author | Tim Keller <tjk@tjkeller.xyz> | 2025-07-18 14:47:10 -0500 |
---|---|---|
committer | Tim Keller <tjk@tjkeller.xyz> | 2025-07-18 14:47:10 -0500 |
commit | 19ecf4423b5e7ba8f4d22a776315bf65a23ce8df (patch) | |
tree | d18ed5985d4e0f40d2666a3996f7d8781b304fd3 | |
parent | 842e31b4acbb591dc413f30fce139f1e51a26d3e (diff) | |
cleanup secrets
-rw-r--r-- | modules/root/normaluser.nix | 14 | ||||
-rw-r--r-- | modules/root/secrets.nix | 12 | ||||
-rw-r--r-- | modules/root/wifi.nix | 5 |
3 files changed, 17 insertions, 14 deletions
diff --git a/modules/root/normaluser.nix b/modules/root/normaluser.nix
index ec266c4..50e9236 100644
--- a/modules/root/normaluser.nix
+++ b/modules/root/normaluser.nix
@@ -4,13 +4,20 @@
   };
   config = {
-    users.users.root = lib.mkIf config.users.setPassword.enable {
-      hashedPasswordFile = config.sops.secrets.hashed-root-password.path;
+    # Load hashed root password secret
+    sops.secrets.hashed-root-password = lib.mkIf config.users.setPassword.enable {
+      sopsFile = ./resources/secrets/hashed-root-password.yaml;
+      neededForUsers = true;
     };
+
+    # Set hashed password file if the setPassword option is enabled
+    users.users.root.hashedPasswordFile = lib.mkIf config.users.setPassword.enable config.sops.secrets.hashed-root-password.path;
+
+    # Setup normal user
     users.users.${userDetails.username} = {
+      home = userDetails.home;
       description = userDetails.fullname;
       isNormalUser = true;
-      hashedPasswordFile = lib.mkIf config.users.setPassword.enable config.sops.secrets.hashed-root-password.path;
       extraGroups = [
         "i2c"
         "libvirtd"
@@ -18,6 +25,7 @@
         "video"
         "wheel"
       ];
+      hashedPasswordFile = lib.mkIf config.users.setPassword.enable config.sops.secrets.hashed-root-password.path;
     };
   };
 }
diff --git a/modules/root/secrets.nix b/modules/root/secrets.nix
index 38346b2..416bcde 100644
--- a/modules/root/secrets.nix
+++ b/modules/root/secrets.nix
@@ -1,18 +1,8 @@
-{ lib, pkgs, inputs, config, userDetails, ... }: {
+{ inputs, config, userDetails, ... }: {
   imports = [ inputs.sops-nix.nixosModules.sops ];
   sops = {
     defaultSopsFormat = "yaml";
     age.sshKeyPaths = [ "${userDetails.home}/.ssh/id_ed25519" "/root/.ssh/id_ed25519" ];
-
-    secrets = {
-      wpa_supplicant-conf = lib.mkIf config.wifi.enable {
-        sopsFile = ./resources/secrets/wpa_supplicant-conf.yaml;
-      };
-      hashed-root-password = lib.mkIf config.users.setPassword.enable {
-        sopsFile = ./resources/secrets/hashed-root-password.yaml;
-        neededForUsers = true;
-      };
-    };
   };
 }
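Review bot: The normal user's `hashedPasswordFile` (re-added in the second hunk of normaluser.nix) points at the same `hashed-root-password` secret as root, so both accounts end up with one shared password hash, yet the secret's name and the new comment `# Set hashed password file if the setPassword option is enabled` only speak of root. A comment on that moved line, such as `# Intentionally reuses the root hash: root and the normal user share one password`, would stop the next reader from treating it as a copy-paste slip, and would make any later decision to split the two secrets a deliberate one. The `lib.mkIf config.users.setPassword.enable` guard is now written out three times in this module; a `let setPassword = config.users.setPassword.enable; in` above the config set would name the condition once. The module's argument list and its options block are outside the hunk, so whether `lib` is already bound there is not visible here.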
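Review bot: `config` survives on the new header line `{ inputs, config, userDetails, ... }: {` of secrets.nix, but nothing left in the file reads it — the only remaining lookups are `inputs.sops-nix.nixosModules.sops` and `userDetails.home` — so it can be dropped along with `lib` and `pkgs`: `{ inputs, userDetails, ... }: {`. The hunk spans the whole file, so this is not masked by code outside the view. Separately, `age.sshKeyPaths` (unchanged here) lists the normal user's `id_ed25519` as a decryption key, which means that user's private key can decrypt every secret this module set declares, including the root password hash that normaluser.nix now loads; if that is intended, a one-line comment on that list saying so would document the trust boundary for future readers.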
diff --git a/modules/root/wifi.nix b/modules/root/wifi.nix
index 96fe5c8..9dbf233 100644
--- a/modules/root/wifi.nix
+++ b/modules/root/wifi.nix
@@ -10,6 +10,11 @@
     allowAuxiliaryImperativeNetworks = true; # Networks defined in aux imperitive networks (/etc/wpa_supplicant.conf)
   };
+  # Load wpa_supplicant.conf secret config
+  sops.secrets.wpa_supplicant-conf = {
+    sopsFile = ./resources/secrets/wpa_supplicant-conf.yaml;
+  };
+
   # Link /etc/wpa_supplicant.conf -> secret config
   environment.etc."wpa_supplicant.conf" = {
     source = config.sops.secrets.wpa_supplicant-conf.path;
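Review bot: The new `sops.secrets.wpa_supplicant-conf = { ... }` block has lost the `lib.mkIf config.wifi.enable` guard that the removed definition in secrets.nix carried, so unless the enclosing config set of wifi.nix is itself gated on `config.wifi.enable` (the set starts before line 10, outside this hunk), every host that imports this module will now try to decrypt `wpa_supplicant-conf.yaml` at activation, including hosts with no Wi-Fi and possibly no matching age key. If the block is not already gated, restoring the guard is a one-line change: `sops.secrets.wpa_supplicant-conf = lib.mkIf config.wifi.enable {`, assuming `lib` is among this module's arguments. Either way, a comment on the `# Load wpa_supplicant.conf secret config` line stating where the `wifi.enable` gating lives would make the dependency explicit.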