Secrets with sops

.envrc

@@ -1,3 +1 @@
-PASSWORD_STORE_DIR=${PWD}/secrets
+use flake
-
-export PASSWORD_STORE_DIR

.gitignore

@@ -1,3 +1,4 @@
 /backup
 /result
 /secrets.nix
+/.direnv

.sops.yaml

@@ -0,0 +1,9 @@
+keys:
+  - &erwin b785a9688947edabb9ec8933ee7adefe1d943c7b
+  - &loki a6e31f5ab2bf34ca3f614d81ed9d6ae54dbcb9f7
+creation_rules:
+  - path_regex: machines/loki/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+          - *erwin
+          - *loki

flake.lock

@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1637673792,
+        "lastModified": 1637880148,
-        "narHash": "sha256-4hbA3vng5ARWu/rg62h73bwSJeKeIYOLcTvZ2gxazhk=",
+        "narHash": "sha256-L2h6t3u6SjDNGF+X3i8Cm7ivqej0xVmqX4Z6fX5p0AE=",
         "ref": "main",
-        "rev": "dd2894089ae666bdd7fabacf5b7de4dc24ecc7cb",
+        "rev": "1cc03904328e4c9414fa67d99370a338cba55219",
-        "revCount": 8,
+        "revCount": 11,
         "type": "git",
         "url": "ssh://git@git.datarift.nl/erwin/ha-now-playing.git"
       },
@@ -49,11 +49,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1637721183,
+        "lastModified": 1637875789,
-        "narHash": "sha256-4CAKKxrt9l0Hbl57Uypo7ol93Ko+5Yn+7xWWCMUyHQ8=",
+        "narHash": "sha256-kwW26kGhqNsWpTz+prw/pAfqz673GojbxZuB0boc1eM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "df931a59a5864d6ff0c5d83598135816f8593647",
+        "rev": "579f2e8bebb954a103a96b905c27b10f15ef38c7",
         "type": "github"
       },
       "original": {
@@ -84,11 +84,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1637595801,
+        "lastModified": 1637841632,
-        "narHash": "sha256-LkIMwVFKCuEqidaUdg8uxwpESAXjsPo4oCz3eJ7RaRw=",
+        "narHash": "sha256-QYqiKHdda0EOnLGQCHE+GluD/Lq2EJj4hVTooPM55Ic=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "263ef4cc4146c9fab808085487438c625d4426a9",
+        "rev": "73369f8d0864854d1acfa7f1e6217f7d6b6e3fa1",
         "type": "github"
       },
       "original": {
@@ -132,7 +132,28 @@
         "home-manager": "home-manager",
         "naersk": "naersk",
         "nixpkgs": "nixpkgs",
-        "pamedia": "pamedia"
+        "pamedia": "pamedia",
+        "sops": "sops"
+      }
+    },
+    "sops": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1637735079,
+        "narHash": "sha256-VC6FEfYHkNMrCd9+0nATtUQAtkWOrkH4gzwGHNG4TTQ=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "871408582627f43d0ecc5e4595dcf20cfe2ee227",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -16,6 +16,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    sops = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     ha-now-playing = {
       url = "git+ssh://git@git.datarift.nl/erwin/ha-now-playing.git?ref=main";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -31,7 +36,7 @@
     };
   };
 
-  outputs = { self, ha-now-playing, pamedia, ... }@inputs:
+  outputs = { self, sops, ha-now-playing, pamedia, ... }@inputs:
     with inputs;
     let
 
@@ -62,6 +67,7 @@
               system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
               nix.registry.nixpkgs.flake = nixpkgs;
             })
+            sops.nixosModules.sops
           ];
         };
 
@@ -128,6 +134,10 @@
             rofi-wayland = flake-utils.lib.mkApp { drv = packages.rofi-wayland; };
             nix-plugins = flake-utils.lib.mkApp { drv = packages.nix-plugins; };
           };
+
+          devShell = with pkgs; mkShell {
+            nativeBuildInputs = [ sops ssh-to-pgp ];
+          };
         }
       );
 }

home-manager/modules/waybar/default.nix

@@ -2,7 +2,6 @@
 with lib;
 let
   cfg = config.eboskma.programs.waybar;
-  token = "";
 in
 {
   options.eboskma.programs.waybar.enable = mkEnableOption "Enable waybar";
@@ -91,12 +90,12 @@ in
 
             # TODO: package as nix thingy
             "custom/now_playing" = {
-              exec = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token ${token}";
+              exec = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token-file /run/secrets/ha_now_playing_token";
               format = " ♪ {}";
               interval = 2;
-              on-click = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token ${token} play-pause";
+              on-click = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token-file /run/secrets/ha_now_playing_token play-pause";
-              on-scroll-down = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token ${token} volume-up";
+              on-scroll-down = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token-file /run/secrets/ha_now_playing_token volume-up";
-              on-scroll-up = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token ${token} volume-down";
+              on-scroll-up = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token-file /run/secrets/ha_now_playing_token volume-down";
             };
 
             "sway/window" = {

machines/loki/configuration.nix

@@ -1,6 +1,6 @@
 { self, ... }:
 {
-  imports = [ ./hardware-configuration.nix ];
+  imports = [ ./hardware-configuration.nix ../../users/erwin.nix ../../users/root.nix ];
 
   eboskma = {
     base = {
@@ -44,6 +44,12 @@
   # };
 
   services.openssh.enable = true;
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets.ha_now_playing_token = {
+    owner = "erwin";
+  };
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

machines/loki/secrets.yaml

@@ -0,0 +1,52 @@
+ha_now_playing_token: ENC[AES256_GCM,data:2NKdfEn0tQx+DTE6HBVo79Ico8+afqJ2XFaBVOgIikaL4eMa34CqHwhX91T64VVdmWyjvhaC1kRzxsALoJvw1ZHEnSG2va6lX0vN36j/n8R3ulcX23ZJetMHYQQE6ss7A+gvnBHTnTBG+F9XyrPFT7xnfQ363lWHQ3nRFiGAZJjj6eYqLxSuG7KMWHtfSozy5gSy2JKoxyV4KnqpDs39PhBmNA7OSh3FRYZPIaq+i4qhdCfHRET+,iv:Znl6IW36aqhL/KBr0cRgPBPtqkhuc1GtoqCQEQJ/cXI=,tag:ubvLck9m9qiutU2zcQtdDw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-11-25T22:00:28Z"
+    mac: ENC[AES256_GCM,data:yhO2fjE5BwdAF9Hj69k2tTgxr/gOVTZrkWNCJD/bkSX6rZLuMWQ4XqUSPiZ1/lRTliUnvnpOWqm3Fnvh7Nbhydyd6wyzwI799mSczLu4OUAImpCAfF6X95RGJ50lXQE+e/rO6+YwuWqS8FaRdgjWRBT3fvqoSYhqypiTRxVw0ew=,iv:+XxbiT49RnC+lqrbnLvzkH1nljNindQjYiCZ2cPyHDE=,tag:k3WIVby2WjSpDrv4SjYoRQ==,type:str]
+    pgp:
+        - created_at: "2021-11-25T22:00:17Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6BoiFpcAxNSAQ//R7e0KvxQrF+UBrs2TA7vP5LvPHAB+Isnn1VueHDxLj5j
+            UcLi1ts4rDquDiWdkJVN+A53hOee3IvOe+m0BkVJyetEbocEaFgwpRmzhSIhTFvX
+            jQI3C+Mn+WtYmq6vUcC7mhLiBgvGFRueQNcroYEAZFwLSYKLUM7nT01Njn4ADSIi
+            EJj1Ogssgt/jptB71jA3DD56+yMayCKsB+5XtaooZn7uEPPxZKyhcGcmx8a7anBr
+            V8bil0FLGqx3QaRGgXqj23kL8NOOCuJGdyQFeNfRVXyXjK3FQixCXfYKv/li3hOZ
+            Ge+gh3o3aiQexmfxh5Yi0u+KiyF5jlG/FVN9VSGi2sDrnjNUW3KX/eS2Rkd553EA
+            XhnVMoMztKpQ0DhZmvcTT9ynKTJrG28OXsWkWRe4zfrwHgBnfyEnP4TXRlAgO3TS
+            6giORbtWTdTVedYW+tbwK1XLxrqDfkMsSBVYgL+x96A1RQMYZfRvpA8kKsefN54p
+            stKeOySSo9ypquxzA0mdogyvhhIa5Cg0fSCzOE+Y7P4GRUe+OGqP0rMpIBzZsfyF
+            lefXRxBGL+1wtaE/zNqI1Rf0jxzFlF0DExfAcqveIaElCQJbTWvhalTGSD+O+oVj
+            Q1HDpa/iu0BqlzBMEKGxUhwqtsl/prpYMSKxLTgjqfCOecwNyVEpKTRFnFlP12/S
+            XgHa43zpA5RYfcp4hcB/3XeAt69AKwnJKD+C0Pv5l2rTveD8/jgZnt1NfJohTm58
+            chz6V0qSeGro41CjP3HEdzD+iIez+Dyv8BWahLvznTNeHROCHat5SLeEf9FNm9E=
+            =onPc
+            -----END PGP MESSAGE-----
+          fp: b785a9688947edabb9ec8933ee7adefe1d943c7b
+        - created_at: "2021-11-25T22:00:17Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA+2dauVNvLn3ARAAmQgafR035XrvwMSOaGq+N5VbSC0FhQ0dJbNkew8ixQqT
+            iR3AIHKDv8Uvdi3XlMtupVD5YIlazc+NoOKJk1xzrvYGO4bouH1k0KinXbea3Wm2
+            5NHSPWwzkRkA+S1GawsTgBx3IrWlDagsCADZ7B4TGuEuZt/i6J/C56JikG7aIpM4
+            qgm+KZBTbyW8IHcVjoDqTTtEdhU+1IN3MtgzQeI362nKTn27LnoLsLxhXg2mHQcM
+            8zu3D246mRriwPgfXAyADwx57k7G06t63JwSCXzzY20H2m3DFc0Woxcbo8zrkLLp
+            NZKirM/LS3wLELg+e+NYk7dZG/s1tR3ZL000wss97jZlTbRUr9aEj6YVklG4kxiW
+            v0IsovsFqqE+IgYEuMacYqteBpaKduixxooPsRYTvsqJubhAPWD7oe5bGgojF0i3
+            elTT1nUY9w9JMfutzUSzYBV+1ld2hpMXDGKZ1uNUionfk3+8NBXql/NE90mvlVhv
+            FDmnpVF/DsuS68tkb5FvZ+gI1prjz6D0TBX9CKbQTGNef6mm2Jshx7zzRGx1w90X
+            M9sN/KGEkeYI+htxw9zC5ulsuKZTf00omsl6mKX7cPOr0tQgRCN+TMpGwGbRjP2d
+            31uXUPJMyMDQpO3qFq5Ak0iVHBp0C9FyRyLFD1E2AJGnOVTKXFDgPZCViAWIGdHS
+            UAHR6gC+bPX66ZEOjMFqDl0IsWyz/tphkdIbVce2j+/KcMbntqNxUI0uP5sWySmp
+            Wke3WX8EENOQUbjr9KHNg+n4Er5NRyJ3czSU6jtydo87
+            =Cpa9
+            -----END PGP MESSAGE-----
+          fp: a6e31f5ab2bf34ca3f614d81ed9d6ae54dbcb9f7
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1

modules/desktop/default.nix

@@ -5,7 +5,7 @@ let
   bt = config.eboskma.bluetooth;
 in
 {
-  imports = [ ../../users/erwin.nix ../../users/root.nix ];
+  # imports = [ ../../users/erwin.nix ../../users/root.nix ];
 
   options.eboskma.desktop = {
     enable = mkEnableOption "Enable default desktop configuration";