configuration/common/nix.nix

@@ -62,7 +62,7 @@
     };
   };
 
-  nix.package = lib.mkDefault pkgs.nixVersions.nix_2_18;
+  nix.package = pkgs.nixVersions.nix_2_18;
 
   documentation.doc.enable = false;
 

configuration/desktop/fonts.nix

@@ -7,7 +7,8 @@
     roboto
     roboto-mono
     noto-fonts
+    noto-fonts-cjk
     noto-fonts-emoji
     comfortaa
-  ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
+  ];
 }

pkgs/clerie-sops/clerie-sops-config.nix

@@ -1,19 +1,37 @@
 { pkgs, lib, ... }:
 
-pkgs.python313Packages.buildPythonPackage rec {
+with lib;
-  pname = "clerie-sops-config";
-  version = "0.0.1";
 
-  src = ./.;
+let
+  hosts = builtins.attrNames (builtins.readDir ../../hosts);
 
-  format = "other";
+  mkAgeKey = hostname: ssh_pub_file:
-
+    pkgs.runCommand "${hostname}.age" {
-  propagatedBuildInputs = with pkgs; [
+      buildInputs = [ pkgs.ssh-to-age ];
-    ssh-to-age
+    } ''
-  ];
+      ssh-to-age -i ${ssh_pub_file} -o $out
-
-  installPhase = ''
-    mkdir -p $out/bin
-    cp clerie-sops-config.py $out/bin/clerie-sops-config
     '';
-}
+
+  ageKeysForHost = hostname: let
+    ssh_pub_file = ../../hosts + "/${hostname}/ssh.pub";
+  in
+    if builtins.pathExists ssh_pub_file then [
+      (fileContents (mkAgeKey hostname ssh_pub_file))
+    ] else [];
+
+  mkCreationRules = hosts:
+    map (hostname: {
+      path_regex = escapeRegex "hosts/${hostname}/secrets.json";
+      key_groups = [{
+        pgp = [
+          (fileContents (pkgs.clerie-keys + "/gpg/clerie@clerie.de.fingerprint.txt"))
+        ];
+        age = ageKeysForHost hostname;
+      }];
+    }) hosts;
+
+  sops_config = {
+    creation_rules = mkCreationRules hosts;
+  };
+in
+  pkgs.writeText "sops.json" (builtins.toJSON sops_config)

pkgs/clerie-sops/clerie-sops-config.py

@@ -1,55 +0,0 @@
-#!/usr/bin/env python3
-
-import sys
-import json
-from pathlib import Path
-import re
-import subprocess
-
-def generate_sops_config(repo_root):
-    admin_keys = []
-
-    # hardcode fingerprints because we can't really generate them automatically currently
-    admin_keys.append("0C982F87B7AFBA0F504F90A2629E741947C87928") # clerie@clerie.de
-
-    list_of_host_directories = sorted(list(filter(lambda path_object: path_object.is_dir(), (repo_root / "hosts").iterdir())))
-
-    creation_rules = []
-
-    for host_directory in list_of_host_directories:
-        host_secrets_file = host_directory / "secrets.json"
-        host_keys = []
-
-        ssh_host_key_file = host_directory / "ssh.pub"
-
-        if ssh_host_key_file.is_file():
-
-            ssh_to_age_command = subprocess.run(["ssh-to-age", "-i", str(ssh_host_key_file)], capture_output=True, text=True)
-            if ssh_to_age_command.returncode == 0:
-                host_keys.append(ssh_to_age_command.stdout.strip())
-
-        creation_rules.append({
-            "key_groups": [{
-                "age": host_keys,
-                "pgp": admin_keys,
-            }],
-            "path_regex": re.escape(str(host_secrets_file)),
-        })
-
-    return {
-        "creation_rules": creation_rules,
-    }
-
-
-
-
-if __name__ == "__main__":
-    if len(sys.argv) != 2:
-        print("No repo root specified")
-        exit(1)
-
-    repo_root = Path(sys.argv[1])
-
-    sops_config = generate_sops_config(repo_root)
-
-    print(json.dumps(sops_config))

pkgs/clerie-sops/clerie-sops.nix

@@ -4,13 +4,8 @@ pkgs.writeShellApplication {
   name = "clerie-sops";
   runtimeInputs = with pkgs; [
     sops
-    clerie-sops-config
   ];
   text = ''
-    REPO_ROOT="."
+    exec sops --config ${pkgs.clerie-sops-config} "$@"
-    if GIT_ROOT=$(git rev-parse --show-toplevel); then
-      REPO_ROOT="$GIT_ROOT"
-    fi
-    exec sops --config <(clerie-sops-config "$REPO_ROOT") "$@"
   '';
 }