authorFreya Murphy <freya@freyacat.org>2025-01-24 13:06:22 -0500
committerFreya Murphy <freya@freyacat.org>2025-01-24 13:06:22 -0500
commitd999d4d0e68b9d7cfa0f477cdbac8fe82850ae78 (patch)
treeaf2100aabc890c90c52b26640b07e6d342551794 /nix
parentrefactor home packages, more labels (diff)
downloaddotfiles-nix-d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78.tar.gz
dotfiles-nix-d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78.tar.bz2
dotfiles-nix-d999d4d0e68b9d7cfa0f477cdbac8fe82850ae78.zip
use sops-nix for secrets
Diffstat (limited to 'nix')
-rw-r--r--nix/default.nix16
-rw-r--r--nix/home/default.nix6
-rw-r--r--nix/programs/default.nix1
-rw-r--r--nix/programs/gpg/default.nix27
-rw-r--r--nix/programs/sops/default.nix30
-rw-r--r--nix/programs/wireguard/default.nix2
-rw-r--r--nix/system/default.nix4
7 files changed, 71 insertions, 15 deletions
diff --git a/nix/default.nix b/nix/default.nix
index 3cda7fe..d6e36ec 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -143,6 +143,14 @@ in
options = {
#
+ # System information
+ #
+ hostName = mkOption {
+ type = types.str;
+ description = "Hostname of the system.";
+ };
+
+ #
# Primary user of the system
#
user = mkOption {
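Review bot: The new `hostName` option is declared as a free-form `types.str`, yet the same value is spliced into a filesystem path elsewhere in this commit (`/hosts/${config.hostName}/secrets.yaml` in nix/programs/sops/default.nix) and assigned to `networking.hostName`. Constraining it at the declaration keeps `/`, `..` or whitespace out of that path and makes a bad value fail at evaluation with a message that points at this option rather than at the sops file; something like `type = types.strMatching "^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";` mirrors what NixOS's own `networking.hostName` enforces (worth checking the exact regex in the nixpkgs version in use). A one-line description addition such as `# also selects hosts/<name>/secrets.yaml and networking.hostName` would document the coupling. The `options` attribute set continues past the hunk.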
@@ -158,14 +166,14 @@ in
description = "Primary email of the user";
};
homePath = mkOption {
- type = types.str;
+ type = types.path;
description = "Home directory path of the user";
- default = "/home/${config.user}";
+ default = builtins.toPath "/home/${config.user}";
};
dotfilesPath = mkOption {
- type = types.str;
+ type = types.path;
description = "Dotfiles path inside the users home dir";
- default = "${config.homePath}/.config/nix";
+ default = builtins.toPath "${config.homePath}/.config/nix";
};
#
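Review bot: `builtins.toPath` is marked deprecated in the Nix manual, and it is not needed here: `types.path` accepts any string-like value that starts with `/`, so the previous `"/home/${config.user}"` and `"${config.homePath}/.config/nix"` already satisfy the new type unchanged. Keeping these as strings (not path values) is also the safer choice: a genuine path value that is later interpolated into a string or concatenated the way `config.dotfilesPath + "/hosts/..."` and `config.homePath + "/.gnupg"` are in nix/programs/sops/default.nix would copy the directory into the world-readable Nix store. I would revert to the plain string defaults and add `# strings, not path literals: a path value here would be copied into /nix/store when interpolated` above `homePath`. The hunk header reports one more line than is shown, so part of this span may be cut in the rendering.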
diff --git a/nix/home/default.nix b/nix/home/default.nix
index 86cbfe6..66510fc 100644
--- a/nix/home/default.nix
+++ b/nix/home/default.nix
@@ -1,6 +1,10 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:
{
+ imports = [
+ inputs.home-manager.nixosModules.home-manager
+ ];
+
home-manager.users.${config.user} = {
home.username = config.user;
diff --git a/nix/programs/default.nix b/nix/programs/default.nix
index c4a6f61..a6c2996 100644
--- a/nix/programs/default.nix
+++ b/nix/programs/default.nix
@@ -9,6 +9,7 @@
./kitty
./mako
./neovim
+ ./sops
./ssh
./starship
./waybar
diff --git a/nix/programs/gpg/default.nix b/nix/programs/gpg/default.nix
index 92549ff..5629995 100644
--- a/nix/programs/gpg/default.nix
+++ b/nix/programs/gpg/default.nix
@@ -1,24 +1,35 @@
{ config, lib, pkgs, ... }:
+let
+
+ keysDir = ../../../files/keys;
+ keys = lib.attrsets.mapAttrsToList (name: type: "${keysDir}/${name}") (builtins.readDir keysDir);
+
+in
{
home-manager.users.${config.user} = {
+
+ # install keys into gpg keyring
programs.gpg = {
enable = true;
- publicKeys = [
- {
- source = ../../../files/keys/freya-gpg.pub;
- trust = 5;
- }
- ];
+ publicKeys = map (file: { source = file; trust = 5; }) keys;
};
+ # global gpg agent
services.gpg-agent = {
enable = true;
enableExtraSocket = true;
enableSshSupport = true;
- #updateStartupTty = true;
-
pinentryPackage = pkgs.pinentry-curses;
};
+
+ };
+
+ # yubikey support
+ services = {
+ pcscd.enable = true;
+ udev.packages = with pkgs; [
+ yubikey-personalization
+ ];
};
}
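Review bot: The `keys` binding imports every entry of `files/keys` into the keyring with `trust = 5` (ultimate), ignoring the `type` argument it receives from `builtins.readDir`, so a subdirectory, a `.gitignore`, a README or a stray non-key file dropped into that directory would be handed to gpg as an ultimately-trusted public key. Filtering to regular files with the expected suffix keeps the trust assignment tied to the files that were actually meant as keys: `keys = lib.attrsets.mapAttrsToList (name: _: "${keysDir}/${name}") (lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".pub" name) (builtins.readDir keysDir));`. Note also that interpolating `keysDir` (a path literal) into a string copies the whole directory into the Nix store, which is fine for public keys but is worth a comment such as `# files/keys is copied into the store; keep only public material here` so nothing private ever lands alongside them.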
diff --git a/nix/programs/sops/default.nix b/nix/programs/sops/default.nix
new file mode 100644
index 0000000..2447935
--- /dev/null
+++ b/nix/programs/sops/default.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, inputs, ... }:
+
+let
+
+ isEd25519 = k: k.type == "ed25519";
+ getKeyPath = k: k.path;
+ keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+
+in
+{
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ environment.systemPackages = with pkgs; [
+ sops
+ ];
+
+ sops = {
+ defaultSopsFile = config.dotfilesPath + "/hosts/${config.hostName}/secrets.yaml";
+ validateSopsFiles = false;
+
+ gnupg.home = config.homePath + "/.gnupg";
+ gnupg.sshKeyPaths = [];
+
+ secrets = {
+ freyanetWg = {};
+ };
+ };
+}
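Review bot: `isEd25519`, `getKeyPath` and `keys` in the `let` block are dead code: nothing in the module body uses them, and `gnupg.sshKeyPaths = [];` explicitly disables host-key derivation. If the intent was to feed the OpenSSH host keys into sops-nix, note that, as far as I recall its option defaults, the gnupg path derives from RSA host keys (`sops.gnupg.sshKeyPaths`) while ed25519 host keys belong to the age path (`sops.age.sshKeyPaths`), so this filter would not produce a usable key for `gnupg` anyway; either drop the three bindings or move them under `age.sshKeyPaths = map getKeyPath keys;` after confirming the option semantics. `validateSopsFiles = false;` deserves a why-comment, e.g. `# secrets.yaml lives under the user's home rather than in the flake, so it cannot be checked at evaluation; a missing or corrupt file surfaces only at activation`, since with validation off a problem with the secrets file is no longer caught by `nixos-rebuild build`. With `gnupg.home` pointing into the user's home directory, decryption at activation runs as root against key material owned by that user, which is worth stating next to the option so the trust boundary is explicit.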
diff --git a/nix/programs/wireguard/default.nix b/nix/programs/wireguard/default.nix
index 83c2585..7e4ab7a 100644
--- a/nix/programs/wireguard/default.nix
+++ b/nix/programs/wireguard/default.nix
@@ -9,7 +9,7 @@
freyanet = {
address = [ "10.2.0.2/32" "fd:cafe:dead:bee::2/128" "fe80::2/128" ];
dns = [ "10.2.2.2" ];
- privateKeyFile = "${config.dotfilesPath}/secrets/freyanet.key";
+ privateKeyFile = config.sops.secrets.freyanetWg.path;
peers = [{
publicKey = "x0ykwakpYCvI/pG+nR83lNUyeOE9m54thnX3bvZ+FUk=";
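Review bot: Nothing in this commit removes the plaintext key that was previously read from `${config.dotfilesPath}/secrets/freyanet.key`; once the sops-managed secret is confirmed working that file should be deleted, and the key rotated if the `secrets/` directory was ever tracked in the repository. The `freyanetWg = {};` declaration relies on sops-nix's defaults for owner, mode and path, which suit an interface brought up as root (this block looks like a `wg-quick` definition, but its start is outside the hunk); if the interface is ever moved to a different manager the secret's `owner`/`group` would need to follow. A short comment on the new line, `# decrypted by sops-nix at activation; see nix/programs/sops`, would point a reader at where the key now comes from.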
diff --git a/nix/system/default.nix b/nix/system/default.nix
index dbc34f5..65e6b73 100644
--- a/nix/system/default.nix
+++ b/nix/system/default.nix
@@ -4,6 +4,9 @@
# allow flakes
nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ # hostname
+ networking.hostName = config.hostName;
+
# common system packages
environment.systemPackages = with pkgs; [
# editor
@@ -42,7 +45,6 @@
networking.networkmanager.enable = true;
services.fwupd.enable = true;
services.libinput.enable = true;
- services.pcscd.enable = true;
services.printing.enable = true;
services.pipewire = {
enable = true;