secrets: add an example sops secret
This commit is contained in:
parent
73cd1d9242
commit
1c16348724
|
@ -0,0 +1,9 @@
|
|||
keys:
|
||||
- &user_desko_colin age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
|
||||
- &host_desko age1s0v4fm203ap6mckcz3djw8hx30uqu87xfhfdajpmyf8rfrf5xs5swpz6m6
|
||||
creation_rules:
|
||||
- path_regex: secrets/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_desko_colin
|
||||
- *host_desko
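Review bot: `path_regex: secrets/[^/]+\.yaml$` is not anchored at the start, and sops applies a creation rule whenever the regex matches anywhere in the path, so a future `some/other/secrets/foo.yaml` would be encrypted to these same recipients; `path_regex: ^secrets/[^/]+\.yaml$` restricts the rule to the top-level secrets directory this commit creates. Both recipients sit in a single key group, which means either key alone can decrypt every matching file — fine for a user plus the host it runs on, but worth recording, along with what each anchor is, since the derivation recipe lives in the NixOS module's comments rather than here: `# user key: ssh-to-age < ~/.ssh/id_ed25519.pub` and `# host key: ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`. When a key is added or removed later, `sops updatekeys secrets/<file>.yaml` re-wraps the data key against this list without recreating the secret.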
|
|
@ -8,7 +8,7 @@
|
|||
# nix-option ## query options -- including their SET VALUE; similar to search: https://search.nixos.org/options
|
||||
# nixos-rebuild switch --upgrade ## pull changes from the nixos channel (e.g. security updates) and rebuild
|
||||
|
||||
{ pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
|
@ -21,5 +21,52 @@
|
|||
experimental-features = nix-command flakes
|
||||
'';
|
||||
};
|
||||
|
||||
# SOPS configuration:
|
||||
# docs: https://github.com/Mic92/sops-nix
|
||||
#
|
||||
# for each new user you want to edit sops files:
|
||||
# create a private age key from ssh key:
|
||||
# $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
|
||||
# if the private key was password protected, then first decrypt it:
|
||||
# $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
|
||||
# $ ssh-keygen -p -N "" -f /tmp/id_ed25519
|
||||
#
|
||||
# for each user you want to decrypt secrets:
|
||||
# $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
|
||||
# add the result to .sops.yaml
|
||||
#
|
||||
# for each machine you want to decrypt secrets:
|
||||
# $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
|
||||
# add the result to .sops.yaml
|
||||
# you may need to re-encode all the secrets (even physically deleting and recreating them).
|
||||
#
|
||||
# to create a new secret:
|
||||
# $ sops secrets/example.yaml
|
||||
# control access below (sops.secret.<x>.owner = ...)
|
||||
#
|
||||
# to read a secret:
|
||||
# $ cat /run/secrets/example_key
|
||||
|
||||
# sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
|
||||
# This will add secrets.yml to the nix store
|
||||
# You can avoid this by adding a string to the full path instead, i.e.
|
||||
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
||||
sops.defaultSopsFile = ./secrets/example.yaml;
|
||||
# This will automatically import SSH keys as age keys
|
||||
sops.age.sshKeyPaths = [
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
# "/home/colin/.ssh/id_ed25519_dec"
|
||||
];
|
||||
# This is using an age key that is expected to already be in the filesystem
|
||||
# sops.age.keyFile = "/home/colin/.ssh/age.pub";
|
||||
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||
# This will generate a new key if the key specified above does not exist
|
||||
# sops.age.generateKey = true;
|
||||
# This is the actual specification of the secrets.
|
||||
sops.secrets.example_key = {
|
||||
owner = config.users.users.colin.name;
|
||||
};
|
||||
# sops.secrets."myservice/my_subdir/my_secret" = {};
|
||||
}
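Review bot: The key-file recipe `ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt` creates keys.txt under the shell's default umask before the chmod runs, so the age private key can be group- or world-readable for that window; `(umask 077; mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt)` closes it and also gives the directory restrictive permissions. The passphrase-stripping step likewise leaves an unencrypted copy of the SSH key at `/tmp/id_ed25519` with no cleanup step; add `shred -u /tmp/id_ed25519` after the conversion, or do the `ssh-keygen -p` step inside a `mktemp -d` directory on a tmpfs. The comment "you may need to re-encode all the secrets (even physically deleting and recreating them)" can be replaced by the command sops provides for exactly this, `# $ sops updatekeys secrets/example.yaml  ## re-wrap the data key for the recipients currently listed in .sops.yaml`. The commented-out `"/home/colin/.ssh/id_ed25519_dec"` entries in `sops.age.sshKeyPaths` imply a permanently passphrase-less copy of the user key readable by root; if that path is not going to be used, drop the dead lines rather than leave the idea in place. The module attrset these options live in opens outside this hunk, so only its tail is visible here.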
|
||||
|
||||
|
|
71
flake.lock
71
flake.lock
|
@ -52,6 +52,54 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-21_11": {
|
||||
"locked": {
|
||||
"lastModified": 1654346688,
|
||||
"narHash": "sha256-Y7QtZkfdxTvACCvWmDjpN6qOf4OKkZATufHcJP2VMKM=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2de556c4cd46a59e8ce2f85ee4dd400983213d45",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-21.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-22_05": {
|
||||
"locked": {
|
||||
"lastModified": 1654373220,
|
||||
"narHash": "sha256-3vKFnZz2oYHo4YcelaNOhO4XQ2jiIEXrp1s4w+e773c=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "d6cb04299ce8964290ae7fdcb87aa50da0500b5c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-22.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1654245945,
|
||||
"narHash": "sha256-PV6MZ+HuNnyLxQGa2rwt0BmCRkQS2xqhc+SeJLQM+WU=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "442db9429b9fbdb6352cfb937afc8ecccfe2633f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nurpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1654488445,
|
||||
|
@ -72,7 +120,28 @@
|
|||
"home-manager": "home-manager",
|
||||
"mobile-nixos": "mobile-nixos",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nurpkgs": "nurpkgs"
|
||||
"nurpkgs": "nurpkgs",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-21_11": "nixpkgs-21_11",
|
||||
"nixpkgs-22_05": "nixpkgs-22_05"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1654401128,
|
||||
"narHash": "sha256-uCdQ2fzIPGakHw2TkvOncUvCl7Fo7z/vagpDWYooO7s=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "f075361ecbde21535b38e41dfaa28a28f160855c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -15,9 +15,10 @@
|
|||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
nurpkgs.url = "github:nix-community/NUR";
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs }: {
|
||||
outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs, sops-nix }: {
|
||||
machines.uninsane = self.decl-bootable-machine { name = "uninsane"; system = "aarch64-linux"; };
|
||||
machines.desko = self.decl-bootable-machine { name = "desko"; system = "x86_64-linux"; };
|
||||
machines.lappy = self.decl-bootable-machine { name = "lappy"; system = "x86_64-linux"; };
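Review bot: `sops-nix.url = "github:Mic92/sops-nix";` declares no `inputs.nixpkgs.follows`, unlike the input closed just above it, so the lock file in this commit resolves sops-nix's own nixpkgs (`nixpkgs_2`, tracking nixpkgs-unstable) plus its `nixpkgs-21_11` and `nixpkgs-22_05` pins as separate trees. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` keeps the sops module evaluated against the same nixpkgs revision as the rest of the system and is one fewer upstream tree to track and audit. As far as I can tell the 21_11/22_05 inputs only serve sops-nix's own checks, so they can be left alone or pointed at `nixpkgs` the same way if a single nixpkgs in the lock is the goal.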
|
||||
|
@ -68,6 +69,7 @@
|
|||
./machines/${name}
|
||||
(import ./helpers/set-hostname.nix name)
|
||||
(self.overlaysModule system)
|
||||
sops-nix.nixosModules.sops
|
||||
] ++ extraModules;
|
||||
});
|
||||
|
||||
|
|
|
@ -472,6 +472,7 @@
|
|||
# pkgs.nettools
|
||||
pkgs.nmap
|
||||
pkgs.obsidian
|
||||
pkgs.openssl
|
||||
pkgs.parted
|
||||
pkgs.pciutils
|
||||
# pkgs.ponymix
|
||||
|
@ -482,6 +483,8 @@
|
|||
pkgs.smartmontools
|
||||
pkgs.snapper
|
||||
pkgs.socat
|
||||
pkgs.sops
|
||||
pkgs.ssh-to-age
|
||||
pkgs.sudo
|
||||
pkgs.usbutils
|
||||
pkgs.wget
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
#ENC[AES256_GCM,data:AAbDZxW7S1fPR86UqIUvZZEKp9LPhZFBz6WtBFmRqeYaPKOJpQMr0UqJzF1r9Qy8Mhl9Ruc=,iv:8CkXkab3jkLx1F6yFGwvS8AObP0+zVqthuEZxD6fVFQ=,tag:NTXhSKgr3nLEuqVUU2qPeg==,type:comment]
|
||||
example_key: ENC[AES256_GCM,data:gag/QcjPTiwcnOTs6w==,iv:3WbDtKwoZdZl0M87pWFxGCEsdbEDoCpnN9nJ0s+4uFg=,tag:UmDD/dTU96QsvSjKVLm8nQ==,type:str]
|
||||
#ENC[AES256_GCM,data:qwFF9yIBquSi77GLsqoh5Vg=,iv:hJCpayOTOJndiwmxb32pO4RhH+92C8tFo3CThLBUzg4=,tag:I+fM3LE+8a7sSiNhA9xPIg==,type:comment]
|
||||
#ENC[AES256_GCM,data:pOJQW/WI9kB9oBRBZUk=,iv:nbc7gmgwvp2+e81gXJb7oGJFxd0IL3ezEzTRhZvZPks=,tag:Xeeh+LYR8IrVjSQMxCDR/A==,type:comment]
|
||||
#ENC[AES256_GCM,data:cFpWD8Ul9rZovu+gXHUK5qY2T74=,iv:wE1ykWPxNegTOBrOZKuXDS/ToTQ7uSQ5Ipk77zBeva4=,tag:HoW8U9HZGSG7qwVr10gBHA==,type:comment]
|
||||
#ENC[AES256_GCM,data:lNhCWy1l2tZ5smucunZFszd7dIY=,iv:vHOxwiyubDskeoENEwlzDV3pmxEKU0P+KJmwLijzj/Q=,tag:3iLW04LWFiznc+gKOOCYtw==,type:comment]
|
||||
#ENC[AES256_GCM,data:DE55QRx9NQjaPoTFVPDHtmxEvNSJRZTdQIo=,iv:MI67iZuHlwuKg4gkeSCutaNGWaFmF7eymuGkPsZSi94=,tag:YUb+62kKPcKU/WunbwqrzQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:XiLZ7+vIX4bpeeEbsP0DpAA=,iv:HsmzKRESXMStssiECODj9bcsahmzxqtzOfodQ3Ze4Fo=,tag:gUBEreck3v9ySvAle9LIyQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:exigJhzg3dKrLw==,iv:ZiTyNtYSbJpy7k86oOm5jNp/Aj+u+WVjr4hoDha3Jfw=,tag:e1IrQ7GL9StnLXeSeMN6vQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:pwKO2o2lgbAFR9g=,iv:GF0NtijdFrXLPbKN6nMXavvdSV0jCaey3qm+8JxC9bk=,tag:XZ80r545lJEdTZ9XWhBABg==,type:comment]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUWdZeHhjQnU0MVpQNTNy
|
||||
WTEyVVVMVlpaL3duWkNnRE55RFltcWo0SzAwCkYra2hMdk9hdGR2dXo0SDVDb0Zy
|
||||
Y3lvblhzSy9aWjQzOE5nR1lvaXg5dVEKLS0tIDhlVERraFgzeVlBbmxPZit5MzAv
|
||||
dEIzelZ0M1Nuektzb1lSWXl1bGVWYVEK1sbgSBu/yjtbgAMUNO/U7vX++zuUoCj5
|
||||
IZqsQ1Jofw4VGukUt+vUloWJ9W+uysRveDbqTX2x2XiRLqJXaKVIZQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1s0v4fm203ap6mckcz3djw8hx30uqu87xfhfdajpmyf8rfrf5xs5swpz6m6
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNL1NKVjRRbFUzYUZzakw0
|
||||
S1Jhc1Y3dlJ5WWxYcHNUVytDZ25jU1ZIWkdJCkRpY3dwakk4NWw0VWVGYllNQ0x5
|
||||
ZTB1aVh1QlJBdmZld0EzVXVCZkpqZlEKLS0tIG1kcHVwNjhLaVFsVk9vWXpJZmhN
|
||||
RHAyR2poZWkydUpVTEo4NXNvS1RwUE0KDWF9jDZP1cOMxE4iZzhN+eKJakEYK4g8
|
||||
RQX7A5W1chN8Qh7KYPWZiGOL6FfcWUxFt8mfrUPKrxkGnM7zcz9Xrw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-06-06T23:21:20Z"
|
||||
mac: ENC[AES256_GCM,data:pU5882gcNu2hmINn/xnDriHX8PvrEqepnf8/B+WGYrkd6yqpsVPCivlhGFmPvPaRt/o0AVMuH7Wbwm3+rmOpR1LFfJUtnFcejWVpVNE6BuxuWTdF90EENUStKg3DWV4uspRlQds856GR7pkDblkmAOgWZ7zD3ILS3sF/fLuFLr0=,iv:TCsuetCjhhJc/0K4UQrCD9+zWEVssI6Yx0AQ/+eDSn0=,tag:ZsKZZB5S9bgLIRJBLO/KgQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|