pkgs/clerie-sops: Init sops

pkgs/clerie-sops/clerie-sops-config.nix

@@ -0,0 +1,37 @@
+{ pkgs, lib, ... }:
+
+with lib;
+
+let
+  hosts = builtins.attrNames (builtins.readDir ../../hosts);
+
+  mkAgeKey = hostname: ssh_pub_file:
+    pkgs.runCommand "${hostname}.age" {
+      buildInputs = [ pkgs.ssh-to-age ];
+    } ''
+      ssh-to-age -i ${ssh_pub_file} -o $out
+    '';
+
+  ageKeysForHost = hostname: let
+    ssh_pub_file = ../../hosts + "/${hostname}/ssh.pub";
+  in
+    if builtins.pathExists ssh_pub_file then [
+      (fileContents (mkAgeKey hostname ssh_pub_file))
+    ] else [];
+
+  mkCreationRules = hosts:
+    map (hostname: {
+      path_regex = escapeRegex "hosts/${hostname}/secrets.json";
+      key_groups = [{
+        pgp = [
+          (fileContents (pkgs.clerie-keys + "/gpg/clerie@clerie.de.fingerprint.txt"))
+        ];
+        age = ageKeysForHost hostname;
+      }];
+    }) hosts;
+
+  sops_config = {
+    creation_rules = mkCreationRules hosts;
+  };
+in
+  pkgs.writeText "sops.json" (builtins.toJSON sops_config)

pkgs/clerie-sops/clerie-sops.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "clerie-sops";
+  runtimeInputs = with pkgs; [
+    sops
+  ];
+  text = ''
+    exec sops --config ${pkgs.clerie-sops-config} "$@"
+  '';
+}

pkgs/overlay.nix

@@ -2,6 +2,8 @@ final: prev: {
   clerie-keys = final.callPackage ./clerie-keys {};
   clerie-system-upgrade = final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
   clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
+  clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
+  clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
   clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
   chromium-incognito = final.callPackage ./chromium-incognito {};
   iot-data = final.python3.pkgs.callPackage ./iot-data {};