From 2de0ec60326a9b46ba665228dc789c5ffbc39da8 Mon Sep 17 00:00:00 2001
From: Mike Vink
Date: Sun, 8 Oct 2023 03:36:39 +0200
Subject: figured out some sops stuff
---
 profiles/core/secrets.nix | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
(limited to 'profiles')
diff --git a/profiles/core/secrets.nix b/profiles/core/secrets.nix
index e69de29..e09a1fb 100644
--- a/profiles/core/secrets.nix
+++ b/profiles/core/secrets.nix
@@ -0,0 +1,42 @@
+{inputs,config,lib,pkgs,...}: with lib; {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ (mkAliasOptionModule [ "secrets" ] [ "home-manager" "users" "mike" ])
+ ];
+ sops = {
+ gnupg = {
+ home = config.hm.programs.gpg.homedir;
+ sshKeyPaths = [];
+ };
+ age.sshKeyPaths = [];
+
+ # Taken from: https://github.com/ncfavier/config/blob/main/modules/secrets.nix
+ # GPG running as root can't find my socket dir (https://github.com/NixOS/nixpkgs/issues/57779)
+ environment.SOPS_GPG_EXEC = pkgs.writeShellScript "gpg-mike" ''
+ exec ${pkgs.util-linux}/bin/runuser -u mike -- ${pkgs.gnupg}/bin/gpg "$@"
+ '';
+
+ secrets = mapAttrs' (name: _: let
+ parts = splitString "." name;
+ base = head parts;
+ format = if length parts > 1 then elemAt parts 1 else "binary";
+ in
+ {
+ name = base;
+ value = {
+ sopsFile = "${inputs.self}/secrets/${name}";
+ inherit format;
+ key = "lemptop"; # TODO: get actual hostname from somewhere
+ };
+ }) (builtins.readDir "${inputs.self}/secrets"); # keep it out of the store
+ };
+
+ environment = {
+ systemPackages = [ pkgs.sops ];
+ sessionVariables.SOPS_PGP_FP = "95B594256E6684F46B337254CE5CD59ACAB73E44";
+ };
+
+ hm = {
+ programs.password-store.enable = true;
+ };
+}
-- cgit v1.2.3
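Review bot: The `key = "lemptop"; # TODO` line in the `sops.secrets` mapping can be closed with an option this module already has in `config`, `key = config.networking.hostName;`, so a second host that imports this profile looks up its own entry in each sops file instead of the laptop's. In the same mapping, `format = if length parts > 1 then elemAt parts 1 else "binary"` takes the first dot-separated component after the base name, so a file such as `db.creds.yaml` would be registered with format `creds` (and name `db`) rather than `yaml`; `last parts` is the safer choice if multi-dot names are ever expected. Because sops-nix only accepts a fixed set of `format` values, any other suffix in the `secrets` directory fails at evaluation time, which is worth a short comment above `mapAttrs'` stating the `<name>.<format>` naming convention the directory must follow.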