[#5] adding sops support

.sops.yaml

@@ -0,0 +1,16 @@
+keys:
+  - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+
+  - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
+
+creation_rules:
+  - path_regex nixos/machines/nyarlathotep/.*
+    key_groups:
+      - age:
+          *nerf
+          *nyarlathotep
+  # this is the catchall clause if nothing above machtes. Encrypt to users but not
+  # to machines
+  - key_groups:
+      - age:
+          *nerf

README.md

@@ -11,3 +11,28 @@ nix build .#nixosConfiguration.<name>.config.system.build.toplevel
 ### On the machine
 clone this repo to `/etc/nixos/` and `nixos-rebuild` that will select
 the appropriate machine based on hostname
+
+
+### sops
+
+We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix)
+As of right now we use only `age` keys.
+The machine keys are derived from their server ssh keys, that they generate at first boot.
+User keys are generated by the users.
+New keys and machines need entries into the `.sops.yaml` file within the root directory of this repo.
+
+To make a secret available on a given machine you need to do the following. Configure the following keys
+
+```
+sops.secrets.example-key = {
+  sopsFile = "relative path to file in the repo containing the secrets (optional else the sops.defaultSopsFile is used)
+  path = "optinal path where the secret gets symlinked to, practical if some programm expects a specific path"
+  owner = user that owns the secret file: config.users.users.nerf.name (for example)
+  group = same as user just with groups: config.users.users.nerf.group
+  mode = "premission in usual octet: 0400 (for example)"
+```
+afterwards the secret should be available in `/run/secrets/example-key`.
+If the accessing process is not root it must be member of the group `config.users.groups.keys`
+for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
+it the service config.
+

flake.lock

@@ -104,11 +104,49 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1694908564,
+        "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "596611941a74be176b98aeba9328aa9d01b8b322",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "flake-parts": "flake-parts",
         "nixos-mailserver": "nixos-mailserver",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1695284550,
+        "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     },
     "utils": {

flake.nix

@@ -10,6 +10,10 @@
         nixpkgs.follows = "";
       };
     };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = inputs@{ flake-parts, ... }:

nixos/flake-module.nix

@@ -11,7 +11,7 @@
         pkgs.nixos {
           imports = [
             (import (./. + "/machines/${name}/configuration.nix") inputs)
-            # inputs.secrets.nixosModules.default
+            inputs.sops-nix.nixosModules.sops
           ];
         };
     in lib.genAttrs machines makeSystem);

nixos/roles/default.nix

@@ -0,0 +1,4 @@
+{ ... } : {
+
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+}