merge: sops-nix setup

.sops.yaml

@@ -0,0 +1,30 @@
+keys:
+  - &matej AF349EECC849D87B790E88FF6318FFB7DB374B7D
+
+  # host age keys (via: ssh-keyscan <host> | ssh-to-age)
+  - &tower age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
+  - &fw16 age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
+  - &floo age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
+
+creation_rules:
+  # per-host secrets
+  - path_regex: ^secrets/tower\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*tower]
+
+  - path_regex: ^secrets/fw16\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*fw16]
+
+  - path_regex: ^secrets/floo\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*floo]
+
+  # shared secrets (all hosts)
+  - path_regex: ^secrets/common\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*tower, *fw16, *floo]

flake.lock

@@ -521,6 +521,7 @@
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nvim": "nvim",
+        "sops-nix": "sops-nix",
         "stylix": "stylix"
       }
     },
@@ -545,6 +546,26 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1774760784,
+        "narHash": "sha256-D+tgywBHldTc0klWCIC49+6Zlp57Y4GGwxP1CqfxZrY=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "8adb84861fe70e131d44e1e33c426a51e2e0bfa5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "stylix": {
       "inputs": {
         "base16": "base16",

flake.nix

@@ -42,6 +42,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
   };
 
   outputs =

flake/devshell.nix

@@ -99,6 +99,8 @@ _: {
             pkgs.shellcheck
             pkgs.shfmt
             pkgs.qemu
+            pkgs.sops
+            pkgs.ssh-to-age
           ];
         };
       }

lib/mkHost.nix

@@ -54,6 +54,7 @@ nixpkgs.lib.nixosSystem {
   inherit system;
   modules = [
     ../nix.nix
+    inputs.sops-nix.nixosModules.sops
 
     { nixpkgs.overlays = overlays; }
     { nixpkgs.config.allowUnfree = true; }