Create helper option for deploying sops keys

Update public key of sue-root because I lost the private key
2024-11-21 22:27:29 +01:00 · 2024-11-21 22:27:29 +01:00 · 0812586942
commit 0812586942
parent 544cf42357
8 changed files with 102 additions and 107 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,6 +1,6 @@
 # Public keys are combination of host + user
 keys:
-  - &sue_root age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+  - &sue_root age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
  - &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
  - &gamepc_root age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
  - &gamepc_pim age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
--- a/machines/gamepc/configuration.nix
+++ b/machines/gamepc/configuration.nix
@ -1,15 +1,15 @@
 {
-  self,
-  pkgs,
  config,
  lib,
  ...
-}: let
-  sops = lib.getExe pkgs.sops;
-in {
+}: {
  config = {
    pim = {
      cinnamon.enable = true;
+      sopsKeys = {
+        root = ./nixos.sops.yaml;
+        pim = ./pim.sops.yaml;
+      };
    };

    facter.reportPath = ./facter.json;
@ -30,22 +30,6 @@ in {
      targetHost = "gamepc";
      targetUser = "root";
      tags = ["desktop"];
-
-      keys = {
-        root-sops-age-key = {
-          keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/gamepc/nixos.sops.yaml"];
-          name = "keys.txt";
-          destDir = "/root/.config/sops/age";
-        };
-
-        pim-sops-age-key = {
-          keyCommand = [sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/gamepc/pim.sops.yaml"];
-          name = "keys.txt";
-          destDir = "/home/pim/.config/sops/age";
-          user = "pim";
-          group = "users";
-        };
-      };
    };

    services = {
--- a/machines/gamepc/nixos.sops.yaml
+++ b/machines/gamepc/nixos.sops.yaml
@ -8,29 +8,29 @@ sops:
        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTFlYWjZSQkZPczV2cllX
-            a3RBL3FSbHZGaW5vUFdKVTdSNUJmSEQwdlc4ClBScDZBVk1qYTc4UzFpc3k4Z3N6
-            VzkwYXVBWVFCYUFqSHAyZjhUck8xY0kKLS0tIDdQdENRaDVKVTRUQ0dLWUNUL0tk
-            cjJMNG9vU1N4V2dqZWZjN21OMFJUZTAKzunMmG+NR2sFbVsl8qzdv1HEg4Ph5TFw
-            oIr5WWQ6RTzXTy6CwlTucnok/jwZHUloCTUeXECcSJUadeKE6MZyLA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMkRLNHNYTm55TjA4YWhF
+            SENVSlVVYWRQUVZNU29iWmk4dVgvSHk3Z1RNClFqcTlUcTlqNjZrMFdUTGQyU2hO
+            ZktIWXh5VVVsR3d2dUhDQ296RXBJSGsKLS0tIGtWQ1Jwd3U5VmxyMjExMXlQVVZ4
+            aTNmRFhEaE9nbGduK2tLallTcFBSWVEKMhULgc6jkA+qJ9LrYtxcUO2k78L4LxHl
+            7Okpr5UJlTVn96swt/aFEEfA1gnzGgPWU6Oir5uETBiqTVVytW16wQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWG0remtrVHloU25PNFVw
-            eWxMZ3pmUG1YSFVZZ0MzNEFweTJNbDVSUUQ0CklBT1NheGtmZDZkMUo4RTlHM0ow
-            TTdITzVJbFFQcGNLM0xxUS91K056VTAKLS0tIEpWOTZJQjN2REV0RTB5YWpjWDZa
-            UUxiazdLa1ZZbTcraWsvYTBsTUNQbmcKKkQnPOkD3vifcQpwzgP9wvNaYtuUZpLE
-            mbILfB24Ox7dmLmI9ONVDIMM12HfE2lx4cj/xndk0//izPVZgrBTdQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbHp6WkhjdDRkeWpTeTBN
+            ejRXMUwrSkFTTUlGMC9LNTRwemcxWXVzN1FBCkZlazlBbVM4RlJuTUtZQ1hoWkd3
+            SUs5RS9Ba2k2cjhsOGkxaUt5TzF5cjQKLS0tIHFRcWFIL1EvcURURmR3a2FSSjRW
+            OUpUcFJ1N003OUJlMDJha09nQ1l0OWsKuxMX8dZbn75yUs5E5/hu+LjHRslcUldL
+            YmQl7phWnWMfgwphERpOhdMn2pczVGygriG7c0LOe6SiEiXxnUHiWw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDFMS293SUZqTXZtZlRT
-            Q0JHWmZrSHZVZmlPeUFDRG8wakdSWDF2b3pRCm83NFV1STlqQXdQMTR0Vm52ZEgy
-            eVlROWt0ZDE0TW1reElGQnplUENZclEKLS0tIG9ITTZiSEE4cDNxdnBQRW5tVFJk
-            bU9rLzRjVzBObkxocGp4UEJYMGVnckkKDQhr3qLLDrQkXa1Ei9c43irQh3suRNCK
-            mZPtRJc+kaUmhmF8HxVAHG4S4a5sN6sBHBFGbIGXtQzBajQreg/pYQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArc1pmV1cwTmt1RnFBb1VO
+            Yzd4OHNwbVBORHU1ZVRpVFpsMHlYM3BSaVhnCm5vbURWZ1kzbVZIdE9FY01Qc2tI
+            cVFtQTY4WnpNOEI2T1BTYkp4OWQydm8KLS0tIFE0eXpJMWxCMC9yOGNRdGNKUmll
+            S3I4UmRYZzRBUk5jcGtoUzFjcWdGeEEKGYB4kTpjNaAZWuu/wnBNYcSFwFEtX+pu
+            zzt9Nd2ahPnTMdcSLz/mwOHxyiAgBDUGsNm60EitKxl+LgmR7mBjnw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-17T21:42:29Z"
    mac: ENC[AES256_GCM,data:dFwV6VpyoXRkhfL+uSiiH2EcetAb0qV3AbED2XzNwvbE+TbItcoQ6JQ/2+lItZ4iULxGOxMvD8n0ZO/aASC8fDlqsNMwf2KmNFwjl4sVJBtTLKH4Z1/5rZmECwdiTMKOf/oTv3VNgbzkcrAuKEZywl+c4iXd5w4YaJgA0M6aSWI=,iv:Zxvr8vBcDZavSbAL8Ar+Du546H1Dhp/ZXRtsjcik2RE=,tag:Od08FmjlhNYPEpMC4rQR8A==,type:str]
--- a/machines/gamepc/pim.sops.yaml
+++ b/machines/gamepc/pim.sops.yaml
@ -8,38 +8,38 @@ sops:
        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTTAxNUVSS1BRUTlYc2xm
-            TFFHRkVHZkwvMS9xOE9GY1BHaXorTHpNWkdJCmlKVzdvb21VYUpwcUZ0SExKbTRj
-            MkpPcG4rd2I2ZWlsc0VvVDNxNm82TjgKLS0tIDdCNXlMYklNc0EyMmpST1JFSTVy
-            aW04VUpta2JMKzlRSmVHeUg1ejNrdW8KGsBSzeMkHE2y2TfzTTBdJJ73IankxnR0
-            dfZmtQyxejH4W1+v2wGTOc9EZ8R4dJX1ZdqncshWJWl2Uq36YMjuZg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWlpYcTV2TEw3TmwyaHhZ
+            M3hJY3VOT2NwaVZUU1cvNnRHVnhOZFRCd1cwCi8zM09icUZEUlIwTy9jVE9Takhr
+            T1ZuWWtkOHBGVGpHeU1VdXpvV2RRSE0KLS0tIDNyL24vWmZhRzBBRW5iMW1tSXhs
+            ZDhDVTcyVzk1bzVOcjJ1aDlOWEt4RzAKCuuSJ/aLZldfysSFhmUNNZULcSiBrNe9
+            hTRra+FLCbNqsNt2iuImkOQwINqdlUIaC36TtXUucV3C2SyDdLo1rA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOGUvQ3VWRnBsZ0syTXFh
-            Nm5TUC8vYkMvdDZ0SjErMjZwOHUrVy9vT1RvCndMa1V4bTJMKy9qMjY3M2FaWWMw
-            d2RrVDY2UWNLRjVQNTRMdU96TEFmNmMKLS0tIFFTbmhzS3UrS2crTGxlSmczcGUz
-            QlZQa0R5NHBLMzdVcC9WeEtBUm1tbVUK07gb5E1YyN5Sck1DWeUHQ8oB4CQOFaES
-            AJ8F+IrGdJ+0nsvm8d9VJ9UiluO74egettQPGDgEt4wdqFnHucmYzA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZXkyN1FxMzFiSzlVYjV4
+            U0E0TWNkb3VFMjJZYUdxM0QzZmg1cUxuMWxVCnFZNkM0SmFDRFE4aHJuQnNzOHNW
+            ZVc2MTBMWENYeFpYT3dPZERiMHpRUVEKLS0tIHhFL0JjdURYcldTbVNUYkNKN3VR
+            aUQ2ckVrb3k0L2hnSUdTb3ZzeE54SkEKzh55hsegd28yvwI93xQUYCFBHz7LFQ60
+            mrkrWHDBjzxH0VnKT/59YFI1QitLgxI2db6PGQl5i5LYzeBVzG58LQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDS1dkMUFiSlc2ZzVzRWts
-            ZGxIejgwZkd2NHd1elhGL1p5ZDF0OWpuRkV3ClpNRkhuQ2dNazh3dG9lSUVCVTBz
-            RU9yaFhTc1dmMVg3bUlhMXNLU1RDTncKLS0tIHdVNUxTOEh2Mmk0eHFFNnQ5dU1l
-            S1pXZDVDbm5Za3dPUWR2SnlGekNuYkkKHvcAOL6khPmcAQYj+15lVHepLUnFQdAp
-            UyhJ12OohAuqfFTG6QxytdA1u648IaAZyj5qcm7z2bpV/F7Oy7i8WQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUTR2enVtK3hEcExSL0lL
+            VWVHQ290WTB1cmlWbFB4TTRQaVdPRjQ2bGlRClNWeWtWMSsvL2NMbE54aDNTMmhJ
+            aWNSazdMMlJUaE5teDh1SWlBMFFMbVkKLS0tIG5QaktGZitaem1DaU5mL2hDZUUr
+            RW5RNXhpQklCQ3B5K0VoRUFZK3JEQUkKRCGn35rQOpgwxxUSvpWVxJG3gMu+aTnW
+            B3a/0I0QqAgcPZ3Lj/HIUDN5GUDxdmZhuMdBRKtm5uHMPzDDOXJOKA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWS9IeFVBVEVqcWZBNDlz
-            QUpGSGs2Q01CVXZmQ3N0VCtFNW5RT0JTaG5nCnJFQzg0Z2VHN25GYlRXVllYRDd2
-            bFZ4L202cjRyWlpLbUxMTDJyaTQ4ajgKLS0tIGF2UUY5MVFsbG1RL3drbERKeFd2
-            dnhVMXBnYjlxWWxYcm03N094a0cxWm8KDsLFtfF8ZVels+3Dnb8x6DuUBmckRkhe
-            t3PWOci4IzNbMBCnrUCDrBPPi6Lm/k+gp0i/U1hvPyHvbPujztT/RQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYSzhDb29pUmNvZ2Q5a3hO
+            R09lRThlNFpTd1FiZjdFajNMekxvQ3gvekQ0Cnd0SytUVi9JZUcvZGt4YjU3MENX
+            RWxMcUlRR3ZiUnVacGhBUTVseTQ4dkUKLS0tIDFabnNQbDlUcHRjUVRTVTFkTkJE
+            SURWUVdNYVdNRXpXYVpBVDZRS204ZVUK9DcgnwXI4cBcnl2xZWrJ1uLY8GHqL6HG
+            1cGGG6WEI/EyRH0x80/Djj1d3mEUs7H66uVjbNgid6vOjLi4qTS83g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-17T21:42:43Z"
    mac: ENC[AES256_GCM,data:0qHov3SY7SM0+kp4HqPi/AxnI2k2oDDmRkqFTEsqe7pJ793ldu/io027GOlmg9ZHs+aZflSl6tzMKXWAb0FR3ZCUi4pap5ZLANTYbnHN+X5/dhxoUwCwJxdhyFYntmfaFjxhPiPbhRfs/CGDhij8KyQASA/G1C2rFdH7xCYJIOA=,iv:AjnOkA9/d5+/X1Z0+if/jUBBnqFnK9by58C99VghI9I=,tag:u6EDtD2NK6dvFs6FIbur1Q==,type:str]
--- a/machines/sue/configuration.nix
+++ b/machines/sue/configuration.nix
@ -1,11 +1,4 @@
-{
-  self,
-  pkgs,
-  lib,
-  ...
-}: let
-  sops = lib.getExe pkgs.sops;
-in {
+{pkgs, ...}: {
  config = {
    pim = {
      lanzaboote.enable = true;
@ -14,6 +7,14 @@ in {
      stylix.enable = true;
      wireguard.enable = true;
      compliance.enable = true;
+
+      sopsKeys = {
+        # This is the root of our secret system.
+        # Don't deploy this though; if it fails,
+        # the key will be wiped.
+        # root = ./nixos.sops.yaml;
+        pim = ./pim.sops.yaml;
+      };
    };

    users.users.pim = {
@ -25,23 +26,6 @@ in {
      allowLocalDeployment = true;
      targetHost = null;
      tags = ["desktop"];
-
-      keys = {
-        # TODO: Create macro for this
-        root-sops-age-key = {
-          keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/nixos.sops.yaml"];
-          name = "keys.txt";
-          destDir = "/root/.config/sops/age";
-        };
-
-        pim-sops-age-key = {
-          keyCommand = [sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/pim.sops.yaml"];
-          name = "keys.txt";
-          destDir = "/home/pim/.config/sops/age";
-          user = "pim";
-          group = "users";
-        };
-      };
    };

    services.tailscale.enable = true;
--- a/machines/sue/nixos.sops.yaml
+++ b/machines/sue/nixos.sops.yaml
@ -1,25 +1,25 @@
-sops_age_key: ENC[AES256_GCM,data:3PebFyNHLlycKPN0L/MAL5NpKWqUiEFxivqnPtuavnET13NEEgPvyD9ZyuSYlQRefgKNHuKaAgaMNULOyL+mWF+AV+YYiVyrp14=,iv:gvxb6BK+i270b4Pr/dwRpwno+vqVplyyWdxEQIEVjmc=,tag:5LJ609yQOBkLCCwluI3AUg==,type:str]
+sops_age_key: ENC[AES256_GCM,data:xKGTAF5cVgysZPbcDgs0QF92Bw6wW78n9fm2RMdeLtywn0ga4qBO8YlrIQWCc2SfFQOTZUlz0e7QWsnbZpxN4p03XF1zusU0ceM=,iv:cDjqDYR3PKx3AbLQL5QbeFK26+Cnsk2m74mHPHIozNs=,tag:C2MzZLR2cQY/gHQNTId8UA==,type:str]
 wireguard:
    home:
-        presharedKey: ENC[AES256_GCM,data:TXCvGNW0iU74TnC2tlYBGhGfiuQmscVq6EPRr8dcRVI23au7nm2xQU5Ubfo=,iv:drGxozD/d0kqxJckJNKo0U7trgjAOMpztCqCxX+IJx8=,tag:liDTEqzrN48UslLMSgn6iQ==,type:str]
-        privateKey: ENC[AES256_GCM,data:YQZvCfXR3Gc21SDFmypBonTaVZztJm9RtO/Aaiy51PV5BfPg4Rgw5+bCuGg=,iv:K6hMqcgmhJPOfT/DGWpDb+5n2CB2nblZrIKxfRZGRek=,tag:UNsrY+WzSnh2Mh6GlY7p0A==,type:str]
+        presharedKey: ENC[AES256_GCM,data:nFOqWcdo8zG83v1ceod8Uy4wX3w2LHmDPp2PaAAJ/lUexU4DhY9RZ4wtgC8=,iv:UvzQSZZ62I+QVFHMkHczC2KPeqX8z+DodS7nxLmXr4U=,tag:otwdNc2636DJdkzg22puqQ==,type:str]
+        privateKey: ENC[AES256_GCM,data:RCQ3hvrnxCerTmKYfZFV7c9smMj5tbP+iFWouo1oxfhbec5K3uXipkL+KSg=,iv:zKSPvtDH3WcuxVpQydGScX6m0isZzLKk/F+/Wlpt/YQ=,tag:BDag2DSoHQDzg8xTS3SX3A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
-        - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bDRqNDNqYnRDZno2QnFo
-            MjlvNWpZNjhabDBFV2VJSGFCaWlvd21Ybmc4ClhOS3VRQ1VySFJYZWZ5ZHV4RUFs
-            NVo4WlFrai9CTi9uTWJGUExKWnpGN2cKLS0tIFc0UStVRGpHR3hsQUR3elFIK3Nu
-            ekZEZEZVTzJJYXRIT2k0OVJmZUhzN1EKVK307/rhSMQA89hHUD0MH/vhzKnmWF7K
-            QoTpJ20WxzLfNuGqqv9IpdRTKOrxCDbj3MUEv6d6k+X4sSEaOGVQ1A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWEc5K3p3QytpZ1pxeEJy
+            TUtENXdnT3ZJUGNXaHo0ZktwK21OMVJmNzA4CjdlMUtWY2hBc3U1UVZQZEllK2xC
+            NGZSK2VyQVdBRmZYejBWM0FIeFE5K2MKLS0tIEQ3MHhOcW92dlo4NUdBdFlKdEM0
+            N1Rab3RNZ00vd0xPOVBYRHphaldWU1EKNKnKPWO1l8NwWXG2e15Y3td9I0rN9Wwn
+            QdoeVf2+cPJOO5g9stZpl2DBF3QxJojt+dQhwjuEbP9nQtlVQPAlMQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-17T21:25:05Z"
-    mac: ENC[AES256_GCM,data:qgPbH0i6difL063Nmy9EIAdkv9mq/ztGk8S8OAahDTddoUbJkC3EQUgS6lsd3KHbFBGopn1yMpuWkkOgNFc7nGy4QP0Mm8DpRaawA4vq5+QOh91CRTvQDujDw4EXEHqa27iR5dnbscU5zYMmta4Dl5FnK3ujraifdp67H1RCH0I=,iv:IZvXt93K54xshv5YcXur5MeDGPq+ROTxuFSC/B7eheM=,tag:ZFhh/yMfEMFqlerQNvMhCg==,type:str]
+    lastmodified: "2024-11-21T21:16:17Z"
+    mac: ENC[AES256_GCM,data:Z2mYTek91FLKgMpAFdRl8s2eE6r/03f9/E/XDvkwJZutI40qN6tFrDmhdPIb1U96oPGekcK9WkShIQekQIK6CiDhOAr048x2kSXvrHMZ1hg1hwO7H6jBJiFSRxM1BVBAlbcvZp5IW7e3CqfibVOgXOQvMl0CDS41ucQWV7odO6Y=,iv:7rb/VemE+cFhJ+8XUeLyp+K7FmY0XdAbgs6XWHLrV7M=,tag:vmPRTB9+EYjPLgX4qiFlXw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.8.1
--- a/machines/sue/pim.sops.yaml
+++ b/machines/sue/pim.sops.yaml
@ -12,20 +12,20 @@ sops:
        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTENnd2J2VXFoeHhWZE5Q
-            MEU2Mi9hM1p3SWpRbzZNY2Zja2tFN0ZVTkVRCnVIckx3Qlo5c3M0alJPVjZaa1Y3
-            RW5mamV6bmdIZ2pJZzB5KzBLTGtuUlEKLS0tIFFtT2JmZDI5V0RsL0ZxenlpWGlr
-            dmdiRmlxMWdmTmZUUTM1alRrMGdzYTAKbViJnEFIO3dpHYWyJxqXRkWqqpDCKV/L
-            jwNbatnwksT2RW6ecHUF6R/kL7YQJ5Vv3iTdCHfpcW7qRQvl0ZJEzQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSDNyUW9aSmVIcWdnSWFw
+            cWdwekVzQkdjcTVRVGRzWVpHT00vZHFjRVY4Ck1OREhEN3FMQXdrQ0pjUXR3ZllY
+            ekhpQVJCbnZCVUNBeGVscEZPTFFqQTQKLS0tIFVVaTdOa2dxbHVGSzUyblpneXd0
+            MUd4RGczTkIwRVZ6WVRQVFJSQ250SnMKhCjTAatvqkVBNcAE5lBERReKkFqlOfEG
+            UHzOOM+gJ6khu3Pe2+PAZbLMxkm4a+ZHruPRIl4qxzDSwQmlih1P3Q==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MTlnM2VyeDhPR0lkUGtB
-            d0hJSHdEYUptTjBySUhUYUpVOU00QWh5ams0CkJrYWRNMFZDRkZZUGFWbnlFcXdH
-            dzhwZGdNU1BYWnJLUFpodzBWcHJZV1UKLS0tICtiUVVqY0loQlpTYjUzRk5YR2Vo
-            RkVRSHQ2cVJRdWNpZzZCd2laL1R2NjgKhaY90NYGLTuYs4hJs1so24WFvFhquD4V
-            KwVKoyFdni0jWOaULvA0+xausV2Hx4C1xk7b4SsuT3YkDZdOT41gHA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UzgycnJEMTcrYXcxSXMy
+            VnViVFZSbVZVNnN0V3AwVXBtRW1CT2hvTDBNCkQ1MUtPRmYvWmtTRVBiWGtaMWxM
+            TTN3U3ZFMDRJZmtvQW5ONmsyNTlSWjgKLS0tIG1RRWI1aGpYR1hTUEd0K0JtYk5Z
+            TFdneXZpaVZKdUsrWnludHpCQW9Mc2cKElhSussywXB3XAEN5cE6QVqXpQsebMqF
+            t4CmpKyxzi+JSX1S5Jy2RgHCSHafW4WFeQTt9qseBKQOQPVdwGWVhQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-17T21:12:25Z"
    mac: ENC[AES256_GCM,data:m9TJL1G7D0l5f6ZIC6NfKvRDuHY1l0cp9hFbsFy9f2f/ixCRM2JFuAZ4muL6eyvZqAiGgB76u26hFU+yO/E3vtnAYSrLCk1JaRe3rajZIpu+Dwe4zht7ysJ/NeybWB7KzetS8BijDjp8YDHDcX35xwT8ScWBVqj/hjxls4JRe/c=,iv:Z3tRizJNpVHyErL2iFo6ALGO97IarZPiKzyBDPm7sQA=,tag:1sH+wHJoAHfsIju+OWMTHQ==,type:str]
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -22,11 +22,38 @@
    ./desktop.nix
  ];

+  options = {
+    pim.sopsKeys = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {};
+    };
+  };
+
  config = {
    time.timeZone = "Europe/Amsterdam";
    i18n.defaultLocale = "en_US.UTF-8";
    hardware.pulseaudio.enable = false;

+    deployment.keys =
+      lib.mapAttrs' (user: sopsFile: let
+        homeDirectory =
+          if user == "root"
+          then "/root"
+          else "/home/${user}";
+        maybeSudo = lib.optional (user == "root") "sudo";
+        sops = lib.getExe pkgs.sops;
+      in {
+        name = "${user}-sops-age-key";
+        value = {
+          keyCommand = maybeSudo ++ [sops "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];
+          name = "keys.txt";
+          destDir = "${homeDirectory}/.config/sops/age";
+          inherit user;
+          group = "users";
+        };
+      })
+      config.pim.sopsKeys;
+
    systemd = {
      services.NetworkManager-wait-online.enable = lib.mkForce false;
      network.wait-online.enable = lib.mkForce false;