From ec64e16dfc579175ff9d84f0303d1d65c5c11d61 Mon Sep 17 00:00:00 2001
From: David Crompton
Date: Thu, 27 Jul 2023 16:15:53 -0400
Subject: [PATCH] Secrets Support

---
 .sops.yaml | 11 +++++++++++
 flake.lock | 25 ++++++-------------------
 flake.nix | 8 +++++++-
 machines/kcnhub/configuration.nix | 5 +++++
 4 files changed, 29 insertions(+), 20 deletions(-)
 create mode 100644 .sops.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d91cd2f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+ - &root age1cvmffz227lhsvy4ufh0gnkfsvs5f27hv5l90m0lf4558uphteefsj2t74j
+creation_rules:
+ - path_regex: secrets/[^/]+$
+ key_groups:
+ - age:
+ - *root
+ - path_regex: machines/[A-z]+/secrets/[^/]+$
+ key_groups:
+ - age:
+ - *root
diff --git a/flake.lock b/flake.lock
index aeac126..a43fd02 100644
--- a/flake.lock
+++ b/flake.lock
@@ -32,22 +32,6 @@
 "type": "github"
 }
 },
- "nixpkgs_2": {
- "locked": {
- "lastModified": 1690026219,
- "narHash": "sha256-oOduRk/kzQxOBknZXTLSEYd7tk+GoKvr8wV6Ab+t4AU=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "f465da166263bc0d4b39dfd4ca28b777c92d4b73",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixpkgs-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "root": {
 "inputs": {
 "nixpkgs": "nixpkgs",
@@ -56,7 +40,9 @@
 },
 "sops-nix": {
 "inputs": {
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
@@ -68,8 +54,9 @@
 "type": "github"
 },
 "original": {
- "id": "sops-nix",
- "type": "indirect"
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 5b232fa..45e3360 100644
--- a/flake.nix
+++ b/flake.nix
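Review bot: The `[A-z]` class in the second rule, `path_regex: machines/[A-z]+/secrets/[^/]+$`, is a raw ASCII range (0x41–0x7A) and therefore also admits `[`, `\`, `]`, `^`, `_` and the backtick between the two letter ranges; `[A-Za-z0-9_-]` states what a machine directory name is meant to be. Separately, sops matches `path_regex` unanchored, so the first rule `secrets/[^/]+$` already matches every `…/secrets/<file>` path including the per-machine ones, and sops uses the first rule that matches; today both rules encrypt to the same `*root` recipient so nothing breaks, but as soon as a machine-specific key is added to the second rule it would never be applied — anchoring the first rule as `^secrets/[^/]+$` keeps the two disjoint. The `age1…` value is a public recipient key, so committing it is expected; since it is the only recipient, the matching private key is the sole way to recover every secret, and a comment in this file saying where that key is kept (outside the repository) would help the next operator.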
@@ -3,12 +3,18 @@
 nixpkgs = {
 url = "github:NixOS/nixpkgs/release-23.05";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ # Follow the system nixpkgs
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = { self, nixpkgs, sops-nix }: {
 nixosConfigurations.kcnhub = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
- ./machines/kcnhub/configuration.nix
+ ./machines/kcnhub/configuration.nix
+ sops-nix.nixosModules.sops
 ];
 };
 };
diff --git a/machines/kcnhub/configuration.nix b/machines/kcnhub/configuration.nix
index b45d5e1..c676176 100644
--- a/machines/kcnhub/configuration.nix
+++ b/machines/kcnhub/configuration.nix
@@ -59,7 +59,12 @@
 # TODO: Make set of themed packages for packages that are available, e.g. Python packages, Matlab, Octave, etc.
 environment.systemPackages = with pkgs; [
+ # Needed to manage Flake
 git
+ # Needed to use secrets
+ sops
+ # Used for Key Generation
+ age
 ];
 # TODO: Make services directory for with a nix for each service that is enabled and what options it has
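Review bot: `sops-nix.nixosModules.sops` is added to the module list, but nothing in this commit sets any `sops.*` option (`sops.defaultSopsFile`, `sops.age.keyFile` or `sops.age.sshKeyPaths`, `sops.secrets.<name>`), so the module is loaded with nothing to decrypt until a later change configures it. If that is intended, a comment on that line such as `# sops-nix module; per-host secrets are expected under machines/kcnhub/secrets/ (see .sops.yaml)` records where the configuration is meant to land. `inputs.nixpkgs.follows = "nixpkgs"` builds sops-nix against release-23.05, while the lock file still carries its separate `nixpkgs-stable` input; whether that second nixpkgs should also be made to follow depends on what sops-nix uses it for, which this patch does not show.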
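Review bot: `age` is installed for key generation, but the hunk does not say where the generated private key is supposed to live, and the distinction matters here: anything referenced from the flake ends up in the Nix store, which is world-readable, whereas the host key must stay a plain file outside the repository at the path given to `sops.age.keyFile`. Extending the comment to `# Used for Key Generation (host age key is created on the machine and kept outside the repo at sops.age.keyFile, never in the flake)` makes that explicit next to the tool that creates it. The reconstruction of `git` as an existing entry between the two added comments is inferred from the hunk's line counts; the enclosing module attribute set starts and ends outside the hunk.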