From 9bcc20b2d0ffe9a49eeb325acab973070e89c0d3 Mon Sep 17 00:00:00 2001
From: Zynh Ludwig <zynh0722@gmail.com>
Date: Fri, 27 Dec 2024 20:57:05 -0800
Subject: [PATCH] sops: user password

---
 .sops.yaml                         | 11 +++++++++++
 flake.lock                         | 23 +++++++++++++++++++++-
 flake.nix                          |  1 +
 hosts/permafrost/configuration.nix | 10 ----------
 modules/sops.nix                   | 16 +++++++++++++++
 modules/users.nix                  | 16 +++++++++++++++
 secrets.yaml                       | 31 ++++++++++++++++++++++++++++++
 7 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 modules/sops.nix
 create mode 100644 modules/users.nix
 create mode 100644 secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..4826b83
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+  users:
+    - &ravenshade age1zgd7qpj7vc4gjtetttqgp32aw75fmnjrw6ax2x2meul2w4jclytszvutdd
+  hosts:
+    - &permafrost age1scqfsfa4mqs033gt546fxyt6aa8a0ksngqs53lr9h0tt98hl4f9svwmrzj
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - age:
+          - *ravenshade
+          - *permafrost
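Review bot: `path_regex: secrets.yaml$` is anchored only at the end and leaves the dot unescaped, so it also matches paths such as `hosts/foo/secrets.yaml` or `old-secretsXyaml`, and any such file would silently be encrypted to this same user+host pair; anchor and escape it, `path_regex: ^secrets\.yaml$`. Having no catch-all rule is a good fail-closed choice — sops refuses to encrypt a file that matches no rule — so keep it and add one rule per file as hosts are added rather than loosening the regex. Both recipients sit in a single key group, so either the user key or the host key alone decrypts everything in the file; that is the normal sops-nix model, but it means a compromise of `permafrost` exposes the whole file, so keep this file per-host rather than turning it into a shared vault.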
diff --git a/flake.lock b/flake.lock
index fbe2b2c..5b457b0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -138,7 +138,8 @@
       "inputs": {
         "deploy-rs": "deploy-rs",
         "nixpkgs": "nixpkgs_2",
-        "nyazoom": "nyazoom"
+        "nyazoom": "nyazoom",
+        "sops-nix": "sops-nix"
       }
     },
     "rust-overlay": {
@@ -162,6 +163,26 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734546875,
+        "narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=",
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index ef7587f..9e6f43f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    sops-nix = { url = "github:mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
 
     deploy-rs.url = "github:serokell/deploy-rs";
 
diff --git a/hosts/permafrost/configuration.nix b/hosts/permafrost/configuration.nix
index 332d777..f363a42 100644
--- a/hosts/permafrost/configuration.nix
+++ b/hosts/permafrost/configuration.nix
@@ -15,21 +15,11 @@
     auto-optimise-store = true;
     experimental-features = [ "nix-command" "flakes" ];
 
-    trusted-users = [
-      "ravenshade"
-    ];
   };
 
   # Enable networking
   networking.networkmanager.enable = true;
 
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.ravenshade = {
-    isNormalUser = true;
-    description = "Zynh Ludwig";
-    extraGroups = [ "networkmanager" "wheel" ];
-  };
-
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
diff --git a/modules/sops.nix b/modules/sops.nix
new file mode 100644
index 0000000..e022a7c
--- /dev/null
+++ b/modules/sops.nix
@@ -0,0 +1,16 @@
+{ inputs, ... }:
+
+{
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    age = {
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+  };
+}
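Review bot: The `age` block configures two key sources at once — `sshKeyPaths` derives an age key from the ed25519 host key, while `keyFile` with `generateKey = true` makes sops-nix create `/var/lib/sops-nix/key.txt` on first activation — but `.sops.yaml` lists only one host recipient, so only one of them can ever match and the other is unused key material that still has to be protected and that nobody will notice is dead. Keep the source the `permafrost` recipient was actually derived from (presumably the host key via `ssh-to-age`; confirm) and drop the other, or add a comment explaining why both are kept. A line such as `# permafrost recipient in .sops.yaml is ssh-to-age of this host key; keyFile is not used` would make the coupling visible to the next person rotating keys. Note also that `defaultSopsFile = ../secrets.yaml` copies the file into the world-readable Nix store, which is acceptable only because the file is encrypted and MAC'd — nothing plaintext may ever be referenced this way.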
diff --git a/modules/users.nix b/modules/users.nix
new file mode 100644
index 0000000..c58cb2d
--- /dev/null
+++ b/modules/users.nix
@@ -0,0 +1,16 @@
+{ config, ... }:
+
+{
+  nix.settings.trusted-users = [ "ravenshade" ];
+
+  # users sops setup
+  sops.secrets."passwords/ravenshade".neededForUsers = true;
+  users.mutableUsers = false;
+
+  users.users.ravenshade = {
+    isNormalUser = true;
+    description = "Zynh Ludwig";
+    hashedPasswordFile = config.sops.secrets."passwords/ravenshade".path;
+    extraGroups = [ "networkmanager" "wheel" ];
+  };
+}
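Review bot: With `users.mutableUsers = false` and the only credential being `hashedPasswordFile` fed from a sops secret, a failed decryption on `permafrost` (host key rotated or reinstalled, secret not yet re-encrypted for it) leaves ravenshade without a usable password and root without any, i.e. a lockout with no recovery path on the box; add a credential that does not depend on sops, e.g. `openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA... ravenshade" ];`, or document the recovery procedure next to this block. `nix.settings.trusted-users = [ "ravenshade" ]` is root-equivalent (a trusted user can push arbitrary store paths and set any daemon setting), which is consistent with the account already being in `wheel`, but deserves a comment so it is not later copied onto a less privileged account. Nothing in this patch's diffstat adds `modules/users.nix` or `modules/sops.nix` to the host's `imports`, so unless the flake wires `modules/` in automatically, the user definition removed from `hosts/permafrost/configuration.nix` is not re-added anywhere — confirm the host still evaluates with the user present before deploying.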
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..84a8d09
--- /dev/null
+++ b/secrets.yaml
@@ -0,0 +1,31 @@
+passwords:
+    ravenshade: ENC[AES256_GCM,data:zWSMfn1NhvjJ41w8gh8rWHAGhhfx/m19CDT+V8opc/ToDqSC83ajHJ7g9wo5UFuTfVqd3hhw0+CLAINp/QFf10790UPZmiTqrQ==,iv:WYfg7XG1J68IxAaG5HA/9hXaAo3DPdArozUm0WQNtR0=,tag:jfgcLT1/cDxW5AgIbksIgA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1zgd7qpj7vc4gjtetttqgp32aw75fmnjrw6ax2x2meul2w4jclytszvutdd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WkhTajAvUFFiYlEvc1Zw
+            T2ZwUkwzdk83QkxVWERPalRBNWVuYVNpR2kwCk9oYVlrdlNrTzhNejdncVRodlRq
+            QzhsRHczY3ZTVHpmcHFiYkUvODhsZWcKLS0tIEtYbXJpbm4wekgyeVBvZWRTc2Jr
+            cGN4QUg4ZTFoT1RBMFBiS0QyWExpaTQKaEmohDZCYh1Rbf+e6g1FT9qyOdBVKYmO
+            eFVaLIcRFonu7nBhiiR+wfLPx8MNz8bJqugfGuMVPFs8BCFzeROJpw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1scqfsfa4mqs033gt546fxyt6aa8a0ksngqs53lr9h0tt98hl4f9svwmrzj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJbHpGY2pGRjltQWdsWDdp
+            Q1E1OVh4K3dxNmdPM3RlNVREVGRzckZRRlNvCnBrTWhLcTBoclRINUd4UEFuMUhO
+            eHZBRng5UVE4SFdSbVo2dnRScHJ6SVkKLS0tIENMUmJ3aFEzNXpoSWpzai9KUGFj
+            dUk3UkE4dEFTTlNqTmNMbkh2M0ZWSTgKBKhzo5inQL8LXWyiD7ZqjfXZpZFPWgM8
+            b4urS/bu1qvX12Nu4IYls/xLV6Tca5DJ5+cXfYMec4TcydlUVcxJLw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-28T05:25:33Z"
+    mac: ENC[AES256_GCM,data:8fnd7hhq3QplMCIL82VyHaWykHxoOzgovB8ij6B2B1f7C+h20PcaFlEZHWCb15L/kU6Hc3aL2rfkLR6DYAJnWRrTBLPyNHo0CvnUDTqVB0BU2asY27hPnAJZ2zBt6qdkk5enGf3qgKjQI+1HwftALhIstsiyiem8u/f4OX3HE0s=,iv:VU2SKF28hX4BXEFBhjZMiO+ZaNN7z5mVBviuzIc0vMA=,tag:5hJ/zR4r2BCVjQ7ZEM8V4g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
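Review bot: `unencrypted_suffix: _unencrypted` is sops's default and means any key later added to this file whose name ends in `_unencrypted` is committed in plaintext; if this file is meant to hold only secrets, pin that intent with `encrypted_regex` in `.sops.yaml` or at least note the convention in a comment there, since a misnamed key would leak silently on the next commit. The value under `passwords/ravenshade` is a password hash that any holder of either age private key can recover and crack offline, so it should come from a slow scheme (`mkpasswd -m yescrypt` or sha-512crypt; the hash type is not visible in the ciphertext here) and be backed by a strong password. The `mac` field authenticates the values, so a tampered committed file fails at decryption time — edit this file only through `sops secrets.yaml`, never by hand.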