From d53e395d4216972906c6ef25ba8870180c0d9fbf Mon Sep 17 00:00:00 2001
From: Jan-Bulthuis
Date: Fri, 30 May 2025 13:56:50 +0200
Subject: [PATCH] Added a module for SOPS

---
 modules/home/utilities/secrets.nix | 39 ++++++++++++++++++++++++++++++
 modules/nixos/secrets.nix | 39 ++++++++++++++++++++++++++++++
 profiles/nixos/base.nix | 1 -
 profiles/nixos/vm.nix | 8 +++++-
 4 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 modules/home/utilities/secrets.nix
 create mode 100644 modules/nixos/secrets.nix

diff --git a/modules/home/utilities/secrets.nix b/modules/home/utilities/secrets.nix
new file mode 100644
index 0000000..d9cddc1
--- /dev/null
+++ b/modules/home/utilities/secrets.nix
@@ -0,0 +1,39 @@
+{
+ inputs,
+ lib,
+ config,
+ ...
+}:
+
+with lib;
+let
+ cfg = config.modules.secrets;
+ secrets = inputs.secrets;
+in
+{
+ options.modules.secrets = {
+ enable = mkEnableOption "secrets";
+ defaultFile = mkOption {
+ type = types.str;
+ default = "${secrets}/secrets/common.enc.yaml";
+ description = ''
+ The default file to use for SOPS.
+ '';
+ };
+ secrets = mkOption {
+ type = types.attrs;
+ default = { };
+ description = ''
+ All secrets that should be made available.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # Set up SOPS
+ sops.defaultSopsFile = cfg.defaultFile;
+ sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.config/sops/sops_ed25519_key" ];
+ sops.secrets = cfg.secrets;
+ modules.impermanence.directories = [ ".config/" ];
+ };
+}
diff --git a/modules/nixos/secrets.nix b/modules/nixos/secrets.nix
new file mode 100644
index 0000000..eb57763
--- /dev/null
+++ b/modules/nixos/secrets.nix
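Review bot: `modules.impermanence.directories = [ ".config/" ]` in the home module's config block persists the whole of `~/.config` to keep one key file, while the NixOS module in this same patch persists only `/etc/sops`. If `modules.impermanence.directories` behaves like its NixOS counterpart, this quietly exempts every application's configuration (and any tokens stored there) from the ephemeral root, which is far wider than the module's purpose warrants; `modules.impermanence.directories = [ ".config/sops" ];` limits it to the key's parent directory. Separately, the `secrets` option is declared as `types.attrs`, which merges definitions shallowly, so a later `modules.secrets.secrets` definition replaces an earlier one's entries instead of extending them; `type = types.attrsOf types.attrs;` keeps per-secret merging. The same `types.attrs` point applies to `modules/nixos/secrets.nix` below.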
@@ -0,0 +1,39 @@
+{
+ inputs,
+ lib,
+ config,
+ ...
+}:
+
+with lib;
+let
+ cfg = config.modules.secrets;
+ secrets = inputs.secrets;
+in
+{
+ options.modules.secrets = {
+ enable = mkEnableOption "secrets";
+ defaultFile = mkOption {
+ type = types.str;
+ default = "${secrets}/secrets/common.enc.yaml";
+ description = ''
+ The default file to use for SOPS.
+ '';
+ };
+ secrets = mkOption {
+ type = types.attrs;
+ default = { };
+ description = ''
+ All secrets that should be made available.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # Set up SOPS
+ sops.defaultSopsFile = cfg.defaultFile;
+ sops.age.sshKeyPaths = [ "/etc/sops/sops_ed25519_key" ];
+ sops.secrets = cfg.secrets;
+ modules.impermanence.directories = [ "/etc/sops" ];
+ };
+}
diff --git a/profiles/nixos/base.nix b/profiles/nixos/base.nix
index 980b894..915001a 100644
--- a/profiles/nixos/base.nix
+++ b/profiles/nixos/base.nix
@@ -1,5 +1,4 @@
 {
- mkModule,
 pkgs,
 lib,
 config,
diff --git a/profiles/nixos/vm.nix b/profiles/nixos/vm.nix
index 8f51fae..6b07d98 100644
--- a/profiles/nixos/vm.nix
+++ b/profiles/nixos/vm.nix
@@ -1,5 +1,4 @@
 {
- mkModule,
 pkgs,
 lib,
 config,
@@ -30,6 +29,13 @@ in
 zfs rollback -r tank/root@blank
 '';
 };
+ secrets = {
+ enable = true;
+ secrets = {
+ "ssh-keys/deploy/private-key" = { };
+ "ssh-keys/deploy/public-key" = { };
+ };
+ };
 ssh.enable = true;
 };
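Review bot: `sops.age.sshKeyPaths = [ "/etc/sops/sops_ed25519_key" ]` in the NixOS module points sops-nix at a key that nothing in this module creates, checks or documents, so a fresh host (or one whose `/etc/sops` has not yet been persisted) presumably fails at activation with a decryption error rather than a clear message about the missing key. A comment above that line would spare the next person the diagnosis: `# Host decryption key; provisioned out-of-band before first activation, sops-nix only reads it.` The `defaultFile` description says only "The default file to use for SOPS"; it is worth adding that the file must be SOPS-encrypted with this host's key among its recipients, since that is the precondition the module silently relies on. The option is also declared `types.str` although its value is consumed as a path; `type = types.path;` lets the module system validate it at evaluation time.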