From 4aacdc1ee454c5df49c997a3b51a2b322eab9b09 Mon Sep 17 00:00:00 2001
From: Julian Mutter
Date: Tue, 26 Nov 2024 14:05:15 +0100
Subject: [PATCH] Update sops config
---
 .sops.yaml | 6 +++-
 modules/nixos/sops/default.nix | 35 +++++++++++++++--------
 secrets/secrets.yaml | 51 ++++++++++++++++++++++++++--------
 3 files changed, 67 insertions(+), 25 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index a116ab9..9aaeffa 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,11 @@
 keys:
- - &primary age12x3jgpq5j83rhvxmuu90z99rwnpf8ntu3m87strf856syr6alv2q379k9w
+ - &primary age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
+ - &aspi-ssh age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
+ - &pianonix-ssh age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct
 creation_rules:
 - path_regex: secrets/secrets.yaml$
 key_groups:
 - age:
 - *primary
+ - *aspi-ssh
+ - *pianonix-ssh
diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix
index 08436dc..085a873 100644
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
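Review bot: The three recipients under `keys:` carry no record of what they are or how to regenerate them; the anchor names suggest `aspi-ssh` and `pianonix-ssh` are age keys derived from each host's `/etc/ssh/ssh_host_ed25519_key` (the path default.nix passes to `sops.age.sshKeyPaths`) and `primary` is presumably the user key at the `keyFile` path, but a reader can only guess. I would add one comment per entry, e.g. `# pianonix host key, derived with ssh-to-age from /etc/ssh/ssh_host_ed25519_key.pub` and `# user key kept at ~/.config/sops/age/keys.txt`. Rotating `primary` from `age12x3…` to `age1ee5…` only changes who can decrypt this revision; every earlier revision of secrets/secrets.yaml in git history remains readable by the retired key, so if the rotation was prompted by exposure of that key the secret values themselves (passwords, wifi PSK, syncthing key) need replacing as well. Note also that one key group on a single file means each host key can decrypt the other host's password and syncthing key; if that is not intended, split the secrets per host into separate files with their own `path_regex` rules so a compromised host exposes only its own.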
@@ -24,23 +24,34 @@ let cfg = config.modules.sops; in { - imports = [ inputs.sops-nix.nixosModules.sops ]; - options.modules.sops = { }; config = { - #sops.defaultSopsFile = ../../../secrets/secrets.yaml; - #sops.defaultSopsFormat = "yaml"; - #sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt"; + sops.defaultSopsFile = ../../../secrets/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + # Automatically generate age key from ssh key + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + # This is using an age key that is expected to already be in the filesystem + sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt"; + # Generate key if none of the above worked. With this, building will still work, just without secrets + sops.age.generateKey = true; # List of defined secrets - #sops.secrets."aspi/password" = { - # neededForUsers = true; - #}; + # They all become files linked inside the "/run/secrets/" directory + sops.secrets."wifi/pianonix" = { }; + + sops.secrets."password/aspi" = { + neededForUsers = true; # necessary for setting password + }; + sops.secrets."password/pianonix" = { + neededForUsers = true; # necessary for setting password + }; + + sops.secrets."syncthing/pianonix/key" = { }; + sops.secrets."syncthing/pianonix/cert" = { }; + sops.secrets."syncthing/public-keys/aspi-nix" = { }; + sops.secrets."syncthing/public-keys/pianonix" = { }; - # sops.secrets."aspi/syncthing/key" = { - # neededForUsers = true; - # }; - # sops.secrets."ngrok/terraria" = { }; }; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 9fbecfb..aa69515 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
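Review bot: The comment above `sops.age.generateKey = true` overstates what the option does: as far as I know sops-nix generates a key at `keyFile` only when that file is absent, irrespective of whether the SSH-derived keys worked, and a freshly generated key is not a recipient in .sops.yaml, so nothing decrypts with it; the failure also surfaces at activation, not at build time. I would reword it to `# If keyFile is missing, generate a fresh age key there; its public key must be added to .sops.yaml before any secret decrypts with it`. `sops.age.keyFile` points into /home/julian while decryption runs as root during activation, and the two `neededForUsers` secrets are decrypted early, before users exist; on the two hosts the host SSH key already listed in `sshKeyPaths` (which `aspi-ssh`/`pianonix-ssh` in .sops.yaml appear to be) should suffice, so the home-directory key is worth documenting as a dev-machine fallback or dropping, since it is a second decrypting identity to protect and may not be readable if /home is a separate or encrypted mount. The `/run/secrets/` comment does not hold for the password secrets either: with `neededForUsers = true` they land under `/run/secrets-for-users/` (as far as I know), and the comment should state what the value is, e.g. a crypt hash consumed via `users.users.<name>.hashedPasswordFile`, so nobody stores a cleartext password there.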
@@ -1,24 +1,51 @@ -aspi: - syncthing: - cert: ENC[AES256_GCM,data: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,iv:n/8CkSiZu666RcOtMXB+Fg5rU2Un77OhxD0wtwfRNYc=,tag:Gy5i2UbBpckO6beyn8gv6Q==,type:str] - key: ENC[AES256_GCM,data:81YkG2zWuYIrpC9BMm/+79Ad7gXLHqHqtxnNbUox7E/oii9nNlbR4YqQJfegkDijrV/PK+UjgeiySHfxUzH0MFnVQ4XTDVFiuQ31s1ft/TZlZmOs7JmElc2i8AbdJM31+NCLoH8nDxGOcoqfErFmf4hbRFprnamItYrDqjq/vIbtPbpjm2cTZw3qwKT1HTPpZfvM6b2xDBd9BqjaoOqwhRUVg45Z0gjKXyKqMv0d9JfpoY5lGp6x6SoSlIzM+a5CpKM3v5I1lxN6DtAlh8hO/dCJZCkXCjuIgWWhl3DVol3h6XzDeNsUvgmjhMSjMmEg4utpIMAYzDCTF5GzHyogPdrhqSejnHG1Y6GQnYqniwobabU/6tcY/6nTkLjMpSbM,iv:Nn5LpyxvsvHnxY39Bg205chZ4nhNsHbBstGcJ2Nf2mc=,tag:fslhHkp3gspRnNZNlA7fbg==,type:str] +#ENC[AES256_GCM,data:NSxfTl2hTXEoGl23aQnElG+df/1YzA==,iv:+oy9oITMGzdM2muDUPjwxJqUu1Bdyregl65/0hiulZ0=,tag:VKjforpyahKj0ktIN36gNw==,type:comment] +wifi: + pianonix: ENC[AES256_GCM,data:Ty1wElfVj+CU9bTbpuYIk2dA4fgFm59PkQGqvODn51Q=,iv:bLomyTlOW2Z4rPbue7Klo6Jt5lR+44AuL+dIMFgDNAE=,tag:DuH2ayeb19dkPi9xmbAu3A==,type:str] +password: + aspi: ENC[AES256_GCM,data:vh7eCsrz2VSn/DLLSG7p3Qn/OGWkVo4+54GpkukOwJ4G+jaE4wrIsKBGxON1uIxWLcR1LkR7g4vZc/sY1D+4JvDlvBfjzGKPkw==,iv:Jwk2THv0V3jsFbEIBJnGMlSOR89yaVKOW97fpgfAWcM=,tag:1WQMM9i3yL20hUJ+VvCTIA==,type:str] + pianonix: ENC[AES256_GCM,data:BWTSuDE2YozRKuK4PW0vhIzojTCi0qb0dChiiNvjv/D+71TsnZ8NuWlasY/2OBfv1VgID4xFWDqBvD7BgVh+/rvVnE544UzaiQ==,iv:On1J//kCuVvpPyj+NyWu7lyMzr7I/ouWGzL9xDbT+wo=,tag:RO87P4YgMjmD8TzgGJvwrw==,type:str] +syncthing: + public-keys: + aspi-nix: ENC[AES256_GCM,data:ZTykdQCyh4DMuQUCy1DSKsGNxxn1dinaqztpDdJY53pkWcW4YcWRHk94iGJQZgG1oLfr3AB2S3J6b9w2WuV3,iv:9z2ovHzq6JjRtHzNMIQtcUCinIjG/ImSGqqC7KPhpuw=,tag:No2LCjD+XXB77Su+s98MIA==,type:str] + pianonix: ENC[AES256_GCM,data:pUJPXH47VG363aIoxZwmbVe3uBoO7EO2TflK4f761C7PwD0tFNthZt9HRE6gQXAMQMF6qWzNK3CNGspSzKsE,iv:E89oz8BG5iQW/mRzdxSrYewGeVLiCrTcAF+c9ny6gPc=,tag:rLqwUmFDsaOMClR1tbE1sA==,type:str] + pianonix: + key: 
ENC[AES256_GCM,data:IaCXIRDMWCHj3lTKpkLg1Nd3pX4bktWg4WjZPGKgTBCLVkMi/SDtlaoNhDz+a+Vt6jYTXHS4exFnIVJ878nWSrA1sD2NHXmfsMh1kkLhub68qv0M33dBXvgX0vQ51Z1WMoti73yDUjJH8Ym5yF/SCg2+RbkVf+4pe2hSlAzwkGP6YC2rbCE5sZG31C55MkaGC6zwo2ZpZXdVhCW845SqAc11cF/OeEHb9B1FS3rd+El7rlJHrIEVQTkomNLshcspb13H0z3vNhtfu9pPkGxee8Hp/hEhFQ+waWBAg4w15yKihjHJmhzdjhDHCilvwYaceb7b5OwARuuiruQ+cJ40bdnStDpi2ouP8QJjEi7tmKWeplZ0X70PVZJFH/e/mTH5,iv:3hQMB4ka31w3chXXwjl/1IHF8ES/RobZVeugMC3ddlU=,tag:j8wwrNQUQbCEGtcriSpc4g==,type:str] + cert: ENC[AES256_GCM,data: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,iv:X9VNz2nsN4ywu3E0c+agwZCl43I4bt6jHz0jMoMFTJQ=,tag:RZUWa4h5JoIiZaDrYgcAeg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age12x3jgpq5j83rhvxmuu90z99rwnpf8ntu3m87strf856syr6alv2q379k9w + - recipient: age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByL0l4a0ZHcjFEQk5ETXk0 - dlZJWktVS2pQVjBoZkxyNlo0R3pMM2JkdTNJCk11VEs0U0xleFI3dGkrZEVwWWtz - S1dOV1NYcEtOMFFkMWVhM3poNXhTdVkKLS0tIEp2Zk4wanp2M0pIT1Y1eDBYbW1y - NUNKTTA1VGhOVFRiV0RDSDJGREgzWFUKvW4A3/CPoTGb6gdrbEQN9NgXSQ+L4wXp - NOxR56TemX6fmSZhQU7wyxMmD1rZ64b9cIedauEWr91iYbKjhNpw2A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTY3lFZlIyRnZOMzNQdnJ2 + Z0xQQnY1eHFYekVMV3M0UE5hK2xkbStveFRnCncwVVduSEFFQkpwME5XQzF2Z0tK + MnhFQ3ZZMk51aGJHUmJFbHA4d1dmdkEKLS0tIHBkVEhaZEY5ZGtYcXRkZzREa0xR + eUNsNjE2VS9MTjNtYWluUjJhYXVuTmcKq175s9vx1tPVS+voO+HSkyaT+GbjC/Z+ + PyKVKyqFAJCRcNP2byaFgAHjXtDFZdipt/0lbw+4UfHrZGpn+9B59Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-12T17:14:51Z" - mac: ENC[AES256_GCM,data:XiTeyln5B9lpxUr903mSNBlCw9EsJwQEDVV18NMdHJ3e6Ryq+VkSVYOB60rl2E4C9KiFnh+ibU6KnSmi+bpWBKZ2KjkqxK7jhLnD3FdWFvruJKwf+SZxhd1UAKYjT7yssvQLc971ExVk18zFHRLJwPoPE8ukU9cixlA5PjDUbbY=,iv:w1t+4noBUhirZCcp4FgNQw6Ip+P58OW7HgR39vcOjoY=,tag:bZWznsdm3edevNyZSeQLgQ==,type:str] + - recipient: 
age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRmxCNUE4MTdZNWlOcmxX + RmhDS2NpQ0hoWG83SDlIeVhXaFdxNE4yTUVzCkRxS3M5aU5mdWZkYnpNeC9YR3BX + N1NEdzlyTm9YT3NQSnowWTZUc1FvYWsKLS0tICs2OVo2djNjUW0yOG41ZTJQeFFB + djFENU5USG1QSnRVdlErN1h5bXJhYzQKPDvAHIMR/vT47zbeK3NsS+jSl4HSFRIA + NbSKwTbEGn963metTh4HJItdWBAOyiCc3l1Ye49ms9JhYM8n4wHLRQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeHJ3NmMzaTh0Zm13Vm1r + RmNtMi9FYmJGUmxXeEppM3Fnazl1NTl3ajJjCjFrbXM4WGdOV05qckhkbjlSODZR + a0VuakllVTdOc2Uxd3BqRmtsN3NJdHcKLS0tIHRRMXFEcWNZOFE4dFJycGdGTzdP + WittUTFFNU5kUWdGcncwdWRQSi9STTgK3GuwolsItCEt3Dh5Lycb8TjfaHTuV/JB + P2KSuVsbgjYuCJSknYmSZ+9gdTYC8cVqDnKo7HYFNrCDHZ0P4QwGSg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-25T10:20:02Z" + mac: ENC[AES256_GCM,data:5bw+S6T99ZxY9jWtlfShtQLwgl5OusHU1tXQ88iVW3EmWAiGLEr8/45S0DtQfjz9rmaEpMwa0ZC7kyXgubE7RopxirG7p5w6h/S0G8nJk0SPPKL/mvTL0cfdeOEGSNfVZNcScCVXZ/if3TZzVZQ+dsNkUWXN7bDYqrJO3dfVk30=,iv:1xm9L708K1Q6WzfZKNlJavLK24lsoBzU1qTRLg9APjs=,tag:GWwNBSiNl9EUYOt1Vn10/g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1