From 521f4ee5bc1af03496a9c56a1e5d4806dffc79fc Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 18 Sep 2023 23:07:03 +0200
Subject: [PATCH] secrets sops: deploy age key
---
 nixosModules/clanCore/secrets/sops.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/nixosModules/clanCore/secrets/sops.nix b/nixosModules/clanCore/secrets/sops.nix
index 25d0af6..b67f0a2 100644
--- a/nixosModules/clanCore/secrets/sops.nix
+++ b/nixosModules/clanCore/secrets/sops.nix
@@ -66,7 +66,14 @@ in
 '') "" config.clanCore.secrets}
 '';
 system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
- echo upload is not needed for sops secret store, since the secrets are part of the flake
+ #!/bin/sh
+ set -efu
+
+ tmp_dir=$(mktemp -dt populate-pass.XXXXXXXX)
+ trap "rm -rf $tmp_dir" EXIT
+ clan secrets get ${config.clanCore.machineName}-age.key > "$tmp_dir/key.txt"
+
+ cat "$tmp_dir/key.txt" | ssh ${config.clan.networking.deploymentAddress} 'mkdir -p "$(dirname ${lib.escapeShellArg config.sops.age.keyFile})"; cat > ${lib.escapeShellArg config.sops.age.keyFile}'
 '';
 sops.secrets = builtins.mapAttrs (name: _: {
@@ -76,5 +83,6 @@ in
 secrets;
 # To get proper error messages about missing secrets we need a dummy secret file that is always present
 sops.defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" "")));
+ sops.age.keyFile = lib.mkDefault "/var/lib/sops-nix/key.txt";
 };
 }
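Review bot: The remote `cat > …keyFile` in the added upload-secrets script creates the age private key with the target shell's default umask, so on a typical umask of 022 the key is written world-readable and stays that way until something else tightens it; prepend `umask 077;` to the remote command, i.e. `'umask 077; mkdir -p "$(dirname …)"; cat > …'`. The two `lib.escapeShellArg` calls sit inside that hand-written single-quoted remote command, so any single quotes they emit are consumed by the local shell and the path reaches the remote shell unquoted — fine for the default `/var/lib/sops-nix/key.txt`, but a path with a space or quote would break; building the whole remote command string in Nix and passing it through a single outer `lib.escapeShellArg` keeps the inner escaping effective. Minor: `trap "rm -rf $tmp_dir" EXIT` expands `$tmp_dir` at definition time and relies on it containing no shell metacharacters, `trap 'rm -rf "$tmp_dir"' EXIT` is the safer form, the `cat file | ssh` can be `ssh … < "$tmp_dir/key.txt"`, and the `populate-pass.XXXXXXXX` template name reads as copied from the pass backend rather than describing this sops script.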