[water7] feat: Add sops + age secret handling, still wip

I'm kinda lost, but we'll get there lol soon forgejo secrets will be fixed! Signed-off-by: SindreKjelsrud <sindre@kjelsrud.dev>
2025-10-12 09:19:44 +02:00 · 2025-10-12 09:19:44 +02:00 · a3e8fe8ab8
commit a3e8fe8ab8
parent 306737d73d
6 changed files with 69 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &primary age1ft5dg4lna25ceg40mvvq5sa53zm7rhqdsnsxxe7qyaa34u2gsp8qkgere4
+creation_rules:
+  - path_regex: shared/secrets/secrets.yaml$
+    key_groups:
+      - age:
+          - *primary
--- a/flake.lock
+++ b/flake.lock
@ -61,9 +61,30 @@
      "inputs": {
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
        "zen-browser": "zen-browser"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1760240450,
+        "narHash": "sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U=",
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "rev": "41fd1f7570c89f645ee0ada0be4e2d3c4b169549",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "zen-browser": {
      "inputs": {
        "home-manager": "home-manager_2",
--- a/flake.nix
+++ b/flake.nix
@ -13,6 +13,11 @@
      url = "github:0xc000022070/zen-browser-flake";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    sops-nix = {
+      url = "github:mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = { self, nixpkgs, ... }@inputs: {
--- a/hosts/water7/configuration.nix
+++ b/hosts/water7/configuration.nix
@ -8,6 +8,7 @@
  imports = [
    ./hardware-configuration.nix
    inputs.home-manager.nixosModules.default
+    inputs.sops-nix.nixosModules.sops
  ];

 	nix.settings.experimental-features = [ "nix-command" "flakes" ];
@ -95,7 +96,12 @@
 	home-manager = {
 		extraSpecialArgs = { inherit inputs; };
 		users = {
-			"sid" = import ./home.nix;
+			sid = {
+  			imports = [
+  			  ./home.nix
+  				inputs.sops-nix.homeManagerModules.sops
+  			];
+			};
 		};
 	};

--- a/hosts/water7/home.nix
+++ b/hosts/water7/home.nix
@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }:
+{ config, pkgs, inputs, lib, ... }:

 {
  # Home Manager needs a bit of information about you and the paths it should
@ -22,8 +22,16 @@
    pinentry-curses
    hyprpaper
    inputs.zen-browser.packages."x86_64-linux".default
+    sops
+    age
  ];

+  sops = {
+    defaultSopsFile = "../../.sops.yaml";
+    defaultSopsFormat = "yaml";
+    age.keyFile = "/home/sid/.config/sops/age/keys.txt";
+  };
+
  # Home Manager is pretty good at managing dotfiles. The primary way to manage
  # plain files is through 'home.file'.
  home.file = {
--- a/shared/secrets/secrets.yaml
+++ b/shared/secrets/secrets.yaml
@ -0,0 +1,19 @@
+forgejo:
+    LFS_JWT_SECRET: ENC[AES256_GCM,data:qdYhKX+SRnpy5ur5XkBmQ9gN6dNCOw3q2dliUssWaNHP7RWATwsTcdsApQ==,iv:EazZrHXvDUM1z2UcqbH6tHmTs7+COv4CFNo04fDgAWw=,tag:ZJZn8d1yuHnB/1CHyuuTyg==,type:str]
+    INTERNAL_TOKEN: ENC[AES256_GCM,data:Wg+VeKKZK/EIjREIWQuWKCUB7CoL4SlPwBC3ldyul3EWu+YAzc6nouWqp1Q4eH9ib9nNztnOQ66cru8u513TMJfNA7F9BuCGf3b2MjIRwcf12aXJR7yHc15nPD0/LwJ6PXQQBAXZNnfh,iv:STOtNKSxF5LzexsYVvWUQDa/ZXkWV2CJRFD0nYr9U+g=,tag:yKfUIkKVZXWJ5zDOCseLNw==,type:str]
+    oauth2.JWT_SECRET: ENC[AES256_GCM,data:lypGzbbbXhXc75Gi1I6LVQIDAgsQseuvz60Um+YglkMkDMuMfpEAX1AkhQ==,iv:uMzIu0+O8f98074BP8V8tkNQKhCc+jAGPCf3ZSVuUS4=,tag:GFIIZYiKqgfZ/C+9iiVxvQ==,type:str]
+sops:
+    age:
+        - recipient: age1ft5dg4lna25ceg40mvvq5sa53zm7rhqdsnsxxe7qyaa34u2gsp8qkgere4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraGdMYXBEZGMvbGVqSkJE
+            aWJRRUtBN3Q1cVR3S0xHTU00akhOL0hhSlc0Clh5SVlycit2b3pPMVMzV3BPdTNM
+            S3lNRFVCZFZwaWwzc1QxdSthYTdsNlEKLS0tICtJem9UaXp4cFJWMWU2cmRXL2pV
+            Yk9ETmxVV3Ezb0ZUQXViNkNxaHk1bmcKwBkyJN6IFH59THyuhYydP7lqfki26rNX
+            Eb0/GmRLhx9P9EfA+eMwL5rox4nksoqktOxDB8MATASOAH3EM/+e5A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-12T07:11:43Z"
+    mac: ENC[AES256_GCM,data:Ox0JQ/90f5uey1+CEXBexVkTDd0PsLDqRdKZNi3OHoUJG9B3Oty5NRqsOdowlGQdGJ7Hn0gxprwO4/QQ/SS45rZFX1bNWywSxTtNuKK9HeOG5DFFaLaJTGUa2UHxjb3Owu2ScHUUOzEWxZt2h1mBpnxEKvdxajq5X8ww+hgXd7s=,iv:SMY3PANRZq33KNn8JwnBdqRFMOWwfxTz7l7ZKA/suFg=,tag:JVGqCRkUw12k7wwqc1vI8g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2