Set up sops-nix

.sops.yaml

@@ -0,0 +1,11 @@
+keys:
+  - &gpg_h7x4 F7D37890228A907440E1FD4846B9228E814A2AAC
+  - &host_tsuki age1c92j4w0gqh32hwssl5m2mfrggssxax9pge8qxwytv9lmrnfttcvqdrgsst
+
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env)$
+    key_groups:
+      - pgp:
+        - *gpg_h7x4
+        age:
+        - *host_tsuki

flake.nix

@@ -29,6 +29,8 @@
       flake = false;
     };
 
+    sops-nix.url = "github:Mic92/sops-nix";
+
     osuchan = {
       url = "git+file:///home/h7x4/git/osuchan-line-bot";
       # inputs.nixpkgs.follows = "nixpkgs";
@@ -83,6 +85,7 @@
     nix-attr-search,
     osuchan,
     secrets,
+    sops-nix,
     vscode-server,
     website
   }: let
@@ -106,6 +109,10 @@
 
     inherit pkgs;
 
+    devShells.${system}.default = pkgs.mkShell {
+      packages = with pkgs; [ sops ];
+    };
+
     homeConfigurations = {
       h7x4 = home-manager.lib.homeManagerConfiguration {
         inherit system;
@@ -148,6 +155,7 @@
             osuchan.outputs.nixosModules.default
             minecraft.outputs.nixosModules.minecraft-servers
             matrix-synapse-next.nixosModules.synapse
+            sops-nix.nixosModules.sops
 
             {
               config._module.args = {

hosts/common.nix

@@ -6,6 +6,8 @@ in {
     allowUnfree = true;
   };
 
+  sops.defaultSopsFile = ../secrets/default.yaml;
+
   nix = {
     package = unstable-pkgs.nixVersions.stable;
     distributedBuilds = config.networking.hostName != "Tsuki";

secrets/default.yaml

@@ -0,0 +1 @@
+

secrets/h7x4.pub

@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEYuaF5BYJKwYBBAHaRw8BAQdAyCMRV/dIW4dIbUqMNP6nWiyAnB/a4iAtTaEn
+idcbAdy0JGg3eDRhYmszZyA8aDd4NGFiazNnQHByb3Rvbm1haWwuY29tPoiQBBMW
+CgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7j2ICGwEFCwkIBwMFFQoJCAsF
+FgIDAQACHgECF4AACgkQRrkijoFKKqxIlQD9F0EedrFpHAVuaVas9ZWRZb4xv3zM
++CPpeegRw646eC8A/0l4JRHplPClB4MQfsc3N/0TDbCT4PaEhls9eJQ2KbUKtBRo
+N3g0IDxoN3g0QG5hbmkud3RmPoiTBBMWCgA7AhsBBQsJCAcDBRUKCQgLBRYCAwEA
+Ah4BAheAFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7l8ACGQEACgkQRrkijoFK
+KqxI4wD9EIGpb3Gt5s5e8waH7XaLSlquOrW1RID3sSuzWI4DvikBAMncfBbtkpzH
+EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLtCZoN3g0IChhbHRlcm5hdGl2ZSkgPGg3
+eDQuYWx0QG5hbmkud3RmPoiQBBMWCgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwF
+AmL7j0oCGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQRrkijoFKKqytywD+
+IdHIxbjRcDEJYOqFX1r4wrymTvnjz/kp0zUSrymwMUoBAP8huPK/YpujNF6/cwwB
+3A5WwpWjjV+F/uq2ejqFOocNuDMEYuaGRxYJKwYBBAHaRw8BAQdAsmc0GTQIszpk
+jDYwgSt6zI81P2+k9WvBg6IEISnyuVWI9QQYFgoAJhYhBPfTeJAiipB0QOH9SEa5
+Io6BSiqsBQJi5oZHAhsCBQkDwmcAAIEJEEa5Io6BSiqsdiAEGRYKAB0WIQTzzahs
+xVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYeJt9t02jO
+c3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFaazcz/QqT
+ZeBs6Q+AkQ7ueQD/ZqQMkaCrd8o2L02h89U6bFxy86nyTurGAUVx92F8jUwBAKa7
+Zp/0vR5bR4o57C7NTxB5kbmteF0AXS9R7sxSA/AEuQINBGLmhnoBEADa1yBK0NKx
+VIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXtjAcqUmMyC+PM
+s1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRvhPxzTsOaeOss
+gMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7aSQ+pk6k1uzOD
+XX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC+LuCSGm66gID
+MC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0hBFOgDhKKCHBu
+MwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp6lsAg6/T8Eys
+KG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0GycOvqb9PoEO2
+dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDRmkv+wWJoipwU
+aVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6jgpCGtxnHW2zR
+eIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBHOjXZe3LzBt2r
+VgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYWIQT303iQIoqQ
+dEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoqrDE0AQDBxRsm
+W9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0YRbyh1LPYL6Y
+QePL0dQkYsjm6XVmrAK4MwRi5obFFgkrBgEEAdpHDwEBB0BYP2r4I9LGW8ai+fLW
+RKXGonni9TljqFVN5mV/yuxlPoh+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFK
+KqwFAmLmhsUCGyAFCQPCZwAACgkQRrkijoFKKqzeYwD/emjtDBD0EiCnS2mvfopa
+T6foJSfXbiCe83UdFNebTjQBANFqnkXPCYb9dFIyM/0N1JXH7yj81VuslSqPi4NR
+SNkE
+=oTMO
+-----END PGP PUBLIC KEY BLOCK-----