7 +12,8 @@
 name = "${xlib.device.username}";
 isNormalUser = true;
 description = "Jor Oqyude";
- initialPassword = "1234";
+ # initialPassword = "1234";
+ hashedPasswordFile = config.sops.secrets.hashed_password.path; # hashed_password
 homeMode = "700";
 home = "/home/${config.users.users.main.name}";
 extraGroups = [
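Review bot: The replaced line survives as `# initialPassword = "1234";` and the new line ends in a trailing `# hashed_password` comment that only repeats the attribute name; both are noise in the user definition, and a commented-out plaintext password is the kind of line that gets re-enabled later. Delete the commented-out line (git history keeps it) and the trailing comment, leaving `hashedPasswordFile = config.sops.secrets.hashed_password.path;`. The secret this points at is declared in the second hunk of this file, which has a separate issue noted there. The enclosing user attribute set starts before the hunk and continues after it.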
@@ -37,45 +38,33 @@ age = { sshKeyPaths = [ "/etc/ssh/id_ed25519" - "${config.users.users.main.home}/.ssh/id_ed25519" ]; # keyFile = "/var/lib/sops-nix/key.txt"; - generateKey = true; + # generateKey = true; }; - defaultSopsFile = ../secrets/default.yaml; # наш зашифрованный файл - # Указываем секрет SSH-ключа: + defaultSopsFile = ../secrets/default.yaml; secrets = { - age_key = { + hashed_password = { + key = "hashed_password"; format = "yaml"; - sopsFile = ../secrets/age.yaml; - key = "age_key"; - + }; + age_key_private = { + format = "yaml"; + key = "age_key_private"; path = "${config.users.users.main.home}/.config/sops/age/keys.txt"; - owner = config.users.users.main.name; # владелец – наш пользователь - group = config.users.users.main.group; # группа пользователя + owner = config.users.users.main.name; + group = config.users.users.main.group; mode = "0600"; }; - age_key_root = { + ssh_key_private = { format = "yaml"; - sopsFile = ../secrets/age.yaml; - key = "age_key"; - - path = "/var/lib/sops-nix/key.txt"; - owner = "root"; # владелец – наш пользователь - group = "root"; # группа пользователя - mode = "0600"; - }; - ssh_key = { - # формат секрета (YAML по умолчанию) - format = "yaml"; - sopsFile = ../secrets/default.yaml; - # (имя ключа в YAML: "ssh_key", т.е. ключ из файла выше) - key = "ssh_key"; + # sopsFile = ../secrets/default.yaml; + key = "ssh_key_private"; path = "${config.users.users.main.home}/.ssh/id_ed25519"; - owner = config.users.users.main.name; # владелец – наш пользователь - group = config.users.users.main.group; # группа пользователя - mode = "0600"; # права 600 + owner = config.users.users.main.name; + group = config.users.users.main.group; + mode = "0600"; }; }; }; diff --git a/secrets/age.yaml b/secrets/age.yaml deleted file mode 100644 index 64e64fe..0000000 --- a/secrets/age.yaml +++ /dev/null 
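Review bot: The new `hashed_password` secret is consumed by `hashedPasswordFile` in the first hunk but is declared without `neededForUsers = true`; sops-nix decrypts ordinary secrets in a later activation step than the one that creates users, so at user-creation time the referenced file is likely absent and the account may be created without a usable password. Declare it as `hashed_password = { key = "hashed_password"; format = "yaml"; neededForUsers = true; };` and keep the owner and mode at their root-only defaults as the hunk already does, since non-root owners are presumably not available at that early stage. The commented-out `# generateKey = true;` and `# sopsFile = ../secrets/default.yaml;` lines add nothing, the latter because `defaultSopsFile` already names that file; drop them. The enclosing `sops` attribute set starts before the hunk.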
@@ -1,16 +0,0 @@
-age_key: ENC[AES256_GCM,data:zkeyDB6KWGatWCly5s6z17KtCN/w0h8zVnqUkz3JlXpwvDrOmD5acIX9qqTTkum/tt2EU8Aof0e2WWTvpS9q2ZTkkAQLgyJdr8Y=,iv:bitawysyfoODALSaxDPCGVdh3QhaAScArSNWp3KcSUg=,tag:ehLgaw7pglCfQ8cBAANtyA==,type:str]
-sops:
- age:
- - recipient: age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeDlqOGZtMVk5dmlRZ1Zl
- L1A0NStjcUIwdi9SNHp6bVpCVWZ4T2lkUGdnCmdiS3J4WWRBVmhwQTAyYk41NXRX
- U3IzOElUUG9xNmVEYUtWY3k3ejA2MGcKLS0tIHdreWRVYlI5YUE5a1FmQXB0VTVI
- S2F2K1RZc1dLdGpxemNNbWpZc3B1aTAKZiyQrcZzzvBvupy1viYVhsWHP7KOs1+k
- KYC/XDNU5unaYY5XVcm5UY7YBBkqPR4wtzL7HJX5pJ/Wv3y/RmM8Jw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-09T13:06:43Z"
- mac: ENC[AES256_GCM,data:IoFqi6IpkJ1F1IjQoUH1vVChIfmflW8RMdXGstAvghaHr3/WyuzEj8oxKjCgf9rNeEVIJDEO98tPIZxBED7ke7l7AEG/NuoIZH86v5KCht0BSQArfCmI4BRYttvtp3plnZIUX+FcctUTPd3RqJ9japAFm8VJnGXD7eN+ib31Ma4=,iv:0bMATVRXSHVmyGR0MYstdZ1bkSIil/e18XL7Kj4xfJA=,tag:XqMzY/wdxAyzorjedgdaVw==,type:str]
- unencrypted_suffix: _unencrypted
- version: 3.11.0
diff --git a/secrets/default.yaml b/secrets/default.yaml
index 89db7f9..e0389d0 100644
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@@ -1,16 +1,18 @@
-ssh_key: ENC[AES256_GCM,data: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,iv:fawmM6PQHsjG0M4odbxmHCtg2Qn1V2LL0osI7FqxN7M=,tag:NM58To7p0sFgkwRtrKstcA==,type:str]
+ssh_key_private: ENC[AES256_GCM,data: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,iv:irfuVOG/3kJto9Bfo9kfWuAiMnSDv2lEIgHgS74sNPI=,tag:WMz84t/fUyUokm5WYoNAOQ==,type:str]
+age_key_private: ENC[AES256_GCM,data:x0B/ch6jnR91pUoh+l299zkLkon8EVdpv43Y9ZaO5UGtoHZTz4WNv+bFlx8JeKpIi225yafviEwDkjXSNVSOyEiKX96AMdITWEQ=,iv:/IPQF64nEXsR6WAFnKRVn9xNLJxnPFkl4zy3Y1SAbow=,tag:OOR+kdQcRIelf2u+MHRT+g==,type:str]
+hashed_password: ENC[AES256_GCM,data:4XLEKKrBy6J+WVcOOgQLrxyPgkNuqd2QBpE2IZUSe9rxNL8E+hA39EDXzlR/p08VX83Y8SsCc9AP4Lc+E4461fCt7G5JDDVBdqWhWDhRxdiUfQMcjRbj5WoNBCuB85VixwIYNgR2drGvKA==,iv:BbSSWimBybfwc9ICXuQwPn6SENAqbwvW1zfFtcG/RJ8=,tag:bC2xPTVX/rYzAhRuoiKwbA==,type:str]
 sops:
 age:
 - recipient: age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTk4xRjJ2UlgwWVFEb3Vq
- QU92UTdhSHM4bzJRUCtnc3JMdCtHNGlLdDFzCnlSYXkvV1dRaVNtaDFOdzJuUEpB
- VjZRdU9jUURoWXltaWF4aTRQRFliTDQKLS0tIGFrNDJMV3ZGNmlHdW53OENsSXd6
- eU9oaUJid0wzR011UlpmSE5PV2N4TWcKBLTGq3uKMEKqkiuuILRlAZELTVvUVcTm
- cIgBl8mDufx3f0YhOeq7FGOHiPA1cCfZ8JpQpayAEZDCm2regT2g4w==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZkU4c1hVTDJFbDkwQlFO
+ aXZqU1JGd2F1OTRESTB5SFhQZFRDc281ZFd3CmVCcVI0Q0hVOVlMYVpIbVEzc0F2
+ Z3FlSURDNzc4M2k1eTRtZnpaUHBHajQKLS0tIDkzMVVqTVFpU3VJcWlDS1BMdVQ1
+ bk9jY0J0dE9jd1gxRzhNUlNBaHc3QlkKFDdWVhqMUgRjndhph+UvkSPcvsP0Z92+
+ 5U9lYlHnWwTIUKnFM8pVxdrLDE7O8Q5qw/H33ECttyMD4NZIYjmmyA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-09T13:59:25Z"
- mac: ENC[AES256_GCM,data:gCiw2r3dmNcs+zI9i/frIxOy1SnCqu0wW0Apoi4dHgwM6WbatHJYHZVRkyKALSmKrJpO6eVryn0jD4qkyb7D7Frj/C/JHbuW7ngyUlTSQ8p70Fo+AU+EQUAMlzuHx7O8AWsIu/sOHJGHyZVWRCf8FJODwNNFruvu+e85/jsC41M=,iv:qT4S/eueHT8ZgJRATP1VdV/bI422eiOrl3VtlZ1Kweo=,tag:xhG6o7Tpm3GTE2ZUFKu6dQ==,type:str]
+ lastmodified: "2025-10-09T21:06:50Z"
+ mac: ENC[AES256_GCM,data:sRMK7HtFr2tPXZd47h1sKyK3fPaoFzmAhS80RwqHSEfu+gg1Su1fIda+5stG27+WqvKE0+IqBSCotiJ02WaxYbxaf4OpoMHar/+DEteugotSL/fMnsphZHYPil+Gj4f+iubc0ynsuRv8ej2Xw5pBmAV4V4OGxeOuoahyb7va8Vo=,iv:Trggj7IZEGMOHArlBk92cUO8t77OfRx9EUy0gne4LaI=,tag:LZt2SLYaNDYZog+8e2oWCQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0