From 0739aa0b5e4e419a8232e0c032dc8e45b187b7d4 Mon Sep 17 00:00:00 2001
From: Glen Goodwin
Date: Sat, 16 Dec 2023 12:56:02 -0500
Subject: [PATCH] feat: add sops-nix
---
 .sops.yaml | 7 ++++
 flake.lock | 52 ++++++++++++++++++++++++++++++
 flake.nix | 1 +
 hosts/candlekeep/configuration.nix | 3 ++
 secrets/secrets.yaml | 21 ++++++++++++
 5 files changed, 84 insertions(+)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..971379a
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1k3hs0gyzrmsdyqh9lpret46q3xaayxxntruzc4euy6h3slqn4u6q36h7rg
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/flake.lock b/flake.lock
index a651e24..8b4a54a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -622,6 +622,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable_4": {
+ "locked": {
+ "lastModified": 1702148972,
+ "narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1702312524,
@@ -686,6 +702,22 @@
 "type": "github"
 }
 },
+ "nixpkgs_5": {
+ "locked": {
+ "lastModified": 1702029940,
+ "narHash": "sha256-qM3Du0perpLesh5hr87mVPZ79McMUKIWUH7EQMh2kWo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "e9ef8a102c555da4f8f417fe5cf5bd539d8a38b7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixvim": {
 "inputs": {
 "flake-utils": "flake-utils_2",
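Review bot: The `creation_rules` entry names a single age recipient (`*primary`), and secrets/secrets.yaml in this same commit is encrypted to that one key alone, so loss of that private key makes `restic_key` unrecoverable and the host can only decrypt at activation if that same private key is present on it. A second recipient for the host itself (its age key, or its ssh host key converted to age) gives a recovery path and avoids copying the personal key to the machine: `- age:` / `  - *primary` / `  - <HOST_AGE_PUBLIC_KEY>  # placeholder`. The `path_regex` is also unanchored at the front and its `.` is unescaped; `^secrets/secrets\.yaml$` matches only the intended file. Any change to recipients has to be followed by re-encrypting secrets/secrets.yaml with `sops updatekeys`.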
@@ -794,9 +826,29 @@
 "nix-index-database": "nix-index-database",
 "nixpkgs": "nixpkgs_4",
 "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix",
 "stylix": "stylix"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_5",
+ "nixpkgs-stable": "nixpkgs-stable_4"
+ },
+ "locked": {
+ "lastModified": 1702177193,
+ "narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "stylix": {
 "inputs": {
 "base16": "base16",
diff --git a/flake.nix b/flake.nix
index 972350c..97e956a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -84,6 +84,7 @@
 modules = [
 # > Our main nixos configuration file <
 ./hosts/candlekeep/configuration.nix
+ inputs.sops-nix.nixosModules.sops
 ];
 };
 };
diff --git a/hosts/candlekeep/configuration.nix b/hosts/candlekeep/configuration.nix
index abc8dc4..724a76a 100644
--- a/hosts/candlekeep/configuration.nix
+++ b/hosts/candlekeep/configuration.nix
@@ -41,6 +41,9 @@
 ./hardware-configuration.nix
 ];
+ sops.defaultSopsFile = ../../secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
 nixpkgs = {
 # You can add overlays here
 overlays = [
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..1143195
--- /dev/null
+++ b/secrets/secrets.yaml
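Review bot: `sops.defaultSopsFile` points at the encrypted file, but the hunk declares no `sops.secrets.<name>` entry and no key source (`sops.age.keyFile` or `sops.age.sshKeyPaths`), so as of this commit nothing from secrets/secrets.yaml is decrypted or made available to a service; the `restic_key` stored there is unused. If this is deliberate staging, a comment at the point of use would save the next reader a search, e.g. `# secrets themselves are declared per service via sops.secrets.<name>`. If it is not, the module will need to be told where the host's age or ssh private key lives, since the only recipient is a personal key. `sops.defaultSopsFormat = "yaml"` appears to be the module's default, so the line is explicit documentation rather than a change. The enclosing attribute set begins and ends outside the hunk.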
@@ -0,0 +1,21 @@
+restic_key: ENC[AES256_GCM,data:DzpWvFP5gyhrnLVIYgu9ouotWqkOAHehihSKf/TqJE+sHTD4vnIScfhzoKzdkoDoWfkcmQ==,iv:q83qNYuP/3mngvg+kUfOVToogL8VTvZ6HiGIztpnP/s=,tag:YNWwbma0HmPKqYCS1L5kQQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1k3hs0gyzrmsdyqh9lpret46q3xaayxxntruzc4euy6h3slqn4u6q36h7rg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyaTI1ZEhwbDJobnVPTlpm
+ OHRiYklTejE5dFJQaVE1V2xpOHcyRnVwd0MwCjJhQnpOTmdxSk1md0pNbS85L2tC
+ UVpnaUpPY0paaXFkOHZEOS9ZVUkySWsKLS0tIGp4UnZ6b3hXNDAyaHlXaUhMSzBi
+ US9oa0pORXRVWWlyYlZZTGhXdTdOaWsKClqIK/YNJIIGFqOO0t4oni8dRTTXQniG
+ ioIwAOdEgE/n0vcYhHXxLxWlTeqGZF076g7EFfIqiSNqrDtacRnazg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-16T17:19:46Z"
+ mac: ENC[AES256_GCM,data:6nDxe2yQZswjX7LAry3DAfOpVUoQvZ52iIp8F7/Z1r69acXT2Eif/pEtyQ3KXBPl4ape15FrDyzpr0FW2Gmrj7vwITC2xBV68SmTuBp5Ou4QHftVpO6s4Y6ucXcdpkFx+UQ/lpkvNibrV+K6yPB7QfIP+sTpjhREJColwD7Meeo=,iv:WWpmoDXF6yiRsRase2O3HZwixxO9IPwkWLDPwlxNRdo=,tag:KPR5NreED05GK3uCHK5kXg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1