From e9fef516ecbc90f56d33e7ff2e18313a642f2292 Mon Sep 17 00:00:00 2001
From: Chris Kruining <c.kruining@4dotnet.nl>
Date: Thu, 23 Oct 2025 14:47:53 +0200
Subject: [PATCH] feat(sops): finally somewhat properly set up with sops

---
 .just/machine.just    |  9 +++++++++
 .just/vars.just       | 28 ++++++++++++++++++++++++++++
 .justfile             | 15 ++++++++++-----
 .sops.yaml            | 11 +++++++++++
 .sops.yml             |  8 --------
 _secrets/secrets.yaml | 30 ------------------------------
 6 files changed, 58 insertions(+), 43 deletions(-)
 create mode 100644 .just/machine.just
 create mode 100644 .just/vars.just
 create mode 100644 .sops.yaml
 delete mode 100644 .sops.yml
 delete mode 100644 _secrets/secrets.yaml

diff --git a/.just/machine.just b/.just/machine.just
new file mode 100644
index 0000000..65d1a7b
--- /dev/null
+++ b/.just/machine.just
@@ -0,0 +1,9 @@
+@_default: list
+
+[doc('List machines')]
+@list:
+  ls -1 ../systems/x86_64-linux/
+
+[doc('Update the target machine')]
+update machine:
+  nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}
\ No newline at end of file
diff --git a/.just/vars.just b/.just/vars.just
new file mode 100644
index 0000000..78b7cb5
--- /dev/null
+++ b/.just/vars.just
@@ -0,0 +1,28 @@
+base_path := invocation_directory() / "systems/x86_64-linux"
+sops := "nix shell nixpkgs#sops --command sops"
+
+@_default:
+  just --list
+
+[doc('list all vars of the target machine')]
+list machine:
+  {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml
+  
+@edit machine:
+  {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml
+  
+@set machine key value:
+  {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" \"{{ value }}\"
+
+  git add {{ base_path }}/{{ machine }}/secrets.yml
+  git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml
+
+  echo "Done"
+  
+@remove machine key:
+  {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
+
+  git add {{ base_path }}/{{ machine }}/secrets.yml
+  git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml
+
+  echo "Done"
\ No newline at end of file
diff --git a/.justfile b/.justfile
index 67ac3a4..4e8a323 100644
--- a/.justfile
+++ b/.justfile
@@ -1,7 +1,12 @@
+@_default:
+  just --list --list-submodules
 
-try-again:
-    nix flake update amarth-customer-portal
-    nix flake check --all-systems --show-trace
+[doc('Manage vars')]
+mod vars '.just/vars.just'
 
-update machine:
-    nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}
\ No newline at end of file
+[doc('Manage machines')]
+mod machine '.just/machine.just'
+
+[doc('Show information about project')]
+@show:
+  echo "show"
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9e7956c
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+  - &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
+  - &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+
+creation_rules:
+  # All Machine secrets
+  - path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$
+    key_groups:
+      - age:
+          - *ulmo_1
+          - *ulmo_2
\ No newline at end of file
diff --git a/.sops.yml b/.sops.yml
deleted file mode 100644
index 96e09c3..0000000
--- a/.sops.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-keys:
-  - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-
-creation_rules:
-  - path_regex: secrets/secrets.yml$
-    key_groups:
-      - age:
-          - *primary
diff --git a/_secrets/secrets.yaml b/_secrets/secrets.yaml
deleted file mode 100644
index 78b1a8c..0000000
--- a/_secrets/secrets.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
-example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
-#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
-#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
-example:
-    my_subdir:
-        my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
-            ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
-            YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
-            dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
-            Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-09T11:37:49Z"
-    mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.4
-
-zitadel:
-  masterKey: thisWillBeAnEncryptedValueInTheFuture