From 5e18975b9b87262713e6c5dcb36b343f17b70d52 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Tue, 22 Jul 2025 22:18:34 +0200
Subject: [PATCH] sops: generate the config with nix
---
 .sops.yaml | 53 ---------------------------------------
 flake.nix | 1 +
 flake/packages.nix | 37 +++++++++++++++++++++++++++
 hosts/alto/default.nix | 6 +++--
 hosts/cirrus/default.nix | 6 +++--
 hosts/cumulus/default.nix | 6 +++--
 hosts/fern/default.nix | 6 +++--
 hosts/north/default.nix | 6 +++--
 modules/home/sops.nix | 16 ++++++++----
 modules/system/sops.nix | 16 ++++++++----
 users/seb/@fern/home.nix | 1 +
 users/seb/@north/home.nix | 5 +++-
 12 files changed, 85 insertions(+), 74 deletions(-)
 delete mode 100644 .sops.yaml
 create mode 100644 flake/packages.nix
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index a905bf4..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-keys:
- - &admin age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
-
- # Hosts
- - &alto age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t
- - &cirrus age1dnpwfwh0h95r63e5qfjc2gvffw2tr2tx4new7sq2h3qs90kx9fmq322mx4
- - &cumulus age1dnru7l0agvnw3t9kmx60u4vh5u4tyd49xdve53zspxkznnp9f34qtec9dl
- - &fern age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
- - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
-
- # Users
- - &seb-fern age190mf9wx4ct7qvne3ly9j3cj9740z5wnfhsl6vsc5wtfyc5pueuas9hnjtr
- - &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
-creation_rules:
- # Hosts
- - path_regex: hosts/alto/secrets.json$
- key_groups:
- - age:
- - *admin
- - *alto
- - path_regex: hosts/cirrus/secrets.json$
- key_groups:
- - age:
- - *admin
- - *cirrus
- - path_regex: hosts/cumulus/secrets.json$
- key_groups:
- - age:
- - *admin
- - *cumulus
- - path_regex: hosts/fern/secrets.json$
- key_groups:
- - age:
- - *admin
- - *fern
- - path_regex: hosts/north/secrets.json$
- key_groups:
- - age:
- - *admin
- - *north
-
- # Users
- - path_regex: users/seb/@fern/secrets.json$
- key_groups:
- - age:
- - *admin
- - *seb-fern
- - path_regex: users/seb/@north/secrets.json$
- key_groups:
- - age:
- - *admin
- - *seb-north
diff --git a/flake.nix b/flake.nix
index e2a548e..09f7be5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,6 +74,7 @@
 ./flake/formatter.nix
 ./flake/hosts.nix
 ./flake/modules.nix
+ ./flake/packages.nix
 ];
 };
 }
diff --git a/flake/packages.nix b/flake/packages.nix
new file mode 100644
index 0000000..0c26f25
--- /dev/null
+++ b/flake/packages.nix
@@ -0,0 +1,37 @@
+{ self, ... }:
+{
+ perSystem =
+ { pkgs, lib, ... }:
+ {
+ packages.sops-config =
+ let
+ adminKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
+
+ mkCreationRule = sopsCfg: {
+ path_regex = sopsCfg.secretsFile;
+ key_groups = lib.singleton {
+ age = [
+ adminKey
+ sopsCfg.agePublicKey
+ ];
+ };
+ };
+
+ hostCreationRules =
+ self.nixosConfigurations
+ |> lib.filterAttrs (_: value: value.config.custom.sops.enable or false)
+ |> lib.mapAttrsToList (_: value: mkCreationRule value.config.custom.sops);
+
+ userCreationRules =
+ self.nixosConfigurations
+ |> lib.filterAttrs (_: value: value.config.home-manager.users.seb.custom.sops.enable or false)
+ |> lib.mapAttrsToList (_: value: mkCreationRule value.config.home-manager.users.seb.custom.sops);
+
+ jsonConfig = { creation_rules = hostCreationRules ++ userCreationRules; } |> builtins.toJSON;
+ in
+ pkgs.runCommand "sops-config" { buildInputs = [ pkgs.yj ]; } ''
+ mkdir $out
+ echo '${jsonConfig}' | yj -jy > $out/sops.yaml
+ '';
+ };
+}
diff --git a/hosts/alto/default.nix b/hosts/alto/default.nix
index f907d41..7015a33 100644
--- a/hosts/alto/default.nix
+++ b/hosts/alto/default.nix
@@ -8,9 +8,11 @@
 };
 custom = {
- sops.enable = true;
+ sops = {
+ enable = true;
+ agePublicKey = "age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t";
+ };
 boot.loader.systemdBoot.enable = true;
-
 users.seb.enable = true;
 services = {
diff --git a/hosts/cirrus/default.nix b/hosts/cirrus/default.nix
index 1400119..81e5120 100644
--- a/hosts/cirrus/default.nix
+++ b/hosts/cirrus/default.nix
@@ -8,9 +8,11 @@
 };
 custom = {
- sops.enable = true;
+ sops = {
+ enable = true;
+ agePublicKey = "age1dnpwfwh0h95r63e5qfjc2gvffw2tr2tx4new7sq2h3qs90kx9fmq322mx4";
+ };
 boot.loader.grub.enable = true;
-
 users.seb.enable = true;
 services = {
diff --git a/hosts/cumulus/default.nix b/hosts/cumulus/default.nix
index 3bd157a..afb4d3e 100644
--- a/hosts/cumulus/default.nix
+++ b/hosts/cumulus/default.nix
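Review bot: `path_regex = sopsCfg.secretsFile` in mkCreationRule hands sops a literal repository path as a regular expression, unescaped and unanchored, whereas the deleted `.sops.yaml` anchored every rule with `$`; since `.` matches any character and sops applies the first matching rule, a rule can claim paths other than its own secrets file. `"^" + lib.escapeRegex sopsCfg.secretsFile + "$"` binds each key group to exactly its file. The build script also splices the JSON into a single-quoted `echo` argument, so any quote in a `secretsFile` value turns configuration into shell syntax; writing the JSON with `pkgs.writeText` and redirecting it into `yj` sidesteps the quoting and the argument-length limit. `yj` runs at build time and belongs in `nativeBuildInputs`. The rewritten lines are below.
```nix
          mkCreationRule = sopsCfg: {
            # secretsFile is a literal repo-relative path, not a pattern: escape it and anchor both ends
            path_regex = "^" + lib.escapeRegex sopsCfg.secretsFile + "$";
            # … unchanged: key_groups …
          };
          # … unchanged: hostCreationRules, userCreationRules, jsonConfig …
          jsonFile = pkgs.writeText "sops-config.json" jsonConfig;
        in
        pkgs.runCommand "sops-config" { nativeBuildInputs = [ pkgs.yj ]; } ''
          mkdir $out
          yj -jy < ${jsonFile} > $out/sops.yaml
        '';
```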
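Review bot: The `agePublicKey` value added in hosts/alto/default.nix — and likewise in the cirrus, cumulus, fern and north hunks — is a bare string with nothing recording which private key it belongs to; modules/system/sops.nix decrypts with `/etc/ssh/ssh_host_ed25519_key`, so the recipient must be the age key derived from that host key (presumably via ssh-to-age), and a stale or mistyped value only surfaces when decryption fails on the host. A one-line comment above each value, `# age recipient of this host's /etc/ssh/ssh_host_ed25519_key (see modules/system/sops.nix); regenerate if the host key is rotated`, records the coupling. The lone `-` before `users.seb.enable = true;` reads as a removed blank line rather than a removed option, which is worth confirming since the latter would be an unrelated behavioural change.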
@@ -13,9 +13,11 @@
 };
 custom = {
- sops.enable = true;
+ sops = {
+ enable = true;
+ agePublicKey = "age1dnru7l0agvnw3t9kmx60u4vh5u4tyd49xdve53zspxkznnp9f34qtec9dl";
+ };
 boot.loader.grub.enable = true;
-
 users.seb.enable = true;
 services = {
diff --git a/hosts/fern/default.nix b/hosts/fern/default.nix
index c863c3f..9e48c51 100644
--- a/hosts/fern/default.nix
+++ b/hosts/fern/default.nix
@@ -4,12 +4,14 @@
 boot.kernelPackages = pkgs.linuxPackages_latest;
 custom = {
- sops.enable = true;
+ sops = {
+ enable = true;
+ agePublicKey = "age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e";
+ };
 boot = {
 loader.systemdBoot.enable = true;
 silent = true;
 };
-
 users.seb = {
 enable = true;
 zsh.enable = true;
diff --git a/hosts/north/default.nix b/hosts/north/default.nix
index 62ad8b1..e4cd694 100644
--- a/hosts/north/default.nix
+++ b/hosts/north/default.nix
@@ -4,12 +4,14 @@
 boot.kernelPackages = pkgs.linuxPackages_latest;
 custom = {
- sops.enable = true;
+ sops = {
+ enable = true;
+ agePublicKey = "age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc";
+ };
 boot = {
 loader.systemdBoot.enable = true;
 silent = true;
 };
-
 users.seb = {
 enable = true;
 zsh.enable = true;
diff --git a/modules/home/sops.nix b/modules/home/sops.nix
index 73cc8ef..37c1a56 100644
--- a/modules/home/sops.nix
+++ b/modules/home/sops.nix
@@ -7,30 +7,36 @@
 }@moduleArgs:
 let
 cfg = config.custom.sops;
+
+ absoluteSecretsPath = "${self}/" + cfg.secretsFile;
 in
 {
 imports = [ inputs.sops-nix.homeManagerModules.sops ];
 options.custom.sops = {
 enable = lib.mkEnableOption "";
+ agePublicKey = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
 hostName = lib.mkOption {
 type = lib.types.nonEmptyStr;
 default = moduleArgs.osConfig.networking.hostName or "";
 };
- defaultSopsFile = lib.mkOption {
- type = lib.types.path;
- default = "${self}/users/${config.home.username}/@${cfg.hostName}/secrets.json";
+ secretsFile = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "users/${config.home.username}/@${cfg.hostName}/secrets.json";
 };
 secrets = lib.mkOption {
 type = lib.types.anything;
- default = cfg.defaultSopsFile |> builtins.readFile |> builtins.fromJSON;
+ default = absoluteSecretsPath |> builtins.readFile |> builtins.fromJSON;
 };
 };
 config = lib.mkIf cfg.enable {
 sops = {
 age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
- inherit (cfg) defaultSopsFile;
+ defaultSopsFile = absoluteSecretsPath;
 };
 };
 }
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index df3a9bf..1de270a 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
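Review bot: `agePublicKey` in modules/home/sops.nix is declared with `type = lib.types.nonEmptyStr` and `default = ""`, and the modules/system/sops.nix hunk does the same; the module system type-checks the default together with the definitions, so a configuration that enables sops without setting the key fails with a type error about `""` rather than a message that the option must be set — if the empty default is meant as a must-be-set guard, declaring the option without a `default` yields the clearer "used but not defined" error. A tighter type, e.g. `type = lib.types.strMatching "age1[a-z0-9]{58}";`, would reject a truncated or mistyped recipient at evaluation time instead of producing a creation rule that encrypts to an unusable key. Neither new option has a `description`; `secretsFile` in particular is read two ways — joined to `${self}/` as a file path here and used as the `path_regex` of the generated creation rule in flake/packages.nix — and the option description should state that the value is a repository-relative path that must match the file exactly.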
@@ -7,26 +7,32 @@
 }:
 let
 cfg = config.custom.sops;
+
+ absoluteSecretsPath = "${self}/" + cfg.secretsFile;
 in
 {
 imports = [ inputs.sops-nix.nixosModules.sops ];
 options.custom.sops = {
 enable = lib.mkEnableOption "";
- defaultSopsFile = lib.mkOption {
- type = lib.types.path;
- default = "${self}/hosts/${config.networking.hostName}/secrets.json";
+ agePublicKey = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
+ secretsFile = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "hosts/${config.networking.hostName}/secrets.json";
 };
 secrets = lib.mkOption {
 type = lib.types.anything;
- default = cfg.defaultSopsFile |> builtins.readFile |> builtins.fromJSON;
+ default = absoluteSecretsPath |> builtins.readFile |> builtins.fromJSON;
 };
 };
 config = lib.mkIf cfg.enable {
 sops = {
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- inherit (cfg) defaultSopsFile;
+ defaultSopsFile = absoluteSecretsPath;
 };
 };
 }
diff --git a/users/seb/@fern/home.nix b/users/seb/@fern/home.nix
index 03f55ae..42cf1aa 100644
--- a/users/seb/@fern/home.nix
+++ b/users/seb/@fern/home.nix
@@ -4,6 +4,7 @@ _: {
 home.stateVersion = "24.11";
 custom = {
+ sops.agePublicKey = "age190mf9wx4ct7qvne3ly9j3cj9740z5wnfhsl6vsc5wtfyc5pueuas9hnjtr";
 theme = "light";
 programs.brightnessctl.enable = true;
 };
diff --git a/users/seb/@north/home.nix b/users/seb/@north/home.nix
index 0bec4b6..393dfe9 100644
--- a/users/seb/@north/home.nix
+++ b/users/seb/@north/home.nix
@@ -4,7 +4,10 @@
 home.stateVersion = "23.11";
- custom.theme = "dark";
+ custom = {
+ sops.agePublicKey = "age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf";
+ theme = "dark";
+ };
 home.packages = [ pkgs.ffmpeg