feat: add sops, gpg agent, yubikey tools

.sops.yaml

@@ -0,0 +1,8 @@
+keys:
+  - &luca age1qu9y0dn5a704dggwmpaaurxqrhxm0qn8czgv5phka56y48sw7u8qkyn637
+
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *luca

nix/flake.lock

@@ -76,6 +76,38 @@
         "type": "github"
       }
     },
+    "flake-compat_2": {
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "revCount": 57,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -97,6 +129,21 @@
         "type": "github"
       }
     },
+    "nix-filter": {
+      "locked": {
+        "lastModified": 1731533336,
+        "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=",
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "rev": "f7653272fd234696ae94229839a99b73c9ab7de0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "type": "github"
+      }
+    },
     "nixos-wsl": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -156,7 +203,8 @@
         "nixos-wsl": "nixos-wsl",
         "nixpkgs": "nixpkgs_2",
         "sops-nix": "sops-nix",
-        "status-bar": "status-bar"
+        "status-bar": "status-bar",
+        "winapps": "winapps"
       }
     },
     "sops-nix": {
@@ -195,6 +243,44 @@
         "type": "path"
       },
       "parent": []
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "winapps": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "flake-utils": "flake-utils",
+        "nix-filter": "nix-filter",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756049206,
+        "narHash": "sha256-H1CB1nXPlwDL4VNGjR2+ovBwPdXPHe3xRc20d3VkPNU=",
+        "owner": "winapps-org",
+        "repo": "winapps",
+        "rev": "09288b135eee8ab8ca08d6170441c4c9b3d457b7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "winapps-org",
+        "repo": "winapps",
+        "type": "github"
+      }
     }
   },
   "root": "root",

nix/hosts/usahara/configuration.nix

@@ -54,7 +54,10 @@
 
   users.users.luca = {
     isNormalUser = true;
-    extraGroups = [ "wheel" ];
+    extraGroups = [
+      "wheel"
+      "docker"
+    ];
     packages = with pkgs; [
       tree
     ];

nix/modules/commonPackages.nix

@@ -56,11 +56,26 @@
       openssl
       gnupg
       nixd
+      sops
+      yubikey-personalization
+      yubikey-manager
+      gnupg
+      (pass.withExtensions (exts: with exts; [ pass-import ]))
     ];
     programs.nix-ld.enable = lib.mkDefault true;
     programs.zsh.enable = lib.mkDefault true;
     services.openssh.enable = lib.mkDefault true;
     hardware.enableAllFirmware = true;
+    sops.defaultSopsFile = ../../secrets/sops.yaml;
+    sops.age.sshKeyPaths = [ "/etc/ssh/id_ed25519" ];
+    sops.secrets.win_pw = { };
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+      pinentryPackage = pkgs.pinentry-gtk2;
+    };
+    services.pcscd.enable = true;
+    services.udev.packages = with pkgs; [ yubikey-personalization ];
 
     programs.neovim = lib.mkDefault {
       enable = true;

nix/modules/desktop.nix

@@ -50,7 +50,16 @@
       htop
       lm_sensors
       fanctl
+      libnotify
     ];
+    boot.kernelModules = [
+      "iptables"
+      "iptable_nat"
+    ];
+    virtualisation.docker = {
+      enable = true;
+      rootless.enable = true;
+    };
     programs.hyprland = {
       enable = true;
       withUWSM = true;

secrets/sops.yaml

@@ -0,0 +1,16 @@
+win_pw: ENC[AES256_GCM,data:TGsPs+6wFQ==,iv:7KTF9YuPGDRJE3zcZgt6WJVIKEOp1DkOckP6QY4c9Rk=,tag:kVzkKEuSoP3vEakQT46/aQ==,type:str]
+sops:
+    age:
+        - recipient: age1qu9y0dn5a704dggwmpaaurxqrhxm0qn8czgv5phka56y48sw7u8qkyn637
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReVNmSm82KzF1dHYrWlRj
+            ZnRLMU4yK2ZBQ0huRmNPL3NZV05lWXBaVG1vCm5vcFJOQ3hUeUMzUTI2TDd2TUJq
+            NGdVbEtncTdWczVjWWxWNFh2Z3g4Q28KLS0tIFBkUnlTdEZNZkszQi9yQTg5K0hl
+            RmQzN1Y2SUVlT1pGYXV0SW1vb0dHNDgKWchy7XFkxpGuhly4ZefRFZc6+oqcWJzI
+            HJqnVLiGI6jSKOXT7WV1d+g0Qt4zHGe9tquHxi4BNdxu81lNPVE3iQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-26T05:15:00Z"
+    mac: ENC[AES256_GCM,data:670OWObSti3BN4AigbDcRvwud/JH/lUzQeWnUXgaST//FIfX6fY293AN0GJ2+3+C+K4Jd80QYh0DThaagMeTBw9/uJTQ10sER7MeknlWzOxmBEBl0fbvHn/t5v6H1yZ4XtcNV8p3RSiSC93k3z2tI4ERLsDzqBGyzkHXZGww4hc=,iv:oq4DxQWzPb80XiCD2WYaRDkqHNeBNUDiKWEMzQSDD/w=,tag:jT3JFUcC8DmHCh4Y6L++Vg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2