feat(nixos): add sops module for secrets

Adds .sops.yaml file and sops module to nixos to manage secrets.
2025-07-07 16:55:37 +08:00 · 2025-07-07 16:55:37 +08:00 · 85f2cee212
commit 85f2cee212
parent d7b8edd054
2 changed files with 59 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &rafiq age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+creation_rules:
+  - path_regex: \.(yaml)$
+    key_groups:
+    - age:
+      - *rafiq
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
@ -0,0 +1,52 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+let
+  cfg = config.flake;
+  inherit (builtins) readFile;
+  inherit (lib.meta) getExe;
+  inherit (lib.strings) trim;
+  inherit (cfg.admin) username pubkey;
+in
+{
+  flake.modules.nixos.default =
+    { config, ... }:
+    {
+      imports = [ inputs.sops-nix.nixosModules.sops ];
+      config.sops = {
+        defaultSopsFile = "${cfg.root}/secrets/secrets.yaml";
+        age.sshKeyPaths = [
+          "/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519"
+        ];
+      };
+    };
+  perSystem =
+    { pkgs, ... }:
+    {
+      files.files = [
+        {
+          path_ = ".sops.yaml";
+          drv =
+            pkgs.writeText ".sops.yaml" # yaml
+              ''
+                keys:
+                  - &${username} ${trim (
+                    readFile "${
+                      pkgs.runCommand "" { } ''
+                        mkdir $out; echo ${pubkey} | ${getExe pkgs.ssh-to-age} > $out/agepubkey
+                      ''
+                    }/agepubkey"
+                  )}
+                creation_rules:
+                  - path_regex: \.(yaml)$
+                    key_groups:
+                    - age:
+                      - *${username}
+              '';
+        }
+      ];
+    };
+}