From 5598e96a8065b925f9e8740dc41a32c9a86dbe29 Mon Sep 17 00:00:00 2001
From: blahai
Date: Fri, 25 Oct 2024 16:45:25 +0300
Subject: [PATCH] sops
---
 .sops.yaml | 7 +++++++
 hosts/nyx/configuration.nix | 3 +++
 modules/nixos/default.nix | 1 +
 modules/nixos/services/cloudflared.nix | 24 ++++++++++++++++++++++++
 modules/nixos/services/default.nix | 6 ++++++
 secrets/secrets.nix | 12 ++++++++++++
 secrets/secrets.yaml | 23 +++++++++++++++++++++++
 7 files changed, 76 insertions(+)
 create mode 100644 .sops.yaml
 create mode 100644 modules/nixos/services/cloudflared.nix
 create mode 100644 modules/nixos/services/default.nix
 create mode 100644 secrets/secrets.nix
 create mode 100644 secrets/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..32f442f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+  - &primary age15lv6n403mscyyrfe9a059n5064ncse66taw89mpcf6ut55zfsq0qfh5n02
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+      - age:
+          - *primary
diff --git a/hosts/nyx/configuration.nix b/hosts/nyx/configuration.nix
index adf4c3f..511cf1c 100644
--- a/hosts/nyx/configuration.nix
+++ b/hosts/nyx/configuration.nix
@@ -193,6 +193,9 @@
   };
   environment.systemPackages = with pkgs; [
+    age
+    ssh-to-age
+    sops
     cloudflared
     inputs.zen-browser.packages."${pkgs.system}".specific
     btrfs-progs
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index cbe9a94..a6fddc0 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -2,5 +2,6 @@
   imports = [
     ./catppuccin.nix
     ./games/default.nix
+    ./services/default.nix
   ];
 }
diff --git a/modules/nixos/services/cloudflared.nix b/modules/nixos/services/cloudflared.nix
new file mode 100644
index 0000000..457d5ac
--- /dev/null
+++ b/modules/nixos/services/cloudflared.nix
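Review bot: The `keys` list in `.sops.yaml` names a single personal age recipient, so `secrets/secrets.yaml` can only be decrypted where that one private key is present; no recipient derived from the host's own key is in the set, which is what a NixOS activation on `nyx` would need to decrypt unattended. Since this patch also adds `ssh-to-age` to the system packages, the intent is presumably to use the host SSH key: convert `/etc/ssh/ssh_host_ed25519_key.pub` with ssh-to-age, add it as a second anchor such as `- &nyx <AGE_RECIPIENT_DERIVED_FROM_HOST_KEY>`, list it under the `age:` group next to `*primary`, and re-encrypt with `sops updatekeys secrets/secrets.yaml`. The `path_regex` is anchored only at the end, so any path ending in `secrets/secrets.yaml` matches this rule; that is fine for the current layout but worth a comment if the tree grows.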
@@ -0,0 +1,24 @@
+{ pkgs, inputs, ... }:
+let
+  secrets = import ../../../secrets/secrets.nix;
+in
+{
+
+  users.users.cloudflared = {
+    group = "cloudflared";
+    isSystemUser = true;
+  };
+  users.groups.cloudflared = { };
+
+  systemd.services.my_tunnel = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" "systemd-resolved.service" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token=${secrets.cloudflared.nyx.token}";
+      Restart = "always";
+      User = "cloudflared";
+      Group = "cloudflared";
+    };
+  };
+
+}
diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
new file mode 100644
index 0000000..554524b
--- /dev/null
+++ b/modules/nixos/services/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./cloudflared.nix
+  ];
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..19c6c81
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,12 @@
+{ pkgs, inputs, config, ... }:
+{
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    defaultSopsFormat = "yaml";
+    age.keyFile = "/home/pingu/.config/sops/age/keys.txt";
+  };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..ec95b63
--- /dev/null
+++ b/secrets/secrets.yaml
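Review bot: `secrets.cloudflared.nyx.token` in `ExecStart` cannot resolve: `secrets/secrets.nix` evaluates to a NixOS module function whose body only defines `imports` and `sops`, so `import`-ing it and selecting `.cloudflared` fails at evaluation, and even if it did yield the plaintext token, interpolating it into `ExecStart` would write the tunnel credential into the world-readable Nix store and the generated unit file, where it is also visible on the process command line. The sops-nix approach is to declare the secret so it is decrypted at activation to a root-owned file outside the store, then hand that file to the unit instead of the string; cloudflared reads the token from the `TUNNEL_TOKEN` environment variable, so a systemd credential plus a small wrapper script replaces the `--token=` flag entirely. This presumes the sops module pulled in by `secrets/secrets.nix` is actually in the host's module `imports` — in this patch it is reached only through a plain `import`, which does not load it as a module. Rewritten module below; the user/group block, `wantedBy`/`after`, and `Restart`/`User`/`Group` stay as they are.
```nix
{ pkgs, config, ... }:
{
  # … unchanged: cloudflared user and group …

  # Decrypted by sops-nix at activation to a file under /run/secrets; never enters the Nix store.
  sops.secrets."cloudflared/nyx/token" = { };

  systemd.services.my_tunnel = {
    # … unchanged: wantedBy / after …
    serviceConfig = {
      # systemd copies the decrypted file into the unit's private credentials directory,
      # so only this service (not the unit file or the cmdline) ever sees the token.
      LoadCredential = "token:${config.sops.secrets."cloudflared/nyx/token".path}";
      ExecStart = pkgs.writeShellScript "my_tunnel" ''
        export TUNNEL_TOKEN="$(< "$CREDENTIALS_DIRECTORY/token")"
        exec ${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run
      '';
      # … unchanged: Restart / User / Group …
    };
  };
}
```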
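Review bot: `age.keyFile = "/home/pingu/.config/sops/age/keys.txt"` ties system activation to a private key kept in one user's home directory: sops-nix decrypts as root during activation, when that directory may be absent, unmounted or still encrypted, and the key's permissions are then governed by the user rather than by the system. Prefer a host-owned key — sops-nix's default derives one from `/etc/ssh/ssh_host_ed25519_key` via `sops.age.sshKeyPaths`, or a dedicated key can live at `/var/lib/sops-nix/key.txt` — and add the matching recipient to `.sops.yaml` so the host can decrypt on its own. Note also that this file declares no `sops.secrets.*` entries, so as committed nothing is decrypted yet, and that no `imports` list in this patch names `secrets/secrets.nix` (cloudflared.nix only `import`s it as a plain expression); if the flake imports it elsewhere that is fine, otherwise the `sops` options it sets do not exist at evaluation.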
@@ -0,0 +1,23 @@
+cloudflared:
+    nyx:
+        token: ENC[AES256_GCM,data:WqwknTZwdxjlGbCbbU2S34L8IjX+qVhTbA6NgPcLdEl6bGOlqZSMVCcICiR/X5R5gikz/iJoTJ4T1ECP+clSKuc124VJrCfB9AggB8CXTEgzdCWXyzpP9svcZjmJlkTwc6pHdeM3SgolXS8E05EY535rt4E2mT4xd9PhUfD4CE7Im9ct8aV917iFc68Zg0JhTXsZtxiciDPakHJfe50Ix/GdDSS1d0CJPK9hOop6rB7f9Qwz0lmIKQ==,iv:MySjVlFbj52J0geGlFBL2GAtRZzb0ImtewADTkgtp6w=,tag:hWccRob0R/n8bbNA3PdADg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15lv6n403mscyyrfe9a059n5064ncse66taw89mpcf6ut55zfsq0qfh5n02
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVMEMzRGdiQTNXMzFoRi95
+            QlZ0UTRmQ3JyQktYbzJ2cWxaakhKZzFmaXc4CmRYK1VaamowbnZvTU4yN3ZHTTgx
+            M1MxMGFSTFl0b1VydnVaZ3RzeUZGYzAKLS0tIGJqRGpSdDVRQzhxZFo5UUhGZWtS
+            dERTMHFTUHBXNkczcVcrb0lTVXdTcDQKcgynRtVEs27vbtstdYj323Jn85U8o5Fd
+            fxGFj88mpFaipMU9IT9xXjzJhqKOmKqOVVw/M8tD8oEh8Chtj8y3PQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-25T12:15:03Z"
+    mac: ENC[AES256_GCM,data:lZhWh6CUtbCV73Iued+i4HcokDUjFb4NpdG3UH2lzOJ+MigYUX7QiRPavjfI5x7hXm0aNB+kKlZvGyklYJJ7yskYR82MfcWaCsZau0j1y/sIQEGSEK7dPoE39PnttG+m2KbH/ln9Df604NiiB4TUu68x6yhXZK53lGUBF9hk+T4=,iv:GpdU/VY+OZmoWap/s404t6xCug7OXBnqHljljXOE2a4=,tag:Q7lSt+MBANzQa202oIjrMA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1