From 7291fa354a266d2c01ea769f9c5276e2d69797ba Mon Sep 17 00:00:00 2001
From: Joey Hafner
Date: Thu, 6 Feb 2025 13:39:42 -0800
Subject: [PATCH] Feature: Add sops-encrypted SMB credentials.
---
 dotfiles/systems/fighter/network-shares.nix | 8 +++++-
 dotfiles/systems/fighter/smb.secrets | 29 +++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 dotfiles/systems/fighter/smb.secrets
diff --git a/dotfiles/systems/fighter/network-shares.nix b/dotfiles/systems/fighter/network-shares.nix
index 9f200ea0..7af9d507 100644
--- a/dotfiles/systems/fighter/network-shares.nix
+++ b/dotfiles/systems/fighter/network-shares.nix
@@ -44,13 +44,19 @@ in {
 };
 };
+ sops.secrets."smb" = {
+ sopsFile = ./smb.secrets;
+ key = "";
+ mode = "0440";
+ owner = sys.username;
+ };
 environment.systemPackages = with pkgs; [ cifs-utils ];
 fileSystems = let
 fsType = "cifs";
 options = [
 "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"
- "credentials=/etc/nixos/smb-secrets,uid=1000,gid=1000"
+ "credentials=/run/secrets/smb,uid=1000,gid=1000"
 ];
 in {
 "${sys.dataDirs.library.av}" = {
diff --git a/dotfiles/systems/fighter/smb.secrets b/dotfiles/systems/fighter/smb.secrets
new file mode 100644
index 00000000..d6864d0a
--- /dev/null
+++ b/dotfiles/systems/fighter/smb.secrets
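Review bot: The `credentials=/run/secrets/smb` option is consumed by mount.cifs, which expects `username=…`/`password=…` lines, but smb.secrets is a structured sops document with separate `username` and `password` keys, and as I read sops-nix `key = "";` makes it write the whole decrypted document in the secret's `format` (not set here, so the default, yaml), so unless the plaintext already has that exact `key=value` layout the mount will fail with a credential-parse error at first access. A less fragile setup is either to encrypt a plain `username=…`/`password=…` file and declare it with `format = "binary";`, or to keep the two keys as separate secrets and render them into a credentials file with `sops.templates`, pointing `credentials=` at that template's `path`. In either case `"credentials=${config.sops.secrets.smb.path},uid=1000,gid=1000"` is preferable to the literal `/run/secrets/smb`, so the mount option cannot drift from the secret definition (assuming `config` is among the module arguments; the module header is outside the hunk). The enclosing attribute set also starts before the hunk.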
@@ -0,0 +1,29 @@ +{ + "username": "ENC[AES256_GCM,data:3+OdL7uFvA==,iv:BmsEVTZonXqel5trzcTNEW6TMmIS1fjDiAog2emUF2k=,tag:pbCJuCvxdGhSD92EaDsRsQ==,type:str]", + "password": "ENC[AES256_GCM,data:U9C7j1/9N+iHa+AwKRbT9di05aM=,iv:A0cZde3iGcrubNroGFec99CtioLd8qg8V1KYHATeiMc=,tag:oVV4uy59doNs6s2VUaT/JA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eEcxWEI5MUFvRGIwQVRW\nUDlGMEJyaFBnS3JQQ244YUt3Q2dqYW5UWVg4CjhnaWVPTkthUk5tVkUxNmxBZ2Fo\nTVVOa1BPaU1vSm91bWtUdUhIOXdXSHcKLS0tIEM4SG1FRjhPb1ZtU0RNdXY0QUJX\nR3dTSGpaQllITkh5ZTRJRlRyNkQzejQKHJWEYc00LNZf8a1ID+uyoeGSco5rG0eF\n0IxTGurLXtY0267RFWRxbS8vSj3/EhnCcpkV1dMyxlmSzJRNAsw54w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdThqUytHK1lWZWwyVzh4\nMUgxSTAvdW9YTEhZdmxVYXNicm95bWp1eWxzClBWT2w3OS81ZTlyN01STjg5d1di\nOG1sS2tZUzBsYVVxZjFrYlF6cmQrSGsKLS0tIGtpdlNvS0lsNnNnL3A4cEtaeHNM\nMGRTMnI4TW5IdVlFMHY2dmkrMG1kcEEKXF5KgYf9sKxq2BH5kmLaiwAoVaf+BIOq\nCfgOQK96yxiYZ3aAcQHZsEU+J5Tmor2cF8CDn7qIp2szDP3LNfoMkg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nq652a3y063dy5wllucf5ww29g7sx3lt8ehhspxk6u9d28t8ndgq9q0926", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweFM1WU9nL25Qa2xVNDlN\nUlozUnQyRHdkRGdocHRXV3MrSVNqWTVPd2lvCm1CcTNYVUlTcHY2ZFA1Y0pxVVVa\nd2xMYTdxUDhvVjFlcEdQdWR4TWNPQTQKLS0tIGxNclAvcEhzZ3lycEtuZThrMHlJ\nTDFJK0V4REJaN0pVQUlmT0tJYkJDUEEKXlpGjZgUdr8XXMq4GyxMyf0xqgQFPDJ9\n9YdnG92gnNDUKy4T75ElI6LchkfomLwt6USmvG4D0YORnsEXw2HReA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-06T21:39:18Z", + "mac": 
"ENC[AES256_GCM,data:3sQuKP6t5ara1yDt+lwro2JSZIsVKybVWJcW+NwEO8zT8mm3v1u3W8ZOYccdGPHimxe+sWShLoKBb/lnyX1AvKw8vNNqYJqUbjHYb4w/tAD9DRbAaPpAQ++90i74Pb2KEPYkJwCi/UFYdCkV3NbbjzfyFBJGWQp4WlWZFZhy3Hc=,iv:VU4YxiEwnydCj1C6axKn1TKy0rgmVNk6q8ZBo7b3Rd8=,tag:RWpLHKu8V6sywkRkrFUjAw==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file