From 3bdd7e1c502f714edd2810dd956ff69bae5385d3 Mon Sep 17 00:00:00 2001
From: Martin Pander
Date: Sat, 7 Feb 2026 16:11:52 +0100
Subject: [PATCH] Add secrets
---
nix/modules/home/secrets.nix | 1 -
nix/modules/nixos/secrets.nix | 7 ++-----
nix/secrets/.sops.yaml | 2 ++
nix/secrets/secrets.yaml | 26 +++++++++++++++++++++++++-
4 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/nix/modules/home/secrets.nix b/nix/modules/home/secrets.nix
index 6cc4675..9596ada 100644
--- a/nix/modules/home/secrets.nix
+++ b/nix/modules/home/secrets.nix
@@ -10,7 +10,6 @@ defaultSopsFormat = "yaml"; age = { - # This is the default location for the age key keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; }; };
diff --git a/nix/modules/nixos/secrets.nix b/nix/modules/nixos/secrets.nix
index 7340574..4d8ee12 100644
--- a/nix/modules/nixos/secrets.nix
+++ b/nix/modules/nixos/secrets.nix
@@ -10,12 +10,9 @@ defaultSopsFormat = "yaml"; age = { - # This will automatically import the SSH keys as age keys sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - # This is where the age key for sops-nix is stored - keyFile = "/var/lib/sops-nix/key.txt"; - # This will generate a new age key from the SSH key if it doesn't exist - generateKey = true; + # keyFile = "/var/lib/sops-nix/key.txt"; + # generateKey = true; }; }; }
diff --git a/nix/secrets/.sops.yaml b/nix/secrets/.sops.yaml
index 95fb7d6..9f64ca0 100644
--- a/nix/secrets/.sops.yaml
+++ b/nix/secrets/.sops.yaml
@@ -1,8 +1,10 @@ keys: - &macbook age1hmgy68ukugduef75ev72jnpu77ff3lajadpf7u0zv3ex4nt7f5qs5nxx2l + - &macnix age1436laad6dysegssvnz3pm8m33tv6hl9xpqymslehfwjqr8c6hfwsn74u42 creation_rules: - path_regex: secrets\.yaml$ key_groups: - age: - *macbook + - *macnix
diff --git a/nix/secrets/secrets.yaml b/nix/secrets/secrets.yaml
index 8b13789..79e0964 100644
--- a/nix/secrets/secrets.yaml
+++ b/nix/secrets/secrets.yaml
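Review bot: In `nix/modules/nixos/secrets.nix` the hunk leaves `# keyFile = "/var/lib/sops-nix/key.txt";` and `# generateKey = true;` behind as commented-out code and deletes the comment that explained `sshKeyPaths`, so nothing in the file says which identity now decrypts secrets on the host. With only `sshKeyPaths` set, decryption presumably relies on the age identity derived from `/etc/ssh/ssh_host_ed25519_key`, and the diff does not show that either recipient in `.sops.yaml` (`macbook`, `macnix`) is that host's key, so this is worth confirming before the module is relied on. I would drop the two commented-out lines and put one comment above `sshKeyPaths`: `# Decrypt with the age identity derived from the SSH host key; its public key must be a recipient in nix/secrets/.sops.yaml`. The enclosing attribute set starts above the hunk.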
@@ -1 +1,25 @@
-
+gemini_api_key: ENC[AES256_GCM,data:nN7Hng==,iv:uOL0UyHpiRpAXfkX8qyVAnJZFm4ljkgYiZycrdSoW9U=,tag:7A/rHJcEykcoyJLeTV/gaw==,type:str]
+sops:
+ age:
+ - recipient: age1hmgy68ukugduef75ev72jnpu77ff3lajadpf7u0zv3ex4nt7f5qs5nxx2l
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNGdIVU9CRnJGVVdkREsw
+ OFNiS2tFQmRoUHZiZFR0Z1RVaExSaXZwejBJCk44MWJSalFvckNqckNxZUJGdFpT
+ VlV2eisySzl2aGJVL1hSZ25FMWtTWmMKLS0tIEVvODJxSG1ScllmRC93MHN0MVdZ
+ YW12MmkweUF3TWtiSTVyWkIvdGdXQXMKsEMlf2FRKxSvaaCaBGf3kM5MdsL571aq
+ sITsqoVo+J7CV0XdPjVpctHwSBNMlLUGJh+dM5+Rb96FUqVr9dpEIw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1436laad6dysegssvnz3pm8m33tv6hl9xpqymslehfwjqr8c6hfwsn74u42
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUd0x4MDhVMmhISnN0eFZz
+ c1c2emxRcFVLRWZDSkp2V1VYQUpUbXU3ZFJZCkN1VVRzR2VBeThMckFRZk9ZdFdE
+ czhpb0hybCsxUlJ4WmlXb0pPOG5JaHMKLS0tIDBCR29zbjVpNFJZWVNrSldxT08z
+ TEsvV3l2TEJqUWdVL2krOXlNaXlpR0EKMIaLbDOAx2Zw1rtNT6HSli3Yqw2rFnsa
+ 6p5fa97RSDewFhg4MvaVo2L8SVpef65idmRXQ2Eh/ls4tbcpN8r6MA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-02-07T15:11:34Z"
+ mac: ENC[AES256_GCM,data:Pgi9tYWnrMrlM9NjqDy0+BrH51/0T4c7M6dornLCumnRtR2Y3MZYGyA2E97kbwuqoPJCOWkzhJt7smwCRI+H0rXveO+ps+v5iUxzP+7MQmepn5wjS32HoL5c2Oer4CR7PkKY7YvL7z5IT6QcIgRXMODhsVbWgB8CjPrn/GYqb5Y=,iv:A2AyCNHfQEdx/wvUJQGc9ndL2/OYGGxBMidYOTHXO7Q=,tag:9uzJcu3bogQgVj0bDOPCwg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
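Review bot: The `gemini_api_key` value is stored as `data:nN7Hng==`, which decodes to four bytes of ciphertext; AES-GCM ciphertext is as long as its plaintext, so this looks like a short placeholder rather than a real API key. If that is the case, set the real value through `sops` before anything consumes the secret, so consumers do not silently start with an unusable key. Key names and value lengths in this file remain readable in the repository, and both `recipient` entries match the `macbook` and `macnix` anchors in `.sops.yaml`, so access to the secret rests on those two age private keys.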