schickling · schickling · Mar 26, 2023
diff --git a/.envrc b/.envrc
@@ -7,6 +7,8 @@ then
     use_flake
 fi
 
+export SOPS_AGE_KEY_FILE="$XDG_CONFIG_HOME/sops/age/keys.txt"
+
 # export AWS_ACCESS_KEY_ID=""
 # export AWS_SECRET_ACCESS_KEY=""
 # export AWS_DEFAULT_REGION=""

diff --git a/.gitignore b/.gitignore
@@ -13,6 +13,9 @@ nvim
 # nix
 environment.d
 
+sops
+.decrypted~*
+
 # set up by nix HM
 git/config
 

diff --git a/.sops.yaml b/.sops.yaml
@@ -0,0 +1,13 @@
+keys:
+  # Personal SSH from 1Password
+  - &personal_schickling_1pw age19v8zkzv2ut8t3yz6zcvu5u93lf7h0gwn0w9a0srhk2gnm936s94q9qfsqh
+  # TODO other keys
+creation_rules:
+  - path_regex: .*\/secrets\.yaml$
+    key_groups:
+      - age:
+          - *personal_schickling_1pw
+  # - path_regex: .*\/ssh\.nix$
+  #   key_groups:
+  #     - age:
+  #         - *personal_schickling_1pw
diff --git a/flake.nix b/flake.nix
@@ -35,6 +35,8 @@
               buildInputs = [
                 pkgs.home-manager
                 pkgs.nixos-rebuild # needed for remote deploys on macOS
+                pkgs.sops
+                pkgs.ssh-to-age
               ];
             };
           };

diff --git a/nixpkgs/home-manager/mbp2021.nix b/nixpkgs/home-manager/mbp2021.nix
@@ -28,6 +28,8 @@
 
     set -x PATH $PATH "/Applications/Visual Studio Code.app/Contents/Resources/app/bin"
 
+    set -x SOPS_AGE_KEY_FILE "$XDG_CONFIG_HOME/sops/age/keys.txt"
+
     # nix-darwin binaries
     set -x PATH $PATH "/run/current-system/sw/bin/"
 

diff --git a/nixpkgs/home-manager/modules/common.nix b/nixpkgs/home-manager/modules/common.nix
@@ -44,6 +44,8 @@
     # nodejs # Node 18
     # (yarn.override { nodejs = nodejs-18_x; })
 
+    # https://github.com/mozilla/sops
+    sops # secrets management
 
     python38
     jq
@@ -88,4 +90,13 @@
     enable = true;
   };
 
+  # https://wiki.archlinux.org/title/XDG_Base_Directory
+  xdg = {
+    enable = true;
+    configHome = "${config.home.homeDirectory}/.config";
+    cacheHome = "${config.home.homeDirectory}/.cache";
+    dataHome = "${config.home.homeDirectory}/.local/share";
+    stateHome = "${config.home.homeDirectory}/.local/state";
+  };
+
 }
diff --git a/todo/secrets.yaml b/todo/secrets.yaml
@@ -0,0 +1,21 @@
+hello: ENC[AES256_GCM,data:OyOusr00,iv:X066T3OuqTYuzWx2rKEnoen6qxQ8hS3DVmkLmb4+s4s=,tag:7dgyruclS26CorHiCVy2HA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19v8zkzv2ut8t3yz6zcvu5u93lf7h0gwn0w9a0srhk2gnm936s94q9qfsqh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVYzN0MDduTUsxdzYxVTM1
+            dnI0RkZkWi9sMjlmdVVyeHdndEZwaVFXdnljCk1rb1NzY3FsejNBbnJvWVd4cW5M
+            VUlBTEFwOUlLQklIRGplWHZvSmM2TTgKLS0tIEpOMjMyL3VhQ2NnZnFwaXZPYXZi
+            NzNUMkxhTENWU25DRTRDWktkcUdNVncK8AKGoeN5rYEyyJDERv2c9kW7j+V9cQns
+            k+1QD9b1CQSk1fVZbur+QpCmGe/Xi9DfQiVwcxkJvYrCYl8vb1FCxg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-03-26T21:12:46Z"
+    mac: ENC[AES256_GCM,data:eo7vLs5bZ3WqNFuWBwOFPXLIsV5vxDszvvHRfsjdL4qaUJxBgP6dpx8dBRpdOHm0+r9W1yNFsrdYDyXgi9YNDYYSLls0EjHekBQrTKYum0tNNCvIZIWS5N6NoKMjz9MbixmFk8fd4609zZX1atwq4ftcioCSZ8XRTirBw5zotd0=,iv:tzOj9RB/FYwFhXEDjCO64Gi1fxBbuyJUXmv7KVl/mS8=,tag:2BQRjH3xcZ8YmlBRjOVhyw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3