authorvkcku <[email protected]>2026-06-01 12:28:47 +0530
committervkcku <[email protected]>2026-06-01 12:28:47 +0530
commit7af1f6a0b34841cb50fa581caf03614a9863c55e (patch)
treeab5f4b1373b4aba5b0be7651f153400db6162025
parentinfra: add impermanence to base module (diff)
infra: add secrets management to base module
monorepo-revid: 1a906a2a1a486db986b9daaa632328579da32522
-rw-r--r--flake.lock21
-rw-r--r--flake.nix9
-rw-r--r--infra/.sops.yaml10
-rw-r--r--infra/modules/base/secrets.nix28
-rw-r--r--infra/modules/base/secrets.yaml19
-rw-r--r--infra/nix/_treefmt.nix4
-rw-r--r--infra/nix/devshell.nix7
7 files changed, 95 insertions, 3 deletions
diff --git a/flake.lock b/flake.lock
index e78f754..fa94d59 100644
--- a/flake.lock
+++ b/flake.lock
@@ -110,9 +110,30 @@
"impermanence": "impermanence",
"import-tree": "import-tree",
"nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix",
"treefmt-nix": "treefmt-nix"
}
},
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1777944972,
+ "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
"treefmt-nix": {
"inputs": {
"nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 4a8daec..6c0c3bd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,16 +10,21 @@
inputs.nixpkgs.follows = "nixpkgs";
};
+ flake-parts.url = "github:hercules-ci/flake-parts";
+
impermanence = {
url = "github:nix-community/impermanence";
inputs.nixpkgs.follows = "";
inputs.home-manager.follows = "";
};
- flake-parts.url = "github:hercules-ci/flake-parts";
-
import-tree.url = "github:denful/import-tree";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
diff --git a/infra/.sops.yaml b/infra/.sops.yaml
new file mode 100644
index 0000000..b2bed47
--- /dev/null
+++ b/infra/.sops.yaml
@@ -0,0 +1,10 @@
+---
+keys:
+ - &users '':
+ - &vkcku "age1jtl0m9t7rtfmh674zres8pecmcugv7yxamv8hkvlf3tk2g8p25nsnccslh"
+
+creation_rules:
+ - path_regex: modules/base/secrets.yaml
+ key_groups:
+ - age:
+ - *vkcku
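Review bot: The only recipient in `creation_rules` is `*vkcku`, the developer's personal age key, while infra/modules/base/secrets.nix points `sops.age.sshKeyPaths` at the host's `ssh_host_ed25519_key` and the encrypted infra/modules/base/secrets.yaml in this commit lists that same single recipient; unless the host's SSH-derived age key happens to equal `age1jtl0…`, the real host cannot decrypt the file at activation and the `neededForUsers` secret the nix comment mentions would fail outside the VM path. Each deployment target's derived age public key should be declared under `keys:` and listed as an additional recipient under `age:` (then the file re-encrypted with `sops updatekeys`), e.g. `- *vkcku` followed by `- *indra`. Separately, `- &users '':` anchors a mapping with an empty-string key and the `&users` anchor is never referenced; a plain `# users` comment above the key entries would express the grouping without the odd YAML.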
diff --git a/infra/modules/base/secrets.nix b/infra/modules/base/secrets.nix
new file mode 100644
index 0000000..3f81ea7
--- /dev/null
+++ b/infra/modules/base/secrets.nix
@@ -0,0 +1,28 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.base =
+ { config, lib, ... }:
+ {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ # Cannot use `/etc/host/` directly because then it will not load
+ # the secrets that are marked `neededForUsers` correctly.
+ age.sshKeyPaths = [ "${config.infra.persist.dir}/etc/ssh/ssh_host_ed25519_key" ];
+ };
+
+ virtualisation.vmVariant = {
+ # Use the age key from the host (my development machine) to decrypt
+ # in the VMs.
+ #
+ # TODO: Rework this to use the host SSH key instead.
+ virtualisation.sharedDirectories.host-age = {
+ source = "/home/vkcku/.config/sops/age";
+ target = "/run/sops/age";
+ };
+
+ sops.age.keyFile = lib.mkForce "/run/sops/age/keys.txt";
+ };
+ };
+}
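Review bot: The comment above `age.sshKeyPaths` says `/etc/host/`, which matches nothing in the path used; presumably `/etc/ssh/` was meant, and the comment should state the reason the persisted path is required if that is known (for example `# Read the host key from the persist dir rather than /etc/ssh/: the bind mount is not yet in place when neededForUsers secrets are decrypted, so sops-nix would not find it there` — confirm that this is the actual cause). In `vmVariant`, `sharedDirectories.host-age` exports the developer's entire `/home/vkcku/.config/sops/age` directory into every VM, so each VM image and snapshot carries the primary private key used for all secrets; sharing a dedicated VM-only identity file (a separate age key added as an extra recipient) would limit what a compromised or copied VM can decrypt, and the hard-coded home path is worth lifting into an option so the module is not tied to one machine. The existing TODO covers the longer-term switch to host SSH keys, so this is about narrowing exposure in the interim.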
diff --git a/infra/modules/base/secrets.yaml b/infra/modules/base/secrets.yaml
new file mode 100644
index 0000000..361d835
--- /dev/null
+++ b/infra/modules/base/secrets.yaml
@@ -0,0 +1,19 @@
+hosts:
+ indra:
+ users:
+ vkcku: ENC[AES256_GCM,data:/R5i0zj4MbI1fhKLFZqQ1w34JzYE7i4BK/9HzFxdXh3gnZgrMDRPfDF0r++zmsEVhwwQLVqKFM5qo56rzJ5lWOrWE3HpLXXrhjuRyBjNTXRpGYhrjHJozcQZahM2zvb8lUevjGe8WNFS2Q==,iv:ggibCGPV0mQJ8Ds4mTX79fGl0PIwB+TGf1NP4pFHiGM=,tag:8gOR8HGwL5sd7zykAb04mQ==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYm1CTHQyckhYK3Uxa0Za
+ U3gvSUdHcktKRWxtKzJpZWVuOGhtalVBVEVrCjN5UTl1VmdxQ1lEWW9OWDhab1R6
+ aDlER1UwbUZWWFgvMmVMVE5NWW9mYkEKLS0tIDY4RWE3SnVnL3Q1UVM5UzdNUGpx
+ NEYxZzlyRm12RmM3aUV6RjZqRnNmYjAKNoAUckfpEmBeP37W2TBhRITo0v1uFQGt
+ X1SHrCHKm6P6QD5Nminy6tVZWP1BpGC+jcXas2lWq6URovNdMKSdPg==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1jtl0m9t7rtfmh674zres8pecmcugv7yxamv8hkvlf3tk2g8p25nsnccslh
+ lastmodified: "2026-06-01T06:57:19Z"
+ mac: ENC[AES256_GCM,data:DZig1NCkYssUXxrGmKau2BpRr4l/Sap2XwyMwwvoZGj6oedS1oQyQnxSc5nitkNCW7xlkk4OgUYPiHqtxeFVIQ5hnfHdR8+rlkD64RcsPVWq+oyiTe8toWXbzpa9mHG6+XQp3iPybMVHfFrdRP0IZ6hNvbSS54ejH8CFDfZ9pYY=,iv:A1xBgPxWQrlmChD7qF/TpwknrjckuI6Fd/0pgHdM2+g=,tag:WK5kHak7ClTetpwqmollog==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.1
diff --git a/infra/nix/_treefmt.nix b/infra/nix/_treefmt.nix
index 2814c0a..1987229 100644
--- a/infra/nix/_treefmt.nix
+++ b/infra/nix/_treefmt.nix
@@ -2,6 +2,10 @@
let
conf = {
imports = [ ../../root/nix/_treefmt-base.nix ];
+
+ settings.excludes = [
+ "modules/base/secrets.yaml"
+ ];
};
in
treefmt-nix.lib.mkWrapper pkgs conf
diff --git a/infra/nix/devshell.nix b/infra/nix/devshell.nix
index 676f663..a09bb0c 100644
--- a/infra/nix/devshell.nix
+++ b/infra/nix/devshell.nix
@@ -9,7 +9,12 @@
in
pkgs.mkShellNoCC {
inputsFrom = [ self.devShells."${system}".common ];
- packages = [ treefmt ];
+ packages = [
+ # keep-sorted start
+ pkgs.sops
+ treefmt
+ # keep-sorted end
+ ];
};
};
}