From da8d6b77894dbf965fe77fd824512b6f160f906d Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Sun, 20 Oct 2024 20:17:28 -0500
Subject: add age and sops pkgs. reluctantly add sops nix for managing secrets. change wifi config to use wpa supplicant and configure with secrets. wpa_gui installed.

---
 .sops.yaml | 8 ++++++
 flake.lock | 40 ++++++++++++++++++++++++++++-
 flake.nix | 5 ++++
 modules/root/default.nix | 1 +
 modules/root/resources/secrets/secrets.yaml | 21 +++++++++++++++
 modules/root/secrets.nix | 13 ++++++++++
 modules/root/software.nix | 3 +++
 modules/root/wifi.nix | 24 ++++++++++++++---
 8 files changed, 111 insertions(+), 4 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 modules/root/resources/secrets/secrets.yaml
 create mode 100644 modules/root/secrets.nix

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..c20b027
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+keys:
+ - &T430 age1lkv9x8vfjzkffxz95ygqr8sgqrnulplqkghkhq4zas62klgpgd2qt9p59t
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *T430
+
diff --git a/flake.lock b/flake.lock
index a330b7d..708e44e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -148,6 +148,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable_2": {
+ "locked": {
+ "lastModified": 1729357638,
+ "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1727540905,
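Review bot: `keys:` lists a single age recipient, `&T430`, and the only creation rule encrypts `secrets/secrets.yaml` to that key alone, so one private key — the file secrets.nix points at under the root user's home — is the sole way to ever read these secrets; if it is lost the encrypted file is unrecoverable, and it cannot be rotated without first being decryptable. A second recipient in the same `age:` list, such as a backup key kept offline or the host's SSH ed25519 host key (sops-nix can consume it through `sops.age.sshKeyPaths`), costs one line here plus a `sops updatekeys` run on the file. `path_regex: secrets/secrets.yaml$` is anchored only at the end, which is fine today but will also match any future file with that suffix in any directory; a comment saying that is intended would avoid a surprise later.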
@@ -189,7 +205,29 @@
 "inputs": {
 "arkenfox": "arkenfox",
 "home-manager": "home-manager",
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs_2",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable_2"
+ },
+ "locked": {
+ "lastModified": 1729394972,
+ "narHash": "sha256-fADlzOzcSaGsrO+THUZ8SgckMMc7bMQftztKFCLVcFI=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c504fd7ac946d7a1b17944d73b261ca0a0b226a5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index bdc0487..01dfee0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,11 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
 
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 home-manager = {
 url = "github:nix-community/home-manager/release-24.05";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/modules/root/default.nix b/modules/root/default.nix
index 9a7affb..fb327e6 100644
--- a/modules/root/default.nix
+++ b/modules/root/default.nix
@@ -14,6 +14,7 @@
 ./normaluser.nix
 ./pipewire.nix
 ./powerkeys.nix
+ ./secrets.nix
 ./software.nix
 ./virtualisation.nix
 ./wifi.nix
diff --git a/modules/root/resources/secrets/secrets.yaml b/modules/root/resources/secrets/secrets.yaml
new file mode 100644
index 0000000..9214cca
--- /dev/null
+++ b/modules/root/resources/secrets/secrets.yaml
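Review bot: The new `sops-nix` input follows `nixpkgs` but not `nixpkgs-stable`, so the flake.lock hunk in this same commit now carries a second nixpkgs checkout, `nixpkgs-stable_2` pinned to `release-24.05` — the same branch the flake already tracks as `nixpkgs`. Adding `inputs.nixpkgs-stable.follows = "nixpkgs";` beside the existing `follows` line keeps a single nixpkgs in the lock and matches how `home-manager` is wired just below. If sops-nix's stable input is deliberately left independent, a one-line comment saying so would stop the next reader from "fixing" it.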
@@ -0,0 +1,21 @@
+wireless-env: ENC[AES256_GCM,data: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,iv:3YDXflMPieSLq5dlfbiq1zu7GxFSRDfPRIYP52UhMWs=,tag:IX+3X/N/5WuUKTg3WUUXDw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1lkv9x8vfjzkffxz95ygqr8sgqrnulplqkghkhq4zas62klgpgd2qt9p59t
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTW9sT2hJNXVEYnQxV2RG
+ NzhSK0JzVlRmMlV0WmlUMDB4b0FkTG1wMmo4CjlJNkRTczB2WDZzOC8zYjdXdGt0
+ MXZDdThvREFoL3lUc3BZQUZWdDIxRkEKLS0tIDliMzNsdTVhSHJtM0piWmpnSFRC
+ STJsY1BEeCswc29NbUg4eFB2VXZ0NHcKfT5NbcKhEw4dD106nCa4gE3UiIWnpRDZ
+ r0cbU0q6qWIbh2SUbkoEvaGTBJ9BQVL2L4isQ42EaPq5LdQDQajp+A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-21T00:36:42Z"
+ mac: ENC[AES256_GCM,data:a3CeKSdfXv/VXJHoQ++qalywvqdl4amdk+FM3dAgJQtMZWzWrIsBOvsqBfojIhak6HEUvfdkyvXKRFlXiZyfYBx10Vv1r4QvSRgogYIQU5HhgsSKyIZAxxlwViJcEl4V0lFAUdwPSLByl37YvrvjVMC2tMRlX395eT0aabFkTmM=,iv:agDd5ADjO8kalJ0lsb9H9C/IZ2F57di0+loSpyNen5I=,tag:btS0AUmWq/mvOF2T0+dsEA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/modules/root/secrets.nix b/modules/root/secrets.nix
new file mode 100644
index 0000000..464a8f2
--- /dev/null
+++ b/modules/root/secrets.nix
@@ -0,0 +1,13 @@
+{ pkgs, inputs, config, userDetails, ... }: {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ sops = {
+ defaultSopsFile = ./resources/secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.keyFile = "${userDetails.home.root}/.config/sops/age/keys.txt";
+
+ secrets = {
+ wireless-env = { };
+ };
+ };
+}
diff --git a/modules/root/software.nix b/modules/root/software.nix
index 19ffe4d..598ff43 100644
--- a/modules/root/software.nix
+++ b/modules/root/software.nix
@@ -28,6 +28,7 @@
 pcmanfm
 redshift
 sxiv
+ wpa_supplicant_gui
 zathura
 ] ++ pkgs.lib.optionals config.software.desktop.extra.enable [
 # Desktop Extra
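Review bot: `age.keyFile` names `${userDetails.home.root}/.config/sops/age/keys.txt`, a file nothing in this commit provisions or permission-checks, and sops-nix needs it during system activation as root; if it is absent or unreadable the first switch to this configuration fails, and a key kept under a home directory is easy to sweep into user-level backups or syncs. A comment above that line stating the out-of-band provisioning step and the expected ownership and mode (root, 0600) would make the dependency visible; a root-only location outside any user home is worth considering. `pkgs` and `config` in the argument set are unused, so `{ inputs, userDetails, ... }:` is enough. `wireless-env = { };` relies on sops-nix's defaults for owner and mode, which as far as I recall are root and 0400 — right for wpa_supplicant, but worth stating in a comment together with the `SSID_n`/`PSK_n` line format that wifi.nix expects the file to contain.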
@@ -63,6 +64,7 @@
 wireguard-tools
 ] ++ pkgs.lib.optionals config.software.utils.enable [
 # Utilities
+ age
 ddcutil # TODO
 fastfetch
 htop
@@ -75,6 +77,7 @@
 screen
 scrot
 smartmontools
+ sops
 stress
 testdisk
 tmux
diff --git a/modules/root/wifi.nix b/modules/root/wifi.nix
index 54f9089..6de8598 100644
--- a/modules/root/wifi.nix
+++ b/modules/root/wifi.nix
@@ -1,10 +1,28 @@
-{ pkgs, lib, config, ... }: {
+{ pkgs, lib, config, ... }:
+let
+ mkNetworksFromEnvironmentFile = n: builtins.listToAttrs (
+ map (i: {
+ name = "@SSID_${toString i}@";
+ value = {
+ psk = "@PSK_${toString i}@";
+ priority = n - i;
+ };
+ }) (lib.lists.range 1 n)
+ );
+ environmentFile = config.sops.secrets.wireless-env.path;
+ #networks = mkNetworksFromEnvironmentFile ((builtins.length (lib.strings.splitString "\n" (builtins.readFile environmentFile))) / 2);
+ networks = mkNetworksFromEnvironmentFile 10; # Number of networks listed in wireless-env
+in {
 options = { wifi.enable = lib.mkEnableOption "enables wifi"; }; config = lib.mkIf config.wifi.enable {
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ networking.wireless = {
+ enable = true; # Enables wireless support via wpa_supplicant.
+ userControlled.enable = true;
+ inherit networks;
+ inherit environmentFile;
+ };
 };
 }
-- 
cgit v1.2.3
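Review bot: `networks = mkNetworksFromEnvironmentFile 10` hard-codes how many `SSID_n`/`PSK_n` pairs the encrypted `wireless-env` file must contain and nothing verifies it; as far as I can tell the NixOS `networking.wireless` module substitutes `@VAR@` placeholders from `environmentFile` when the service starts and leaves unmatched ones as literal text, so fewer than 10 pairs would yield network blocks with a literal `@SSID_k@` ssid and a `@PSK_k@` psk, which wpa_supplicant is likely to reject as an invalid passphrase. Declaring the count as an option keeps it next to the secret it describes: `wifi.networkCount = lib.mkOption { type = lib.types.ints.positive; default = 10; description = "Number of SSID_n/PSK_n pairs in the wireless-env secret"; };` and `networks = mkNetworksFromEnvironmentFile config.wifi.networkCount;`. The commented-out `builtins.readFile environmentFile` variant should be removed rather than kept: it would read the runtime secret path at evaluation time, which cannot work before sops-nix has ever activated and ties evaluation to the target host. `pkgs` in the argument set is unused, and `userControlled.enable = true` opens the wpa_supplicant control socket to the module's default group (`wheel`, if I remember it right) — a short comment that this is what wpa_gui needs would document the choice.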