From be4b66fdd215456d76160fc3bf6c0455d66aac81 Mon Sep 17 00:00:00 2001
From: kenji
Date: Wed, 24 Dec 2025 16:24:38 -0600
Subject: [PATCH] fully implemented SOPS

---
 secrets/secrets.yaml | 25 +++++++++++++++++++++++++
 system/security.nix | 10 +++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 secrets/secrets.yaml

diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..00018f0
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,25 @@
+hello: ENC[AES256_GCM,data:38nel/vZi9SaRxw98yPKhq7NEs+jtII7ZS5cX9i1h5Iw73S+oUDnXYw7v9aa8Q==,iv:vLTjMCeA/FJmb0LmjWDnHjpWpG5sRldrvhG03Kreujo=,tag:GWGYTmgNgQWWnlPiKq+9vw==,type:str]
+example_key: ENC[AES256_GCM,data:UF/a/+f6T6RayR67Yg==,iv:WAOwW5BUhbdBrvcYHJ0wCaxEcVpM6l4b783qSIl5JV4=,tag:+Wad6zUE9ioqmd3RPG1VoQ==,type:str]
+#ENC[AES256_GCM,data:CtX2GMcSxD5+bziAgAzoNA==,iv:QaLhxAbp2hO2NcD5QXc7afhcs8PeSWH+03u02+Xz9oA=,tag:Dfh5WpmrSwqk7THu333rLw==,type:comment]
+example_array:
+ - ENC[AES256_GCM,data:ewSxVYXxF+csyS4Mzek=,iv:1ZmQwbhJtYDt5rZUdlZ/DzWygBK0Tp0jmAw48pS5cv4=,tag:WNX+SVgTAwHrT2rfpBqyfA==,type:str]
+ - ENC[AES256_GCM,data:Sidp1Dj8jNlpKnz3jFM=,iv:FLQ/n5uW0HbNFuamoZdKStuZcs4KJ3vvfirUi42at3U=,tag:FL7MvMpKdJDXX8XQbScW9g==,type:str]
+example_number: ENC[AES256_GCM,data:nm2Zjf+aDSAB2w==,iv:bwrxPbdQzOoSvSGCtX/Nr8NG86pOJAHjg47obYGO7Xs=,tag:tqQ35rtS0Mq4CeKCC9Km+w==,type:float]
+example_booleans:
+ - ENC[AES256_GCM,data:TTbYrA==,iv:jG0BICY3Rc1z0hVuUVwgzOZ02pUxGhDhdLERqu2bi5U=,tag:F0TgOm50LVNbVaVKOnuTUA==,type:bool]
+ - ENC[AES256_GCM,data:M+ccBn0=,iv:vPRaIEELkypw53gkUmr8Lb+TNwtfDBO8y5yQNpF42Pw=,tag:dxOKj16ctBbgyul/Pr6rxA==,type:bool]
+sops:
+ age:
+ - recipient: age1dhmt5tdyxd9zam542zkr9hq4tku7lzmf6j057sjtepk80deky5fqemczs5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHU2hZUlMvQ0xVOWlWaEwv
+ UCt5ZzRmNHc0dDRLWkkwVWZRa2o2N25rbHo0CnhFcFVTT1gzdjVzTzlVSGFFUkNu
+ QVBOOEFLM0hDQWV5RXhzTjFhbGZrQzAKLS0tIFoxeFFzcHdFTlF2c0toTUlxT1lM
+ eFZFRkMvVG5qeVZOZmRvNkQ5cUpnOUEKfA5lu9DY+EklFzZGwdZv3hModXN8fzKE
+ RVnWoNcAbQ83ZH87XwqkGSgmP2Vzumm9gBrJ013Zs6yWFUCvVBLI0Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-24T22:19:06Z"
+ mac: ENC[AES256_GCM,data:AWu5bQctk6f+IgagtDPtPnaYEOLPwdby8El9b+cCgLNxHASD4cybbkr7ishBxBdDd8Xj4zhTvQFeOSgazoclPBoPx264AVHRNhYkQT0rPwGpizTcmolla2v4wika4ZRWGr9oR9xwer6OpB9y0vIe5TxLkzrtgVk1Fr6LKATiq8s=,iv:mxRIXpZ2cEv6b9v/U783Tbfwg5L/EsH40l7aBS7E/Pc=,tag:O9Zn1cTj/qEy3X0U+ouvRg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/system/security.nix b/system/security.nix
index bac19d0..805b1dc 100644
--- a/system/security.nix
+++ b/system/security.nix
@@ -1,8 +1,16 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ myConfig,
+ ...
+}: {
 security.pam.services.greetd.enableGnomeKeyring = true;
 environment.systemPackages = with pkgs; [
 sops
 age
 ssh-to-age
 ];
+ sops = {
+ defaultSopsFile = ../secrets/secrets.yaml;
+ age.keyFile = "/home/${myConfig.nixos.username}/.config/sops/age/keys.txt";
+ };
 }
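Review bot: The file has exactly one recipient, the age key `age1dhmt5tdyxd9zam542zkr9hq4tku7lzmf6j057sjtepk80deky5fqemczs5`, so if the matching keys.txt is lost or the machine is reinstalled the contents are unrecoverable and the file has to be recreated from scratch. A second recipient, for instance the host's SSH ed25519 key converted with ssh-to-age (a tool this same commit installs), declared in a `.sops.yaml` creation rule would give a recovery path; no `.sops.yaml` is visible in the patch, so the key-management policy cannot be checked here. The keys present (`hello`, `example_key`, `example_array`, `example_number`, `example_booleans`) look like the default template sops writes for a new file rather than anything the Nix module consumes, so it is worth confirming this is intentional placeholder content before anything references it.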
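Review bot: `sops.age.keyFile` points at a key under a user's home directory (`/home/${myConfig.nixos.username}/.config/sops/age/keys.txt`), but sops-nix decrypts system secrets as root during activation, so every system secret now depends on a file the unprivileged user owns and can replace, and on `/home` already being mounted when activation runs. Keeping the decryption key outside the user's home, e.g. `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` (which matches the `ssh-to-age` package already installed in this file) or a root-owned `keyFile` under `/var/lib`, removes both issues. `defaultSopsFile` is set but no `sops.secrets.<name>` entry is declared, so nothing from secrets.yaml is actually decrypted or exposed to any service yet despite the commit subject; if that is a deliberate later step, a comment such as `# secrets are declared via sops.secrets.<name> in the modules that consume them` would make it explicit. `myConfig` is a new module argument that has to be supplied through `specialArgs` or `_module.args`; that wiring is outside this hunk and cannot be verified here.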