commit fc0f329fe0316b1963772fc89905e3655f5a3166
parent 62cca09244bb752ac2808701e67f6d610587f167
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 16 May 2025 11:33:17 +0200
parent 62cca09244bb752ac2808701e67f6d610587f167
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 16 May 2025 11:33:17 +0200
add sops module
5 files changed, 72 insertions(+), 1 deletion(-)
diff --git a/.sops.yaml b/.sops.yaml
@@ -0,0 +1,17 @@
+keys:
+ - &katja 9D7CACD7039E5AD616FD25879F935DB630A167E7
+ - &huntii age12dxnl4upy7agngqztrnp6wnz5jcq4fp06nxngah9n7umr4v90cvs677azg
+
+creation_rules:
+ - path_regex: secrets/common\.yaml$
+ key_groups:
+ - age:
+ - *huntii
+ pgp:
+ - *katja
+ - path_regex: secrets/huntii\.yaml$
+ key_groups:
+ - age:
+ - *huntii
+ pgp:
+ - *katja
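Review bot: Only `secrets/common.yaml` and `secrets/huntii.yaml` get a creation rule, while the sops module added in this commit derives each host's file from `config.networking.hostName`, so every further host needs its own rule here (or a broader regex) before `sops` has recipients for its file without them being passed explicitly. The two rules carry the same key group and could be one: `- path_regex: secrets/(common|huntii)\.yaml$`. It would also help whoever re-keys later to record where the `huntii` recipient comes from, e.g. `# huntii: age recipient for the host's /etc/ssh/ssh_host_ed25519_key (presumably via ssh-to-age); re-key if that key changes`.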
diff --git a/flake.lock b/flake.lock @@ -413,7 +413,8 @@ "nixStd": "nixStd", "nixSystemsDefault": "nixSystemsDefault", "nixpkgs": "nixpkgs", - "nixpkgsUnstable": "nixpkgsUnstable" + "nixpkgsUnstable": "nixpkgsUnstable", + "sopsNix": "sopsNix" } }, "rust-overlay": { @@ -440,6 +441,26 @@ "repo": "rust-overlay", "type": "github" } + }, + "sopsNix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1746485181, + "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "e93ee1d900ad264d65e9701a5c6f895683433386", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
@@ -77,6 +77,7 @@
 inputs.lixModule.nixosModules.default
 inputs.homeManager.nixosModules.default
 inputs.lanzaboote.nixosModules.lanzaboote
+ inputs.sopsNix.nixosModules.sops
 inputs.self.nixosModules.default
 hostConfig.configuration
@@ -121,6 +122,9 @@
 haumea.url = "git+https://git.katja.wtf/haumea";
 haumea.inputs.nixpkgs.follows = "nixpkgs";
+ sopsNix.url = "github:Mic92/sops-nix";
+ sopsNix.inputs.nixpkgs.follows = "nixpkgs";
+
 homeManager.url = "github:nix-community/home-manager/release-24.11";
 homeManager.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/nixosModules/sapphicCfg/modules/sops.nix b/nixosModules/sapphicCfg/modules/sops.nix
@@ -0,0 +1,28 @@
+{
+ povSelf,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ options.enable = {
+ type = types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops = {
+ defaultSopsFile = ../../../secrets/${config.networking.hostName}.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ };
+ };
+
+}
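Review bot: `options.enable` is a bare attrset with `type` and `default` rather than a `lib.mkOption` declaration; unless the sapphicCfg loader wraps option declarations itself (not visible in this diff), a plain NixOS module evaluation would not accept `enable.type` as an option, in which case it should read `options.enable = lib.mkOption { type = types.bool; default = false; };`. Since base.nix in this commit sets `sops.enable = lib.mkDefault true;` for every host, `defaultSopsFile` will point at `secrets/<hostName>.yaml` on hosts that may have neither that file nor a matching `.sops.yaml` rule; whether that fails evaluation immediately or only once a `sops.secrets` entry uses the default file depends on sops-nix, so a comment on that line would make the expectation explicit, e.g. `# one encrypted file per host; it must exist and be covered by a creation rule in .sops.yaml`. `pkgs` is bound in the argument set but not used. The `age.sshKeyPaths` line makes the host's own SSH key the decryption identity, which deserves a one-line comment as well, e.g. `# decrypt with the host SSH key (sops-nix derives the age identity from it); secrets must be re-keyed if the host key is rotated`.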
diff --git a/nixosModules/sapphicCfg/presets/base.nix b/nixosModules/sapphicCfg/presets/base.nix
@@ -44,6 +44,7 @@ in
 unfree.enable = lib.mkDefault true;
 nix.enable = lib.mkDefault true;
 homeManager.enable = lib.mkDefault true;
+ sops.enable = lib.mkDefault true;
 security = {
 enable = lib.mkDefault true;