From ea715d7924b03ee4ce3793a971b8cb4c13fab91a Mon Sep 17 00:00:00 2001
From: Polen
Date: Thu, 7 Nov 2024 09:57:00 -0500
Subject: [PATCH] secrets hidden / ready to be public

---
 .sops.yaml                   |  9 ++++++
 Makefile                     |  4 +++
 devices/pi/configuration.nix | 11 ++++++--
 flake.lock                   | 54 +++++++++++++++++++++++++++++++++++-
 flake.nix                    |  4 ++-
 secrets/secrets.yaml         | 18 ++++++------
 6 files changed, 86 insertions(+), 14 deletions(-)
 create mode 100644 .sops.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9b0bac5
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+  - &xps13 age1x8qsd7kxxjvan4psvnvua3r0emljsnq07agxnu6jqw56ky8z6faqyjq0e3
+  - &pi age1y2s7ah49jmhd8n05q7tw0gjcnv3390s0uxp3ewjqueekq7a7rvdqzytgd2
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *xps13
+      - *pi
diff --git a/Makefile b/Makefile
index 0549fd4..7a7fd27 100644
--- a/Makefile
+++ b/Makefile
@@ -1,2 +1,6 @@
 build-pi-image:
 	nix build .#nixosConfigurations.pi.config.system.build.sdImage --print-out-paths
+
+# Doest work yet
+rebuild-pi:
+	nixos-rebuild switch --flake .#pi --target-host polen@192.168.1.241 --use-remote-sudo
diff --git a/devices/pi/configuration.nix b/devices/pi/configuration.nix
index c70b039..5d1115b 100644
--- a/devices/pi/configuration.nix
+++ b/devices/pi/configuration.nix
@@ -2,7 +2,6 @@
 
 let
   user = "polen";
-  password = "password";
   hostname = "pi";
 in {
   boot = {
@@ -22,12 +21,20 @@ in {
     };
   };
 
+  sops.defaultSopsFile = ../../secrets/secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "/home/polen/.config/sops/age/keys.txt";
+
+  sops.secrets.pi_user_pass.neededForUsers = true;
+
   networking = {
     networkmanager.enable = true;
     wireless.enable = false;
     hostName = hostname;
   };
 
+  nix.settings.trusted-users = [ "polen" ];
+
   environment.systemPackages = with pkgs; [
     neovim
     tmux
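Review bot: The `&pi` recipient added in `keys` is not a recipient of the re-encrypted `secrets/secrets.yaml` in this same commit: its `age:` block (the `@@ -10,14 +8,14 @@` hunk) lists only `age1x8qsd…`, the `&xps13` key, so a host holding only the Pi key cannot decrypt `pi_user_pass`. Creation rules are applied when a file is next encrypted, not retroactively; run `sops updatekeys secrets/secrets.yaml` and commit the result so both recipients appear. The same mismatch applies to both `secrets/secrets.yaml` hunks.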
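Review bot: The `rebuild-pi` recipe bakes a LAN address and login into the repository and `--use-remote-sudo` additionally assumes `polen` has sudo on the target; making the host a variable keeps the target out of the committed file and documents the requirement: `PI_HOST ?= polen@192.168.1.241` above the target and `nixos-rebuild switch --flake .#pi --target-host $(PI_HOST) --use-remote-sudo` as the recipe. The comment should also read `# Doesn't work yet` and, ideally, say what is missing (presumably the trusted-user and SSH setup on the Pi).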
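Review bot: Removing `password = "password";` does not remove it from history, and the subject says the repository is about to be published, so that value should be treated as disclosed: the Pi account password must be rotated to a fresh value and the new `pi_user_pass` secret must not reuse it. A short note in the commit message or a `# password rotated after removal from history` comment near the user definition would record that this was done. The `let` binding on the first lines of this file is outside the hunk, so any other use of the removed `password` name cannot be checked from here.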
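Review bot: `sops.age.keyFile` points into `/home/polen`, but `sops.secrets.pi_user_pass.neededForUsers = true` makes sops-nix decrypt this secret during activation before users are created, and on a freshly written SD image built from this configuration that file presumably does not exist yet, so first boot would fail activation; keeping the key in a root-owned, image-provisioned location (or deriving it from the host SSH key via `sops.age.sshKeyPaths`) is the usual fix. Separately, `nix.settings.trusted-users = [ "polen" ]` is root-equivalent for the nix daemon (trusted users may set arbitrary substituters and import unsigned paths), which is fine for a wheel user but deserves a why-comment, e.g. `# root-equivalent on the nix daemon; required for the remote nixos-rebuild target`. The enclosing attribute set continues outside both hunks.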
@@ -45,7 +52,7 @@ in {
     mutableUsers = false;
     users."${user}" = {
       isNormalUser = true;
-      password = password;
+      hashedPasswordFile = config.sops.secrets.pi_user_pass.path;
       extraGroups = [ "wheel" "docker" ];
     };
   };
diff --git a/flake.lock b/flake.lock
index 16d5981..09d782c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,9 +16,61 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730602179,
+        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1730272153,
+        "narHash": "sha256-B5WRZYsRlJgwVHIV6DvidFN7VX7Fg9uuwkRW9Ha8z+w=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2d2a9ddbe3f2c00747398f3dc9b05f7f2ebb0f53",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1730883027,
+        "narHash": "sha256-pvXMOJIqRW0trsW+FzRMl6d5PbsM4rWfD5lcKCOrrwI=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c5ae1e214ff935f2d3593187a131becb289ea639",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     }
   },
diff --git a/flake.nix b/flake.nix
index 44c1acd..3120a63 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,9 +3,10 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    sops-nix.url = "github:Mic92/sops-nix";
   };
 
-  outputs = {nixpkgs, ...} @ inputs: {
+  outputs = {nixpkgs, sops-nix ,...} @ inputs: {
     nixosConfigurations = {
       default = nixpkgs.lib.nixosSystem {
         specialArgs = {inherit inputs;};
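Review bot: `hashedPasswordFile` expects the referenced file to contain a password hash (as produced by `mkpasswd`), whereas the removed `password` option took cleartext; if the new `pi_user_pass` secret still holds a plain password, login will silently fail because the string is compared as a hash. The secret's expected format should be stated next to the line: `# secret must hold a password hash (mkpasswd -m sha-512), not cleartext`. The new line also references `config`, which must be bound in the module's argument pattern on line 1, outside every hunk of this file.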
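Review bot: `sops-nix` carries its own `nixpkgs` and `nixpkgs-stable` inputs (they appear as `nixpkgs_2` and `nixpkgs-stable` in the flake.lock hunk), so this commit pins two additional nixpkgs trees that are updated independently of the system's; adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` beside the url keeps the module evaluated against the single pinned nixpkgs and shrinks the lock file. The unpinned `github:Mic92/sops-nix` url is acceptable only because flake.lock records the revision, which a comment could note. The pattern `{nixpkgs, sops-nix ,...}` should be `{nixpkgs, sops-nix, ...}`.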
@@ -21,6 +22,7 @@
         modules = [
           "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix"
           ./devices/pi/configuration.nix
+          sops-nix.nixosModules.sops
           {
             sdImage.compressImage = false;
             nixpkgs.overlays = [
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index d915753..31da3d2 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -1,6 +1,4 @@
-home_ssid_password: ENC[AES256_GCM,data:HIa5aXWpKOplJEnoU7Zb,iv:iHlZacIaxQAU4R1tYa/pe3hSDZ362V5xzUS6Vzq+WrM=,tag:1KimN0cbHO4rsa8oEgodZQ==,type:str]
-pi:
-    password: ENC[AES256_GCM,data:b0v9Y6WBhlBadiEvtA==,iv:xgQm/eDyOPQnTGN18OJhsJLnrRId08X+weuL1MaSxVA=,tag:ljIVNf3F9Wog6YIo8KoyoA==,type:str]
+pi_user_pass: ENC[AES256_GCM,data:X5u07UvEov5eYWks,iv:SPDFU01/5WThCSZjj1pExNZENhmIG2W6LvHfpPH5TS0=,tag:z5bhJ2TrX6Bevd40O1nPxg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -10,14 +8,14 @@ sops:
         - recipient: age1x8qsd7kxxjvan4psvnvua3r0emljsnq07agxnu6jqw56ky8z6faqyjq0e3
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRERMSmlNaW9IS2JnTjZ4
-            R05QR0RiSDF5VEFKTnZxUFJhR2hLTEwrNVhVCk1XUFhSb0lnUzYrOUxTSVpCaHpI
-            MWFDc0k2QS9VQ3oyb1A1OHhJWW9MUFEKLS0tIHpRYWY0R1ZEVHhTR3BWV0JFZ255
-            YVRBRytnc3VtM1NtbTNaN29DZjU0TmcKPrRqR+UbN/WjSCk15AVIlVW9dv8H+CLQ
-            /YJUKHsgMaspBDipyPL5YJX/jGNZYgRrOGepCaUGUMaGmd6yEnZBVg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxN2ZzTUpSeWRWejVxVm4y
+            dzF3MU9DOTBTZUF0Y3I2SUVURGZCZDBqTVV3ClNwL29hejN2OFdVaHk2TEppNWFj
+            V3NYcEM4RHNyWUszWFlLa2pXa2FyVmsKLS0tIExOL254cGh4RkJDandqZzJ2RjRi
+            b3AxOTd2VmdHdXd5c3NNTkJoYW12bUUKbX199Z7jI6nornm0erzm7dSQ+XuxAnXb
+            glw60TnUSnLUWIHTTx/jVSRR4uO5I6FzxUUfVJ2BMOn/eUNa5BJ70A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-28T15:37:46Z"
-    mac: ENC[AES256_GCM,data:SlzSXZdB37Iohns3WDLeQ5tS25utXcCSjXYuGgK8NPz3E1IGVM7dwZoQ7A2n0SHw5+j9gDuw6aPEP7ediBwgS0882uzBBgCHNLZCDwVf3uAdn1CvqTT5DeXfjBufrziuxnLpYo3ajqwdh0j54ILkad5iltXiwlYkGK/qj/wYJTo=,iv:OKudO04rv66DE2vYPleOy377jVn+sRLIazbs2A8ywgQ=,tag:Zy6oyaZm+5ukH78fbm5rVA==,type:str]
+    lastmodified: "2024-11-07T04:04:03Z"
+    mac: ENC[AES256_GCM,data:7UGKhfZg3SNg1f74nQiax4F7CB8NC12uIpTlQDtb8d1iiu5AdPZHwzlkpXbzkIp26g61pI8qXcvdjmToWjaWzsbUZ2Mo8/HEzOtV8HzxAeQFAyYBhIFAS0q0WzN/yijI7fQeHKnhZ/YCUuHQAZ94bBBSnkVTVOKf6mR7Pu1klr4=,iv:DzOwKxrcJse6yyOw+l7+wgEGBI36HWnebLE7js4VRiE=,tag:BIR67kZzZJZo+Kfie4wIvw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1