added README

2025-12-24 16:47:32 -06:00
parent be4b66fdd2
commit 3135e1cec4
3 changed files with 70 additions and 15 deletions
@@ -0,0 +1,52 @@
+# HakaseOS
+HakaseOS is an opinionated NixOS configuration heavily inspired by OmarchyOS.
+
+## How to Use SOPS
+SOPS is an important aspect of this operating system. Learning to use it is important for security and modularity. It is impertinent that you do not lose the `private key`, as it is irrecoverable.
+
+To get started, follow the instructions below.
+1. Create a folder.
+```sh
+mkdir -p ~/.config/sops/age
+```
+2. Generate a private key using `age`
+```sh
+nix-shell -p age --run "age-keygen -o ~/.config/sops/age/keys.txt"
+```
+**OR**
+Use `ssh-to-age` to convert `id_ed22519` to `age`.
+```sh
+nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
+```
+There are other ways of generating a private key. Refer to [sops-nix](https://github.com/Mic92/sops-nix).
+3. Get a **public key**.
+```sh
+nix-shell -p age --run "age-keygen -y ~/.config/sops/age/keys.txt"
+```
+4. On the same directory as `flake.nix`, create `.sops.yaml` and paste the following below.
+```yaml
+# This example uses YAML anchors which allows reuse of multiple keys 
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml
+# for a more complex example.
+keys:
+  - &admin_alice 2504791468b153b8a3963cc97ba53d1919c5dfd4
+  - &admin_bob age12zlz6lvcdk6eqaewfylg35w0syh58sm7gh53q5vvn7hd7c6nngyseftjxl
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *admin_alice
+      age:
+      - *admin_bob
+
+```
+Replace as according to your needs.
+5. Create a sops `.yaml` file.
+```sh
+nix-shell -p sops --run "sops secrets/example.yaml"
+```
+NOTE: If you add a new host to your `.sops.yaml`, you will need to update the keys for all secrets.
+```sh
+nix-shell -p sops --run "sops updatekeys secrets/example.yaml"
+```
@@ -1,25 +1,26 @@
-hello: ENC[AES256_GCM,data:38nel/vZi9SaRxw98yPKhq7NEs+jtII7ZS5cX9i1h5Iw73S+oUDnXYw7v9aa8Q==,iv:vLTjMCeA/FJmb0LmjWDnHjpWpG5sRldrvhG03Kreujo=,tag:GWGYTmgNgQWWnlPiKq+9vw==,type:str]
-example_key: ENC[AES256_GCM,data:UF/a/+f6T6RayR67Yg==,iv:WAOwW5BUhbdBrvcYHJ0wCaxEcVpM6l4b783qSIl5JV4=,tag:+Wad6zUE9ioqmd3RPG1VoQ==,type:str]
-#ENC[AES256_GCM,data:CtX2GMcSxD5+bziAgAzoNA==,iv:QaLhxAbp2hO2NcD5QXc7afhcs8PeSWH+03u02+Xz9oA=,tag:Dfh5WpmrSwqk7THu333rLw==,type:comment]
+hello: ENC[AES256_GCM,data:0NxDMh13g5abuc46q8WYpcVxZalJalE+dIhWZr0Ta6u1pbcrA1HH/8PQnRUIew==,iv:lQz0qVjjWJ6jajApiJ8x/fhAhpPLpDICR4eZnu0dCVw=,tag:F9brrGmlpOGaeFxTEJA54w==,type:str]
+example_key: ENC[AES256_GCM,data:IJeH/2DXBN/WL7SMOQ==,iv:SFhmVUSiMTWrNxCRbSnQj1/Q4L1J+1H+YDWXRqQGgfk=,tag:T0LxlvqPc0ajqWFe1NR+Vw==,type:str]
+#ENC[AES256_GCM,data:BFKNA5aiPIt5oWQIF6a9Cw==,iv:ez3Omp4B6bBYlt1tlpTYSXAfi/SrbJ03ILDUetAnf20=,tag:CFd05yXHZhu+lzLIe95azg==,type:comment]
 example_array:
-    - ENC[AES256_GCM,data:ewSxVYXxF+csyS4Mzek=,iv:1ZmQwbhJtYDt5rZUdlZ/DzWygBK0Tp0jmAw48pS5cv4=,tag:WNX+SVgTAwHrT2rfpBqyfA==,type:str]
-    - ENC[AES256_GCM,data:Sidp1Dj8jNlpKnz3jFM=,iv:FLQ/n5uW0HbNFuamoZdKStuZcs4KJ3vvfirUi42at3U=,tag:FL7MvMpKdJDXX8XQbScW9g==,type:str]
-example_number: ENC[AES256_GCM,data:nm2Zjf+aDSAB2w==,iv:bwrxPbdQzOoSvSGCtX/Nr8NG86pOJAHjg47obYGO7Xs=,tag:tqQ35rtS0Mq4CeKCC9Km+w==,type:float]
+    - ENC[AES256_GCM,data:bh+AhmfAe9Tp0D6WGLI=,iv:WSOnTzHWhkNJUcyhvHizb9RheYFNESZbJJ+G79GMQJs=,tag:chpWcINudyQIiWgdgrzSXA==,type:str]
+    - ENC[AES256_GCM,data:U+vm05ISl8ldk21+vwk=,iv:MKrw0o1FZ6Hzt0c6/gagbZb1jV12FSOUwiLoXr3QPac=,tag:LXOGzJSxkbEDbrIQuzWMog==,type:str]
+example_number: ENC[AES256_GCM,data:ZVyoML4H0yZF3g==,iv:WTEu085WG5byuAPaPbAR0wCkBoMwvL2F6A6pFGkiuck=,tag:ZDdUBzl7tUJUhXv3bUlnZg==,type:float]
 example_booleans:
-    - ENC[AES256_GCM,data:TTbYrA==,iv:jG0BICY3Rc1z0hVuUVwgzOZ02pUxGhDhdLERqu2bi5U=,tag:F0TgOm50LVNbVaVKOnuTUA==,type:bool]
-    - ENC[AES256_GCM,data:M+ccBn0=,iv:vPRaIEELkypw53gkUmr8Lb+TNwtfDBO8y5yQNpF42Pw=,tag:dxOKj16ctBbgyul/Pr6rxA==,type:bool]
+    - ENC[AES256_GCM,data:kPkHPw==,iv:dgj2RjGkfsRJoEB+cju5ceZa3/IBXccR0rcS+uYa4LA=,tag:8uDEVNqnq4DbiVHYTCvGFQ==,type:bool]
+    - ENC[AES256_GCM,data:mHvy44o=,iv:4KI2SHpq+as27W77puR7NEi5ILeYD0/YnYcF5/4Uq3I=,tag:QB5D0JOFZqZX5mVGf7j3NQ==,type:bool]
+default_password: ENC[AES256_GCM,data:h+D4/V4Dstnlhut5LBIg9A==,iv:yrckE1BCwjvCGZYp/WlpYyRMZeWJMZE26QNQ/tvZIyY=,tag:S5it0ySU1MUNrItWNeYW/A==,type:str]
 sops:
    age:
        - recipient: age1dhmt5tdyxd9zam542zkr9hq4tku7lzmf6j057sjtepk80deky5fqemczs5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHU2hZUlMvQ0xVOWlWaEwv
-            UCt5ZzRmNHc0dDRLWkkwVWZRa2o2N25rbHo0CnhFcFVTT1gzdjVzTzlVSGFFUkNu
-            QVBOOEFLM0hDQWV5RXhzTjFhbGZrQzAKLS0tIFoxeFFzcHdFTlF2c0toTUlxT1lM
-            eFZFRkMvVG5qeVZOZmRvNkQ5cUpnOUEKfA5lu9DY+EklFzZGwdZv3hModXN8fzKE
-            RVnWoNcAbQ83ZH87XwqkGSgmP2Vzumm9gBrJ013Zs6yWFUCvVBLI0Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKR0x1eHFCV1FvODF6MDVr
+            bXlQcTdQOUIyZW90RDhzYWxjU2pMQS84eFg4CjJvdDRyY1g3VmFzVUVMZFhwcEFv
+            OUk4U0U2SHFUWXVRTmcxdGpiSHhJZ00KLS0tICt1VjBvZWJRVlRqOHF2MTZyWmZq
+            UHFNTUdHdE9WaGJraW5OY25DQUdiYmMK2yANe44uUYavGc9UvLwOzpQH/kuY/g5D
+            8lNECUT7gfna7T0lEuBqafiUtRMJFgWLPqSk83pVg0FhQ5PJVtEqzw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-24T22:19:06Z"
-    mac: ENC[AES256_GCM,data:AWu5bQctk6f+IgagtDPtPnaYEOLPwdby8El9b+cCgLNxHASD4cybbkr7ishBxBdDd8Xj4zhTvQFeOSgazoclPBoPx264AVHRNhYkQT0rPwGpizTcmolla2v4wika4ZRWGr9oR9xwer6OpB9y0vIe5TxLkzrtgVk1Fr6LKATiq8s=,iv:mxRIXpZ2cEv6b9v/U783Tbfwg5L/EsH40l7aBS7E/Pc=,tag:O9Zn1cTj/qEy3X0U+ouvRg==,type:str]
+    lastmodified: "2025-12-24T22:27:52Z"
+    mac: ENC[AES256_GCM,data:etJw5g4joy063Y64ohU3H7KH6gpN1FBCbnlvf/HiMQW48rlHI8RnGWZDxMUAa0oO/cTcWpbQU9U6wLrn5lT2879m2lTqa/MuoibeViWdNMb9HrJ7nzlceWJlhCGq3feC91R1o/d3E90EXm3PC0s0AXx9PsaJ5k3rHdeITs7zbZQ=,iv:zUvj2+rS/T0lvzVbL/eFwTOMqd2pVwE9LtWEpxMaw6k=,tag:2SWFeV8dSI4wkbIYaA6IzA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
@@ -1,6 +1,7 @@
 {
  pkgs,
  myConfig,
+  config,
  ...
 }: {
  users = {
@@ -8,6 +9,7 @@
      ${myConfig.nixos.username} = {
        isNormalUser = true;
        extraGroups = ["wheel" "networkmanager" "input" "video"];
+        hashedPasswordFile = config.sops.secrets.default_password.path; # FIXME: may not work!
        useDefaultShell = true;
      };
    };