Add sops-nix package and mount configuration

.sops.yaml

@@ -0,0 +1,9 @@
+keys:
+  - &yousiki_hakase_age age1v2f38zx3fyn789lemwf8jm2wcx2d7krjc82z74t2qwcrk6hsjsqs8xsjhh
+  - &server_hakase_age age13m8rakh7w2zkawjuqgd29sp7wtceqt4mkw38mcg9fsrurs5x2urq9dgqg0
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *yousiki_hakase_age
+      - *server_hakase_age

flake.nix

@@ -8,6 +8,7 @@
       nixpkgs.overlays = with inputs; [
         fenix.overlays.default
         nvfetcher.overlays.default
+        sops-nix.overlays.default
       ];
       nixpkgs.config = {
         allowUnfree = true;
@@ -105,8 +106,6 @@
     flake-utils.url = "github:numtide/flake-utils";
 
     systems.url = "github:nix-systems/default";
-    linux-systems.url = "github:nix-systems/default-linux";
-    darwin-systems.url = "github:nix-systems/default-darwin";
 
     flake-root.url = "github:srid/flake-root";
 
@@ -123,6 +122,9 @@
 
     nvfetcher.url = "github:berberman/nvfetcher";
     nvfetcher.inputs.nixpkgs.follows = "nixpkgs";
+
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   nixConfig = rec {

secrets/nas-credentials.env

@@ -0,0 +1,10 @@
+username=ENC[AES256_GCM,data:8gZalPCVDA==,iv:12Y10hEuzWenggQMEjbxa5YAAHJLsx+KYhRWPlkwt8E=,tag:oOHpcPB78Y21QAwyLLo70w==,type:str]
+password=ENC[AES256_GCM,data:eWGddyp059xaPA==,iv:cXbb7ZvrfFsWIc3RLHCP774fozxRGWvIPQhdexfX4I4=,tag:tHt16yDBddv3QSoKwDMwfA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTFlDRnBTS1h5VmxEY1Bv\nS2VvTm5BYW5Td2J4UDRaMERhV3NFZE9zLzBjCkZmd2g5SGdzTTZGRUN3L2FKZEl0\nWDRSV2ZBZ1RYWWNheFVsa2xBYTVxODAKLS0tIEJTbG8vWWM4dHNiZEg4YUp6SExV\nZW9abDFPUkxLTENLRFlPWlE3TlQvNEUKYQVTElCEA0AlidDs3bwy8RDPSn2qFaCa\nRRV0ARons6Va1aR23SVkguRHT3N8bhOgc8o6qxxQUzwyifJzhSqyAg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1v2f38zx3fyn789lemwf8jm2wcx2d7krjc82z74t2qwcrk6hsjsqs8xsjhh
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHK092M0lWZ0trdDVMU0VZ\nT2JxUUVqMnNzY1dXVEdjaW13UFArbVVvTURZCjhKbGMrenZBTGIycFc4Wjc1T1Jx\neDdBVk54bzI2cncyMlhHZ1ErcTZsQkEKLS0tIFJXMzVXSXZadU1HUTEwWGVwRHVh\nODVuOUNHWUo1SU1Rd3dsdnZFSFhneUEK8McuE1NILDGA/HZmBWPGfomCLyNcPt/w\n09+6THvxfcZVxVNnWRv8FOGG4U8BH5ueAa6Qh+Jz/vW0zrn2c8UuEQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age13m8rakh7w2zkawjuqgd29sp7wtceqt4mkw38mcg9fsrurs5x2urq9dgqg0
+sops_lastmodified=2024-03-16T10:33:14Z
+sops_mac=ENC[AES256_GCM,data:nxL6UhKRjx5fBFuSlToBRTtgO9eybjn30X5NzW0uuGnTp/OPeZuA4tQLOU+qut0sktrRLwNRjyQ+kKj5ifhbSuKi4dWgBjbk63784zzzCHuCDLGG5KiGPkV7kfxQfiDyXV0MQrPxWNB4Pe48AKVz4ptP6NTxwhH0uiR8u3G/7Pg=,iv:1DVrKiZIScGBTcc4a3HtrI2zL/LS3j+tgor+7ULoS5M=,tag:TtoV0mW4uQg/U9KfNGZ7uQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1

secrets/secrets.yaml

@@ -0,0 +1,38 @@
+example_key: ENC[AES256_GCM,data:op+NuE1waSekImzi3g==,iv:DhqCLJ3dEJbRzufMgHjC12utCBabhE1lvLhxCEFI2z8=,tag:22RJ6u8jLuliqmNT4ppW4Q==,type:str]
+#ENC[AES256_GCM,data:LbZBkYs00jAYW+FoHjEZEA==,iv:CRCp0LEEP8j0jiXkm+NpwoDzb7PzIf9JmSJQMhLLP2E=,tag:ST1NEVuJFNUF4awXmDUP5w==,type:comment]
+example_array:
+  - ENC[AES256_GCM,data:vFl2UKgZOROuJ0yPAWQ=,iv:XJFZP4O4UUo8+lcYfmxvCtA9X3L7WaIz4xqBlFik8BM=,tag:5hzvNn4cX8vAjei1FmTGzg==,type:str]
+  - ENC[AES256_GCM,data:thB9jWGS2iQTDC2guTQ=,iv:KAVcsaPm+faRN/cl6Vbp+Yq59fTRFFmvMgBsaFQ8Op4=,tag:sVS/K0tuuD1v/YN+4RjEDA==,type:str]
+example_number: ENC[AES256_GCM,data:bjvadVuwl4NAOg==,iv:o79c/e400WG45fklNeVfcn/LESEkBbDypNwjMFdZqoc=,tag:RH0ssUkIxcQpcPSNxHWCMw==,type:float]
+example_booleans:
+  - ENC[AES256_GCM,data:weSoEA==,iv:hGj2amD97uI+UPwxYmbCNZI1PftEIvzPgHEheYbA2pQ=,tag:rLb4q8mRNWu6suMXLzKXBQ==,type:bool]
+  - ENC[AES256_GCM,data:qToUhcw=,iv:hefuP+LFwr+9tyJb5a432PyFRjAubbyQDURYAKXJcLg=,tag:UrE5xFYFyuZV5PL4FoOGpA==,type:bool]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1v2f38zx3fyn789lemwf8jm2wcx2d7krjc82z74t2qwcrk6hsjsqs8xsjhh
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZndlVVpPbGZuOVg4eVNJ
+        bmprM2MzdHlweThDdXF0dHdVbVlwNkRxald3CnJORmFKR3luL1Y0TFFuVXhNb3Fu
+        ZTdPc0RvT3BRb082N3RjZXhqbzUrNkEKLS0tIFJhelU0K052MWVJME5jMmJNYTlZ
+        T0xpdENSMElPTnlTb245cDFtaUxobWMKv5LisVNkoMPK0P4qFeG/ITEP9YLBKGa7
+        6YO50HCzukgkxkvZDgJbLhTdndKa4B9Vys8VoJXMaq2WJBPNNX4JFw==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age13m8rakh7w2zkawjuqgd29sp7wtceqt4mkw38mcg9fsrurs5x2urq9dgqg0
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVWY1MmhYWFkvOC9XRU5t
+        bVRvOFY3dTZCWWd2WTkwNGc5MWNnTHRablQwCnpQaDNRamJKMVBnc1I0MERuUVpz
+        L0hGcUJEaiswWFFGMEl0ajRhejh2cVkKLS0tIFNBSS9Kc2wwd05BSlJQTEJ4K2U1
+        bkVwOVNnL01nYnpkVEhXNlY0RTFjTVUKb5vVnExaTegCJ+mRsn2t/39FB4LQHNv9
+        pA0CxLcluI/sFd/d6k7RmHcSmPecT4McQob45qHRuhruVTH8huQYZA==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-03-16T10:35:53Z"
+  mac: ENC[AES256_GCM,data:WFcUdSjJZ06DzcfTyGxloirOluugSAfFSwPyNbWVkFy8LHyHia1TIM7q/ZkhubhnDbowsujaIqt7jcE6RWGDwo1UoX0m4fM/gS/+8evIhlMwnjbKsVO0tksxgQvSzd00nCSlXidyAyBCWHfR/PPxU1ftKR8C/ZPTZ4BGddAFDxs=,iv:MzbswI3RZlE+LSTwDU05jryerviFdtNjr/vx5ta6N9E=,tag:AAkdjhQs0N6l0OUZZTDwjg==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.8.1

src/configurations/nixos/hakase/_hardware-configuration.nix

@@ -35,25 +35,64 @@
   ];
 
   # Mount multiple-device bcachefs.
-  systemd.services.mount-data-volume = {
+  systemd.services.mount-data-volume = let
+    target = "/mnt/data";
+  in {
     description = "mount data volume";
     bindsTo = ["dev-nvme0n1p3.device" "dev-sda1.device" "dev-sdb1.device"];
     after = ["dev-nvme0n1p3.device" "dev-sda1.device" "dev-sdb1.device" "local-fs-pre.target"];
     before = ["umount.target" "local-fs.target"];
     conflicts = ["umount.target"];
     wantedBy = ["local-fs.target"];
     unitConfig = {
-      RequiresMountsFor = "/data";
+      RequiresMountsFor = target;
       DefaultDependencies = false;
     };
     serviceConfig = {
       Type = "oneshot";
       RemainAfterExit = true;
-      ExecStart = "${pkgs.util-linux}/bin/mount -t bcachefs -o noatime /dev/nvme0n1p3:/dev/sda1:/dev/sdb1 /data";
-      ExecStop = "${pkgs.util-linux}/umount /data";
+      ExecStart = "${pkgs.util-linux}/bin/mount -t bcachefs -o noatime /dev/nvme0n1p3:/dev/sda1:/dev/sdb1 ${target}";
+      ExecStop = "${pkgs.util-linux}/umount ${target}";
     };
   };
 
+  # Mount NAS satoshi.
+  fileSystems."/mnt/nas-mck-home" = {
+    device = "//nas-changping.ybh1998.space/home";
+    fsType = "cifs";
+    options = let
+      # this line prevents hanging on network split
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+    in ["${automount_opts},noperm,credentials=${config.sops.secrets.nas-credentials.path}"];
+  };
+
+  fileSystems."/mnt/nas-mck-share" = {
+    device = "//nas-changping.ybh1998.space/share";
+    fsType = "cifs";
+    options = let
+      # this line prevents hanging on network split
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+    in ["${automount_opts},noperm,credentials=${config.sops.secrets.nas-credentials.path}"];
+  };
+
+  fileSystems."/mnt/nas-yyp-home" = {
+    device = "//nas.ybh1998.space/home";
+    fsType = "cifs";
+    options = let
+      # this line prevents hanging on network split
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+    in ["${automount_opts},noperm,credentials=${config.sops.secrets.nas-credentials.path}"];
+  };
+
+  fileSystems."/mnt/nas-yyp-share" = {
+    device = "//nas.ybh1998.space/share";
+    fsType = "cifs";
+    options = let
+      # this line prevents hanging on network split
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+    in ["${automount_opts},noperm,credentials=${config.sops.secrets.nas-credentials.path}"];
+  };
+
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction

src/configurations/nixos/hakase/default.nix

@@ -10,6 +10,7 @@
     commonProfiles.packages
     nixosProfiles.desktop
     nixosProfiles.nvidia-gpu
+    nixosProfiles.sops
     nixosProfiles.vscode-server
 
     # Home-manager module

src/profiles/nixos/sops.nix

@@ -0,0 +1,35 @@
+# Configure sops-nix for NixOS.
+{globals, ...}: {
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    globals.inputs.sops-nix.nixosModules.sops
+  ];
+
+  environment.systemPackages = with pkgs; [
+    age
+    gnupg
+    sops
+    ssh-to-age
+    ssh-to-pgp
+  ];
+
+  # This will add secrets.yml to the nix store
+  # You can avoid this by adding a string to the full path instead, i.e.
+  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+  # sops.defaultSopsFile = globals.root + /secrets/secrets.yaml;
+  # This will automatically import SSH keys as age keys
+  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+  # This is using an age key that is expected to already be in the filesystem
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  # This will generate a new key if the key specified above does not exist
+  sops.age.generateKey = true;
+  # This is the actual specification of the secrets.
+  sops.secrets.nas-credentials = {
+    sopsFile = globals.root + /secrets/nas-credentials.env;
+    format = "dotenv";
+  };
+}