From 42c2a1604c57de09a71e1e3c6231384bbc14ca4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Sun, 29 Mar 2026 23:09:15 +0200
Subject: [PATCH 1/4] feat: add sops-nix flake input
---
 flake.lock | 21 +++++++++++++++++++++
 flake.nix | 5 +++++
 2 files changed, 26 insertions(+)
diff --git a/flake.lock b/flake.lock
index 00e767b..a533b28 100644
--- a/flake.lock
+++ b/flake.lock
@@ -521,6 +521,7 @@ "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", "nvim": "nvim", + "sops-nix": "sops-nix", "stylix": "stylix" } },
@@ -545,6 +546,26 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1774760784, + "narHash": "sha256-D+tgywBHldTc0klWCIC49+6Zlp57Y4GGwxP1CqfxZrY=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "8adb84861fe70e131d44e1e33c426a51e2e0bfa5", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stylix": { "inputs": { "base16": "base16",
diff --git a/flake.nix b/flake.nix
index 27fa128..d6172a9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 };
 outputs =
From 50533cc7376830dfdd9f81db09d7618420154ff6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Sun, 29 Mar 2026 23:12:11 +0200
Subject: [PATCH 2/4] feat: wire sops into mkHost
---
 lib/mkHost.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/mkHost.nix b/lib/mkHost.nix
index bcb28ec..db0faf8 100644
--- a/lib/mkHost.nix
+++ b/lib/mkHost.nix
@@ -54,6 +54,7 @@ nixpkgs.lib.nixosSystem {
 inherit system;
 modules = [
 ../nix.nix
+ inputs.sops-nix.nixosModules.sops
 { nixpkgs.overlays = overlays; }
 { nixpkgs.config.allowUnfree = true; }
From 666f7f35a64b336af38b186a7afdf4b5a0459331 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Sun, 29 Mar 2026 23:12:43 +0200
Subject: [PATCH 3/4] feat: add sops and ssh-to-age to devshell
---
 flake/devshell.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/flake/devshell.nix b/flake/devshell.nix
index eda9995..60fd6f9 100644
--- a/flake/devshell.nix
+++ b/flake/devshell.nix
@@ -99,6 +99,8 @@ _: {
 pkgs.shellcheck
 pkgs.shfmt
 pkgs.qemu
+ pkgs.sops
+ pkgs.ssh-to-age
 ];
 };
 }
From b50c574342c3698052e4981a770f02529629f7fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Sun, 29 Mar 2026 23:27:19 +0200
Subject: [PATCH 4/4] feat: add initial sops config
---
 .sops.yaml | 30 ++++++++++++++++++++++++++++++
 secrets/.gitkeep | 0
 2 files changed, 30 insertions(+)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/.gitkeep
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..c2c129b
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,30 @@
+keys:
+ - &matej AF349EECC849D87B790E88FF6318FFB7DB374B7D
+
+ # host age keys (via: ssh-keyscan | ssh-to-age)
+ - &tower age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
+ - &fw16 age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
+ - &floo age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
+
+creation_rules:
+ # per-host secrets
+ - path_regex: ^secrets/tower\.yaml$
+ key_groups:
+ - pgp: [*matej]
+ age: [*tower]
+
+ - path_regex: ^secrets/fw16\.yaml$
+ key_groups:
+ - pgp: [*matej]
+ age: [*fw16]
+
+ - path_regex: ^secrets/floo\.yaml$
+ key_groups:
+ - pgp: [*matej]
+ age: [*floo]
+
+ # shared secrets (all hosts)
+ - path_regex: ^secrets/common\.yaml$
+ key_groups:
+ - pgp: [*matej]
+ age: [*tower, *fw16, *floo]
diff --git a/secrets/.gitkeep b/secrets/.gitkeep
new file mode 100644
index 0000000..e69de29
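Review bot: The host recipients on the `&tower`, `&fw16` and `&floo` lines are documented as obtained through `ssh-keyscan | ssh-to-age`, which accepts whatever host key the network presented at scan time, so every secret later encrypted under these rules inherits the trust of that one connection. Before any `secrets/*.yaml` file is created, each age recipient should be confirmed against the key held on the machine itself (for example by running `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` on the host) and the comment should record that, e.g. `# host age keys: converted from each host's ed25519 host key and checked against the key on the machine, not only ssh-keyscan output`. It is also worth a one-line comment under `creation_rules` that a single key group is an any-of set — either `*matej` or the host key alone decrypts — since that is the intended admin-or-host model here but the `pgp:`/`age:` pairing can read as both-required. The hunk creates the whole file, so nothing is cut off.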