Restructure secrets, add restic secrets

Malte Tammena 2022-01-13 21:20:59 +01:00
parent 169cb95e5f
commit 4446faf53a
9 changed files with 173 additions and 17 deletions


@ -1,37 +1,55 @@
# This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example.
keys:
- &malte 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
- &helix-texta age1n5cse9mz50hxc2syzpjhkw9kar3eq9lr00ju4el9fu32nvqjzq5s5j4r4j
- &elysia-clarki age1gg85h42mndpuc5qpxg2a794pj9szp6g020ry05tmy9rxgh2aa4asq4vfh4
- &achatina-fulica age1320r0g70sgmprz0dzk9n7nkuhcmf3ju0pmv002mgd5rgghvazyxqtt9c80
- &trochulus-hispidus age1un55h66zlhm4vmf7800q0c5n24zwpwvyllhmu68x33kkf2kwu9dsts8ztg
creation_rules:
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- pgp:
- *malte
age:
- *elysia-clarki
- *helix-texta
- *achatina-fulica
- path_regex: secrets/elysia-clarki/[^/]+\.yaml$
key_groups:
- pgp:
- *malte
age:
- *elysia-clarki
- path_regex: secrets/helix-texta/[^/]+\.yaml$
- *achatina-fulica
- *trochulus-hispidus
- path_regex: secrets/hosts/helix-texta/[^/]+\.yaml$
key_groups:
- pgp:
- *malte
age:
- *helix-texta
- path_regex: secrets/achatina-fulica/[^/]+\.yaml$
- path_regex: secrets/hosts/elysia-clarki/[^/]+\.yaml$
key_groups:
- pgp:
- *malte
age:
- *elysia-clarki
- path_regex: secrets/hosts/achatina-fulica/[^/]+\.yaml$
key_groups:
- pgp:
- *malte
age:
- *achatina-fulica
- path_regex: secrets/hosts/trochulus-hispidus/[^/]+\.yaml$
key_groups:
- pgp:
- *malte
age:
- *trochulus-hispidus
- path_regex: secrets/users/malte/[^/]+\.yaml$
key_groups:
- pgp:
- *malte
age:
- *helix-texta
#- *murex-pecten
- path_regex: secrets/users/marie/[^/]+\.yaml$
key_groups:
- pgp:
- *malte
age:
- *trochulus-hispidus
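Review bot: The rule for `secrets/users/marie/[^/]+\.yaml$` lists only `*trochulus-hispidus` under `age:`, but the host config in this commit whose `sops.defaultSopsFile` is the elysia-clarki file declares `sops.secrets."restic-backup-marie"` with `sopsFile = ../secrets/users/marie/secrets.yaml`; sops-nix decrypts with that host's own age key (from `sops.age.sshKeyPaths`), which is not a recipient under this rule, so activation on elysia-clarki would presumably fail to decrypt unless `- *elysia-clarki` is added to that rule's `age:` list and the file is re-keyed with `sops updatekeys`. The commented `#- *murex-pecten` line refers to an anchor that is not defined under `keys:`, so uncommenting it as written would make the file unparseable; add the key or drop the line. As a minor hardening, sops matches `path_regex` unanchored, so writing the patterns as `^secrets/...` keeps a look-alike path elsewhere in the tree from matching a per-host rule.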


@ -27,7 +27,7 @@
systemd.services.glados.serviceConfig.SupplementaryGroups =
[ config.users.groups.keys.name ];
sops.defaultSopsFile = ../secrets/achatina-fulica/secrets.yaml;
sops.defaultSopsFile = ../secrets/hosts/achatina-fulica/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# This is the actual specification of the secrets.
sops.secrets.gladosEnv = { };


@ -194,10 +194,15 @@ in {
services.fwupd.enable = true;
services.devmon.enable = true;
sops.defaultSopsFile = ../secrets/helix-texta/secrets.yaml;
sops.defaultSopsFile = ../secrets/hosts/helix-texta/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# This is the actual specification of the secrets.
#sops.secrets."multimc/clientID" = { };
# TODO: Improve this
sops.secrets."restic-backup-malte" = {
sopsFile = ../secrets/users/malte/secrets.yaml;
owner = "malte";
mode = "0400";
key = "restic-backup";
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
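Review bot: The `sops.secrets."restic-backup-malte"` block is repeated nearly verbatim as `restic-backup-marie` in the elysia-clarki hunk of this commit (same `mode`, same `key = "restic-backup"`, same `../secrets/users/<name>/secrets.yaml` shape), and the `# TODO: Improve this` above it does not say what improvement is meant. A small per-user helper producing this attribute set would remove the duplication; until then, replace the comment with something actionable such as `# TODO: factor this per-user restic secret into a shared helper; the same block is duplicated in the elysia-clarki config`. The commented-out `#sops.secrets."multimc/clientID" = { };` is now dead configuration with no explanation; either delete it or add a one-line comment saying why it is kept. The enclosing attribute set starts and ends outside this hunk.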


@ -57,6 +57,16 @@
fontconfig = { enable = true; };
};
sops.defaultSopsFile = ../secrets/hosts/elysia-clarki/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# TODO: Improve this
sops.secrets."restic-backup-marie" = {
sopsFile = ../secrets/users/marie/secrets.yaml;
owner = "marie";
mode = "0400";
key = "restic-backup";
};
# Regularly clear the store, since the storage is quite small
# The store is optimized ~04:00, so let's clear it before that
nix.gc = {



@ -0,0 +1,41 @@
restic-backup-malte: ENC[AES256_GCM,data:EvXMU+x2BEjxIuaxXor5cEx12FQcyNQ4dNCG0055oM+dp18=,iv:TtxhGd7phZt0Bvm8ggo5GOWn6qMVoDtIHXmimoGTinc=,tag:/8PYj6cLgYvf/2xjUgf1hQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1n5cse9mz50hxc2syzpjhkw9kar3eq9lr00ju4el9fu32nvqjzq5s5j4r4j
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYOEtQRmNNRExscGtXNVlN
WEZjU1ZkRkFIaE1jTk1HYkYvRWpTbnRuQm0wCmMvQkJxMGEwcXlWbXJ2UGl4ZkRr
aFZIMWpTdlNVWkcvNXJxcU1CcWg1cDAKLS0tIGNPWEFKc1NEaWdId01MK2pvRXVZ
NnZ2bHRWZ1RlYmwxRmMrWE1yVTNzUmsKJkvy5uq+xy3ezc2kJA9KSYj9WeHzqbwA
N3eJC0qJgx+F1pqty/Xl2PxjqYFmxAxx+creu9kD/RS+mo1jYNmwxw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-01-13T17:34:43Z"
mac: ENC[AES256_GCM,data:y5nOxKQ6ltlUgRx9LTr3FxVhpjf3dtHJa0JO+MwuqxK04Ry4E3sfWkGiEv2wpPmOmXwfxM4yRSfho7S0P7fjr45OBHeyFpT+a8r8fNV1X1kHM/rfTXJShqOEAXhZLCq2Qfiqq5v2JniQGx/agyQSyVq5xnQwfgjSMqeFdU35Dag=,iv:nXFepk8hg/K9fwQnEtbW/isEGO+5//qeb22QUvdV010=,tag:LxFBNZzPCFiRDcglN950sw==,type:str]
pgp:
- created_at: "2022-01-13T17:33:57Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=7OQW
-----END PGP MESSAGE-----
fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
unencrypted_suffix: _unencrypted
version: 3.7.1
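Review bot: The plaintext key in this file is `restic-backup-malte`, whereas the other two new secret files in this commit use `restic-backup` and both host configs select `key = "restic-backup"`, so the names are inconsistent. The page does not show this file's path; if it is the per-host helix-texta file rather than `secrets/users/malte/secrets.yaml` the mismatch is harmless, but then it presumably holds a second copy of the same value already kept in the users/malte file, and one of the two could be dropped so the secret has a single source. Picking one key name across all three files would make the `key = ...` references easier to check against `.sops.yaml`.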


@ -0,0 +1,41 @@
restic-backup: ENC[AES256_GCM,data:vPcT9crBvPykqoYtRxnBAueg0xHtI5WXdo9IX0hZ+UxNirk=,iv:auE2JL8BMdmMr/8HiVll3JVQekGQZ9cwCm+MnBfZsdo=,tag:zec5C1xarAWsCpMh0LosYg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1n5cse9mz50hxc2syzpjhkw9kar3eq9lr00ju4el9fu32nvqjzq5s5j4r4j
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaOVc2Y2VBRzNsWVBwYzM1
cFI1NjZxU3dZVllTSUc3dk92WmkzYklWM1dVCklZS3B1RTk1bStjczN4QnNZdFRH
aVVRV0VvU09tbVA3M1lqczJGSEJlcEkKLS0tIExTaWNaYko4Ri96SjJCNGpTRzlp
dEJXZnlrWkliSStkaStRWkNHK1BaRkUKSYcHTljq50LMWVmHZS7y03/pKv8n/5of
lGBZVpwhLFRIP2U8v6jWNrPJ6g5QkqBEfj36whQZUO+CsZbqP9mP6A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-01-13T18:41:14Z"
mac: ENC[AES256_GCM,data:CNpZw3Anq3oXfcfqTACvpm/EsvG0LkyHojjMGlt0/wwjWqemJlTbG4+AUjv5Y1e25zaA8c6BPeqmrrr/f/q6U71hLqy+M9NuFSmjupluJSQ7K1NfsptNFLqnTmWEulxxG4xWWn6OKz8Wb3r4EzvjxK6OL8HRysk5xdswokxGqoc=,iv:t8mEUx1OJSVfNvBLZLaSBC1hpyA/AeRsOcaVcC5V8uE=,tag:PdsUzc51dtHydUEuAfKBRA==,type:str]
pgp:
- created_at: "2022-01-13T18:39:59Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=u3v1
-----END PGP MESSAGE-----
fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
unencrypted_suffix: _unencrypted
version: 3.7.1


@ -0,0 +1,41 @@
restic-backup: ENC[AES256_GCM,data:kZJ/1pUYxRowRfjQj5wSQAlHwZPO0yfN6qcQWtBSoWI=,iv:ll56IJhqejkTFH53FGH8orFpoelbCzOe698jgafM1h0=,tag:/4Z6f5ygN6gbild/7Wi/cQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1un55h66zlhm4vmf7800q0c5n24zwpwvyllhmu68x33kkf2kwu9dsts8ztg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZWVxSFpsaGtzU0thV1J5
VVhKNDlMb2ZNaFJuVk1FZk5oaHhVUS9adHpVCk1qVFlRdnViSzBWSjdiOFh6S3Qr
SENOY3pnT2x5YXVoV0xKYm1xcUJ4UnMKLS0tIFhvVFVTRUlZa1VPM0FXcm54bW5q
eGtvTXR4T1VMSERBd1dkVE9HSjcxbG8KbK3iv86ZiespC/OW86PZ1gohJkD40Waz
Bk6jML4YkMQdsJd6BqvJyx6fAa140vLyO6d6zmI7H6UAvcY1nZt0Rg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-01-13T19:23:50Z"
mac: ENC[AES256_GCM,data:u04zcXFhEsjQ0w00ashtjrKybQGbqizoibJvNyr1TxIRtc6uhKuqqviY1jqFFpn4I2T2iefCnoiZJv//YbPXSstZGF9VEE9T38mQ5ZFS5o8GybxiyoWtgLWs2tbQX5S8ML7lUBuyRXO1d25Ts0Qt4tTkKRNVkgraM2UwPX0m6B8=,iv:QRwioLOqNOzAArGfcgqsfmm1AHNCUvNOyeNO4gK8SW0=,tag:bRiELZ8XkMLTBBHyaAMKAQ==,type:str]
pgp:
- created_at: "2022-01-13T19:23:03Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=VCct
-----END PGP MESSAGE-----
fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
unencrypted_suffix: _unencrypted
version: 3.7.1