secrets: split lappy.yaml into per-secret files

2023-05-14 02:33:21 +00:00 · 2023-05-14 02:33:21 +00:00 · 974656a80a
parent 318efe09e2
commit 974656a80a
4 changed files with 35 additions and 2 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -32,7 +32,7 @@ creation_rules:
      - *user_desko_colin
      - *user_lappy_colin
      - *host_desko
-  - path_regex: secrets/lappy.yaml$
+  - path_regex: secrets/lappy*
    key_groups:
    - age:
      - *user_lappy_colin
--- a/hosts/by-name/lappy/default.nix
+++ b/hosts/by-name/lappy/default.nix
@ -22,7 +22,8 @@
  ];

  sops.secrets.colin-passwd = {
-    sopsFile = ../../../secrets/lappy.yaml;
+    sopsFile = ../../../secrets/lappy/colin-passwd.bin;
+    format = "binary";
    neededForUsers = true;
  };

--- a/secrets/desko/README.md
+++ b/secrets/desko/README.md
@ -1,2 +1,6 @@
 - nix_serve_privkey.bin:
    - generate with `nix-store --generate-binary-cache-key desko cache-priv-key.pem cache-pub-key.pem`
+- colin-passwd.bin:
+    - see <https://search.nixos.org/options?channel=unstable&show=users.users.%3Cname%3E.passwordFile&from=0&size=50&sort=relevance&type=packages&query=users.users>
+    - update by running `sudo passwd colin` and then taking the 2nd item from the colin: line in /etc/shadow
+    - N.B.: you MUST do `sudo passwd colin` instead of just `passwd`, i guess because of immutable users or something
--- a/secrets/lappy/colin-passwd.bin
+++ b/secrets/lappy/colin-passwd.bin
@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:W7xHuJ3ho/mHPzKWv0gUdWglfXFzSqpYpIxLXs8lsJB0v3krbAE9qFBmUs6/SHwhoPzbG7rdqtvr3vQ2lb8HSoQT1/KIr6iFnDXmgcHYwWcVphuiVLaoyG0ItWMDB9LM1N40cWxH8oPtDeA=,iv:29TiYxS8rcRbfDKrcNZbyHT4aIuSIBgqLIbgZhDoz3U=,tag:KWxHdYXlTk4Qz5ARNZ00VQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdGN1NWp5MXZzTU9QSFky\nYUVqeDJRUFJHL2M5RUhaOXJGYWZuRFIxMEUwCmRIcUZKV1c0Ym9oS1NiS0cxQW05\ndzlXY1UyZWdKb0RGRWtIZ0g5OGxJWnMKLS0tIFpicm1IYmNubDlEdGNhUVhvNHo2\neVpYNDgrcHkrYk1kSFVmRWY3RklDbjQK3KAogqfqO50ePP0Y4s3MtI8w0WhJ8XLy\nGBh5oBSfRF2ZPi6RkM2orS2KMZ9RYJUvWFxmJ/BXCoWIK6db06e50Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRE9rcW9TaCtodGZTNDlu\neU9DV0tiWUNESEVFUjVUQ3Y5RFA5MkZtYVVrClIzK1BtcjlyMUhoNVVYVHJqWHp0\nYmU3MTRMYUVlTEJaWkVlTVpRVU9ZYzQKLS0tIDRzK3NlNS9OQW9oOEhhenN0ZlYx\nT2p1QS9BUGpMY0VPK2hnYUF4VmhUSjAKzvfYXnecRin7PFuM0gD7GZFXO69iHd0E\nibBANVpZzl+8IP4HlCWTtIQqfhWO0vG1jqaWdrk2d3hdR8BHUCvp8g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWejBzK3FWbklkekxkdmpm\ndlhzYWtpNXZ4dGwwMk85L2JWS3Mzd2t1eFU4ClZ6V25OSEVBNzJVa2NFU2M4VTAr\nQXZqK0s1V0xVaXZqMmVsajdPTTU1a2MKLS0tIEQ4K0VwUDJwTE9melUvYjlSV0V0\nM1ZibDhzTzNhUjN0NCtxUDlTN3hFVzAKlpBaCCRM5a/PsV69QlN4Yuyk3L9omD0a\nZu3T7vFkHU3GgsX3F0Or5ocDdoZiQiax5mu4HXNXIZix+NKypdp9Pw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-05-14T02:32:01Z",
+		"mac": "ENC[AES256_GCM,data:XoW5mume3kEABRoVr7YHQ6MeL2zyojLoQY5I51rMBcUnoOHbN6YUM1m7helWt/Ctc5oQO5hux79Mpo7zfd94CoWpoxxd8rJppwGefyRjQIld8cPW6iYF5C3z8+u3L6O/sqkBdkO+EG+AXcIH8SzwD4/lwCmhb7b8XLRq6qMxfYQ=,iv:zAkHdws6jylx4lhLfMcjBxgGqJpQ4js2DVKKWtNAiA0=,tag:+//AMU7Bb8ZSNYn2lKskrg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}