From beb00a571833108b78899dd3fa4e68081cf87375 Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Tue, 15 Jul 2025 01:54:01 -0400
Subject: [PATCH] configured sops-nix

---
 .sops.yaml | 6 ++--
 src/system/machines/server/secrets.yaml | 43 +++++++++++++++++++++++++
 src/system/machines/server/system.nix | 15 +++++++++
 src/system/modules/frigate/default.nix | 2 +-
 4 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 src/system/machines/server/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 7dd86b7..afee4a8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,9 +4,9 @@ keys:
   - &hosts:
     - &server age1jvqcc984v5xr8yhwm72arsy2hx6rm9gvsr7zeeasvcl0k2l9efmsgys3eg
 creation_rules:
-  - path_regex: src/system/machines/server/secrets.ya?ml$
+  - path_regex: src/system/modules/frigate/secrets.ya?ml$
     key_groups:
-      age:
+      - age:
         - *server
-      pgp:
+      - pgp:
         - *bryan
diff --git a/src/system/machines/server/secrets.yaml b/src/system/machines/server/secrets.yaml
new file mode 100644
index 0000000..ca9e5ad
--- /dev/null
+++ b/src/system/machines/server/secrets.yaml
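Review bot: Turning `age:` and `pgp:` into two separate items under `key_groups` makes them two key groups, and sops then requires one key from every group (its default threshold is the number of groups) — the secrets.yaml generated in this same commit records `shamir_threshold: 2`, so the server, which holds only the age key, cannot decrypt the file by itself and sops-nix activation will fail. If either the server or Bryan alone should be able to decrypt, keep a single group that lists both key types, e.g. `key_groups:` / `  - age: [ *server ]` / `    pgp: [ *bryan ]`. Separately, the new `path_regex` points at `src/system/modules/frigate/secrets.ya?ml$`, while the file added in this commit and referenced by `defaultSopsFile` is `src/system/machines/server/secrets.yaml`, so this rule no longer matches it and later `sops` edits or `updatekeys` runs on that file will not apply these recipients.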
@@ -0,0 +1,43 @@
+camera_user: ENC[AES256_GCM,data:wEsLmNE=,iv:v+iPUD9pTMroUfCi6Q/fr38WUIV6nQkSKRwTlaWAE8g=,tag:YpHjExxYBN9h96rilf9oQg==,type:str]
+camera_pass: ENC[AES256_GCM,data:n2r7rGMoEZmWnsc=,iv:7pZvNvanU2XqSgKcPqKD+beqXbdkDP8e2bdO+xCACLA=,tag:zA426rjuUp6v6WfvSbiGJQ==,type:str]
+sops:
+    shamir_threshold: 2
+    key_groups:
+        - hc_vault: []
+          age:
+            - recipient: age1jvqcc984v5xr8yhwm72arsy2hx6rm9gvsr7zeeasvcl0k2l9efmsgys3eg
+              enc: |
+                -----BEGIN AGE ENCRYPTED FILE-----
+                YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJc3hwWEY1YlRCckM5cTRJ
+                em1kMUtGZFdwMzkzek9MdlB1TGwyOHorb2l3ClpMYmtPQkNHcGphcnIrVVdQc1R3
+                a3p4c1NvK2gvTEZRWEQ4VTR4OFpFZWMKLS0tIFpSdTRxcVl3WHgrVlk4N1VXOGUv
+                YUYydFpLeUxENW1HeGlua1VMYnRlN2sKLq7rx6l5bkSdiAACJFlozCBjVJP2wiJQ
+                jQAzLUzkOJVSc3Qnnbsn8FuQjCRp25HKMYKd2pxOfAbT0CCh+yFKU8s=
+                -----END AGE ENCRYPTED FILE-----
+        - pgp:
+            - created_at: "2025-07-15T05:20:56Z"
+              enc: |-
+                -----BEGIN PGP MESSAGE-----
+
+                hQIMAwTOId9Kyu/jAQ//bJERY8tWurpRZ8CScN6Wj/Q7fR1jUJzn2ZDwJll+/ooM
+                fV1U6UJoD76hyrhNi8Nx1IGqVKooZ51PWaUy3EXuSlkECQ04ApxM37uiEFmgU2mH
+                HYIveY1i7ebkaAsjD6a+BuK0Dj04KwQpzAZE+CphUTVgbzS8Z1F/ToYQY9taPcuz
+                aYVbuETl1CRyEeJjuJbRnPdndINFgIhSOM/27cgZBSo/dzS6CQZbZXz4nBmSCXpM
+                j/b6STe2dw/fr9wx8Xwqs520w2bmEBYTAaYP6pkQ2xrUiaGAGyHvqSIr97Dm/a5L
+                i3PrXWmdfDLco+dKXtE0FnXa2lcANarIR9xd1QEzI8iby3VIvJx49ScrnETrOupW
+                eekho9t0LwZFHP6PrWtKtB3WxKkvyXqu8f0BrUkEZ2aUFhZW15ax1k/kNiyZJFy6
+                vevAjmYtLtHBTUomm9cKxZcxWbwKwDWn7sN5qWSyjz+rgiLE1Wi98K7pKwKzWTVs
+                E8sb5MUf49KXEISBkQgfdAEV92Ia47aopg+S2RaNNBGbjfZahQhkrBsi5ap8VLMN
+                skgbysaG+WY6sYYP4zoFrQFMXKvf146oAqNEs5/QoAi33oj0SZyaV+VgreDYGfrI
+                VnpgUJM2OLSgcIej8eveT5Gu8MrPBqlKa8+n9gRdaVz7d0g4hdT1EpfJN8YXRaTS
+                XQGTAxb9OoYD/KcTZAxhD0hYJKUHixFyOL96w+k06TXpkqdRveThthT0n6x8ynlO
+                mxF9u6aLvfLpjZxgaDWYO/I3ypy5Fx0N/3JtC1wt8AGrEbHW4Y6iciFu2bPDig==
+                =OBwx
+                -----END PGP MESSAGE-----
+              fp: F1F3466458452B2DF351F1E864D12BA95ACE1F2D
+          hc_vault: []
+          age: []
+    lastmodified: "2025-07-15T05:21:09Z"
+    mac: 
ENC[AES256_GCM,data:JDlohVG3MM6KwrnWhBXAiM5dCNtmDyyO03vrbAG32JbWjXbdnzqgG95cTe+X17pbilc3p3F/IQRjNxt1EziIDeLmrTszLPxpdBUEUuNUOJ2RBZ6IlBdBo4gitTOwlOAxh/Uo7qr+gvJCsyiyHvr4Zti27ZDcExe2oVxcLf3M988=,iv:ntCT1a+FSpOKCtmCXyXIdQJ08qrONaMu/+qMUiz0DRQ=,tag:d6T9BpVdy1cnYVHb7PczBw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
diff --git a/src/system/machines/server/system.nix b/src/system/machines/server/system.nix
index ebb42bc..a2b77b9 100644
--- a/src/system/machines/server/system.nix
+++ b/src/system/machines/server/system.nix
@@ -19,11 +19,13 @@
     };
   };
 
+  users.mutableUsers = false;
   users.users = {
     "${config.user.name}" = {
       isNormalUser = true;
       extraGroups = config.user.groups;
       openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.primary}" ];
+      password = "123";
     };
   };
 
@@ -114,4 +116,17 @@
       PasswordAuthentication = false;
     };
   };
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    defaultSopsFormat = "yaml";
+    age = {
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+    secrets = {
+      camera_user = {};
+      camera_pass = {};
+    };
+  };
 }
diff --git a/src/system/modules/frigate/default.nix b/src/system/modules/frigate/default.nix
index 4ec04ec..8905aca 100644
--- a/src/system/modules/frigate/default.nix
+++ b/src/system/modules/frigate/default.nix
@@ -20,7 +20,7 @@ in
       "Doorbell" = {
         ffpmeg.inputs = [
           {
-            path = "rtsp://admin:th3bigbl4ck@192.168.0.108/cam/realmonitor?channel=1&subtype=0";
+            path = "rtsp://$(cat /run/secrets/camera_user):$(cat /run/secrets/camera_pass)@192.168.0.108/cam/realmonitor?channel=1&subtype=0";
             roles = [ "detect" "record" ];
           }
         ];
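Review bot: `password = "123";` sets a three-character plaintext password on the primary account, and with the new `users.mutableUsers = false;` it is re-applied on every rebuild and cannot be changed from the running system; the NixOS `users.users.<name>.password` option also places the plaintext in the world-readable Nix store. Since this commit already wires up sops-nix, prefer `hashedPasswordFile = config.sops.secrets.user_password.path;` with that secret declared `neededForUsers = true;` so it is decrypted before users are created (`user_password` is a placeholder name to add to secrets.yaml). SSH password authentication is disabled in the next hunk's context, so the exposure appears limited to local/console login, but a committed weak password should still not land. The enclosing module attribute set starts and ends outside this hunk.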
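Review bot: `camera_user = {};` and `camera_pass = {};` take sops-nix's defaults (owner root, mode 0400), so `/run/secrets/camera_user` and `/run/secrets/camera_pass` are not readable by the account the frigate unit runs under — if that service is the intended consumer, as the frigate hunk suggests, it will fail to open them. Either set `owner`/`group` on each secret to the frigate service user, or avoid raw file reads altogether and render the credentials into the service through a sops-nix template or an `EnvironmentFile`. The enclosing module attribute set starts outside this hunk.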
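Review bot: `$(cat /run/secrets/camera_user)` inside a Nix string literal is not command substitution — Nix passes the text through verbatim into the generated Frigate config, so ffmpeg receives the literal `$(cat ...)` as the RTSP username and password and the stream cannot authenticate. Frigate substitutes `{FRIGATE_*}` placeholders from its environment, so expose the two secrets to the unit (a sops-nix template or an `EnvironmentFile` on `systemd.services.frigate`) and write `path = "rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.0.108/cam/realmonitor?channel=1&subtype=0";`. The credential on the removed line stays in the repository history, so it should be rotated on the camera rather than considered withdrawn by this change. The unchanged `ffpmeg.inputs` key in the surrounding context looks like a typo for `ffmpeg`; this settings tree appears freeform, so it may be accepted silently — worth confirming.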