flake.lock: Update

Flake lock file updates: • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/80afbd13eea0b7c4ac188de949e1711b31c2b5f0?narHash=sha256-6MWaMLXK9QMndI94CIxeiPafi3wuO%2BimCtK9tfhsZdw%3D' (2026-04-03) → 'github:NixOS/nixos-hardware/c775c2772ba56e906cbeb4e0b2db19079ef11ff7?narHash=sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM%3D' (2026-04-06) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e?narHash=sha256-d3Yx83vSrN%2B2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA%3D' (2026-04-01) → 'github:NixOS/nixpkgs/36a601196c4ebf49e035270e10b2d103fe39076b?narHash=sha256-/74n1oQPtKG52Yw41cbToxspxHbYz6O3vi%2BXEw16Qe8%3D' (2026-04-04) • Updated input 'sops-nix': 'github:Mic92/sops-nix/8f093d0d2f08f37317778bd94db5951d6cce6c46?narHash=sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8%3D' (2026-04-03) → 'github:Mic92/sops-nix/a4ee2de76efb759fe8d4868c33dec9937897916f?narHash=sha256-f50qrK0WwZ9z5EdaMGWOTtALgSF7yb7XwuE7LjCuDmw%3D' (2026-04-05)
sops: darwin: switch to SSH host keys
2026-04-06 23:44:37 +02:00 · 2026-04-06 23:43:19 +02:00
5 changed files with 49 additions and 49 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,21 +1,24 @@
-# XXX: missing: macbook, thinknix?, at some point mobile
+# XXX: missing: thinknix?, at some point mobile
+# XXX: consider key groups
 keys:
-  - &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
-  - &workmac age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x #workmac
+  - &admin_framenix age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
+  - &admin_workmac age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x #workmac
  # Generate AGE keys from SSH keys with:
  # nix-shell -p ssh-to-age --run 'ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
  - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
+  - &machine_workmac age1rpygw5lkhc0a5hq8fuhjzy57ls7pn5u76097z6g2p4nmlctl8pvsxrztd8
 creation_rules:
  # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
  - path_regex: hosts/framenix/secrets\.(yaml|json|env|ini)$
    key_groups:
      - age:
-        - *admins
+        - *admin_framenix
        - *machine_framenix
  - path_regex: common/secrets\.(yaml|json|env|ini)$
    key_groups:
      - age:
-        - *admins
-        - *workmac
+        - *admin_framenix
+        - *admin_workmac
+        - *machine_workmac
        - *machine_framenix

--- a/common/secrets.yaml
+++ b/common/secrets.yaml
@ -5,29 +5,38 @@ sops:
        - recipient: age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRnd4VXRwWXpaK2piQW5C
-            b2xHSlYzb0VzLzJrNlFhanhTa2VScEIxc0RjCkhMSXJvbkR6Z3hUb2NzSmlTSUpJ
-            YWIwMTN3OXNWVi9IczRXK0ppSmtINk0KLS0tIGtHQmg0cnhIR2NkbC9QSzV4aGs2
-            OGs2S295VklPUW1TSlJZWGVqbmJFbmMK42pKH+iTIhkKjgLuEtZamK0vxThXzmET
-            521yJh5mOaJu7H55Fp+F4TWWjnwVKKqmipJ0k5eMXVoMTldcYWoOhg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuc0xqeEx2eUNZVkpaQXhY
+            a1BDOTUwRHZkU2M4Z0cvUTFCcjNEN2RKa1JVCmZlYlY5djQ2SnJSZnBWd1JIVXJS
+            K2hPT3JXRjIyUzFoRmZhdnUveVFlOGMKLS0tIEQ2SElPTUdxR1dEeUxBVHF3di9u
+            aDBzbzZMMlF2USszeS9mTGFIalhpOU0KNUrIv6ffhifLcgdk+/CXgXQ4Aod587aL
+            kB/y59HdprNelD2Uzw4/PkalOHSO1OVpi+NLRGgYw8IOPdV7iNVo3Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRFRLdFdOS2UzbWwrNDRu
-            Y0YwRDBkd2lnN1FyR0w1MTNYTldzUndqckNFCnlzSVQvNkx4WDk3RXhWNkdGMjFL
-            bjVsbHJ3VjZqRXFTZE9ma2lCQ2ZXNlkKLS0tIHlCMS8vYUhqMklGbk5oT2dEd2pl
-            MlJLSkt4azdkcW5rOWVIMm1HVW1uazAK45zntYris4tcP26DGCBmjIAIKUxMVrsR
-            mpSTAfK1nt8/UcGft+qqqrAEVzvYooUvBa5vxDsY7qTyAzibP4MFWw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5MzlIUENGemVXbjZ2ZXpw
+            RDkvZnF5aUxmWjU2Sk5pS1dQaW81ZnpYNkZnCjh5czF4cVVMd0xxejkzMWs2QkFF
+            K0lxcEY4cHpnblZ6Tk1BSHJhUEF2dVUKLS0tIEFxcUxtOE85TitoVWM2RlYxSi9S
+            YXpTLysxR3FzNHEzZ0tMdHI0SVk1UmMKZT3hZNrUkh803EYaYfdhiAfJOljTFUsp
+            JqmxLLBnxclCFsHtq678+4akr7tFlEnQi8aWeH+HjK+R8ngSa1G7ew==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1rpygw5lkhc0a5hq8fuhjzy57ls7pn5u76097z6g2p4nmlctl8pvsxrztd8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2R0lDdjMxZDRGM1RucE9R
+            eUtwQW84RlZNUmEvbUpGRTduYTdIMk5FN1I4CmFtMWEyVEhmYitiY0ZpUDZuQVo2
+            VTVZcjlQVi93RTdLb2RJL0s0Q3FjRm8KLS0tIG5SOEVXRGpMQnNnS3IrUUNpUjZw
+            L1A0emlvWndoNVNTaW43NlhHSXFqQUUKhvkRYZV6QADm+pYIdfeg4s56YyDSUhJn
+            Az9wpLX8G8iesFgEHl/TsN8jZZls+LxMoMg5NxfIzQgdvR5I/s8BzQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUg1eUFuczJaR29UMyta
-            c0ZiNDNBTkxQSDNIZThhQ3ZUSmc4dGdKTkRjCmtlUTV0d3JkQzJXemxDMFEvM3Qr
-            UVRqdkZ2UDB5MVpva2FhUTlpelN2cjQKLS0tIE1kOVVXRjlFNDhxdC9HTGFjTENh
-            Zm9Wb1lrSSsvZ2gzVnZ0UnN0cUFVbUUK2Xqn6cjrUxK+ku3LgfbpUt+Vkdv9vEGe
-            R8iG40k2T4RSa53dHwfRG3eg3ubTA8d1NFZ5qUpkmhFPZ5cq89x4ig==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUytMcmJiUHhEZWVRYmhE
+            ZFdWSlIxeHFiTkFzLzlmbEpNMkFzVFRDUEc4ClhXVEtjbXJDdENkb2QraWxJWnF2
+            RmxrbEdSSXlnUkdjTXVVRUZjMHF1V3MKLS0tIGFUUncvc2NtV2JUbG50VHIyYlM0
+            RFVNWXRrVTI1cmtoUWphLzVXMFA3RDAKD+72BEHYBhm9ncbO/F5AclbvT9hU5kZb
+            LGm6HK/Yw+b73Odix+0UDAGV8QTdXweWfb6L406WSkJjaR3F7Ki6SQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-04-05T22:12:29Z"
    mac: ENC[AES256_GCM,data:5do9aK676jnIpaOldsL72W68BLKlWISBeeVglRCVtvYq/gmcmLAIESJli6XIRAURJmX7O61VnBDr5uGmH3jV0cb7s8zd6mxnWJOsnPIiKMNFiDg57W72R4iNsdeYINu6Y9HFfkXcI6HkP2eHdpzsVmmDvT7WuGS0Q6HgpbAbygM=,iv:DPdmA8LuSTNNsV0OTShi2pifhxpbITRbZAKYszDrFIU=,tag:fsOFaubD+LWG1pja6ttYYg==,type:str]
--- a/darwin/sops.nix
+++ b/darwin/sops.nix
@ -6,8 +6,7 @@
 }:
 {
  sops = {
-    age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
-    age.sshKeyPaths = lib.mkForce [ ]; # no host keys
+    #age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
    gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys
    defaultSopsFile = lib.mkDefault ./secrets.yaml;
    defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
--- a/flake.lock
+++ b/flake.lock
@ -304,11 +304,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1775203647,
-        "narHash": "sha256-6MWaMLXK9QMndI94CIxeiPafi3wuO+imCtK9tfhsZdw=",
+        "lastModified": 1775490113,
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "80afbd13eea0b7c4ac188de949e1711b31c2b5f0",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
        "type": "github"
      },
      "original": {
@ -352,11 +352,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1775002709,
-        "narHash": "sha256-d3Yx83vSrN+2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA=",
+        "lastModified": 1775305101,
+        "narHash": "sha256-/74n1oQPtKG52Yw41cbToxspxHbYz6O3vi+XEw16Qe8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e",
+        "rev": "36a601196c4ebf49e035270e10b2d103fe39076b",
        "type": "github"
      },
      "original": {
@ -472,11 +472,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775188331,
-        "narHash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=",
+        "lastModified": 1775365543,
+        "narHash": "sha256-f50qrK0WwZ9z5EdaMGWOTtALgSF7yb7XwuE7LjCuDmw=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "8f093d0d2f08f37317778bd94db5951d6cce6c46",
+        "rev": "a4ee2de76efb759fe8d4868c33dec9937897916f",
        "type": "github"
      },
      "original": {
--- a/home/modules/sops.nix
+++ b/home/modules/sops.nix
@ -12,21 +12,10 @@ let
    else
      "/home/${config.home.username}/.config/sops/age/keys.txt";
 in
-lib.mkMerge [
-  {
-    home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
-    sops = {
-      age.keyFile = "/home/user/.age-key.txt"; # must have no password!
-      # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
-    };
-  }
-  # linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
-  (lib.mkIf pkgs.stdenv.isLinux {
+{
+  home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
+  sops = {
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  })
-
-  # darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
-  (lib.mkIf pkgs.stdenv.isDarwin {
-    sops.age.keyFile = homeKeys;
-  })
-]
+    # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
+  };
+}