From cf537f3c7b6e005a1f2e14871576827e7f9246b6 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Mon, 25 Sep 2023 21:03:23 +0200
Subject: [PATCH] [#5] adding sops support
---
 .sops.yaml | 16 ++++++++++++++++
 README.md | 25 +++++++++++++++++++++++++
 flake.lock | 40 +++++++++++++++++++++++++++++++++++++++-
 flake.nix | 4 ++++
 nixos/flake-module.nix | 2 +-
 nixos/roles/default.nix | 4 ++++
 6 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 nixos/roles/default.nix
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..825333b
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,16 @@
+keys:
+ - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+
+ - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
+
+creation_rules:
+ - path_regex nixos/machines/nyarlathotep/.*
+ key_groups:
+ - age:
+ *nerf
+ *nyarlathotep
+ # this is the catchall clause if nothing above machtes. Encrypt to users but not
+ # to machines
+ - key_groups:
+ - age:
+ *nerf
diff --git a/README.md b/README.md
index 03dc6fa..44e28aa 100644
--- a/README.md
+++ b/README.md
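Review bot: The first creation rule is not valid YAML as written — `- path_regex nixos/machines/nyarlathotep/.*` has no colon after the key, and the bare aliases `*nerf` / `*nyarlathotep` under `age:` are not a valid sequence (sops documents one `- ` item per recipient there), so the config file should fail to load and every sops operation in the repo will fail until it is fixed. The rule should read `- path_regex: nixos/machines/nyarlathotep/.*` with the recipients as list items `- *nerf` and `- *nyarlathotep`; the catch-all rule needs the same `- *nerf` list form. Indentation cannot be judged from this rendering of the hunk, so it is worth re-checking the file with a YAML linter once the colon is in. A small wording fix to the comment, `matches` for `machtes`, could go in at the same time.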
@@ -11,3 +11,28 @@ nix build .#nixosConfiguration..config.system.build.toplevel
 
 ### On the machine
 clone this repo to `/etc/nixos/` and `nixos-rebuild` that will select the appropriate machine based on hostname
+
+
+### sops
+
+We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix)
+As of right now we use only `age` keys.
+The machine keys are derived from their server ssh keys, that they generate at first boot.
+User keys are generated by the users.
+New keys and machines need entries into the `.sops.yaml` file within the root directory of this repo.
+
+To make a secret available on a given machine you need to do the following. Configure the following keys
+
+```
+sops.secrets.example-key = {
+ sopsFile = "relative path to file in the repo containing the secrets (optional else the sops.defaultSopsFile is used)
+ path = "optinal path where the secret gets symlinked to, practical if some programm expects a specific path"
+ owner = user that owns the secret file: config.users.users.nerf.name (for example)
+ group = same as user just with groups: config.users.users.nerf.group
+ mode = "premission in usual octet: 0400 (for example)"
+```
+afterwards the secret should be available in `/run/secrets/example-key`.
+If the accessing process is not root it must be member of the group `config.users.groups.keys`
+for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
+it the service config.
+
diff --git a/flake.lock b/flake.lock
index 4f71017..e3f7e40 100644
--- a/flake.lock
+++ b/flake.lock
@@ -104,11 +104,49 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1694908564,
+ "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "596611941a74be176b98aeba9328aa9d01b8b322",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "flake-parts": "flake-parts",
 "nixos-mailserver": "nixos-mailserver",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1695284550,
+ "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
 }
 },
 "utils": {
diff --git a/flake.nix b/flake.nix
index d2c7384..727dd91 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,6 +10,10 @@
 nixpkgs.follows = "";
 };
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
 outputs = inputs@{ flake-parts, ... }:
diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix
index cca5849..ef87e41 100644
--- a/nixos/flake-module.nix
+++ b/nixos/flake-module.nix
@@ -11,7 +11,7 @@
 pkgs.nixos {
 imports = [
 (import (./. + "/machines/${name}/configuration.nix") inputs)
- # inputs.secrets.nixosModules.default
+ inputs.sops-nix.nixosModules.sops
 ];
 };
 in lib.genAttrs machines makeSystem);
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
new file mode 100644
index 0000000..3c24242
--- /dev/null
+++ b/nixos/roles/default.nix
@@ -0,0 +1,4 @@
+{ ... } : {
+
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+}
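Review bot: The new `sops-nix` input in flake.nix only pins its `nixpkgs` to ours; the flake.lock hunk shows sops-nix also declares a `nixpkgs-stable` input (release-23.05) that nothing follows, so the lock now carries a second full nixpkgs node that has to be updated and reviewed separately from the main one. If this repo does not depend on what sops-nix uses that input for, adding `inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing follows line would collapse it to the one pinned tree; whether that is safe depends on sops-nix internals not visible here. The enclosing `inputs` attrset starts outside the hunk.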
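Review bot: Nothing in this commit imports the new `nixos/roles/default.nix` — `nixos/flake-module.nix` now imports only the per-machine `configuration.nix` and `inputs.sops-nix.nixosModules.sops` — so unless a machine configuration outside the diff pulls it in, the explicit `sops.age.sshKeyPaths` is never applied and hosts stay on whatever sops-nix derives by default. The README addition describes `sopsFile` as optional because `sops.defaultSopsFile` is the fallback, but that option is not set anywhere in the commit, so every `sops.secrets.*` entry will need an explicit `sopsFile` until it is. The body line is also unindented; I would indent it and add a header comment such as `# Machine age identity: derived from the ed25519 host key, matching the machine entries in .sops.yaml.`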