From 4faa28d561c0b978c21d375f82cdb1bd3ee278ff Mon Sep 17 00:00:00 2001
From: polsevev
Date: Thu, 22 May 2025 22:24:20 +0200
Subject: [PATCH] Initial sops setup
---
 nixos/poseidon/configuration.nix | 29 ++++------------------
 nixos/poseidon/flake.lock | 42 +++++++++++++++++++++++++++++++-
 nixos/poseidon/flake.nix | 20 +++++++++++++--
 nixos/shared/sops.nix | 17 +++++++------
 nixos/shared/ssh.nix | 2 +-
 nixos/shared/tailscale.nix | 3 ++-
 6 files changed, 77 insertions(+), 36 deletions(-)
diff --git a/nixos/poseidon/configuration.nix b/nixos/poseidon/configuration.nix
index 62a51d9..a83576d 100644
--- a/nixos/poseidon/configuration.nix
+++ b/nixos/poseidon/configuration.nix
@@ -5,10 +5,9 @@
 { config, pkgs, ... }:
 {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware-configuration.nix
- ];
+ imports = [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
@@ -52,7 +51,6 @@
 # Configure console keymap
 console.keyMap = "no";
- # Configure keymap in X11
 # services.xserver.xkb.layout = "us";
@@ -81,22 +79,14 @@
 "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDpeouwzFZoYA7AYARaJ/qdQHORJB2h1V73PXQYEAI7sDrc3kYwgZPbrZ3pGkGKaHBl45kiV6SYsC7191OCwIl8AAAAEc3NoOg== A"
 "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBHlAtX4mBifZZ8u6sJckCgA6skwN7aamVK+lQuXLQ6kQWJy7GlEXEmoR9RW/0UIrQYLC+wd8Q5MROkYpn+cHLSoAAAAEc3NoOg== B"
 ];
- packages = with pkgs; [
- ];
+ packages = with pkgs; [ ];
 };
- environment.systemPackages = with pkgs; [
- btop
- vim
- tailscale
- python3
- htop
- ];
+ environment.systemPackages = with pkgs; [ btop vim tailscale python3 htop ];
 nixpkgs.config.allowUnfree = true;
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 # programs.firefox.enable = true;
- services.tailscale.enable = true;
 # Enable the OpenSSH daemon.
 # List packages installed in system profile. To search, run:
 # $ nix search wget
@@ -115,15 +105,6 @@
 # List services that you want to enable:
- # Enable the OpenSSH daemon.
- services.openssh = {
- enable = true;
- settings = {
- PermitRootLogin = "no";
- PasswordAuthentication = true;
- };
- };
- nix.settings.trusted-users = [ "poseidon" ];
 # Open ports in the firewall.
 # networking.firewall.allowedTCPPorts = [ ... ];
diff --git a/nixos/poseidon/flake.lock b/nixos/poseidon/flake.lock
index 3e99f19..9c9f6a0 100644
--- a/nixos/poseidon/flake.lock
+++ b/nixos/poseidon/flake.lock
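Review bot: After the `@@ -115,15` hunk configuration.nix no longer configures sshd itself, and the `@@ -81,22` hunk drops `services.tailscale.enable`; both services now exist only because `../shared/ssh.nix` and `../shared/tailscale.nix` are listed in flake.nix's `modules`, so evaluating this file outside the flake yields a host with no SSH daemon and no tailscale. A one-line comment at the removal site, `# sshd and tailscale are configured in ../shared/{ssh,tailscale}.nix, imported from flake.nix`, would make that dependency visible to the next person editing this file. The collapsed hunk does not let me tell whether `nix.settings.trusted-users = [ "poseidon" ]` is removed or kept; if kept, it is pre-existing and not part of this change.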
@@ -21,6 +21,24 @@
 "type": "github"
 }
 },
+ "homelabSecrets": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1747945363,
+ "narHash": "sha256-gKUhfQzbwtXTEQoPIAkOhlbyu/WQBPk+Tl2va7iwjKQ=",
+ "ref": "master",
+ "rev": "cc48a631fb9470e3a6a07ca8660b7caf56b0ae06",
+ "shallow": true,
+ "type": "git",
+ "url": "ssh://forgejo@code.polsevev.dev/polsevev/nix-secrets-homelab.git"
+ },
+ "original": {
+ "ref": "master",
+ "shallow": true,
+ "type": "git",
+ "url": "ssh://forgejo@code.polsevev.dev/polsevev/nix-secrets-homelab.git"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1747676747,
@@ -40,7 +58,29 @@
 "root": {
 "inputs": {
 "disko": "disko",
- "nixpkgs": "nixpkgs"
+ "homelabSecrets": "homelabSecrets",
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1747603214,
+ "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+ "type": "github"
+ },
+ "original": {
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
 }
 },
diff --git a/nixos/poseidon/flake.nix b/nixos/poseidon/flake.nix
index c50eca0..bec9ce3 100644
--- a/nixos/poseidon/flake.nix
+++ b/nixos/poseidon/flake.nix
@@ -4,16 +4,28 @@
 inputs = {
 # NixOS official package source, using the nixos-24.11 branch here
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
- disko = {
+ disko = {
 url = "github:nix-community/disko/latest";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+
+ };
+ # Personal Repositories
+ homelabSecrets = {
+ url =
+ "git+ssh://forgejo@code.polsevev.dev/polsevev/nix-secrets-homelab.git?ref=master&shallow=1";
+ flake = false;
+ };
 };
 outputs = { self, nixpkgs, disko, ... }@inputs: {
 # Please replace my-nixos with your hostname
 nixosConfigurations.poseidon = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 # Import the previous configuration.nix we used,
 # so the old configuration file still takes effect
@@ -21,7 +33,11 @@
 ./configuration.nix
 ./disko-config.nix
 ./hardware-configuration.nix
+ ../shared/tailscale.nix
+ ../shared/ssh.nix
+ ../shared/sops.nix
 ];
+
 };
 };
-}
\ No newline at end of file
+}
diff --git a/nixos/shared/sops.nix b/nixos/shared/sops.nix
index ff6bd9f..36d8274 100644
--- a/nixos/shared/sops.nix
+++ b/nixos/shared/sops.nix
@@ -1,13 +1,16 @@
-{ config, pkgs, homelabSecrets, ... }:
-let secretsPath = inputs.homelabSecrets;
+{ config, inputs, ... }:
+let secretsPath = builtins.toString inputs.homelabSecrets;
 in {
- imports = [
- inputs.sops-nix.nixosModules.sops
- ];
+ imports = [ inputs.sops-nix.nixosModules.sops ];
 sops = {
 defaultSopsFile = "${secretsPath}/secrets.yaml";
- validateSopsFile = false;
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ };
+ sops.secrets = { "tailscale/preauthkeys/poseidon" = { }; };
- }
 }
diff --git a/nixos/shared/ssh.nix b/nixos/shared/ssh.nix
index fac1e16..81e611f 100644
--- a/nixos/shared/ssh.nix
+++ b/nixos/shared/ssh.nix
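Review bot: The `homelabSecrets` input is fetched by the evaluating machine and copied into the Nix store, which is world-readable on the host and on any substituter or cache the store is pushed to, so that repository must only ever contain sops-encrypted material; nothing in the hunk records that invariant. Suggest `# Whole repo lands in /nix/store (world-readable): only sops-encrypted files belong here.` above `homelabSecrets = {`. The `ref=master` in the URL floats only on `nix flake update`, since flake.lock pins the input to a rev. The stray blank line inside the `sops-nix` block, and the one this commit adds after `];` in the `@@ -21,7` hunk, are out of step with the rest of the file's formatting.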
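Review bot: The new `age` block declares two decryption identities, the host key at `/etc/ssh/ssh_host_ed25519_key` via `sshKeyPaths` and a generated age key at `/var/lib/sops-nix/key.txt` via `generateKey = true`, but nothing states which recipient `secrets.yaml` is encrypted to; the generated key only exists after first activation and is unusable until its public half is added to the secrets repo and the file re-encrypted, so if the SSH-derived recipient is not listed either, the first deploy presumably fails at decryption. A comment above `age = {` naming the intended recipient and noting that it must be registered in the secrets repo before the first deploy would avoid a failed first boot. Dropping `validateSopsFile = false` is a good change, since the file is now checked at build time. `config` in the module arguments is unused in the visible lines, and the `sops.secrets` attribute could live inside the `sops = { ... }` block just above it.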
@@ -4,7 +4,7 @@
 enable = true;
 settings = {
 PermitRootLogin = "no";
- PasswordAuthentication = true;
+ PasswordAuthentication = false;
 };
 };
 }
diff --git a/nixos/shared/tailscale.nix b/nixos/shared/tailscale.nix
index 8298604..d6bb8a4 100644
--- a/nixos/shared/tailscale.nix
+++ b/nixos/shared/tailscale.nix
@@ -5,9 +5,10 @@ services.tailscale = {
 enable = true;
 openFirewall = true;
- authKeyFile = config.sops.secrets."tailscale.preauthkeys.poseidon".path;
+ authKeyFile = config.sops.secrets."tailscale/preauthkeys/poseidon".path;
 extraUpFlags = [ "--login-server=https://headscale.polsevev.dev" "--accept-dns=false" ]; }; } +
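Review bot: `PasswordAuthentication = false` on its own does not close the password path on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and PAM keyboard-interactive still prompts for a password; add `KbdInteractiveAuthentication = false;` next to it inside `settings`. The enclosing `services.openssh` block starts before this hunk. Key-based login stays available through the `authorizedKeys` entries kept in configuration.nix, so this does not lock the host out.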
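Review bot: The secret name `"tailscale/preauthkeys/poseidon"` on the `authKeyFile` line is a bare string that has to match the key declared in `../shared/sops.nix`; the old `.`-separated spelling this hunk replaces shows how easily the two drift, and a mismatch only surfaces at evaluation as a missing attribute. A comment on that line, `# must match the name declared in sops.secrets (../shared/sops.nix)`, would tie the two files together. The trailing `+` appears to add an empty line at end of file, which is whitespace only.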