From d934db762263cb326d44d30ee89fff20c6ac3ae2 Mon Sep 17 00:00:00 2001
From: Jermeiah S
Date: Sat, 14 Jun 2025 13:55:51 -0400
Subject: [PATCH] feature: added basic sops support

---
 .sops.yaml | 11 +++++++++++
 modules/flake/devshell.nix | 21 ++++++++++++---------
 modules/nixos/common/sops.nix | 13 +++++++++++++
 secrets.yaml | 25 +++++++++++++++++++++++++
 4 files changed, 61 insertions(+), 9 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 modules/nixos/common/sops.nix
 create mode 100644 secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..0d7bb80
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml
+# for a more complex example.
+keys:
+ - &A_sky age1g4j0hun2ttt7h8870zf5pm7nqgw9p23r6mjj9vpm4guqetvth34s8v3t3w
+creation_rules:
+ - path_regex: secrets\.yaml
+ key_groups:
+ - age:
+ - *A_sky
diff --git a/modules/flake/devshell.nix b/modules/flake/devshell.nix
index 0b06c85..85fbfb0 100644
--- a/modules/flake/devshell.nix
+++ b/modules/flake/devshell.nix
@@ -1,12 +1,15 @@
 {
- perSystem = { pkgs, ... }: {
- devShells.default = pkgs.mkShell {
- name = "nixos-unified-template-shell";
- meta.description = "Shell environment for modifying this Nix configuration";
- packages = with pkgs; [
- just
- nixd
- ];
+ perSystem =
+ { pkgs, ... }:
+ {
+ devShells.default = pkgs.mkShell {
+ name = "nixos-unified-template-shell";
+ meta.description = "Shell environment for modifying this Nix configuration";
+ packages = with pkgs; [
+ sops
+ just
+ nixd
+ ];
+ };
 };
- };
 }
diff --git a/modules/nixos/common/sops.nix b/modules/nixos/common/sops.nix
new file mode 100644
index 0000000..beb3ad4
--- /dev/null
+++ b/modules/nixos/common/sops.nix
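Review bot: The only recipient under `keys` is the single age key `A_sky`, so no deployed host can decrypt `secrets.yaml` unless that private key is copied onto it, and losing that key makes the file unrecoverable. If the intended decryption path is each host's SSH host key (which sops-nix can use once converted with `ssh-to-age`), the host's age public key belongs here as a further entry, e.g. `- &host_<name> age1...` under `keys` and `- *host_<name>` in the same `age:` list — confirm against how host keys are provisioned. `path_regex: secrets\.yaml` is also unanchored and matches any path containing that substring; `path_regex: ^secrets\.yaml$` limits the rule to the one file. The header comment is the upstream example text and should instead say what `A_sky` is, e.g. `# A_sky: operator age key used to edit secrets.yaml`.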
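Review bot: The shell gains `sops` but none of the tooling needed to manage the recipients it depends on; without `age` (for `age-keygen`) and `ssh-to-age` (to derive a host's age recipient from its SSH host key) a contributor cannot add a host or rotate the `A_sky` key from inside this environment. Adding `age` and `ssh-to-age` next to `sops` in the `packages` list keeps key management reproducible within the flake rather than depending on what happens to be installed on the workstation. This is a convenience point only; the remainder of the hunk is a re-indent of the existing `mkShell` definition.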
@@ -0,0 +1,13 @@
+{
+ flake,
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+{
+ imports = [
+ flake.inputs.sops-nix.nixosModules.sops
+ ];
+ sops.defaultSopsFile = ../../../secrets.yaml;
+}
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..7a2d112
--- /dev/null
+++ b/secrets.yaml
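Review bot: The module sets `sops.defaultSopsFile` but declares neither a decryption identity nor any `sops.secrets.<name>` entries, so nothing is actually decrypted at activation yet; if the intent is to rely on sops-nix deriving an age identity from the host's SSH key, making that explicit with `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` documents which key must be listed as a recipient in `.sops.yaml`. Referencing `../../../secrets.yaml` as a path copies the file into the Nix store, which is acceptable only because every value in it is encrypted — any key using the file's `_unencrypted` suffix would become world-readable under `/nix/store`. The `lib`, `config` and `pkgs` arguments are unused and can be dropped, and a header such as `# Wires sops-nix into every host; individual secrets are declared per host via sops.secrets.` would tell the next reader what this common module is for.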
@@ -0,0 +1,25 @@
+hello: ENC[AES256_GCM,data:Rq1GdoMwMFgQ7Bvy78aMmM6DferRk0Bn5J4VVI8a5x2PaaFbZBAfsADZewD8,iv:sgJJM2UO4KZ+qE8uzNmdhsBhJ3/arEZd4kNvqnK2bqo=,tag:FZHKmkX1VfQLYPP0mDTIiQ==,type:str]
+example_key: ENC[AES256_GCM,data:h6UKojkibcw0wegDOQ==,iv:XVb8m9Ek4pNl6CCFU1MlxYusIOY6MBq9Z7lqoaG1/cM=,tag:FolHw4euj4PoqnTuuhlh4w==,type:str]
+#ENC[AES256_GCM,data:2ivQ7NDtZHDNMiyK8hf/7Q==,iv:sFv9WyyHJb+tkbjRGnD4OfEYJWt8PQIGteIViVyihEU=,tag:chbHtXfFQb5OJsB3rrMQbg==,type:comment]
+example_array:
+ - ENC[AES256_GCM,data:EQKOFW+qJ0Z/ooEr9Y0=,iv:732cR53nJfxctdVH0AZmfD/qBPoI7oPxemsYo4B92jQ=,tag:VMSYfVzTUAODwNtdz0xI6g==,type:str]
+ - ENC[AES256_GCM,data:3N1qsEA4L4YTw4qZjvs=,iv:mdCoLmqRA5OX3VpNM/f1AhmRIxOBvTswEvwPRadeYCQ=,tag:z9nueE2d4Kb/uWSCvK55jA==,type:str]
+example_number: ENC[AES256_GCM,data:PSY/N8noNaQYug==,iv:189g+CnKC5lBdJBBTcA4HUC3i98ZXa5thARY8U42DyI=,tag:hdWoyngTGnBszqCW3I+wXQ==,type:float]
+example_booleans:
+ - ENC[AES256_GCM,data:SFFumQ==,iv:G2iEbkil+oUuJCyxQAfaAMaXHPsOdAtdw8l8dnvqviY=,tag:WPfOOyjrWf/4p2UjoiILAQ==,type:bool]
+ - ENC[AES256_GCM,data:2GWLfxY=,iv:nSqxDcqvUeIDbvOoJlhW/lQs9j2iENsazpuZFUoOKc8=,tag:eh3HVtgzBrJjf0S9lGiqGQ==,type:bool]
+sops:
+ age:
+ - recipient: age1g4j0hun2ttt7h8870zf5pm7nqgw9p23r6mjj9vpm4guqetvth34s8v3t3w
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aFBMUWVvV1UzRlgvaGd5
+ TWtUd1VEa0RyYmxRUy9MVzA0OXdLOFU2MkhrCmMxYlVSZjFlSW9lN3RvUm8rUUht
+ N05aSUZ5UU51ZSt0Vzg3ZjkwRXVKSzAKLS0tIFJIaUtqMXhLcDZ3cnYyWFJRZ20z
+ cVpseXdzZHh6amduSFBUT1RMdkcxS2MKJhBQbcufwWc+kxFf/k/pHLClnPJkUucH
+ 6kEbeF+T49PoyxWyR1oXWhxC6Xuwcx+w3vA59gvP54Bx2Mrj2ylYwQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-06-14T17:54:53Z"
+ mac: ENC[AES256_GCM,data:wxaNv7XOLCWKkrvESr4R09sVTxbm9Otm6ImuaCbFMKuZlvAsp93wi54W5YK+aOugZtMfEBrz648A7GaR0ahb0ggvuhiHgCH667dMGBUZCp81vVBvF5RMhoPaR6IXnrdlQN4ypmbj3p07T+1BBMG6MJVieoI/liHMn//UDbWWOKQ=,iv:Y1ZS1gIGnwABpTNx3afjTHMGRxr3iu2t9uvwZ6RR0Wc=,tag:+uwoTYioDywkke9gMhEkkA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
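Review bot: The committed document is the unmodified sops sample (`hello`, `example_key`, `example_array`, `example_number`, `example_booleans`), none of which the new `sops.nix` module references, so it ships placeholder ciphertext rather than any real secret; either drop the sample keys or say in the commit message that this is scaffolding. Note also `unencrypted_suffix: _unencrypted` in the metadata: any key added later whose name ends in `_unencrypted` is stored in plaintext and, through `sops.defaultSopsFile`, ends up in the Nix store, so that suffix should be reserved for genuinely public values. With a single `age` recipient, every value (and the `mac`) can only be decrypted by that one key, so rotating or losing it means re-encrypting the whole file.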