From 908b709439602a388b04da21672dcec1a3c7f1b4 Mon Sep 17 00:00:00 2001
From: derped <derped@ophanim.de>
Date: Sat, 15 Apr 2023 16:27:27 +0200
Subject: [PATCH] WIP sops for Lilim -> enable pure eval.

---
 .sops.yaml                  | 10 ++++++++++
 config/nix.nix              |  3 ++-
 config/users.nix            | 10 +++++-----
 flake.nix                   |  2 +-
 machines/Lilim/secrets.yaml | 36 ++++++++++++++++++++++++++++++++++++
 machines/Lilim/sops.nix     | 13 +++++++++++++
 6 files changed, 67 insertions(+), 7 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 machines/Lilim/secrets.yaml
 create mode 100644 machines/Lilim/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..b5b5429
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+  - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+  - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
+creation_rules:
+  - path_regex: machines/Lilim/[^/]+.yaml$
+    key_groups:
+    - pgp:
+      - *admins
+      age:
+      - *lilim
diff --git a/config/nix.nix b/config/nix.nix
index 427d0dd..9b0f94f 100644
--- a/config/nix.nix
+++ b/config/nix.nix
@@ -14,7 +14,8 @@ in {
       trusted-substituters = [
         "https://cache.nixos.org"
       ] ++ cfg.binaryCaches;
-      trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ];
+      # TODO: integrate into sops
+      # trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ];
       substituters = [
         "https://cache.nixos.org"
       ] ++ cfg.binaryCaches;
diff --git a/config/users.nix b/config/users.nix
index dd3ae24..56c24e9 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -7,7 +7,7 @@ let
     name = user.name;
     value = let
       cfg = config.services;
-      passPath = "${config.machine.secretPath}/${user.name}";
+      passPath = config.sops.secrets."users/${user.name}/password".path;
     in {
       isNormalUser = true;
       name = user.name;
@@ -22,9 +22,10 @@ let
         ++ (optional config.virtualisation.docker.enable "docker");
       shell = "${pkgs.zsh}/bin/zsh";
       passwordFile = passPath;
-      openssh.authorizedKeys.keyFiles = optional
-        (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
-        "${passPath}.pub";
+      # TODO: Fix for sops
+      # openssh.authorizedKeys.keyFiles = optional
+      #   (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
+      #   "${passPath}.pub";
     };
   };
 
@@ -36,7 +37,6 @@ let
        members = [ user.name ];
      };
    };
-
 in {
   users = {
     mutableUsers = false;
diff --git a/flake.nix b/flake.nix
index 9d9339c..f12e59a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
       name = machine;
       value = let
         machinePath = lib.concatStringsSep "/" [(toString ./.) "machines" machine];
-        machineFiles = fn.lst { p = machinePath; b = true; };
+        machineFiles = lib.filter (name: lib.strings.hasSuffix ".nix" name) (fn.lst { p = machinePath; b = true; });
       in nixpkgs.lib.nixosSystem {
         inherit system;
         specialArgs = attrs;
diff --git a/machines/Lilim/secrets.yaml b/machines/Lilim/secrets.yaml
new file mode 100644
index 0000000..9d79a99
--- /dev/null
+++ b/machines/Lilim/secrets.yaml
@@ -0,0 +1,36 @@
+users:
+    derped:
+        password: ENC[AES256_GCM,data:XpUNgLLdbzS31XaZm0PbZ6Q/6sDP66YP97VIOV7/ixExFSpJW0gfwIiHuj7ROCeAi8lqcKAnAcTuflUx378HUFtaZ9lSE9GQ26sWcrx9/PYOX0bYnn8nE7S7gVQgf83fIlrK,iv:duZ+xAg/6KgCjEYQbxV4Uhi6RbRhsWW/bHMnlDHzc0M=,tag:iN8uDzDmh7QAMO3ZYiYFLA==,type:str]
+        mail: ENC[AES256_GCM,data:hEQBzZ4IN9BmwA4s/wDUTFiKyuHl/iVep/xJT5fyOfTaQUPuBMWspDsdEG5g/h1dFf5ujHts2+rcWZiZTjiZbrqCj2/Ivsbqy5xG28VztGPh7M7439TMIq6LrgVUaNVmKxU7,iv:KosKUgGPYicjFSR9njgI/NGSQwBkZR46c6DKyiJITp4=,tag:XIC70j6adWTvvKJJojifPg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRENMb3h6MmZTNzVqb2VV
+            ZXdzM2FTQWhBOTBrMmdDTFBkV0xRV1lFb0JZCi9HTzJkdGVwQVg5QllaTEorbFBM
+            VU93RWw3Rmo5RDljT1FDN2dVZDA4RFEKLS0tIG4vdTFVV3EzRWs3dWZCQWg3c2dQ
+            MFUvaVRNZGlnNzZaZUFhaXI1MDhXQ3cKJdzmxVMVpwe7UUZ7lQ9lHvGz3D8kdKVf
+            S0Sp9GygQtB0PqmCTjR7FqgF+oD/nW3kBdNZPAnJ4jeRMgaZgi2TgA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-16T08:54:15Z"
+    mac: ENC[AES256_GCM,data:hiRA+VeF+MZfO8WaKju675Z6j4UeVZRe8JU11soZaaZ05R4FHtHJOfZWCrpUHniUTxp+lHFLkgSTH342g2LXEsIcTMPqtFTw87sxE8aPzReviO+b6EtAF3G88GMUI6qRdKi4RnD9msrfG18fU7VUvZ8xssX9Sxq1qB9KYnhC8tQ=,iv:y4Z8JqZrlN6BlpzRK+ayLsLTz9ZUYT98XlyR7XvmEtg=,tag:bWFEvstTkp3RCMwut97TEg==,type:str]
+    pgp:
+        - created_at: "2023-04-16T11:36:28Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DVbZwA9DOvl8SAQdAb3WEdeAdU7FDiAh2ilXcMd620+nq0byAYt5NLG+crQ4w
+            SoSqyKkd+oHRqv3Yty5s1eD7a2JlGxzpoPfAE6jlMTPVgevIidId3TN2vXi5MsNo
+            1GgBCQIQLxr5DWEkeSUN2UMez0+t/jfPv0/iQ5hxj/aNNXyBH8np4JXU18KT7LQL
+            Im/SlwUk+AhX8XTWeU94q5FTR1zEBQnZu0hCKCeeaHXyIwlXGgL/EuO7WddBRhVx
+            Id/w9ez1/+cpfA==
+            =seBV
+            -----END PGP MESSAGE-----
+          fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/machines/Lilim/sops.nix b/machines/Lilim/sops.nix
new file mode 100644
index 0000000..6dd02ef
--- /dev/null
+++ b/machines/Lilim/sops.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age = {
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+    # TODO: auto loop over users
+    secrets."users/derped/password".neededForUsers = true;
+  };
+}