From 153bd77227079284fbd98bc60f3aea3837e7919e Mon Sep 17 00:00:00 2001
From: Origami404
Date: Sun, 17 May 2026 12:14:00 +0800
Subject: [PATCH] =?UTF-8?q?sops:=20=E9=85=8D=E7=BD=AE=E5=A4=9A=E6=9C=BA?= =?UTF-8?q?=E5=99=A8=E6=A0=87=E5=87=86=E5=AF=86=E9=92=A5=E6=B5=81=E7=A8=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 hosts/eris/configuration.nix | 11 ++++++-----
 hosts/modules/sops.nix | 11 +++++++++++
 hosts/oparic-local-dev/configuration.nix | 10 +++++-----
 3 files changed, 22 insertions(+), 10 deletions(-)
 create mode 100644 hosts/modules/sops.nix
diff --git a/hosts/eris/configuration.nix b/hosts/eris/configuration.nix
index 4a54c12..1c7c6ed 100644
--- a/hosts/eris/configuration.nix
+++ b/hosts/eris/configuration.nix
@@ -9,9 +9,9 @@
 [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- inputs.sops-nix.nixosModules.sops
 ../modules/nix-cache.nix
 ../modules/users/origami.nix
+ ../modules/sops.nix
 ];
 
 boot.loader = {
@@ -150,13 +150,14 @@
 users.users.origami.extraGroups = [ "wheel" "networkmanager" ];
 security.sudo.wheelNeedsPassword = false;
 
- sops.defaultSopsFile = ../../secrets/ssh-private.yaml;
- sops.defaultSopsFormat = "yaml";
- sops.age.keyFile = "/home/origami/.config/sops/age/keys.txt";
-
 # List services that you want to enable:
 
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
+
+ # 密钥管理: 这是日用机器
+ sops.defaultSopsFile = ../../secrets/ssh-private.yaml;
+ sops.age.keyFile = "/home/origami/.config/sops/age/keys.txt";
+
 system.stateVersion = "23.11";
 }
diff --git a/hosts/modules/sops.nix b/hosts/modules/sops.nix
new file mode 100644
index 0000000..1f6a586
--- /dev/null
+++ b/hosts/modules/sops.nix
@@ -0,0 +1,11 @@
+{ inputs, pkgs, ... }:
+{
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ environment.systemPackages = with pkgs; [
+ sops
+ age
+ ];
+
+ sops.defaultSopsFormat = "yaml";
+}
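Review bot: The age identity for this host is read from `/home/origami/.config/sops/age/keys.txt`, a path owned and writable by the `origami` account, while sops-nix (now pulled in via `../modules/sops.nix`) decrypts secrets during system activation as root, so the root-side decryption trusts a user-controlled file and additionally requires that home directory to be mounted and readable at activation time. The sibling host in this same commit keeps its identity at `/var/lib/sops/age/keys.txt`, so the two "standard" hosts already diverge on where the key lives; if the home path is a deliberate choice for the daily-use machine, the comment should say so and name the constraint, e.g. `# 密钥管理: 这是日用机器 — age key lives in origami's home (user-writable; /home must be mounted at activation)`. The `sops.defaultSopsFile` here also still points at the shared `../../secrets/ssh-private.yaml` rather than a per-host file like the other host, which is worth confirming as intended.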
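Review bot: The new shared module carries no header comment stating its contract: every host that imports it still has to set `sops.defaultSopsFile` and `sops.age.keyFile` itself (both host hunks in this commit do), and nothing in the module fails loudly if one of them is forgotten. A one-line note such as `# Shared sops-nix wiring; each host must still set sops.defaultSopsFile and sops.age.keyFile.` at the top of the file would make that explicit. `sops.defaultSopsFormat = "yaml"` appears to restate sops-nix's own default, which is harmless but deserves a comment if it is meant as a deliberate pin. Installing the `sops` and `age` CLIs through `environment.systemPackages` also lands them on every importing host, including the externally facing one; that is reasonable for editing secrets in place, but it is a choice worth a short note.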
diff --git a/hosts/oparic-local-dev/configuration.nix b/hosts/oparic-local-dev/configuration.nix
index 633fbfe..349bddc 100644
--- a/hosts/oparic-local-dev/configuration.nix
+++ b/hosts/oparic-local-dev/configuration.nix
@@ -4,9 +4,9 @@
 
 imports = [
 ./hardware-configuration.nix
- inputs.sops-nix.nixosModules.sops
 ../modules/nix-cache.nix
 ../modules/users/origami.nix
+ ../modules/sops.nix
 ];
 
 # BIOS + GRUB, 安装到 MBR
@@ -83,11 +83,11 @@
 users.users.origami.extraGroups = [ "wheel" ];
 security.sudo.wheelNeedsPassword = false;
 
- sops.defaultSopsFile = ../../secrets/ssh-private.yaml;
- sops.defaultSopsFormat = "yaml";
- sops.age.keyFile = "/home/origami/.config/sops/age/keys.txt";
-
 services.openssh.enable = true;
+ # 密钥管理: 这是对外机器
+ sops.defaultSopsFile = ../../secrets/hosts/oparic-local-dev.yaml;
+ sops.age.keyFile = "/var/lib/sops/age/keys.txt";
+
 system.stateVersion = "23.11";
 }
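Review bot: `sops.defaultSopsFile` now points at `../../secrets/hosts/oparic-local-dev.yaml`, but the diffstat lists only three files and creates nothing under `secrets/hosts/`, so unless that file already exists in the repository this Nix path literal will fail at evaluation time rather than at activation. The encryption side is likewise not visible in this commit: the `.sops.yaml` creation rule covering `secrets/hosts/*.yaml` has to list the age recipient that corresponds to the key at `/var/lib/sops/age/keys.txt`, otherwise sops-nix cannot decrypt the file on this host. Because that key file lives outside the declarative configuration, the comment should record how it gets there, e.g. `# 密钥管理: 这是对外机器 — host age key at /var/lib/sops/age/keys.txt, provisioned out of band with root-only permissions`. The enclosing attribute set closes at the `}` in this hunk but begins outside it.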