From 516034c19f6b0126df71c27a775c2c77aa83f58c Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Tue, 21 Dec 2021 22:55:20 +0100
Subject: [PATCH] First step with sops

---
 .sops.yaml | 11 +++++++++
 base.nix | 9 +++++--
 machines/macintosh/home-julien.nix | 2 ++
 secrets/secrets.yaml | 39 ++++++++++++++++++++++++++++++
 users/julien.nix | 9 +++++--
 5 files changed, 66 insertions(+), 4 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..fc3ffcc
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+ - &macintosh age1z7ysc378s6rymamdawzav4jg5scl0ufg0lfgx7zuyh234lsnfsrqw9s0cn
+ - &newton age162v5365xrnzm9tlxy4w3e6fqds7k3h029qezvl73z6rs5skcn9hs7vml45
+ - &lisa age14shnplzdf2uatzd7wkvnquqw00zjfly3404ak5lqevajanzdw5qqedjw0y
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *macintosh
+ - *newton
+ - *lisa
diff --git a/base.nix b/base.nix
index d6d0d1d..a290ce6 100644
--- a/base.nix
+++ b/base.nix
@@ -1,10 +1,15 @@
-{ config, pkgs, ... }:
+{ config, pkgs, sops-nix, ... }:
 {
- imports = [ ./users/julien.nix ];
+ imports = [
+ ./users/julien.nix
+ ];
 luj.nix.enable = true;
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/home/julien/.ssh/id_ed25519"];
+
 time.timeZone = "Europe/Paris";
 i18n.defaultLocale = "en_US.UTF-8";
 console = {
diff --git a/machines/macintosh/home-julien.nix b/machines/macintosh/home-julien.nix
index 7be37e8..3c3a87a 100644
--- a/machines/macintosh/home-julien.nix
+++ b/machines/macintosh/home-julien.nix
@@ -20,12 +20,14 @@
 neomutt
 htop
 evince
+ brightnessctl
 wireguard
 mosh
 signal-desktop
 flameshot
 ctags
 ungoogled-chromium
+ networkmanagerapplet
 ];
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..5db3fbc
--- /dev/null
+++ b/secrets/secrets.yaml
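Review bot: The creation rule `path_regex: secrets/[^/]+\.yaml$` is anchored only at the end, so it also matches any nested path such as `something/secrets/foo.yaml`, and sops would happily encrypt such a file for these three recipients. If only the top-level directory is meant, anchor the start: `- path_regex: ^secrets/[^/]+\.yaml$`. A one-line comment above `keys:` naming which machine or person each age recipient belongs to would also help whoever has to rotate one later.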
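Review bot: `sops.age.sshKeyPaths = [ "/home/julien/.ssh/id_ed25519"];` turns a personal SSH private key into the host's decryption identity, so every secret in secrets/secrets.yaml is readable by anyone who obtains that key, and the key must be present and root-readable at activation time, before users are created, for the `neededForUsers` secret declared in users/julien.nix; if /home is a separate mount or is restored later, activation will fail at that point. The conventional sops-nix setup uses the host key, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with that host's age recipient listed in .sops.yaml. `sops-nix` is added to the module arguments but is not referenced in the visible lines; the rest of base.nix is outside the hunk, so it may be used further down, otherwise it can be dropped.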
@@ -0,0 +1,39 @@
+user-julien-password: ENC[AES256_GCM,data:CnAfCPKEG2OUcM8pyICaZ7ZwclTouENCh1pl4LqFads8yOezvOYDwZSWVGM6P6z79kEL6o5Jt4dnHvRdln8gcANElJtqk1C7zfXlp47SegqzKa7QAEMKVURsO0RQj27I7cRbRaAkBWeFCg==,iv:Gv6y9DnKuxVz+QxSIW9IVCv9DdU5cA6+WR/OSA0SNfQ=,tag:ae0jTJFelKlSSGgVkFjHww==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1z7ysc378s6rymamdawzav4jg5scl0ufg0lfgx7zuyh234lsnfsrqw9s0cn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHY0xEUDBCcUhCKzNIbUlm
+ enZrV2MyZytSNkRFNDJLd3hsMlFvc2V2Qnd3ClQ0U2JYY0M5clJtU1NyQTJNNEVG
+ UEpUOUJELzByTHJqcXIvWE5HMjN5SHMKLS0tIHhLOStlYnVnbmVBSkdOY083TFR4
+ Zk9FUG5lR0Q4L3V1M1FmRHBtbGc4YVUK2TCeXI+GrRz72JEud0tT/V8uryF0rVOU
+ gDEotieLsd4MSWsYYALvHHAx7uKDtEhIdliPohqM9IAKRq+3GGKtsg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age162v5365xrnzm9tlxy4w3e6fqds7k3h029qezvl73z6rs5skcn9hs7vml45
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUlhUeE1saC9zRm5FczRh
+ NGx4Umx6SXZJdHBIcURoMmlEY2JtdU1jMlY4CjlKenFxV1J3blR0ZVByQVpEYU1U
+ UUlCSmJRdHZJNGpWNFpqQ1lBajBPY0UKLS0tIEo4aDlScjl2MmYrQ1NYYVE3N1RU
+ MytabnVhSGlqdFQ4RGF0OE9va28weDQKawBOw62DucCBFbkxL6/NuYBPcxyc7sCu
+ JvzAComgfSmp5ROSuigAbjs5stz7hn2yNHKtBD3UxqTtDKblXaSN8w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age14shnplzdf2uatzd7wkvnquqw00zjfly3404ak5lqevajanzdw5qqedjw0y
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTWFiU1FweDNQQjl1ODBC
+ STUyOGpZdmE2d0p1ZnQrblB5TzJFY05lV0NZCnhSUWpzdW1wb05rZFdVWmM1ZTkr
+ TDdnWU1KcEYxTWNuTUoxSlVpL1VsSDQKLS0tIE5GbWZsZk9sdmtFNkVtc2VKejV2
+ dStVUTRYUnlDTXk5UXN1NDJYN29KeG8KhdZjc591xMCYGAIvhhq5fcT79ozAyo7F
+ 89Zjm96eVH+r9g5QOc6+A1GWeQrp90l7/m3TNmCRZnAa1TiWe6sYiQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2021-12-21T21:53:13Z"
+ mac: ENC[AES256_GCM,data:PYGLtjwSVX+Pi/fRQNcSYWKlXNg/KT1oo4UNd0+ZfsY9BhSSgtQFb9CAgQiQIhq89jNhtYhpI4Yedqw7RbNM0uTErF0fyYEpjvTRRnxumYKLVGNrPMjtWI5jyZROmmvFV67OmCvfEL5JjK87aIG5ygMPYVlJrWQ7ZRSc6LJ9Od4=,iv:q+o9VePVlYxP3bmIWLOK0QyPxDzkTfGeUC3orkUqM+4=,tag:gDnn33NNsz7OujJtK5+mpA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
diff --git a/users/julien.nix b/users/julien.nix
index 6c1dbd6..35021a0 100644
--- a/users/julien.nix
+++ b/users/julien.nix
@@ -1,10 +1,15 @@
 { config, pkgs, lib, ... }:
 {
+
+ users.mutableUsers = false;
+ sops.secrets.user-julien-password.neededForUsers = true;
+
 users.users.julien = {
 isNormalUser = true;
 home = "/home/julien";
- extraGroups = [ "wheel" ];
+ extraGroups = [ "wheel" "keys"];
 shell = pkgs.fish;
+ passwordFile = config.sops.secrets.user-julien-password.path;
 openssh.authorizedKeys.keyFiles = [
 (pkgs.fetchurl {
 url = "https://github.com/JulienMalka.keys";
@@ -13,5 +18,5 @@
 ];
 };
- nix.allowedUsers = [ "julien" ];
+ nix.allowedUsers = [ "lol" "julien" ];
 }
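Review bot: `passwordFile = config.sops.secrets.user-julien-password.path;` requires the decrypted file to hold a password hash in crypt(3) format (for example the output of `mkpasswd -m sha-512`), not the clear-text password; the encrypted value in secrets/secrets.yaml cannot be checked here, and with `users.mutableUsers = false;` a wrong format leaves the account with no working password and no fallback, so confirm the hash before deploying. Adding `"keys"` to `extraGroups` presumably aims at making the sops secret readable by julien, but sops-nix secrets default to owner root with mode 0400, so group membership alone does not grant that; either drop `"keys"` or set `sops.secrets.user-julien-password.group` and `mode` explicitly if the user really needs to read the file. The `users.users.julien` attribute set continues past the end of the hunk.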
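Review bot: `nix.allowedUsers = [ "lol" "julien" ];` in the second hunk of users/julien.nix grants nix-daemon access to a user `lol` that is not defined anywhere in this patch, which reads like a test leftover. Unless that account is created elsewhere, revert to `nix.allowedUsers = [ "julien" ];`; if it is intentional, a short comment naming where `lol` is defined would stop the next reader from removing it.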