From b83c4f77c73f2bcd76fcbaf6b881a954bc270cb6 Mon Sep 17 00:00:00 2001
From: Aleksandr Lebedev
Date: Wed, 18 Dec 2024 09:27:31 +0100
Subject: [PATCH] added sops-nix
---
 flake.nix | 2 +-
 nixos/configuration.nix | 25 ++++++++++++++++++-------
 nixos/modules/impermanence/default.nix | 2 --
 nixos/modules/sops/.sops.yaml | 7 +++++++
 nixos/modules/sops/default.nix | 15 +++++++++++++++
 nixos/modules/sops/secrets/secrets.yaml | 22 ++++++++++++++++++++++
 6 files changed, 63 insertions(+), 10 deletions(-)
 create mode 100644 nixos/modules/sops/.sops.yaml
 create mode 100644 nixos/modules/sops/default.nix
 create mode 100644 nixos/modules/sops/secrets/secrets.yaml
diff --git a/flake.nix b/flake.nix
index 9565ae4..ca7ba14 100644
--- a/flake.nix
+++ b/flake.nix
@@ -47,7 +47,7 @@
 username = "kylekrein";
 general-modules = [
- #inputs.sops-nix.nixosModules.sops
+ inputs.sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 stylix.nixosModules.stylix
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 1411a0b..4b9a178 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -10,6 +10,7 @@
 inputs.nixvim.nixosModules.nixvim
 ./firefox.nix
 ./modules/services/autoupgrade
+ ./modules/sops
 ];
 kylekrein.services.autoUpgrade = {
 enable = true;
@@ -82,13 +83,23 @@
 services.udisks2.enable = true;
- # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.${username} = {
- isNormalUser = true;
- description = "Aleksandr Lebedev";
- extraGroups = [ "networkmanager" "wheel" ];
- initialPassword = "1234";
- packages = with pkgs; [];
+ users = {
+ mutableUsers = false;
+ users = {
+ root = {
+ # disable root login here, and also when installing nix by running nixos-install --no-root-passwd
+ # https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/3
+ hashedPassword = "!"; # disable root logins, nothing hashes to !
+ };
+ ${username} = {
+ isNormalUser = true;
+ description = "Aleksandr Lebedev";
+ extraGroups = [ "networkmanager" "wheel" ];
+ #initialPassword = "1234";
+ hashedPasswordFile = config.sops.secrets."users/${username}".path;
+ packages = with pkgs; [];
+ };
+ };
 };
 qt = {
diff --git a/nixos/modules/impermanence/default.nix b/nixos/modules/impermanence/default.nix
index 0e70cb6..3353259 100644
--- a/nixos/modules/impermanence/default.nix
+++ b/nixos/modules/impermanence/default.nix
@@ -15,8 +15,6 @@
 ];
 files = [
 "/etc/machine-id"
- "/etc/shadow"
- "/etc/passwd"
 { file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
 ];
 };
diff --git a/nixos/modules/sops/.sops.yaml b/nixos/modules/sops/.sops.yaml
new file mode 100644
index 0000000..2c2fa2b
--- /dev/null
+++ b/nixos/modules/sops/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1l8euy4w4nccrpdmfdfct468parcrulkqcts2jcljajs2as0k7passdv2x4
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/nixos/modules/sops/default.nix b/nixos/modules/sops/default.nix
new file mode 100644
index 0000000..2cdb98e
--- /dev/null
+++ b/nixos/modules/sops/default.nix
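Review bot: With `mutableUsers = false` and root's `hashedPassword = "!"`, the only account that can log in is `${username}`, whose hash comes solely from `config.sops.secrets."users/${username}".path`; if that secret fails to decrypt at activation there is no usable password on the host, and the `nixos/modules/sops/default.nix` added in this same commit sets `sops.age.generateKey = true`, which on a host that lacks the real key produces a fresh key that cannot decrypt `secrets.yaml` (its only recipient is the `&primary` key in `.sops.yaml`). Record the dependency next to `hashedPasswordFile`, e.g. `# sole login credential: the age key at sops.age.keyFile must exist before the first switch, since root is disabled and users are immutable`. This line also needs `config` in the module's argument set, which is outside the hunk.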
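Review bot: Dropping `/etc/shadow` and `/etc/passwd` from the persisted files only stays correct while `users.mutableUsers = false` (set in `nixos/configuration.nix` in this commit), since that is what makes NixOS regenerate both files from the declarative user set on every activation; a comment should tie the two together so they are not later changed independently, e.g. `# not persisted: users.mutableUsers = false regenerates these at activation`. The sops module in this commit reads its age key from `/persist/sops/age/keys.txt` when impermanence is enabled, and a `neededForUsers` secret is decrypted early in activation, so the filesystem backing `/persist` presumably needs `neededForBoot = true` for that path to exist in time — verify against the filesystem definitions, which are outside the hunk.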
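Review bot: A single age recipient, `&primary`, is the only key that can decrypt `secrets/secrets.yaml`, so the host's `sops.age.keyFile` must hold exactly that key and there is no second recipient to fall back on if it is lost; a comment naming the key's role would make that explicit, e.g. `# &primary: sole decryption key; its private half must be at sops.age.keyFile on the host`. sops resolves `.sops.yaml` by walking up from the working directory, so this file only governs `sops` invocations run from `nixos/modules/sops` or below, which is worth noting next to `path_regex`.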
@@ -0,0 +1,15 @@
+{ pkgs, inputs, username, hwconfig, ... }:
+{
+ environment.systemPackages = with pkgs; [sops];
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+ sops.age.keyFile = (if hwconfig.useImpermanence then "/persist/sops/age/keys.txt" else "/home/${username}/.config/sops/age/keys.txt");
+ # This will generate a new key if the key specified above does not exist
+ sops.age.generateKey = true;
+
+ sops.secrets = {
+ "users/kylekrein" = {
+ neededForUsers = true;
+ };
+ };
+}
diff --git a/nixos/modules/sops/secrets/secrets.yaml b/nixos/modules/sops/secrets/secrets.yaml
new file mode 100644
index 0000000..d6255e6
--- /dev/null
+++ b/nixos/modules/sops/secrets/secrets.yaml
@@ -0,0 +1,22 @@
+users:
+ kylekrein: ENC[AES256_GCM,data:DNLVQ4IPFhUG9MR9hk2BuElvfNZIky3nMGWgilutRwvT3wl25vOLEETrBFoWUO+2ZgLSnhtwWtIJhNlRlTK/rsrUNVTOdwq9AA==,iv:Z+dhr33Wotm064IcwtNfFpvQeL03T29Dn3Bl9VqPL1g=,tag:Qe3sOY0DegSKDptBjnbFrQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1l8euy4w4nccrpdmfdfct468parcrulkqcts2jcljajs2as0k7passdv2x4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOEtvVCtWRzN6S1BBTkJR
+ aDM2T2x6MFo2aUFXOXVJNXJ2eWVucWltRjB3Cmc5SFJiOURLeWRDcGUvTzcyR2w2
+ OXBlb1lRNi9vdHAyb2V6TUJRQ3M3TEUKLS0tIHpMdEtzUi9rTWFvUU9xQXptSmtu
+ M0hSNWNYbGM3a21McUVMaGNqWTdmNTQK3VRFV4EaC8K8AJi2PUt6TeBgueEmPLI8
+ Vdwwbh89+xD5xf4Zm0LctPRlxxM6diubv0gIZZPy/ZXZfiU32ZnM0w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-18T08:09:37Z"
+ mac: ENC[AES256_GCM,data:nnzosChLt1mPHdbLktddccs1lTp0LQAJs36KkYXHxW+sL+QYZu+jIEWm6IaGJ/5xHk99upo3eoZu3o8DrEMvKmiICrXy6hLFipgANTuzV4Ug8bs5aSXuKjqVAs3aMLNJR5+CZZTCFDc7NM12Fy+U33Sn8hMimIC0JQmypdAWXoI=,iv:5ShY+sSHK8DjURndEDdV1g5d9TdGnAI82+qx0pQx9lg=,tag:4p/1h4TzKSuVG72zIn4Uqw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.2
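Review bot: `sops.secrets."users/kylekrein"` hard-codes the user name although the module receives `username` in its argument set, and `nixos/configuration.nix` in this commit looks the secret up as `config.sops.secrets."users/${username}".path`, so the two agree only while `username` is `kylekrein` and evaluation fails on a missing attribute otherwise; declare it as `"users/${username}" = { neededForUsers = true; };` (the `users:` key in `secrets.yaml` must carry the same name). `inputs` in the argument set is not used anywhere in this file. Whether the non-impermanence key path under `/home/${username}/.config/sops/age/keys.txt` is mounted early enough for a `neededForUsers` secret depends on filesystem layout this file does not show — confirm before relying on it.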