feat: soaps

2026-02-02 17:22:40 +02:00 · 2026-02-02 17:22:40 +02:00 · 462c8ea585
commit 462c8ea585
parent 9846d0680a
7 changed files with 108 additions and 2 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,11 @@
+keys:
+  - &admin_teesh age1fdrtfvf3ywarc4sq7jjc5d6elas3fr73cfenkkyyj0ck6z9x2d0qlpn92h
+  - &host_taki   age1crm9ztzjuhg8yeudnqnrg9ljzc88x0tr79srjtyvt5vxnevpveaq9ggk7d
+  - &host_krembo age16yxzdjmlcwhkx3azmczuq9lvwyzsj6xvfpklp09aya2nwl7rfatsd7jcvs
+creation_rules:
+  - path_regex: secrets.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *admin_teesh
+      - *host_taki
+      - *host_krembo
--- a/flake.lock
+++ b/flake.lock
@ -446,10 +446,31 @@
        "niri-flake": "niri-flake",
        "nixpkgs": "nixpkgs_3",
        "noctalia": "noctalia",
+        "sops-nix": "sops-nix",
        "spicetify-nix": "spicetify-nix",
        "stylix": "stylix"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769921679,
+        "narHash": "sha256-twBMKGQvaztZQxFxbZnkg7y/50BW9yjtCBWwdjtOZew=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "1e89149dcfc229e7e2ae24a8030f124a31e4f24f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "spicetify-nix": {
      "inputs": {
        "nixpkgs": "nixpkgs_4",
--- a/flake.nix
+++ b/flake.nix
@ -32,6 +32,11 @@
    };

    spicetify-nix.url = "github:Gerg-L/spicetify-nix";
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = inputs@{ flake-parts, ... }:
--- a/modules/base/sops.nix
+++ b/modules/base/sops.nix
@ -0,0 +1,20 @@
+{ inputs, ... }:
+
+{
+  flake.modules.nixos.base = { pkgs, ... }: {
+    imports = [
+      inputs.sops-nix.nixosModules.sops
+    ];
+
+    sops.defaultSopsFile = ../../secrets.yaml;
+    sops.age = {
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+
+    environment.systemPackages = with pkgs; [
+      sops
+      age
+    ];
+  };
+}
--- a/modules/desktop/apps/halloy.nix
+++ b/modules/desktop/apps/halloy.nix
@ -3,6 +3,10 @@
 {
  flake.modules.nixos.desktop = { pkgs, ... }: {
    environment.systemPackages = [ pkgs.halloy ];
+
+    sops.secrets."irc/password" = {
+      owner = config.flake.meta.user.name;
+    };
  };

  flake.modules.homeManager.desktop = { lib, ... }: {
@ -25,7 +29,7 @@
          sasl.plain =
            lib.mkIf (config.flake.meta.irc.server.isBouncer or false) {
              username = config.flake.meta.user.name;
-              password = config.flake.meta.irc.password; # dont commit this yet, please use sops-nix
+              password_file = "/run/secrets/irc/password";
            };
        };

--- a/modules/server/soju.nix
+++ b/modules/server/soju.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:

 {
  flake.modules.nixos.server = {
@ -6,5 +6,15 @@
    services.soju.listen = [
      "irc+insecure://0.0.0.0:6667"
    ];
+
+    # we may not use this in the configuration, however
+    # we still declare this for the sysadmin to then go and
+    # create the user using:
+    #
+    # sojuctl user create -name ${config.flake.meta.user.name} -password $(cat /run/secrets/irc/password)
+    # or whatever, i dont exactly remember the command
+    sops.secrets."irc/password" = {
+      owner = config.flake.meta.user.name;
+    };
  };
 }
--- a/secrets.yaml
+++ b/secrets.yaml
@ -0,0 +1,35 @@
+irc:
+    password: ENC[AES256_GCM,data:2ygTfVViSUw=,iv:Gj/43g2FPStdaxhvPt/cFZYxprmw1GeCPLr1X2hu5JU=,tag:EMMYsLI7az9r3rTc+YzRwA==,type:str]
+sops:
+    age:
+        - recipient: age1fdrtfvf3ywarc4sq7jjc5d6elas3fr73cfenkkyyj0ck6z9x2d0qlpn92h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTmJ3TW04SnlKQWcrUy83
+            YW1NbFZOaXNQODFNUHl2UThkb3dleWZsTjBVClVOWXN1UE81dW1kZmdOTVF5bUxt
+            NkRidGJzbFVkeXJnV1pUUmhPZTVsQlkKLS0tIExoK2ZxMmFsQlR5UVVlbjdTa2h1
+            djNyL29KcThBNGRLdFVUWndJb013bncKWHJy/o7WwCofBVDDDcCBlJEO6HN8EIO7
+            1UiSceMgS/E3dZCf5rDvMvkt98LWpFN9apzvJvVS5FHyksOFT3ZA+w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1crm9ztzjuhg8yeudnqnrg9ljzc88x0tr79srjtyvt5vxnevpveaq9ggk7d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUEJnY2M2WDcxNlIxUWZX
+            R3pJSFE3QnJkR2RCSzh6cHJZTVV3ZytJVDFVCjFjWjFIbU81VVVHS2JQcUNjd2sw
+            c3R0NEtXMmVuTEpsMDg4a2hvZkcrS3MKLS0tIHJqN0dPRTRRUnByRHZTckN5L1Bt
+            bWdMUjU5SHhicnU5a3lZNTdrMkh6ODgKJJeQx93EN6VbWLQWoZylt62ZLhyRxP6c
+            zMx8NSmbaCLO+3FrzFK7OUOZV6r9U2T6Ec6yNypstGRjD5JrATwoGg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16yxzdjmlcwhkx3azmczuq9lvwyzsj6xvfpklp09aya2nwl7rfatsd7jcvs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiM2V6eFVvTHVMbFk1QXlC
+            T3RDWHJWbS8rcW5kTEE5elBtWnoyUExQN2tJClpJNWdWZFRtbXBmZCtVR3RNVGFx
+            QmpQRkZudk5WOC9CT3BjY0I4UkZnc3MKLS0tIE5GaEJrTDhTWEhMYjRDYXFWMVdX
+            MFp0UW1HSW9MbmppcHlNM25CaFhqOWcKppF0dE4YNh+mN1tyZju4zxM6ZFBSKx9U
+            cGYtUemtt4s9ko3hPt8ZM/ysKOeZgnYoeG7QQnwSoF3F+/gurvb0Bg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-02T14:10:01Z"
+    mac: ENC[AES256_GCM,data:+9LkPoOVneK1k8SionYYVbl/+4Ulxc7xeKKlRWOsERc7uGrnj1ED+yROrhhTcKJuzlNdi/1xjJPpw7Suks3+vArPH2mO1rA5yX5PihSGr8enjLTPYa7gcRD55vJ2HyEhyr1KhbeqZXr98yRZVzrQzG+Zhb4KMpn4qoWWg0glbp4=,iv:AsNYRTWOa1az3eYyPz2IFcqDX4jqtQdbCBbo8o4QXDU=,tag:ExEl0qW4Xab6hSr7jwGq7Q==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0