From 591c0cd6b588e7a826c8ae81b5681b440e7e109c Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Thu, 16 Nov 2023 13:29:18 +0100
Subject: [PATCH] start replacing sops with agenix
---
 flake.lock | 6 +++---
 flake.nix | 2 ++
 hosts/thinkpad/default.nix | 5 +++--
 hosts/thinkpad/modules/backup/default.nix | 6 ++++--
 hosts/thinkpad/modules/networks/default.nix | 15 ++++++++++-----
 hosts/thinkpad/modules/networks/uni.nix | 9 ++++++---
 secrets.nix | 14 ++++++++++++++
 secrets/thinkpad/borg/key.age | Bin 0 -> 1302 bytes
 secrets/thinkpad/borg/passphrase.age | Bin 0 -> 480 bytes
 secrets/thinkpad/tud.age | 9 +++++++++
 secrets/thinkpad/wireguard/dorm/preshared.age | Bin 0 -> 510 bytes
 secrets/thinkpad/wireguard/dorm/private.age | 9 +++++++++
 secrets/thinkpad/wireless.age | Bin 0 -> 754 bytes
 shared/default.nix | 1 -
 shared/zsh.nix | 2 +-
 15 files changed, 61 insertions(+), 17 deletions(-)
 create mode 100644 secrets.nix
 create mode 100644 secrets/thinkpad/borg/key.age
 create mode 100644 secrets/thinkpad/borg/passphrase.age
 create mode 100644 secrets/thinkpad/tud.age
 create mode 100644 secrets/thinkpad/wireguard/dorm/preshared.age
 create mode 100644 secrets/thinkpad/wireguard/dorm/private.age
 create mode 100644 secrets/thinkpad/wireless.age
diff --git a/flake.lock b/flake.lock
index e4ad16a..14b6436 100644
--- a/flake.lock
+++ b/flake.lock
@@ -179,11 +179,11 @@
 ]
 },
 "locked": {
- "lastModified": 1699783872,
- "narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=",
+ "lastModified": 1700087144,
+ "narHash": "sha256-LJP1RW0hKNWmv2yRhnjkUptMXInKpn/rV6V6ofuZkHU=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "280721186ab75a76537713ec310306f0eba3e407",
+ "rev": "ab1459a1fb646c40419c732d05ec0bf2416d4506",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 9e94b4f..a9cd5b5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -112,6 +112,7 @@
 impermanence.nixosModules.impermanence
 ./hosts/nuc
 ./shared
+ ./shared/sops.nix
 sops-nix.nixosModules.sops
 {
 nixpkgs.overlays = [ self.overlays.default ];
@@ -124,6 +125,7 @@
 modules = [
 ./hosts/falkenstein-1
 ./shared
+ ./shared/sops.nix
 {
 nixpkgs.overlays = [ self.overlays.default ];
 }
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 01d43fa..e721bc4 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -49,8 +49,9 @@
 ];
 };
 # impermanence fixes
- sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
- sops.gnupg.sshKeyPaths = lib.mkForce [ ];
+ # sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+ # sops.gnupg.sshKeyPaths = lib.mkForce [ ];
+ age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
 time.timeZone = "Europe/Berlin";
 i18n.defaultLocale = "en_US.UTF-8";
diff --git a/hosts/thinkpad/modules/backup/default.nix b/hosts/thinkpad/modules/backup/default.nix
index 8794cf2..3bd4286 100644
--- a/hosts/thinkpad/modules/backup/default.nix
+++ b/hosts/thinkpad/modules/backup/default.nix
@@ -1,6 +1,8 @@
 { config, pkgs, ... }:
 {
- sops.secrets."borg/passphrase" = { };
+ age.secrets."borg/passphrase" = {
+ file = ../../../../secrets/thinkpad/borg/passphrase.age;
+ };
 environment.systemPackages = [ pkgs.borgbackup ];
 services.borgmatic = {
 enable = true;
@@ -32,7 +34,7 @@
 "/home/*/.local/share"
 "/home/*/Linux/Isos"
 ];
- encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}";
+ encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg/passphrase".path}";
 compression = "lz4";
 keep_daily = 7;
 keep_weekly = 4;
diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index 4c446b7..65e6e7e 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
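Review bot: No agenix input or NixOS module is brought into scope anywhere in this patch, yet hosts/thinkpad/default.nix and the thinkpad network/backup modules now set `age.secrets` and `age.identityPaths`; the only flake.lock change is the home-manager bump, and the two flake.nix hunks only add `./shared/sops.nix` to the nuc and falkenstein module lists. Unless the thinkpad entry (outside these hunks) already imports `agenix.nixosModules.default` and flake.nix already declares an `agenix` input, evaluation will fail on the undefined `age` option namespace. A reviewer cannot confirm either from the visible lines, so please point at the commit that adds them or include that change here. The enclosing module lists and attribute set start and end outside the hunks.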
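Review bot: The two replaced sops assignments in hosts/thinkpad/default.nix are kept as comments (`# sops.age.sshKeyPaths = ...`, `# sops.gnupg.sshKeyPaths = lib.mkForce [ ];`) rather than deleted, and hosts/thinkpad/modules/networks/uni.nix does the same with `# sops.secrets."uni/zih" = { };`. Git history already preserves the old configuration, and commented-out option assignments tend to get pasted back long after the module they belonged to is gone. I would keep only `age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];` under the existing `# impermanence fixes` comment, and reword that comment to say why the path is needed, e.g. `# impermanence: the host key lives under /nix/persist, so point agenix at it explicitly`. If `lib` is no longer used elsewhere in the file, it can be dropped from the argument list, but that is not visible from the hunk.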
@@ -2,14 +2,19 @@
 {
 imports = [ ./uni.nix ];
- sops.secrets = {
- "wireless-env" = { };
+ age.secrets = {
+ wireless = {
+ file = ../../../../secrets/thinkpad/wireless.age;
+ };
 "wireguard/dorm/private" = {
+ file = ../../../../secrets/thinkpad/wireguard/dorm/private.age;
 owner = config.users.users.systemd-network.name;
 };
 "wireguard/dorm/preshared" = {
+ file = ../../../../secrets/thinkpad/wireguard/dorm/preshared.age;
 owner = config.users.users.systemd-network.name;
 };
+ };
 services.lldpd.enable = true;
 services.resolved = {
@@ -32,7 +37,7 @@
 wireless = {
 enable = true;
 userControlled.enable = true;
- environmentFile = config.sops.secrets."wireless-env".path;
+ environmentFile = config.age.secrets.wireless.path;
 networks = {
 "@HOME_SSID@" = {
 psk = "@HOME_PSK@";
@@ -109,14 +114,14 @@
 Name = "wg0";
 };
 wireguardConfig = {
- PrivateKeyFile = config.sops.secrets."wireguard/dorm/private".path;
+ PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path;
 ListenPort = 51820;
 };
 wireguardPeers = [
 {
 wireguardPeerConfig = {
 PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
- PresharedKeyFile = config.sops.secrets."wireguard/dorm/preshared".path;
+ PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
 Endpoint = "141.30.227.6:51820";
 AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
 };
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix
index f048184..f0bca5e 100644
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@@ -1,6 +1,9 @@
 { config, ... }:
 {
- sops.secrets."uni/zih" = { };
+ # sops.secrets."uni/zih" = { };
+ age.secrets.tud = {
+ file = ../../../../secrets/thinkpad/tud.age;
+ };
 networking = {
 wireless.networks = {
 eduroam = {
@@ -60,7 +63,7 @@
 protocol = "anyconnect";
 gateway = "vpn2.zih.tu-dresden.de";
 user = "rose159e@tu-dresden.de";
- passwordFile = config.sops.secrets."uni/zih".path;
+ passwordFile = config.age.secrets.tud.path;
 autoStart = false;
 extraOptions = {
 authgroup = "A-Tunnel-TU-Networks";
@@ -71,7 +74,7 @@
 protocol = "anyconnect";
 gateway = "vpn2.zih.tu-dresden.de";
 user = "rose159e@tu-dresden.de";
- passwordFile = config.sops.secrets."uni/zih".path;
+ passwordFile = config.age.secrets.tud.path;
 autoStart = false;
 extraOptions = {
 authgroup = "C-Tunnel-All-Networks";
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..be768fa
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,14 @@
+let
+ thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2X5hdT9/6BIrRWSE+XBbc4+ocVkPqoAGO2DMSYiJB/";
+ nuc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH6pI2rVvnEMG7oHzA47NRahEKQj99pagrat+Q7pOT2v";
+ falkenstein = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxar1P+KXVPzHCaIcGg33Gvog+a5Z8snHWSFqbY3WC6";
+ rouven = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkxTuzjS3EswMfj+wSKu9ciRyStvjDlDUXzkqEUGDaP";
+in
+{
+ "secrets/thinkpad/wireless.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/tud.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/wireguard/dorm/private.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/wireguard/dorm/preshared.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/borg/passphrase.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/borg/key.age".publicKeys = [ rouven thinkpad ];
+}
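Review bot: In the new secrets.nix, `nuc` and `falkenstein` are bound in the `let` but never referenced by any recipient list, and `secrets/thinkpad/borg/key.age` gets a recipient set although no `age.secrets."borg/key"` declaration appears anywhere in this patch. If both are groundwork for follow-up commits, a one-line comment saying so would stop the next reader from deleting them; otherwise drop the unused bindings so unused-binding linters stay quiet. The file also lacks any header explaining what the keys are, so I would add above the `let`: `# Recipient public keys: each host decrypts with the SSH host key listed in its age.identityPaths; rouven is the identity used to edit the secrets.` That `thinkpad` here is the public half of the host key path set in hosts/thinkpad/default.nix is inferred from the naming and should be confirmed against the host.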
diff --git a/secrets/thinkpad/borg/key.age b/secrets/thinkpad/borg/key.age new file mode 100644 index 0000000000000000000000000000000000000000..74e3a032035e5c9b07ed3c97a843e42c2fca2777 GIT binary patch literal 1302 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4Nr3P2vi6x2upPd zswy(ED9EYQ*AMk5E6*%953ULeNldj2c1-nh@(Fi~2sf7gP^AAWf@+i{QuPn7paSKbSbn?vfFGjb`HLR+{GEl+PF~=n@)vcNl`%wS5c*Bc0r!DS!h6hMWCZko{xE1X>zt@fS+@oM_!(*lW%}; zK(@9;QI@xvcVJY!W$#ap>W$B26v%dIm zZaMS&l66VXl-EfsK5kJ}{*@_pk8wH2YJp!5ctq`jlvckpH*-7L{N`|(CbQ3C@wI1P zb{~J;|CC)U@Vc+Dq2Kp=N$bm^{i=h6|A%c^W%jLoY2=C(uKOJhWH7sJ6kPKsE^pb5 z$zLS)ZB4p4zw|_L@%5`xtCSjLRjyr_Ata#0TE(j!QTWn=_0QI~^LcU&?-tCyW#h3l z`P*Ob{o6FII%LkW?kVa$aF^qzq5`!Sp6>wKBH-F1c@~ zeCpqu`JRW9c@e9T(1hfKdG}7HNu7Q1=D{NO|HnSPXkpU`w&(Ma3lsYJHOKSn!pS9t zS2k$$t~tT{MDXnkk&VYs=+tdp?j}_}V@kQ$oX&vBvCH37Imm5sh>31{c!yPdRdCSP z!z>$5mR?*FX_UU^@lNGM6QZ_k?B0CI=ibyuimyLtCq0?A`ngBPCdFBku6htHnoUwB| zXS;WWg3rwbFB17~A2u-mnBUm;N@>fNGdq6WG77$PhTA;R{3q`rkqrV@KQCLxTYY{_ zOhn8rZ~xclYoq2ap4N2C{V{u+sF}NV@n&^}M;(R{Txn>YXK{r>qsU+S*^@WE-~8)nv(<`pNLUu_a7RMw94 z56=&Ju=a(|(PX15vG=a6yz;@2|GCeC{ZrYk1JuKw`8}DZA|(0E?C2I|E&1T;w>P&X zzKzVVn_KOD+G|EZM#$3_OiuiNrv&KRJ6k#jeCFBR*(NY??y;XDZ?>jiO5%!}cP&FO zM6KwkT#x82$-4{O#D%86J!EF%?;n3Es6Y2K)9uYX2lp*{K82-kZ;^Smo>7N93lD=` z+N0${bK>rnE1Elg-Mwu3V!O+`CT^=OSaFxRMpE;K=^5|*tKv;dXY-4>C@zcM8hOL) qc=PA^*Cmz+NNzbOo4>Msc8bb5iQG>c&+ReV>dL1)J44am+Xw(uZ#hf= literal 0 HcmV?d00001 
diff --git a/secrets/thinkpad/borg/passphrase.age b/secrets/thinkpad/borg/passphrase.age new file mode 100644 index 0000000000000000000000000000000000000000..7c291252799e76f60e2d7601415f5818af45ff34 GIT binary patch literal 480 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4Nr3P2vl%QD=o0J zh|2QzGjvbO%CtD0B}A3^NKb z&M7lb^9XVD^ta45waib+OD_%eD@rx3imFUc3PrcgHLR+{GEkwYT;IRQH@Gx3Ki|yM z$Sfc!(AdDF(AdqiqR_1>Bh|<_&$Z0A*vv90FObX0)Ggf5$F0~eJJLTXJF?OuEXCBs zuq-{G%B(y)(j$jVY*vrMQCY}rEhMObD3Xwm6>IDc2RbClxc;wXzx$|<_nse37Z^G(uB@n@v2@z<9rx^>h2^akKdi4;|9atTHMM4chl#CM GMMVIKkEF2x literal 0 HcmV?d00001 diff --git a/secrets/thinkpad/tud.age b/secrets/thinkpad/tud.age new file mode 100644 index 0000000..5b64041 --- /dev/null +++ b/secrets/thinkpad/tud.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ 8qDAQ233j/CRqJRSjx0CIMNyBl5y/D03ujizUlyeDQk +YvxS49YognMr1d9ldJP0R4RKxZMLKxLk4G6juMpufag +-> ssh-ed25519 EVzt9Q z5q719PZfij/wMAzL/Co+zn5fItb2d1ixaLETSYBcHc +GHe/BBkAva/H3XE7Es6quxcVetNPhrjQvhqpskHzRuc +-> =0GcgoBRaICNhFRTdm2@R-Bi%3t*@kF=HHLR+{GEl)e!o?^oB*Zr}KhobN ztI*WDB*W7yq_|MuAj-$h!@xTuG%+POH?k_%IG-yqJU=rcCAio#x5TWr`fTq5W#q#{{)Ym0ze lfVaxI3)O1tH*cL%d9l34m*c-vkNr2s8?P5;J(y;Z0RVs$uDk#M literal 0 HcmV?d00001 diff --git a/secrets/thinkpad/wireguard/dorm/private.age b/secrets/thinkpad/wireguard/dorm/private.age new file mode 100644 index 0000000..8351a12 --- /dev/null +++ b/secrets/thinkpad/wireguard/dorm/private.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ wNqtwu/45ALrTdTmuEhYq2HpRA8s2DnHX1Hocw3zFCM +1QvOewuqXACyFTJqzypf6cxZdM0MgXl9KACvl40qTN0 +-> ssh-ed25519 EVzt9Q fXLkwuPJ5y8ODKFpmDWVsma5sgx3WUMeqM/NRXiIbys +VM8XIkPplNiFxjKvHjjVWkBHt2EyLD3Ngdjtlor3yzs +-> (+cA16G-grease b`HZ0&CK +CjJd2a8z/BrTQXKduxMh1vc9AaHJT8O+jEyxHBrKBpHIF2Q +--- V/8tACrExnaGyEr7LJgeMtnfi+YGe631Z/FG7qoI/VM +Ó@Ö¤À 1ŽÝýNÌØpÌ5$‰ê×zƒf°fQ«½8ÑCâ”òKJ׸òûzØ.}îÌ›E-â¹¥¯ü²ó›ÖPª+ó”r0 \ No newline at end of file 
diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age new file mode 100644 index 0000000000000000000000000000000000000000..3d89e87e0d5bb510c72eb4443ff47814c55a7a42 GIT binary patch literal 754 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4Nr3P2vn%>_wcBQ z%E^teO!LuBj|dCT@sIEt9dv&hUvUpvh|!#l#nvY_0u(9yua z)y&B;CpA#pI6pfx(jqiCG$Oz^1#DYXrbkGCkBe@4QEFmwszRnkO>nM;LA*kciH=I9 zO`WoWO=+Q>rh%S@g0_W|ouW2ZVTpFRPoWtyXJNvVZnqH(HQ zl0jK`k+FZ8PnCyPwyAHBzpG({o1fyLYIkmz!s#Ye1&2X_%pzUshteepPXhaZZV=OKLe+ znZ~=nH){m)RXul}3v;!KEOj}&=}kVWkNeq@5^P0$oZ;Q zlN>XapYgE|uX;DNmhpRq%h~0tmU(<)n${8d)%xkKuiyD%6tDdLzVK9{^vpjZ8}+T! z16ZFi@y}S(edxmL?h(%sDFfB3c!muR3>FZ?(AR z;;qlCOf1S=JnwZXeA8p%yI+1+Ztc;KY1xLy%jbXH7`rECx#Y!lIoG%!KJ*X&uK#WB zk)XvdzS-Q+@_M{H{e^Ty)$=LVf^25DUq4M?icXuE_G_;GJ;jZ;9emywRg$%22gztvg`tXh6oaJyari|1-p^J7PT joM&3Je>(HE&x$`KB(tvGlV6wl=0s)nx8VERWp)Dq0AVXG literal 0 HcmV?d00001 diff --git a/shared/default.nix b/shared/default.nix index 86b38d0..8659bc7 100644 --- a/shared/default.nix +++ b/shared/default.nix @@ -4,7 +4,6 @@ imports = [ ./activation.nix ./gpg.nix - ./sops.nix ./vim.nix ./nix.nix ./tmux.nix diff --git a/shared/zsh.nix b/shared/zsh.nix index 09aab50..3b50c9a 100644 --- a/shared/zsh.nix +++ b/shared/zsh.nix @@ -25,7 +25,7 @@ la = "ls -a"; less = "bat"; update = "cd /etc/nixos && nix flake update"; - mosh = "f() {mosh $1 zsh};f"; + msh = "f() {mosh $1 zsh};f"; }; histSize = 100000; histFile = "~/.local/share/zsh/history";