authorschererleander <leander@schererleander.de>2026-02-03 17:52:05 +0100
committerschererleander <leander@schererleander.de>2026-02-03 17:52:05 +0100
commit5b94d9999c0295236416d75c13dcdafdef02b8af (patch)
tree47165c7fe043d7b3b3b62ac513ab15e3cfacf53b
parent25136c86b331c52814d99dd4a16728ce662cbebd (diff)
feat(sops): setup sops-nix
-rw-r--r--.sops.yaml2
-rw-r--r--modules/secrets/default.nix56
-rw-r--r--secrets/secrets.yaml22
3 files changed, 80 insertions, 0 deletions
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..6577ebc
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,2 @@
+creation_rules:
+ - age: age16pq5hgqmcm04xenxfy3ec4pxzn99ayypva9t6jamfsk4x2qta4gs25whaz
\ No newline at end of file
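Review bot: The only creation rule lists a single age recipient, while modules/secrets/default.nix in this same commit configures three different decryption identities: `/etc/sops/age_key` on NixOS, `/etc/ssh/ssh_host_ed25519_key` on darwin, and the user's `~/.ssh/id_ed25519` for home-manager. Unless all three happen to derive to this one recipient, the darwin and home-manager activations will be unable to decrypt secrets/secrets.yaml. Each host's age public key should be added under the rule and the file re-keyed with `sops updatekeys secrets/secrets.yaml`. An additional recipient kept offline would also prevent losing every secret if this one key is lost.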
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
new file mode 100644
index 0000000..81f7a40
--- /dev/null
+++ b/modules/secrets/default.nix
@@ -0,0 +1,56 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.secrets = { config, ... }: {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+ sops.defaultSopsFile = ../../../secrets/secrets.yaml;
+ sops.age.keyFile = "/etc/sops/age_key";
+ sops.secrets."borgbase_ssh_key" = {
+ owner = "root";
+ mode = "0600";
+ };
+ sops.secrets."nextcloud-admin-pass" = {
+ owner = "root";
+ mode = "0600";
+ };
+ sops.secrets."ssh_github_key" = {
+ owner = "schererleander";
+ mode = "0600";
+ };
+ sops.secrets."ssh_jonsbo_key" = {
+ owner = "schererleander";
+ mode = "0600";
+ };
+ sops.secrets."ssh_sachiel_key" = {
+ owner = "schererleander";
+ mode = "0600";
+ };
+ sops.secrets."ssh_borgbase_unraid_key" = {
+ owner = "root";
+ mode = "0600";
+ };
+ sops.secrets."ssh_config" = {
+ owner = "schererleander";
+ mode = "0600";
+ };
+ sops.secrets."borg_repo" = {
+ owner = "root";
+ mode = "0600";
+ };
+ };
+
+ flake.modules.darwin.secrets = { config, ... }: {
+ imports = [ inputs.sops-nix.darwinModules.sops ];
+ sops.defaultSopsFile = ../../../secrets/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ };
+
+ flake.modules.homeManager.secrets = { config, ... }: {
+ imports = [ inputs.sops-nix.homeManagerModules.sops ];
+ sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
+
+ programs.ssh = {
+ enable = true;
+ includes = [ config.sops.secrets."ssh_config".path ];
+ };
+ };
+}
\ No newline at end of file
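Review bot: `sops.defaultSopsFile = ../../../secrets/secrets.yaml;` climbs one level too far. This file lives at modules/secrets/default.nix, so three `..` segments resolve above the repository root, and both the nixos and darwin modules should use `../../secrets/secrets.yaml`. Separately, the homeManager module reads `config.sops.secrets."ssh_config".path` but sets no `sops.defaultSopsFile` and declares no `sops.secrets."ssh_config"` of its own. Inside a home-manager module `config` is the home-manager configuration, so the NixOS-level declaration is presumably not visible there and evaluation would fail on the missing attribute. Adding `sops.defaultSopsFile = ../../secrets/secrets.yaml;` and `sops.secrets."ssh_config" = { };` to that module would make it self-contained.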
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..9eaf5ce
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,22 @@
+borgbase_ssh_key: ENC[AES256_GCM,data:xtqV/Lgp5ShdoIwuEwFQ949cAUYVjhdVUtkruJN5rtiAW1yGZ5Utynhh2Wcwh4XUrvXxZjh8eu3qy01qokqImSBNp/C2jej5vr+8/IGkkDXiZEQ+fpP8X4C7nnng1RrWQeiO+nouvsN4D9zHOPf7n9haWv1EU48J3MA5iH9ANWgDSG+fw+QT/9i/Dfwky+2plZmSR9h+HwVYstG0eDFbxt0LyszXsgRu5arK9qa7rr2HEFXOQyfJ99l+m5eXjgo39Cx6BpCfguCH3hYLTuutbKnlF9rOyQlQdRUaY1tiPq2xv7figMP0RfNGghMr/BwW+5CyCZLP1Uqeq4TgU41wLHs/VdY6GtNBLqQplfxW+Dqz0Ea/CwMmtd/CRnwJyA7298p5ZXQqQJec08Se4fex8gv1aw/lF7Bl03QlrgbE0Jaxucygp7RhbvCeyhwTjSZ4BdTi7ATuKBfExWIiLJRx+RSd7hxg9j1xIQt7wSYlnoHhjCHfQEDv2ORbnMO9NHN1fRHod9h975u+2Q2BrknbOdfgTGdsJzRWLHpy,iv:m2vl3ho9xT11s0hBZaHDAKg9Bg69dWIEHf6rtocGVPc=,tag:c7Nim4x7Xtlp+NIZB7ngGA==,type:str]
+nextcloud-admin-pass: ENC[AES256_GCM,data:j+/gi7C1NYKYv91wuz3DdBGDiy8=,iv:xfiinkelR/31K2//dlf06pDo72hO8oAt6ZVuGAYoflQ=,tag:APpG9mo93Xy0ZN6YXeS3qA==,type:str]
+ssh_borgbase_unraid_key: ENC[AES256_GCM,data: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,iv:Tee1+ZAXfQ89qpCkboNd+/SJPG8AOvbog6KQewacmrE=,tag:ruQA4unquRR5w5TNGUfkGg==,type:str]
+ssh_config: ENC[AES256_GCM,data:pWPXnVS7K2aelNG5/eDATYqzHpKZTXFgOnfF4a0tb5q7+mVaz6yC6YttTVM4qQ7TgNBFTdz7qBOu3rs135XX6qOgl0wD6pVJTAr+obeLw5r2gLL82tcrxwO6NQvVAmOWyD1J9S6XyhslD2Y5TZ6KLNeBb0cmFSE1woMXdVbAwfVxEm0L0WVTGISJCAES0Q3DD/4Ooi5W4nPVK3YThL72oMcO4ravtnzcH7c9My4NGUMxGH7P/BFO0RQDIi9Aidg9EVd7J0oiqCCA1DEfFTfxjpMaTu04z0PQFZQOW2ek/x0g13IFaDwqOOacPex8C3KotJHP2gg9yU6uoQ35W9sJcHJl+p6AxJHG2ZM6o71G9uJy1E9yiezAQRpkcXmwN6rbIjJIP8nd8U0Kdf6tiHTF0YBlLa6ud5Iuan5nLrtQsur5y6/kBQNcjkefbjaQGfjDb66Ilwnl2TVSILWpXHsGYsaSAhnNTbch+lsiYqqcaHGy4nEtGX66v7CO2hQ2uTu9MEUphz+daan1SfEoY2Xb+K48AabPQr8SrQrzWaQTXdx9bhEo/UiobF5j/boS1cMcYX0yaXvwrjkPpahhusFIInfljQ7uK8DMI6wEi7wyJhPAIasqTtZptcsFc8oEPvZceMjYYYtcNJPuXhwl9u04ZVDFPL1HXySpwRZrQxOsoVqxhOw1b5YcD7b+5VM=,iv:RkA4bXndc9+ceIMj4qtf6JgaItOfLaafW/g9EVR9Fe4=,tag:gxS1lQjNIfsjQ/ty1uXV7w==,type:str]
+ssh_github_key: ENC[AES256_GCM,data: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,iv:TMPxSQaieK1hxh6dAbqhMR3MSZ4ARWRbGgTQpr/hFRE=,tag:YzPOUAMyZsQ4PmdcHRr/TA==,type:str]
+ssh_jonsbo_key: ENC[AES256_GCM,data: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,iv:kJ+3H1KHUSdLzjGCBReinFUScpOuThkplYoJHnq9SV0=,tag:aNyfznf5AOO0n/KQJl7GhA==,type:str]
+ssh_sachiel_key: ENC[AES256_GCM,data:phkcZkf9E/hGoR05QtUZND9Vh1x2+dRlkYGPbBh3Q7qZI69avrgBnYVFaOYzoZuWP9QazqP6STIURH/cIgteHVCVtDVEQ0gI8MDvPx4eEaEv6VmsOYt4KqnC7aorpEgnZ9Jlmv+HWeKPsrPhn4kmbrOTpj/M0gW2YcYfCvFVK0VP/VT+M8BCJX0qUMmV8JBoJob9Pzd/wSa+kG7VDXmFREYe1FPt4+RZszBGQ12ULaNuAm179ZotRg0g092E1JUEzF6K+nSmtxrhhKaURNrrqjIt59v0F9dHHUIMc1jTNt6iti8vbLbgAzcfh2mYd+0nxsni7uICq7WsNFd6QinaSgDulm1BGyAyqbu+JOjdichynht6s+OpoGOhnXlsHhSkr0WdSWdj/E3YiakeQK/EK3ZWv1JMC+evaffrSOwbPhCZiry9b2tVBVMqosw2OvXIcRZx0nfXO+7zpo/VasvHMXAehhnnESr5kenR4eZLHXZgSr4y7Ius/OocbX2XamcyH85QiGVI2z/xNJWGiLzJ9NZoz9Yeb04PdvSItaaxx3vLNvvJu6YIJfUgn+rjOPmSyXmwWM0TtBgGrdYy,iv:/1hpgoyv9+i2wZ34beMvRmMcLvWKoxJLZ+DtYZe2ahg=,tag:D7Ao7RtO5ju32ilFLt9+Vg==,type:str]
+sops:
+ age:
+ - recipient: age16pq5hgqmcm04xenxfy3ec4pxzn99ayypva9t6jamfsk4x2qta4gs25whaz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNHZ0RWJReEZ1RTB0aHZi
+ REhBMTRBeWVQZWp4UUkvbHlGT2Z5NkpSVUVZCndUNEt6c0R2ZlZveDdXVURvdy9G
+ cG1jRUd5bktBTUZvb1U2Q0psblhraVUKLS0tIGJiUFQvdHFucVlvOFU4NmtQVjQ5
+ Zk16ZnVGRWtkY2l3NzJoY1dFL21hOEEKCNO/S8cCK+fJqcQ/eS0BczMyAa9l9qO5
+ w0N/8Z50gDcLgrrbhdju1dBtCJe2By6WjSALq16qoZoKAhvenEtYpw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-01-31T22:12:38Z"
+ mac: ENC[AES256_GCM,data:E1zJPT1lG4iVR2/XFBHnTFCD2Ty6UdIg8P4Jqr2lBkRYyoGkbbf4QwJIDYVITg6vKCkP5TJQK3HwJKygdXo98+eXnVeypiYDbaRJ8je5+6beOdQ1ZF3pwvhNdK751ngv/lIrwWBUDmHNmLB6yJ6NuzBZaLow1tA87grjVEAXg8U=,iv:TkBSoHpxTONRmfhtccFPbVdSV4fJExDQh2htzEyogiY=,tag:ZbTcoeghLlOavkSj+jBb/Q==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
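Review bot: Every secret for every machine sits in this one file under a single recipient, so any host that holds that key can decrypt all of them, including the personal `ssh_github_key` and the backup credentials it never needs. Splitting the secrets into per-host (or per-role) files, each matched by its own `path_regex` rule in .sops.yaml, limits what a single compromised host exposes. Also note that sops encrypts values only, so key names such as `ssh_jonsbo_key` and `nextcloud-admin-pass` remain readable to anyone with access to the repository.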