From 3ed65c6cfaacec85be4a9420f72612c36d4334bb Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Wed, 7 Dec 2022 10:09:17 +0100
Subject: [PATCH] Add sops for secret management

---
 .sops.yaml | 17 +++++++++++++++++
 hosts/jokum/configuration.nix | 9 +++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 .sops.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d37f814
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
+keys:
+ - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+ - &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
+creation_rules:
+ # Global secrets
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *user_danio
+ - *host_jokum
+ # Host specific secrets
+ ## Jokum
+ - path_regex: secrets/jokum/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *user_danio
+ - *host_jokum
diff --git a/hosts/jokum/configuration.nix b/hosts/jokum/configuration.nix
index 9e24e1a..d1e56c6 100644
--- a/hosts/jokum/configuration.nix
+++ b/hosts/jokum/configuration.nix
@@ -4,6 +4,8 @@ let
 in
 {
 imports = [
+
+
 # Include the results of the hardware scan.
 ../../hardware-configuration.nix
 
@@ -23,6 +25,13 @@ in
 inherit unstable;
 };
 
+
+ sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+
 # Use the GRUB 2 boot loader.
 boot.loader.grub.enable = true;
 boot.loader.grub.version = 2;
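Review bot: Both creation rules grant the identical recipient set (`*user_danio`, `*host_jokum`), so the `# Host specific secrets` rule for `secrets/jokum/` isolates nothing yet, and every file matched by the global rule is decryptable by the jokum host key. A comment above `creation_rules:` should record that rules are matched first-match in order at encryption time, and that after any change to a rule every already-encrypted file must be re-keyed with `sops updatekeys`, otherwise existing files keep their old recipient set. When a second host is added it is the global rule's key group that has to grow, while a per-host rule should list only that host's key; stating that here keeps the two rules from drifting into copies of each other.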
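Review bot: The second hunk configures two decryption identities at once — the age key derived from `/etc/ssh/ssh_host_ed25519_key` via `sops.age.sshKeyPaths`, and a separate key at `/var/lib/sops-nix/key.txt` that `sops.age.generateKey = true` creates on activation — but `.sops.yaml` lists a single `host_jokum` recipient, and the generated key presumably cannot be it, since its public half does not exist before the first activation. If `host_jokum` is the SSH-derived key, the `keyFile`/`generateKey` lines leave an unused private key on disk and should be dropped; if the generated key is the intended recipient, a comment is needed describing how its public key gets into `.sops.yaml` and how the secrets file is re-keyed. Either way a comment such as `# Host secrets are decrypted with the age key derived from the SSH host key; its public half is host_jokum in .sops.yaml` above `sops.defaultSopsFile` would record the intent. The three empty lines added around the `sops.*` block, and the two added inside `imports = [` in the first hunk, look like leftovers and should be removed.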