From 53212c293ee183e5057aac354bd849ccde22e319 Mon Sep 17 00:00:00 2001
From: Tyler Starr
Date: Sun, 19 Nov 2023 22:55:56 -0800
Subject: [PATCH] initial try with github and sops-nix

---
 home/dot_gitconfig.tmpl | 3 ---
 home/private_dot_ssh/config | 4 ++--
 provision/.sops.yaml | 9 +++++++++
 provision/hosts/kestrel/configuration.nix | 1 +
 provision/modules/system/default.nix | 2 +-
 provision/modules/system/secrets.nix | 17 +++++++++++++++++
 provision/secrets/secrets.yaml | 22 ++++++++++++++++++++++
 7 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 provision/.sops.yaml
 create mode 100644 provision/modules/system/secrets.nix
 create mode 100644 provision/secrets/secrets.yaml

diff --git a/home/dot_gitconfig.tmpl b/home/dot_gitconfig.tmpl
index a838c349..add8468b 100644
--- a/home/dot_gitconfig.tmpl
+++ b/home/dot_gitconfig.tmpl
@@ -15,7 +15,4 @@
 [github]
 user = "starr-dusT"
-
-[core]
- sshCommand = "ssh -i ~/.ssh/keys/github_personal"
 {{ end }}
diff --git a/home/private_dot_ssh/config b/home/private_dot_ssh/config
index d3774cce..5346f648 100644
--- a/home/private_dot_ssh/config
+++ b/home/private_dot_ssh/config
@@ -1,3 +1,3 @@
-Host *
+Host github.com
 AddKeysToAgent yes
- IdentityFile ~/.ssh/keys/github_personal
+ IdentityFile /run/secrets/github/private
diff --git a/provision/.sops.yaml b/provision/.sops.yaml
new file mode 100644
index 00000000..5f44b69b
--- /dev/null
+++ b/provision/.sops.yaml
@@ -0,0 +1,9 @@
+# .sops.yaml
+
+keys:
+ - &primary age12g0gtcnhyaghs9vc5528yrstq4spe8p36fflhpwj79yz8jq9qg2s4v6mms
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/provision/hosts/kestrel/configuration.nix b/provision/hosts/kestrel/configuration.nix
index 25ba039b..e6305ca2 100644
--- a/provision/hosts/kestrel/configuration.nix
+++ b/provision/hosts/kestrel/configuration.nix
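Review bot: The new `IdentityFile /run/secrets/github/private` line hard-codes a path that only exists when the NixOS `modules.system.secrets.enable` option is on, and `lib.mkEnableOption` defaults to off, so any host that receives this home config without that option set will fail every git-over-ssh operation to github.com on a missing identity file rather than falling back to anything. Because the key now lives outside ~/.ssh and `AddKeysToAgent yes` means the agent may also hold other identities, add `IdentitiesOnly yes` under the `Host github.com` stanza so ssh offers only this key to GitHub instead of trying every agent key first. The file's mode and ownership are what sops-nix applies at activation (presumably 0400 owned by the `owner` set in secrets.nix), which should satisfy ssh's private-key permission check, but that is inferred from sops-nix defaults rather than visible here; a comment such as `# provisioned by sops-nix (provision/modules/system/secrets.nix), not a file in ~/.ssh` above the IdentityFile line would save the next reader the lookup.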
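Review bot: `.sops.yaml` lists exactly one age recipient, so the only thing able to decrypt provision/secrets/secrets.yaml is the private half of `age12g0…v6mms`; if that keys.txt is lost every secret in the file is unrecoverable, and every host that deploys these secrets has to carry the same personal key. The usual sops-nix layout is to add each host's SSH host key (converted with ssh-to-age) as a second recipient, e.g. `- &kestrel age1…` under `keys:` and listed beside `*primary` in the `age:` group, which also lets `sops updatekeys` rotate recipients without re-encrypting by hand. `path_regex` is matched against the path relative to the directory containing .sops.yaml, as far as I recall, so `secrets/secrets.yaml$` targets provision/secrets/secrets.yaml; a one-line comment above `creation_rules:` saying so would make that explicit, and the `# .sops.yaml` header comment that merely repeats the filename could carry it.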
@@ -97,6 +97,7 @@
 virt-manager.enable = true;
 };
 system = {
+ secrets.enable = true;
 ssh.enable = true;
 terminal.enable = true;
 wireguard-client = {
diff --git a/provision/modules/system/default.nix b/provision/modules/system/default.nix
index 77e42076..a322d1f3 100644
--- a/provision/modules/system/default.nix
+++ b/provision/modules/system/default.nix
@@ -1,4 +1,4 @@
 { ... }: {
- imports = [ ./ssh.nix ./backup.nix ./terminal.nix ./wireguard-client.nix ];
+ imports = [ ./secrets.nix ./ssh.nix ./backup.nix ./terminal.nix ./wireguard-client.nix ];
 }
diff --git a/provision/modules/system/secrets.nix b/provision/modules/system/secrets.nix
new file mode 100644
index 00000000..9413dbc9
--- /dev/null
+++ b/provision/modules/system/secrets.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, user, ... }:
+
+let cfg = config.modules.system.secrets;
+in {
+ options.modules.system.secrets.enable = lib.mkEnableOption "secrets";
+ config = lib.mkIf cfg.enable {
+
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
+
+ # Github private key
+ secrets."github/private" = { owner = "${user}"; };
+ };
+ };
+}
diff --git a/provision/secrets/secrets.yaml b/provision/secrets/secrets.yaml
new file mode 100644
index 00000000..c2d8909f
--- /dev/null
+++ b/provision/secrets/secrets.yaml
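Review bot: `age.keyFile = "/home/${user}/.config/sops/age/keys.txt"` in secrets.nix has the root-run activation decrypt the entire secrets file with a key that sits in an unprivileged user's home, so any process running as that user can decrypt not just `github/private` but every secret that is ever added to secrets.yaml, including future root-only ones; the decryption key belongs outside the user's control, e.g. `age.keyFile = "/var/lib/sops-nix/key.txt";` (root-owned, 0600) or `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` with the matching ssh-to-age recipient added to .sops.yaml. A home-directory path also assumes /home is mounted and that directory exists at activation time, which is not guaranteed on a first boot or when /home is a separate or encrypted volume. `defaultSopsFile = ../../secrets/secrets.yaml` copies the encrypted file into the world-readable Nix store, which is fine only because it is ciphertext, and that is worth a comment so nobody later points it at a plaintext file. Two smaller points: `pkgs` in the argument set is unused, and the `# Github private key` comment should say who consumes the secret, e.g. `# GitHub SSH private key, exposed to the user's ~/.ssh/config at /run/secrets/github/private (sops-nix default path and 0400 mode, presumably; adjust if overridden)`.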
@@ -0,0 +1,22 @@ +github: + private: ENC[AES256_GCM,data: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,iv:8WSRbanE8hM1O039BjsXsxnAUKFrvPxyZhFEYpJ7kSk=,tag:34VH6H600ow+B0CV8hQNTA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12g0gtcnhyaghs9vc5528yrstq4spe8p36fflhpwj79yz8jq9qg2s4v6mms + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RTFNMDd5K3Vza0plMFJr + ZFdpZ2VWV2JEdE1yOUdtS1FLbFp3alpIR25NCkN0dVhYaFZkY1pUQWRhaEY0SjYx + MFlaTjlYWFVLSnY1UmtJcmZobUZUUWcKLS0tIHBJb1lPRkJvcHNiVXhZeStuN2c1 + ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI + 3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-20T06:27:54Z" + mac: ENC[AES256_GCM,data:U15biwKX1mCmnqqutKTOigSzdF5MyS6WrfpMvAW1n5fx0CGMZY07FWRK52ACHNP/eF5Zayq+BfzIAtkyMVfF37J8q5PO6o/G1F6OvldXagvMY4UbqUIb64kHr1aCeQAp+Yd4tGxmsyprkRDLZsJb0Q9Dj8PX30ZiWKUyoWfSlkE=,iv:GRjli6tHFUXAHoc+K4IRP9iAOWEwUlKHQHcdeNyWV3Y=,tag:kntSZLX/te2o6SCmJxhK9g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3