From 83f91a7016fa25088c79019c6c534271d62b12c3 Mon Sep 17 00:00:00 2001
From: Zynh Ludwig
Date: Tue, 30 Jul 2024 21:47:01 -0700
Subject: [PATCH] sops: host level module
---
 .sops.yaml | 6 +++++-
 modules/sops.nix | 25 +++++++++++++++++++++++++
 secrets.yaml | 25 ++++++++++++++++++-------
 3 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100644 modules/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index bc2151e..11b2a72 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,11 @@
 keys:
- - &ravenshade age1zgd7qpj7vc4gjtetttqgp32aw75fmnjrw6ax2x2meul2w4jclytszvutdd
+ users:
+ - &ravenshade age1zgd7qpj7vc4gjtetttqgp32aw75fmnjrw6ax2x2meul2w4jclytszvutdd
+ hosts:
+ - &snowhawk age1s549sffdhu2yyfk9h06hhks7xc4mqq9a6k53dleurr7y3rmuudpqwz24gv
 creation_rules:
 - path_regex: secrets.yaml$
 key_groups:
 - age:
 - *ravenshade
+ - *snowhawk
diff --git a/modules/sops.nix b/modules/sops.nix
new file mode 100644
index 0000000..82563a9
--- /dev/null
+++ b/modules/sops.nix
@@ -0,0 +1,25 @@
+{ lib, config, inputs, ... }:
+
+let
+ cfg = config.snowhawk.sops;
+in
+{
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ options.snowhawk.sops = {
+ enable = lib.mkEnableOption "sops";
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops = {
+ defaultSopsFile = ../secrets.yaml;
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ };
+ };
+}
diff --git a/secrets.yaml b/secrets.yaml
index 9573dde..c166f35 100644
--- a/secrets.yaml
+++ b/secrets.yaml
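Review bot: `path_regex: secrets.yaml$` in the creation rule is unanchored at the start and leaves the `.` unescaped, so any path ending in something that matches `secrets?yaml` (for example a `foo-secrets.yaml` anywhere in the tree) is also encrypted to this recipient set; tightening it to `path_regex: ^secrets\.yaml$` limits the rule to the single file this commit re-keys. The hunk also adds `*snowhawk` to the only age key group, so either identity alone can decrypt the whole file, which is the intended host-level access but worth stating. A short comment above `hosts:` such as `# age recipient derived from the host's SSH ed25519 key (see modules/sops.nix)` would make that relationship explicit; that derivation is inferred from the `sshKeyPaths` setting in this patch, not stated on the page.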
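Review bot: In the `sops.age` block, `keyFile = "/var/lib/sops-nix/key.txt"` together with `generateKey = true` sits next to `sshKeyPaths`, so on first activation the host would presumably get a freshly generated age identity at that path in addition to the identity derived from `/etc/ssh/ssh_host_ed25519_key`; that generated key is not a recipient in `.sops.yaml` (only `ravenshade` and `snowhawk` are), so it can decrypt nothing and is one more private key on disk to protect and back up. Unless it is meant to become a recipient later, dropping the `keyFile` and `generateKey` lines and relying on the SSH host key alone keeps a single host identity to reason about. The new file also has no header comment; a one-liner at the top such as `# Host-level sops-nix wiring: enabled via snowhawk.sops.enable; secrets in ../secrets.yaml are decrypted with the host SSH ed25519 key` would help the next reader. Naming the option `snowhawk.sops` ties a host-level module to one host's name, so if other hosts are expected to import it a host-neutral namespace reads better.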
@@ -9,6 +9,8 @@ locations:
 snowhawk:
 lat: ENC[AES256_GCM,data:N7CsvQ==,iv:BfSp2jXBZDEEyNHhpo3SAwEVIWI0timAT2S1l76ODn0=,tag:Mf99+rM/m3Wh8BmmITKjpg==,type:str]
 lon: ENC[AES256_GCM,data:dITeYwVzSA==,iv:s+St+As7wgAaUf8/qnAdCM932WY5c9S0qUFhUlzx3W0=,tag:iqqPhmHZ+t+CRZPdZxYVxA==,type:str]
+passwords:
+ ravenshade: ENC[AES256_GCM,data:U0s7qQ4+JI6uzrNygzvMvlBM/W+swtAu6V/iQ1Ggcqq+KJrfrwgVhew7i/E0i8Z5JqSlfeeFGpwptanM0NKKINXYk1h5wF30eA==,iv:KNgx4HfHNi8i8kHBtA9ITy8q+5C8QqAgR69CXB7WPWM=,tag:edRqEMuzNA7aTrCmUCuF3w==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -18,14 +20,23 @@ sops:
 - recipient: age1zgd7qpj7vc4gjtetttqgp32aw75fmnjrw6ax2x2meul2w4jclytszvutdd
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOGRXY1JMN20wK2tvbmNU
- eVQ4YitPUVRzZkRubnFORU1oemVkZVRSUW1nCnp2eFBoUjhsVXprMnllVCtZK29K
- ajJ6VUJDeXlabjJ3ZDhGWC84aDh6ZzAKLS0tIEdPTnl6bHpOcE1XVVN1WU9EUkZm
- SjZNOWNndEIrMDFZRnV3QlRheklvMncK5n4lzgSrEDQ0M8m4SAslQvl2vq39owY9
- s3SrXYCvQo6nsKKJMgaN0fnrSqxdSLbnrDYFchaF2fhdXozR8508PA==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaUZNVnZaV3Z6WG9zVmw1
+ d0tXNlp0OWVHaHp4OFpNTG1GdStMdUlGakhFClg0TS9RZkFjSlFkUFlXOHRQbm1X
+ NlZDa0JrMDhQOGM2MWVPRjE2VDBDSDAKLS0tIGg3aWVLTm9DQ2Q0dkdoaFFibHlP
+ MGgveEdDb1laY3NhUkRyOVVuME9OVlkKUpTeucratE3vrdsHa/Sm0s0ygwD2UBZ7
+ 5wNykjQUGUG+7OluUlWrwvnmgzyYKS0BM3BD0NjpzTS4OiSB6VYD5g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-07-28T14:01:07Z"
- mac: ENC[AES256_GCM,data:rxpnMQthkIv2ucefdcEK2bRRN5a+auEsPlItX8QT3GpDI24X/ra+UmszqMIQsxai77KQRBh+flTzuYt+XHzJH5QNVkdxPdV/YLLtlrFZ2iGm5kVkLZ0PDU+O9GHlx8oAB0fxosbq6xYd6nuEwwSNVmiEnPnXdjmu02rkdg8PFfw=,iv:cl0UgfVOspnqaXX2Ipy1h4TDj01p7lIa0zGTSQwCnl0=,tag:sCRcLgBVmC3PAct4qr5uWQ==,type:str]
+ - recipient: age1s549sffdhu2yyfk9h06hhks7xc4mqq9a6k53dleurr7y3rmuudpqwz24gv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRVphSzg4NEZWenBWSGY3
+ L3A5QTVuMFVBOVdrRHlRY3ViK2xjcFpTVkdnCnlCV0dHMmVlRTllbnRpQTdJaVQr
+ QjFXV1lPV1N4TEZxL05WaStDYmlRRTAKLS0tIFZSdkdTT3JyQmlqZVNEWDRwSFln
+ Nk1jNmhBV2hFcFVXaVl0TE02L290NDgKq0JV2vKnHUio0d6p8Wo29skOdq1uzjGh
+ ViIFNODIG8pPVsXQZqCXDWgZIVsAwbavS43d4wkg8iSZ4h6o6sC23Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-07-31T04:34:15Z"
+ mac: ENC[AES256_GCM,data:cgZUtls4VWsbWJp4kdQn4Qj39owxOYX0Ujl7V6fQJ2+NAefyGFhh396Q9uss00N7N6gR8cUNnhUBHjuxr/9AE1afzirQxTBbvmNtf57YFhty709yB3nJWgfuBy2WtgfVi26e5BZiRW+2WBREocAR71TIVm6fiyrn1iq0EaqL1yA=,iv:g6yJUQl5eR2OGmhjvileIITSx3zSyhFou2p8/pYFlLQ=,tag:dX3Yy1RiYyZI8eda8bvBrg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0