From 9305702771389ff847b55381d4ca7e9fc704529b Mon Sep 17 00:00:00 2001
From: deva
Date: Sat, 13 Jul 2024 19:04:25 -0400
Subject: [PATCH] add: sops support
---
 flake.lock | 57 ++++++++++++++++++++++++++++++++++++++++++++
 flake.nix | 10 ++++++++
 os/configuration.nix | 28 +++++++++++++++++++++-
 os/dev/default.nix | 7 +-----
 os/users.nix | 10 +++++---
 5 files changed, 102 insertions(+), 10 deletions(-)
diff --git a/flake.lock b/flake.lock
index 5234fb2..2e4d88b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -416,6 +416,24 @@
 "type": "github"
 }
 },
+ "mysecrets": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1720910245,
+ "narHash": "sha256-xACM/LGDLmgy8JQIPWojb5KOiIqbQpofX9WUbGQHiZE=",
+ "ref": "main",
+ "rev": "2f617698545719fd26f7fc074a0da1e6673e62d9",
+ "shallow": true,
+ "type": "git",
+ "url": "ssh://git@192.168.1.203:2222/deva/secrets.git"
+ },
+ "original": {
+ "ref": "main",
+ "shallow": true,
+ "type": "git",
+ "url": "ssh://git@192.168.1.203:2222/deva/secrets.git"
+ }
+ },
 "nh": {
 "inputs": {
 "nixpkgs": [
@@ -505,6 +523,22 @@
 "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1720282526,
+ "narHash": "sha256-dudRkHPRivMNOhd04YI+v4sWvn2SnN5ODSPIu5IVbco=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "550ac3e955c30fe96dd8b2223e37e0f5d225c927",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1719848872,
@@ -559,14 +593,37 @@
 "home-manager": "home-manager",
 "hyprland": "hyprland",
 "impermanence": "impermanence",
+ "mysecrets": "mysecrets",
 "nh": "nh",
 "nix-gaming": "nix-gaming",
 "nix-index-db": "nix-index-db",
 "nixpkgs": "nixpkgs_2",
 "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix",
 "stylix": "stylix"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1720321395,
+ "narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "stylix": {
 "inputs": {
 "base16": "base16",
diff --git a/flake.nix b/flake.nix
index 02478d5..d82c274 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,6 +36,16 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ mysecrets = {
+ url = "git+ssh://git@192.168.1.203:2222/deva/secrets.git?ref=main&shallow=1";
+ flake = false;
+ };
+
 stylix.url = "github:danth/stylix";
 };
diff --git a/os/configuration.nix b/os/configuration.nix
index c2d911f..78cf2ca 100644
--- a/os/configuration.nix
+++ b/os/configuration.nix
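Review bot: The `mysecrets` input is declared with `flake = false;` and no comment, yet as a flake input its whole checkout is copied into `/nix/store`, which is world-readable on the host, so the declaration should state the invariant the repository has to satisfy: `# non-flake input: the checkout lands in /nix/store (world-readable), so only sops-encrypted files may live in this repo`. The `git+ssh://git@192.168.1.203:2222/...` URL also means every fresh evaluation or `nix flake update` needs an SSH identity that the LAN host accepts, which is worth a one-line note next to `url` for whoever bootstraps a new machine.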
@@ -5,11 +5,37 @@
 outputs,
 inputs,
 ...
-}: {
+}: let
+ secretspath = builtins.toString inputs.mysecrets;
+in {
 imports = [
 inputs.nix-gaming.nixosModules.pipewireLowLatency
+ inputs.sops-nix.nixosModules.sops
 ];
+ sops.defaultSopsFormat = "yaml";
+ sops.defaultSopsFile = "${secretspath}/secrets.yaml";
+ sops.validateSopsFiles = false;
+ # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ # sops.age.generateKey = true;
+
+ # This file below is the only file that needs to be copied over (for sops support)
+ sops.age.keyFile = "/home/${config.users.users.me.name}/.config/sops/age/keys.txt";
+ sops.secrets = {
+ id_dev = {
+ owner = config.users.users.me.name;
+ inherit (config.users.users.me) group;
+ path = "/home/${config.users.users.me.name}/.ssh/id_dev";
+ };
+ user_password = {
+ neededForUsers = true;
+ };
+ };
+ home-manager.users.me.home.file.".ssh/id_dev.pub".text = builtins.readFile ./id_dev.pub;
+ users.mutableUsers = false;
+ users.users.me.hashedPasswordFile = config.sops.secrets.user_password.path;
+
 nixpkgs.config = {allowUnfree = true;};
 nixpkgs.overlays = [
 outputs.overlays.additions
diff --git a/os/dev/default.nix b/os/dev/default.nix
index 8e97bb5..690adf1 100644
--- a/os/dev/default.nix
+++ b/os/dev/default.nix
@@ -100,17 +100,12 @@
 enable = true;
 matchBlocks = {
 "hi@dessa.dev" = {
- host = "gitlab.com github.com";
+ host = "gitlab.com github.com 192.168.1.203";
 identitiesOnly = true;
 identityFile = [
 "~/.ssh/id_dev"
 ];
 };
- "dess_key" = {
- host = "192.168.1.203";
- identitiesOnly = true;
- identityFile = ["~/.ssh/id_dess"];
- };
 };
 };
 gpg = {
diff --git a/os/users.nix b/os/users.nix
index b1cc813..946f666 100644
--- a/os/users.nix
+++ b/os/users.nix
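Review bot: `sops.age.keyFile` points into the user's home directory while `users.mutableUsers = false;` and `users.users.me.hashedPasswordFile = config.sops.secrets.user_password.path;` make the decrypted `user_password` secret the account's only credential, so if `~/.config/sops/age/keys.txt` is absent or unreadable when activation (running as root) decrypts the secrets, the account ends up with no usable password; the `# This file below…` comment should spell out that failure mode and how the key gets onto the machine before the first switch. `sops.validateSopsFiles = false;` disables the build-time check of `secrets.yaml`, so a wrong path or a malformed file only fails at activation — record the reason, presumably `# validation off: defaultSopsFile is a string built from the non-flake input, not a path`. The three commented-out `# sops.age.*` lines are dead configuration and should be removed rather than kept as alternatives. The enclosing module attribute set continues past the end of the hunk.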
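Review bot: After this change `~/.ssh/id_dev` — the key that `os/configuration.nix` now provisions from the `id_dev` sops secret and that already authenticates to gitlab.com and github.com — is also the identity for 192.168.1.203, the host serving the secrets repository, so a single leaked key reaches the public forges and the secrets origin at once. If that consolidation is intended, say so on the `host` line, e.g. `# one dev key for the public forges and the LAN git host (secrets repo); rotate it through sops if it leaks`; otherwise a separate identity for the LAN host, as the removed `dess_key` block had, keeps the two trust domains apart. The `programs.ssh`-style block this sits in starts outside the hunk.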
@@ -1,10 +1,14 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ config,
+ ...
+}: {
 imports = [./util/user.nix ./gnome_support.nix];
- user.deva = {
+ user.me = {
+ username = "deva";
 shell = "zsh";
 description = "Deva Waves";
- initialPassword = "12345";
 sudoer = true;
 developer = true;
 extraGroups = ["networkmanager" "audio" "docker" "input" "libvirtd" "plugdev" "video" "adbusers"];
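Review bot: `config` is added to the module arguments, but nothing in the hunk reads it; if the rest of the file does not use it either, it is an unused binding and should go. The rename to `user.me` with `username = "deva";` appears to be what lets `os/configuration.nix` refer to the account as `config.users.users.me`, a coupling that is invisible from this file, so a comment on `user.me = {` such as `# "me" is the attribute key other modules use (config.users.users.me); the login name comes from username` would help the next reader. The `user.me` attribute set continues past the end of the hunk.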