


a3e8fe8ab8
[water7] feat: Add sops + age secret handling, still wip
I'm kinda lost, but we'll get there lol — soon the Forgejo secrets will be fixed!

Signed-off-by: SindreKjelsrud <sindre@kjelsrud.dev>
2025-10-12 09:19:44 +02:00
306737d73d
[water7] feat: Add obs-studio
Signed-off-by: SindreKjelsrud <sindre@kjelsrud.dev>
2025-10-11 16:46:52 +02:00
dcad4ec4b5
[arabasta] feat: Add forgejo
Signed-off-by: SindreKjelsrud <sindre@kjelsrud.dev>
2025-10-09 19:40:29 +02:00
7 changed files with 126 additions and 5 deletions

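--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+- &primary age1ft5dg4lna25ceg40mvvq5sa53zm7rhqdsnsxxe7qyaa34u2gsp8qkgere4
+creation_rules:
+- path_regex: shared/secrets/secrets.yaml$
+key_groups:
+- age:
+- *primary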
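Review bot: The only recipient in `keys:` is the single age key that home.nix reads from `/home/sid/.config/sops/age/keys.txt`, so the `shared/secrets/secrets.yaml` rule encrypts the Forgejo secrets to one user key and nothing else. If a system service on arabasta is meant to decrypt them at boot, that host needs its own recipient (for example one derived from its SSH host key with `ssh-to-age`) listed under `keys:` and in the rule's `age:` group, followed by `sops updatekeys shared/secrets/secrets.yaml` to re-encrypt the data key. A comment beside each recipient naming who holds the private half, e.g. `# sid's user key on water7`, would keep that inventory readable as more hosts are added.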

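--- a/flake.lock
+++ b/flake.lock
@@ -61,9 +61,30 @@
 "inputs": {
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
+"sops-nix": "sops-nix",
 "zen-browser": "zen-browser"
 }
 },
+"sops-nix": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1760240450,
+"narHash": "sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U=",
+"owner": "mic92",
+"repo": "sops-nix",
+"rev": "41fd1f7570c89f645ee0ada0be4e2d3c4b169549",
+"type": "github"
+},
+"original": {
+"owner": "mic92",
+"repo": "sops-nix",
+"type": "github"
+}
+},
 "zen-browser": {
 "inputs": {
 "home-manager": "home-manager_2",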


@ -13,6 +13,11 @@
url = "github:0xc000022070/zen-browser-flake"; url = "github:0xc000022070/zen-browser-flake";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = {
url = "github:mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, ... }@inputs: { outputs = { self, nixpkgs, ... }@inputs: {


@ -78,8 +78,62 @@
tailscale tailscale
]; ];
services.tailscale.enable = true; services = {
tailscale.enable = true;
forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
settings = {
server = {
APP_NAME = "forgejo";
APP_SLOGAN = "Ah well, it's just my programming.";
RUN_MODE = "prod";
SSH_DOMAIN = "code.kjelsrud.dev";
DOMAIN = "code.kjelsrud.dev";
HTTP_PORT = 3000;
HTTP_ADDR = "0.0.0.0";
ROOT_URL = "https://code.kjelsrud.dev";
DISABLE_SSH = true;
LFS_START_SERVER = true;
LFS_JWT_SECRET = "CHANGEME";
OFFLINE_MODE = true;
};
session = {
COOKIE_SECURE = true;
PROVIDER = "file";
};
security = {
INSTALL_LOCK = true;
PASSWORD_HASH_ALGO = "pbkdf2_hi";
INTERNAL_TOKEN = "CHANGEME";
};
service = {
DISABLE_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
REGISTER_EMAIL_CONFIRM = false;
ENABLE_NOTIFY_MAIL = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
ENABLE_CAPTCHA = false;
DEFAULT_KEEP_EMAIL_PRIVATE = false;
DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
DEFAULT_ENABLE_TIMETRACKING = true;
NO_REPLY_ADDRESS = "noreply.localhost";
};
mailer.ENABLED = false;
openid = {
ENABLE_OPENID_SIGNIN = false;
ENABLE_OPENID_SIGNUP = false;
};
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
};
oauth2.JWT_SECRET = "CHANGEME";
};
};
};
fileSystems."/mnt/media" = { fileSystems."/mnt/media" = {
device = "/dev/disk/by-uuid/956ec2bb-357c-4959-917f-ece881c4615c"; device = "/dev/disk/by-uuid/956ec2bb-357c-4959-917f-ece881c4615c";
fsType = "ext4"; fsType = "ext4";
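Review bot: `LFS_JWT_SECRET = "CHANGEME"`, `INTERNAL_TOKEN = "CHANGEME"` and `oauth2.JWT_SECRET = "CHANGEME"` sit in `settings`, which the NixOS module renders into app.ini in the world-readable Nix store, and with `INSTALL_LOCK = true` nothing will regenerate them — so if this host has been deployed since dcad4ec4b5, these three values are live and anything signed with them (LFS and OAuth2 JWTs, internal API calls) should be treated as compromised and regenerated, not just re-encrypted. The module's `services.forgejo.secrets.<section>.<key>` option takes a file path that is read at service start, which is where the sops-nix-managed paths belong; that in turn needs `inputs.sops-nix.nixosModules.sops` and matching `sops.secrets."forgejo/…"` declarations on this host (as far as this diff shows, only the other host imports the module). Separately, `HTTP_ADDR = "0.0.0.0"` serves plain HTTP on port 3000 on every interface while `ROOT_URL` is https; if a reverse proxy on this box terminates TLS, `"127.0.0.1"` is the safer bind, and if it does not, `COOKIE_SECURE = true` will refuse to set the session cookie over http. The enclosing configuration attrset starts and ends outside the hunk.
```nix
  services.forgejo = {
    # … unchanged: enable, database, lfs …
    # Secret material is read from files at service start (owned by the
    # forgejo user via sops.secrets) instead of being rendered into the store.
    secrets = {
      server.LFS_JWT_SECRET = config.sops.secrets."forgejo/LFS_JWT_SECRET".path;
      security.INTERNAL_TOKEN = config.sops.secrets."forgejo/INTERNAL_TOKEN".path;
      oauth2.JWT_SECRET = config.sops.secrets."forgejo/oauth2.JWT_SECRET".path;
    };
    settings = {
      server = {
        # … unchanged: APP_NAME … OFFLINE_MODE, with LFS_JWT_SECRET removed …
        HTTP_ADDR = "127.0.0.1"; # only if a local reverse proxy fronts it
      };
      security = {
        INSTALL_LOCK = true;
        PASSWORD_HASH_ALGO = "pbkdf2_hi";
      };
      # … unchanged: session, service, mailer, openid, actions (oauth2.JWT_SECRET removed) …
    };
  };
```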


@ -7,7 +7,8 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
inputs.sops-nix.nixosModules.sops
]; ];
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
@ -95,7 +96,12 @@
home-manager = { home-manager = {
extraSpecialArgs = { inherit inputs; }; extraSpecialArgs = { inherit inputs; };
users = { users = {
"sid" = import ./home.nix; sid = {
imports = [
./home.nix
inputs.sops-nix.homeManagerModules.sops
];
};
}; };
}; };
@ -121,6 +127,7 @@
libreoffice-qt6-fresh libreoffice-qt6-fresh
komikku komikku
joplin joplin
obs-studio
# Only related to this laptop - above to be moved to a more common config when ive added more hosts # Only related to this laptop - above to be moved to a more common config when ive added more hosts
kdePackages.dolphin kdePackages.dolphin
prismlauncher prismlauncher
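Review bot: Both `inputs.sops-nix.nixosModules.sops` (system scope) and `inputs.sops-nix.homeManagerModules.sops` (user `sid`) are imported, but only the home-manager side is configured anywhere in this change; the NixOS import carries no `sops.*` settings, so it is currently inert. If only the user's home is meant to decrypt secrets on this laptop, the import on the system side can go; if host services will need them, keep it and give `sops.age.keyFile` a path outside `/home/sid` that root can read at activation, since the user key configured in home.nix lives there. A one-line comment beside whichever import stays, e.g. `# sops: user-level secrets only for now, host-level wiring TODO`, would record the decision for the next host. The `extraSpecialArgs = { inherit inputs; }` line is what makes `inputs.sops-nix` resolvable inside the `sid` sub-attrset, so that part is consistent.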


@ -1,4 +1,4 @@
{ config, pkgs, inputs, ... }: { config, pkgs, inputs, lib, ... }:
{ {
# Home Manager needs a bit of information about you and the paths it should # Home Manager needs a bit of information about you and the paths it should
@ -22,8 +22,16 @@
pinentry-curses pinentry-curses
hyprpaper hyprpaper
inputs.zen-browser.packages."x86_64-linux".default inputs.zen-browser.packages."x86_64-linux".default
sops
age
]; ];
sops = {
defaultSopsFile = "../../.sops.yaml";
defaultSopsFormat = "yaml";
age.keyFile = "/home/sid/.config/sops/age/keys.txt";
};
# Home Manager is pretty good at managing dotfiles. The primary way to manage # Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'. # plain files is through 'home.file'.
home.file = { home.file = {
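Review bot: `defaultSopsFile = "../../.sops.yaml"` points at the sops configuration (public keys and creation rules), not at the encrypted secrets file that `.sops.yaml` itself names as `shared/secrets/secrets.yaml`, and it is a quoted string rather than a Nix path, so it is not copied into the store and — I believe sops-nix declares the option as a path — will most likely be rejected at evaluation, or otherwise be resolved relative to wherever activation happens to run. The fix is `defaultSopsFile = ../../shared/secrets/secrets.yaml;` (unquoted, relative to this file, assuming the `../../` depth was right to begin with). `lib` is added to the argument set but nothing in this hunk uses it, and `age.keyFile` could be `"${config.home.homeDirectory}/.config/sops/age/keys.txt"` rather than hard-coding the user. No `sops.secrets` entries are declared yet, so this change materialises nothing; the commit message's "still wip" covers that.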


@ -0,0 +1,19 @@
forgejo:
LFS_JWT_SECRET: ENC[AES256_GCM,data:qdYhKX+SRnpy5ur5XkBmQ9gN6dNCOw3q2dliUssWaNHP7RWATwsTcdsApQ==,iv:EazZrHXvDUM1z2UcqbH6tHmTs7+COv4CFNo04fDgAWw=,tag:ZJZn8d1yuHnB/1CHyuuTyg==,type:str]
INTERNAL_TOKEN: ENC[AES256_GCM,data:Wg+VeKKZK/EIjREIWQuWKCUB7CoL4SlPwBC3ldyul3EWu+YAzc6nouWqp1Q4eH9ib9nNztnOQ66cru8u513TMJfNA7F9BuCGf3b2MjIRwcf12aXJR7yHc15nPD0/LwJ6PXQQBAXZNnfh,iv:STOtNKSxF5LzexsYVvWUQDa/ZXkWV2CJRFD0nYr9U+g=,tag:yKfUIkKVZXWJ5zDOCseLNw==,type:str]
oauth2.JWT_SECRET: ENC[AES256_GCM,data:lypGzbbbXhXc75Gi1I6LVQIDAgsQseuvz60Um+YglkMkDMuMfpEAX1AkhQ==,iv:uMzIu0+O8f98074BP8V8tkNQKhCc+jAGPCf3ZSVuUS4=,tag:GFIIZYiKqgfZ/C+9iiVxvQ==,type:str]
sops:
age:
- recipient: age1ft5dg4lna25ceg40mvvq5sa53zm7rhqdsnsxxe7qyaa34u2gsp8qkgere4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraGdMYXBEZGMvbGVqSkJE
aWJRRUtBN3Q1cVR3S0xHTU00akhOL0hhSlc0Clh5SVlycit2b3pPMVMzV3BPdTNM
S3lNRFVCZFZwaWwzc1QxdSthYTdsNlEKLS0tICtJem9UaXp4cFJWMWU2cmRXL2pV
Yk9ETmxVV3Ezb0ZUQXViNkNxaHk1bmcKwBkyJN6IFH59THyuhYydP7lqfki26rNX
Eb0/GmRLhx9P9EfA+eMwL5rox4nksoqktOxDB8MATASOAH3EM/+e5A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-12T07:11:43Z"
mac: ENC[AES256_GCM,data:Ox0JQ/90f5uey1+CEXBexVkTDd0PsLDqRdKZNi3OHoUJG9B3Oty5NRqsOdowlGQdGJ7Hn0gxprwO4/QQ/SS45rZFX1bNWywSxTtNuKK9HeOG5DFFaLaJTGUa2UHxjb3Owu2ScHUUOzEWxZt2h1mBpnxEKvdxajq5X8ww+hgXd7s=,iv:SMY3PANRZq33KNn8JwnBdqRFMOWwfxTz7l7ZKA/suFg=,tag:JVGqCRkUw12k7wwqc1vI8g==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2