Merge pull request #24 from caperren/working-branch

Remove home-manager ssh config for now due to bad default permissions
Remove home-manager ssh config for now
2025-12-30 11:04:19 +00:00 · 2025-12-13 16:35:03 -08:00 · 2025-12-13 16:34:13 -08:00 · 2025-12-13 16:22:29 -08:00 · 2025-12-13 15:56:29 -08:00 · 2025-12-13 15:28:48 -08:00
11 changed files with 350 additions and 13 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,60 @@
+keys:
+  - &admin_users:
+    - &caperren       age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+  - &systems:
+    - &personal:
+      - &cap_slim7    age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d
+      - &cap_nr200p   age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390
+    - &cluster:
+      - &cap_clust_01 age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl
+      - &cap_clust_02 age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u
+      - &cap_clust_03 age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l
+      - &cap_clust_04 age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2
+      - &cap_clust_05 age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr
+      - &cap_clust_06 age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz
+      - &cap_clust_07 age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw
+      - &cap_clust_08 age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r
+      - &cap_clust_09 age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp
+creation_rules:
+  - path_regex: users/caperren/secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *caperren
+          - *cap_slim7
+          - *cap_nr200p
+  - path_regex: secrets/default.yaml$
+    key_groups:
+      - age:
+          - *caperren
+          - *cap_slim7
+          - *cap_nr200p
+          - *cap_clust_01
+          - *cap_clust_02
+          - *cap_clust_03
+          - *cap_clust_04
+          - *cap_clust_05
+          - *cap_clust_06
+          - *cap_clust_07
+          - *cap_clust_08
+          - *cap_clust_09
+  - path_regex: secrets/cluster.yaml$
+    key_groups:
+      - age:
+          - *caperren
+          - *cap_slim7
+          - *cap_nr200p
+          - *cap_clust_01
+          - *cap_clust_02
+          - *cap_clust_03
+          - *cap_clust_04
+          - *cap_clust_05
+          - *cap_clust_06
+          - *cap_clust_07
+          - *cap_clust_08
+          - *cap_clust_09
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *caperren
+          - *cap_slim7
+          - *cap_nr200p
--- a/flake.nix
+++ b/flake.nix
@@ -5,8 +5,13 @@
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";

+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
@@ -15,6 +20,7 @@
    {
      self,
      nixpkgs,
+      sops-nix,
      home-manager,
      nixos-hardware,
      ...
@@ -22,75 +28,92 @@
    {
      nixosConfigurations.cap-clust-01 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-clust-01/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
        ];
      };
      nixosConfigurations.cap-clust-02 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-clust-02/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
        ];
      };
      nixosConfigurations.cap-clust-03 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-clust-03/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
        ];
      };
      nixosConfigurations.cap-clust-04 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-clust-04/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
        ];
      };
      nixosConfigurations.cap-clust-05 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-clust-05/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
        ];
      };
      nixosConfigurations.cap-clust-06 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-clust-06/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
        ];
      };
      nixosConfigurations.cap-clust-07 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-clust-07/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
        ];
      };
      nixosConfigurations.cap-clust-08 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-clust-08/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
        ];
      };
      nixosConfigurations.cap-clust-09 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-clust-09/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
        ];
      };

      nixosConfigurations.cap-slim7 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
-        specialArgs = {
-          inherit inputs;
-        };
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-slim7/configuration.nix
+          sops-nix.nixosModules.sops
          inputs.home-manager.nixosModules.default
          nixos-hardware.nixosModules.lenovo-legion-16arha7
        ];
@@ -98,9 +121,11 @@

      nixosConfigurations.cap-nr200p = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
        modules = [
          ./hosts/cap-nr200p/configuration.nix
          inputs.home-manager.nixosModules.default
+          sops-nix.nixosModules.sops
        ];
      };
    };
--- a/hosts/cap-clust-01/configuration.nix
+++ b/hosts/cap-clust-01/configuration.nix
@@ -11,5 +11,7 @@
    ../../modules/application-groups/k3s-primary.nix
  ];

+#  sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
+
  networking.hostName = "cap-clust-01";
 }
--- a/hosts/cap-clust-03/configuration.nix
+++ b/hosts/cap-clust-03/configuration.nix
@@ -8,7 +8,7 @@
    ../../modules/host-groups/cluster.nix

    # Application Groups
-    ../../modules/application-groups/k3s-primary.nix
+    ../../modules/application-groups/k3s-secondary.nix
  ];

  networking.hostName = "cap-clust-03";
--- a/modules/application-groups/k3s-primary.nix
+++ b/modules/application-groups/k3s-primary.nix
@@ -1,9 +1,11 @@
 { config, pkgs, ... }:
 {
+  sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
+
  services.k3s = {
    enable = true;
    role = "server";
-    token = "forinitialtestingonly";
+    tokenFile = config.sops.secrets.k3s_token.path;
    clusterInit = true;
  };
 }
--- a/modules/application-groups/k3s-secondary.nix
+++ b/modules/application-groups/k3s-secondary.nix
@@ -1,9 +1,11 @@
 { config, pkgs, ... }:
 {
+  sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
+
  services.k3s = {
    enable = true;
    role = "server"; # Or "agent" for worker only nodes
-    token = "forinitialtestingonly";
+    tokenFile = config.sops.secrets.k3s_token.path;
    serverAddr = "https://cap-clust-01:6443";
  };
 }
--- a/modules/system/home-manager-settings.nix
+++ b/modules/system/home-manager-settings.nix
@@ -1,5 +1,11 @@
-{ config, pkgs, ... }:
+{ inputs, ... }:
 {
-    home-manager.useGlobalPkgs = true;
-    home-manager.backupFileExtension = "bkp";
-}
+  home-manager = {
+    useGlobalPkgs = true;
+    backupFileExtension = "bkp";
+    sharedModules = [
+      inputs.sops-nix.homeManagerModules.sops
+    ];
+  };
+
+}
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -1,5 +1,15 @@
 { pkgs, config, ... }:
 {
+  environment.systemPackages = with pkgs; [
+    sops
+    age
+  ];
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+    defaultSopsFile = ../../secrets/default.yaml;
+  };
+
  security.sudo = {
    enable = true;
    extraRules = [
--- a/secrets/cluster.yaml
+++ b/secrets/cluster.yaml
@@ -0,0 +1,115 @@
+k3s_token: ENC[AES256_GCM,data:UANQ7DzasppB8ZPtGY9wR9lhU+VpTjJE,iv:cvEiUt7zG4Joyd1gkaqi848ES7aPf7VoYc4zDwLKEDQ=,tag:j4EU/srhEL0+nQGhETuerA==,type:str]
+sops:
+    age:
+        - recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTWNzM0RMMXpDZnZHSEFz
+            U01jN1FPTFJ6YzBMQlhQMEpSZ0NTNCtteWk4CmhyU1ZTeE1wMzAxRWszS0NKeVpL
+            dmw3TGlvdG80TVVXUWVTYTVHMzcwajgKLS0tIFMraXVmTS9zSkFzRGZjZlhzR1lj
+            eDRubW5hWnQzdjVzRytWTW44Y2xoU2MKA2yvOK0DfKSj6U7094a9+4t7E6nFGD+5
+            p8XlMAkroS8RhdwBi//xn5I05/iJMKJikaeclvsNlvLV5b/GkCE3nw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5RzZSTFNPMkprTk00SjBv
+            WTdvcVFuU0hPZ2hteWsrOXp3TTlGdXBvb1FRCjlCbitacFJpV1l3YXMvU0xMMm5Q
+            TjJwR3JtQk9Rbmc1S2J5OVF0WXBRQ1EKLS0tIHBHdzFlN21FZHFoRjc3cHlSZ2FK
+            YnBOOU5Bejl6MjB6MDliZWpPeTdFRncKRXH8gKhKVcSxja+dhIrPBNeeV8rJatSJ
+            +ZlHQL3109Ya/V6Aq9AtEypmLld9Ech7AGMCePNLYvc6DYkDE9bJDA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2eFE4bWRPQitrVDN4Y21J
+            TUJyd214L1JMazNiUzJEb29FTmRORkJmR1QwCjIrVzZ5WllDbGNCd1c0Q09XVDFm
+            UjhudDNCZ1BWSmpmbHkvWjROMnpkb3cKLS0tIFhzdlpiTFRPMFM5Nm1DcVN3djVB
+            SWZtVWNvRVdweWVxZVlQL1k1QVdESXMKc6OdFAyEvxhf5xyBFfiZajgUkwlfMMMJ
+            4KqoZGTmh+4GTedJDAKClKce1TEQTKrf1ePP+5HhcSKOoPTolMh/Sw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUUt4ZCtrU2djKzRkN2h2
+            bHpVSk15M2lTVjRrTi9aVmpETjV3UUN6TWlrCk5rdytrYWoxTmJDQmJITVRMa0ZV
+            UGc3dzhsQlM3T29BenY4VlRqbmdvd2sKLS0tIE9HVmxBMnZOMnUvdFcyNGRjTm1o
+            V29UVXRKWUhERkYwZ0NsOUZna1ErcWsK3ya1FW0WPKrZ4gMVx9M1eAgj6lQiv++M
+            TSZmVJfUMyV1OATtg3MSDFqsppN/i7+aQAP2D0G1fzG30/1qYwCsHA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUVpUW5CTEFGUVlSeVJa
+            QVNpUE9uaFV0eWxyQjhjcUFXOTVqN1JwTm1vCmE5dmVuZnFpeWRXbnh4V0J6eHF2
+            R3l5ZFhTSitzSnFYbXEvbGoyY2R6WFEKLS0tIEwwWWcydmhPdW1wL083NVJncmF3
+            U3lPYm9EZFRUWVhualFNZHhVU1JlQzgKsc4y+hfdGB3WW+NpzvA0RH54Zc46j3zt
+            2Pak/SdxiMnHfF0cw9EP/xrGJ15IUUWvDmRu+om0fEMjg+OBOKLXXQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmamp3Uk40ZGRJQW1MUVJS
+            SUlabWx3Zkd1b0xLMFQ5Y3hUelk1RU1HYW5FCnQ4bG5qRnhQRnlmTm13WXdYUWg5
+            ZUVvRlRaN0NSSWhJV002N2pBL28yQXcKLS0tIEQ3bmJnUHNEUThvM2MvQUlDaUV3
+            ZXd2T1RmM0l4YzZKaGkrRXc4VXBRVnMKnCp42FU0vQOb9VN/+DbsmNHvZc8lH+Rh
+            skZvMvTHgpMWTdhHYFWub+CIXZfUrJfy/vSWBvDw6c81r4p1l+Jyfw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNHNsYjJoTlhRcUJ5UnZw
+            eU9tVW9zVW5XRFR2ZUNaKzlieUNmdDNCS1JFCjVJaGoxdFArU09GMXpYMVdZaVk0
+            TXpKUHo1cEdXZnpCNXpyRHJnYmRldWMKLS0tIFBnSktZWmp3M2NJbVAwTy94bnVx
+            YVlwaEZ0Z09aNFo0OCt1dUxpYzdiZEUKDHKAZYVC9ON48i9p5DZDopgm9afSg069
+            m3mq5d+aBZIrnSdwgIuvyPJH+L8clIUXcJ47QH9ML/4MsFk+d4xvpA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bm15TmhpRXg5V05qWmRn
+            UExicGhXZ0ZWNUxPTUM3OEV2U1JveGRUQ1RVCkpaMXZwVUxiT0pQRkFFSjBMRnFw
+            RnJJalBrSTR5V3IvUnU2a2hWSmM0ajAKLS0tIDJ6ZWpiVlBBdDBxWnhZT2lyRi81
+            dCtqV1ZwQVlHWFgvTkN4eTZmSG5XMzgKKAPm8crJXBvCAIgTCcpLBi74Fq/AT7Uo
+            SREKHWpC3pLtNyfgHuEhm3lCYmyZyxTsZFd/2ezAjqtQZAf29EEUjg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbVhvQlZDWXhmMXpnaDBk
+            YUFwMkhwRDlkMXhjS1NJSVR3QWhBNDY2c0VFCklMaTBaKzQvRjdLQjFlelpkY2Ra
+            R0E3NjNVV1pPOG02WnhLdHhqRytPdlkKLS0tIFBFQlpWL0FEUWNGOThzNW1RdG9S
+            V2lSdVpweWZKM3VYZ01hclV4ZENZbTQKMQ3/EZk82q4oGnFJb49+X5uQzuTji8qV
+            K61/vy40g/1f8wgpJwjvGCHx7VyzsBp4lhXiLODMIW6ubp5kAU4r9A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVVJSRmZucDc1Vk5HZ0py
+            NS9BcDlLRkpyYitmd0hZdlVOaFgxS3JyR1ZJCkVBajVBTjlWamNMNFYza2xWaitx
+            V2loazBmaE5kVWRoVWwvR2NQa3Mwb1EKLS0tIFZYNGNRc00rUGlDT2tGUFlCcDc3
+            aFB3SmpjVFVBc3lPWmMyM29URHpaUzQKguiKNjvJayezQ2tAqmFSgA8tY/6tx1Pb
+            OeB5cBtSyXfdZhL8HGYAqiIph9zbO3NId7icJsZ11YTW6XHHr1P7gw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aDJ5UkM1WENoUDZOUld3
+            ZXpTdWJjQzVhNEI4RGs4UlhyVytBcmcwbUdBCkxhNnlzSm5yS21zVVNoSmc3VmJF
+            REE1YXpFSWtPcVhzMnFGckpLZUxQR2cKLS0tIE5DWGFKNUxRZnpFNGpMS0xxVVhq
+            OWIwRXBXMmxHN09pZVcyNElQZVhFWUUKAN0Yd2/RB0ZjE0BGZnVY+bCSEQXVpZrS
+            DwsxXlldtJLVebLxthPaXcPI4UmUFYSPFYWDPijjxQ7gbRYnOsV1eA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaVNQeVd3c0JKakhEWWE0
+            ZDNjUitGaUVxM3h0UjF4Z2ZVR0w2L2xKTlRzCjhVVERodmpFVXF6Tnp5N011Tk9J
+            TVR2akpwRlBKOEs0T3loa0p1cGU5c1EKLS0tIEh5TGYrZ0c3MjQ0bDlsb3J6UGls
+            VWRsQy9BeU1rTmUxd0xwZHA2MjMrZmcKPI2g7B4Ylmbq1Z6WHAhdDx43oB/OeIKY
+            MKpwZ985JUrxwwiM0UC9DfNYaM9ScUf4l3qHFPHjh+N899rf7nW3zA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-13T09:05:22Z"
+    mac: ENC[AES256_GCM,data:Jg/J4ulZtAI7Kfeb8/ccmG3hV+2TF/5kTcwNRr6llVORVBZ0cGeJz5TvhqwHsSf3TRwgzS50RHWtbJ//TadWrYbf+EInV92mT+ybVO/p6ek0jiqRV9Kto697YnjjtMG1uJcIazWhShT4UTg6PNlAtRzBA3759tnw2aj0hCNH9QE=,iv:hu1m3GdLiwyVZDrlh/p63hGCaJgXIHuVnxzPKskj9Io=,tag:NW+d9m+eTgkb9Uea5aurSw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@@ -0,0 +1,115 @@
+default: ENC[AES256_GCM,data:hblL4UM//g==,iv:pu+XlfdZl8XZFk16iwV5juImHosUfOhZJ54UAzi9iwo=,tag:8h2ybkmNoqUT85L2JfXLrA==,type:str]
+sops:
+    age:
+        - recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWUtjYmxwWVJtekY5RTcz
+            Yno1M0Z6RnRYRkowRmVWMWVTNWRTc0RWWWprCjlRZ0dVYnkzaU1CTmljR2VxVDZX
+            a1lzNUNCb0FrdGhvcUV1NTUxa0RRMG8KLS0tIG9PVWMzbHA4Q2YrbTQ2cWFpTU1F
+            NE9TN3QyNEZEM1BoeFFSRHZqUmF0TlkKSvm5PXarwX2/034Y2LThEVQWgGm4emWU
+            abvCD566vlA+MZdRx0CUo1S8xqXDse9inAwroPs3nZ2TabtvCAqNGA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Y2J5a1V5Q1U0eVZPOGlB
+            R2dBcElMQ0kwQUJCTkJuT0J2Tm9ETVlNcUYwCm0wbndXdFBZUllRZm5zdEVEczl4
+            b1NYVXFqVlhTb0R5YTZSUnBlMGNYSkUKLS0tIGJXOUNYV0NNZUlnd3I2OUhjSCs0
+            QzA3SXcwQmI4WE5qTElVWFhmRVhyN28KE2br0ZBj8dUep8O6hf0W1mrOXTDhTq/X
+            xR6zx93tpGdqg+jT0BS+7GMaxj4jM5VMmrTYQrIZc0g9ah34AbFT6g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQzl1MWtYczd5aEpacFNZ
+            elpwaC90d2xTWUFJeGdMTjkxSVhZTUU4a3hnCnFOZ1ViS0hqbW45aU0vajh5NjVv
+            VmNYcmNGT21lMDl4QnljOS9oSHNpTjAKLS0tIGpndTNQU21PSVU1UzErTjFtOVYw
+            ZU1IRWdacUtKeEloQjM0TFU3Q1A0OUkKiFY+UfTgGtPuQBuHfmRKEVV6nyi7ggLT
+            x81Gl5COm0zCuXJuQw5FQutFXnYRC/9ndlNpO1HmrDHnEDp1osdNqg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSUnFJVWNYYlNLSk1xbFYy
+            WGlBYzZHYVc5USt2eXNKdzlabWhYMWExZTFvCmZTeTJxWVhISWt5cjBwT3gvcnJ6
+            QzNRL0lFUGcraURLVnBGQXpXUzFiVG8KLS0tIEpobkwvaHBRU0FjQ3NIWDc2bWRj
+            ZWpwYURSc2dGTzJGaWgrWDRKZlRDZzQK0BZeC4JAbP8sHVy48O5rTyojRIkL8SUe
+            JPTYEa/wIDWOgp9Kkxa6QwVMr061pdEnIF6pal2efJjtvS0Q8JaegQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVzUwSkQrTGhBQ1VVR25D
+            ZU5BY1NnUVVhVTJ2VUxPTWpqVXNhQWhpc0dnCk5EQ3JYdmUvQWo3QzdqcXVaN2Q4
+            ODFIeVhZWFAwV0hvUm5UTyt3VEZ3NFUKLS0tIElZL2NqQTY0dGJzVjJNWEh2U0pp
+            Nk94MldCTnZQRG00S1NGZWlsbmxLencKkeUHuYFIwQYdAAwfBcJ4F/1oR8mQfK9t
+            ka9WdGJZ+w2UDU0zOdkaD01lnqHenV/MhkzQ+SYnFEETDNLWt+OkwQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdktET3FCUmw2TVhSWXcv
+            MTlHYlR2KzhPS2ZrdHA5ekcxZVZSc1JNM3lVCndQZUFKTFJFZG1GVWJvWllobGJU
+            eERoSmFMZWh5ZmZHM3Z3UWc5aVpab0EKLS0tIFIrdkdyaHg1NFVpM1JGWlBSWWpu
+            N0Q4YzZCbmd6bUc0U3FaZ3lLNUJOTXMKHC/emqz88i9dq+rWaw7Lh92pdu2D1aDD
+            K7G4d5AgRuSZxPWxwQMGTsCS3arsex0KrxdWE2ksZYTwVdi5CU3zTA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM1BWd08zNFNPdTlUa1Vt
+            TzBJcDNIbHl3aXFUMXpkMmE1ajVwVFcrUVZBCkFDUnEyRktNRDlLdmFZT3Y0cVNT
+            UCtQQmhjT2hvbWdSOGh1WkMxcFFBWGMKLS0tIE1NQ3AraGVxVUxvZUVDOC9NY2xE
+            UHJZOWp6RmU2SFR4bU5hTDJnbHo5Rk0K/6Loz0GabBTy1VxePYwiuDtFCiDniGTv
+            RP7SKgMbN0SUjeaXwTmksC9DmfhWzXwDJqh/n/cNrtE2yuKR2AGzQA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6d1lFaGxEOElxYjBVV2w5
+            dVJyUnNveklTbXJQSzA4UlVHYTlWZUUyVlIwCnRwS1RTejAzNllHdWVaYU5tZXhq
+            bzZVcnpjYXBhWFFnWjY1cFhQZ0JuZ3cKLS0tIE1zYWlJTTV2VWRma2JjWlRZZ2Ro
+            NitqbEFuUENKaDZWY2dVRU9tWUF4b1kKAZAVyohLFZPMC0O6AF7GUXaE/8Q9bF2s
+            o1rS/8Cg0KqmalQ992wSMjUj1Z0y+najuaF6Kp9r2Q+6b9IVe7HQFA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzN01Db01QMVdudC9idjBm
+            N3B4a3hUR2ZNYUQzL3RVVlQvelFFNUZFTlhFCnpaMDFpcVpkcThFanJRcEVxOFNP
+            cC9xL29MVTd0R1FUQzMzazVoNDUvMkkKLS0tIEVYRTlZSkVUcmZIVWJ2dmlBVGxq
+            R0E2MmdSZDFPTG9WMmhzT0dRYWRkclkK6Hg6rNuEhWb1PLA8z5l2YPDBMXxo0VwA
+            GrpQjbrcFKXTxOpi9FU5m1Dy0HSkEkUnmcFiVr98g6xJwWQjp9Xduw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ0tJRDYzMDQvdVBDZ1ZD
+            NjJyc2x4NFhhd3oycjRxSFZhaHZTN25kc1NFCldvMy9IWUNadzRNWFh0QVQrczhB
+            aFhyd1d3cWlad3RCWVN0VWQzNkU5eWsKLS0tIDZSbmxLbnNTYmJhL0l6L1JwRWFN
+            ZUQ4cVlyL3VYQ0RFdHgvalFnWnU1Z1EKTkQZ14qvVykxfkD1smBd7aXzqji4sUGi
+            dI0PoKWAy4rqVbNMsNTOutNk8KMxJG+d9Qw947W2O7fA2XIY7/hnug==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQnNCR2w4YjlzUSt5bDE3
+            c0VMWmQ4M00zMVErd21DYnlPb0JtelFDeml3CjNGV1ZJMVZOTFNpT1RSc3FXV0No
+            d25GUGVzTi9WWlVDeWRzd3BDOXNHb1UKLS0tIHFVdVRRb2l4YjlaY0NlUFpiRmxs
+            aE91WkxSYittL2Y5aWZBUFpYS0tzR28KK7B4TLpgtcRj8zttl/oHaYuedm2r8LDd
+            6C/cMrD+hQEb45OiDcn4V1L444vwbAZJvzgoiQWem6+1Wvepqe+P0A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbjJKSGlLbFBCd011bHBG
+            emM4MVJCKy9UejY3M0E4VWFKTDFUeGZQQkVFCk1ZTkpUYm5adVZOU1hpR0xqOUdi
+            ZXppQ3lFdlBxQWdRdW9TbUFkcDJFbG8KLS0tIEhycFp1WGRCVUxBVzJRamptYnli
+            dW1YMTBIa202Tkp3WC9KRUhTckFCMUEKgUhihP1CN+kNOcbtfsr/gofI0tVzMVwo
+            4aQPOxmvp3gyKdvPtUUTxJ3QrZ3laAHcVmsxPjEPnaAjfmGSUZh/YQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-13T11:02:46Z"
+    mac: ENC[AES256_GCM,data:roAByCemPPNz6kkAX1nOL/TU3p2Jv67paQKlouek40FEf5cwVRMmygKDhs1vV8ZO4Ot0xGjXwiq+ylD0aSzbzvdcD/gG+cZ67XpqcW7CQMMtCrQ3Rt+U7q4rxyUeR55VxJdusjwtPp8qPVutKNJlebOUdBgaSKzDzwbnRppDUxk=,iv:PZVwlU3uUO+hHisHaoQAAfcBR2jlB0UHSU7ZFRXYfPo=,tag:0hPLfuSoSLRR1LiOWHFpfQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
--- a/users/caperren/caperren.nix
+++ b/users/caperren/caperren.nix
@@ -25,8 +25,8 @@ in
      "wheel"
    ];
    openssh.authorizedKeys.keys = [
-        sshDesktopPubkey
-        sshLaptopPubkey
+      sshDesktopPubkey
+      sshLaptopPubkey
    ];
  };
Author	SHA1	Message	Date
Corwin Perren	4b886de443	Merge pull request #24 from caperren/working-branch Remove home-manager ssh config for now due to bad default permissions	2025-12-13 16:35:03 -08:00
Corwin Perren	6d8ec5e01c	Remove home-manager ssh config for now	2025-12-13 16:34:13 -08:00
Corwin Perren	4dd1207568	Merge pull request #23 from caperren/sops-testing sops-nix functional, and providing encrypted token for test cluster	2025-12-13 16:22:29 -08:00
Corwin Perren	1fe9c9c9cf	Secondaries need to inherit secondary config	2025-12-13 15:56:29 -08:00
Corwin Perren	d72c3d4e56	Re-enable secondaries	2025-12-13 15:28:48 -08:00
Corwin Perren	307cf5108c	Re-enable nix rebuild service for cluster	2025-12-13 15:23:24 -08:00
Corwin Perren	b110daed58	Re-enable primary server	2025-12-13 15:09:38 -08:00
Corwin Perren	180d6cf1b0	Reset cluster for change to sops-nix managed token	2025-12-13 15:06:11 -08:00
Corwin Perren	b3fd29faef	Fixed home manager inputs, and got sops-nix working for all current hosts	2025-12-13 14:54:15 -08:00
Corwin Perren	a3837016ae	Fixed sops config	2025-12-13 03:03:38 -08:00
Corwin Perren	d40951b6a8	Actually commit default.yaml	2025-12-13 02:36:59 -08:00
Corwin Perren	ade7bdd892	Add default.yaml for sops and set as such	2025-12-13 02:36:20 -08:00
Corwin Perren	420513c859	Had to run sops updatekeys to add new hosts	2025-12-13 02:31:36 -08:00
Corwin Perren	35c0153da9	Temporarily remove git autorebuild	2025-12-13 02:26:00 -08:00
Corwin Perren	154a177a51	Huh, guess it has to be relative	2025-12-13 02:21:29 -08:00
Corwin Perren	439d48d1bf	Absolute secrets path	2025-12-13 02:19:41 -08:00
Corwin Perren	71b9956ecd	Remove home manager sops for now	2025-12-13 02:17:15 -08:00
Corwin Perren	2b77870bda	Add config import	2025-12-13 02:05:26 -08:00
Corwin Perren	c65056be55	Import config for home manager settings	2025-12-13 01:59:07 -08:00
Corwin Perren	353135a2d9	Initial keys, and basic token file for sops cluster testing	2025-12-13 01:55:25 -08:00