secrets: add an example sops secret

2022-06-06 16:36:22 -07:00 · 2022-06-06 16:36:22 -07:00 · 1c16348724
parent 73cd1d9242
commit 1c16348724
6 changed files with 172 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,9 @@
+keys:
+  - &user_desko_colin age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
+  - &host_desko age1s0v4fm203ap6mckcz3djw8hx30uqu87xfhfdajpmyf8rfrf5xs5swpz6m6
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *user_desko_colin
+      - *host_desko
--- a/configuration.nix
+++ b/configuration.nix
@ -8,7 +8,7 @@
 #   nix-option   ##  query options -- including their SET VALUE; similar to search: https://search.nixos.org/options
 #   nixos-rebuild switch --upgrade   ## pull changes from the nixos channel (e.g. security updates) and rebuild

-{ pkgs, ... }:
+{ config, pkgs, ... }:

 {

@ -21,5 +21,52 @@
      experimental-features = nix-command flakes
    '';
  };
+
+  # SOPS configuration:
+  #   docs: https://github.com/Mic92/sops-nix
+  #
+  # for each new user you want to edit sops files:
+  # create a private age key from ssh key:
+  #   $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
+  #   if the private key was password protected, then first decrypt it:
+  #     $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
+  #     $ ssh-keygen -p -N "" -f /tmp/id_ed25519
+  #
+  # for each user you want to decrypt secrets:
+  #   $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
+  #   add the result to .sops.yaml
+  #
+  # for each machine you want to decrypt secrets:
+  #   $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
+  #   add the result to .sops.yaml
+  #   you may need to re-encode all the secrets (even physically deleting and recreating them).
+  #
+  # to create a new secret:
+  #   $ sops secrets/example.yaml
+  #   control access below (sops.secret.<x>.owner = ...)
+  #
+  # to read a secret:
+  #   $ cat /run/secrets/example_key
+
+  # sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
+  # This will add secrets.yml to the nix store
+  # You can avoid this by adding a string to the full path instead, i.e.
+  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+  sops.defaultSopsFile = ./secrets/example.yaml;
+  # This will automatically import SSH keys as age keys
+  sops.age.sshKeyPaths = [
+    "/etc/ssh/ssh_host_ed25519_key"
+    # "/home/colin/.ssh/id_ed25519_dec"
+  ];
+  # This is using an age key that is expected to already be in the filesystem
+  # sops.age.keyFile = "/home/colin/.ssh/age.pub";
+  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  # This will generate a new key if the key specified above does not exist
+  # sops.age.generateKey = true;
+  # This is the actual specification of the secrets.
+  sops.secrets.example_key = {
+    owner = config.users.users.colin.name;
+  };
+  # sops.secrets."myservice/my_subdir/my_secret" = {};
 }

--- a/flake.lock
+++ b/flake.lock
@ -52,6 +52,54 @@
        "type": "indirect"
      }
    },
+    "nixpkgs-21_11": {
+      "locked": {
+        "lastModified": 1654346688,
+        "narHash": "sha256-Y7QtZkfdxTvACCvWmDjpN6qOf4OKkZATufHcJP2VMKM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2de556c4cd46a59e8ce2f85ee4dd400983213d45",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-21.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-22_05": {
+      "locked": {
+        "lastModified": 1654373220,
+        "narHash": "sha256-3vKFnZz2oYHo4YcelaNOhO4XQ2jiIEXrp1s4w+e773c=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d6cb04299ce8964290ae7fdcb87aa50da0500b5c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-22.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1654245945,
+        "narHash": "sha256-PV6MZ+HuNnyLxQGa2rwt0BmCRkQS2xqhc+SeJLQM+WU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "442db9429b9fbdb6352cfb937afc8ecccfe2633f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nurpkgs": {
      "locked": {
        "lastModified": 1654488445,
@ -72,7 +120,28 @@
        "home-manager": "home-manager",
        "mobile-nixos": "mobile-nixos",
        "nixpkgs": "nixpkgs",
-        "nurpkgs": "nurpkgs"
+        "nurpkgs": "nurpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-21_11": "nixpkgs-21_11",
+        "nixpkgs-22_05": "nixpkgs-22_05"
+      },
+      "locked": {
+        "lastModified": 1654401128,
+        "narHash": "sha256-uCdQ2fzIPGakHw2TkvOncUvCl7Fo7z/vagpDWYooO7s=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "f075361ecbde21535b38e41dfaa28a28f160855c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -15,9 +15,10 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nurpkgs.url = "github:nix-community/NUR";
+    sops-nix.url = "github:Mic92/sops-nix";
  };

-  outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs }: {
+  outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs, sops-nix }: {
    machines.uninsane = self.decl-bootable-machine { name = "uninsane"; system = "aarch64-linux"; };
    machines.desko = self.decl-bootable-machine { name = "desko"; system = "x86_64-linux"; };
    machines.lappy = self.decl-bootable-machine { name = "lappy"; system = "x86_64-linux"; };
@ -68,6 +69,7 @@
          ./machines/${name}
          (import ./helpers/set-hostname.nix name)
          (self.overlaysModule system)
+          sops-nix.nixosModules.sops
        ] ++ extraModules;
    });

--- a/helpers/home-manager-gen-colin.nix
+++ b/helpers/home-manager-gen-colin.nix
@ -472,6 +472,7 @@
    # pkgs.nettools
    pkgs.nmap
    pkgs.obsidian
+    pkgs.openssl
    pkgs.parted
    pkgs.pciutils
    # pkgs.ponymix
@ -482,6 +483,8 @@
    pkgs.smartmontools
    pkgs.snapper
    pkgs.socat
+    pkgs.sops
+    pkgs.ssh-to-age
    pkgs.sudo
    pkgs.usbutils
    pkgs.wget
--- a/secrets/example.yaml
+++ b/secrets/example.yaml
@ -0,0 +1,39 @@
+#ENC[AES256_GCM,data:AAbDZxW7S1fPR86UqIUvZZEKp9LPhZFBz6WtBFmRqeYaPKOJpQMr0UqJzF1r9Qy8Mhl9Ruc=,iv:8CkXkab3jkLx1F6yFGwvS8AObP0+zVqthuEZxD6fVFQ=,tag:NTXhSKgr3nLEuqVUU2qPeg==,type:comment]
+example_key: ENC[AES256_GCM,data:gag/QcjPTiwcnOTs6w==,iv:3WbDtKwoZdZl0M87pWFxGCEsdbEDoCpnN9nJ0s+4uFg=,tag:UmDD/dTU96QsvSjKVLm8nQ==,type:str]
+#ENC[AES256_GCM,data:qwFF9yIBquSi77GLsqoh5Vg=,iv:hJCpayOTOJndiwmxb32pO4RhH+92C8tFo3CThLBUzg4=,tag:I+fM3LE+8a7sSiNhA9xPIg==,type:comment]
+#ENC[AES256_GCM,data:pOJQW/WI9kB9oBRBZUk=,iv:nbc7gmgwvp2+e81gXJb7oGJFxd0IL3ezEzTRhZvZPks=,tag:Xeeh+LYR8IrVjSQMxCDR/A==,type:comment]
+#ENC[AES256_GCM,data:cFpWD8Ul9rZovu+gXHUK5qY2T74=,iv:wE1ykWPxNegTOBrOZKuXDS/ToTQ7uSQ5Ipk77zBeva4=,tag:HoW8U9HZGSG7qwVr10gBHA==,type:comment]
+#ENC[AES256_GCM,data:lNhCWy1l2tZ5smucunZFszd7dIY=,iv:vHOxwiyubDskeoENEwlzDV3pmxEKU0P+KJmwLijzj/Q=,tag:3iLW04LWFiznc+gKOOCYtw==,type:comment]
+#ENC[AES256_GCM,data:DE55QRx9NQjaPoTFVPDHtmxEvNSJRZTdQIo=,iv:MI67iZuHlwuKg4gkeSCutaNGWaFmF7eymuGkPsZSi94=,tag:YUb+62kKPcKU/WunbwqrzQ==,type:comment]
+#ENC[AES256_GCM,data:XiLZ7+vIX4bpeeEbsP0DpAA=,iv:HsmzKRESXMStssiECODj9bcsahmzxqtzOfodQ3Ze4Fo=,tag:gUBEreck3v9ySvAle9LIyQ==,type:comment]
+#ENC[AES256_GCM,data:exigJhzg3dKrLw==,iv:ZiTyNtYSbJpy7k86oOm5jNp/Aj+u+WVjr4hoDha3Jfw=,tag:e1IrQ7GL9StnLXeSeMN6vQ==,type:comment]
+#ENC[AES256_GCM,data:pwKO2o2lgbAFR9g=,iv:GF0NtijdFrXLPbKN6nMXavvdSV0jCaey3qm+8JxC9bk=,tag:XZ80r545lJEdTZ9XWhBABg==,type:comment]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUWdZeHhjQnU0MVpQNTNy
+            WTEyVVVMVlpaL3duWkNnRE55RFltcWo0SzAwCkYra2hMdk9hdGR2dXo0SDVDb0Zy
+            Y3lvblhzSy9aWjQzOE5nR1lvaXg5dVEKLS0tIDhlVERraFgzeVlBbmxPZit5MzAv
+            dEIzelZ0M1Nuektzb1lSWXl1bGVWYVEK1sbgSBu/yjtbgAMUNO/U7vX++zuUoCj5
+            IZqsQ1Jofw4VGukUt+vUloWJ9W+uysRveDbqTX2x2XiRLqJXaKVIZQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1s0v4fm203ap6mckcz3djw8hx30uqu87xfhfdajpmyf8rfrf5xs5swpz6m6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNL1NKVjRRbFUzYUZzakw0
+            S1Jhc1Y3dlJ5WWxYcHNUVytDZ25jU1ZIWkdJCkRpY3dwakk4NWw0VWVGYllNQ0x5
+            ZTB1aVh1QlJBdmZld0EzVXVCZkpqZlEKLS0tIG1kcHVwNjhLaVFsVk9vWXpJZmhN
+            RHAyR2poZWkydUpVTEo4NXNvS1RwUE0KDWF9jDZP1cOMxE4iZzhN+eKJakEYK4g8
+            RQX7A5W1chN8Qh7KYPWZiGOL6FfcWUxFt8mfrUPKrxkGnM7zcz9Xrw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-06-06T23:21:20Z"
+    mac: ENC[AES256_GCM,data:pU5882gcNu2hmINn/xnDriHX8PvrEqepnf8/B+WGYrkd6yqpsVPCivlhGFmPvPaRt/o0AVMuH7Wbwm3+rmOpR1LFfJUtnFcejWVpVNE6BuxuWTdF90EENUStKg3DWV4uspRlQds856GR7pkDblkmAOgWZ7zD3ILS3sF/fLuFLr0=,iv:TCsuetCjhhJc/0K4UQrCD9+zWEVssI6Yx0AQ/+eDSn0=,tag:ZsKZZB5S9bgLIRJBLO/KgQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3