wip

.sops.yaml

@@ -0,0 +1,12 @@
+keys:
+  - &lelgenio 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
+  - &lelgenio-age ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15
+  - &monolith ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHESKhLPhvJIFW5S8rXweS2i6c13sk6h1Oo6SSJwEsNr root@monolith
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *lelgenio
+    - age:
+      - *lelgenio-age
+      - *monolith

flake.lock

@@ -722,6 +722,7 @@
         "nixpkgs-unstable": "nixpkgs-unstable",
         "plymouth-themes": "plymouth-themes",
         "ranger-icons": "ranger-icons",
+        "sops-nix": "sops-nix",
         "tlauncher": "tlauncher",
         "tomater": "tomater",
         "treefmt-nix": "treefmt-nix",
@@ -775,6 +776,26 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1741043164,
+        "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "3f2412536eeece783f0d0ad3861417f347219f4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -26,6 +26,11 @@
       inputs.home-manager.follows = "home-manager";
     };
 
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     nixos-mailserver = {
       url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -100,6 +105,7 @@
           { login-manager.greetd.enable = desktop == "sway"; }
 
           inputs.agenix.nixosModules.default
+          inputs.sops-nix.nixosModules.default
           inputs.home-manager.nixosModules.home-manager
           inputs.disko.nixosModules.disko
           (

overlays/default.nix

@@ -47,6 +47,8 @@ rec {
       demoji = inputs.demoji.packages.${prev.system}.default;
       tlauncher = inputs.tlauncher.packages.${prev.system}.tlauncher;
       wl-crosshair = inputs.wl-crosshair.packages.${prev.system}.default;
+
+      sops = final.sops-master;
     }
   );
 

pkgs/default.nix

@@ -11,4 +11,6 @@ rec {
   factorio-headless = pkgs.callPackage ./factorio-headless {
     inherit (pkgs.unstable) factorio-headless;
   };
+
+  sops-master = pkgs.callPackage ./sops/package.nix { };
 }

pkgs/sops/bash_autocomplete

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# based on https://github.com/urfave/cli/blob/v2.3.0/autocomplete/bash_autocomplete
+
+_cli_bash_autocomplete() {
+    if [[ "${COMP_WORDS[0]}" != "source" ]]; then
+        local cur opts
+        COMPREPLY=()
+        cur="${COMP_WORDS[COMP_CWORD]}"
+        if [[ "$cur" == "-"* ]]; then
+            opts=$("${COMP_WORDS[@]:0:$COMP_CWORD}" "${cur}" --generate-bash-completion)
+        else
+            opts=$("${COMP_WORDS[@]:0:$COMP_CWORD}" --generate-bash-completion)
+        fi
+        IFS=$'\n' read -d '' -ra COMPREPLY < <(compgen -W "${opts}" -- "${cur}")
+        return 0
+    fi
+}
+
+complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete sops

pkgs/sops/package.nix

@@ -0,0 +1,60 @@
+{
+  lib,
+  buildGo123Module,
+  fetchFromGitHub,
+  installShellFiles,
+  versionCheckHook,
+  nix-update-script,
+}:
+
+buildGo123Module rec {
+  pname = "sops";
+  version = "3.9.4-unstable";
+
+  src = fetchFromGitHub {
+    owner = "getsops";
+    repo = "sops";
+    rev = "024b94f67afa967ed758ae17433d7da600e87599";
+    hash = "sha256-rNO9+gIxxH4sYoemFbOD8HaKWL48VnbdCOKvQ0FoTgI=";
+  };
+
+  vendorHash = "sha256-wdsPuUpYHEBkZ80d7L3iXIbBsnK4to0zDUOOlvOtde4=";
+
+  postPatch = ''
+    substituteInPlace go.mod \
+      --replace-fail "go 1.22" "go 1.23.0"
+  '';
+
+  subPackages = [ "cmd/sops" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/getsops/sops/v3/version.Version=${version}"
+  ];
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  postInstall = ''
+    installShellCompletion --cmd sops --bash ${./bash_autocomplete}
+    installShellCompletion --cmd sops --zsh ${./zsh_autocomplete}
+  '';
+
+  nativeInstallCheckInputs = [ versionCheckHook ];
+  versionCheckProgramArg = "--version";
+  doInstallCheck = true;
+
+  passthru.updateScript = nix-update-script { };
+
+  meta = {
+    homepage = "https://getsops.io/";
+    description = "Simple and flexible tool for managing secrets";
+    changelog = "https://github.com/getsops/sops/blob/v${version}/CHANGELOG.rst";
+    mainProgram = "sops";
+    maintainers = with lib.maintainers; [
+      Scrumplex
+      mic92
+    ];
+    license = lib.licenses.mpl20;
+  };
+}

pkgs/sops/zsh_autocomplete

@@ -0,0 +1,25 @@
+#compdef sops
+
+## based on https://github.com/urfave/cli/blob/v2.3.0/autocomplete/zsh_autocomplete
+
+_cli_zsh_autocomplete() {
+
+  local -a opts
+  local cur
+  cur=${words[-1]}
+  if [[ "$cur" == "-"* ]]; then
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} ${cur} --generate-bash-completion)}")
+  else
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} --generate-bash-completion)}")
+  fi
+
+  if [[ "${opts[1]}" != "" ]]; then
+    _describe 'values' opts
+  else
+    _files
+  fi
+
+  return
+}
+
+compdef _cli_zsh_autocomplete sops

secrets/test.yaml

@@ -0,0 +1,72 @@
+hello: ENC[AES256_GCM,data:InrQC1cwHNYwCshr2RYZTRbeNWSHNr0Z319xqxQMZRf3BjAwtJ3FZ0y120P7dQ==,iv:/M6Hi3C29GySJO0XD9jnJuSbW0uwZ3DkD981leAoDFA=,tag:4fG3hrA4JWlCXEC4HCoVOA==,type:str]
+example_key: ENC[AES256_GCM,data:rS8hhFYHFG5HuF052A==,iv:Ec1wMtt6Z2VMgI2pH3j17cwVtpxWOPHm+nhhbstwhto=,tag:iustehiDFbzNYsrSQt020A==,type:str]
+#ENC[AES256_GCM,data:zMrmQNws4x9Tk4JV7tze4A==,iv:glvnI1ZxdSFWzDypM74uPbucyEbCyVmrKiGlUjuygXw=,tag:evh2xI6hWKQLDlrJIcviog==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:H6pL++V+9HBdboEOeeU=,iv:ZduKwwgZfdhli5aMIbJu/WUi5qdvZhENcV9G6A3ukG0=,tag:5YRywD1SensTM0hsg6qeDQ==,type:str]
+    - ENC[AES256_GCM,data:/GRa1ZYqGj4x+cbmQSo=,iv:bj9WussUEMyF61grr1AXeGyumyPO2pjXdEWdlMuBQGk=,tag:3PtjHeEUJApdiVjcQCAuHQ==,type:str]
+example_number: ENC[AES256_GCM,data:j+7tF6HOYjEUfg==,iv:VDQPA+Ium+S9voKiQPNQ+HxayM0bRf6txSX7zsED+6Y=,tag:RyP8MlNKpJTiFq4yki3IHA==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:vsYeAQ==,iv:MIUmFU7UJdkixIKCb0CCMAzhJ5uvkEZZlWHhleoZIEA=,tag:jMpWcJSwJv+yzkBB2/uvmg==,type:bool]
+    - ENC[AES256_GCM,data:0aq01xA=,iv:wF7WwrDVFG0hful9S5284olMTKlS+RnNnySAsw5UZp8=,tag:KqD1Quq0i0xeRiCMEC9yTQ==,type:bool]
+sops:
+    shamir_threshold: 2
+    key_groups:
+        - pgp:
+            - created_at: "2025-03-05T17:47:53Z"
+              enc: |-
+                -----BEGIN PGP MESSAGE-----
+
+                hQEMAzy6JxafzLr5AQgAl3m6zci5ipAkoy6mJKHCs8lq7s+wyvZ2tuHmUarbGxUP
+                Jg98Btnr4VTMdy116TeuRte+upGIN3bJLBSEYPGodpKkHhmFmInSmR2gXQCEvxAP
+                2JQQLceYVTyHqtlxrgyRKQwMJQd4J44TZ0WUTUEOH5M2x+tnTrdG0cWug+unKr9G
+                omomiO3PQF5ImGKwdsPfyEK2/80j0Zu2+wBzbPuPIiBgHhk+SfUc/iLzUH6UupdQ
+                DYPGWwbFXptVLt/sqeZ1jQAivtFlu+NlcF2/Qd5vXZ636oKWSth9degTdYX4RKfW
+                osXzWAlvftUE/ZY6bQ14sV0Ug8/Y35BCrInh+I2ZENJSAUouvWfmsrqWsoXn9Kcp
+                3UCfpQnlPmcK0I5pzROL8sE4n5/BpTEYx2iZe0bbY7xSnGC5N5VEP/s/OODLMpaQ
+                RnQUAsNJrQ9Iely+OS2K7jo7HA==
+                =5CNC
+                -----END PGP MESSAGE-----
+              fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
+          hc_vault: []
+          age: []
+        - hc_vault: []
+          age:
+            - recipient: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15
+              enc: |
+                -----BEGIN AGE ENCRYPTED FILE-----
+                YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCmtodG9TZ0ph
+                MjM0dnVMa2c4L0wvRXJmSkRYVFpYYnloYktBamw4VXR6anRBaHJxckR2MXNqdXB0
+                QnJleGdFVjEKQkdlanc3T0YvWWJiMVFVTm9sNmM5RXUvVjhyLytqeHJ6eVJPZ3Vw
+                VDdYaUJlSmlMZFVCQmd3MmhROWdJSXlNeApHN3c2dUwwNDVBUURTREo3b2hpRG9K
+                azZTYXhFbGtzYmZURTM2WVA2NUREOHdwZFZncWF2TXhsK0hJNWNYeFVBCmtiTWtv
+                aStUcW1IVDVIb2ZxQ0E2U29Jd1ZXc1NHMEg5aVpMSHJDVU5KQk15N1lZVkJNdWpS
+                ZzZVNlFVSWg2bHMKMXRnU3o2RnV5blVlL0ZlYlFIeHp4aXFUTjBpSUIyeERDNmZI
+                a1h3c1RjOUdZOXhNaU5ueVhKaGFCZFpZMm9mcApCNEZwUTk5dEc5NTlXei9ZZ1A4
+                WVc5ckt3YldXb3dCSzBjK3UySVhRNmlRVlVSNVlsSlppVThPVXBHN0JlT3F0CjA0
+                THVDZ1hqcmROODlNWjB0aGxPM1J0MzYxQnd5ejJlUnppZ1JQOUR5ckY0VXZTSkND
+                dzd3S3JYdngzeEx3djUKb2xJRXVBd0lVbEZ5MEdQN2FEaloxc05zYTYrMWJpVmU4
+                OHRlc0ZpNVJoWDJkOGErYVFrZlpmZS9wZUIvWU1mLwoKLS0tIHNqUFZCQ3RqVjIw
+                WTVxR21vUjdxWWdDa3F6QmRvQUdQTEllcTdpdGlKZHcKeFppXJ/3fVylNSYT3utw
+                5MErQHe5ATw0kWH1Sq6dmuRuCNRTFIrozk+wWvZCEehRZoP7Fr9yieTtWlRsgL6J
+                O5k=
+                -----END AGE ENCRYPTED FILE-----
+            - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHESKhLPhvJIFW5S8rXweS2i6c13sk6h1Oo6SSJwEsNr root@monolith
+              enc: |
+                -----BEGIN AGE ENCRYPTED FILE-----
+                YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFl3cDFOZyBidkUr
+                dDNqem5qNS9UUUNMSEl2M3JIcU5MYzgzdG5HQTZoMUZMc1liNTBZCm9veDZ6MlQv
+                Rm5NbzljWG1kRlRIV09iaVl2c2JPUGpqT1Y1YkNSZHRjQWsKLS0tIENDVXl3cTVs
+                MGtReUpHTDBqNTBpM09FWU1ETHJzTlJHa1UyUXk3bTIrRFUK7zV5PlkcUpgQCWqm
+                DVpUxUzh6tNWSwOqFsCKSXwxRdVPTZwHiO8+fpYKyk5gNA1WyhgkJl34qvcyh2rN
+                ZqPElPc=
+                -----END AGE ENCRYPTED FILE-----
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-03-05T16:50:53Z"
+    mac: ENC[AES256_GCM,data:Q0oAUxQb29WCm6HBhR2RTfNUA3upKHFYEiVOGftGd9MUMRGW4WP9jLgFZ9NQah1hIpdJWv9nNKNaJslpA5LmrYOIFMLCORbk8hJC+/Mg8HZa+mRARUGvGOebNC7p10rgsAIloaOK8/eFteENMcIhDqFBfWlqX+yoXJb5XsaHx4U=,iv:Tf8yIqyLA1wDx/dXj6KhU4eG6CLsrAaZjEVIm8uFZpo=,tag:hxJgbyMQ6cWboIs/40C7Xg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

system/secrets.nix

@@ -1,5 +1,22 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
+  environment.systemPackages = with pkgs; [
+    sops-master
+    gnupg
+  ];
+
+  sops = {
+    package = pkgs.sops-master;
+
+    defaultSopsFile = ../secrets/test.yaml;
+
+    secrets.hello = { };
+  };
+
+  environment.etc."teste-sops" = {
+    text = config.sops.secrets.hello.path;
+  };
+
   age = {
     identityPaths = [ "/root/.ssh/id_rsa" ];
     secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age;