Add sops and setup sops-nix

We want to store secrets, and due to the shortcomings of git-crypt (not
working, not being able to push to public caches, etc.) we have decided
to use sops.

Change-Id: I9ed38a93879ca5ff4a452e6e8017b500a4d2cbb6
Reviewed-on: https://git.clicks.codes/c/Chimera/NixFiles/+/414
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Skyler Grey <minion@clicks.codes>
diff --git a/.sops.nix b/.sops.nix
new file mode 100644
index 0000000..ae58c94
--- /dev/null
+++ b/.sops.nix
@@ -0,0 +1,38 @@
+nixpkgs: let
+  keys = {
+    users = {
+      coded = "BC82DF237610AE9113EB075900E944BFBE99ADB5";
+      minion = "76E0B09A741C4089522111E5F27E3E5922772E7A";
+    };
+    hosts = {
+        shorthair = "B5237D6B63AB2E13FDA07170E5AED9775DD21543";
+        greylag = "047bf8897df877fe86133e98522c6d280d545c00";
+    };
+};
+in {
+  creation_rules = [
+    {
+      path_regex = ''.*\.sops\.chimera\.(yaml|json|env|ini|[^.]*\.bin)$'';
+      pgp = nixpkgs.lib.concatStringsSep "," [
+        keys.users.coded
+        keys.users.minion
+        keys.hosts.shorthair
+        keys.hosts.greylag
+      ];
+    }
+    {
+      path_regex = ''.*\.sops\.coded\.(yaml|json|env|ini|[^.]*\.bin)$'';
+      pgp = nixpkgs.lib.concatStringsSep "," [
+        keys.users.coded
+        keys.hosts.shorthair
+      ];
+    }
+    {
+      path_regex = ''.*\.sops\.minion\.(yaml|json|env|ini|[^.]*\.bin)$'';
+      pgp = nixpkgs.lib.concatStringsSep "," [
+        keys.users.minion
+        keys.hosts.greylag
+      ];
+    }
+  ];
+}
\ No newline at end of file
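Review bot: Nothing in the `keys` set or the three `creation_rules` says which host may decrypt which class of secret, so a reader has to infer from the lists that `coded` pairs with `shorthair` and `minion` with `greylag`. I would add a comment above `creation_rules` such as `# Recipients are applied when a file is first encrypted; after changing a list, run "sops updatekeys" on existing files, and rotate the secret when a key is removed`. Removing a fingerprint here does not withdraw access to ciphertext already in history. The `greylag` fingerprint is lower-case while the other three are upper-case, and the `hosts` entries and closing `};` are indented differently from `users`. Normalising both would make a mistyped or swapped fingerprint easier to spot in later reviews.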