4 files changed, 78 insertions, 0 deletions

diff --git a/hosts/kaitain/default.nix b/hosts/kaitain/default.nix
index defaa13..72aadff 100644
--- a/hosts/kaitain/default.nix
+++ b/hosts/kaitain/default.nix
@@ -51,6 +51,15 @@
   services.openssh.openFirewall = false;
   services.xserver.videoDrivers = lib.mkForce [ "vmware" "virtualbox" "modesetting" ];
 
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ../secrets/kaitain.yaml;
+
+    secrets = {
+      "nix-access-token-github" = {};
+    };
+  };
+
   system.stateVersion = "23.11";
 
   #systemd.user.services = let
diff --git a/hosts/richese/default.nix b/hosts/richese/default.nix
index a57e142..b049cde 100644
--- a/hosts/richese/default.nix
+++ b/hosts/richese/default.nix
@@ -48,6 +48,15 @@
   services.openssh.openFirewall = false;
   services.xserver.videoDrivers = lib.mkForce [ "vmware" "virtualbox" "modesetting" ];
 
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ../secrets/richese.yaml;
+
+    secrets = {
+      "nix-access-token-github" = {};
+    };
+  };
+
   system.stateVersion = "23.11";
 
   #systemd.user.services = let
diff --git a/hosts/secrets/kaitain.yaml b/hosts/secrets/kaitain.yaml
new file mode 100644
index 0000000..255695a
--- /dev/null
+++ b/hosts/secrets/kaitain.yaml
@@ -0,0 +1,30 @@
+nix-access-token-github: ENC[AES256_GCM,data:OcAY30aGdCEHyl6DW6mYOLI166w/bGBeTKQ645EG3lL0k1IHvu/ox/PG28AjlcCj4pZHeYxEVIYut6a9VoPNjRT3ohA=,iv:8kRcGkGm+6hWAQ0/0FwqDeS7i0GE8cyd0YsC9J6kl54=,tag:G1J/5pK9dQ2N29oz5byVuA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1fptscuj4qa39238xfvc7envgxr4cf29z3zaejp2v3q703tq45dasf8vadl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOQ0hGWkhrVE9jR2Z2NEpn
+            V1djakYwNzBrTHptZ2Fwc1VBdHNhcWJTRFNVCmpDNEgxaDVwQ2lBMk9hb2srSDEv
+            UmQ5MWV5eU9RYmMxL3MvZWU1VGpOQlUKLS0tIGJHbktSMzlETWpaOW9ieDJIZkZW
+            T3RjUlJTTys1MFlLQkZoa3hEVStZSG8KcDg7nsWpi4RReeEchZfEjASqKbvbozoO
+            PINQc7SBopkVahXFu5qJClGwszHecehRbTm6Z+NZmGW3e6zoST0+Eg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcG9Uem9EV242U2xUQXl0
+            TXFtWnluTEh1alJnaElLSEMvN2pKdkY4cmpjCnFhRC9TeHk0SlAvU1VXRHNaOC9R
+            eHhtVEp1UTh5T0RVdWREbU1ablpnU1EKLS0tIE9Dek1iSkgxTTlnYkpqMjlXUDh5
+            RUQzdEkrQTU1cC9OU1B3L1cva0JQTTQKzAuNy/7h5XyOIiQh/8fXfgri90dTW/qt
+            wn/snTnrukwPaeQXsAHQDvzueYxSEtHqk0WYT8sOAfuzOQP7wGoGFg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-18T18:32:59Z"
+    mac: ENC[AES256_GCM,data:YHZ+rkkVX2CX1XgLKFvSEf1Hg6i6wJwNV2IdMx8kjyWSVjAx2PQjKvy/dLFsqspo1FF4Bo++jyaEn0yxuouVful12Q/6RAhf1HRDXK0TjPTWf/vsCw0Mlv/zcPOKMEPG4ltP6bSDG6WtTtFx3Ck6stQwepF2omoVT2E4kj1KONM=,iv:uHs5N9sMfPn4+ZEaU6BlioESWy/BijUfYHu/5UrA4H8=,tag:b/lwx7ex21Jw0knpuy1TPw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
diff --git a/hosts/secrets/richese.yaml b/hosts/secrets/richese.yaml
new file mode 100644
index 0000000..45bb5e0
--- /dev/null
+++ b/hosts/secrets/richese.yaml
@@ -0,0 +1,30 @@
+nix-access-token-github: ENC[AES256_GCM,data:g+9Vi3SOLWFkZGb6KzlYdYmv9JSIoYd4OaOhAYZLrxlJKWqsa66Tc2z5dFWr/wyPbitxRAzQB1xRZI3CUbMWOWb06L8=,iv:kjdbr2KLLWfIsSNTCespLXdQ4BKm4caiRASaCYWKFHA=,tag:DBqjdPHnMCSa6obeSy0WzA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1wv08vfv7mlwkhkn2pkq0gd94a3wz0gc3x3eq0szxem05xg05nfhq2glvv9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTlJRaW10L2xsYUNLcmNY
+            K2ltQ1MzdWRzdEovZDN6eS9SNEIzWTJGQzBjCm1aMW00Tlc5OXlrdmlQNXJ0dU0r
+            SG5XNGRCTGVuTWV2cmpoZ2trZmE4RjgKLS0tIGcyMGpqejVLYVpYOFRaTlNzMXJB
+            UTVnbHNYNm5SNzVZR1NpNWp0WXhoRkEKcdkvqxMNqWX2S8Yrne6blNgr7T3AbEoH
+            2QNqkFinLqhvUWHIpZA+WE2+DF8JQckmmOr/TuS7J/2lYw4ImQEf2A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXT01vVUsvUDhJQ0dDcTY5
+            eU9FN0hSQ2hLRUd2d1B4SVBIWlphMStHU3hrCmFJeEJJVmRHYmF5VnJjcVVYT1Fy
+            Qk1kQWcwOWphMlNZcHhpcXNGWEE0WGcKLS0tIERUMlJGaHRQN0QvdGJtYlNXYlhi
+            MGt6VkNzc3hGU2FDVWxsM1Rqdk9qTkEKA5viW8YGBdqvLVLYEdzLWWggxQ2BrDOa
+            atzlSR0WjUsK316X4HtVMyllk0FvLy4QdUP40/XLgd5DpxZZds3OiQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-18T18:32:48Z"
+    mac: ENC[AES256_GCM,data:VvcWlUPFgdQ/YAioKnZzK69PYulZanKNQOan3cHLF8BRehkw1VvVFAmPW0cPLY66cMXFma9rFxaP5XAdRojs2J4ViOgzbhrCHYTVCSA3VTcgBZRTPAfTggztwoPKic0EhE2HxfykhQCrPVxqa23Z25x4q1LuWskE+BMbGubPSP0=,iv:bJnO2oE3ogvpXjCUFKd/+5RXO2udL5a2UXdBdb5Wfec=,tag:dbZR0/BQpPAL996Siyta/A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1