add sops-nix

.sops.yaml

@@ -1,15 +1,23 @@
 keys:
+  # To generate new admin key, run (requires [age](https://github.com/FiloSottile/age)):
+  # ```
+  # mkdir -p ~/.config/sops/age/
+  # age-keygen -o ~/.config/sops/age/keys.txt
+  # ```
+  # Provide the generated key to a pre-existing admin and wait for him to re-encrypt all secrets in this repo with it. After pulling the re-encrypted secrets you can read them with `sops some-file`.
   - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
   - &lassulus age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2
-# To generate new admin key, run (requires [age](https://github.com/FiloSottile/age)):
-# ```
-# mkdir -p ~/.config/sops/age/
-# age-keygen -o ~/.config/sops/age/keys.txt
-# ```
-# Provide the generated key to a pre-existing admin and wait for him to re-encrypt all secrets in this repo with it. After pulling the re-encrypted secrets you can read them with `sops some-file`.
+  # Downloaded like this: nix-shell -p ssh-to-age --run 'ssh-keyscan clan.lol | ssh-to-age' 
+  - &web01 age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
 creation_rules:
   - path_regex: targets/.*/terraform.tfstate$
     key_groups:
     - age:
       - *joerg
       - *lassulus
+  - path_regex: targets/web01/secrets.yaml$
+    key_groups:
+    - age:
+      - *joerg
+      - *lassulus
+      - *web01

flake.lock

@@ -85,10 +85,32 @@
         "flake-parts": "flake-parts",
         "homepage": "homepage",
         "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
         "srvos": "srvos",
         "treefmt-nix": "treefmt-nix"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": []
+      },
+      "locked": {
+        "lastModified": 1688268466,
+        "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "srvos": {
       "inputs": {
         "nixpkgs": [

flake.nix

@@ -16,6 +16,9 @@
     homepage.inputs.nixpkgs.follows = "nixpkgs";
     homepage.inputs.flake-parts.follows = "flake-parts";
 
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.inputs.nixpkgs-stable.follows = "";
 
     srvos.url = "github:numtide/srvos";
     # Use the version of nixpkgs that has been tested to work with SrvOS

modules/flake-module.nix

@@ -1,13 +1,17 @@
-{ inputs, ... }: {
+{ self, inputs, ... }: {
   flake.nixosModules = {
-    hcloud.imports = [
+    server.imports = [
       inputs.srvos.nixosModules.server
+      inputs.sops-nix.nixosModules.default
+    ];
+
+    hcloud.imports = [
       inputs.srvos.nixosModules.hardware-hetzner-cloud
       ./single-disk.nix
     ];
 
     web01.imports = [
-      inputs.srvos.nixosModules.mixins-nginx
+      self.nixosModules.server
       ./web01
     ];
   };

targets/web01/secrets.yaml

@@ -0,0 +1,39 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data:68nXUeyy7xh/KKdd4ajdrkuzc54ZpnXhMpPjaDYtwMLlHja/O/t7g4IlVgLTKWwgMbr5/lAj04cEI99dAuoARaE+p4ldQeQNzPb7ZOPyRmSnBgO/qgtZoKNLaIX7q+Mwl+vsa2d2ZSHG8Fu7hzNIELWHQoaIFi782U+yKt2LHhahdVyY/FUPcymi0EtrwCqBHKSlEu+SXiwDXT4f+PCBtyaCJT4T4Mo2+TbERur9r9YOnKG2GEg46lDwTrr6FMya5K2WBks7AQwQ+rpoHCEy05tTg3GTJd8DypLhemrHMD7HeYzRf+HnVCyTngxmoquCD5/g9OM+fu63GIsnbGItWxREfjfzvODKuPaVCOat4mWQr1pLch1lcIkxQhU4EXg4LgHUMXFnQFrR8rvRT++YK1nRLB3w/lyvU4PAoocYlNR3G9JEClRnu4GH615ILEjXhyUZyAHIGx1+W7M6j4aGFhm3NOJWCTctaFd5r6uUeTqDpV757UzgHIR5lhtlfjeL41r3mmN09os/HpKt9EZ0,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVTJrY2hIdis5eGJYQkdM
+            MUdGTmVkc2pxN1NjbkR2NVF6Uk11SnBSSUNrCnY0dXlTMnpTbnNJdjNJZHZtYWE4
+            YmlUWFpkUXdtbFh6R1BvTjd1UEZTRFUKLS0tIEdTMEozMFltVWJ0Q1BZS201eE50
+            UHcwNW5nNkdHL0w2d3g0RzBQZ1RrY3MKCDNdsobZ7wZOjBWOy0FmBR0i0afpHM/x
+            uDax1cdEXnh710TTI0Ck99KGthFRWBIeJH1xioC6TTsgmrgE4VPkNA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwRWp6R3B2T3N0aE1GaU8r
+            cUppT0ZrNGJTTXhsZi9EU3dRZTNTR09tYVdvCmVBUFRVWkFTeHZVMDFhSDNQY1dL
+            T09zMjN4ZkZpNFRqZjVqWVRZOGdIaGcKLS0tIGNJbnBFNDAvMS9pdndVRklTNHZ2
+            UjRPRXB5RkxYUDN2TVE2ZTlzV0I5NGsK8tIxBNl0UFkAw1u8Jn7QjnDJ6dcr4+6P
+            iHXTDyxadZAljV5ZXlmzM1dm5p+v86jJ/KvYbA0dkga+CBEOUDt3Yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRDh2OWxJdjcwK0o1M3Nt
+            RXV4UTlnbFphR0JISG9ZcGorb1ppMzd4SVR3CnZTOW9YeHBKR3drTHdGb3pEZVI3
+            S3NtbDFHL2dlZlRKK3FIc0lwMGt1SzQKLS0tIEZrMWNLOEtuTXB5eE93Uy9nalhD
+            Q2J3VHNZZm13RlFwekJ6MHpPTmpZek0KiOqGozDqC5QQop5y+Scq+QHhVSXX43Ix
+            KS496VWzRCdXYdgMk9gleA0AjaOGdAZOzdxsMQrWo+XfHrCy/1fU/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-05T15:15:11Z"
+    mac: ENC[AES256_GCM,data:oLM6L2SAPSypW2sbGnaE0hmRW8BoFxIT6RfGUAr2I8Q+K0wN4dUW1Cq+q8Ecfa4IJ8eI2iCw/7x8ZwlWiUFnreeaEGXIS2SEMMitwOUzfzB0QCXYIuQUxgH1KCpNwNKm/3cEg0GrWFim0SSSZztVsHQh5++Qa7WDXKYFQJLG+Fc=,iv:P9DUDlL9g5Q7fJyi7OvVDMyPQKbX1OzYKgQ19f+wrfI=,tag:An0m7oXeUACxWDVackxXAQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3