From 15234fa2bb998352acd659114c0061c8fd24f610 Mon Sep 17 00:00:00 2001
From: Richie Cahill
Date: Sun, 5 Jan 2025 20:10:30 -0500
Subject: [PATCH] basic sops setup
---
 .gitignore | 1 -
 .sops.yaml | 19 +++++++++++++
 flake.lock | 21 +++++++++++++++
 flake.nix | 26 +++++++++++++++---
 users/richie/secrets.yaml | 57 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 119 insertions(+), 5 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 users/richie/secrets.yaml
diff --git a/.gitignore b/.gitignore
index 523ddd1..af5dd9d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -162,4 +162,3 @@ cython_debug/
 #.idea/
 test.*
-secrets.*
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..3024f26
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,19 @@
+keys:
+ - &admin_richie age1u8zj599elqqvcmhxn8zuwrufsz8w8w366d3ayrljjejljt2q45kq8mxw9c
+
+ - &system_bob age1q47vup0tjhulkg7d6xwmdsgrw64h4ax3la3evzqpxyy4adsmk9fs56qz3y
+ - &system_jeeves age13lmqgc3jvkyah5e3vcwmj4s5wsc2akctcga0lpc0x8v8du3fxprqp4ldkv
+ - &system_muninn age1yxx8uwxkugvncseatftkxttnmy8888wxemtygdkzhfzj5fzzfvgsuj3hn2
+ - &system_router age1xzxryqq63x65yuza9lmmkud7crjjxpnkdew070yhx6xn7xe4tdws5twxsv
+ - &system_rhapsody age1ufnewppysaq2wwcl4ugngjz8pfzc5a35yg7luq0qmuqvctajcycs5lf6k4
+
+creation_rules:
+ - path_regex: users/richie/secrets\.yaml$
+ key_groups:
+ - age:
+ - *admin_richie
+ - *system_bob
+ - *system_jeeves
+ - *system_muninn
+ - *system_router
+ - *system_rhapsody
diff --git a/flake.lock b/flake.lock
index ab9266c..e624851 100644
--- a/flake.lock
+++ b/flake.lock
@@ -254,6 +254,7 @@
 "nixpkgs": "nixpkgs",
 "nixpkgs-master": "nixpkgs-master",
 "nixpkgs-stable": "nixpkgs-stable_2",
+ "sops-nix": "sops-nix",
 "system_tools": "system_tools",
 "systems": "systems_3"
 }
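Review bot: The creation rule covers only `users/richie/secrets\.yaml$`, while the .gitignore hunk in this same commit removes the `secrets.*` ignore for the whole tree, so any other file matching `secrets.*` would now be committed in plaintext with no sops rule applying; widening the rule to `path_regex: secrets\.ya?ml$` keeps every such file encrypted by default. All six recipients sit in one key group, so each host key can decrypt everything in the file; if host-specific material is added later, per-host files with narrower rules limit what a single compromised host key can read. `system_router` is listed here, but none of the nixosConfigurations touched in flake.nix receives the sops module under that name, which may simply mean that host is defined elsewhere. A comment above each recipient recording which machine it belongs to and how the key was produced, e.g. `# bob: age recipient for the host's sops key`, would make future rotation easier.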
@@ -279,6 +280,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1736064798,
+ "narHash": "sha256-xJRN0FmX9QJ6+w8eIIIxzBU1AyQcLKJ1M/Gp6lnSD20=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "5dc08f9cc77f03b43aacffdfbc8316807773c930",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "system_tools": {
 "inputs": {
 "flake-utils": "flake-utils_2",
diff --git a/flake.nix b/flake.nix
index 2630018..c46ae1e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,11 @@
 url = "github:lilyinstarlight/nixos-cosmic";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
@@ -50,6 +55,7 @@
 home-manager,
 systems,
 nixos-cosmic,
+ sops-nix,
 ...
 } @ inputs: let
 inherit (self) outputs;
@@ -71,19 +77,31 @@
 nixosConfigurations = {
 bob = lib.nixosSystem {
- modules = [./systems/bob];
+ modules = [
+ ./systems/bob
+ sops-nix.nixosModules.sops
+ ];
 specialArgs = {inherit inputs outputs;};
 };
 jeeves = lib.nixosSystem {
- modules = [./systems/jeeves];
+ modules = [
+ ./systems/jeeves
+ sops-nix.nixosModules.sops
+ ];
 specialArgs = {inherit inputs outputs;};
 };
 rhapsody-in-green = lib.nixosSystem {
- modules = [./systems/rhapsody-in-green];
+ modules = [
+ ./systems/rhapsody-in-green
+ sops-nix.nixosModules.sops
+ ];
 specialArgs = {inherit inputs outputs;};
 };
 muninn = lib.nixosSystem {
- modules = [./systems/muninn];
+ modules = [
+ ./systems/muninn
+ sops-nix.nixosModules.sops
+ ];
 specialArgs = {inherit inputs outputs;};
 };
 };
diff --git a/users/richie/secrets.yaml b/users/richie/secrets.yaml
new file mode 100644
index 0000000..6e34fb3
--- /dev/null
+++ b/users/richie/secrets.yaml
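Review bot: The four `lib.nixosSystem` entries in the last flake.nix hunk now repeat an identical two-element module list, so the next host added to `nixosConfigurations` can silently omit `sops-nix.nixosModules.sops` and only discover it when decryption fails at activation; .sops.yaml in this commit already names a `system_router` recipient with no matching entry here (it may be defined outside this hunk). A small `mkHost` helper that takes the host name and injects the module once removes the repetition, sketched below. `nixosConfigurations` appears to open and close within the hunk, but the enclosing `outputs` body continues outside it.
```nix
nixosConfigurations = let
  # every host gets its own directory plus the sops-nix module
  mkHost = name:
    lib.nixosSystem {
      modules = [
        (./systems + "/${name}")
        sops-nix.nixosModules.sops
      ];
      specialArgs = {inherit inputs outputs;};
    };
in {
  bob = mkHost "bob";
  jeeves = mkHost "jeeves";
  rhapsody-in-green = mkHost "rhapsody-in-green";
  muninn = mkHost "muninn";
};
```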
@@ -0,0 +1,57 @@ +my_secret: ENC[AES256_GCM,data:90kRHkDdhuBhskNGeA==,iv:2LTCXQyPJoddxbgCDX+sA8YPEZjS+2V9ZVKYu0dD1WE=,tag:d7wDFBnBwcCuhX+w8gOvaA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u8zj599elqqvcmhxn8zuwrufsz8w8w366d3ayrljjejljt2q45kq8mxw9c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTE5lQ001N3dBTTluU3Bq + TWNwWG5SVURnMFJ3Z21UemlNVHI0dDVMVTB3CjVtK1VBZXFQQlZUckRGM3QyQnhs + eVdhc2c2dHQ1MXFWMmlpS2JpZTBGZWcKLS0tIEluL0ZKZWJXVGtlbUJCcEFTYWtB + ZU5rSHUyR0doWUQyMjJWaUZ0NzNPYncKXnx2/Kg+NGO1ApyVjd2CeWXphgg4zZSL + D79j5NhPrk6Bhr3IcwD6hc0OPZ74pw6mg14yzBFglrw82WZdDnAHxw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1q47vup0tjhulkg7d6xwmdsgrw64h4ax3la3evzqpxyy4adsmk9fs56qz3y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WFhiMURJSkdOUVhoNGxo + R3NWdVJvSUZKMFduM29wTkJDNGszOHdRRTBvCmUxQkhrV1dyV2tJMmcwZHNjOXcv + NUdIeDl3R0o2d2M1R3AzV3k1SkZhc00KLS0tIGhEVEtvVGtBdEcrK3ZMVUhuYklv + WXMyUkZZVmRERENOSldCcDB4OHQ4NVEK81zddZggn7+TzANzjMkjbpnCOHtX4TcA + 2F/Uin4RVD8ECdcoLLeTddo8ILIC4dQ9bD1TA3Wu23v0qsP6KkhczA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13lmqgc3jvkyah5e3vcwmj4s5wsc2akctcga0lpc0x8v8du3fxprqp4ldkv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQelZhczRxNHJPdFNPd2R1 + VkFTUFJ2N3FLN1VvU1BqN0JqV2VyVVFUUzJnCndQWjYrS2lYbzRROFg3VGtMb3BP + NDlYYkhuRGZCdjVncHlXV3ZHcHZ1U0EKLS0tIEM4MUVkaDU4QlphWm5VM1RjbWR2 + R0Y0d3lJNlMvZVEvTnNwbC91YmNoMU0KErYP7q4xGVCyF4GGGEkaydMjFQ8759ER + o9+vtEjJme9AQosa3T4uuATIebxBzqpheRHmvxyNwdt9pZtWvaROng== + -----END AGE ENCRYPTED FILE----- + - recipient: age1yxx8uwxkugvncseatftkxttnmy8888wxemtygdkzhfzj5fzzfvgsuj3hn2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSWFkeHI2UHdZN1RhSlV3 + dlNtWGlkWW95WjdhZTl1VzBvT0V4VytNOVN3Cmd6ZTEvNmJEMUt6bVRKM1hlUE1n + 
ZlA5TVNpWm9PUWpXOG9JMUhtRk5aUnMKLS0tIDJBd1RWQ3RmSzJPNjZ5ZTdMZFlZ + UHhwbURCdHdFOGppZXVJcGFvMWNWTVkK90smB4htJ4aN52zFVpGUYwkledxpGdUr + so6rQ3FfXsE7ik/+f89hPXZJUZLxpO+ENIWitMvH1ZNFmjz3uT+NYA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xzxryqq63x65yuza9lmmkud7crjjxpnkdew070yhx6xn7xe4tdws5twxsv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadlVCTGRWY0trNnViTm1u + NVFBUW1GbVVxOUtpRUt1dElPNFU3clhLUngwCldWa1UzUms0QlJFRngzQitPek9O + c3Z3S2FpRXMrYWU1bFdrUDlzdUwxSW8KLS0tIHg0M1NWWXRTY0swUmw3MXpQQ21o + Q2IyU01yUjVYWFUzVEsyR1dyYlVVTWMK7+3zPVmkQ1lpFmD7f+rpDHVCtmBrZ/sH + 5D8FEbUfqu4l7LDCrtJ8LBBSvntwkcVKQlBu3fwBIDqhgOy9fGjZWA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-05T20:53:12Z" + mac: ENC[AES256_GCM,data:FbzvVgRSBBQ39ppKY7CmPghmkwgvSH8tW3aEC2VD90Xb7YypthnCYTos6Igmv/LkF77F4gkpoF3IT2KqkXJbAZ478ZD412sSkKtOl/A3dWtVkdMSgO8Lv/jvyC6/HtF3MEFHtUM8eG+2brQOUIwWg9fcT+4iaxfEBvJV8duW/XE=,iv:WRWaBWRrB8AthHbtHlNVfcrL0N31g3Z5uAYbeEN1jm4=,tag:qQW69HfEKNmPkeZw4nncwg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2
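Review bot: The encrypted file carries only five age recipients, and `age1ufnewppysaq2wwcl4ugngjz8pfzc5a35yg7luq0qmuqvctajcycs5lf6k4` (`system_rhapsody` in .sops.yaml) is not among them, so rhapsody-in-green, which receives the sops module in flake.nix, will not be able to decrypt this file. The recipient set must be rewrapped with `sops updatekeys users/richie/secrets.yaml` after .sops.yaml changes and the result committed so the file matches the creation rule. Since sops also verifies the `mac` over the values on decrypt, any such change has to go through the tool rather than a plain text edit.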