From 974656a80a69a64badd03a15a251efadef6f462d Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 14 May 2023 02:33:21 +0000
Subject: [PATCH] secrets: split lappy.yaml into per-secret files

---
 .sops.yaml | 2 +-
 hosts/by-name/lappy/default.nix | 3 ++-
 secrets/desko/README.md | 4 ++++
 secrets/lappy/colin-passwd.bin | 28 ++++++++++++++++++++++++++++
 4 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 secrets/lappy/colin-passwd.bin

diff --git a/.sops.yaml b/.sops.yaml
index 7f3b36e5..cbfaa5d6 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -32,7 +32,7 @@ creation_rules:
 - *user_desko_colin
 - *user_lappy_colin
 - *host_desko
- - path_regex: secrets/lappy.yaml$
+ - path_regex: secrets/lappy*
 key_groups:
 - age:
 - *user_lappy_colin
diff --git a/hosts/by-name/lappy/default.nix b/hosts/by-name/lappy/default.nix
index bf0c18c5..83454c0a 100644
--- a/hosts/by-name/lappy/default.nix
+++ b/hosts/by-name/lappy/default.nix
@@ -22,7 +22,8 @@
 ];
 sops.secrets.colin-passwd = {
- sopsFile = ../../../secrets/lappy.yaml;
+ sopsFile = ../../../secrets/lappy/colin-passwd.bin;
+ format = "binary";
 neededForUsers = true;
 };
diff --git a/secrets/desko/README.md b/secrets/desko/README.md
index 04f61394..f6b8467d 100644
--- a/secrets/desko/README.md
+++ b/secrets/desko/README.md
@@ -1,2 +1,6 @@
 - nix_serve_privkey.bin:
 - generate with `nix-store --generate-binary-cache-key desko cache-priv-key.pem cache-pub-key.pem`
+- colin-passwd.bin:
+ - see
+ - update by running `sudo passwd colin` and then taking the 2nd item from the colin: line in /etc/shadow
+ - N.B.: you MUST do `sudo passwd colin` instead of just `passwd`, i guess because of immutable users or something
diff --git a/secrets/lappy/colin-passwd.bin b/secrets/lappy/colin-passwd.bin
new file mode 100644
index 00000000..958f406e
--- /dev/null
+++ b/secrets/lappy/colin-passwd.bin
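Review bot: `path_regex: secrets/lappy*` is a regular expression, not a glob, so the `*` quantifies only the preceding `y`: the rule matches `secrets/lapp`, `secrets/lappyy` and, since sops evaluates path_regex as an unanchored search, any path that merely contains `secrets/lapp`, while the old `$` end anchor is gone. Because creation_rules pick the recipients every newly created secret is encrypted to on first match, an over-broad pattern here can silently encrypt unrelated files to lappy's key group. `path_regex: ^secrets/lappy/` (or `secrets/lappy/.*`) states the intended directory; the remainder of this rule's key_groups list lies past the hunk, so the full recipient set cannot be checked from here.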
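Review bot: The regeneration notes for colin-passwd.bin are added to `secrets/desko/README.md` in this commit, while the sopsFile this hunk points at is `secrets/lappy/colin-passwd.bin` and the lappy directory receives no README. If desko does not have its own colin-passwd.bin, that note belongs in `secrets/lappy/README.md` next to the file it documents, otherwise a parallel note for lappy would keep the two hosts' secret directories consistent. `format = "binary";` appears to match the single-`data`-field envelope sops writes for a binary input, so the option itself looks correct. The enclosing attribute set starts and ends outside the hunk.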
@@ -0,0 +1,28 @@
+{
+ "data": "ENC[AES256_GCM,data:W7xHuJ3ho/mHPzKWv0gUdWglfXFzSqpYpIxLXs8lsJB0v3krbAE9qFBmUs6/SHwhoPzbG7rdqtvr3vQ2lb8HSoQT1/KIr6iFnDXmgcHYwWcVphuiVLaoyG0ItWMDB9LM1N40cWxH8oPtDeA=,iv:29TiYxS8rcRbfDKrcNZbyHT4aIuSIBgqLIbgZhDoz3U=,tag:KWxHdYXlTk4Qz5ARNZ00VQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdGN1NWp5MXZzTU9QSFky\nYUVqeDJRUFJHL2M5RUhaOXJGYWZuRFIxMEUwCmRIcUZKV1c0Ym9oS1NiS0cxQW05\ndzlXY1UyZWdKb0RGRWtIZ0g5OGxJWnMKLS0tIFpicm1IYmNubDlEdGNhUVhvNHo2\neVpYNDgrcHkrYk1kSFVmRWY3RklDbjQK3KAogqfqO50ePP0Y4s3MtI8w0WhJ8XLy\nGBh5oBSfRF2ZPi6RkM2orS2KMZ9RYJUvWFxmJ/BXCoWIK6db06e50Q==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRE9rcW9TaCtodGZTNDlu\neU9DV0tiWUNESEVFUjVUQ3Y5RFA5MkZtYVVrClIzK1BtcjlyMUhoNVVYVHJqWHp0\nYmU3MTRMYUVlTEJaWkVlTVpRVU9ZYzQKLS0tIDRzK3NlNS9OQW9oOEhhenN0ZlYx\nT2p1QS9BUGpMY0VPK2hnYUF4VmhUSjAKzvfYXnecRin7PFuM0gD7GZFXO69iHd0E\nibBANVpZzl+8IP4HlCWTtIQqfhWO0vG1jqaWdrk2d3hdR8BHUCvp8g==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWejBzK3FWbklkekxkdmpm\ndlhzYWtpNXZ4dGwwMk85L2JWS3Mzd2t1eFU4ClZ6V25OSEVBNzJVa2NFU2M4VTAr\nQXZqK0s1V0xVaXZqMmVsajdPTTU1a2MKLS0tIEQ4K0VwUDJwTE9melUvYjlSV0V0\nM1ZibDhzTzNhUjN0NCtxUDlTN3hFVzAKlpBaCCRM5a/PsV69QlN4Yuyk3L9omD0a\nZu3T7vFkHU3GgsX3F0Or5ocDdoZiQiax5mu4HXNXIZix+NKypdp9Pw==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-05-14T02:32:01Z",
+ "mac": "ENC[AES256_GCM,data:XoW5mume3kEABRoVr7YHQ6MeL2zyojLoQY5I51rMBcUnoOHbN6YUM1m7helWt/Ctc5oQO5hux79Mpo7zfd94CoWpoxxd8rJppwGefyRjQIld8cPW6iYF5C3z8+u3L6O/sqkBdkO+EG+AXcIH8SzwD4/lwCmhb7b8XLRq6qMxfYQ=,iv:zAkHdws6jylx4lhLfMcjBxgGqJpQ4js2DVKKWtNAiA0=,tag:+//AMU7Bb8ZSNYn2lKskrg==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file
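Review bot: The three age recipients in this envelope are whatever creation_rule matched `secrets/lappy/colin-passwd.bin` when it was encrypted, and the rule this commit gives it is the regex `secrets/lappy*`; whether that recipient set is exactly the intended lappy key group cannot be confirmed here, because the rule's key_groups list runs past its hunk. If that pattern is later tightened or the key group changes, re-run `sops updatekeys secrets/lappy/colin-passwd.bin` so the stored recipients track the rule rather than drifting from it. The sops `mac` covers the envelope, so editing the file by hand instead of through sops will make decryption fail.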