From ca41f6af9e01451d995b6a14c09884003411f19f Mon Sep 17 00:00:00 2001
From: Avery
Date: Wed, 3 Apr 2024 23:27:14 +0200
Subject: [PATCH] Set up sops-nix
---
 .sops.yaml | 7 ++++
 common/nixos.nix | 11 ++++-
 flake.lock | 52 +++++++++++++++++++----
 flake.nix | 9 +++-
 hosts/greatyamada/services/forgejo.nix | 57 ++++++++++++++++++++++++++
 hosts/totsugeki/nixos.nix | 6 ++++-
 6 files changed, 132 insertions(+), 10 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 hosts/greatyamada/services/forgejo.nix
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d6fdf6e
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &avery age1rxn337tx2qxa8t5dxrxnnctza8g2awm24pq84nt2w2u72m8yx9lqus0qq9
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *avery
diff --git a/common/nixos.nix b/common/nixos.nix
index e0159ce..babc977 100644
--- a/common/nixos.nix
+++ b/common/nixos.nix
@@ -19,12 +19,13 @@
 users.avery = {
 extraGroups = [ "wheel" ];
 isNormalUser = true;
+ hashedPasswordFile = config.sops.secrets.avery_password.path;
 };
 };
 environment = {
 shells = with pkgs; [ zsh ];
- systemPackages = with pkgs; [ git htop neovim ];
+ systemPackages = with pkgs; [ git htop neovim sops ];
 };
 programs.zsh.enable = true;
@@ -43,4 +44,12 @@
 };
 services.openssh.enable = true;
+
+ sops = {
+ secrets.avery_password = {
+ sopsFile = "/etc/nixos/secrets/hosts/common.yaml";
+ neededForUsers = true;
+ };
+ validateSopsFiles = false;
+ };
 }
diff --git a/flake.lock b/flake.lock
index 00054fe..b5a1699 100644
--- a/flake.lock
+++ b/flake.lock
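Review bot: The creation rule's `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$` does not match the files the rest of this patch references — `secrets/hosts/common.yaml` and `secrets/hosts/totsugeki.yaml` — because `[^/]+` cannot cross the `hosts/` directory, so `sops` will find no rule for them and editing or re-keying those files will only work with recipients passed on the command line. Change it to `path_regex: secrets/.*\.(yaml|json|env|ini)$`, or `secrets/hosts/[^/]+\.(yaml|json|env|ini)$` if only that directory is intended. The single recipient, avery's personal age key, also means every host that must decrypt has to hold that private key; the usual arrangement is one age public key per host (derived from its SSH host key with `ssh-to-age`) listed next to `*avery` under `key_groups.age`, so a compromised host exposes only its own secrets and never the user's editing key.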
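Review bot: `hashedPasswordFile = config.sops.secrets.avery_password.path;` only seeds the hash when the `avery` account is first created unless `users.mutableUsers = false` is set for these hosts; with the NixOS default `mutableUsers = true`, an existing entry in `/etc/shadow` or a later `passwd` change wins, and the sops-managed hash silently stops being the source of truth. If the secret is meant to be authoritative, add `users.mutableUsers = false;` beside the `users` block (it may already be set outside this hunk — worth confirming). The module's argument list is above the hunk, so `config` must be among its arguments for this reference to evaluate.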
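Review bot: `sopsFile = "/etc/nixos/secrets/hosts/common.yaml";` combined with `validateSopsFiles = false;` defers every check on the encrypted file to activation: it is not copied into the store, nothing at build time verifies that it exists or that the configured key can open it, and because `neededForUsers = true` the decryption runs early in stage-2 activation, so a missing or unreadable file most likely surfaces only as an activation-time error with the `avery` account left without the intended hash rather than as a failed build. Prefer a path relative to the flake, e.g. `sopsFile = ../secrets/hosts/common.yaml;` (adjusted to the repo layout), and drop `validateSopsFiles = false` so the file is validated when the system closure is built. Note that `secrets/hosts/common.yaml` is also not matched by the `secrets/[^/]+\.…` creation rule added in `.sops.yaml`. The enclosing module attribute set starts before this hunk.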
@@ -138,11 +138,11 @@ ] }, "locked": { - "lastModified": 1711868868, - "narHash": "sha256-QpZanlbVu6Gb2K96u3vgu0F2BvZD74+fOsIFWcYEXoY=", + "lastModified": 1712016346, + "narHash": "sha256-O2nO7pD+krq+4HgkLB4VThRtAucIPfXDs/jJqCGlK1w=", "owner": "nix-community", "repo": "home-manager", - "rev": "30f2ec39519f4f5a8a96af808c439e730c15aeab", + "rev": "4be0464472675212654dedf3e021bd5f1d58b92f", "type": "github" }, "original": { @@ -209,6 +209,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1711819797, + "narHash": "sha256-tNeB6emxj74Y6ctwmsjtMlzUMn458sBmwnD35U5KIM4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2b4e3ca0091049c6fbb4908c66b05b77eaef9f0c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixvim": { "inputs": { "devshell": "devshell", @@ -222,11 +238,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1711888895, - "narHash": "sha256-Hykv2DGC5EHzZ89+54w/zkit+CVGLRcdIgOWnB4zW5k=", + "lastModified": 1712057047, + "narHash": "sha256-o5KSQO82/sCgaaSsZONTeb+P47MXo0bbp+eID9I0CwI=", "owner": "nix-community", "repo": "nixvim", - "rev": "db6b61f117c83943f15289ced03674f81d08256a", + "rev": "7baefc8aa587931827797db7fbd55a733179dc79", "type": "github" }, "original": { @@ -267,7 +283,29 @@ "inputs": { "home-manager": "home-manager", "nixpkgs": "nixpkgs", - "nixvim": "nixvim" + "nixvim": "nixvim", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1711855048, + "narHash": "sha256-HxegAPnQJSC4cbEbF4Iq3YTlFHZKLiNTk8147EbLdGg=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "99b1e37f9fc0960d064a7862eb7adfb92e64fa10", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { diff --git a/flake.nix b/flake.nix index 5b651d0..7677e27 100644 
--- a/flake.nix
+++ b/flake.nix
@@ -11,16 +11,22 @@
 url = "github:nix-community/nixvim";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { self, nixpkgs, home-manager, nixvim }@inputs: {
+ outputs = { self, nixpkgs, home-manager, nixvim, sops-nix }@inputs: {
 nixosConfigurations = {
 totsugeki = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
 ./common/nixos.nix
 ./hosts/totsugeki/nixos.nix
+ ./hosts/greatyamada/services/forgejo.nix
 home-manager.nixosModules.home-manager
+ sops-nix.nixosModules.sops
 {
 home-manager.useUserPackages = true;
 home-manager.users.avery = {
@@ -41,6 +47,7 @@
 ./common/nixos.nix
 ./hosts/greatyamada/nixos.nix
 ./hosts/greatyamada/services
+ sops-nix.nixosModules.sops
 ];
 };
 };
diff --git a/hosts/greatyamada/services/forgejo.nix b/hosts/greatyamada/services/forgejo.nix
new file mode 100644
index 0000000..692145f
--- /dev/null
+++ b/hosts/greatyamada/services/forgejo.nix
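Review bot: `./hosts/greatyamada/services/forgejo.nix` is added to the module list of `totsugeki`, not `greatyamada`, although its path and greatyamada's existing `./hosts/greatyamada/services` import both say it belongs to the other host. On totsugeki this line enables a Forgejo instance and an nginx virtual host for `git.rcia.dev`, and it declares four `forgejo/*` sops secrets that must then be present in `totsugeki.yaml` or activation on that machine fails. If it is a temporary test it should carry a comment saying so; otherwise drop the line (greatyamada presumably already picks the file up through its services directory, whose default.nix is not visible here). The enclosing `outputs` attribute set continues past the hunk.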
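Review bot: `sops-nix.nixosModules.sops` is imported for `greatyamada`, but nothing in this patch gives that host a decryption key: `sops.age.keyFile` is set only for totsugeki, so greatyamada falls back to sops-nix's default of deriving an age identity from the host's SSH ed25519 key (as far as I recall, `/etc/ssh/ssh_host_ed25519_key`), and that identity is not a recipient in `.sops.yaml`, whose only key is avery's. `avery_password`, declared in `common/nixos.nix` for both hosts, will therefore fail to decrypt on greatyamada unless the user key happens to sit in the default location there. Add the host's `ssh-to-age` public key to `.sops.yaml` and re-encrypt, or set `sops.age.keyFile` for greatyamada as well. The enclosing `nixosConfigurations` set starts before this hunk.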
@@ -0,0 +1,57 @@
+{ lib, pkgs, ... }:
+let
+ forgejoConfigPath = "/var/lib/forgejo/custom/conf";
+ arrayToSecrets = elements:
+ builtins.listToAttrs (map (x: {
+ name = "forgejo/" + x;
+ value = {
+ path = "${forgejoConfigPath}/" + x;
+ owner = "forgejo";
+ };
+ }) elements);
+in {
+ services = {
+ forgejo = {
+ enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.rcia.dev";
+ ROOT_URL = "https://git.rcia.dev";
+ HTTP_PORT = 3000;
+ DISABLE_SSH = true;
+ LFS_START_SERVER = true;
+ LFS_JWT_SECRET = "";
+ LFS_JWT_SECRET_URI = "file://${forgejoConfigPath}/lfs_jwt_secret";
+ };
+ security = {
+ INSTALL_LOCK = true;
+ INTERNAL_TOKEN = lib.mkForce "";
+ INTERNAL_TOKEN_URI = "file://${forgejoConfigPath}/internal_token";
+ SECRET_KEY = lib.mkForce "";
+ SECRET_KEY_URI = "file://${forgejoConfigPath}/secret_key";
+ };
+ oauth2 = {
+ JWT_SECRET = lib.mkForce "";
+ JWT_SECRET_URI = "file://${forgejoConfigPath}/oauth2_jwt_secret";
+ };
+ };
+ };
+ nginx = {
+ virtualHosts."git.rcia.dev" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ clientMaxBodySize = "200M";
+ };
+ };
+ };
+ };
+ systemd.services.forgejo.preStart = ''
+ ${pkgs.forgejo}/bin/gitea migrate
+ '';
+ sops.secrets = arrayToSecrets [
+ "internal_token"
+ "lfs_jwt_secret"
+ "oauth2_jwt_secret"
+ "secret_key"
+ ];
+}
diff --git a/hosts/totsugeki/nixos.nix b/hosts/totsugeki/nixos.nix
index 36433d7..0366919 100644
--- a/hosts/totsugeki/nixos.nix
+++ b/hosts/totsugeki/nixos.nix
@@ -99,8 +99,12 @@
 };
 udisks2.enable = true;
 };
- systemd = { services = { NetworkManager-wait-online.enable = false; }; };
+ sops = {
+ defaultSopsFile = "/etc/nixos/secrets/hosts/totsugeki.yaml";
+ age.keyFile = "/home/avery/.config/sops/age/keys.txt";
+ };
+ system.stateVersion = "24.05";
 }
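Review bot: `ROOT_URL = "https://git.rcia.dev"` is paired with an nginx virtual host that has no `forceSSL`/`addSSL` and no `enableACME`, so unless TLS for this vhost is configured somewhere outside the patch (nothing here does it), the site is served over plain HTTP while Forgejo believes it is behind HTTPS — logins and session cookies cross the wire in clear text and Forgejo's own redirects point at an `https://` endpoint nothing serves. Add `forceSSL = true; enableACME = true;` to `virtualHosts."git.rcia.dev"` (with `security.acme` defaults set). Two smaller points: `LFS_JWT_SECRET = ""` is the only one of the four secret settings not wrapped in `lib.mkForce`, so if the forgejo module assigns that key at the same priority as the other three the override will conflict or lose — make it `lib.mkForce ""` for consistency; and `preStart` runs `${pkgs.forgejo}/bin/gitea migrate`, which should use `config.services.forgejo.package` (adding `config` to the module arguments) so the migration binary always matches the service, and is probably redundant if the module already performs the migration in its own `preStart`.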
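Review bot: `age.keyFile = "/home/avery/.config/sops/age/keys.txt";` roots all system secret decryption in a private key kept in a user's home directory — the same key that is the sole recipient in `.sops.yaml` — so any process running as `avery`, or anything that can read that directory, can decrypt every secret of every host, and root's activation must read from `/home` early in stage 2 (before a separately mounted or encrypted home may be available) because `avery_password` is `neededForUsers`. The conventional setup is to leave `sops.age.keyFile` unset, let sops-nix derive the host identity from `/etc/ssh/ssh_host_ed25519_key` (its default `sshKeyPaths`), and list that host's `ssh-to-age` public key as a recipient in `.sops.yaml`, so the user key remains an editing key only. `defaultSopsFile` is an absolute path outside the flake like the `sopsFile` in `common/nixos.nix`, with the same validate-only-at-activation caveat, and the `forgejo/*` secrets that `forgejo.nix` declares on this host must actually exist in `totsugeki.yaml`. The enclosing module attribute set starts before the hunk.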