Started to integrate sops-nix into my configuration

.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &terra age167thunwadsswd0u37tajk85wy4x7sgw6sg3j2aspcax7essmge6qwen0uz
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *terra

flake.lock

@@ -36,6 +36,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1716061101,
+        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "plasma-manager": {
       "inputs": {
         "home-manager": [
@@ -63,7 +79,29 @@
       "inputs": {
         "home-manager": "home-manager",
         "nixpkgs": "nixpkgs",
-        "plasma-manager": "plasma-manager"
+        "plasma-manager": "plasma-manager",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1716400300,
+        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -1,19 +1,22 @@
 {
-  description = "Your new nix config";
-
   inputs = {
-    # Nixpkgs
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 
-    # Home manager
-    home-manager.url = "github:nix-community/home-manager";
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     plasma-manager = {
       url = "github:pjones/plasma-manager";
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.home-manager.follows = "home-manager";
     };
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = {
@@ -21,6 +24,7 @@
     nixpkgs,
     home-manager,
     plasma-manager,
+    sops-nix,
     ...
   } @ inputs: let
     inherit (self) outputs;
@@ -60,6 +64,7 @@
         modules = [
           ./machines/luna/configuration.nix
           home-manager.nixosModules.home-manager
+          sops-nix.nixosModules.sops
           {
             home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ];
           }
@@ -70,6 +75,7 @@
         modules = [
           ./machines/terra/configuration.nix
           home-manager.nixosModules.home-manager
+          sops-nix.nixosModules.sops
           {
             home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ];
           }
@@ -79,6 +85,7 @@
         specialArgs = {inherit inputs outputs;};
         modules = [
           ./machines/solis/configuration.nix
+          sops-nix.nixosModules.sops
         ];
       };
     };

home-manager/apps.nix

@@ -58,6 +58,7 @@
     reaper
     retext
     solaar
+    sops
     spotify
     thunderbird
     whatsapp-for-linux

home-manager/server-apps.nix

@@ -33,6 +33,7 @@
     gnupg
     jdk
     python3
+    sops
     tailscale
     tmux
     wakeonlan

machines/common/configuration.nix

@@ -8,6 +8,7 @@
 }: {
   imports = [
     ../../pkgs/zsh.nix
+#    inputs.sops-nix.nixosModules.sops
   ];
 
   nixpkgs = {
@@ -51,6 +52,22 @@
     fallbackDns = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
   };
 
+#  sops = {
+#    defaultSopsFile = ../../secrets/secrets.yaml;
+#    defaultSopsFormat = "yaml";
+#    age = {
+#      sshKeyPaths = [ "/etc/ssh/id_ed25519" ];
+#      keyFile = "/home/horseman/.config/sops/age/keys.txt";
+#      generateKey = true;
+#    };
+#
+#    secrets = {
+#      "syncthing/solis".owner = "horseman";
+#      "syncthing/terra".owner = "horseman";
+#      "syncthing/luna".owner = "horseman";
+#    };
+#  };
+
 #  services.syncthing = {
 #    enable = true;
 #    user = "horseman";

secrets/secrets.yaml

@@ -0,0 +1,27 @@
+syncthing:
+    #ENC[AES256_GCM,data:LJUC,iv:MlEcsaCuH7W/cj/JQhYAKJVwyQ+Uqk7I4/WFZeBpr04=,tag:hlEgSpdtXx1Twt+SIIckGg==,type:comment]
+    solis: null
+    #ENC[AES256_GCM,data:6MOB,iv:7Rmzh5LYM7wD+K6Idi2DLkyKSSm8/rgQtUWf8gPEMzQ=,tag:EmCkhFO7016xszMogrNUpg==,type:comment]
+    terra: null
+    #ENC[AES256_GCM,data:1EoT,iv:ytmfI03F4A4qMtk3l7HYGyng/NIWHho+Riq8Fj6vtCE=,tag:U/4qWsZYA+dU4dcJ7lkx5Q==,type:comment]
+    luna: null
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age167thunwadsswd0u37tajk85wy4x7sgw6sg3j2aspcax7essmge6qwen0uz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2S3hLRWQrSHBQdjNhbDV2
+            VmwrbUVsc0IwaDZKUndOTEMxN0kwWUtaYzJrCjJtNUdBMkhDVDB0akg2TTlqS1lF
+            NWJESlorR28rUGZHeEh6dFJYcEFsQnMKLS0tIFY3b0ZDSzM3SGVCZW9xcnJLc296
+            ckJwQ3EzU2JzdGhnWkNnRExRNlprM28KUHkZe8FvLOAt+UVqvgOxBQdApbEXQ44v
+            vXW8UtZuq7GjsP5qD2MK6oKs/ZDfe+PhqiWl4ONNHvpn8rmfbQDcRw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-24T19:11:16Z"
+    mac: ENC[AES256_GCM,data:UAz/pCKzV0HPFfus7tKafOLr1DWIBWWBVNDs6C43m+QdWpUHQ99jgK7yyq8YbAglGIfWB3AIlriQkcem9Wx3ExVh1BPKtCzwnfjFBEhzPws428JIzEOIZzrSk6tho2bvjaaOTQOWOERmbJhiL/e1pXdX+pln+kEtLdeq/9TDRK8=,iv:QtJPxvq9mGCu2Df5m+E+2+XD25so1cyDga/mdjBaH5c=,tag:TGllydw+4XGLIqnZ5QDxdg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1