From f845b093f157076d9a3e6a8237dfa7bc42879e11 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 24 Dec 2025 01:03:15 +0100
Subject: [PATCH 1/2] sops: Streamline bitwarden integration
---
 flake-parts/install-anywhere.nix | 6 ++----
 flake-parts/sops.nix | 9 +++------
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/flake-parts/install-anywhere.nix b/flake-parts/install-anywhere.nix
index 8030b1e..aee7ef8 100644
--- a/flake-parts/install-anywhere.nix
+++ b/flake-parts/install-anywhere.nix
@@ -8,9 +8,7 @@ _: {
 runtimeInputs = [
 pkgs.sops
 pkgs.ssh-to-age
- pkgs.bitwarden-cli
- pkgs.jq
 ];
 text = ''
@@ -40,10 +38,10 @@ _: {
 sed -i -E "s|(agePublicKey\s*=\s*\")[^\"]*(\";)|\1$new_age_key\2|" "hosts/$host/default.nix"
 echo "==> Updating SOPS secrets..."
- if BW_SESSION="$(bw login --raw)"; then
+ if BW_SESSION="$(bw unlock --raw || bw login --raw)"; then
 export BW_SESSION
 fi
- SOPS_AGE_KEY="$(bw get item 'admin age-key' | jq -r '.notes')"
+ SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
 export SOPS_AGE_KEY
 SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
 export SOPS_CONFIG
diff --git a/flake-parts/sops.nix b/flake-parts/sops.nix
index 015cd23..19772de 100644
--- a/flake-parts/sops.nix
+++ b/flake-parts/sops.nix
@@ -47,15 +47,12 @@
 pkgs.ssh-to-age
 ];
- nativeBuildInputs = [
- pkgs.bitwarden-cli
- pkgs.jq
- ];
+ nativeBuildInputs = [ pkgs.bitwarden-cli ];
 shellHook = ''
- if BW_SESSION="$(bw login --raw)"; then
+ if BW_SESSION="$(bw unlock --raw || bw login --raw)"; then
 export BW_SESSION
 fi
- SOPS_AGE_KEY="$(bw get item 'admin age-key' | jq -r '.notes')"
+ SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
 export SOPS_AGE_KEY
 SOPS_CONFIG="${self'.packages.sops-config}"
 export SOPS_CONFIG
From c8db179bda254cb03b9c713e2bf4e690f3475051 Mon Sep 17 00:00:00 2001
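Review bot: Dropping `pkgs.bitwarden-cli` from `runtimeInputs` in the first flake-parts/install-anywhere.nix hunk looks unintended, because the script's next hunk still calls `bw unlock`, `bw login` and `bw get notes`; only the `jq` pipeline went away. If this is a `writeShellApplication`-style wrapper (the derivation head is outside the hunk), `bw` now resolves from whatever the caller's PATH provides, so the binary that handles the admin age key is no longer pinned by the flake and the script fails on a machine without it. The flake-parts/sops.nix hunk of the same patch keeps `nativeBuildInputs = [ pkgs.bitwarden-cli ];`; here I would likewise keep the `pkgs.bitwarden-cli` line and remove only `pkgs.jq`.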
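Review bot: The output of `bw get notes 'admin age-key'` is exported without checking that the lookup succeeded, both in the second flake-parts/install-anywhere.nix hunk and in the identical lines of the flake-parts/sops.nix `shellHook` hunk. Nothing visible in the `shellHook` enables errexit, so a locked vault or a renamed item leaves an empty `SOPS_AGE_KEY` exported and the failure only shows up later as a sops decryption error; whether the install script aborts depends on shell options set outside the hunk. I would guard it the same way as the session token: `if SOPS_AGE_KEY="$(bw get notes 'admin age-key')"; then export SOPS_AGE_KEY; else echo "admin age-key not available" >&2; fi`. A short comment above the export noting that this value is the admin age identity and is inherited by every process started from that shell would also help the next reader.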
From: SebastianStork
Date: Wed, 24 Dec 2025 01:10:51 +0100
Subject: [PATCH 2/2] nebula: Add laptop to network
---
 hosts/laptop/default.nix | 4 ++++
 hosts/laptop/keys/nebula.crt | 6 ++++++
 hosts/laptop/keys/nebula.pub | 3 +++
 hosts/laptop/secrets.json | 9 ++++++---
 4 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 hosts/laptop/keys/nebula.crt
 create mode 100644 hosts/laptop/keys/nebula.pub
diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix
index 1523a62..2ddcf5c 100644
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@@ -36,6 +36,10 @@
 enable = true;
 ssh.enable = true;
 };
+ nebula.node = {
+ enable = true;
+ address = "10.254.250.3";
+ };
 syncthing = {
 enable = true;
 deviceId = "Q4YPD3V-GXZPHSN-PT5X4PU-FBG4GX2-IASBX75-7NYMG75-4EJHBMZ-4WGDDAP";
diff --git a/hosts/laptop/keys/nebula.crt b/hosts/laptop/keys/nebula.crt
new file mode 100644
index 0000000..b9041ae
--- /dev/null
+++ b/hosts/laptop/keys/nebula.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIGloD+ABmxhcHRvcKEHBAUK/voDGIUEaUsu2oYEayh99IcgFUP+GVuq3tcsxWoM
+TgOEhDMlEFpe1AjCbmBFMjtzRWiCIDQsjID+DOXgSXkAkkIySZqpe8qDwc/RSe9/
+rUqoGr07g0DDH0+/63YpveHA2JKKvl8T5/1kPm2Tp4SKLLy6i5g01dw4QSwaRGlW
+nrPxsi9gbci2Jdw2AiOZmshHA7tJOpoL
+-----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/laptop/keys/nebula.pub b/hosts/laptop/keys/nebula.pub
new file mode 100644
index 0000000..21d14de
--- /dev/null
+++ b/hosts/laptop/keys/nebula.pub
@@ -0,0 +1,3 @@
+-----BEGIN NEBULA X25519 PUBLIC KEY-----
+NCyMgP4M5eBJeQCSQjJJmql7yoPBz9FJ73+tSqgavTs=
+-----END NEBULA X25519 PUBLIC KEY-----
diff --git a/hosts/laptop/secrets.json b/hosts/laptop/secrets.json
index e0cc189..359a568 100644
--- a/hosts/laptop/secrets.json
+++ b/hosts/laptop/secrets.json
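Review bot: The `address = "10.254.250.3";` line in the hosts/laptop/default.nix hunk repeats a value that is also bound into the signed certificate added as hosts/laptop/keys/nebula.crt, and nothing visible ties the two together. A Nebula certificate is issued for a specific overlay address and validity window, so editing the address here without re-issuing the certificate would presumably leave the node unable to join. Unless the module already asserts this outside the hunk, I would add a comment above the line such as `# must match the address signed into keys/nebula.crt; re-issue the cert when changing it or before it expires`. The enclosing host attribute set starts and ends outside the hunk.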
@@ -14,6 +14,9 @@ "cert": "ENC[AES256_GCM,data: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,iv:W82k3U5tBcGfuSsrY/4RpQmpbw2jYn8NuXKRluB3fyg=,tag:iM+WSkSE/LjEA+rlp1GGkQ==,type:str]", "key": "ENC[AES256_GCM,data:C7IWbdaPNYa/TmqOK0BbU5xTk+0EbF3CrWHXYLFW4XdbvAzprITW/xD0jJhCBd/jTnWdmoEdbwdLF4BnYYXhBZcyMZALtfT5sKMk82vAoasTvZLDqBxm0CIA5npXjw+OhpI5a031BNXHaFBoN7cmfwZWmzEN9BwgHwlpExKGDXY/NWThTYp6b2HhWujCA5dTMTrrFOzxu/Wmh3Zv7GhYnnRhtCNONWzKMlSehlSC4R6ERrBG2khxXoPbyerwhhmPSpKbsnknPYcc4hkU4MuSF5zbgD/1m0PMVmSDBY3z1N7WwKO8dqcKETzyaqQ8fjiLuChT85q+mzz/btyXqOJi6pmV6vAcsNIogEMZ4E9va1TbD7vkESruIPrhf5XB1HVx,iv:4GFnhwE+Bp6JmqV6w3s7kd9usNh5eFAKqGR6vk5SSVA=,tag:lrvxVWVG2WBLVrLehao8ng==,type:str]" }, + "nebula": { + "host-key": "ENC[AES256_GCM,data:bj+rc2zDOWvQODR7fggh9IfVbqhKx0ejTT519ZRrrwJuQWCqno4g2LC9CvD1fStktl3jqtKtvP5XM4PkNRCtzTVmyQaQ7XJDQpUHd4O6o6mLOJFa4Hr72PGSTU/5cyALe/28sLIDLR183U1se3tPbSykZWt8OJA/eA2LXNuumw==,iv:jpMP9Asa0xaTvm+kaMim9CuGkje4gdTn5es6l/52Y1A=,tag:NsRz9Svswa2soH7YINPQ6w==,type:str]" + }, "sops": { "age": [ { 
@@ -25,9 +28,9 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPM1k5U2pCM0JkKytwSE16\nek1zdVVuQjdKS1MyZ29xSUZkK1FId2JVZ0dFCng5bjV3SGlGRHdvaHkvWnNQcWpk\ndGlMbWl6STdERmtHeXVMYTJ6NjQzSU0KLS0tIFBza3d4eVlsVHB3YS9ySUNFMjUx\neUkwQlExdGNwWU1hbHlzS0RkS3NLbFkKLiP/N/5jOnsQhRCOkZ/BieX3OLJOq82e\ngp57skqFeG0k22sPpbgOS0Uz7jckv7/C3kFpuwXQGpEHdzp3QZ+Owg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-10-11T15:48:45Z", - "mac": "ENC[AES256_GCM,data:vhDLrAXe7RuLiHREyjV2LVkPzRqOpQ1LCOKW1Rd0UWVRxo0NY2UeZ5gSEFRDLAeJ/mQZcJkXS89GFnLlIoniN44xAesEq/G0KC58oTioQ25GGbmWMkjsGihJ3L0ydwmckURFSBQloP7Oa1DcSllUljZ67e5kDBXnoTtfyWy2rWg=,iv:8GXxKP6YR0wH3/5AN5VUPRCxdv5pzqgxdYOkYU1ICe0=,tag:mGc45QcR0ljkI/ifR5u4sg==,type:str]", + "lastmodified": "2025-12-23T23:35:27Z", + "mac": "ENC[AES256_GCM,data:+4U7yeb/0mDHuVz/DcGzg3whECVm3HJChE/T1NNJKCkbc1lkdIfLvI7p68IBe5QtkTsGtm2pGqJn8ztbOCAJJ1feoZyHMdcDqGbJG+IpDSrPRdmwqvey5CGtrGgIdgW0vZUMCCywmbASzEmsVoFvOzBp5GAxeJsJZRuPU8ditRc=,iv:dkqg3210wXfVAjXPmXYkerLJX14muxeKPMKU65PrKMc=,tag:TPbzWHamgoVBbAyshiRahg==,type:str]", "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" + "version": "3.11.0" } }