From 097078172e88a91506e60a57ad3e22c145de1142 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elias=20Schr=C3=B6ter?=
Date: Tue, 24 Mar 2026 18:57:04 +0100
Subject: [PATCH] sops homemanager

---
 .sops.yaml                  |  7 +++++++
 configuration.nix           |  5 +++--
 flake.nix                   |  5 +++++
 home/default.nix            |  1 +
 home/extras/sops-HM.nix     |  9 +++++++++
 home/extras/sops.nix        | 10 ++++++++++
 home/programs/git.nix       | 13 +++++++++----
 home/programs/zsh.nix       |  5 +++++
 home/services/ssh-agent.nix |  3 +--
 secrets/secrets.yaml        | 20 ++++++++++++++++++++
 10 files changed, 70 insertions(+), 8 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 home/extras/sops-HM.nix
 create mode 100644 home/extras/sops.nix
 create mode 100644 secrets/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..8699302
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+  - &host age1ammls20r5t3dx4cvhpt8n5dejxcpdmpqt37sa9r9fuztd8c43g4sz889zd
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+      - age:
+          - *host
diff --git a/configuration.nix b/configuration.nix
index 45dd9c9..ae2dd2c 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 let
   images = pkgs.callPackage ./home/themes/images.nix { };
@@ -8,6 +8,7 @@ in
   imports = [
     ./builds/steam/default.nix
     ./home/extras/printer.nix
+    ./home/extras/sops.nix
   ];
 
   # ── Use the systemd-boot EFI boot loader. ─────────────────────────────
@@ -98,7 +99,7 @@ in
         "render"
         "adbusers"
       ];
-      hashedPassword = "$6$pdAJt1f0v7Zb13Ri$1WpKrErAp5JCb7eXs7EeeWYRMBLu5/WKDdMyGzJyYQDijG2NiywUXpAkl/8p1noxOOqYbb.MTw7JmTzhWGsT21";
+      hashedPassword = config.sops.secrets.user_password.path;
     };
   };
 
diff --git a/flake.nix b/flake.nix
index 6e94d60..e4df975 100644
--- a/flake.nix
+++ b/flake.nix
@@ -69,6 +69,9 @@
           ./home/default-laptop.nix
           catppuccin.homeModules.catppuccin
         ];
+        sharedModules = [
+          inputs.sops-nix.homeManagerModules.sops
+        ];
       };
       nixpkgs.overlays = [
         # (import ./overlays/river-status.nix)
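Review bot: The creation rule in `.sops.yaml` names a single age recipient, the host key, so losing `/etc/sops/keys.txt` makes `secrets/secrets.yaml` unrecoverable, and every consumer — including the unprivileged home-manager side this commit adds — has to read that one private key. Add at least one more recipient: an admin/backup key kept off the host, and a per-user key for the home-manager secrets, e.g. `- &admin age1…` and `- &elias age1…` under `keys:` with matching `- *admin` / `- *elias` entries under `- age:`. After editing the rule, re-encrypt with `sops updatekeys secrets/secrets.yaml` so the new recipients are actually written into the file's `sops.age` stanza.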
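Review bot: `./home/extras/sops.nix` sets `sops.*` options that only exist once the NixOS-side module `sops-nix.nixosModules.sops` is imported, and that import appears nowhere in this diff — the `flake.nix` hunks only add the home-manager module. If it is already imported outside the diff this is fine; otherwise evaluation fails with an undefined `sops` option and the import belongs next to this line or in the host's `modules` list. The file also lives under `home/` although it is a NixOS module, which invites confusion with `sops-HM.nix`; a header comment such as `# NixOS-side sops-nix settings; the home-manager side lives in sops-HM.nix` (or moving it out of `home/`) would make the split explicit.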
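Review bot: `hashedPassword` expects the crypt hash string itself, but the new line assigns `config.sops.secrets.user_password.path`, so the account's shadow entry becomes a filesystem path string rather than a hash and the old password no longer matches anything — the account is effectively locked. The option that reads the hash from a file at activation, and the reason `neededForUsers = true` is set in `sops.nix`, is `hashedPasswordFile = config.sops.secrets.user_password.path;`. Note that the removed hash stays in git history after this commit; if the repository is or becomes public, changing the password so that hash no longer matches is worth considering.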
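Review bot: This hunk references the module as `inputs.sops-nix.homeManagerModules.sops` while the two later hunks in the same file use `sops-nix.homeManagerModules.sops`; unless both `inputs` and a destructured `sops-nix` are in scope in the outputs function (not shown in the diff), only one spelling evaluates. Pick one form for all three hosts — `inputs.sops-nix.homeManagerModules.sops` works regardless of how the outputs arguments are destructured. The laptop gets the module through `sharedModules` while the desktop hosts add it to `users.elias.imports`; using `sharedModules` in all three places keeps the blocks parallel. The `inputs` block that would declare `sops-nix.url` is outside these hunks, so I cannot tell whether the input itself was added.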
@@ -95,6 +98,7 @@
           users.elias.imports = [
             ./home/default-desktop.nix
             catppuccin.homeModules.catppuccin
+            sops-nix.homeManagerModules.sops
           ];
         };
       nixpkgs.overlays = [
@@ -120,6 +124,7 @@
           users.elias.imports = [
             ./home/default-desktop.nix
             catppuccin.homeModules.catppuccin
+            sops-nix.homeManagerModules.sops
           ];
         };
       nixpkgs.overlays = [
diff --git a/home/default.nix b/home/default.nix
index 1b6cfb1..225fb58 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -48,6 +48,7 @@
 
     # sops
     sops
+    age
   ];
 
   stateVersion = "23.11";
diff --git a/home/extras/sops-HM.nix b/home/extras/sops-HM.nix
new file mode 100644
index 0000000..480cb89
--- /dev/null
+++ b/home/extras/sops-HM.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = "./secrets/secrets.yaml";
+    defaultSopsFormat = "yaml";
+    age.keyFile = "/etc/sops/keys.txt";
+  };
+}
diff --git a/home/extras/sops.nix b/home/extras/sops.nix
new file mode 100644
index 0000000..9daabd6
--- /dev/null
+++ b/home/extras/sops.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+  sops = {
+    defaultSopsFile = "./secrets/secrets.yaml";
+    defaultSopsFormat = "yaml";
+    age.keyFile = "/etc/sops/keys.txt";
+    secrets.user_password.neededForUsers = true;
+  };
+}
diff --git a/home/programs/git.nix b/home/programs/git.nix
index cb56a51..00afcae 100644
--- a/home/programs/git.nix
+++ b/home/programs/git.nix
@@ -1,4 +1,9 @@
-{ lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
   home.packages = with pkgs; [
@@ -15,12 +20,12 @@
       defaultBranch = "main";
     };
     user = {
-      email = "elias.schroeter@e.email";
-      name = "Elias Schröter";
+      email = config.sops.secrets.git.email.path;
+      name = config.sops.secrets.git.name.path;
     };
   };
   signing = {
-    key = "04F3A2ED4B33F254";
+    key = config.sops.secrets.git.signingkey.path;
     format = lib.mkForce "openpgp";
     signByDefault = true;
   };
diff --git a/home/programs/zsh.nix b/home/programs/zsh.nix
index b1d6141..737aa3e 100644
--- a/home/programs/zsh.nix
+++ b/home/programs/zsh.nix
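Review bot: `defaultSopsFile = "./secrets/secrets.yaml"` is a string, not a Nix path, so the encrypted file is never copied into the store and `./secrets/…` would be resolved against whatever directory the activation script runs in; relative to this file the correct path literal is `../../secrets/secrets.yaml` (if `validateSopsFiles` is left at its default, sops-nix should already reject the string form at build time). The module declares no `sops.secrets`, yet `git.nix` reads `config.sops.secrets.git.*`, and nothing in this diff imports `sops-HM.nix` at all — it may be imported from a file outside the diff. `age.keyFile = "/etc/sops/keys.txt"` also ties the user session to the root-owned host key that unlocks the system password hash; home-manager should use its own key, listed as a separate recipient in `.sops.yaml`. Nested YAML keys are addressed with `/` in sops-nix, which is what the secret declarations below use.

```nix
{ config, ... }:

{
  sops = {
    defaultSopsFile = ../../secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    # Per-user key (the sops CLI's default key location); its public half must
    # be a recipient in .sops.yaml, separate from the host key in /etc/sops.
    age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
    # Nested keys in secrets.yaml are referenced as "parent/child".
    secrets = {
      "git/email" = { };
      "git/name" = { };
      "git/signingkey" = { };
    };
  };
}
```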
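Review bot: Same path problem as in `sops-HM.nix`: `defaultSopsFile` is a string rather than a path, and relative to `home/extras/` the file is two levels up, so the line should be `defaultSopsFile = ../../secrets/secrets.yaml;`. The `config` argument is declared but never used in this module. On the NixOS side the usual decryption key is the host SSH key (`age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`), which avoids managing a second long-lived private key; if `/etc/sops/keys.txt` is kept, it should be root-owned and mode 0600, and then not also be handed to the user shell as the `zsh.nix` hunk in this commit does.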
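Review bot: `config.sops.secrets.git.email.path` is the path of the decrypted file, not its content — Nix cannot read sops secrets at evaluation time by design — so even if it evaluated, `user.email` would be set to a filesystem path, and `user.name` and `signing.key` likewise. As the diff stands it will not evaluate at all: no `sops.secrets` entry named `git` is declared anywhere, and nested YAML keys are addressed as `"git/email"` in sops-nix rather than `git.email`. Values git must read at run time have to reach it through a file git itself includes: render the three keys into a gitconfig snippet with `sops.templates` (if the sops-nix version in use provides it in the home-manager module; otherwise store one gitconfig snippet as a single secret) and point `programs.git.includes` at its path, leaving `signing.key` unset so the included `user.signingkey` applies. Note also that the previous values — a name, an e-mail and a public GPG key ID — were not secrets and remain in history, so encrypting them adds moving parts without hiding anything.

```nix
  # Rendered at activation from the three encrypted values; git reads it at run time.
  sops.templates."git-user.conf".content = ''
    [user]
    	email = ${config.sops.placeholder."git/email"}
    	name = ${config.sops.placeholder."git/name"}
    	signingkey = ${config.sops.placeholder."git/signingkey"}
  '';
  programs.git = {
    # … unchanged: enable, extraConfig.init …
    includes = [ { path = config.sops.templates."git-user.conf".path; } ];
    signing = {
      # key intentionally unset: user.signingkey comes from the included file
      format = lib.mkForce "openpgp";
      signByDefault = true;
    };
  };
```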
@@ -13,12 +13,17 @@
     enable = true;
     dotDir = "${config.xdg.configHome}/zsh";
     shellAliases = {
+      encryptSops = "sops --age age1ammls20r5t3dx4cvhpt8n5dejxcpdmpqt37sa9r9fuztd8c43g4sz889zd -e -i secrets/secrets.yaml";
       update = "sudo nixos-rebuild switch";
       conWG = "ssh elias@logout.nonagon.dev -p 6969";
       conWS = "ssh elias@192.168.31.200";
       setupPC = "wlr-randr --output HDMI-A-2 --on --mode 1920x1080 --pos 0,0;wlr-randr --output DVI-D-1 --on --mode 1920x1080 --pos 1920,0;wlr-randr --output DP-2 --on --mode 1920x1080 --pos 3840,0 --primary";
     };
     autosuggestion.enable = true;
+    localVariables = {
+      EDITOR = "nvim";
+      SOPS_AGE_KEY_FILE = "/etc/sops/keys.txt";
+    };
     enableCompletion = true;
     enableVteIntegration = true;
     history = {
diff --git a/home/services/ssh-agent.nix b/home/services/ssh-agent.nix
index ef3841e..044c963 100644
--- a/home/services/ssh-agent.nix
+++ b/home/services/ssh-agent.nix
@@ -1,6 +1,5 @@
 { ... }:
 
 {
-  services.ssh-agent.enable = true;
+  services.ssh-agent.enable = false;
 }
-
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..dc2f5cc
--- /dev/null
+++ b/secrets/secrets.yaml
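Review bot: `SOPS_AGE_KEY_FILE = "/etc/sops/keys.txt"` points the interactive shell at the host's age private key, which only works if that file is readable by the user — and then the key that protects the system password hash is readable by every process in the session. Point the shell at a per-user key instead, `SOPS_AGE_KEY_FILE = "${config.xdg.configHome}/sops/age/keys.txt";` (`config` is already in scope here, see `dotDir`), and add that key as a recipient in `.sops.yaml`. The `encryptSops` alias hard-codes the recipient that `.sops.yaml` already selects via `path_regex`, and `sops -e -i` refuses a file that already carries sops metadata, so for day-to-day use `encryptSops = "sops secrets/secrets.yaml";` (decrypt-edit-reencrypt) plus `sops updatekeys secrets/secrets.yaml` after a recipient change is what actually works.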
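Review bot: The agent is switched off without a comment, and the commit message ("sops homemanager") does not explain it, while the `conWG`/`conWS` aliases in `zsh.nix` still depend on ssh, so a reader is left guessing what now serves the keys. If gpg-agent with SSH support is taking over — plausible given the `openpgp` signing setup, but not visible in this diff — say so on the line: `# disabled: gpg-agent (enableSshSupport) provides the SSH agent socket`. If `false` is the module's default, deleting the file is cleaner than keeping one whose only remaining effect is a no-op.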
@@ -0,0 +1,20 @@
+user_password: ENC[AES256_GCM,data:+y3eoDmYNSRA5b/ywkZdJ6ai4DbU19LKIk0EbvRt9qXyfswr5fhGEgHPa+vpdbSCEaUukcW1Ch1JcLpDV/EhiI+gErjxl4iB44ul1naUT+yVqZ00Q2s9OCjI9VpWH+fVcRpJpYdOGFsztg==,iv:6t+pKJxT00kSCF6QdR319oKXXtCbKQdkXW5lDaJotBE=,tag:DO8XyiwdGrg2wpRObo7law==,type:str]
+git:
+    email: ENC[AES256_GCM,data:kYE+lvW+oEUdC4ZDW402NmMJMSQO/kM=,iv:ZoOnRzpRRiWRQMWNF1ZG1cHdA2p7QZZ+GwPEKxopF8s=,tag:cQ+oD/WxQEM+NQ97fvjvpA==,type:str]
+    name: ENC[AES256_GCM,data:7wUAFW1wi3ToC3jZqUlw,iv:gSjo4uAEyznh805vpl8foQuV59ym0v5o0fANTb+YN0A=,tag:DXaZFwlYHQf4G1rJRC+uqA==,type:str]
+    signingkey: ENC[AES256_GCM,data:E8p3Y0Tzr1SnxAimkg5ktQ==,iv:eLdSOFB1m82dFYY+FG9BFuhOnWokVrKbfC+skT9umB4=,tag:Zb6OxpR6E6DwLQO0AN6T1A==,type:str]
+sops:
+    age:
+        - recipient: age1ammls20r5t3dx4cvhpt8n5dejxcpdmpqt37sa9r9fuztd8c43g4sz889zd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmOVE0cDNvSElzcEZhVlc3
+            NDY0OGRmd1FSMTFFblhOOTQwcmxJU0pnenkwCnFaMUtvWDFSeHhOYVd4MG9ZVDhH
+            Ym52c0FqQnVTR1B6TzJhdW9ZMmRTYm8KLS0tIDdaN08vS2NnRkV5dnVDUEFEaXZZ
+            WWc2ZXl4Mmpjck1JTXYvbTB2bzFnRmMKU7tLqqHSPpmwQluuxQ3UIhrGARneQc9+
+            8hJ4b8/KH9PczWlSqwhx1nOO+/e4ZNDjd6635CQlWWghBI3p/UjhqA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-23T10:14:56Z"
+    mac: ENC[AES256_GCM,data:JlqAMVVW4kaIlf2m9SasUW9n2DSvLNaZU00X6BUNtnYUA8bHJWpx4cg4A93Bo9n/EsR13Onw8JvAiDVE3GyILBe9OzpN2avNOvuR+/FVFBhJ8UMJwQcfd9VOcAwibCLZb8esw/bgvdNpy5sDJYGIr+DA2Io3kex19xMAFLBEZZg=,iv:XhUh3Z6Omzy5fu0JDikxYrUdvLEAsJZG1FIglKSDZP4=,tag:54SJxkShXCA+WZinjCXKsA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1