From a45f5a4ccaadc3d21e01e0c1ab02f0c313879c91 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Mon, 23 Mar 2026 17:58:26 -0500
Subject: [PATCH] started soteria-specific secrets

---
 modules/hosts/soteria/secrets.yaml | 26 ++++++++++++++++++++
 modules/hosts/soteria/soteria.nix | 39 +++++++++++++++++-------------
 modules/nix-tools/rebuild.nix | 1 +
 modules/programs/sops.nix | 36 +++------------------------
 4 files changed, 53 insertions(+), 49 deletions(-)

diff --git a/modules/hosts/soteria/secrets.yaml b/modules/hosts/soteria/secrets.yaml
index e69de29..9287590 100644
--- a/modules/hosts/soteria/secrets.yaml
+++ b/modules/hosts/soteria/secrets.yaml
@@ -0,0 +1,26 @@
+janus:
+ admin_password: ENC[AES256_GCM,data:4pnSq0f1iTNFWn/Qcw+J7LWIXXd/j5v3WwFSzXfqgKA=,iv:/usSHYST8zv7AMvDNuW/fFLL+40IrderjL6bUWzBNd4=,tag:V/q1+SjIcYsZ0+PC/Q7c1A==,type:str]
+sops:
+ age:
+ - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0V1JsVDhnMHpaNHRQRCtw
+ V3JMQm1SREZSYUpaYmZNQ1FEVmN0VFZRSlQ0Ck9wQlpqZFBrRUJENWVBbTd5cVVo
+ ZlhYZnhGamk1ZlQ0N001ZWcrQ1Evb3cKLS0tIHpuTWhRTU1QeWFRUytiU21CMW94
+ eFc0ankvcWhqK3Q4MjRCVC9nTlJteU0K1tJvYM2M1XmlsCTpadHyf6EGE2Lg+XBL
+ TGTjMPSWqClWYB9HFZ4nCurEK/JidBanmGkc0Y9eFz9XYKl7rtyXUw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1h0prahyukq4l564yqwgcpg3g6gdrjflk0suklussjjrjstxd9uesws8633
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRzFlWTNxSGpaNU85QTFj
+ SnlRZkpZQTZQVjNqWFhLMHhKVm5ZVXB4Rms0CmZQclFzYkpWLzlqT2xNUTJMd2dJ
+ Wm5PQXNabjRwV1hVRXFGVmxteGk2emMKLS0tIG5kcm5KamxNZmpKVGt5bUo1dVg5
+ dFN2RGdqM29mM3hadXpBakY4QThxZnMKI9RbfXJHIHvYHy/2corfwDq+OHRPrmkA
+ tWLH/KWqwGt0hvc5j8bUfRECgjdXmbC9kpAgDs8PhJF+X1ijVFrIYg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-23T22:27:45Z"
+ mac: ENC[AES256_GCM,data:tQ8EMXWqw7wd/QZqUPn/sAczk0G4jSUR96AF83cmJGYuoZkMkOzsMFt448IkWxNWOJHPmIc0vs+c3ngQxHyx6Uf9jVWzMkvfdzMYj82QuLsmXQ9e4/IAE9h+52uagbwgoOJwPCF+AQetSHez/jWPPIQPN5DLfz0edg4xYReX7DA=,iv:GsvotFkehIz5L4I9j0oQ89oM5XjZQAr6vrVd79tqFes=,tag:wLi4sXz8JqvaoUaYjEj/vA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix
index b1a9b84..ab69c3e 100644
--- a/modules/hosts/soteria/soteria.nix
+++ b/modules/hosts/soteria/soteria.nix
@@ -27,6 +27,10 @@ in
 hostname = hostname;
 caURL = caURL;
 };
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets."janus/admin_password" = {
+ owner = "${hostname}";
+ };
 # mtls = {
 # enable = true;
 # subject = hostname;
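Review bot: `owner = "${hostname}"` on the new `sops.secrets."janus/admin_password"` entry hands the decrypted file to a user named after the host, not to the `${username}` account the rest of this file configures; unless a system user with the host's name exists, sops-nix's activation step should fail when it chowns the secret. If a janus service reads this password, the owner should be that service's user, e.g. `owner = "janus";`, and the `"${hostname}"` quoting around a plain variable is redundant either way. A one-line comment naming the consumer would help too, e.g. `# Read by the janus service from sops-nix's default path under /run/secrets.` (hedged: no consumer of the secret is visible in this hunk). The enclosing attribute set starts before the hunk.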
@@ -61,33 +65,34 @@ in
 # };
 home-manager.users."${username}" = {
- imports = with inputs.self.modules.homeManager; [
- sops
- step-ssh-user
+ imports = with inputs.self.modules; [
+ homeManager.sops
+ homeManager.step-ssh-user
+ homeManager"${hostname}"
 ];
- shell.program = "zsh";
 };
 }
 ];
 };
+ flake.modules.homeManager."${hostname}" = { config, ... }: {
+ imports = with inputs.self.modules.homeManager; [
+ rebuild
+ sops
+ mtls
+ ];
+
+ homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
+ home.username = "${username}";
+ home.homeDirectory = "/home/${username}";
+ shell.program = "zsh";
+ };
+
 flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
 pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
 modules = with inputs.self.modules; [
 homeManager."${username}"
- {
- imports = with inputs.self.modules.homeManager; [
- rebuild
- # sops
- # step-ssh-user
- # mtls
- # restic
- ];
-
- home.username = "${username}";
- home.homeDirectory = "/home/${username}";
- shell.program = "zsh";
- }
+ homeManager."${hostname}"
 ];
 };
 }
\ No newline at end of file
diff --git a/modules/nix-tools/rebuild.nix b/modules/nix-tools/rebuild.nix
index 66a0bdd..8ef00c5 100644
--- a/modules/nix-tools/rebuild.nix
+++ b/modules/nix-tools/rebuild.nix
@@ -32,6 +32,7 @@
 '')
 (writeShellScriptBin "nhms" ''
 HOSTNAME=$(hostname -s)
+ echo "Switching to the $HOSTNAME profile"
 ${lib.getExe home-manager} switch --impure --flake ${flakeDir}#$HOSTNAME
 '')
 (writeShellScriptBin "nhmu" ''
diff --git a/modules/programs/sops.nix b/modules/programs/sops.nix
index 6396200..8e5fb94 100644
--- a/modules/programs/sops.nix
+++ b/modules/programs/sops.nix
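Review bot: `homeManager"${hostname}"` in the new `home-manager.users."${username}".imports` list is missing the `.` that `homeManager.sops` two lines above and `homeManager."${hostname}"` at the end of the hunk both have; inside a Nix list literal this is not an attribute selection but two separate elements, the whole `homeManager` attrset and the bare string `"${hostname}"`, so this host's home-manager configuration should fail to evaluate. Change it to `homeManager."${hostname}"`. Separately, the new `flake.modules.homeManager."${hostname}"` module imports `sops` while the NixOS-managed user above also imports `homeManager.sops`; that looks harmless because the module's list-typed options merge, but one of the two imports is redundant and worth removing or commenting. The enclosing flake module begins before this hunk, and soteria.nix still ends without a trailing newline.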
@@ -11,15 +11,8 @@ in
 };
 flake.modules.nixos.sops = {
- imports = with inputs.sops-nix.nixosModules; [
- sops
- ];
-
- sops.defaultSopsFile = ../../keys/secrets.yaml;
- sops.secrets."test-nix/ssh_host_key" = {
- owner = "john";
- path = "/home/john/.ssh/host_key";
- };
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+ # sops.defaultSopsFile = ../../keys/secrets.yaml;
 };
 # Define the homeModules that are used by flake-parts
@@ -39,6 +32,7 @@ in
 sops # This is necessary to make the sops binary available
 ssh-to-age
 (writeShellScriptBin "gen-age-key" ''
+ mkdir -p "${config.xdg.configHome}/sops/age"
 ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.IdentityFile} -private-key > ${ageKeyFile}
 echo -n "Created ${ageKeyFile}: "
 echo $(show-age-key)
@@ -55,34 +49,12 @@ in
 inputs'.sops-nix.homeManagerModules.sops
 ];
- home.sessionVariables = {
- GMAIL_CREDS_PATH = "${config.xdg.configHome}/sops-nix/gmail_api_credentials.json";
- };
-
 # Option definitions for the sops home-manager module:
 # https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
 sops = {
- defaultSopsFile = sopsSecretsPath;
+ # defaultSopsFile = sopsSecretsPath;
 defaultSopsFormat = "yaml";
 age.sshKeyPaths = [ "${config.ssh.IdentityFile}" ];
-
- secrets."api/gmail_client_secret" = { };
- templates."gmail_creds" = {
- path = "${config.xdg.configHome}/sops-nix/gmail_api_credentials.json";
- content = ''
- {
- "installed": {
- "client_id": "499012320469-vtml6emu6bmujpsj9lud2b44jqu7h26j.apps.googleusercontent.com",
- "project_id": "python-apis-423500",
- "auth_uri": "https://accounts.google.com/o/oauth2/auth",
- "token_uri": "https://oauth2.googleapis.com/token",
- "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
- "client_secret": "${config.sops.placeholder."api/gmail_client_secret"}",
- "redirect_uris": [ "http://localhost" ]
- }
- }
- '';
- };
 };
 };
 }
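Review bot: The commented-out `# sops.defaultSopsFile = ../../keys/secrets.yaml;` left in `flake.modules.nixos.sops` is dead configuration that points at a path this commit stops using; replace it with a comment that states the new contract instead of a stale value, e.g. `# Hosts set sops.defaultSopsFile to their own secrets.yaml (see modules/hosts/<host>); this module only wires in sops-nix.`. That matters because a host which imports this module and declares a `sops.secrets` entry without setting `defaultSopsFile` or a per-secret `sopsFile` will fail at evaluation with `sops.defaultSopsFile` used but not defined, which nothing here documents. The `flake.modules.nixos.sops` set is complete within the hunk; the surrounding module continues outside it.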
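Review bot: The new `mkdir -p "${config.xdg.configHome}/sops/age"` creates the key directory with the user's default umask, and the redirect on the following line creates the age private key with that same umask (typically 0644), so the decryption identity is readable by other local users. Create the directory as `mkdir -p -m 700 "${config.xdg.configHome}/sops/age"` and write the key under a restrictive umask, e.g. `(umask 077; ${lib.getExe pkgs.ssh-to-age} -i "${config.ssh.IdentityFile}" -private-key > "${ageKeyFile}")`, which also quotes the two interpolated paths. This assumes `ageKeyFile`, bound outside the hunk, lives under that directory; if it does not, the mkdir target should be derived from the same binding so the two cannot drift. The `gen-age-key` script and its enclosing package list continue outside the hunk.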
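Review bot: `# defaultSopsFile = sopsSecretsPath;` is commented out in the home-manager `sops` block without saying what replaces it, and `sopsSecretsPath` (bound outside the hunk) is presumably unused after this change. As far as this diff shows, only the NixOS side of soteria gets a `defaultSopsFile` (in soteria.nix), while the new host home-manager module sets none, so any `sops.secrets` later declared for home-manager would hit an undefined `defaultSopsFile` at evaluation; either drop the commented line and the binding or turn it into a contract comment such as `# defaultSopsFile is set per host; secrets declared here without sopsFile will not evaluate.`. The `sops` block is complete within the hunk; the enclosing module definition starts before it.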