-rw-r--r--.sops.yaml12
-rw-r--r--flake.nix2
-rw-r--r--home/root/kaitain.nix4
-rw-r--r--home/root/richese.nix4
-rw-r--r--hosts/kaitain/default.nix9
-rw-r--r--hosts/richese/default.nix9
-rw-r--r--hosts/secrets/kaitain.yaml30
-rw-r--r--hosts/secrets/richese.yaml30
8 files changed, 100 insertions, 0 deletions
diff --git a/.sops.yaml b/.sops.yaml
index 4e69c3b..3402464 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -17,7 +17,9 @@ keys:
- &arrakis age1mkqxkwse7hrnxtcgqe0wdzhhrxk55syx2wpcngemecz0d7hugsnqupw3de
- &darkstar age1z6g6etwcer433v97lwjrruetdh9fswkgjh9w702wzdc2ydvy5q8ssrfy9r
- &ginaz age1900zc5caephklavvjxp0g4qqvyqlzg3sux69y9p092g3d3qck3kqz62reh
+ - &kaitain age1fptscuj4qa39238xfvc7envgxr4cf29z3zaejp2v3q703tq45dasf8vadl
- &nipsy age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
+ - &richese age1wv08vfv7mlwkhkn2pkq0gd94a3wz0gc3x3eq0szxem05xg05nfhq2glvv9
creation_rules:
- path_regex: ^home/nipsy/secrets/arrakis.yaml$
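Review bot: The two new anchors `&kaitain` and `&richese` are added without any record of where the recipients come from, which matters for this file because re-keying is only possible if someone knows which private key they correspond to. From hosts/kaitain/default.nix and hosts/richese/default.nix in this same commit they are presumably the age identities derived from each host's `/etc/ssh/ssh_host_ed25519_key` (via `sops.age.sshKeyPaths`), but the `.sops.yaml` reader cannot see that. A one-line comment above each, `# age recipient derived from kaitain's /etc/ssh/ssh_host_ed25519_key; re-key hosts/secrets/kaitain.yaml if that host key is regenerated` (and the equivalent for richese), would make the dependency explicit. The `keys:` list this hunk edits starts above the hunk.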
@@ -48,3 +50,13 @@ creation_rules:
- age:
- *ginaz
- *nipsy
+ - path_regex: ^hosts/secrets/kaitain.yaml$
+ key_groups:
+ - age:
+ - *kaitain
+ - *nipsy
+ - path_regex: ^hosts/secrets/richese.yaml$
+ key_groups:
+ - age:
+ - *richese
+ - *nipsy
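Review bot: The two new `path_regex` values leave the `.` before `yaml` unescaped, so it is a regex wildcard rather than a literal dot; `path_regex: ^hosts/secrets/kaitain\.yaml$` and `path_regex: ^hosts/secrets/richese\.yaml$` pin the intended filenames. The practical risk is small (only a file named e.g. `kaitainXyaml` would be mis-matched), and the existing rule for `arrakis.yaml` at the end of the previous hunk follows the same unescaped convention, so this is a pre-existing style rather than a regression, but the two new rules are the natural place to start fixing it. Each rule correctly lists both the host recipient and `*nipsy`, which matches the recipient lists in the encrypted files added later in this commit.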
diff --git a/flake.nix b/flake.nix
index f87cd07..79444cf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -119,6 +119,7 @@
home-manager.users.root = import ./home/root/kaitain.nix;
home-manager.users.nipsy = import ./home/nipsy/kaitain.nix;
}
+ sops-nix.nixosModules.sops
];
};
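Review bot: `sops-nix.nixosModules.sops` is referenced here (and again in the second flake.nix hunk for richese) but the `sops-nix` flake input and the outputs-function argument that binds the name are both outside these hunks, so the page cannot confirm the name is in scope. If the input is new in this commit it should carry `inputs.nixpkgs.follows = "nixpkgs";` so the module does not pull in a second nixpkgs and so its `sops` package matches the system's. Both `modules = [ … ]` lists start above their respective hunks.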
@@ -174,6 +175,7 @@
home-manager.users.root = import ./home/root/richese.nix;
home-manager.users.nipsy = import ./home/nipsy/richese.nix;
}
+ sops-nix.nixosModules.sops
];
};
diff --git a/home/root/kaitain.nix b/home/root/kaitain.nix
index 83c92cd..72dbda0 100644
--- a/home/root/kaitain.nix
+++ b/home/root/kaitain.nix
@@ -3,4 +3,8 @@
imports = [
common/core
];
+
+ nix.extraOptions = ''
+ !include /run/secrets/nix-access-token-github
+ '';
}
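Review bot: The `!include` line has two non-obvious properties that deserve a comment, and the same applies to the identical hunk in home/root/richese.nix. First, the included file is parsed as nix.conf, so the decrypted secret must be a complete `access-tokens = github.com=<TOKEN>` line (placeholder), not the bare token — the encrypted value in hosts/secrets/kaitain.yaml cannot be checked from this page, so confirm its shape. Second, `!include` differs from `include` in that a missing file is silently ignored, which keeps the home-manager build from failing when `/run/secrets` does not exist at build time, but also means a failed sops decryption at boot leaves nix without a GitHub token and no error. I would add above the assignment: `# Secret must be a full nix.conf "access-tokens = github.com=…" line; !include (unlike include) silently skips a missing file, so a decrypt failure degrades to unauthenticated GitHub fetches rather than an error.`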
diff --git a/home/root/richese.nix b/home/root/richese.nix
index 83c92cd..72dbda0 100644
--- a/home/root/richese.nix
+++ b/home/root/richese.nix
@@ -3,4 +3,8 @@
imports = [
common/core
];
+
+ nix.extraOptions = ''
+ !include /run/secrets/nix-access-token-github
+ '';
}
diff --git a/hosts/kaitain/default.nix b/hosts/kaitain/default.nix
index defaa13..72aadff 100644
--- a/hosts/kaitain/default.nix
+++ b/hosts/kaitain/default.nix
@@ -51,6 +51,15 @@
services.openssh.openFirewall = false;
services.xserver.videoDrivers = lib.mkForce [ "vmware" "virtualbox" "modesetting" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../secrets/kaitain.yaml;
+
+ secrets = {
+ "nix-access-token-github" = {};
+ };
+ };
+
system.stateVersion = "23.11";
#systemd.user.services = let
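Review bot: `"nix-access-token-github" = {};` relies entirely on sops-nix defaults for the rendered secret (root-owned, mode 0400 as far as I recall the module's defaults), which is correct here because only root's home-manager config in home/root/kaitain.nix consumes `/run/secrets/nix-access-token-github`, but that coupling should be stated so nobody later loosens the mode to hand the token to another user. The same applies to the identical block in hosts/richese/default.nix. Suggested comment above `secrets`: `# Consumed only by root's nix.conf via !include (home/root/kaitain.nix); keep the default root:0400 ownership.` It is also worth noting next to `age.sshKeyPaths` that the age identity is derived from the host SSH key, so a host reinstall with a fresh key requires regenerating the recipient in .sops.yaml and running `sops updatekeys` on the secrets file before activation can decrypt it.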
diff --git a/hosts/richese/default.nix b/hosts/richese/default.nix
index a57e142..b049cde 100644
--- a/hosts/richese/default.nix
+++ b/hosts/richese/default.nix
@@ -48,6 +48,15 @@
services.openssh.openFirewall = false;
services.xserver.videoDrivers = lib.mkForce [ "vmware" "virtualbox" "modesetting" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../secrets/richese.yaml;
+
+ secrets = {
+ "nix-access-token-github" = {};
+ };
+ };
+
system.stateVersion = "23.11";
#systemd.user.services = let
diff --git a/hosts/secrets/kaitain.yaml b/hosts/secrets/kaitain.yaml
new file mode 100644
index 0000000..255695a
--- /dev/null
+++ b/hosts/secrets/kaitain.yaml
@@ -0,0 +1,30 @@
+nix-access-token-github: ENC[AES256_GCM,data:OcAY30aGdCEHyl6DW6mYOLI166w/bGBeTKQ645EG3lL0k1IHvu/ox/PG28AjlcCj4pZHeYxEVIYut6a9VoPNjRT3ohA=,iv:8kRcGkGm+6hWAQ0/0FwqDeS7i0GE8cyd0YsC9J6kl54=,tag:G1J/5pK9dQ2N29oz5byVuA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1fptscuj4qa39238xfvc7envgxr4cf29z3zaejp2v3q703tq45dasf8vadl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOQ0hGWkhrVE9jR2Z2NEpn
+ V1djakYwNzBrTHptZ2Fwc1VBdHNhcWJTRFNVCmpDNEgxaDVwQ2lBMk9hb2srSDEv
+ UmQ5MWV5eU9RYmMxL3MvZWU1VGpOQlUKLS0tIGJHbktSMzlETWpaOW9ieDJIZkZW
+ T3RjUlJTTys1MFlLQkZoa3hEVStZSG8KcDg7nsWpi4RReeEchZfEjASqKbvbozoO
+ PINQc7SBopkVahXFu5qJClGwszHecehRbTm6Z+NZmGW3e6zoST0+Eg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcG9Uem9EV242U2xUQXl0
+ TXFtWnluTEh1alJnaElLSEMvN2pKdkY4cmpjCnFhRC9TeHk0SlAvU1VXRHNaOC9R
+ eHhtVEp1UTh5T0RVdWREbU1ablpnU1EKLS0tIE9Dek1iSkgxTTlnYkpqMjlXUDh5
+ RUQzdEkrQTU1cC9OU1B3L1cva0JQTTQKzAuNy/7h5XyOIiQh/8fXfgri90dTW/qt
+ wn/snTnrukwPaeQXsAHQDvzueYxSEtHqk0WYT8sOAfuzOQP7wGoGFg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-18T18:32:59Z"
+ mac: ENC[AES256_GCM,data:YHZ+rkkVX2CX1XgLKFvSEf1Hg6i6wJwNV2IdMx8kjyWSVjAx2PQjKvy/dLFsqspo1FF4Bo++jyaEn0yxuouVful12Q/6RAhf1HRDXK0TjPTWf/vsCw0Mlv/zcPOKMEPG4ltP6bSDG6WtTtFx3Ck6stQwepF2omoVT2E4kj1KONM=,iv:uHs5N9sMfPn4+ZEaU6BlioESWy/BijUfYHu/5UrA4H8=,tag:b/lwx7ex21Jw0knpuy1TPw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/hosts/secrets/richese.yaml b/hosts/secrets/richese.yaml
new file mode 100644
index 0000000..45bb5e0
--- /dev/null
+++ b/hosts/secrets/richese.yaml
@@ -0,0 +1,30 @@
+nix-access-token-github: ENC[AES256_GCM,data:g+9Vi3SOLWFkZGb6KzlYdYmv9JSIoYd4OaOhAYZLrxlJKWqsa66Tc2z5dFWr/wyPbitxRAzQB1xRZI3CUbMWOWb06L8=,iv:kjdbr2KLLWfIsSNTCespLXdQ4BKm4caiRASaCYWKFHA=,tag:DBqjdPHnMCSa6obeSy0WzA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1wv08vfv7mlwkhkn2pkq0gd94a3wz0gc3x3eq0szxem05xg05nfhq2glvv9
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTlJRaW10L2xsYUNLcmNY
+ K2ltQ1MzdWRzdEovZDN6eS9SNEIzWTJGQzBjCm1aMW00Tlc5OXlrdmlQNXJ0dU0r
+ SG5XNGRCTGVuTWV2cmpoZ2trZmE4RjgKLS0tIGcyMGpqejVLYVpYOFRaTlNzMXJB
+ UTVnbHNYNm5SNzVZR1NpNWp0WXhoRkEKcdkvqxMNqWX2S8Yrne6blNgr7T3AbEoH
+ 2QNqkFinLqhvUWHIpZA+WE2+DF8JQckmmOr/TuS7J/2lYw4ImQEf2A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXT01vVUsvUDhJQ0dDcTY5
+ eU9FN0hSQ2hLRUd2d1B4SVBIWlphMStHU3hrCmFJeEJJVmRHYmF5VnJjcVVYT1Fy
+ Qk1kQWcwOWphMlNZcHhpcXNGWEE0WGcKLS0tIERUMlJGaHRQN0QvdGJtYlNXYlhi
+ MGt6VkNzc3hGU2FDVWxsM1Rqdk9qTkEKA5viW8YGBdqvLVLYEdzLWWggxQ2BrDOa
+ atzlSR0WjUsK316X4HtVMyllk0FvLy4QdUP40/XLgd5DpxZZds3OiQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-18T18:32:48Z"
+ mac: ENC[AES256_GCM,data:VvcWlUPFgdQ/YAioKnZzK69PYulZanKNQOan3cHLF8BRehkw1VvVFAmPW0cPLY66cMXFma9rFxaP5XAdRojs2J4ViOgzbhrCHYTVCSA3VTcgBZRTPAfTggztwoPKic0EhE2HxfykhQCrPVxqa23Z25x4q1LuWskE+BMbGubPSP0=,iv:bJnO2oE3ogvpXjCUFKd/+5RXO2udL5a2UXdBdb5Wfec=,tag:dbZR0/BQpPAL996Siyta/A==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1