Add sops-nix

.sops.yaml

@@ -0,0 +1,9 @@
+keys:
+  - &tlater 535B61015823443941C744DD12264F6BBDFABA89
+  - &server_tlaternet 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
+
+creation_rules:
+  - key_groups:
+      - pgp:
+          - *tlater
+          - *server_tlaternet

configuration/default.nix

@@ -20,6 +20,11 @@
     trustedUsers = [ "@wheel" ];
   };
 
+  sops = {
+    defaultSopsFile = ../keys/external.yaml;
+    secrets.steam = { };
+  };
+
   boot.kernelParams = [ "highres=off" "nohz=off" ];
 
   networking = {

flake.lock

@@ -73,6 +73,7 @@
         "flake-utils": "flake-utils",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
         "tlaternet-templates": "tlaternet-templates",
         "tlaternet-webserver": "tlaternet-webserver"
       }
@@ -102,6 +103,26 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1649756291,
+        "narHash": "sha256-KTll8bCINAzIUGaaMrbn9wb5nfhkXRLgmFrWGR/Dku0=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c2614c4fe61943b3d280ac1892fcebe6e8eaf8c8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "tlaternet-templates": {
       "inputs": {
         "flake-utils": [

flake.nix

@@ -5,6 +5,11 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
     flake-utils.url = "github:numtide/flake-utils";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     tlaternet-webserver = {
       url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
       inputs = {
@@ -21,8 +26,8 @@
     };
   };
 
-  outputs = { self, nixpkgs, nixos-hardware, flake-utils, tlaternet-webserver
+  outputs = { self, nixpkgs, nixos-hardware, flake-utils, sops-nix
-    , tlaternet-templates, ... }@inputs:
+    , tlaternet-webserver, tlaternet-templates, ... }@inputs:
     let
       overlays = [
         (final: prev: {
@@ -53,6 +58,7 @@
             (import ./configuration)
             (import ./configuration/linode.nix)
             (import ./configuration/hardware-configuration.nix)
+            sops-nix.nixosModules.sops
           ];
         };
 
@@ -68,6 +74,7 @@
             (import ./modules)
 
             (import ./configuration)
+            sops-nix.nixosModules.sops
             ({ lib, ... }: {
               users.users.tlater.password = "insecure";
 
@@ -86,13 +93,20 @@
         };
       };
     } // flake-utils.lib.eachDefaultSystem (system:
-      let pkgs = import nixpkgs { inherit system overlays; };
+      let
+        pkgs = import nixpkgs { inherit system overlays; };
+        sops-pkgs = sops-nix.packages.${system};
       in {
-        devShell = with pkgs;
+        devShell =
-          mkShell {
+          pkgs.mkShell {
-            buildInputs = [
+            sopsPGPKeyDirs = ["./keys/hosts/" "./keys/users/"];
+            nativeBuildInputs = with sops-pkgs; [
+              sops-import-keys-hook
+            ];
+            buildInputs = with pkgs; with sops-pkgs; [
               nixfmt
               git-lfs
+              sops-init-gpg-key
 
               # For the minecraft mod update script
               (python3.withPackages (pypkgs:

keys/external.yaml

@@ -0,0 +1,52 @@
+steam: ENC[AES256_GCM,data:Jhk91uP3Ixo7H4I9kXEWeA==,iv:s8BcwGNF1vG8KI41FmQXOBbqZl8SnMZ9+YP6GKwHdtY=,tag:dW462jNJCtG4HWrkeQTUzw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-04-23T07:07:21Z"
+    mac: ENC[AES256_GCM,data:E9z+h2kejAobo3wIRBQFGyMfMHoeVREE+pEF9XoVZF8cQM4xC4tHub+eENsBIDeWoIcPtugLE9Xwzn9odyg92Vri/SzcaxrEXzsAcvFj6Ox2cN27h17OrkQBMKeA/tnMVg+uJxQesWZbrfcMsmd99X1W1RH5SMUwNrqjCsNxZ7s=,iv:pfi/EXgacNapdVlKP0UEMKdxi7s4YicfFcSopvwOrNA=,tag:RmMPwBYFZx2M5FJCVyhcLg==,type:str]
+    pgp:
+        - created_at: "2022-04-23T07:07:08Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzWu0p84AOApAQ/8DeQLvWBjQn3mNfmiPyH0NNj0d70FKbm546jFjBuVHW9h
+            P3KWVJF8pWdg17W5Hlu8xDPCCYmX5Rew3JznbEpyxIMUAUPS+HpwEWXvpKUMNhIj
+            VDcQ5cVkfiOc81gRKXLiWNmBP2lRKrjjmFBEbwZgHxW2Y9yzmzqsR97VWrBhkz9r
+            Rsif8Mi29LAbpG0lgVZSji7pzs/4EbclSQsfv6JSJMoA0bD3OdtyAmJh4dfUV31i
+            kzkOJ8WIAwYpvKXI4Jf3DuUS7njzdw4SRCgf5nuC8Ml1Kb4IvCwTsPEOaYRhCZIX
+            jUTmQ4DwiIZ+618Wzi6SHgdH1QZaS5e71n0rxPxsYY6UbCyDhrGNcXgn/p0DHP04
+            p+Hscl75IqJiMzlAnQobx111vw1f3oGgTuWYS78Tccpy/QgMtVf99CeVwp4fVkeU
+            iPGr5oy5KO3WF3EWvuK/A/eoiK208YRMcL+0hrFDuhTB7qnyCRBjTv+4SJdY3FiC
+            KA/syZ/+DioUVyEXNn8cttk0U9Wf5zub7s/9Ei7MQVVUgCvyZZDHFE+50d5UeVRm
+            WW5T38D3G+v6py8gkC4/noKndr6SzRgPBAVW/Ba9CZZtEulhA39U9M4Q9cCSyLCM
+            nAiu0ikOiDif4w+1fxeEA+BXp7uBbW9vz09jetfDkp+i4hvt41a9dwJpTmxWm57S
+            XgFQDuO+HdFs44Yw1gyJQKLK3YejSyoKIo5pN36yMGuYPw9B75Cx+MWJJihL5IHl
+            gTqNPiD3cIyFw9U+FYfvqdQz9Vo/dD8gF0G5Y5MVH0E9xNsSFuSWoA9H2Zl+Ops=
+            =W5PZ
+            -----END PGP MESSAGE-----
+          fp: 535B61015823443941C744DD12264F6BBDFABA89
+        - created_at: "2022-04-23T07:07:08Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA9ahl2ynTH87ARAAwKoe5UHRlt86d47oCSvXVV0JvRdw6K5VKDIyZr5FEAZD
+            VHDvZb7a0qlKuJsKiq5+3hZPkw9W9DLtpacxQdEoTUDQVAfVAi1pIKaJIYP7pSC3
+            LbcqNXucqJoKLKXHE0zCPAJdbTYOo804Z6iLRJRYwuLHfE17lVPMoJD9OjwZn1LS
+            ksJnki68YqQcFocRuUF/pq+bcd0ceV7YQiBIdO/89YyVPgviORXzlRZ5+hTpFjqd
+            rYFzgNBkHVRHUso8S9YNiFsU8dKVXBDS6LiykcKe9C6kEYDCe24VVHyrlj2s3isH
+            68PefnfQY5ZIBSDm2uwGmym1pSwhR015Ely/gqRx+T4qfCcAwva9ZPusXHzHu2+z
+            vwO83yeBXFbs4YFdHhh9GNbOfbBKCdPU0FAqQCuU0P7iVrCfjtTXdg622hn7x2YW
+            YwH5nlcm14/U39jOzWNketmyAiaOJ32ko3Ec63ELkGCb8+LR0eCPDNUNCQcnKGaU
+            yrTYnqUG6ODxdkhvq1JCsPKlZ/0pqiSQKBE1dGZBrcshZZ6SvdhO6hSimg3m+Mqn
+            wh5pcx/P5k3VXPovTRkRAU/U6RdYKs+qH1tXCBSMwjz4EU9VCYZbqLb1Bp/NfsPa
+            0CL50HA617ID0ofxOL8eT49xQJZZFFAArOMZmRGgsKrPAEYijnQ/593nci4DdozS
+            UAFrki95hH3EFygU3KkVdpULaOwc/0SWIPLZgmpFq2H5bKOqi9TL0IV3G00qEf5G
+            bOFb1q7pCAWMe5b6JH7MQRmSWwaoE4qhtmOkjHMOuqhA
+            =hTbV
+            -----END PGP MESSAGE-----
+          fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2

keys/hosts/tlaternet.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEADkGxU+/uxtkVsX9+Wycp6ikG9177NvCsXqROeuIIJ5nDWD+jrt
+jlO1ngL9vvOfE4mGNY839r86cbSocK2WCirVnPdh8K5o9X+YptA7yHoe8RHn0fZC
+wM1eGSDTMmtGvP00IXoMpktzU+GcrO/1XMFIshj/2KboUGYqRpqhfiNQXPcYlz4J
+QRXsPzPnAphSn9ausYb6f8qYn+ivSo9jKDHZL4FJJ2OkYsoo3sX8lMWCE3ON48QF
+9K4UU0Ru86/1sBW55AT5IzVTF7TKWAjnHi8v9Lzd7lVJy8ZLe1bioP75wCl3aE1N
+owE/H4hPKfYTjKHdNkU4c4HjsATU1Ak9hJXj7zMeI/J7JF+wD7ztYo4RZWZTPPNP
+k1ELmCXMNQp3Dujy54kXLi+d5ii4FK/q/G1n1ZdMjjEhem7LEpZXq8tNsHnzfnlK
+QDazAQvGb3Gnv4OuMe4CvvMNBNRiooikCejsBYswW9QkOguyivQHDx2UMqUVU8L0
+HCBzVi9JQKy2Dn1gKP9SDvotYZmS/VVe++wx+EkIIty3ecl1HpsxtqQgNaUewJiM
+NnBBgnwzKigqCqCUDjg+8KKh6AENtAeGa+LFZWw2pZ6ZiwcqjDIu0zoQVesCuF/Z
+zktNVPjIMTH2Cg4PTKccHIROHRjFJjn1fIAmQPoh3QjDHrUMSbtaTbfWIQARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQ1qGXbKdMfzsCGw8CGQEAABDNEAAjEKhsm0ukNqHQZzmIlYRL
+6ybTmeGOYczKlTM0h5EDTMSvPn89WuWPZCL/oyIOE+TKqkjEsBc4ej2YmxdHSS/f
+4WLOLqWre6Krs1qZ/eTBLU0LOwEtYYt8x44WN5K1GyyVyZAkGdIYO5NaQPP86m/H
+QzyZ+YRQvcqlUgNUmRIsq2F+X7kRKl9X+6zZDsM72aAEvOlWss/sn3Dca2omxaAB
+/b32P0r1ppCPXLk0QRbZM+D38CUaZIKWhKKvaifKaRhY1eTPv1OG8uFGrkYcxB9m
+GkOZh4Kbz4+Es5uM5uYSxNWWmqU5FX/D8qEzsn7OB+WH1wFLwp75oR8shy8FQ3B0
++JVBwJEmg+kBoYZHPjVHxp/z2h4drTQ/h2uulplWUuCpH8dLjCy3dHukEH1tw803
+34fCUxN5RTyOG3uGC/8cXZ7Xj5RnX0dso6g4/0kmy42S2EAoxB+L1CmuI02SBxCK
+9go7oyP9sUBQ59BA8W5Ab8a5+CpB/kWthGErtMcq56bNqA7S9+UgyqOJze4mqBVs
+qBFjYK1/aYbKIarXuw6cOuCZfXQIRex7IDVdW1ikKs4h3g2h0wBgnY+xOaFNUQxa
+I7gG4e+sBnlvlCyoyzstE/JjAQr9QC9qj30UB3iankyDZD/F1MfEx4HRm7f+V/4P
+PoGnDfqmEEn9P7j7sOJ0iw==
+=z4j4
+-----END PGP PUBLIC KEY BLOCK-----

keys/users/tlater.asc

@@ -0,0 +1,72 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF4nGvQBEAC7BhX6nCHHt/lmxnnu+z/GPJ9QPcNkXZuGtf9+GCBjUfkNpeuf
+4vbyX88jlqhBHYkLKqFeWitNH1bwJtk+0gslPLnXUcYDgKNu+JrWiJd+ygJptrDf
+Kh8wLRVoyKeSVURVMclAkHA328qgEPPQuIrPX6ILa2+xey3gOAW1jKm1teldQ6IB
+dt1OgzaglVWhKENWQt5VamkN+ABnBymalg2Z5nbgE3LO/QW1bnAXM1wpRUcK+v99
+b2KpoPVn44ZjWGXD3jLJAPxZcvanpT2RDaYhPLTrr8nRf2+i8BzA7BUHmzVZFF4h
+8J9N3da/+LINGCFVqHgMT8N7/ZZgXg7PwW+k8s2juhjyv5ycgzJlE2E679LoXJeJ
+jDmZdP/kFqa2FCQjfM4wpflB7EfmdNIbEIJ82kXaZOKG/cGjbEsQ8oZtGBV+Y0aH
+FMU/1LD0M+n+if7Ydw7RsMzgOnr4DEXYLtNtaOgebc/rZRu7Wkix+gvAYSTwV+ph
+eDSnFQZui1QXJ1gnzO6Hi4Xe4ChPwUrcIIAoJ07INWruF6nXo8h9dtpPOtMsIZ02
+Ena7OwfaCuKRf0hwNYERyZN+Lzc105BzUv0d9rsA6qlv4qlaG01Lz+2kdb1zhk7E
+8FYksFrdnSRwd1qYm4KKGJO/dKJat1sJI4ldK2rn2/O5Hrm9O9RaATT1QQARAQAB
+tDpUcmlzdGFuIERhbmnDq2wgTWFhdCAod29yaykgPHRyaXN0YW4ubWFhdEBjb2Rl
+dGhpbmsuY28udWs+iQJMBBMBCgA2FiEEU1thAVgjRDlBx0TdEiZPa736uokFAl4n
+HXICGwEECwkIBwQVCgkIBRYCAwEAAh4BAheAAAoJEBImT2u9+rqJy0oP/1rl/R4n
+oqJbVa4BCkUZI3wyVomibyodWed/nAFRT9BzapVWqrhYsZuOtv7Xy5/qzFHrxMOW
+9aaJ3Rz7lI72uy4o86AqwRdMmSsmgFDj+HEk98eUoZed3ijtAltR83xYzlpQuJ3+
+o+O+Vs+sUUAI57FZ/7RyEPzcxk/+9yU1aSGWGwjDP4tWR+Fe69kqCoCUskydU4IM
+Ss3LbNzEypVGG/GOa/rUlJ3n/XvG0HjjGm1g4tnelkE06zFDIbglhPKJNuLbeH1j
+RDUdj1iX81B5nFDr+ARr4zqS5PJFgyiQDxU7fDx55mTRuqQ8M/X8eYeK7PXn8w5U
+2DQgh1AEgfQrLbPdZ2lwf/aINHf5wRSGvxBKIAxXpsMt98RUfd+L//aPrl5Hwi6H
+ZKe0Pbkn/GwmKZq3iqd5uaN6vLqybl9cHHaQ58MPCb0guYAJD0higgrw1tgNMhX1
+RGAutfQCbgJhkzqgYQ2Ystd9ky+mf4L+d5Ct+ks9J/WkkjQ61A8WbtqR34iytE+P
+clR9Z+p1kgeF0mzN29ZYYrIxVFhxD7abBBZfzNLJPEmRiU7EstH0sqVtuD8G1Uec
+/u/v7NTECtUu1zq5BK09mV8ZkeqTkQKCx1iRyfD8JSFYYb3sGyYtCIaOvLnnQf93
+mhbzdlXAyHLshjzrHoF2TixCIpskMWx1zM/5tC1UcmlzdGFuIERhbmnDq2wgTWFh
+dCAodGxhdGVyKSA8dG1AdGxhdGVyLm5ldD6JAkwEEwEKADYWIQRTW2EBWCNEOUHH
+RN0SJk9rvfq6iQUCXica9AIbAQQLCQgHBBUKCQgFFgIDAQACHgECF4AACgkQEiZP
+a736uon/aA/6A0tn+otsfGfei9QxDgM255R1U76PdSVb2bEl4/IdSq4uw8CtM69b
+CesCoajj/qgXzEFhpijQ9pXZDpMDXk64EZtcO5T96RNXA8Oh5CkpnVXv2MOrFXVL
+Zc05EOh6qxMCRACliii7CyGExAbRU/TdhL86dWc06CAiMt0/vzYgHpy69jpomHsP
+OeWk8TghHsMHPHOpfk4sS8gYlvsKV7QDpW5sNPmbm/nCFr+PoR7R+BKnklhdX9HN
+d/Ha6KSXpEjzqIoI/X3TtYtTyhNdwZ0rbKPtQYqMi08dnr4INjED5kZvrVFr16s1
+nFp8CghrnnUq9t1hzFAnYTWX736/CU/0ZrANRVsaKdJ3tCey2OT+IdprYZlriFvO
+ZO9AD5BV/V/e+QFi7LUZEEmsK3AVFERmRxP+597ZyK4ozjc0s8aLI2q9O8GROGxR
+GHloGMH9Mv5T/gfBfyFtoMU3poYOHCfwvtt9sr5IuiaexsGKTSTqRUWhq9moiGb8
+mQxQnZwIoRuQkmcV1JlfuS2inSpnd/Ar7M+eFUjV/qjW4Pg6LUH5WQoZbTT/3TUS
+9qS1v10wLJNMIniYGZslh71yb937i6BsAKLzVP6VTsZgO4+8eoEpL46l1C/h/sTW
+gdWwG/cB8c3qgcYRTtn9t93TRofnxxr8pSVihe2TAzk6I1EKcf2DzymJAjMEEAEK
+AB0WIQTfYF3xdR5NoZx+auO0Z9GZCjri0AUCXiccgwAKCRC0Z9GZCjri0Mc3D/9X
+/OLjPBrwR2rnv7qGB8jhg304RskvYx/kzcSadp4JQhF8zD6Lzb+F/NRzaN09E9RD
+jsnF595UiOqQ9NUY1Ku0+1HicJHKg7chK11tQWQyjYZKyCc/WxoOye+G7LGjLLl0
+MpJ2uO/fgD5asF6ufXU0XDVPUGUBilM2NiEFuVRK51ZOmP7hrQYjMD+TSz3PfvT5
+xAyggGmDOswQGMYCRj2S/hIbTADkSVwG61OiPHWAKxIPaIK+MBJm04KM7bnZmTly
+4j7ZA9oj2MikMe2z5M99EYIIDauVy5N9R0qzaOcUCFZXDaoZpPfq1fwk5Aj9tG4S
+/FdlMZeYeJNHkk7ZNaZ0vdQf4P7lib6gv9V1XePB4WANoG1KRVSq8eVYQvlxlFhR
+EJjiuahoT59KhX1aC4tEmBo4yC0LwQ+G2Vw2DZMZHDo8IqP/wrAPGblyOlo09vr+
+Hqd7oyDSxiYFekttvLmS3wtD+Fz3X7xZ3NOooqemH1pKd4XYTTX2RNryEx+pIcMh
+Emkmyo9D8P/FgwB7qTj5ANOhEVY4zYWmYKDck8AlDe1VY/yQ8mo2cJWYKo1qdpI3
+mrdHBkDhNANwBfKBUu4zxrapBSrZvIYJd8YJjqvBX/EsqrQHb8Sf71HrZt8UILrQ
+WBhTC0/BETEay2BDgV8tP+9l3/lJyJZzRB8u6x4UtrkBDQReJx0UAQgAk+y5c4DR
+oWSiJvZMQ+w+Hz7hv4s8Q/xxvjVPmp921oYRk+qrMS963Qc9Zstn9RSI8ALZFksD
+gKDPZ+DAgF1FLkv9HqoggcE8iUU+WiYCVkxj4M67nmuOeUf/vIja4fxs/t0vJXkP
+U9/Hn2d5dyRyseZEYbxPdJvQGk6GJ1OO+h6hLos9GNrFB64SQug9j57YY2R5u+fU
+RwE/xg2YDb4xGH8sAyZkKRNFnfQ67cL1TdfcbKs9jrI2U6KFYbdWVbRgeWEQSlLS
+fIzQuUG73iHuo8FD2CKsag5smI9l4iV3W1UHEscc5soeDzLA2lH66sb/yl858bEJ
+KDci3k+wE3RQEwARAQABiQI7BBgBCgAmAhsMFiEEU1thAVgjRDlBx0TdEiZPa736
+uokFAmASBaMFCQPMHA8ACgkQEiZPa736uonUAw/4xh//cHEJ2UBgiei//8vBYR7E
+PB62NUmFXDphoAHB1xRMlFh3ljsU25hzXfTR1SyEvuYN9f7zmmW3ZmH0rV8xn0zb
+BCAORGmFm6auYV5x89Ika/ecoFAew8eeZbKuzT/ZWH9OEmGXoRP0eFAxDpOlEg85
+n+ErkRxnvc3VxUYt1swPhZ9Om/bZ26XzznJ11FztmYht6VXcB9jrpVwMjk5rAAAF
+LuK7Uiw9yQMaW8z7lcKQvAdiQ6j1TmGogIT3XAhVJkBNcMyb5qz+mylupMe69hs3
+L8I3PPMZJhT7ymll09KURChaGR8H3dohS2b/wLNdWoqMAyXqXWHDrZ83Uor/wzGh
+TQ6FHz0z8GMoiUgoU9GEQVu4vy2mjpR4vnHZ0pXP469rYdxQDkrfyuQSvbpYi9br
+ayllJQG8qoHXI92wugslD2CIeI14h8C14ZkOymI4uZCv0kR3mIxV9WVAanJyHVto
+HrYiHVt5TzJMqY0Eu3NPvr9W/B4x0srFOmM9MBivbTo4S3KDZEfRpqC5QCdw79qP
+spm35kqWIEpM+O4gc+zE4EHUbddu/68yXNaqvWRODg8mo8flFTZ5PvpIb/qNkPOG
+GDgPiiIae4ga6KNOS1STroHf63ort4G0zuQPzQg1N9ll4lo62OqDmW+25nzHC7yB
+PhCB2Dz76iQ5nDY4MQ==
+=R7Pm
+-----END PGP PUBLIC KEY BLOCK-----