From c3f13735c92bb889c81fab5ed5862e3bcfc35022 Mon Sep 17 00:00:00 2001
From: foglar
Date: Sat, 11 Jan 2025 23:02:22 +0100
Subject: [PATCH] sops update

---
 TODO.md | 1 +
 nixos/system/packages.nix | 2 ++
 .../system/packages/sops/secrets/secrets.yaml | 6 ++---
 nixos/system/packages/sops/sops.nix | 26 ++++++++++++-------
 4 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/TODO.md b/TODO.md
index 60a3b02..7aef92d 100644
--- a/TODO.md
+++ b/TODO.md
@@ -37,6 +37,7 @@
 - [ ] add notification management for bluetooth etc...
 - [ ] add syncthing configuration
 - [ ] qutebrowser configuration
+- [ ] script dir set environment variable
 - [ ] update my home page and create new web
 - [ ] fix kde theme in stylix
diff --git a/nixos/system/packages.nix b/nixos/system/packages.nix
index 7f00b94..47e7471 100644
--- a/nixos/system/packages.nix
+++ b/nixos/system/packages.nix
@@ -8,6 +8,7 @@
 ./packages/yubikey.nix
 ./packages/sops/sops.nix
 ./packages/ssh-client.nix
+ ./packages/syncthing.nix
 ];
 
 program = {
@@ -24,6 +25,7 @@
 notify = lib.mkDefault false;
 };
 ssh.client.enable = lib.mkDefault true;
+ syncthing.enable = lib.mkDefault true;
 };
 sys.desktop.steamdeck.enable = lib.mkDefault false;
 sys.security.sops.enable = lib.mkDefault true;
diff --git a/nixos/system/packages/sops/secrets/secrets.yaml b/nixos/system/packages/sops/secrets/secrets.yaml
index 0813856..52555f1 100644
--- a/nixos/system/packages/sops/secrets/secrets.yaml
+++ b/nixos/system/packages/sops/secrets/secrets.yaml
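Review bot: `./packages/syncthing.nix` is added to `imports`, but no such file is part of this patch (the diffstat lists only TODO.md, packages.nix, secrets.yaml and sops.nix), so unless it already exists in the tree evaluation will fail on the missing path and the `program.syncthing.enable` option set in the second hunk has no definition. If the module is new it needs to be committed together with this change; if it already exists, a comment next to the import such as `# defines program.syncthing.* and wires services.syncthing` would tell readers where the option comes from. Note also that `syncthing.enable = lib.mkDefault true;` turns a network-facing sync daemon on for every host that imports this file, which is presumably intended but worth stating in a comment.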
@@ -1,6 +1,6 @@
 kogami:
 password-hash: ENC[AES256_GCM,data:HXuzumA7zAzBUcOBszeslYVDLA7r3W7gINn2FvMCTEHkc+y3zWftK4CVnk+TuRcgP9/htUphs2BmusogFAdmRQ3HmQU8WGQN0A==,iv:n2063dWbEmFKEvXbY2uk+C6lwF7WzA8jalKOFHPVICc=,tag:wb5bq4Dk3a9UnzYFBInHEA==,type:str]
- syncthing: ENC[AES256_GCM,data:699bwajY9/0=,iv:YXmw613vRfWlbjiex6LfACZD+otES3E6Mm0e+66dfA8=,tag:H3QCsg0VvZpxkhWKyGH8Gg==,type:str]
+ syncthing: ENC[AES256_GCM,data:ero9yQ==,iv:lPpT2WMB9BVb1o8VL0X9hDtzCZv76fLIZh7+5Tkv+Ik=,tag:SVLwrE9MK+nSpJVvEEaByw==,type:str]
 ginoza:
 password-hash: ENC[AES256_GCM,data:xqE0y3Z7+kasYFQLn4Wuo+/c9L8BEakf2HKgN5BsttC2iDuzYSvXrP8K6pe5Skdi5Aq0MVz9LixJFM3PBgLORL1C6k0iDSardw==,iv:bKL40h0rGNmnnkA7EieKAD5KyENXOiTNsTVH1V0B7HU=,tag:c1MsRuiOK/j2b0iKOyO8FQ==,type:str]
 yubikey_id: ENC[AES256_GCM,data:ZyamX5gxoW4=,iv:4tW7muk6AaJf9VmXmFd6Ut63U27fFD8QgYSBx3RgOfw=,tag:IFlSiOffMyc33Rw1gxwCPA==,type:int]
@@ -22,8 +22,8 @@ sops:
 T0cxV21SN0hJaFg3R3hpTjIxa3lJNVEKdIrR5XDHxpCojk2A1pxc4dYtSJRrObbY
 JS/nDgu74LugEchiOhuIJ7nh3MS5XBOmmt2GTHrqxZEZFoIykjIGug==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-01-07T17:20:45Z"
- mac: ENC[AES256_GCM,data:oENblUlcgDrZaNV2/XggaPoGavqHBXv4i3DpcfFFKiymifmITHj5m6HflVePDqtkBceTnMyCNCzQ6Ijmrt8Xkr4wbEQpoLhjyfWW/4QOlKjT3GAxfWEth7uzCHxuqd24aHs1jRyphua7bgbVLLuI0khHiL5s8b+9wkkTmV9Y3WE=,iv:eDglG+RMUagzE0qVi73dGXMerup8ipg/rFxV+qJfNXM=,tag:wZyMqxZLUh4B6JuQL4GXFA==,type:str]
+ lastmodified: "2025-01-07T17:58:06Z"
+ mac: ENC[AES256_GCM,data:SnuO2BSpo3Zs0FatGLC3pT9X92/CUB/D7UE0X7FkK/CLXFMZFT1FRS7Ru+FgHXzCnQIUDtVNdJDOkatt0CdgjMKPxNXSOZRSv4A1NCGhzVDGX9/BjLYmdTWlJ2KEbirvPTi8SffIJt2YkaAqhBvRo9EByAZV/AnokA/Oi9xdO0I=,iv:qEXAbN6388LWUnEx/L6Rgzrnxis3KT2gB0AI9raGWJA=,tag:9oLpm5TgGIxPev12PTTb+g==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.2
diff --git a/nixos/system/packages/sops/sops.nix b/nixos/system/packages/sops/sops.nix
index c212997..088477a 100644
--- a/nixos/system/packages/sops/sops.nix
+++ b/nixos/system/packages/sops/sops.nix
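Review bot: The new `syncthing` ciphertext `data:ero9yQ==` decodes to 4 bytes, and AES-256-GCM is length-preserving, so the encrypted value is a 4-character string (the previous `data:699bwajY9/0=` was 8 bytes); sops protects the content of a value but not its length. If this is the Syncthing GUI password that sops.nix in this same patch assigns to `services.syncthing.settings.gui.password`, a 4-character password offers essentially no protection for a web UI, and the length of every secret in this file is readable by anyone with access to the repository. A long random value here (and a rotation, since the earlier 8-byte value remains in git history) would address both points without changing the file format.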
@@ -14,6 +14,7 @@ defaultSopsFormat = "yaml"; age.keyFile = "/home/${userSettings.username}/.config/sops/age/keys.txt"; + age.generateKey = true; # SSH private keys secrets = { @@ -32,24 +33,31 @@ group = "users"; }; - templates = { - "${userSettings.hostname}/syncthing".content = ''${config.sops.placeholder."${userSettings.hostname}/syncthing"}''; + "yubikey_id" = { + owner = userSettings.username; + group = "users"; }; }; + + templates = { + "syncthing-password".content = ''${config.sops.placeholder."${userSettings.hostname}/syncthing"}''; + "yubikey-id".content = ''${config.sops.placeholder.yubikey_id}''; + }; }; # Password hash users.users.${userSettings.username}.hashedPasswordFile = "${config.sops.secrets."${userSettings.hostname}/password-hash".path}"; # YubiKey IDs - security.pam.yubico.id = [17032113]; - #++ ( - # if config.program.yubikey.enable - # then ["${config.sops.secrets.yubikey_id}".value] - # else [] - #); + security.pam.yubico.id = + [] + ++ ( + if config.program.yubikey.enable + then [config.sops.templates."yubikey-id".content] + else [] + ); # Syncthing password - #services.syncthing.settings.gui.password = config.sops.templates."${userSettings.hostname}/syncthing".content; + services.syncthing.settings.gui.password = config.sops.templates."syncthing-password".content; }; }
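Review bot: `age.generateKey = true;` together with the existing `age.keyFile` under `/home/${userSettings.username}/.config/sops/age/keys.txt` means that on a host where the file is missing, activation will mint a fresh age key whose public half is not a recipient of secrets.yaml, so decryption still fails, only later and less visibly; and the key that decrypts every entry in that file (the patch shows password hashes for both `kogami` and `ginoza` in it) lives in a user-writable home directory, readable by any process running as that user. Unless a generated key is deliberately meant to be added to `.sops.yaml` followed by a re-key of the file, I would keep generation off (`age.generateKey = false;`) and move the key to a root-owned location such as `/var/lib/sops-nix/key.txt`, or derive it from the host SSH key via `age.sshKeyPaths`. At minimum the provisioning step should be documented next to `age.keyFile`, e.g. `# keys.txt is provisioned out-of-band; its public key must be listed as a recipient in .sops.yaml`. The enclosing `sops` attribute set starts before this hunk.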
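Review bot: `config.sops.templates.<name>.content` is the unrendered template text containing the `<SOPS:…:PLACEHOLDER>` token, not the decrypted secret; as far as sops-nix's template mechanism goes, placeholders are only substituted when the rendered file is written to `config.sops.templates.<name>.path` during activation. As written, `security.pam.yubico.id` will hold the placeholder string so no YubiKey can ever match, and `services.syncthing.settings.gui.password` becomes the placeholder, a value derived from the secret name and therefore guessable by anyone who reads this repository. Neither option can read a file at runtime, so the fix is structural: feed the rendered `.path` to something that runs after the secrets exist (for Syncthing, a post-start script that sets the GUI password through its REST API), and for PAM note that the YubiKey public ID is printed in every OTP and can reasonably remain a literal with a comment saying why it is not treated as a secret. Separately, `[] ++ (if … then [x] else [])` is just `lib.optional config.program.yubikey.enable x`. The enclosing module attribute set starts before this hunk.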