From b5f2e1738fccb0e728848969748b780b05b01331 Mon Sep 17 00:00:00 2001
From: John Ogle
Date: Sat, 28 Sep 2024 09:04:25 -0700
Subject: [PATCH] [secrets] Setup initial example secrets
---
 .sops.yaml | 11 +++++++++
 flake.lock | 40 +++++++++++++++++++++++++++++-
 flake.nix | 51 +++++++++++++++++++++------------------
 roles/default.nix | 1 +
 roles/secrets/default.nix | 8 ++++++
 secrets/secrets.yaml | 48 ++++++++++++++++++++++++++++++++++++
 6 files changed, 134 insertions(+), 25 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 roles/secrets/default.nix
 create mode 100644 secrets/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..b18b7ea
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+ - &admin_johno age1ls6a033d4p4u8h4rwazjwt8w4c4xg73wq0mdnm64jajxzcz4k9asvjnks3
+ - &host_z790prors age12l5u7sw59u5pkwp83qm8t3ff7uv0ld2c9k3zh5j4ame9k2szcynqu7ftqe
+ - &host_nixbook age1fa3zqavfmqk4ssa22yne9td90gyqv9q5a8y0s8jp3xak8q7p3yjqyn7rkg
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_johno
+ - *host_z790prors
+ - *host_nixbook
diff --git a/flake.lock b/flake.lock
index 3a79460..49a3714 100644
--- a/flake.lock
+++ b/flake.lock
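Review bot: The single creation rule in `.sops.yaml` places all three recipients in one key group, so each host key listed here can decrypt every file matching `secrets/[^/]+\.(yaml|json|env|ini)$`, not only the secrets meant for that host. If per-host isolation is intended, add one rule per host file ahead of the catch-all (for example `path_regex: secrets/z790prors\.yaml$` with `*admin_johno` and `*host_z790prors` only) and keep the broad rule for genuinely shared secrets. Note also that the `boxy` configuration in flake.nix now imports `./roles` (and through it the new secrets module) but has no host key among these recipients, so its host key needs adding here and the secrets file re-encrypted before it can decrypt anything.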
@@ -36,10 +36,48 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1725762081,
+ "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "home-manager": "home-manager",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1727423009,
+ "narHash": "sha256-+4B/dQm2EnORIk0k2wV3aHGaE0WXTBjColXjj7qWh10=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "127a96f49ddc377be6ba76964411bab11ae27803",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 08fac7d..945cd15 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,60 +4,63 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { self, nixpkgs, ... } @ inputs: { + outputs = { self, nixpkgs, ... } @ inputs: let + baseModules = [ + ./roles + inputs.sops-nix.nixosModules.sops + inputs.home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + } + ]; + in { nixosConfigurations.z790prors-nix = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; - modules = [ - ./roles - ./machines/z790prors/configuration.nix - inputs.home-manager.nixosModules.home-manager + specialArgs = { inherit inputs; }; + modules = baseModules ++ [ + ./machines/z790prors/configuration.nix { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; home-manager.users.johno = import ./home/home-z790prors.nix; - home-manager.extraSpecialArgs = { - customPkgs = nixpkgs.legacyPackages."${system}".callPackage ./packages {}; - }; + home-manager.extraSpecialArgs.customPkgs = + nixpkgs.legacyPackages."${system}".callPackage ./packages {}; } ]; }; nixosConfigurations.nix-book = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; - modules = [ - ./roles + modules = baseModules ++ [ ./machines/nix-book/configuration.nix - inputs.home-manager.nixosModules.home-manager { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; home-manager.users.johno = import ./home/home-nix-book.nix; - home-manager.extraSpecialArgs = { - customPkgs = nixpkgs.legacyPackages."${system}".callPackage ./packages {}; - }; + home-manager.extraSpecialArgs.customPkgs = + nixpkgs.legacyPackages."${system}".callPackage ./packages {}; } ]; }; nixosConfigurations.boxy = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; - modules = [ - ./roles + modules = baseModules ++ [ 
./machines/boxy/configuration.nix # inputs.home-manager.nixosModules.home-manager # { - # home-manager.useGlobalPkgs = true; - # home-manager.useUserPackages = true; # home-manager.users.johno = import ./home/home-default.nix; - # home-manager.extraSpecialArgs = { + # home-manager.extraSpecialArgs.customPkgs = + # nixpkgs.legacyPackages."${system}".callPackage ./packages {}; # customPkgs = nixpkgs.legacyPackages."${system}".callPackage ./packages {}; - # }; # } ]; }; diff --git a/roles/default.nix b/roles/default.nix index cd55e7b..1634b41 100644 --- a/roles/default.nix +++ b/roles/default.nix @@ -13,6 +13,7 @@ in ./kodi ./nfs-mounts ./printing + ./secrets ./users ./virtualisation ]; diff --git a/roles/secrets/default.nix b/roles/secrets/default.nix new file mode 100644 index 0000000..c864234 --- /dev/null +++ b/roles/secrets/default.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, inputs, ... }: + +{ + sops.defaultSopsFile = ../../secrets/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" "/home/johno/.ssh/id_ed25519" ]; + sops.secrets.example_key = {}; +} diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..4dcef72 --- /dev/null +++ b/secrets/secrets.yaml 
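Review bot: `specialArgs = { inherit inputs; };` is added only to `nixosConfigurations.z790prors-nix`, while `baseModules` — which imports `./roles` and, via the new `roles/default.nix` entry, `roles/secrets/default.nix` whose argument pattern requires `inputs` — is shared by `nix-book` and `boxy` too; unless those two receive `inputs` some other way, their evaluation should fail with a missing-argument error. Either add `specialArgs = { inherit inputs; };` to the other two `nixosSystem` calls or drop the unused `inputs` from the secrets module's pattern. In the `boxy` block the retained context line `# customPkgs = nixpkgs.legacyPackages."${system}".callPackage ./packages {};` now duplicates the two rewritten commented lines above it and can go. The `outputs` attribute set that encloses these blocks closes outside the hunk.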
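Review bot: `sops.age.sshKeyPaths` lists `/home/johno/.ssh/id_ed25519` next to the host key, so activation (running as root) reads a user's personal private key to derive a system decryption identity; the host already has its own recipient in `.sops.yaml`, so `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` is the least-privilege form and keeps the admin identity off the machines. Because `roles/default.nix` now imports this module on every machine, `boxy` — whose host key is not a recipient in `.sops.yaml` — can only decrypt `example_key` if that user key happens to exist locally, which presumably means an activation failure there; add its host key as a recipient and re-encrypt, or guard the import. `inputs` is declared in the argument pattern but never used, which forces every caller to supply it through `specialArgs`; drop it or give it a default. A header comment such as `# sops-nix wiring shared by all hosts: default secrets file, format and the SSH keys used as age identities.` would help readers of the roles tree.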
@@ -0,0 +1,48 @@
+hello: ENC[AES256_GCM,data:5ZpbPx3D8gQc1fOhViUqiCr0zLWYotB+vIBixqTbqP9XLS52y6tr5DXus0aV9mTgka5deqc=,iv:yPJaCqDD9WD56swfBjSm7A62ZTTIQDqyAKOgP1ese+U=,tag:bo8+7Ne2f9aEZSvpkt1fzA==,type:str]
+example_key: ENC[AES256_GCM,data:v15bEcb0H3vaj13blg==,iv:9P3IA7ChBamo41VE8G8tj46sZqeijsO1LcvwLtEPVPA=,tag:o/lAyAYYGNLP9EjQNa/K8Q==,type:str]
+example_array:
+ - ENC[AES256_GCM,data:3Vwa7dfNfKzRc/xpk6I=,iv:IevBgxwWdaBvZY1ywteWcfWwDIA8lK3FTWs67lLBKxw=,tag:Mx5lzUeNZ/3wJBWAl5XSBw==,type:str]
+ - ENC[AES256_GCM,data:epkT6WPGW5Oe/S+4HtU=,iv:N0yoDuieAaEi+NuCoCL4zrkhaDDdkttboI89m+UccjQ=,tag:OoERRByb0OM4un9oGLJQgA==,type:str]
+#ENC[AES256_GCM,data:YzMFXxn3sbbHpGB4jPRtRw==,iv:TN6ogQuH7c6xtDoWt0Ew9B2f7wuaipJynvscZmaJYoU=,tag:No0UwEktEyMNBg/46P+Zmg==,type:comment]
+example_number: ENC[AES256_GCM,data:jmLoVC+8YIlB2A==,iv:u9GztD/aE9UN5zWq3Am2nhYwmYt3sf8sy65MHbhVoD0=,tag:wKuf1mMr5XBJveJrz0uHPA==,type:float]
+example_booleans:
+ - ENC[AES256_GCM,data:ZacILA==,iv:xo+7aFFQXzbJzKDY0mYTeFLf10AlnHkywDRAMHeprEM=,tag:F/OnJdqjrZP02sTLWLmnbg==,type:bool]
+ - ENC[AES256_GCM,data:NaFrvrs=,iv:kKDmGs9u/w5qrZ/379Jlx8AotUVADvH+eHwHCqykmkE=,tag:nD9TsmkXUm4ABaT1ABWmcg==,type:bool]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ls6a033d4p4u8h4rwazjwt8w4c4xg73wq0mdnm64jajxzcz4k9asvjnks3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjak9vRVJtVmJoanhEZ0hQ
+ MFJwMEE4UDcrRkdPRmZ6R09FSDY1aTk3Y1dNClZJYXRLNU5senR3Qzh6VmZGMlhu
+ bnl6VjlaUEFISnBtSTVrcEd0ZjI5Q2MKLS0tIFl1b3A5ZWVqc1gvWVZnZis0ZHFk
+ bWhnNVB2TUJ4YzY4NHdSVXhPc3dReTgKWRYBbBE3+oGsRNw1CROhFY+btENbShfv
+ gw3IdW7OoZV6JpJBOcI82eOuOkIxrmgSGDGeyy10/a5MA/cB1umm+w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age12l5u7sw59u5pkwp83qm8t3ff7uv0ld2c9k3zh5j4ame9k2szcynqu7ftqe
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcmV3TDlNL2Zxb0h5QTYx
+ QkVmczA0MDc2ZnpNNU1YeFVzSXJwc3RWUmk4CjF4bHIrVU9VM3htTUxGZ2FUR256
+ UEovdVV2cmNIbkloS1VobTNFSDVyRG8KLS0tIEFhUk5kL3hCNGs4MGJBTmNJaVFm
+ b2ZBUGJ1K0lKTitKYTRUMWszQzhBU0UKBaM6t6JmWfiG+wPorGea1gqvV5RSIPyw
+ 6yb2PcH2oZ0HrjJM5sjfu7XOWY3KneiZZikR1BpD5KvevfagWTSR/w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1fa3zqavfmqk4ssa22yne9td90gyqv9q5a8y0s8jp3xak8q7p3yjqyn7rkg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMFJiNjVOb0lTcmJ3VnhH
+ WlRKZERRZFM3TFZBZGNSZC9GdHlHakMza21zClJ3SDdFUkVRc3oyVVU3WEtDQzBu
+ OEFqS3NwbHZFUlpCYlN6RW84N0F1amcKLS0tIHFZK21aTHdwZ2dWbVRrWEZDWFZj
+ aU1IQzdTMVhnbHhsNENwMG05dXhOU2MK8fEJea9sL5JLgltVlTI6mRDb+Tl83Iz7
+ 4wPYvo68cn8vimXqSk45ldHRrNa3zhYai3CalQaGtDT3fkWGvSq0zQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-28T15:44:39Z"
+ mac: ENC[AES256_GCM,data:YUi+AbS6DQTmrSyOXsbkZWfWaMyKGR8fYm/MHcxmqChi8hng+UWHBZjsLBe6ef/FLH3rnP6bhfwK8KYnVS6fHvHahoqIq/BHydTsqrclnSgRAGl8Lh0yuhwISNRvP1AuW5pd50sdQaS0uGOtzOCharI/pZ9H+cmt2SB5WOCdeLs=,iv:2nBG6it3tNSLSia8hGzCcesuK9QwzB9EzfjWegjQ2kw=,tag:RGGPAPw/rQKhWA2OqLjTJw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
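Review bot: Only `example_key` is consumed by `roles/secrets/default.nix`; `hello`, `example_array`, `example_number`, `example_booleans` and the encrypted `type:comment` entry look like the sops template defaults rather than values the configuration uses, and trimming them keeps the file to what the modules actually reference. The three `age` recipients here match the key group in `.sops.yaml`, so this file is consistent with that rule as of this commit; any later recipient change (for example adding a key for `boxy`) must be followed by re-encrypting this file so the `mac` and recipient list stay valid.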