feat: add nix store signing for remote deploys

merge: sops-nix setup
feat: add initial sops config
2026-03-30 00:21:37 +02:00 · 2026-03-29 23:27:42 +02:00 · 2026-03-29 23:27:19 +02:00 · 2026-03-29 23:12:43 +02:00 · 2026-03-29 23:12:11 +02:00 · 2026-03-29 23:09:15 +02:00
9 changed files with 96 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,30 @@
+keys:
+  - &matej AF349EECC849D87B790E88FF6318FFB7DB374B7D
+
+  # host age keys (via: ssh-keyscan <host> | ssh-to-age)
+  - &tower age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
+  - &fw16 age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
+  - &floo age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
+
+creation_rules:
+  # per-host secrets
+  - path_regex: ^secrets/tower\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*tower]
+
+  - path_regex: ^secrets/fw16\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*fw16]
+
+  - path_regex: ^secrets/floo\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*floo]
+
+  # shared secrets (all hosts)
+  - path_regex: ^secrets/common\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*tower, *fw16, *floo]
--- a/flake.lock
+++ b/flake.lock
@@ -521,6 +521,7 @@
        "nixpkgs-master": "nixpkgs-master",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nvim": "nvim",
+        "sops-nix": "sops-nix",
        "stylix": "stylix"
      }
    },
@@ -545,6 +546,26 @@
        "type": "github"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1774760784,
+        "narHash": "sha256-D+tgywBHldTc0klWCIC49+6Zlp57Y4GGwxP1CqfxZrY=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "8adb84861fe70e131d44e1e33c426a51e2e0bfa5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "stylix": {
      "inputs": {
        "base16": "base16",
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
  };

  outputs =
--- a/flake/devshell.nix
+++ b/flake/devshell.nix
@@ -99,6 +99,8 @@ _: {
            pkgs.shellcheck
            pkgs.shfmt
            pkgs.qemu
+            pkgs.sops
+            pkgs.ssh-to-age
          ];
        };
      }
--- a/hosts/tower/configuration.nix
+++ b/hosts/tower/configuration.nix
@@ -1,4 +1,5 @@
 {
+  config,
  lib,
  inputs,
  userKeys,
@@ -10,6 +11,10 @@
    inputs.lanzaboote.nixosModules.lanzaboote
  ];

+  # nix store signing
+  sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
+  nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
+
  localisation = {
    timeZone = "Europe/Ljubljana";
    defaultLocale = "en_US.UTF-8";
--- a/lib/mkHost.nix
+++ b/lib/mkHost.nix
@@ -54,6 +54,7 @@ nixpkgs.lib.nixosSystem {
  inherit system;
  modules = [
    ../nix.nix
+    inputs.sops-nix.nixosModules.sops

    { nixpkgs.overlays = overlays; }
    { nixpkgs.config.allowUnfree = true; }
--- a/nix.nix
+++ b/nix.nix
@@ -7,6 +7,10 @@
      ];
      download-buffer-size = 2 * 1024 * 1024 * 1024;
      warn-dirty = false;
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "matej.nix-1:TdbemLVYblvAxqJcwb3mVKmmr3cfzXbMcZHE5ILnZDE="
+      ];
    };

    gc = {
--- a/secrets/.gitkeep
+++ b/secrets/.gitkeep
--- a/secrets/tower.yaml
+++ b/secrets/tower.yaml
@@ -0,0 +1,28 @@
+nix-signing-key: ENC[AES256_GCM,data:V/mFaYQazqn3KkbDSt5Fnrl/IFvS9kEe10uhkPHeBluZGjFphKD+2dFCQrPPcXreX0UWklQA9Dokd2cGQBGZIUihJE9o9lH+Q6nrmqk3xsi1fzPS5l8zbn4RITmL3rNkmycXBw==,iv:g/jbUS88IBXnb9e6jGiWYHGfCZtdgI1X167hNmzUQEY=,tag:vO5kiN01FzU7s5jOCGW3Fg==,type:str]
+sops:
+    age:
+        - recipient: age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbkdXUW5YSTA4c3MyZzdi
+            ZlF0L2FQZmttbFBaVmlaWWppaXUxUVdYZEZZCmJHT25IZVBESHVqUWE2bnBYWXQ5
+            UTFLeXg3eUpyWngxc1FXUzhXRCs3R2MKLS0tIGxkbzFMaEUycCtpOC9mTitpVEZh
+            c0pROVJpMjJ6bHd1aEQ2QVE5MUUwdnMK/3tXEStP8JF/2c5nAJ19uA+P1cMG1X+v
+            H5b49uBJ+0UUGMzUpCLgMKz8bq+L8Se0b92iMW5bGW1Fdg/zwJWXOw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-29T21:47:29Z"
+    mac: ENC[AES256_GCM,data:573t4NH/764zZKzhhpVbzNzpN4QrBjwesIBMyHe7aB47ptGceLhnm+cHOhty3J89VBgn8jgHv5WCBzXFER0LDuQUMFPg6snJ0DK+IgRwuAwNbZdKdSR6VnjqOSBnaijU/Wx93kd/gcMqerYo6rEOLNjVadKgs+NYPLKC/dY4sVs=,iv:kOTr9CIvp6haV8BxTpQfdndYTjZRcmyg+7yjPjHRNLU=,tag:1odj8DYHSnOatRnqyZAcgg==,type:str]
+    pgp:
+        - created_at: "2026-03-29T21:46:47Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DPaEEpDtHdk8SAQdA4NO+XFIyWa8YNV24yrosJKMQ60rmiEWYLjFdIkPrKz8w
+            cj1x62iDXeO6DYvyCZnw2h0WstIrXziX6PySveTVnCri90QdLl3jsolIW+V13b8V
+            0lEB5LFvx7OdZJPzrs32qiPv+ofleSMKAokPEhSTKccFI2GbyUiIw7ge2vHSjNpT
+            T9E3tA7HOglyopKTjFw/ujEhKDSRGXwdD2VEYH426Dt8JjU=
+            =E3fO
+            -----END PGP MESSAGE-----
+          fp: AF349EECC849D87B790E88FF6318FFB7DB374B7D
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
Author	SHA1	Message	Date
Matej Janežič	27b7b2abf2	feat: add nix store signing for remote deploys	2026-03-30 00:21:37 +02:00
Matej Janežič	29053f4ec2	merge: sops-nix setup	2026-03-29 23:27:42 +02:00
Matej Janežič	b50c574342	feat: add initial sops config	2026-03-29 23:27:19 +02:00
Matej Janežič	666f7f35a6	feat: add sops and ssh-to-age to devshell	2026-03-29 23:12:43 +02:00
Matej Janežič	50533cc737	feat: wire sops into mkHost	2026-03-29 23:12:11 +02:00
Matej Janežič	42c2a1604c	feat: add sops-nix flake input	2026-03-29 23:09:15 +02:00