From b0a106b332e0260671c708e8af4a4398b94d8908 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 17 Nov 2024 22:50:00 +0100
Subject: [PATCH] Deploy sops keys for gamepc

---
 .sops.yaml | 17 +++++++++++-
 colmena.nix | 33 +++++++++++++++++++++--
 machines/gamepc/home.sops.yaml | 48 +++++++++++++++++++++++++++++++++
 machines/gamepc/nixos.sops.yaml | 39 +++++++++++++++++++++++++++
 4 files changed, 134 insertions(+), 3 deletions(-)
 create mode 100644 machines/gamepc/home.sops.yaml
 create mode 100644 machines/gamepc/nixos.sops.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 6412a23..791d154 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,9 @@
 # Public keys are combination of host + user
 keys:
- - &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
  - &sue_root age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+ - &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+ - &gamepc_root age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
+ - &gamepc_pim age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
 
 creation_rules:
  - path_regex: machines/sue/nixos.sops.yaml
@@ -13,3 +15,16 @@ creation_rules:
  - age:
  - *sue_pim
  - *sue_root
+ - path_regex: machines/gamepc/nixos.sops.yaml
+ key_groups:
+ - age:
+ - *sue_pim
+ - *sue_root
+ - *gamepc_root
+ - path_regex: machines/gamepc/home.sops.yaml
+ key_groups:
+ - age:
+ - *sue_pim
+ - *sue_root
+ - *gamepc_root
+ - *gamepc_pim
diff --git a/colmena.nix b/colmena.nix
index 71ad8b5..1e196d7 100644
--- a/colmena.nix
+++ b/colmena.nix
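Review bot: The two new `path_regex` values in the second hunk are unanchored regular expressions with unescaped dots, so sops matches them as substrings and `.` matches any character; since the first matching creation rule wins, pin them down: `- path_regex: ^machines/gamepc/nixos\.sops\.yaml$` and `- path_regex: ^machines/gamepc/home\.sops\.yaml$`. The existing sue rules above the hunk have the same shape, so anchoring all four together keeps the file consistent. The intended effect in this repository layout is presumably unchanged either way; the anchoring only guards against a future file whose path happens to contain one of these names.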
@@ -15,19 +15,26 @@ inputs @ { }; sue = { + pkgs, + lib, + ... + }: let + sops = lib.getExe pkgs.sops; + in { deployment = { allowLocalDeployment = true; targetHost = null; keys = { + # TODO: Create macro for this root-sops-age-key = { - keyCommand = ["sudo" "nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/nixos.sops.yaml"]; + keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/nixos.sops.yaml"]; name = "keys.txt"; destDir = "/root/.config/sops/age"; }; pim-sops-age-key = { - keyCommand = ["sudo" "nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/home.sops.yaml"]; + keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/home.sops.yaml"]; name = "keys.txt"; destDir = "/home/pim/.config/sops/age"; user = "pim"; @@ -43,9 +50,31 @@ inputs @ { }; gamepc = { + pkgs, + lib, + ... + }: let + sops = lib.getExe pkgs.sops; + in { deployment = { targetHost = "gamepc"; targetUser = "root"; + + keys = { + root-sops-age-key = { + keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/gamepc/nixos.sops.yaml"]; + name = "keys.txt"; + destDir = "/root/.config/sops/age"; + }; + + pim-sops-age-key = { + keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/gamepc/home.sops.yaml"]; + name = "keys.txt"; + destDir = "/home/pim/.config/sops/age"; + user = "pim"; + group = "users"; + }; + }; }; imports = [ diff --git a/machines/gamepc/home.sops.yaml b/machines/gamepc/home.sops.yaml new file mode 100644 index 0000000..f8d7b6e --- /dev/null +++ b/machines/gamepc/home.sops.yaml 
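Review bot: The `# TODO: Create macro for this` comment marks a duplication that can be closed in this same change: the two `keyCommand`/`name` pairs here, and the two added for `gamepc` in the next hunk, differ only in the sops file path and the destination fields. A small function in each node's `let`, next to `sops`, keeps a single copy of the `sudo sops --extract` invocation so the extract path `[\"sops_age_key\"]` and the `keys.txt` name cannot drift between entries. The `sue` attribute set continues past the end of the hunk, so only the key entries are shown below and the closing braces are left as the hunk leaves them.

```nix
  sue = {
    pkgs,
    lib,
    ...
  }: let
    sops = lib.getExe pkgs.sops;
    # One age key extracted from a sops file under ${self}; callers add destDir/user/group.
    sopsAgeKey = file: {
      keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/${file}"];
      name = "keys.txt";
    };
  in {
    deployment = {
      # … unchanged: allowLocalDeployment, targetHost …
      keys = {
        root-sops-age-key = sopsAgeKey "machines/sue/nixos.sops.yaml" // {
          destDir = "/root/.config/sops/age";
        };
        pim-sops-age-key = sopsAgeKey "machines/sue/home.sops.yaml" // {
          destDir = "/home/pim/.config/sops/age";
          user = "pim";
          # … unchanged: rest of pim-sops-age-key …
```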
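Review bot: In the `gamepc` node, `sops = lib.getExe pkgs.sops` resolves a store path from gamepc's own package set, but colmena executes `keyCommand` on the deploying machine, so that exact `/nix/store/…/bin/sops` path must already be built there (and be for the deployer's platform) when the keys are pushed. Nothing in this hunk realises that derivation locally — the path is only a string inside the command list — so the first `colmena apply` from a deployer that has not built this sops closure would presumably fail at key upload; worth confirming against how colmena treats string context in `keyCommand`. For `sue` the same construction is harmless because it deploys locally (`allowLocalDeployment = true`) with its own `pkgs`. If it turns out to be a problem, resolving `sops` from the deployer's package set rather than the target's keeps key decryption independent of the target closure. The `gamepc` attribute set continues past the hunk (`imports = [`).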
@@ -0,0 +1,48 @@
+sops_age_key: ENC[AES256_GCM,data:acf7kA1ceRLqw0TYPFzkNAMLz0TbNTFBN8MtsYX2y0+xuyFX0oJzIZAMTP7fjVBEcuPE55ewoXjXpP18iDwRUDT4f9Y1dorQD/g=,iv:vx4Inly+Vg8pENlBvijTv2hgTJTFLAfp+f4Nn2leO3A=,tag:i+KXl1V4OxqDnjK62ijBbQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTTAxNUVSS1BRUTlYc2xm
+ TFFHRkVHZkwvMS9xOE9GY1BHaXorTHpNWkdJCmlKVzdvb21VYUpwcUZ0SExKbTRj
+ MkpPcG4rd2I2ZWlsc0VvVDNxNm82TjgKLS0tIDdCNXlMYklNc0EyMmpST1JFSTVy
+ aW04VUpta2JMKzlRSmVHeUg1ejNrdW8KGsBSzeMkHE2y2TfzTTBdJJ73IankxnR0
+ dfZmtQyxejH4W1+v2wGTOc9EZ8R4dJX1ZdqncshWJWl2Uq36YMjuZg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOGUvQ3VWRnBsZ0syTXFh
+ Nm5TUC8vYkMvdDZ0SjErMjZwOHUrVy9vT1RvCndMa1V4bTJMKy9qMjY3M2FaWWMw
+ d2RrVDY2UWNLRjVQNTRMdU96TEFmNmMKLS0tIFFTbmhzS3UrS2crTGxlSmczcGUz
+ QlZQa0R5NHBLMzdVcC9WeEtBUm1tbVUK07gb5E1YyN5Sck1DWeUHQ8oB4CQOFaES
+ AJ8F+IrGdJ+0nsvm8d9VJ9UiluO74egettQPGDgEt4wdqFnHucmYzA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDS1dkMUFiSlc2ZzVzRWts
+ ZGxIejgwZkd2NHd1elhGL1p5ZDF0OWpuRkV3ClpNRkhuQ2dNazh3dG9lSUVCVTBz
+ RU9yaFhTc1dmMVg3bUlhMXNLU1RDTncKLS0tIHdVNUxTOEh2Mmk0eHFFNnQ5dU1l
+ S1pXZDVDbm5Za3dPUWR2SnlGekNuYkkKHvcAOL6khPmcAQYj+15lVHepLUnFQdAp
+ UyhJ12OohAuqfFTG6QxytdA1u648IaAZyj5qcm7z2bpV/F7Oy7i8WQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWS9IeFVBVEVqcWZBNDlz
+ QUpGSGs2Q01CVXZmQ3N0VCtFNW5RT0JTaG5nCnJFQzg0Z2VHN25GYlRXVllYRDd2
+ bFZ4L202cjRyWlpLbUxMTDJyaTQ4ajgKLS0tIGF2UUY5MVFsbG1RL3drbERKeFd2
+ dnhVMXBnYjlxWWxYcm03N094a0cxWm8KDsLFtfF8ZVels+3Dnb8x6DuUBmckRkhe
+ t3PWOci4IzNbMBCnrUCDrBPPi6Lm/k+gp0i/U1hvPyHvbPujztT/RQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-17T21:42:43Z"
+ mac: ENC[AES256_GCM,data:0qHov3SY7SM0+kp4HqPi/AxnI2k2oDDmRkqFTEsqe7pJ793ldu/io027GOlmg9ZHs+aZflSl6tzMKXWAb0FR3ZCUi4pap5ZLANTYbnHN+X5/dhxoUwCwJxdhyFYntmfaFjxhPiPbhRfs/CGDhij8KyQASA/G1C2rFdH7xCYJIOA=,iv:AjnOkA9/d5+/X1Z0+if/jUBBnqFnK9by58C99VghI9I=,tag:u6EDtD2NK6dvFs6FIbur1Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/machines/gamepc/nixos.sops.yaml b/machines/gamepc/nixos.sops.yaml
new file mode 100644
index 0000000..931f2ec
--- /dev/null
+++ b/machines/gamepc/nixos.sops.yaml
@@ -0,0 +1,39 @@
+sops_age_key: ENC[AES256_GCM,data:v0/grOgffNcl1IbfdHr7uzbwvIL1CpfvSSFnuQS1ZEkuuE2Bfbvl8G0i6dHQSnFBtNJXkgAajCdapUlRcaX60EuXToKB14nHP1A=,iv:ZruuYlZJszgmztMXqya7InCLlyihS59QJCoSk685q34=,tag:bN3NZsWeg12GfUTjubb4Ug==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTFlYWjZSQkZPczV2cllX
+ a3RBL3FSbHZGaW5vUFdKVTdSNUJmSEQwdlc4ClBScDZBVk1qYTc4UzFpc3k4Z3N6
+ VzkwYXVBWVFCYUFqSHAyZjhUck8xY0kKLS0tIDdQdENRaDVKVTRUQ0dLWUNUL0tk
+ cjJMNG9vU1N4V2dqZWZjN21OMFJUZTAKzunMmG+NR2sFbVsl8qzdv1HEg4Ph5TFw
+ oIr5WWQ6RTzXTy6CwlTucnok/jwZHUloCTUeXECcSJUadeKE6MZyLA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWG0remtrVHloU25PNFVw
+ eWxMZ3pmUG1YSFVZZ0MzNEFweTJNbDVSUUQ0CklBT1NheGtmZDZkMUo4RTlHM0ow
+ TTdITzVJbFFQcGNLM0xxUS91K056VTAKLS0tIEpWOTZJQjN2REV0RTB5YWpjWDZa
+ UUxiazdLa1ZZbTcraWsvYTBsTUNQbmcKKkQnPOkD3vifcQpwzgP9wvNaYtuUZpLE
+ mbILfB24Ox7dmLmI9ONVDIMM12HfE2lx4cj/xndk0//izPVZgrBTdQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDFMS293SUZqTXZtZlRT
+ Q0JHWmZrSHZVZmlPeUFDRG8wakdSWDF2b3pRCm83NFV1STlqQXdQMTR0Vm52ZEgy
+ eVlROWt0ZDE0TW1reElGQnplUENZclEKLS0tIG9ITTZiSEE4cDNxdnBQRW5tVFJk
+ bU9rLzRjVzBObkxocGp4UEJYMGVnckkKDQhr3qLLDrQkXa1Ei9c43irQh3suRNCK
+ mZPtRJc+kaUmhmF8HxVAHG4S4a5sN6sBHBFGbIGXtQzBajQreg/pYQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-17T21:42:29Z"
+ mac: ENC[AES256_GCM,data:dFwV6VpyoXRkhfL+uSiiH2EcetAb0qV3AbED2XzNwvbE+TbItcoQ6JQ/2+lItZ4iULxGOxMvD8n0ZO/aASC8fDlqsNMwf2KmNFwjl4sVJBtTLKH4Z1/5rZmECwdiTMKOf/oTv3VNgbzkcrAuKEZywl+c4iXd5w4YaJgA0M6aSWI=,iv:Zxvr8vBcDZavSbAL8Ar+Du546H1Dhp/ZXRtsjcik2RE=,tag:Od08FmjlhNYPEpMC4rQR8A==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1