feat(homeModules): Add initial sops for home manager @ desktop

Joaqim · Nov 30, 2024 · 3c85add · 3c85add
1 parent d55e3ca
commit 3c85add
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 19 deletions.
diff --git a/flake.nix b/flake.nix
@@ -68,7 +68,9 @@
 
         # NixOS home configuration setup lives in
         # ./home-manager/modules` as individual `homeModules`
-        homeConfigurations = {};
+        homeConfigurations = {
+          imports = [inputs.sops-nix.homeManagerModules.sops];
+        };
 
         nixosConfigurations = {
           desktop = inputs.self.lib.mkLinuxSystem [

diff --git a/home-manager/default.nix b/home-manager/default.nix
@@ -45,6 +45,7 @@ let
   nushell = import ./modules/nushell.nix;
   playerctl = import ./modules/playerctl.nix;
   pulse = import ./modules/pulse.nix;
+  sops = import ./modules/sops.nix;
   starship = import ./modules/starship.nix;
   steam-shortcuts = import ./modules/games/steam-shortcuts.nix;
   syncthing = import ./modules/syncthing.nix;
@@ -106,6 +107,7 @@ in {
       nushell
       playerctl
       pulse
+      sops
       starship
       syncthing
       vscode

diff --git a/home-manager/modules/games/boilr-config.toml b/home-manager/modules/games/boilr-config.toml
@@ -2,14 +2,6 @@ debug = false
 config_version = 1
 blacklisted_games = []
 
-[steamgrid_db]
-enabled = true
-#auth_key="" # This value is will be written by steam-shortcuts.nix.
-prefer_animated = false
-banned_images = []
-only_download_boilr_images = false
-allow_nsfw = false
-
 [steam]
 create_collections = false
 optimize_for_big_picture = false
@@ -57,4 +49,12 @@ enabled = false
 
 [minigalaxy]
 enabled = true
-create_symlinks = false
+create_symlinks = false
+
+[steamgrid_db]
+enabled = true
+#auth_key="" # This value is will be appended at the bottom by steam-shortcuts.nix.
+prefer_animated = false
+banned_images = []
+only_download_boilr_images = false
+allow_nsfw = false
diff --git a/home-manager/modules/games/steam-shortcuts.nix b/home-manager/modules/games/steam-shortcuts.nix
@@ -1,11 +1,11 @@
 {
   pkgs,
   lib,
+  config,
   flake,
   ...
 }: let
   inherit (flake.inputs.json2steamshortcut.packages.${pkgs.system}) json2steamshortcut;
-  toTOML = name: data: (pkgs.formats.toml {}).generate name data;
   # Declare our shortcuts natively in our nix configuration
   json = builtins.toJSON [
     {
@@ -30,12 +30,21 @@
     nativeBuildInputs = [json2steamshortcut];
   } "echo '${json}' | json2steamshortcut > $out";
 in {
-  # use home-manager to place our shortcuts.vdf at the correct location (this is user and steam account specific)
-  home.file.".local/share/Steam/userdata/44453327/config/shortcuts.vdf".source = vdf;
-
-  # Boilr Configuration
-  home.file.".config/boilr/config.toml".source = toTOML "boilr-config.toml" (lib.mergeAttrs (builtins.fromTOML (builtins.readFile ./boilr-config.toml)) {steamgrid_db.auth_key = "secret";});
-
+  home.file = {
+    # use home-manager to place our shortcuts.vdf at the correct location (this is user and steam account specific)
+    ".local/share/Steam/userdata/44453327/config/shortcuts.vdf".source = vdf;
+    # use home-manager to place our boilr config at the correct location
+    #".config/boilr/config.toml".source = config.sops.templates."boilr-config".path;
+  };
+  sops.templates."boilr-config" = {
+    content = ''
+      ${builtins.readFile ./boilr-config.toml}
+      auth_key = "${config.sops.placeholder."steamgrid_db_auth_key"}"
+    '';
+    # See: https://github.com/Mic92/sops-nix/issues/681
+    path = "${config.xdg.configHome}/sops-nix/secrets/rendered/boilr-config.toml";
+    mode = "600";
+  };
   # Run Boilr on startup to create Icons and Banners in Steam
   systemd.user.services.boilr = {
     Unit = {

diff --git a/home-manager/modules/sops.nix b/home-manager/modules/sops.nix
@@ -0,0 +1,24 @@
+{lib, ...}: {
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    validateSopsFiles = false;
+    defaultSymlinkPath = "/run/user/1000/secrets";
+    defaultSecretsMountPoint = "/run/user/1000/secrets.d";
+    gnupg = {
+      # Configured with root gnugpg dir, see: https://github.com/Mic92/sops-nix#use-with-gpg-instead-of-ssh-keys
+
+      # Sops needs access to the keys before the persist dirs are even mounted; so
+      # just persisting the keys won't work, we must point at /persist
+      home = lib.mkDefault "/persist/var/lib/sops";
+
+      # disable importing host ssh keys
+      sshKeyPaths = [];
+    };
+    age.generateKey = false;
+    secrets = {
+      "steamgrid_db_auth_key" = {
+        mode = "400";
+      };
+    };
+  };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
@@ -27,6 +27,7 @@ tailscale_auth_keys:
     client_secret: ENC[AES256_GCM,data:3Paz1uJbaQ/eMdJg2VG22dDhEc4msT1XyPW7wjj8Z3nNlCQcuaPhSg1BLsCTRVlXeXXCX87qpodY42dgrETU,iv:0MEf6sx0pQRYhTBKMLTMEQoHMk2PMz3zb1MJjCKKjac=,tag:uagfjHFmYi00ExxWr8pksA==,type:str]
 rcon_web_admin_env: ENC[AES256_GCM,data:KmZ86XkabHECWNMQTDgkTYNgrSLRorEnrcA6gA1ufvDKFHQ57BrEzPwwAfWRwc+LO6RT3NHMWL/wyY5Dqrx8Y2riVHAv23TizNzVDw==,iv:1nS61wPLPDbM83bta7uDkIdDpQE2s66s2UhJ9DwEEGE=,tag:fTvAkXHB5fMEJWU2ru9N6w==,type:str]
 minecraft_server_whitelist: ENC[AES256_GCM,data:SB7Oe7LSsE8Cu0KgkxHpPylQa43vDRtkLIsrmDip/kp0g6OLUGTBkZ3xjIdmoopxey12KFU62sVN/AuO0H6EFuUYEe+WCAbJNBW3Is6G8utjBxhh2fINxf30Bb64NP2E6D/EQ+VScd67jGEqR7WrFQWyXV/RRglOIGlkIxUBnTi8V/1qoAsvq903IVcV/F+QzM97J//hE8ElV8v1piSoW2ZambYpCaGx7jNuHMUBuCtrxxcg/HBTUVV0uiT4XVj+ZL48n02+nv6NiwhMaQ9mqw4KR9tKNOpvcfMZubR3VTcWdNO2FCRqr8FcAI1v3iWb3GpOnUSJPZliyIKzdOGoliKBBkTBslEjdRTdvkNYPfd4ryyPgTZGPxXxNGs1VV5dS3NI0Z12H5UbmLT9e5VLAwQgWuepPNwWCFr1xJ2Zn5fCNtU7iSufraI5oNGMFP1zH3a2DT1huNIw6sHhRV4mQ7wFeDRbHLz2QfYkMVQwEb5xC0jNAq9DDUSqWWVMHq3IbgGBUNPOTeiHu746kKo9X3FQwd7JWHJRtFfbKRwt1b5APYCdiHdSbogss+dH3gtRMxJ0y7hq6DF7vBpxR19bFm0/oKOrqA8jtOgGVOdJJEq7oru5PDR5tPpXPibqYi2SFL5P9pRWvCTDYfGhw3YQwB/kRixmD2z2hgmA1yTQXNSskrx+83ZBk7xUeBM=,iv:H2ZY1FczEHlStTPaR2LaqZgUwHD+3Sn6LJnEyQ5WuEg=,tag:TYFXk7Kw85IKtGtY83CxZA==,type:str]
+steamgrid_db_auth_key: ENC[AES256_GCM,data:fq7F+EBokVVtsVYTrprGcXLDXxNKxWG0LDBEw9Occ3E=,iv:UNC6Itdt5XTxnanLh++K2IQBSm581McN/1fG8btxXXw=,tag:OK1U2ajeOJS8N9PcuV/SHg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -51,8 +52,8 @@ sops:
             MXMrNGs2UFI3MlRCUDdXaHY0VUNDT28KA1CNxnLmdH/Ul0pYloBKs+Zt4vJB62fO
             2ZCn53R5qgy1/F+6kbZDHFRdJ08+5puyGb40ozdeiLzwJZS9IjsIOg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-28T08:13:11Z"
-    mac: ENC[AES256_GCM,data:tQuHiz/+GJNSqcXaBfZe3vXzulP5wmMxwQPyhmEC/UkExva5v1pOgxCuU5aTLS5zAcFRIodWCxiGzSQNVXEfnYuzRvduuZ3Uq7JxP5tAc+8aN2rw00A/Ov9zWqYRaW14n+jhIyuWjOaUk4lkV1bA1H2gyZQRrDI9++C3nIRQDWI=,iv:bfHkRA9cePzocTzhVDi84Ha2wjPYfF7JOkEbIQw3xsg=,tag:fyc9bviKqzcXM3rALbL/Xw==,type:str]
+    lastmodified: "2024-11-30T12:06:50Z"
+    mac: ENC[AES256_GCM,data:i6X76NkG1mTnlQpdO1Mj/lcsCi3gzKEqRfLD9ifvHYKZ8vWoFGPVA+uxOSgPMTOQz+swAhEsirZylzgQx5BoAWEbgypQu5ncrE15UXFpGv+3EBqV4WQqaxtV7SEqXMWMebVYsiT9bB3rYn123Apfk72+tgQ1dLkqI9bKUBI8ToU=,iv:r8FuC8gLwKfLiKLSo0sX40mESbbcLCkgow0AEruVyE4=,tag:ZAs8Nq/ur9U4vWAoxRVRyw==,type:str]
     pgp:
         - created_at: "2024-11-26T14:04:15Z"
           enc: |-

diff --git a/users/profiles/user0/configs/desktop.nix b/users/profiles/user0/configs/desktop.nix
@@ -2,6 +2,7 @@
   inherit (flake) self;
 in {
   imports = [
+    self.inputs.sops-nix.homeManagerModules.sops
     self.homeModules.calibre
     self.homeModules.commandLine
     self.homeModules.desktopGames
@@ -16,6 +17,7 @@ in {
     self.homeModules.productionCode
     self.homeModules.productionVideo
     self.homeModules.productionWriting
+    self.homeModules.sops
     self.homeModules.syncthing
     self.homeModules.themes
   ];