From 93d221d79b379a0824ea7c8aaff50a45ba44718b Mon Sep 17 00:00:00 2001
From: Johannes Rothe
Date: Thu, 21 Nov 2024 22:47:05 +0100
Subject: [PATCH] Setup sops

---
 .sops.yaml | 9 +++++++++
 flake.lock | 37 ++++++++++++++++++++++++++++++++++++-
 flake.nix | 12 +++++++-----
 nixos/tien/secrets.yaml | 30 ++++++++++++++++++++++++++++++
 vps-configuration.nix | 19 ++++++++++++++++---
 5 files changed, 98 insertions(+), 9 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 nixos/tien/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..74e92cd
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &admin_age age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+ - &tien_age age12j6x69evhvh6ljngq4lgesnezf7hwafc33z7nj9urnsl5xzlhp5sf6szck
+creation_rules:
+ - path_regex: tien/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin_age
+ - *tien_age
diff --git a/flake.lock b/flake.lock
index 4d2a58f..22c129c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,11 +71,46 @@
 "type": "github"
 }
 },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1731763621,
+ "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "disko": "disko",
 "home-manager": "home-manager",
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs_2",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3"
+ },
+ "locked": {
+ "lastModified": 1732186149,
+ "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
+ "type": "github"
+ },
+ "original": {
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
 }
 },
diff --git a/flake.nix b/flake.nix
index 44e3a3a..8ed0109 100644
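Review bot: The two age recipients in the new .sops.yaml carry no explanation beyond their anchor names, so the next editor has to guess which one belongs to the host; a comment such as `# tien_age: age form of tien's /etc/ssh/ssh_host_ed25519_key (ssh-to-age); run sops updatekeys after any recipient change` would settle that — I infer the host mapping from the `age.sshKeyPaths` setting in vps-configuration.nix, please confirm. `path_regex: tien/secrets.yaml$` is only end-anchored and its dot is unescaped, so it matches any path ending in tien/secrets.yaml regardless of directory; `path_regex: ^nixos/tien/secrets\.yaml$` pins the rule to the one file this commit adds. It is also worth a one-line comment here that sops leaves any key ending in `_unencrypted` in plaintext (the `unencrypted_suffix` default recorded in the new secrets.yaml), since this file is where contributors will look before adding a key.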
--- a/flake.nix +++ b/flake.nix @@ -6,9 +6,10 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; home-manager.url = "github:nix-community/home-manager/release-24.11"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:mic92/sops-nix"; }; - outputs = { self, nixpkgs, home-manager, disko,...}: + outputs = inputs@{ self, nixpkgs,...}: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; @@ -24,15 +25,16 @@ }; tien = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; + specialArgs = { inherit inputs; }; modules = [ - disko.nixosModules.disko + inputs.disko.nixosModules.disko ./vps-configuration.nix ./vps-hardware-configuration.nix ]; }; }; homeConfigurations = { - "rothe@lift" = home-manager.lib.homeManagerConfiguration { + "rothe@lift" = inputs.home-manager.lib.homeManagerConfiguration { inherit pkgs; modules = [ ./home/rothe.nix @@ -42,7 +44,7 @@ mail = nixpkgs.lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"]; }; }; - "rothe@johannes-powermachine" = home-manager.lib.homeManagerConfiguration { + "rothe@johannes-powermachine" = inputs.home-manager.lib.homeManagerConfiguration { inherit pkgs; modules = [ ./home/rothe.nix @@ -51,7 +53,7 @@ mail = nixpkgs.lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"]; }; }; - "rothe@pdemu1cml000301" = home-manager.lib.homeManagerConfiguration { + "rothe@pdemu1cml000301" = inputs.home-manager.lib.homeManagerConfiguration { inherit pkgs; modules = [ ./home/rothe.nix diff --git a/nixos/tien/secrets.yaml b/nixos/tien/secrets.yaml new file mode 100644 index 0000000..35ea4e3 --- /dev/null +++ b/nixos/tien/secrets.yaml 
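Review bot: `sops-nix.url = "github:mic92/sops-nix";` has no `inputs.nixpkgs.follows`, unlike the home-manager line directly above it, and the flake.lock in this commit shows the consequence: a second nixpkgs node (`nixpkgs_3`, tracking nixpkgs-unstable) that is pinned only through sops-nix. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` keeps the whole closure on the single nixos-24.11 pin, so there is one nixpkgs to update and audit and no unstable tree pulled in alongside it. If sops-nix's own nixpkgs is wanted for a reason, a comment next to the url should say so, because the default reading of the omission is an oversight.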
@@ -0,0 +1,30 @@
+foo: ENC[AES256_GCM,data:HqMg,iv:LdYZPucCO7rOgOFtuzSwSoOsW/GvPoysLfZa2w+E03E=,tag:DpE52f6iWiQ691bwJNFBZA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdkRUVWpSbjVvRUpiUTNj
+ RDQ5aDNKNGZCd0ZGWkczQWRVUWRraTk3bHlvCjQ2ZGtvM3dJQnl0Wjc2ZmJYNGJV
+ QnhuMG1UVEZDUXdMK2M0L3c5Um4rQ28KLS0tIGtQcGVkQktmUkwwbSsrdC8rVnZE
+ T3VhOFF5NGlER2FCQlUrWFN0RHNSeW8KTFwMDtofyqFrnIFs9qy1gHiw8eVX7pcm
+ 2k6yLOeyP2NaksDl74OSrmUECxZKMRPspgn1ZlznibDQKyCVXVVKZg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age12j6x69evhvh6ljngq4lgesnezf7hwafc33z7nj9urnsl5xzlhp5sf6szck
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGhZQnBld1lEeGNZVkpi
+ TzFKaFJyVVNqKzNQQkN0M3ZWRUlkY1g3SzE4CmlnVVlMbWRTVHd4KzV3ZHNuR21S
+ bmdJZDJ4YzVDZ3JTcDVucmhpd2xJNFUKLS0tIGRzcUt6cjl3UGpldVBTeG01V1dX
+ eWx2UWdkUXdrSkxPT1NXS2xHengreWsKR31+5SpYGOJyd/SFmzrThBWOVt1GU1hr
+ qTQqyc2/XbMQCc/SrYCa/FhRLboKUFkAO2XbMoH5zEwmkFtuCEoNvg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-20T21:34:05Z"
+ mac: ENC[AES256_GCM,data:xx007JasOAWh2Os1DKkDQ3QMGmxN3oBpmL/t8/UWleYHVR3CTjYOTiSEguurFFIOqW7sK3ZAxnKbIr3mwDXs2VA1LO6L2UvBA0NaFgP6Qws+YvjF+dzRrxl+fXOMJz5wxOJROYo3VVI4zH7xnI22ENGc7VLDholwbx5EZDbUL7Y=,iv:KZxPU6RbLY2wZIX/hsO8OLweAxGe30LOSHWa9MI1ydA=,tag:oewmLJbInGoX7ZwpljRAkA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/vps-configuration.nix b/vps-configuration.nix
index 9bded63..c6e1c70 100644
--- a/vps-configuration.nix
+++ b/vps-configuration.nix
@@ -1,9 +1,13 @@ -{ config, modulesPath, lib, pkgs, ... }: +{ config, inputs, modulesPath, lib, pkgs, ... }: +let + hostname = "tien"; +in { imports = [ (modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/profiles/qemu-guest.nix") ./vps-disk-config.nix + inputs.sops-nix.nixosModules.sops ]; boot.loader.grub = { # no need to set devices, disko will add all devices that have a EF02 partition to the list already @@ -12,13 +16,22 @@ efiInstallAsRemovable = true; }; + sops = { + defaultSopsFile = ./nixos/tien/secrets.yaml; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets = { + foo = {}; + }; + }; + + environment.systemPackages = with pkgs; [ authelia curl vim ]; - networking.hostName = "tien"; + networking.hostName = hostname; # do not use DHCP, as dashserv provisions IPs using cloud-init (see service below) networking.useDHCP = pkgs.lib.mkForce false; networking.firewall = { @@ -177,7 +190,7 @@ enable = true; network.enable = true; settings = { - hostname = "tien"; + hostname = hostname; }; };
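Review bot: `foo = {};` under `sops.secrets` declares a secret that nothing in the hunk consumes, so it is materialised with sops-nix's defaults (a root-owned, mode 0400 file under the default secrets mount point); if it is a placeholder ahead of wiring up the `authelia` package added to systemPackages a few lines below, a comment saying so — `# placeholder; set owner/mode for the consuming service before use` — stops it being read as a live secret. `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` ties decryption to the host's SSH key, and since this file also imports the disko disk config, a reinstall that wipes the disk regenerates that key and the `tien_age` recipient in .sops.yaml stops matching; a comment on this line noting that the new host key must be added as a recipient and the file re-keyed before activation can decrypt would save a confusing first boot. Whether `foo` decrypts today at all depends on `tien_age` actually being this host's converted key, which cannot be verified from the diff.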
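Review bot: `hostname = hostname;` inside `settings` is spelled `inherit hostname;` in idiomatic Nix and reads less like an accidental self-assignment; the `let hostname = "tien"; in` binding added at the top of the file already makes the value available here. The attribute set this settings block belongs to begins before the hunk, so I cannot see which service it configures.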