From 5dcb85e56d222028e203f37b2981722def770ef2 Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Tue, 17 Mar 2026 19:34:10 +0100
Subject: [PATCH] Add sops-nix for secrets management

- Add flake.nix with sops-nix input
- Configure sops with age key encryption
- Add .sops.yaml template for age key configuration
- Create secrets/ directory for encrypted secrets
- Add .gitignore for age keys and nix result symlinks

Co-Authored-By: Claude Opus 4.6
---
 .gitignore | 7 +++++++
 .sops.yaml | 10 ++++++++++
 configuration.nix | 9 +++++++++
 flake.nix | 19 +++++++++++++++++++
 secrets/.gitkeep | 0
 5 files changed, 45 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .sops.yaml
 create mode 100644 flake.nix
 create mode 100644 secrets/.gitkeep

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..dee8397
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+# Age keys (never commit these)
+*.key
+key.txt
+
+# Result symlinks
+result
+result-*
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..f834274
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ # Replace with your age public key (from age-keygen)
+ # Example: age1qyqszq...
+ - &vps age1__REPLACE_WITH_YOUR_AGE_PUBLIC_KEY__
+
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *vps
diff --git a/configuration.nix b/configuration.nix
index cc9e60f..dfb97c8 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -39,6 +39,15 @@
 # === Sudo without password for wheel group ===
 security.sudo.wheelNeedsPassword = false;
 
+ # === SOPS (Secrets Management) ===
+ sops = {
+ defaultSopsFile = ./secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.keyFile = "/var/lib/sops-nix/key.txt";
+ # Generate with: nix-shell -p age --run "age-keygen -o key.txt"
+ # Then add the public key to .sops.yaml
+ };
+
 # === Automatic Updates ===
 system.autoUpgrade = {
 enable = true;
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..b75008f
--- /dev/null
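Review bot: `key.txt` on the third added line only covers the exact filename that the comment in configuration.nix uses, whereas sops's own default age key file is named `keys.txt` (under `~/.config/sops/age/`) and age-keygen writes whatever name is passed to `-o`, so a private key that an operator drops into this checkout under either of those names would still be committable. Add `keys.txt` next to `key.txt`, and consider a comment stating that only encrypted `secrets/*.yaml` files are meant to be tracked, since .gitignore cannot distinguish an encrypted from a plaintext file of that name.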
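Review bot: The only recipient in the key group (the `&vps` anchor on the fourth added line, reused under `age:` on the last) is the host key whose private half is meant to live at `/var/lib/sops-nix/key.txt` on the VPS, so the workstation that runs sops to create or edit `secrets/secrets.yaml` cannot decrypt the file afterwards unless that same private key is also copied off the host, which defeats a host-bound key. Add a second anchor for the administrator's own age public key and list both under `age:`, so each party holds only its own private key; `sops updatekeys` re-encrypts existing files when the recipient list changes. The placeholder `age1__REPLACE_WITH_YOUR_AGE_PUBLIC_KEY__` is not a valid recipient, so sops will refuse to encrypt until it is replaced, which the comment above it should say outright. `path_regex` appears to be matched unanchored, so `secrets/[^/]+\.yaml$` also matches a `secrets/` directory nested deeper in the tree; `^secrets/[^/]+\.yaml$` limits the rule to the intended directory.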
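Review bot: `defaultSopsFile = ./secrets/secrets.yaml;` names a file this commit does not create (only `secrets/.gitkeep` is added), and because the configuration is now consumed through a flake only git-tracked files are copied into the store, so an untracked `secrets/secrets.yaml` on disk stays invisible at evaluation time and any later `sops.secrets.<name>` declaration would fail on the missing file. A comment next to the option should say that the encrypted file has to be committed, e.g. `# secrets.yaml must be git-tracked: flakes only see tracked files`. The comment `# Generate with: nix-shell -p age --run "age-keygen -o key.txt"` produces the key in the current directory, but `age.keyFile` expects it at `/var/lib/sops-nix/key.txt` on the host, where it is read during activation to decrypt the secrets, so the comment should also state that the file must be moved there, root-owned and not group/world-readable (or point at `age.sshKeyPaths` if the host's SSH host key is to be used instead). The enclosing module attribute set starts and ends outside the hunk.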
+++ b/flake.nix
@@ -0,0 +1,19 @@
+{
+ description = "NixOS VPS configuration";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = { self, nixpkgs, sops-nix, ... }@inputs: {
+ nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./configuration.nix
+ sops-nix.nixosModules.sops
+ ];
+ };
+ };
+}
diff --git a/secrets/.gitkeep b/secrets/.gitkeep
new file mode 100644
index 0000000..e69de29
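Review bot: `sops-nix.url = "github:Mic92/sops-nix";` and the nixpkgs input are added without a `flake.lock` — the diffstat lists five files and none is the lock — so every fresh clone resolves both inputs to whatever the branch heads are at that moment, and the revision of the module that decrypts and installs the host's secrets is neither pinned nor reviewable. Run `nix flake lock` and commit the generated `flake.lock`, then bump it deliberately, so the sops-nix and nixpkgs revisions are fixed and a change to them shows up in review. As a style point, the `@inputs` binding on the `outputs` line is never used and can be dropped: `outputs = { self, nixpkgs, sops-nix, ... }: {`.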