From ae4a2e5b72c552be77c0ec35bc3eb963093f5430 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Fri, 5 Jul 2024 15:04:57 +0200
Subject: [PATCH] Manage github ssh-keys with sops

---
.sops.yaml | 6 +++-
flake.nix | 4 +--
modules/home-manager/git.nix | 7 ++++-
modules/home-manager/sops.nix | 9 ++++--
.../{@inspiron.nix => @inspiron/default.nix} | 8 +++--
users/seb/@inspiron/secrets.yaml | 30 +++++++++++++++++++
users/seb/{@north.nix => @north/default.nix} | 8 +++--
users/seb/@north/secrets.yaml | 30 +++++++++++++++++++
users/seb/home.nix | 1 -
users/seb/secrets.yaml | 0
10 files changed, 92 insertions(+), 11 deletions(-)
rename users/seb/{@inspiron.nix => @inspiron/default.nix} (71%)
create mode 100644 users/seb/@inspiron/secrets.yaml
rename users/seb/{@north.nix => @north/default.nix} (78%)
create mode 100644 users/seb/@north/secrets.yaml
delete mode 100644 users/seb/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index d9eeb70..07f9642 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,9 +15,13 @@ creation_rules:
 - age:
 - *admin
 - *inspiron
- - path_regex: users/seb/secrets.yaml$
+ - path_regex: users/seb/@north/secrets.yaml$
 key_groups:
 - age:
 - *admin
 - *seb-north
+ - path_regex: users/seb/@inspiron/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin
 - *seb-inspiron
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index 531d622..60d0f1b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -58,7 +58,7 @@
 };
 modules = [
 ./hosts/north
- "${self}/users/seb/@north.nix"
+ "${self}/users/seb/@north"
 ];
 };
 inspiron = nixpkgs.lib.nixosSystem {
@@ -67,7 +67,7 @@
 };
 modules = [
 ./hosts/inspiron
- "${self}/users/seb/@inspiron.nix"
+ "${self}/users/seb/@inspiron"
 ];
 };
 };
diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix
index 456600e..9d7fff5 100644
--- a/modules/home-manager/git.nix
+++ b/modules/home-manager/git.nix
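Review bot: The two new `path_regex` values are anchored only at the end and leave the dot unescaped, so `users/seb/@north/secrets.yaml$` also matches the same relative path under any deeper prefix and `secretsXyaml`-style names; since these rules are what scope each host's file to its own age key, making them exact is worth the two characters: `- path_regex: ^users/seb/@north/secrets\.yaml$` and `- path_regex: ^users/seb/@inspiron/secrets\.yaml$`. sops applies the first creation rule that matches, so if a broader `users/` rule is ever added it must stay below these two. The rule for the old `users/seb/secrets.yaml` is dropped together with the file, so nothing in the new rule set still targets that path.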
@@ -9,7 +9,12 @@
 userEmail = "sebastian.stork@pm.me";
 extraConfig.init.defaultBranch = "main";
 };
- programs.lazygit.enable = true;
+
+ sops.secrets.github-ssh-key.path = "${config.home.homeDirectory}/.ssh/github";
+ programs.ssh = {
+ enable = true;
+ matchBlocks."github.com".identityFile = "~/.ssh/github";
+ };
 };
 }
diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index 25fc19e..e3235b9 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -4,7 +4,7 @@
 config,
 lib,
 ...
-}:
+}@moduleArgs:
 {
 imports = [ inputs.sops-nix.homeManagerModules.sops ];
@@ -13,7 +13,12 @@
 config = lib.mkIf config.myConfig.sops.enable {
 sops = {
 age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
- defaultSopsFile = "${self}/users/${config.home.username}/secrets.yaml";
+ defaultSopsFile =
+ let
+ hostName = moduleArgs.osConfig.networking.hostName or "";
+ hostDir = if hostName != "" then "/@" + hostName else "";
+ in
+ "${self}/users/${config.home.username}${hostDir}/secrets.yaml";
 };
 };
 }
diff --git a/users/seb/@inspiron.nix b/users/seb/@inspiron/default.nix
similarity index 71%
rename from users/seb/@inspiron.nix
rename to users/seb/@inspiron/default.nix
index e0efe27..5363d34 100644
--- a/users/seb/@inspiron.nix
+++ b/users/seb/@inspiron/default.nix
@@ -1,10 +1,14 @@
 { wrappers, ... }:
 {
- imports = [ ./default.nix ];
+ imports = [ ../default.nix ];
 home-manager.users.seb = {
 home.stateVersion = "23.11";
- myConfig.theme = "light";
+
+ myConfig = {
+ theme = "light";
+ sops.enable = true;
+ };
 home.packages = [ wrappers.hyprlock ];
diff --git a/users/seb/@inspiron/secrets.yaml b/users/seb/@inspiron/secrets.yaml
new file mode 100644
index 0000000..48318ee
--- /dev/null
+++ b/users/seb/@inspiron/secrets.yaml
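Review bot: `sops.secrets.github-ssh-key` is now declared unconditionally in git.nix, while `sops.defaultSopsFile` is only set under `lib.mkIf config.myConfig.sops.enable` in sops.nix and home.nix no longer pins that option, so a host that enables git without `myConfig.sops.enable` would presumably fail evaluation (a secret with no sops file to come from) rather than just skip the key. Guarding the declaration the same way, e.g. `sops.secrets = lib.mkIf config.myConfig.sops.enable { github-ssh-key.path = "${config.home.homeDirectory}/.ssh/github"; };` (assuming `lib` is among this module's arguments), makes the dependency between the two modules explicit. The match block names the identity file but still lets ssh offer every agent-loaded key first; `matchBlocks."github.com".identitiesOnly = true;` restricts github.com to this key. The enclosing attribute set begins before the hunk.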
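Review bot: The `or ""` fallback in the new `defaultSopsFile` silently resolves to `users/<username>/secrets.yaml`, and for this user that file is deleted in the same commit, so an evaluation where `osConfig.networking.hostName` is unavailable would point every secret at a missing file and fail only at decryption time, away from the cause. Failing at the source reads clearer: `hostName = moduleArgs.osConfig.networking.hostName or (throw "sops.nix: osConfig.networking.hostName is required to locate the per-host secrets.yaml");`, after which `hostDir` collapses to `"/@${hostName}"`. Whether `osConfig` actually reaches this module through `@moduleArgs` depends on how home-manager supplies it, which is not visible here; a one-line comment above the `let` stating that this module expects to run under the NixOS home-manager module would save the next reader that investigation.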
@@ -0,0 +1,30 @@
+github-ssh-key: ENC[AES256_GCM,data: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,iv:9yf3/tzhvKbI2T5NA5cWdjuVVfPCVKDou84SKvEVG4M=,tag:437owh8BgJ7urnVuW2PzyQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycGk0NkU2Tk0yeE44SkdM + d2o1dEc0L3ZCdzR3K01yWEUremE0bU5VYWw0Ci9VTWFWRmZaNW5QTWIzRWVOTXZJ + NnhBRjB6NjdkWTJjRFFxSWtCV3JiajAKLS0tIHZ2ZmwvMEpKMVJENW1SL0l3djg3 + eTJzVWRRUGVnbCtKeHl1RUZyQVpYVjQKsEONBZ4osct2OGT1n43MM3ghYtXyjXi0 + L7GXOOEHXEDrQh9mfUCmv0yiBB3J3WGO+BIcnrinLPVoyICP6pKHqg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSDN1T05ZL3hwdXZlTi91 + QmR1UmdVa1BRNjZOc0FWY2xYTE0welE1OVVjCjdQUWxBWFFQLzYzSGZjSWx5Nk9Q + QWZ5cGx3UkY3WkIwYmd2cWYycXlySFkKLS0tIHdDdURYZ3RIRGRNNTdQZ0E0REVN + LzNhelFLTWhqd1FxazMzdmNXZnVwODAKQqwbkhPmBliuWpvrDbMn50yxYx8izVGE + XsSeOv9OEKmxiWUJX928vxBNUm8cLtOazvRbdTxgbiAgHWIoEv4mUg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-04T22:45:41Z" + mac: ENC[AES256_GCM,data:8spcUd/bcvLIWU+a9Zbf9TKfWAHhqdkU0vtsuiTY6CkXmja5HsTiQ0kqfUgcmE2c+vM7PaXqIRV/4j/6tcaAiYly/+Y9uKGIhjs8QoRsP7NVvnUsNO1rc13yEFPe5c1DVZrTxbKAFWV9N66h6Qm1ZVkpCS2YqTUa7Jdo006oGNI=,iv:jc2F3IcXR1bCNNvvnCvNMS+UfnKWuxHvOhis0bQ6Yuc=,tag:la5RA3dCisEwUWbgRf9OHA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1
diff --git a/users/seb/@north.nix b/users/seb/@north/default.nix
similarity index 78%
rename from users/seb/@north.nix
rename to users/seb/@north/default.nix
index f948333..322da3c 100644
--- a/users/seb/@north.nix
+++ b/users/seb/@north/default.nix
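Review bot: Both new secrets files carry the secret under the same name, `github-ssh-key`, and each is encrypted only to the admin recipient plus that host's own age recipient, so the per-host isolation the `.sops.yaml` rules aim for is in place; whether the two ciphertexts hold distinct private keys or one key copied to both hosts is not visible here, since the `data:` field is elided. If it is a single shared key, a separate SSH key (or deploy key) per host is worth considering, so that one host's key can be rotated or revoked on GitHub without touching the other. The `users/seb/@north/secrets.yaml` hunk has the same structure and the same question applies there.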
@@ -1,10 +1,14 @@
 { pkgs, ... }:
 {
- imports = [ ./default.nix ];
+ imports = [ ../default.nix ];
 home-manager.users.seb = {
 home.stateVersion = "23.11";
- myConfig.theme = "dark";
+
+ myConfig = {
+ theme = "dark";
+ sops.enable = true;
+ };
 home.packages = [
 pkgs.ffmpeg
diff --git a/users/seb/@north/secrets.yaml b/users/seb/@north/secrets.yaml
new file mode 100644
index 0000000..a2d5131
--- /dev/null
+++ b/users/seb/@north/secrets.yaml
@@ -0,0 +1,30 @@
+github-ssh-key: ENC[AES256_GCM,data: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,iv:Tr2mM8/uQjORcXi3g2dcEPp1lXBOC/1ykKUJkNFOLZI=,tag:LPiiFUeu0Csjb6qrGdXsAA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3emxtSHRwaTE2c3VJamxz + OUl3TkRUbmE2d2h5a0tLQ2ozc1RMdWZ1UXl3CnhuaUU1Um1pRUtpcFlPeEtKdkRB + UHFsT3RDSFBHR3BrVkxnYTk1ZFRjN1EKLS0tIEpLVFEyRk94dFQzanlpT2VpT08r + M2ZIaUFuajdUYld0VW5BaTY3VnptNkUKVI5zsOnQv8pAqjpvyFaRhYDROXlb9v4N + zQG2C/GiZYiBIIw8KqAcuAxpH6FmBZ2S6hx7gd045l8uhv2hO6zT+A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWExIaWprNmNlVXpXM09E + b1JsWG14L05BVXVCdzNDQmgxQ0VsMis5ZnhrCjVOS0VpRi9DbEF2OXUwbTUvOEJH + eG1PYnJLc01MbzFnVXFHcWtTY3d2bVUKLS0tIERHcmxmK2RtUmNDdHV4Zm9kWHlT + RWtJdlNqRkU3OC9KVGhpcC9QcW5WTG8K+TYbo8tudt7mYuBce5n5ShuqcXkPA80e + avMoxXZ74tZEWz8qaQtgMR6ayeUU+3p2sHoY5ayHfmzmjljt/CCwvw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-04T22:03:44Z" + mac: ENC[AES256_GCM,data:sDT9OQf1hNWaARnsdL1K5S1uthySEtrPauRkeEEgpUo0Li4DhqAUY9TJHKG8UIG9eZ8WduIKm8ciUGx7zSkgWflGx3o3dmkVpTRKz73HLmU5SqQoZ0r8xLR2mVtqxhy3c5WWVp9mKRKt+lH98SyPVpU5aXX5KWAuTm+nBdQu4+E=,iv:bWWUklD5CWHoOGTY3/J34mtV430xCfX6QvVigXgrFIE=,tag:eM3sXD1o2K1hYqcSatU2qw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1
diff --git a/users/seb/home.nix b/users/seb/home.nix
index 73ebb22..2c9ae00 100644
--- a/users/seb/home.nix
+++ b/users/seb/home.nix
@@ -10,7 +10,6 @@
 git.enable = true;
 vscode.enable = true;
 equalizer.enable = true;
- sops.enable = false;
 night-light.enable = true;
 };
diff --git a/users/seb/secrets.yaml b/users/seb/secrets.yaml
deleted file mode 100644
index e69de29..0000000