From 01f88e905110ae842724b30c4d7523fa43530155 Mon Sep 17 00:00:00 2001 From: Kalle Struik Date: Thu, 26 Dec 2024 19:41:49 +0100 Subject: [PATCH] Add sops-nix
---
 .sops.yaml | 9 +++++++++ flake.lock | 23 ++++++++++++++++++++++- flake.nix | 4 ++++ secrets/nix-test.yaml | 33 +++++++++++++++++++++++++++++++++ utils.nix | 6 +++++- 5 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 .sops.yaml create mode 100644 secrets/nix-test.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..8b48cde
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &kalle_laptop age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra
+ - &vm_base age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz
+
+creation_rules:
+ - key_groups:
+ - age:
+ - *kalle_laptop
+ - *vm_base
diff --git a/flake.lock b/flake.lock
index b7fee96..50afd20 100644
--- a/flake.lock
+++ b/flake.lock
@@ -34,7 +34,28 @@ "root": { "inputs": { "impermanence": "impermanence", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734546875, + "narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } } },
diff --git a/flake.nix b/flake.nix
index 3422c5e..34cb0cb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,10 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 impermanence.url = "github:nix-community/impermanence";
+
+ # Sops-nix, a secrets manager
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs =
diff --git a/secrets/nix-test.yaml b/secrets/nix-test.yaml
new file mode 100644
index 0000000..2ae41a2
--- /dev/null
+++ b/secrets/nix-test.yaml
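Review bot: The single `creation_rules` entry in the .sops.yaml hunk carries no `path_regex`, so it matches every file sops is pointed at and encrypts each one to both `kalle_laptop` and `vm_base`; because utils.nix in this same patch selects `./secrets/<hostname>.yaml` per host, a secrets file added later for a second host would also be decryptable by whichever machine holds the vm_base identity. Scoping the rule per host, e.g. `- path_regex: ^secrets/nix-test\.yaml$` followed by the existing `key_groups` block listing only `*kalle_laptop` and `*vm_base`, limits each host to its own file while the laptop key (presumably the operator's editing key) stays in every rule. That vm_base is the nix-test host's identity is inferred from the file names, not stated in the hunk.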
@@ -0,0 +1,33 @@ +traefik: + acmeEmail: ENC[AES256_GCM,data:aM2AQADo5s0c1b//UWPXNPlKMXNRRnPFDbM=,iv:RP7Tn8s1nYKJf0B0KO0BQkI4tnz/zUK8KqzQqeNiyZk=,tag:g4+lwK4miUdxOwLHQcUZhg==,type:str] + CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:YHQ00Qh0t7owvFE/PXu8o4a8ry1P92/CVA==,iv:z982jUAm8W4Du/5dLopQZE0p5eWi4Ls7TYsiiwUlqvg=,tag:bek2eQ4duYBH8F2LG+Tr+g==,type:str] + CLOUDFLARE_DNS_API_TOKEN: ENC[AES256_GCM,data:zyTpv1AGA9GzfGfFyxqO40NKZt8LlHU1YT9kvXPZYAGUc5wE3GVxzg==,iv:W7u5gEeYNkCGO3D0Y+XBZ4PCI081QsNK10ThHKbV68M=,tag:7onKfU+mVz3euCbFrX1mdg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSmIyL2JwZXhJaE13SlJW + NXg3Nzg3bjlUOHp4blVBdmFJZmRjUkREa0RnCmhZQTJlaER4KzZHeHc2dkVXQ3RU + OFd1c2REMkR0YlVJL2lOcENNM01Ka1EKLS0tIGJFdzFpN2VqdEVQV1ZnQXVwa1Vs + enpRZVQ1dVphQmtETlY1UDdleXVRdDAKmUzn+98cPWbKXgsCKHeQzkVysj2eOIx6 + UTT6+MPOskud/PPrCV9SmBsfwxZ5NJvbkYPtmRHOWr3UgJ7gOSD0ZQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMHllWTBWd2h0c29TT2pF + NTNmM2puSG9USUtVU0drNnFmVUxaYXJES2lrCmY1d2hLR2VCVXgrb3k2Z2RJVXBY + dUhOMjJ4elhLaUZqK1BNQzh0Z3YvYTAKLS0tICtFSFBsN2FoRURwQVNGNUNRdnAy + SitKZlhUek9SM2xuRmc1dEh3N0xJak0K1HrF4CcZhq2DBjiRj8eTRBe1FHas9yep + vzEBYsnjsJ3uCtcLCqVu0CApBr6oLXPiwgRouAmRIzBUQfiXtWoEbQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-26T18:39:38Z" + mac: ENC[AES256_GCM,data:2dr8o3njYlYVHiFItM4MrlHfpiw7AurdedXm614MbMiX6b5bkAoIuSJHWjjwmBsQY52yTUwl5GS0oLztRGOZ9OsxiwvGRoxNG5lAPK83t4pralaWvLKVn7CCClU6fyYnUwqPEfw/YFSxlm00iBPz54zRQNvIigrZhhAM3lHswaM=,iv:sgvpiOwz183/GewbTFsW3EV8bHX7p/13b32sDPxRcMw=,tag:ZHHv4fAOT/lPZg/n9rnMvA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 
diff --git a/utils.nix b/utils.nix
index fb8a4cc..02bcbd3 100644
--- a/utils.nix
+++ b/utils.nix
@@ -19,12 +19,16 @@
 };
 modules = [
 inputs.impermanence.nixosModules.impermanence
- # inputs.sops-nix.nixosModules.sops
+ inputs.sops-nix.nixosModules.sops
 ./systems/base/configuration.nix
 ( { ... }: {
+ sops.defaultSopsFile = ./secrets + "/${hostConfig.hostname}.yaml";
+ # Disable automatic pgp key generation based on ssh keys
+ sops.gnupg.sshKeyPaths = [ ];
+
 networking.hostName = hostConfig.hostname;
 system.stateVersion = hostConfig.stateVersion;
 }
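Review bot: The new `sops.gnupg.sshKeyPaths = [ ];` line turns off the gnupg path, but the hunk sets neither `sops.age.keyFile` nor `sops.age.sshKeyPaths`, so decryption presumably relies on sops-nix's default age identity derived from the host's ssh host key; with the impermanence module loaded in the same `modules` list, that key has to live on persisted storage or the vm_base identity is lost after the first reboot and activation can no longer decrypt `secrets/<hostname>.yaml`. The comment above it also overstates what the option does — sops-nix imports existing ssh keys into gnupg rather than generating pgp keys — so `# Do not import ssh host keys into gnupg; this host decrypts with its age identity only` would be more accurate. `sops.defaultSopsFile` now points every host at `./secrets/<hostname>.yaml` while only `secrets/nix-test.yaml` is added here; whether a host without such a file fails evaluation once it declares a secret is inferred, not visible in the hunk. The enclosing module list and the function around it start before and end after the hunk.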