chore: cleanup flake and add nix tests for sops

Author: weriomat

flake.nix

@@ -165,13 +165,13 @@
         };
       in
       {
-        packages.default = self.packages."${system}".deploy-rs;
+        packages.default = self.packages.${system}.deploy-rs;
         packages.deploy-rs = pkgs.deploy-rs.deploy-rs;
 
-        apps.default = self.apps."${system}".deploy-rs;
+        apps.default = self.apps.${system}.deploy-rs;
         apps.deploy-rs = {
           type = "app";
-          program = "${self.packages."${system}".default}/bin/deploy";
+          program = "${self.packages.${system}.default}/bin/deploy";
         };
 
         devShells.default = pkgs.mkShell {

nix/tests/default.nix

@@ -20,11 +20,11 @@ let
     done <$refs
   '';
 
-  mkTest = { name ? "", user ? "root", flakes ? true, isLocal ? true, deployArgs }: let
+  mkTest = { name ? "", user ? "root", flakes ? true, isLocal ? true, sops ? false, deployArgs }: let
     nodes = {
       server = { nodes, ... }: {
         imports = [
-         ./server.nix
+         (import ./server.nix { inherit pkgs sops; })
          (import ./common.nix { inherit inputs pkgs flakes; })
         ];
         virtualisation.additionalPaths = lib.optionals (!isLocal) [
@@ -36,7 +36,7 @@ let
       };
       client = { nodes, ... }: {
         imports = [ (import ./common.nix { inherit inputs pkgs flakes; }) ];
-        environment.systemPackages = [ pkgs.deploy-rs.deploy-rs ];
+        environment.systemPackages = [ pkgs.deploy-rs.deploy-rs ] ++ lib.optionals sops [ pkgs.sops ];
         # nix evaluation takes a lot of memory, especially in non-flake usage
         virtualisation.memorySize = lib.mkForce 4096;
         virtualisation.additionalPaths = lib.optionals isLocal [
@@ -61,6 +61,8 @@ let
 
       enable-flakes.url = "${builtins.toFile "use-flakes" (if flakes then "true" else "false")}";
       enable-flakes.flake = false;
+      enable-sops.url = "${builtins.toFile "use-sops" (if sops then "true" else "false")}";
+      enable-sops.flake = false;
     '';
 
     flake = builtins.toFile "flake.nix"
@@ -97,6 +99,14 @@ let
       client.succeed("cp ${./server.nix} ./server.nix")
       client.succeed("cp ${./common.nix} ./common.nix")
       client.succeed("cp ${serverNetworkJSON} ./network.json")
+
+      # Prepare sops keys
+      client.succeed("cp ${./sops/.sops.yaml} ./.sops.yaml")
+      client.succeed("cp ${./sops/password.yaml} ./password.yaml")
+      # this is where sops looks for private keys
+      client.succeed("mkdir -p /root/.config/sops/age/")
+      client.succeed("cp ${./sops/age_private.txt} /root/.config/sops/age/keys.txt")
+
       client.succeed("nix --extra-experimental-features flakes flake lock")
 
       # Setup SSH key
@@ -173,4 +183,9 @@ in {
     flakes = true;
     deployArgs = "--file . --targets server";
   };
+  sops = mkTest {
+    name = "sops";
+    sops = true;
+    deployArgs = "-s .#server --sudo-file ./password.yaml --sudo-secret deploy";
+  };
 }

nix/tests/deploy-flake.nix

@@ -15,7 +15,7 @@
   in {
     nixosConfigurations.server = nixpkgs.lib.nixosSystem {
       inherit system pkgs;
-      specialArgs = { inherit inputs; flakes = import inputs.enable-flakes; };
+      specialArgs = { inherit inputs; flakes = import inputs.enable-flakes;  sops = import inputs.enable-sops; };
       modules = [
         ./server.nix
         ./common.nix

nix/tests/server.nix

@@ -1,23 +1,25 @@
 # SPDX-FileCopyrightText: 2024 Serokell <https://serokell.io/>
 #
 # SPDX-License-Identifier: MPL-2.0
-{ pkgs, ... }:
+{ pkgs, sops, ... }:
 {
   nix.settings.trusted-users = [ "deploy" ];
-  users = let
-    inherit (import "${pkgs.path}/nixos/tests/ssh-keys.nix" pkgs) snakeOilPublicKey;
-  in {
-    mutableUsers = false;
-    users = {
-      deploy = {
-        password = "";
-        isNormalUser = true;
-        createHome = true;
-        openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
+  users =
+    let
+      inherit (import "${pkgs.path}/nixos/tests/ssh-keys.nix" pkgs) snakeOilPublicKey;
+    in
+    {
+      mutableUsers = false;
+      users = {
+        deploy = {
+          password = if sops then "rootIsAGoodRootPassword" else "";
+          isNormalUser = true;
+          createHome = true;
+          openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
+        };
+        root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
       };
-      root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
     };
-  };
   services.openssh.enable = true;
   virtualisation.writableStore = true;
 }

nix/tests/sops/.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &primary age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
+creation_rules:
+  - path_regex: password.yaml
+    key_groups:
+      - age:
+          - *primary

nix/tests/sops/age_private.txt

@@ -0,0 +1,3 @@
+# created: 2025-06-05T11:36:08+02:00
+# public key: age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
+AGE-SECRET-KEY-1L8HTRL2THGGZLXQQDTDLDG0U8EL4RSSAMVT9RYUG5JWPUJW49N9QS0EFSZ

nix/tests/sops/age_public.txt

@@ -0,0 +1 @@
+age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm

nix/tests/sops/password.yaml

@@ -0,0 +1,16 @@
+deploy: ENC[AES256_GCM,data:/9Y3WUsK5aamlfW7ImSkEb24IGE0wiE=,iv:+gz2H5b2BlLhmGMIPKHInM/p0eJrnhRz07KKro0nOPM=,tag:q2upCUnqXN4DlGsh8aWHcA==,type:str]
+sops:
+    age:
+        - recipient: age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMckNqSWF3MUpNOU91T2Zh
+            dU9ZQlozVWd3bnhsakZRSlFxcGVCZ3Z1dGpvCkVtbkhDNkNhTU5PUHhuVm5BaTJa
+            dGRhU0c5MmQ2bVdyc1JnVVB0aCt1YW8KLS0tIHd4NWlDZEQvdEhxb2lVaUtmSktO
+            MDExNzUwUG5KZ2JyZHhKTmFLZEpleWcKDNxV1CKbEeQ4ixX4PMSj60egj31bN2KG
+            Zm0wfO8UtuGkLVcPKLL7jUhgQXzN9jHg/fDzT11tTnmFaEwtfhHzWg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-05T16:22:23Z"
+    mac: ENC[AES256_GCM,data:Q7ctfJ2UaY7F8eNYDG4Qt5/vLQL2btNU4USe1UEwf8hnSiPJ8Fh8eDgZnXo8F5RZsx3/tPJq+5F1r/ENIturr8ZXYW+101r1pnwEIXz6BEABotCIJArnm3dOR4C4OwrvOPKLNMI0OkDCSTWL2WV3aNIq41TnjBrTrPVP4aZZPlU=,iv:tiDMG0LfAgjoXz8hFhCisZx59BZQRVWFeCuRhQdYiUI=,tag:qQ6vPzCJ7S6j0wIA+/ilxw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4