Add sops

2022-01-14 15:13:55 +01:00 · 2022-01-14 15:13:55 +01:00 · 8f7ca40b9d
commit 8f7ca40b9d
parent a3246f97c1
6 changed files with 52 additions and 4 deletions
--- a/.sops.yml
+++ b/.sops.yml
@ -0,0 +1,9 @@
+keys:
+  - &lotte age1k5emdjljm5amrquky2tn3khqt38wq62s797nujxuhp8j6x7k5p0sedv0q2
+  - &nixos-8gb-fsn1-1 age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl
+creation_rules:
+  - path_regex: secrets/nixos-8gb-fsn1-1/[^/]+$
+    key_groups:
+      - age:
+          - *lotte
+          - *nixos-8gb-fsn1-1
--- a/config/default.nix
+++ b/config/default.nix
@ -3,6 +3,7 @@
    ./zfs.nix
    ./users/darkkirb.nix
    ./nix.nix
+    ./sops.nix
  ];
  services.openssh.enable = true;
  environment.systemPackages = [ pkgs.git ];
--- a/config/sops.nix
+++ b/config/sops.nix
@ -0,0 +1,5 @@
+{ config, ... }:
+{
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.defaultSopsFile = ../secrets + "/${config.networking.hostName}/config.yaml";
+}
--- a/flake.lock
+++ b/flake.lock
@ -22,11 +22,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1642154755,
-        "narHash": "sha256-hutfaWfSjrZgcJrLx7cpqofxv6By0pEU4K2xrGGgdPU=",
+        "lastModified": 1642167199,
+        "narHash": "sha256-KvwIaVwoa90jn8E0PhHlpnLxRHQFKb7nfpE0t8KCokU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c9101439cd6e924ee1e09888e0a110973ec56dfa",
+        "rev": "790b76e23d6ec303916e190b5400b27e7ca82620",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -8,7 +8,7 @@ rec {
  inputs.sops-nix.url = github:Mic92/sops-nix;
  inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";

-  outputs = { self, nixpkgs, ... } @ args: {
+  outputs = { self, nixpkgs, sops-nix, ... } @ args: {
    nixosConfigurations =
      let
        systems = [
@ -24,6 +24,7 @@ rec {
              modules = [
                (./config + "/${name}.nix")
                ./config/default.nix
+                sops-nix.nixosModules.sops
              ];
            };
        })
--- a/secrets/nixos-8gb-fsn1-1/secrets.yaml
+++ b/secrets/nixos-8gb-fsn1-1/secrets.yaml
@ -0,0 +1,32 @@
+network:
+    wireguard:
+        privkey: ENC[AES256_GCM,data:+avWYsJmrVYFnwi6T6NqQiXH1U+q3DsvMUT+pG4P2zJ+typzA3dQ+85HBVc=,iv:mdf2+p+7FOUPUNAmfS+CAMkw6xTHrjxQDTVDAHF4qbA=,tag:Ano//8t7dDjqfFVmdQXsfw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1k5emdjljm5amrquky2tn3khqt38wq62s797nujxuhp8j6x7k5p0sedv0q2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4akg2SDcvV1d2Q1JaRWxS
+            clV4YlY4aWUrY1U3ejIxSTQrSmNrQzE1bm5RCldJeGxFdEpzVzFzSVZEczdIeHJD
+            MDl6TlJUUTBmcjE3UVBRYSt5eTZWbUEKLS0tIHZ6b1ZyQXNSWWZoZHRPSm5FdWN4
+            ZkZVdk5jL0xxT3haRFg0WVJCNXJHYkUKlHrEyD0atydLMEX3S9F6b897G1YY88zu
+            l6gfV2/si4TXJPUwhfJej56RLq40i2uA2ZQT/I3XMccojMm5DvtS0A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSGxIb2VFQ1BqWU9BWng2
+            NHhRc1A4TlZtTlhtYlNFYWczaUsxbW90bXpzCkRGYWVScXZkVFFuRVV2RGdJbW1B
+            ZzFFYUNzMHdpSTIzQnh5c2RaYUw5cTAKLS0tIDRLQ211Z3JuUE9DaUZGWWh5S1VS
+            QkkzbUVrVWtYMWhLa0N5MzJ2KzV4MW8KEAtd2cnwNH01rYUFr+qWyAhHvUsqsxXg
+            not2RQLEIGbo80Z7CMIwqCIpUYOL4m70KlEKrFzflXFbOFX2en82iA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-01-14T14:10:36Z"
+    mac: ENC[AES256_GCM,data:IJi2TNEG41bgjekGE67iwQrt1ZlmtN7QS8A4M4i417hao+g7IORArXSHDRTWrYT0Gw9xE7NEWtrnRue9ompPcgTV1bGt0Re2EAB+5TI4/7fFbxuIvpYZqhqIFUFEmOyYl+QqkvUH6yKdfdsVj4WgVI8mucxF890F5cWJ1abMaww=,iv:Rr9R3whv7gdBcj/nrsmqTm/JhqvhzdIgMh/Q8EFKP1s=,tag:sFlL5fyP/HWckrmZSgj5zA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1