From ade7bdd89215a02e69e2f7f8b752d7d91441f908 Mon Sep 17 00:00:00 2001
From: Corwin Perren
Date: Sat, 13 Dec 2025 02:36:20 -0800
Subject: [PATCH] Add default.yaml for sops and set as such
---
.sops.yaml | 21 ++++++++++++++++++---
modules/system/security.nix | 5 +++++
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 7ecb3e8..d0a79f3 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -16,12 +16,27 @@ keys:
 - &cap_clust_08 age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r
 - &cap_clust_09 age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp
 creation_rules:
+ - path_regex: secrets/default.yaml
+ key_groups:
+ - age:
+ - *caperren
+ - *cap_slim7
+ - *cap_nr200p
+ - *cap_clust_01
+ - *cap_clust_02
+ - *cap_clust_03
+ - *cap_clust_04
+ - *cap_clust_05
+ - *cap_clust_06
+ - *cap_clust_07
+ - *cap_clust_08
+ - *cap_clust_09
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
- - *caperren
- - *cap_slim7
- - *cap_nr200p
+ - *caperren
+ - *cap_slim7
+ - *cap_nr200p
 - path_regex: secrets/cluster.yaml
 key_groups:
 - age:
diff --git a/modules/system/security.nix b/modules/system/security.nix
index 29f162f..a501dc2 100644
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -4,6 +4,11 @@
 sops
 age
 ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ defaultSopsFile = ../../secrets/default.yaml;
+ };
 security.sudo = {
 enable = true;
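Review bot: The new rule's `path_regex: secrets/default.yaml` is unanchored and leaves the dot unescaped, so it also matches longer paths that merely contain that string; because this rule carries the widest recipient list (all twelve keys) and sits first, I would tighten it to `path_regex: secrets/default\.yaml$`, in the style of the generic rule below it. sops selects the first matching rule, and in the context lines the generic `secrets/[^/]+\.(yaml|json|env|ini)$` rule still precedes `secrets/cluster.yaml`, so that later rule looks shadowed; its recipient list lies outside the hunk, so please confirm. Creation rules are only consulted when a file is created, and the diffstat lists no `secrets/default.yaml`, so if that file already exists it needs `sops updatekeys secrets/default.yaml` before the cluster recipients can decrypt it. Since every listed recipient can read whatever lands in this file, a comment above the rule would help, for example `# default.yaml is readable by all twelve recipients; keep host- or role-specific secrets in narrower files`.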