From 0a710faa559799fe93a6420bc2b9ab993285ebd5 Mon Sep 17 00:00:00 2001 From: unexplrd Date: Sun, 2 Mar 2025 18:39:35 +0200 Subject: [PATCH] sops --- flake.lock | 35 +++++++++++++++++++++++++++++++ flake.nix | 6 ++++++ hosts/dunamis/configuration.nix | 1 + hosts/dunamis/sops.nix | 24 +++++++++++++++++++++ hosts/dunamis/users.nix | 17 ++++++++++++++- hosts/dunamis/users/user/sops.nix | 20 ++++++++++++++++++ 6 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 hosts/dunamis/sops.nix create mode 100644 hosts/dunamis/users/user/sops.nix diff --git a/flake.lock b/flake.lock index c43171f..f2ec3e7 100644 --- a/flake.lock +++ b/flake.lock @@ -541,6 +541,19 @@ "url": "https://git.lix.systems/lix-project/lix/archive/2.92.0.tar.gz" } }, + "mysecrets": { + "flake": false, + "locked": { + "lastModified": 1740932567, + "narHash": "sha256-2PfJuyVEUh/4xGTx8MwPFNq3po/TTkDyWz3RJC3JfJc=", + "path": "/home/user/nix-secrets", + "type": "path" + }, + "original": { + "path": "/home/user/nix-secrets", + "type": "path" + } + }, "neve": { "inputs": { "flake-utils": "flake-utils_2", @@ -743,11 +756,13 @@ "chaotic": "chaotic", "home-manager": "home-manager_2", "lix": "lix", + "mysecrets": "mysecrets", "neve": "neve", "nix-flatpak": "nix-flatpak", "nix-index-database": "nix-index-database", "nixpkgs": "nixpkgs", "nixvim": "nixvim", + "sops-nix": "sops-nix", "stylix": "stylix", "walker": "walker" } @@ -769,6 +784,26 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1739262228, + "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", + "owner": "mic92", + "repo": "sops-nix", + "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", + "type": "github" + }, + "original": { + "owner": "mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stylix": { "inputs": { "base16": "base16", diff --git a/flake.nix b/flake.nix index 9533545..5a10dea 100644 --- a/flake.nix +++ b/flake.nix 
@@ -31,10 +31,16 @@
 url = "github:nix-community/nix-index-database";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 walker = {
 url = "github:abenz1267/walker";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ mysecrets.url = "path:/home/user/nix-secrets";
+ mysecrets.flake = false;
 };
 
 outputs = inputs: inputs.blueprint {inherit inputs;};
diff --git a/hosts/dunamis/configuration.nix b/hosts/dunamis/configuration.nix
index c16756f..bc36492 100644
--- a/hosts/dunamis/configuration.nix
+++ b/hosts/dunamis/configuration.nix
@@ -12,6 +12,7 @@
 ./programs.nix
 ./stylix.nix
 ./users.nix
+ ./sops.nix
 ];
 
 desktop = {
diff --git a/hosts/dunamis/sops.nix b/hosts/dunamis/sops.nix
new file mode 100644
index 0000000..0d44bfc
--- /dev/null
+++ b/hosts/dunamis/sops.nix
@@ -0,0 +1,24 @@
+{inputs, ...}: let
+ secretsPath = builtins.toString inputs.mysecrets;
+in {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ defaultSopsFile = "${secretsPath}/secrets.yaml";
+ secrets = {
+ "user-password-hashed" = {};
+ "ssh-private-dunamis-user" = {
+ path = "/home/user/.ssh/id_ed25519";
+ mode = "0400";
+ owner = "user";
+ };
+ };
+ };
+}
diff --git a/hosts/dunamis/users.nix b/hosts/dunamis/users.nix
index f92dbe9..5d91211 100644
--- a/hosts/dunamis/users.nix
+++ b/hosts/dunamis/users.nix
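Review bot: The `mysecrets` path input added at the end of this hunk copies the entire `/home/user/nix-secrets` directory into the world-readable Nix store, so every file there — not only the sops-encrypted `secrets.yaml` — becomes readable by any local user and any build sandbox. That is harmless for ciphertext and the `.pub` files users.nix reads, but an age identity file or a decrypted scratch copy left in that directory would leak; the directory contents are not visible in this commit, so please confirm it holds only encrypted data and public keys. A comment next to the input would make the constraint durable: `# Copied verbatim into /nix/store (world-readable): only sops-encrypted files and public keys belong here.` The absolute home-directory path also ties the flake to this one machine and is recorded as-is in flake.lock; a git input (`git+file://` or a remote) would pin a commit instead.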
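Review bot: `"user-password-hashed" = {};` in hosts/dunamis/sops.nix needs `neededForUsers = true;`, because `hashedPasswordFile` is read by the users/groups activation step, which sops-nix runs before the regular `/run/secrets` are installed; without it the hash file does not exist yet at that point and, with `users.mutableUsers = false` set in users.nix, the account is left without a working password. sops-nix decrypts such secrets into `/run/secrets-for-users/` early enough, so the change is one line: `"user-password-hashed" = { neededForUsers = true; };`. Separately, `ssh-private-dunamis-user` links a secret to `/home/user/.ssh/id_ed25519`, the same path the home-manager module in this commit also claims under a different key; only one of the two modules should own that file, and this one already sets the `owner`/`mode` ssh expects.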
@@ -1,10 +1,25 @@
-{pkgs, ...}: {
+{
+ inputs,
+ config,
+ pkgs,
+ ...
+}: let
+ sopSec = config.sops.secrets;
+ secrets = inputs.mysecrets;
+in {
 nix.settings.trusted-users = ["user"];
+ users.mutableUsers = false;
 users.users = {
 user = {
+ hashedPasswordFile = sopSec."user-password-hashed".path;
+ # passwordFile = config.sops.secrets.user-password.path;
 isNormalUser = true;
 extraGroups = ["wheel" "video" "libvirtd" "dialout"];
 shell = pkgs.fish;
+ openssh.authorizedKeys.keyFiles = [
+ "${secrets}/ssh/id_ed25519_sarien_user.pub"
+ "${secrets}/ssh/id_ed25519_eldrid_user.pub"
+ ];
 };
 # work = {
 # isNormalUser = true;
diff --git a/hosts/dunamis/users/user/sops.nix b/hosts/dunamis/users/user/sops.nix
new file mode 100644
index 0000000..241c8b0
--- /dev/null
+++ b/hosts/dunamis/users/user/sops.nix
@@ -0,0 +1,20 @@
+{inputs, ...}: let
+ secretsPath = builtins.toString inputs.mysecrets;
+in {
+ imports = with inputs; [
+ sops-nix.homeManagerModules.sops
+ ];
+
+ sops = {
+ age.keyFile = "/var/lib/sops-nix/key.txt";
+
+ defaultSopsFile = "${secretsPath}/secrets.yaml";
+ validateSopsFiles = false;
+
+ secrets = {
+ "ssh/private/dunamis-user" = {
+ path = "/home/user/.ssh/id_ed25519";
+ };
+ };
+ };
+}
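Review bot: The commented-out `# passwordFile = config.sops.secrets.user-password.path;` directly under the live `hashedPasswordFile` line is dead code and names a secret (`user-password`) that hosts/dunamis/sops.nix does not define; delete it rather than leave a misleading alternative. With `users.mutableUsers = false`, that sops-provided file is the account's only password source, so a failed decryption at activation (host SSH key rotated, `secrets.yaml` re-keyed without this host) can leave `user` unable to log in at the console; keep an out-of-band recovery path such as a root credential or a second authorized key, and record the dependency with a comment like `# Sole password credential for this account; sops must decrypt before user creation.` The `authorizedKeys.keyFiles` entries read `.pub` files from the secrets input, which is fine since they are public, but each must exist in the checked-in directory or evaluation fails.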
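Review bot: This home-manager module and hosts/dunamis/sops.nix both install a secret at `/home/user/.ssh/id_ed25519`, under different keys (`ssh/private/dunamis-user` here, `ssh-private-dunamis-user` there), so the two activations will contend for the same symlink and `secrets.yaml` has to carry both entries; drop one, and the NixOS entry is the better survivor because it already sets `owner`/`mode`. The home-manager sops service runs as `user`, so `/var/lib/sops-nix/key.txt` must be readable by that user; it is produced by the NixOS module's `generateKey = true`, which as far as I recall writes it root-only — confirm, or point this module at a user-owned identity such as `~/.config/sops/age/keys.txt`. `validateSopsFiles = false` disables the build-time check that the sops file parses and contains the referenced key; since `defaultSopsFile` is a store path here it should validate fine, so either remove that line or add a comment stating why validation is off.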