use sops-nix for secrets

author: Freya Murphy <freya@freyacat.org> 2025-01-24 13:06:22 -0500
committer: Freya Murphy <freya@freyacat.org> 2025-01-24 13:06:22 -0500
commit: d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78 (patch)
tree: af2100aabc890c90c52b26640b07e6d342551794 /nix/programs/sops
parent: refactor home packages, more labels (diff)
download: dotfiles-nix-d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78.tar.gz
dotfiles-nix-d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78.tar.bz2
dotfiles-nix-d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78.zip
1 files changed, 30 insertions, 0 deletions
diff --git a/nix/programs/sops/default.nix b/nix/programs/sops/default.nix
new file mode 100644
index 0000000..2447935
--- /dev/null
+++ b/nix/programs/sops/default.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, inputs, ... }:
+
+let
+
+  isEd25519 = k: k.type == "ed25519";
+  getKeyPath = k: k.path;
+  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+
+in
+{
+    imports = [
+        inputs.sops-nix.nixosModules.sops
+    ];
+
+    environment.systemPackages = with pkgs; [
+        sops
+    ];
+
+    sops = {
+      defaultSopsFile = config.dotfilesPath + "/hosts/${config.hostName}/secrets.yaml";
+      validateSopsFiles = false;
+
+      gnupg.home = config.homePath + "/.gnupg";
+      gnupg.sshKeyPaths = [];
+
+      secrets = {
+        freyanetWg = {};
+      };
+    };
+}
author	Freya Murphy <freya@freyacat.org>	2025-01-24 13:06:22 -0500
committer	Freya Murphy <freya@freyacat.org>	2025-01-24 13:06:22 -0500
commit	d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78 (patch)
tree	af2100aabc890c90c52b26640b07e6d342551794 /nix/programs/sops
parent	refactor home packages, more labels (diff)
download	dotfiles-nix-d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78.tar.gz dotfiles-nix-d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78.tar.bz2 dotfiles-nix-d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78.zip