From fe50bf0b58eb56f41ee7573857cd74143ca5b838 Mon Sep 17 00:00:00 2001 From: Trolli Schmittlauch Date: Mon, 6 Apr 2026 23:43:19 +0200 Subject: [PATCH] sops: darwin: switch to SSH host keys I've decided to just create some ssh host keys via `sudo ssh-keygen -A` to make the key management parallel to linux hosts. --- .sops.yaml | 15 +++++++++------ common/secrets.yaml | 39 ++++++++++++++++++++++++--------------- darwin/sops.nix | 3 +-- home/modules/sops.nix | 25 +++++++------------------ 4 files changed, 41 insertions(+), 41 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index adfa8d0..8182fab 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,21 +1,24 @@ -# XXX: missing: macbook, thinknix?, at some point mobile +# XXX: missing: thinknix?, at some point mobile +# XXX: consider key groups keys: - - &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix - - &workmac age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x #workmac + - &admin_framenix age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix + - &admin_workmac age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x #workmac # Generate AGE keys from SSH keys with: # nix-shell -p ssh-to-age --run 'ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe + - &machine_workmac age1rpygw5lkhc0a5hq8fuhjzy57ls7pn5u76097z6g2p4nmlctl8pvsxrztd8 creation_rules: # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope - path_regex: hosts/framenix/secrets\.(yaml|json|env|ini)$ key_groups: - age: - - *admins + - *admin_framenix - *machine_framenix - path_regex: common/secrets\.(yaml|json|env|ini)$ key_groups: - age: - - *admins - - *workmac + - *admin_framenix + - *admin_workmac + - *machine_workmac - *machine_framenix diff --git a/common/secrets.yaml b/common/secrets.yaml index 233775d..d88408d 100644 
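Review bot: The new `# XXX: consider key groups` note is ambiguous, because every `creation_rules` entry already uses `key_groups` (one group per rule); if the intent is to require more than one identity to decrypt, say so, e.g. `# XXX: consider multiple key_groups with shamir_threshold so a single host key cannot decrypt common/ on its own`. With `machine_workmac` added to the `common/secrets.yaml` rule, anyone who can read `/etc/ssh/ssh_host_ed25519_key` on either machine can decrypt everything in that file, so the shared file's blast radius now spans both hosts. The `machine_*` recipients are derived from SSH host keys, so regenerating a host key (reinstall, a second `ssh-keygen -A`) silently invalidates that machine's ability to decrypt until the new recipient is added here and `sops updatekeys` is run on every matching file; a comment next to those entries would help, e.g. `# NOTE: host-key rotation changes these recipients; re-run sops updatekeys on all matching files`.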
--- a/common/secrets.yaml +++ b/common/secrets.yaml 
@@ -5,29 +5,38 @@ sops: - recipient: age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRnd4VXRwWXpaK2piQW5C - b2xHSlYzb0VzLzJrNlFhanhTa2VScEIxc0RjCkhMSXJvbkR6Z3hUb2NzSmlTSUpJ - YWIwMTN3OXNWVi9IczRXK0ppSmtINk0KLS0tIGtHQmg0cnhIR2NkbC9QSzV4aGs2 - OGs2S295VklPUW1TSlJZWGVqbmJFbmMK42pKH+iTIhkKjgLuEtZamK0vxThXzmET - 521yJh5mOaJu7H55Fp+F4TWWjnwVKKqmipJ0k5eMXVoMTldcYWoOhg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuc0xqeEx2eUNZVkpaQXhY + a1BDOTUwRHZkU2M4Z0cvUTFCcjNEN2RKa1JVCmZlYlY5djQ2SnJSZnBWd1JIVXJS + K2hPT3JXRjIyUzFoRmZhdnUveVFlOGMKLS0tIEQ2SElPTUdxR1dEeUxBVHF3di9u + aDBzbzZMMlF2USszeS9mTGFIalhpOU0KNUrIv6ffhifLcgdk+/CXgXQ4Aod587aL + kB/y59HdprNelD2Uzw4/PkalOHSO1OVpi+NLRGgYw8IOPdV7iNVo3Q== -----END AGE ENCRYPTED FILE----- - recipient: age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRFRLdFdOS2UzbWwrNDRu - Y0YwRDBkd2lnN1FyR0w1MTNYTldzUndqckNFCnlzSVQvNkx4WDk3RXhWNkdGMjFL - bjVsbHJ3VjZqRXFTZE9ma2lCQ2ZXNlkKLS0tIHlCMS8vYUhqMklGbk5oT2dEd2pl - MlJLSkt4azdkcW5rOWVIMm1HVW1uazAK45zntYris4tcP26DGCBmjIAIKUxMVrsR - mpSTAfK1nt8/UcGft+qqqrAEVzvYooUvBa5vxDsY7qTyAzibP4MFWw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5MzlIUENGemVXbjZ2ZXpw + RDkvZnF5aUxmWjU2Sk5pS1dQaW81ZnpYNkZnCjh5czF4cVVMd0xxejkzMWs2QkFF + K0lxcEY4cHpnblZ6Tk1BSHJhUEF2dVUKLS0tIEFxcUxtOE85TitoVWM2RlYxSi9S + YXpTLysxR3FzNHEzZ0tMdHI0SVk1UmMKZT3hZNrUkh803EYaYfdhiAfJOljTFUsp + JqmxLLBnxclCFsHtq678+4akr7tFlEnQi8aWeH+HjK+R8ngSa1G7ew== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rpygw5lkhc0a5hq8fuhjzy57ls7pn5u76097z6g2p4nmlctl8pvsxrztd8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2R0lDdjMxZDRGM1RucE9R + eUtwQW84RlZNUmEvbUpGRTduYTdIMk5FN1I4CmFtMWEyVEhmYitiY0ZpUDZuQVo2 + VTVZcjlQVi93RTdLb2RJL0s0Q3FjRm8KLS0tIG5SOEVXRGpMQnNnS3IrUUNpUjZw + 
L1A0emlvWndoNVNTaW43NlhHSXFqQUUKhvkRYZV6QADm+pYIdfeg4s56YyDSUhJn + Az9wpLX8G8iesFgEHl/TsN8jZZls+LxMoMg5NxfIzQgdvR5I/s8BzQ== -----END AGE ENCRYPTED FILE----- - recipient: age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUg1eUFuczJaR29UMyta - c0ZiNDNBTkxQSDNIZThhQ3ZUSmc4dGdKTkRjCmtlUTV0d3JkQzJXemxDMFEvM3Qr - UVRqdkZ2UDB5MVpva2FhUTlpelN2cjQKLS0tIE1kOVVXRjlFNDhxdC9HTGFjTENh - Zm9Wb1lrSSsvZ2gzVnZ0UnN0cUFVbUUK2Xqn6cjrUxK+ku3LgfbpUt+Vkdv9vEGe - R8iG40k2T4RSa53dHwfRG3eg3ubTA8d1NFZ5qUpkmhFPZ5cq89x4ig== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUytMcmJiUHhEZWVRYmhE + ZFdWSlIxeHFiTkFzLzlmbEpNMkFzVFRDUEc4ClhXVEtjbXJDdENkb2QraWxJWnF2 + RmxrbEdSSXlnUkdjTXVVRUZjMHF1V3MKLS0tIGFUUncvc2NtV2JUbG50VHIyYlM0 + RFVNWXRrVTI1cmtoUWphLzVXMFA3RDAKD+72BEHYBhm9ncbO/F5AclbvT9hU5kZb + LGm6HK/Yw+b73Odix+0UDAGV8QTdXweWfb6L406WSkJjaR3F7Ki6SQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2026-04-05T22:12:29Z" mac: ENC[AES256_GCM,data:5do9aK676jnIpaOldsL72W68BLKlWISBeeVglRCVtvYq/gmcmLAIESJli6XIRAURJmX7O61VnBDr5uGmH3jV0cb7s8zd6mxnWJOsnPIiKMNFiDg57W72R4iNsdeYINu6Y9HFfkXcI6HkP2eHdpzsVmmDvT7WuGS0Q6HgpbAbygM=,iv:DPdmA8LuSTNNsV0OTShi2pifhxpbITRbZAKYszDrFIU=,tag:fsOFaubD+LWG1pja6ttYYg==,type:str] diff --git a/darwin/sops.nix b/darwin/sops.nix index 5692f9e..4ed332c 100644 --- a/darwin/sops.nix +++ b/darwin/sops.nix @@ -6,8 +6,7 @@ }: { sops = { - age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt"; - age.sshKeyPaths = lib.mkForce [ ]; # no host keys + #age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt"; gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys defaultSopsFile = lib.mkDefault ./secrets.yaml; defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice diff --git a/home/modules/sops.nix b/home/modules/sops.nix index 183d3cb..e4d153b 100644 --- a/home/modules/sops.nix +++ b/home/modules/sops.nix 
@@ -12,21 +12,10 @@ let else "/home/${config.home.username}/.config/sops/age/keys.txt"; in -lib.mkMerge [ - { - home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700"; - sops = { - age.keyFile = "/home/user/.age-key.txt"; # must have no password! - # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly. - }; - } - # linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key. - (lib.mkIf pkgs.stdenv.isLinux { - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - }) - - # darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion - (lib.mkIf pkgs.stdenv.isDarwin { - sops.age.keyFile = homeKeys; - }) -] +{ + home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700"; + sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly. + }; +}
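Review bot: The now unconditional `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` makes the user-level sops module read the root-owned host private key on darwin as well, and the hunk drops the only comment that documented that assumption (the removed Linux branch). A key created with `ssh-keygen -A` is normally mode 0600 root, so either activation fails as the user or the key has been made readable to the user, and in the latter case any process running as that user holds the host's SSH identity and can decrypt every secret encrypted to the `machine_*` recipient, which the removed user-owned `keyFile` on darwin avoided. If that trade-off is intended, document it on the line, e.g. `# Both platforms: decrypt with the SSH host key (root-only by default; the user needs read access, which also grants it the host identity).`; otherwise consider a dedicated user-owned age key for the home config and reserve the host key for the system module. `homeKeys` is still used for `home.ensureDirs`, but the `let` that defines it starts before the hunk, so I cannot see whether anything else still consumes it.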