home lab init

nixos/secrets/.gitignore

@@ -0,0 +1 @@
+*.key

nixos/secrets/README.md

@@ -0,0 +1,51 @@
+
+🔑 2. Generate an age Keypair
+
+age-keygen -o secrets/age.key
+
+This will output something like:
+
+# created: 2025-06-02T22:00:00Z
+# public key: age1abcdefghijk...
+
+Copy that public key somewhere — you’ll need it for encrypting.
+
+✅ You should now have:
+
+secrets/
+├── age.key        # keep this safe and private!
+
+📝 3. Create Encrypted Secrets File
+
+sops --age age1abcdefghijk... secrets/secrets.yaml
+
+This opens a YAML file in your $EDITOR. Add secrets like:
+
+forgejo-admin-password: "my-super-secret-password"
+
+Save and close the file — it’s now encrypted using the public key.
+
+✅ Now you should have:
+
+secrets/
+├── age.key
+├── secrets.yaml   # encrypted file (safe to commit)
+
+You can commit secrets.yaml, but do not commit age.key unless you're OK with putting it on a VM.
+
+
+🧪 Test Decryption Locally
+
+export SOPS_AGE_KEY_FILE=secrets/age.key
+
+To test:
+
+sops -d secrets/secrets.yaml
+
+To edit:
+
+sops secrets/secrets.yaml
+
+
+
+[plasmagoat@forgejo:~]$ sudo chmod 400 /etc/sops/age.key && sudo chown root:root /etc/sops/age.key

nixos/secrets/secrets.yaml

@@ -0,0 +1,27 @@
+forgejo-admin-password: ENC[AES256_GCM,data:cLC4JQC8PMF4/aeVBzOROupPLzd7TbYwvudr7yVx4YpLCGSmYXRwJQAoXg==,iv:tG2kL66ZshwZkJodZQ5K8SZKfG1eJYeX9eYsZ7yM7rA=,tag:0roW0M9eUmzejkH6pwN/IA==,type:str]
+forgejo-db-password: ENC[AES256_GCM,data:0KZJHmNuxpO8TmLNuryipICPTjG9h56+II1Azk+v3fkE5MAb9g==,iv:zb14BvbC2OehCYATgMMoPXv742jjD4v0B12cVhNCWBw=,tag:pnrboj5IvwXYXaZJbZpxTQ==,type:str]
+hello: ENC[AES256_GCM,data:XkOLnE2Mkunc0zNF1932jOuz1olAwWf56lkqL2dt+h99WoL/vNLfSQ0al8NfEA==,iv:WC2xbB9WmB/khOVjdClFerJ8kjtHjaR/p6rDYaaDZhY=,tag:tT92FNrRm74XoZxoFFXm5g==,type:str]
+example_key: ENC[AES256_GCM,data:kBk87OXu+qfJjP/2EA==,iv:64WcHaVfQrVCouUCZoHk0z/4ii8U9m61/E9SqLeB3Ms=,tag:MZJ6m7m4+s6BNGhtNs+ZFQ==,type:str]
+#ENC[AES256_GCM,data:lM4LNQNU2S66a73pUymyUA==,iv:pAHgR+ViSO3Ff2zSaZQcXNGb2r2KH+ZbRd33vpq8ncs=,tag:WTNQCjaESLXTXwcwZePU2A==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:Sc1q0Yd3sQ6eOzSwfQA=,iv:L4YBbWWeQZAYROHpiNEtHLDCdcuW+vvEpYhGxD0b62g=,tag:82L6MlHWIMpxKb4B3+Lszg==,type:str]
+    - ENC[AES256_GCM,data:Ud9dpSAcHc8NOq48wQI=,iv:9ERTBUQqKHPUIG57KXbRPMXN37cx+WcxOCDxCWpbE1k=,tag:ftTGF/obIJVZSTodIGoABw==,type:str]
+example_number: ENC[AES256_GCM,data:1Xvp578L4rjW6g==,iv:82z/MQM586y4WilPZgmisa2C7GTdG0vmIEkyx/aMCXw=,tag:UtNDNKbu0tuhSyu1OQiJJA==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:RkxG/g==,iv:RNZpV/1KRWOazIuHj+SH7r3AmwnRBIUgXgfDplrk5X0=,tag:cKv0dVJGQcluscNspIrPgg==,type:bool]
+    - ENC[AES256_GCM,data:PvghSeY=,iv:xPlMb1LMsg5gAWsCXT3UnMyOfQmSKDKdDrjt+n9+Nqs=,tag:B2aROAGdcupDmoOHAiXeTg==,type:bool]
+sops:
+    age:
+        - recipient: age1n20y9kmdh324m3tkclvhmyuc7c8hk4w84zsal725adahwl8nzq0s04aq4y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVElvVXluZCsxK1BiT3c2
+            Zm9kaURNdnZ2Nk9EM0dld2tjdFhrZlFiSEVnCk8zZVpWWlFXS3JYS0Q2WHExLzFU
+            WkFwcDFmR3VrdHFmS2JmVC95TnZIMjQKLS0tIGsyVmp1Sm1uL3FKVWlERUZHdmVw
+            TG9HYXdUdlZNYXJUZng2ejBwbjJoNVkK0ER6mqLdz0hEaovWME4p56tjuYbPIuhb
+            X1smwLmHxgcRboeFU5dyp3wZKBg7ccRPneQKsgJvYb929BesynHr6g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-03T16:03:32Z"
+    mac: ENC[AES256_GCM,data:mLCtH1EPm1cD7KD/fCVO0hrIfG6AOl396kcwdahyr326IRvTneT+6lr+f0XAHSkPXtRsmSCiD9WNhLYAh/kCfsP7tVPKl4X17OHkK9blUJ5JpuqnZJfOQ3PXNitYFvcSUUi1Y1/vIQmDf52oTPlcZgxmTgsQj4MEJIIni7d0SOc=,iv:MhAJ0QAdyHv8BzHIBQ/lZ7zV/MKjcsicbBOw9kwo7Nc=,tag:qrfTfCPxAMvXOm69BMWJ4g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

nixos/secrets/sops.nix

@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age.keyFile = "/etc/sops/age.key";
+    #secrets."forgejo-admin-password".owner = "forgejo";
+  };
+}