valkyrie: move secrets

configurations/host/valkyrie/default.nix

@@ -2,7 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running `nixos-help`).
 
-{ config, pkgs, materusArg, ... }:
+{ pkgs, materusArg, ... }:
 
 {
   imports =
@@ -10,6 +10,7 @@
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ./services
+      ./secrets
     ];
 
   materus.profile.nix.enable = true;
@@ -69,7 +70,7 @@
   users.users.materus = {
     isNormalUser = true;
     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    packages = with pkgs; [
+    packages = [
     ];
     openssh.authorizedKeys.keyFiles = [ ("${materusArg.cfg.path}" + "/extraFiles/keys/ssh/materus.pub") ];
   };

configurations/host/valkyrie/home/materus/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ ... }:
 {
   home.stateVersion = "23.05";
   home.homeDirectory = "/home/materus";
@@ -10,7 +10,7 @@
     enableTerminalExtra = false;
     enableNixDevel = false;
 
-    fish.enable = true;
+    fish.enable = false;
     bash.enable = true;
   };
 }

configurations/host/valkyrie/secrets/default.nix

@@ -0,0 +1,27 @@
+{ materusCfg, ... }:
+{
+  imports =
+    [
+
+    ] ++ (if (materusCfg.materusFlake.decrypted) then [ ./private ] else [ ]);
+
+  sops.age.generateKey = false;
+  sops.gnupg.home = null;
+  sops.gnupg.sshKeyPaths = [ ];
+  sops.defaultSopsFile = materusCfg.hostPath + "/secrets/secrets.yaml";
+
+  sops.secrets.wireguard = { };
+
+  services.openssh.hostKeys = [
+    {
+      bits = 4096;
+      path = "/materus/root/ssh_host_rsa_key";
+      type = "rsa";
+    }
+    {
+      path = "/materus/root/ssh_host_ed25519_key";
+      type = "ed25519";
+    }
+  ];
+
+}

configurations/host/valkyrie/secrets/secrets.yaml

@@ -0,0 +1,33 @@
+wireguard: ENC[AES256_GCM,data:i98U0ugxbNqWNuKR8u+mdWoSMLViHXfsWRBS1lvjb+hgGxveyzjBcagBIeY=,iv:/hF9oH2R6NSeHT/UQTlbmtx+gPX/3CJOLPNnxrzsY/g=,tag:2ub5w8uH2O1B2hoku8Kowg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1wscr6kv8393wv0fjaux8juplaxq55znlzrp62qyteq0fauu3yg0s7d7k98
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRXNLdUZaVU13alNhVGgz
+            aXdMb3IzNjNQcHJFV2JLNVM2SUVBa3VNZlRFCkxxd21CTWVDUkVXbzR6ZEkxbm5J
+            VGorSkp6a2xSdHRHcFk5T3VYVlJJa0UKLS0tIE1WdHo5eTlpNEEyN25oSjk1KzdS
+            d2dMUUh1RDB3UnpEdFJsNHpQRXFWemMKc41dlOapTsvH91QLNhdPbrzerPFakOiX
+            J/uoZDMIhsmQxgQM7Fqxr05NywhI/ZjOtJS2bayp73O57xjjMYcyNQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-21T22:56:14Z"
+    mac: ENC[AES256_GCM,data:bh6fCWIn4Ppv0NSa2qXPIi2O0VfRqZCUqcvPFttrh1Q1BISkBFrX5uz7Zq5OTE0HzUMDhHq2/uQGqKjao9qyDYhaP20Ffh2HbQGvIvOZLtyKzT12LVwBLxSAsJ9l6fF+sDLrT98f4vDiu/8dyRnhDAV4V9DUNbDi/gF4imjoyXQ=,iv:Xh+nK7DyogwUxMPO4qbZgL9XptOISH/qTRaml9HjWAw=,tag:gzZ4ZRd6LjvsN9Axd4aykQ==,type:str]
+    pgp:
+        - created_at: "2024-03-21T22:55:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D5fSX77p80GYSAQdA667A9P/3ktuS2iEjxkv3aYMAGSu0oPGIX7dsC23VVgkw
+            OmcwhXxBnipcG+izbtNylXz5VonyyKHwdR2QIgkt9FEuC8lI17GHVyogTCFiP7Dj
+            1GgBCQIQN4EqFdiXqzJUeeE+PdOzVPs+1kStz+S1H22NjrJAFv67cbyIgwpItuXD
+            Sfao+MU1HWDY4iKZrcfWArUgpQj/pvsmUeJ72iXD3bkTTrK61g3GZA+g9lFewl/B
+            SORJMu9btS4GAw==
+            =aBMP
+            -----END PGP MESSAGE-----
+          fp: 28D140BCA60B4FD1
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1