diff --git a/.sops.yaml b/.sops.yaml
index 4448b8b..308fc0c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,37 +1,55 @@
-# This example uses YAML anchors which allows reuse of multiple keys
-# without having to repeat yourself.
-# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
-# for a more complex example.
 keys:
 - &malte 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
 - &helix-texta age1n5cse9mz50hxc2syzpjhkw9kar3eq9lr00ju4el9fu32nvqjzq5s5j4r4j
 - &elysia-clarki age1gg85h42mndpuc5qpxg2a794pj9szp6g020ry05tmy9rxgh2aa4asq4vfh4
 - &achatina-fulica age1320r0g70sgmprz0dzk9n7nkuhcmf3ju0pmv002mgd5rgghvazyxqtt9c80
+ - &trochulus-hispidus age1un55h66zlhm4vmf7800q0c5n24zwpwvyllhmu68x33kkf2kwu9dsts8ztg
 creation_rules:
 - path_regex: secrets/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *malte
 age:
- - *elysia-clarki
 - *helix-texta
- - *achatina-fulica
- - path_regex: secrets/elysia-clarki/[^/]+\.yaml$
- key_groups:
- - pgp:
- - *malte
- age:
 - *elysia-clarki
- - path_regex: secrets/helix-texta/[^/]+\.yaml$
+ - *achatina-fulica
+ - *trochulus-hispidus
+ - path_regex: secrets/hosts/helix-texta/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *malte
 age:
 - *helix-texta
- - path_regex: secrets/achatina-fulica/[^/]+\.yaml$
+ - path_regex: secrets/hosts/elysia-clarki/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *malte
+ age:
+ - *elysia-clarki
+ - path_regex: secrets/hosts/achatina-fulica/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *malte
 age:
 - *achatina-fulica
+ - path_regex: secrets/hosts/trochulus-hispidus/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *malte
+ age:
+ - *trochulus-hispidus
+
+ - path_regex: secrets/users/malte/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *malte
+ age:
+ - *helix-texta
+ #- *murex-pecten
+ - path_regex: secrets/users/marie/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *malte
+ age:
+ - *trochulus-hispidus
diff --git a/hosts/achatina-fulica.nix b/hosts/achatina-fulica.nix
index c81e77a..3ac1073 100644
--- a/hosts/achatina-fulica.nix
+++ b/hosts/achatina-fulica.nix
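Review bot: The placeholder `#- *murex-pecten` under the `secrets/users/malte` rule aliases an anchor that `keys:` never defines, so uncommenting it as-is would make .sops.yaml fail to parse; either add that key to `keys:` in the same change or turn the line into a plain comment such as `# TODO: add the murex-pecten age key once it exists`. The two `secrets/users/*` rules encrypt a user's secrets to one specific host's age key (helix-texta for malte, trochulus-hispidus for marie) without the path saying so; a one-line comment on each rule, e.g. `# only decryptable on helix-texta`, would keep that coupling visible when hosts are re-keyed. The shared `secrets/[^/]+\.yaml$` group gained *trochulus-hispidus, which only takes effect on already-encrypted files after `sops updatekeys`; no file matching that rule appears in this commit, so presumably none exists yet. The dropped header about anchors could be replaced by a single line like `# entries in keys: are reused below via *name aliases` so the file stays self-explanatory.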
@@ -27,7 +27,7 @@ systemd.services.glados.serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
- sops.defaultSopsFile = ../secrets/achatina-fulica/secrets.yaml;
+ sops.defaultSopsFile = ../secrets/hosts/achatina-fulica/secrets.yaml;
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 # This is the actual specification of the secrets.
 sops.secrets.gladosEnv = { };
diff --git a/hosts/helix-texta.nix b/hosts/helix-texta.nix
index d46dd54..48d7fb3 100644
--- a/hosts/helix-texta.nix
+++ b/hosts/helix-texta.nix
@@ -194,10 +194,15 @@ in {
 services.fwupd.enable = true;
 services.devmon.enable = true;
- sops.defaultSopsFile = ../secrets/helix-texta/secrets.yaml;
+ sops.defaultSopsFile = ../secrets/hosts/helix-texta/secrets.yaml;
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- # This is the actual specification of the secrets.
- #sops.secrets."multimc/clientID" = { };
+ # TODO: Improve this
+ sops.secrets."restic-backup-malte" = {
+ sopsFile = ../secrets/users/malte/secrets.yaml;
+ owner = "malte";
+ mode = "0400";
+ key = "restic-backup";
+ };
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
diff --git a/hosts/trochulus-hispidus.nix b/hosts/trochulus-hispidus.nix
index f30e436..35d4ee0 100644
--- a/hosts/trochulus-hispidus.nix
+++ b/hosts/trochulus-hispidus.nix
@@ -57,6 +57,16 @@ fontconfig = {
 enable = true;
 };
 };
+ sops.defaultSopsFile = ../secrets/hosts/elysia-clarki/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ # TODO: Improve this
+ sops.secrets."restic-backup-marie" = {
+ sopsFile = ../secrets/users/marie/secrets.yaml;
+ owner = "marie";
+ mode = "0400";
+ key = "restic-backup";
+ };
+
 # Regularly clear the store, since the storage is quite small
 # The store is optimized ~04:00, so let's clear it before that
 nix.gc = {
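Review bot: The comment `# TODO: Improve this` above `sops.secrets."restic-backup-malte"` in the helix-texta hunk says neither what needs improving nor what the secret is, so it will not help the next reader; replace it with something concrete such as `# restic credential for malte's backups; kept in the per-user file, which .sops.yaml encrypts to this host's age key`. The declaration reads key `restic-backup` from secrets/users/malte/secrets.yaml, but the new secrets/hosts/helix-texta/secrets.yaml in the same commit also carries a `restic-backup-malte` entry that nothing in this hunk declares — if that is the same value it is a second copy to rotate and can presumably be dropped. The same placeholder TODO appears in the trochulus-hispidus hunk. The enclosing attribute set starts and ends outside the hunk.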
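Review bot: In the trochulus-hispidus hunk `sops.defaultSopsFile` points at `../secrets/hosts/elysia-clarki/secrets.yaml`, another host's file; .sops.yaml encrypts that path to *elysia-clarki rather than to the trochulus-hispidus key this host loads through sshKeyPaths, so any secret added there would not be decryptable here, and the file is created empty in this commit while no secrets/hosts/trochulus-hispidus/secrets.yaml exists at all. Change it to `sops.defaultSopsFile = ../secrets/hosts/trochulus-hispidus/secrets.yaml;` and create that file, or drop the defaultSopsFile line since the only declared secret sets `sopsFile` explicitly. The enclosing attribute set starts and ends outside the hunk.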
diff --git a/secrets/achatina-fulica/secrets.yaml b/secrets/hosts/achatina-fulica/secrets.yaml
similarity index 100%
rename from secrets/achatina-fulica/secrets.yaml
rename to secrets/hosts/achatina-fulica/secrets.yaml
diff --git a/secrets/hosts/elysia-clarki/secrets.yaml b/secrets/hosts/elysia-clarki/secrets.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/hosts/helix-texta/secrets.yaml b/secrets/hosts/helix-texta/secrets.yaml
new file mode 100644
index 0000000..39704cc
--- /dev/null
+++ b/secrets/hosts/helix-texta/secrets.yaml
@@ -0,0 +1,41 @@ +restic-backup-malte: ENC[AES256_GCM,data:EvXMU+x2BEjxIuaxXor5cEx12FQcyNQ4dNCG0055oM+dp18=,iv:TtxhGd7phZt0Bvm8ggo5GOWn6qMVoDtIHXmimoGTinc=,tag:/8PYj6cLgYvf/2xjUgf1hQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n5cse9mz50hxc2syzpjhkw9kar3eq9lr00ju4el9fu32nvqjzq5s5j4r4j + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYOEtQRmNNRExscGtXNVlN + WEZjU1ZkRkFIaE1jTk1HYkYvRWpTbnRuQm0wCmMvQkJxMGEwcXlWbXJ2UGl4ZkRr + aFZIMWpTdlNVWkcvNXJxcU1CcWg1cDAKLS0tIGNPWEFKc1NEaWdId01MK2pvRXVZ + NnZ2bHRWZ1RlYmwxRmMrWE1yVTNzUmsKJkvy5uq+xy3ezc2kJA9KSYj9WeHzqbwA + N3eJC0qJgx+F1pqty/Xl2PxjqYFmxAxx+creu9kD/RS+mo1jYNmwxw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-01-13T17:34:43Z" + mac: ENC[AES256_GCM,data:y5nOxKQ6ltlUgRx9LTr3FxVhpjf3dtHJa0JO+MwuqxK04Ry4E3sfWkGiEv2wpPmOmXwfxM4yRSfho7S0P7fjr45OBHeyFpT+a8r8fNV1X1kHM/rfTXJShqOEAXhZLCq2Qfiqq5v2JniQGx/agyQSyVq5xnQwfgjSMqeFdU35Dag=,iv:nXFepk8hg/K9fwQnEtbW/isEGO+5//qeb22QUvdV010=,tag:LxFBNZzPCFiRDcglN950sw==,type:str] + pgp: + - created_at: "2022-01-13T17:33:57Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/qNfAqOZjDMAQ/+Jp35S3bU9shi5X1DOIce4V346HTmm/PxNBfEAx9VHAva + mRKW2d7tnie3LYgfkDqe+JCkp66KJpXsAhZai3SkliQAtgspn564KtOtDA2+o8h2 + zgiempkqaEHimjemmRwPdFQRHLoN5gGamXqW6+4j+VhHltgYVttYYiOZgsccsGIG + /AikrKUfcF+pGDuYcGToCXhiESU+e7sAzkZJQKa8A1tqVSVASyTaM46c+/ksSwzb + OVk/9zdBp4Xs8FcfaxnKYvaH4tHjaay6Yz16mHoi11vZRHktDbvtnPeCnKBSrnAo + 6YqKcljqJqrCNyi29R57wk2ZCEH6boRg7d/ccH1Vo0yEPc7q5Ojv2HSvFFiiakuh + VhK7vNCkmafpz4SU5MIOSdYQNPcGWzSNM68niM+KtQZ+Xqetfp3eUSIXkjHZu95u + 8nXFw8VpKbm5JRxdys9OrjH2+nkhJp6tRbBN005ZLf4bAa0iv0UCEXxQzcUrodHI + MmOpO2aosXBtTebjUffxdO90YKuhSUfCe2j2Qb6P/K6mW/Nzv8s5Q0ov+Vfq06AM + +vB64C5ETE2BuFSckueF6OaDgV/6IB97H/BduhNP7IxDdYCLzYtfG5zE+PAvekKs + M0yWYLWdN3d1Xj5yHFL6XL5ite3HolrvePMWNIBKqWHp/WCCPm2Fl5dtqLxXFZzS + XgFLAFFjc81SZ8whP5fH/BfEErva6lQYxmCgYbNOHQV2eqN1HV0kk5f12znxRBaW + 
GXaqcxiEplHeOJhfVDahV0jEZ08rLavWl+SOAvzuN/fOSUP2s0edAXZ7+gPruiU= + =7OQW + -----END PGP MESSAGE----- + fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/secrets/users/malte/secrets.yaml b/secrets/users/malte/secrets.yaml new file mode 100644 index 0000000..55e7218 --- /dev/null +++ b/secrets/users/malte/secrets.yaml 
@@ -0,0 +1,41 @@ +restic-backup: ENC[AES256_GCM,data:vPcT9crBvPykqoYtRxnBAueg0xHtI5WXdo9IX0hZ+UxNirk=,iv:auE2JL8BMdmMr/8HiVll3JVQekGQZ9cwCm+MnBfZsdo=,tag:zec5C1xarAWsCpMh0LosYg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n5cse9mz50hxc2syzpjhkw9kar3eq9lr00ju4el9fu32nvqjzq5s5j4r4j + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaOVc2Y2VBRzNsWVBwYzM1 + cFI1NjZxU3dZVllTSUc3dk92WmkzYklWM1dVCklZS3B1RTk1bStjczN4QnNZdFRH + aVVRV0VvU09tbVA3M1lqczJGSEJlcEkKLS0tIExTaWNaYko4Ri96SjJCNGpTRzlp + dEJXZnlrWkliSStkaStRWkNHK1BaRkUKSYcHTljq50LMWVmHZS7y03/pKv8n/5of + lGBZVpwhLFRIP2U8v6jWNrPJ6g5QkqBEfj36whQZUO+CsZbqP9mP6A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-01-13T18:41:14Z" + mac: ENC[AES256_GCM,data:CNpZw3Anq3oXfcfqTACvpm/EsvG0LkyHojjMGlt0/wwjWqemJlTbG4+AUjv5Y1e25zaA8c6BPeqmrrr/f/q6U71hLqy+M9NuFSmjupluJSQ7K1NfsptNFLqnTmWEulxxG4xWWn6OKz8Wb3r4EzvjxK6OL8HRysk5xdswokxGqoc=,iv:t8mEUx1OJSVfNvBLZLaSBC1hpyA/AeRsOcaVcC5V8uE=,tag:PdsUzc51dtHydUEuAfKBRA==,type:str] + pgp: + - created_at: "2022-01-13T18:39:59Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/qNfAqOZjDMAQ/+MtqjUjLsg4yqZnPoLJpywlc3qTSsgPv9EmBA0wvMG/uo + jnuHtC6vbOiPGMt8p48ZkExLlqZ2dvHiUHIvqohEwbskUtbbltZgu0mfjPelY2bn + 8IgJ6O3a25MAQwSk2AyS5659dan5eWHWnsJCBbULY2xPrPNZzqT9/7u8oKJ9HGmj + B/6N1LuF8Wcn8/1IRpVBp08+ptagrZE0HBYVaJm3Sfz+FSctTnTxKWKpyrdcctXW + brBRHmOtWqqk+EXhNGxxowpDFMGNgYwqxhMmUkzO7dRWkeYK9qewNbKmN1XFpt2/ + WQzS5Q2kCKQNNStrbXKmPQHeVUml6q0hfzZSlgnzVM/wD+ORCrmiPZeBl7mLHUDR + wVoHDF2zLkGHBIbt/FeD2E+mdJJQ63zvJgCYK4vUEnvO0vJR6kJl22AmZERdXrT+ + F0ldtbuHMq5QY8llc6G2Cy5bR6wTv6MXxUsH994DB082RP9deM5Ug9G57N72ktBR + Az5zmwJD0s0FwQ1x+UBzt7BAqXhxWxRoZds+85IAn+RWtx0PI+cR75170qlkGkx+ + HuSp3FqjQ2PfYJCubr0PxL7L/0M8Qz5UXt1WyQD2RUV3+Kd42noz0PNgp66JcS8U + 7GVWY/Gd9GmBAT5qvNLCJnJCLRre4VOqrq5M8a1unbMkwfqTicIaTVTqBehtIWjS + XgGXv8uOIfLKixCC9ntAeLETWvwUjKnsh/YUAZzcAAp5EEJY8T0URI5Amibfe6S3 + 
4Ep3o58DBY8aS9XMLdb24PL/cG0DfF25BKguc2WT5hR3pOMEyLMaI4lk4j3vE9U= + =u3v1 + -----END PGP MESSAGE----- + fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/secrets/users/marie/secrets.yaml b/secrets/users/marie/secrets.yaml new file mode 100644 index 0000000..b074752 --- /dev/null +++ b/secrets/users/marie/secrets.yaml 
@@ -0,0 +1,41 @@ +restic-backup: ENC[AES256_GCM,data:kZJ/1pUYxRowRfjQj5wSQAlHwZPO0yfN6qcQWtBSoWI=,iv:ll56IJhqejkTFH53FGH8orFpoelbCzOe698jgafM1h0=,tag:/4Z6f5ygN6gbild/7Wi/cQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1un55h66zlhm4vmf7800q0c5n24zwpwvyllhmu68x33kkf2kwu9dsts8ztg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZWVxSFpsaGtzU0thV1J5 + VVhKNDlMb2ZNaFJuVk1FZk5oaHhVUS9adHpVCk1qVFlRdnViSzBWSjdiOFh6S3Qr + SENOY3pnT2x5YXVoV0xKYm1xcUJ4UnMKLS0tIFhvVFVTRUlZa1VPM0FXcm54bW5q + eGtvTXR4T1VMSERBd1dkVE9HSjcxbG8KbK3iv86ZiespC/OW86PZ1gohJkD40Waz + Bk6jML4YkMQdsJd6BqvJyx6fAa140vLyO6d6zmI7H6UAvcY1nZt0Rg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-01-13T19:23:50Z" + mac: ENC[AES256_GCM,data:u04zcXFhEsjQ0w00ashtjrKybQGbqizoibJvNyr1TxIRtc6uhKuqqviY1jqFFpn4I2T2iefCnoiZJv//YbPXSstZGF9VEE9T38mQ5ZFS5o8GybxiyoWtgLWs2tbQX5S8ML7lUBuyRXO1d25Ts0Qt4tTkKRNVkgraM2UwPX0m6B8=,iv:QRwioLOqNOzAArGfcgqsfmm1AHNCUvNOyeNO4gK8SW0=,tag:bRiELZ8XkMLTBBHyaAMKAQ==,type:str] + pgp: + - created_at: "2022-01-13T19:23:03Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/qNfAqOZjDMAQ/7BE/JuxiUiqYQ3yZ822Dzaf/l31tm0Mr1EyQh6kDKM3oZ + 3cYHsq4KXV11DZi95zcra+oJGuZ101rRS95ZnKh9VzJ9GtCHiRyT6yiIeCVbvfE+ + 2E4ftaMMtD5U47l0daQtXK1shM632K+fDMHhvUzehmiR4RatlvtKaw9fiBzWGkzL + dj6uTjvJc1aEyu6P58/qAqUk8j5bd2k/KbTb+MFOernzNxzh3uoMHiJTPc/QnurE + x4txF4cOp7ek/rMkY+c/W5Gk52+ovhRfUUJDKu4bpaIRpkHtIPyJ7EiZwRQBnng3 + ZIl3+LGhgplwwxInfcj21V3i/4zJzCMe87F4KY6tLqiJUwwVUvGqkjONyxgXD0ZO + DMDpwduR2/L29DSdlzR3sIoB4tIUaU/1lkWLEDkZ5AwKImiCSIrgmh/PPlS5YNGY + X0JODyqOkC4G60uJCudp+2ZczsH3WL51eM8i74C7jN3hIYk1odWjagUldWkmWzSI + cHstoKASMAkFDy7ezo2gMyvTfLqQQSWh8g+5sTxAwSBLT5bA08busdWWb5i112B6 + HVWyG89wg0ll6zNAkus3qHUEImXCGcjB/bglX0dA6meUKkaAbTBuKvb8RFdgMsJU + JFXy6i0wPRum22xi2WgcfX/iT3abs4KNkuKa1kajoRiP4y7Ecc7u23gpeVNehGLS + XgGMBmrNOCLDyIPuc/X7nh5OMS06rcM+EuKMpT7rAweuQh1CzAPnaPrZK+eyYkHK + 
Oiu5iFZayDvDnBgXVTFLRHWyVJST1cNRxjr79gNmjeF3nUGL8oFZ8ntzzeNXRNU= + =VCct + -----END PGP MESSAGE----- + fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED + unencrypted_suffix: _unencrypted + version: 3.7.1