feat: add sops-nix

2025-10-03 23:05:40 +00:00 · 2025-08-23 21:38:58 +09:00 · 2025-08-23 21:38:58 +09:00 · 4a948cc348
commit 4a948cc348
parent 7e57ae8088
10 changed files with 85 additions and 5 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &primary age1mggj0wsszz92kfpvq7pjlf0mthkljl9usu7u98jrmyxh85q4pecs6zz4ll
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+      - age:
+        - *primary
--- a/flake.lock
+++ b/flake.lock
@ -239,7 +239,28 @@
        "nix-flatpak": "nix-flatpak",
        "nixcord": "nixcord",
        "nixpkgs": "nixpkgs",
-        "nixvim": "nixvim"
+        "nixvim": "nixvim",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1754988908,
+        "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@ -14,19 +14,26 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-flatpak.url = "github:gmodena/nix-flatpak";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = { self, nixpkgs, home-manager, ... } @ inputs:
+    let
+      rootPath = ./.;
+    in
    {
      nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
-        specialArgs = { inherit inputs; };
+        specialArgs = { inherit inputs rootPath; };
        modules = [
          ./hosts/nixos/configuration.nix
 	      ];
      };
      homeConfigurations."toast@nixos" = home-manager.lib.homeManagerConfiguration {
        pkgs = nixpkgs.legacyPackages.x86_64-linux;
-        extraSpecialArgs = { inherit inputs; };
+        extraSpecialArgs = { inherit inputs rootPath; };
        modules = [
          ./home/toast/home.nix
        ];
--- a/home/toast/home.nix
+++ b/home/toast/home.nix
@ -4,6 +4,7 @@
    inputs.nixvim.homeManagerModules.nixvim
    inputs.nixcord.homeModules.nixcord
    inputs.nix-flatpak.homeManagerModules.nix-flatpak
+    inputs.sops-nix.homeManagerModules.sops
    
    ./modules/kitty.nix
    ./modules/git.nix
@ -24,6 +25,7 @@
    ./modules/hypridle.nix
    ./modules/obsidian.nix
    ./modules/xdg.nix
+    ./modules/sops.nix
  ];
  
  home = {
--- a/home/toast/modules/sops.nix
+++ b/home/toast/modules/sops.nix
@ -0,0 +1,10 @@
+{ rootPath, ... }:
+
+{
+  sops.defaultSopsFile = rootPath + /secrets/secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+
+  sops.age.keyFile = "/home/toast/.config/sops/age/keys.txt";
+
+  sops.secrets."tailscale/authkey" = { };
+}
--- a/hosts/nixos/configuration.nix
+++ b/hosts/nixos/configuration.nix
@ -4,6 +4,7 @@
  imports =
    [ 
      inputs.nix-flatpak.nixosModules.nix-flatpak
+      inputs.sops-nix.nixosModules.sops
      ./hardware-configuration.nix

      ./modules/boot.nix
@ -15,8 +16,9 @@
      ./modules/hardware.nix
      ./modules/environment.nix
      ./modules/programs.nix
+      ./modules/sops.nix
    ];

  system.stateVersion = "25.05";
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-}
+}
--- a/hosts/nixos/modules/services.nix
+++ b/hosts/nixos/modules/services.nix
@ -18,7 +18,10 @@
      }; 
    };
  };
-  services.tailscale.enable = true;
+  services.tailscale = {
+    enable = true;
+    authKeyFile = config.sops.secrets."tailscale/authkey".path;
+  };
  services.flatpak = {
    enable = true;
    packages = [
--- a/hosts/nixos/modules/sops.nix
+++ b/hosts/nixos/modules/sops.nix
@ -0,0 +1,10 @@
+{ rootPath, ... }:
+
+{
+  sops.defaultSopsFile = rootPath + /secrets/secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+
+  sops.age.keyFile = "/home/toast/.config/sops/age/keys.txt";
+
+  sops.secrets."tailscale/authkey" = { };
+}
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,17 @@
+tailscale:
+    authkey: ENC[AES256_GCM,data:ssxd13QKzXbezZs9ewR0CRsN0T6FMzQjGyJ5czjv4lHP6ODM1hAkS728vInfgq2hwUwVzs17I0C4017MGg==,iv:r/M4WtjrQZLdqidlFNUvY9NQhDSntNka2iYOAu+RQc8=,tag:kycZLagUboZ31ryQ3exi3w==,type:str]
+sops:
+    age:
+        - recipient: age1mggj0wsszz92kfpvq7pjlf0mthkljl9usu7u98jrmyxh85q4pecs6zz4ll
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VXJQZ2RkQ0F4aHNSRVh5
+            OTVFdDJ5bTFoM3M4Q2VBVE5EU1NlRkNJZURFCm9hOGJUZmpHNzNhQkxzdjh3aW1q
+            VWtPNVhoVzRoMjl3ZFhHaDdlYnVqN00KLS0tIFRiNmF5a2pZbnI4Q3p1Z1pHZGN5
+            Z0crWElZcVFMVUd0VytoTHFqbkRDck0KY8nsRThk1hCA/yDNy5JJ0T6pTUwRZhYW
+            j8grD6JYvauuYa+3tSIwqy2RPiKltx696n9nXy9iPnFUO0QY/rQGVg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-23T08:50:02Z"
+    mac: ENC[AES256_GCM,data:nlUuYj6F960mebfQEER+ZyUfulIRRC1Uo1U0ZvKLA/YeemIzbbS/PlVawncsYEmhl6dyQ3RsXTEEqV7dAr0Bz3Ds5TFf4zz5kvRAf++1ho8TGyjBC88qR6hEoShJsuTfjFUn6NWiYetIKbmnLsuclE2aQU+8fo54PvIx8ut8mpo=,iv:qOHR8lXg9IeSHHq5StrwVsgIC4tIOAzvcSGS6bO7MXc=,tag:tZ7PByMZAPwe10sr3YLRgw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/shell.nix
+++ b/shell.nix
@ -5,5 +5,6 @@ pkgs.mkShell {
    nix
    home-manager
    git
+    sops
  ];
 }