Initial guix-sops configuration

This allows us to deploy secrets without making them publicly accessible
in the store.

Author: jchristgit

.gitattributes

@@ -5,3 +5,4 @@ secret.yaml filter=git-crypt diff=git-crypt
 secret.yml filter=git-crypt diff=git-crypt
 ghcr-pull-secrets.yaml filter=git-crypt diff=git-crypt
 ssh-secrets.yaml filter=git-crypt diff=git-crypt
+guix/resources/age-key filter=git-crypt diff=git-crypt

guix/.sops.yaml

@@ -0,0 +1,10 @@
+keys:
+  - &user_pydis age1knt932vn0rgunzh9zzjs8cf7yjdx233gy2dt3w3uzm3apkp3g3qsralf2e
+  - &host_turing age1gtw67lnhtcxnut3dl2keqm684zxy27cydc42xj5fazaq56uclvrslf6vta
+
+creation_rules:
+  - path_regex: .*secrets\.yaml$
+    key_groups:
+      - age:
+        - *user_pydis
+        - *host_turing

guix/README.md

@@ -16,9 +16,39 @@ as a playground for ideas.
     --generate-key` as root.
   - This is needed for the remote Guix instance to accept packages we build
     locally.
+- `sops-guix` configured as a channel. For this, add:
+
+  ```scheme
+  (cons* (channel
+        (name 'sops-guix)
+        (url "https://github.com/fishinthecalculator/sops-guix.git")
+        (branch "main")
+        ;; Enable signature verification:
+        (introduction
+         (make-channel-introduction
+          "0bbaf1fdd25266c7df790f65640aaa01e6d2dbc9"
+          (openpgp-fingerprint
+           "8D10 60B9 6BB8 292E 829B  7249 AED4 1CC1 93B7 01E2"))))
+       %default-channels)
+  ```
+
+  to your `~/.config/guix/channels.scm`. After adding it, run `guix pull`.
+- [`sops`](https://github.com/getsops/sops) installed locally, along with
+  [`age`](https://github.com/FiloSottile/age).
+
+
+**Host prerequisites**
+
+One-time setup for Turing:
+
+- `sudo age-keygen -o /root/pydis.txt`
+
+Note down the public key and add it to `.sops.yaml`.
 
 **Testing**
 
+It is recommended to test building the image locally first to catch errors.
+
 ```sh
 # Note that you presently need to run this as root, see
 # https://codeberg.org/guix/guix/issues/4788

guix/machines/turing.scm

@@ -4,14 +4,17 @@
 (use-modules (gnu)
              (guix)
              (gnu packages databases)
+             (gnu packages golang-crypto)
              (gnu packages linux)
              (gnu packages tmux)
              (gnu packages vim)
              (gnu services admin)
              (gnu services certbot)
              (gnu services databases)
              (gnu services networking)
-             (gnu services web))
+             (gnu services web)
+             (sops secrets)
+             (sops services sops))
 (use-service-modules networking ssh)
 (use-package-modules bootloaders)
 
@@ -29,6 +32,8 @@
 
 (define %guix-dir (dirname (dirname (canonicalize-path (current-filename)))))
 
+(define %secrets-yaml (local-file (string-append %guix-dir "/secrets.yaml")))
+
 (define (resource path)
   (local-file (string-append %guix-dir "/resources/" path)))
 
@@ -119,6 +124,17 @@
 ;                                           (uri "/.well-known")
 ;                                           (body (list "root /var/www; "))))))))))
 ;
+                (service sops-secrets-service-type
+                         (sops-service-configuration
+                           (generate-key? #f)
+                           (secrets
+                             (list
+                               (sops-secret
+                                 (key '("good"))
+                                 (file %secrets-yaml)
+                                 (user "root")
+                                 (group "root")
+                                 (permissions #o400))))))
                 (service certbot-service-type
                          (certbot-configuration
                           (email "ops@owlcorp.uk")
@@ -171,7 +187,7 @@
                     (home-directory "/home/j")
                     (supplementary-groups '("wheel" "netdev" "audio" "video")))
                   %base-user-accounts))
-    (packages (cons* %base-packages))
+    (packages (cons* age %base-packages))
     (sudoers-file (plain-file "sudoers" "root ALL=(ALL) ALL
 %wheel ALL=NOPASSWD: ALL
 "))