From 32822bcc3a19a6cf9b8ad2e45d6a191f5af1d646 Mon Sep 17 00:00:00 2001
From: Trolli Schmittlauch
Date: Sun, 5 Apr 2026 00:16:33 +0200
Subject: [PATCH] sops-nix: basic key setup

---
 .sops.yaml | 14 ++++++++++++++
 flake.lock | 21 +++++++++++++++++++++
 flake.nix | 7 +++++++
 3 files changed, 42 insertions(+)
 create mode 100644 .sops.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..5263e08
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+# XXX: missing: macbook, thinknix?, at some point mobile
+keys:
+ - &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
+ # Generate AGE keys from SSH keys with:
+ # nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+ - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
+creation_rules:
+ # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
+ - path_regex: hosts/framenix/secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admins
+ - *machine_framenix
+
diff --git a/flake.lock b/flake.lock
index 200348c..23a1065 100644
--- a/flake.lock
+++ b/flake.lock
@@ -439,6 +439,7 @@
 "nixos-unstable": "nixos-unstable",
 "nixpkgs": "nixpkgs_2",
 "nur": "nur",
+ "sops-nix": "sops-nix",
 "treefmt-nix": "treefmt-nix_3",
 "utils": "utils"
 }
@@ -464,6 +465,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1775188331,
+ "narHash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "8f093d0d2f08f37317778bd94db5951d6cce6c46",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 84dbbcf..b99a396 100644
--- a/flake.nix
+++ b/flake.nix
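Review bot: The key-generation hint in the new .sops.yaml does not run as written: `ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub` asks the remote shell to execute the public-key file instead of printing it. The form the sops-nix documentation gives reads the host's advertised key and needs no login on the target, `# nix-shell -p ssh-to-age --run 'ssh-keyscan some.example.com | ssh-to-age'`; `ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age` is the equivalent over a session. The `#framenix` label on the `&admins` recipient is ambiguous next to `&machine_framenix`; a comment saying whose key it is (an operator key held outside the host, or another key of the host itself) tells a reader which recipient must be rotated when the machine is reinstalled. With a single entry under `key_groups`, either recipient alone can decrypt, which appears to be the intent here.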
@@ -29,6 +29,10 @@
 flake = false;
 url = "git+ssh://gitea@git.orlives.de:2342/schmittlauch/home-manager_secrets.git";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 nix-direnv = {
 url = "github:nix-community/nix-direnv";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -51,6 +55,7 @@
 treefmt-nix,
 nix-darwin,
 angrr,
+ sops-nix,
 ...
 }@inputs:
 let
@@ -81,6 +86,7 @@
 };
 defaultModules = system: [
 inputInjection
+ sops-nix.nixosModules.sops
 # for some reason, `imports`-ing the home-manager module via inputInjection
 # from a sub-module causes infinite recursion, so importing it here instead
@@ -99,6 +105,7 @@
 modules = [
 {
 imports = [
+ sops-nix.homeManagerModules.sops
 ./home/common.nix
 ./home/${confName}.nix
 ];
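Review bot: The home-manager module wired in by the last hunk (`sops-nix.homeManagerModules.sops` under `imports`) has no creation rule behind it: the only `path_regex` in the new .sops.yaml covers `hosts/framenix/secrets/`, so a secrets file kept next to ./home/common.nix would match no rule and sops would have no recipients for it until a second entry is added. Home-manager activation also runs as the user rather than root, so that module presumably cannot use the host SSH key the `&machine_framenix` recipient was derived from; where the `&admins` key is expected to live for that path deserves a line in the flake or the yaml. The first hunk (input with `inputs.nixpkgs.follows`) and the NixOS module in the third hunk raise nothing. The enclosing attribute sets of all four hunks start and end outside the hunks.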