80 lines
2.7 KiB
Nix
80 lines
2.7 KiB
Nix
# SOPS configuration:
|
|
# docs: https://github.com/Mic92/sops-nix
|
|
#
|
|
# for each new user you want to edit sops files:
|
|
# create a private age key from ssh key:
|
|
# $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
|
|
# if the private key was password protected, then first decrypt it:
|
|
# $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
|
|
# $ ssh-keygen -p -N "" -f /tmp/id_ed25519
|
|
#
|
|
# for each user you want to decrypt secrets:
|
|
# $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
|
|
# add the result to .sops.yaml
|
|
# since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
|
|
#
|
|
# for each host you want to decrypt secrets:
|
|
# $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
|
|
# add the result to .sops.yaml
|
|
# $ sops updatekeys secrets/example.yaml
|
|
#
|
|
# to create a new secret:
|
|
# $ sops secrets/example.yaml
|
|
# control access below (sops.secret.<x>.owner = ...)
|
|
#
|
|
# to read a secret:
|
|
# $ cat /run/secrets/example_key
|
|
|
|
{ config, lib, sane-lib, ... }:
|
|
|
|
let
|
|
secretsForHost = host: let
|
|
extraAttrsForPath = path: lib.optionalAttrs (sane-lib.path.isChild "guest" path && builtins.hasAttr "guest" config.users.users) {
|
|
owner = "guest";
|
|
};
|
|
secretsInSrc = (
|
|
if builtins.pathExists ../../secrets/${host} then
|
|
sane-lib.enumerateFilePaths ../../secrets/${host}
|
|
else
|
|
[]
|
|
);
|
|
in sane-lib.joinAttrsets (
|
|
map
|
|
(path: lib.optionalAttrs (lib.hasSuffix ".bin" path) (sane-lib.nameValueToAttrs {
|
|
name = lib.removeSuffix ".bin" path;
|
|
value = {
|
|
sopsFile = ../../secrets/${host}/${path};
|
|
format = "binary";
|
|
} // (extraAttrsForPath path);
|
|
}))
|
|
secretsInSrc
|
|
);
|
|
in
|
|
{
|
|
|
|
# sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
|
|
sops.gnupg.sshKeyPaths = []; # disable RSA key import
|
|
# This is using an age key that is expected to already be in the filesystem
|
|
# sops.age.keyFile = "/home/colin/.ssh/age.pub";
|
|
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
# This will generate a new key if the key specified above does not exist
|
|
# sops.age.generateKey = true;
|
|
# This is the actual specification of the secrets.
|
|
# sops.secrets.example_key = {
|
|
# owner = config.users.users.colin.name;
|
|
# };
|
|
# sops.secrets."myservice/my_subdir/my_secret" = {};
|
|
|
|
sops.secrets = lib.mkMerge [
|
|
(secretsForHost "common")
|
|
(secretsForHost config.networking.hostName)
|
|
{
|
|
"jackett_apikey".owner = config.users.users.colin.name;
|
|
"mx-sanebot-env".owner = config.users.users.colin.name;
|
|
"transmission_passwd".owner = config.users.users.colin.name;
|
|
}
|
|
];
|
|
}
|
|
|
|
|