Seeekrits

2023-07-28 13:06:30 -05:00 · 2023-07-28 13:06:30 -05:00 · 459010f3a9
parent f84a918071
commit 459010f3a9
4 changed files with 57 additions and 39 deletions
--- a/os/linux/nix/.sops.yaml
+++ b/os/linux/nix/.sops.yaml
@ -2,11 +2,11 @@ keys:
  - &daniel age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45 # pass age-key | rg '# pub'
  - &sshd-at-beefcake age1k8s590x34ghz7yrjyrgzkd24j252srf0mhfy34halp4frwr065csrlt2ev # ssh beefcake "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/[^/]+\.(ya?ml|json|env|ini)$
    key_groups:
    - age:
      - *daniel
-  - path_regex: secrets/beefcake/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/beefcake/[^/]+\.(ya?ml|json|env|ini)$
    key_groups:
    - age:
      - *daniel
--- a/os/linux/nix/machines/beefcake.nix
+++ b/os/linux/nix/machines/beefcake.nix
@ -12,29 +12,20 @@
  services.api-lyte-dev = rec {
    enable = true;
    port = 5757;
-    stateDir = "/var/lib/api-lyte-dev";
+    stateDir = /var/lib/api-lyte-dev;
    configFile = sops.secrets.api-lyte-dev.path;
    user = "api-lyte-dev";
    group = user;
  };
  sops = {
-    defaultSopsFile = ../secrets/beefcake/example.yaml;
+    defaultSopsFile = ../secrets/beefcake/secrets.yaml;
    age = {
      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = true;
    };
    secrets = {
      "beefcake/api-lyte-dev.json" = {
        sopsFile = ../secrets/beefcake/api-lyte-dev.json;
        format = "json";
        path = "${services.api-lyte-dev.stateDir}/secrets.json";
        mode = "0440";
        owner = services.api-lyte-dev.user;
        group = services.api-lyte-dev.group;
      };
      example-key = {
        # see these and other options' documentation here:
        # https://github.com/Mic92/sops-nix#set-secret-permissionowner-and-allow-services-to-access-it
@ -53,7 +44,17 @@
        # for use as a user password
        # neededForUsers = true;
      };
      # subdirectory
      "myservice/my_subdir/my_secret" = { };
      api-lyte-dev = {
        format = "json";
        path = "${services.api-lyte-dev.stateDir}/secrets.json";
        mode = "0440";
        owner = services.api-lyte-dev.user;
        group = services.api-lyte-dev.group;
      };
    };
  };
--- a/os/linux/nix/secrets/beefcake/api-lyte-dev.json
+++ b/os/linux/nix/secrets/beefcake/api-lyte-dev.json
@ -1,26 +0,0 @@
 {
 	"DISCORD_BOT_TOKEN": "ENC[AES256_GCM,data:oRMz8tyyFO/ztTUQTjz+X4VLPJDkpDM8Jn6gCbvZk4FzDHpHI784msX3UPGJFE9ZbvVc5etpXYTMeCQ=,iv:Q0LqiD3+2U48LLb91yrC/hXdXf1jS+Dq7xEtq9qwhAo=,tag:rsNykECJ15SskVOnQxrONg==,type:str]",
 	"DISCORD_OWNER_USER_ID": "ENC[AES256_GCM,data:ImAA85aKgOwdoLSdXTJ6Fodd,iv:1DjAgq5OU56kee6PMRjsHOVCEcQ7XZ3HAWMv51A+OnY=,tag:KfjwuZuWKGOjD2Zi/V1zMw==,type:str]",
 	"OPENAI_TOKEN": "ENC[AES256_GCM,data:mM0D+UXD0cu45gfEeLKaJioHcJ8lM5TA1ao+IzYHdGc8L1IBNiKN+/D8rkr6wFwrpBQQ,iv:99UAkefC+PlAU5bJILQExZAoHR48RhMvvMVJbXRyIwE=,tag:NLYoaJcjFRsjGwmwu37qwA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdXdGQ1Y4UHMzdnpNQ2tJ\nQzNTNHpCN3JyRVdPTmYwQ0ZSQ1E1czZMVnkwCnc0M2ZXbHVscWJIYXA3ejArMTB3\neXZnYWV3b1Q5VzlrRWFMbUVmb3pLNVEKLS0tIGtXVGYrTnh4dCtvVWdVd21VZWQr\nOEdSZk5CYXJDUHBwbFhIZW1Ob0dQU00K7Vc9lRZAljJ4HjHyQqcj82wIRT4MMkuV\n9105iqIbCLW+3Jc9BQkDgq6lIdZ62xhuHMa0vycvD/DOKJuyUwerAQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1k8s590x34ghz7yrjyrgzkd24j252srf0mhfy34halp4frwr065csrlt2ev",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WWpXeFR6YVZDcXkxcTUz\nbm9KTkF6bVhybDJYR3RuNVlScit2eHAxNmdBCnlPZzB3azA1Nzlhbm84N1czNDZJ\ndjdpdkcvRVgzcTg0UnBOdmo0bnB5eFUKLS0tIFVNZzk3WlEwQTNrVUtFZU5YM2Q3\nRmZDUUw4eHBOZXpwN3B2SDlXZmtPT2sKCgvPtxgRehJmfz4b1qIQLauwh8SddVK3\ndAtU8W5UcNYiDd8de2is2mxzcuNzvD3R0BorrO1SSpulQSdPj6gabw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2023-07-28T07:39:26Z",
 		"mac": "ENC[AES256_GCM,data:IfjCRLyAPQpMMGqDLFxkw/McYdWeNwVayvcMhzU6XDnC79LFYhUcAw2927pnHawezS6qI1Aaj5rY8eT93MZ5K3Gk1JW0S/wuitmUGvOT0VaRbVskqd9VFgg/5bcFntfpKUDgwmvs7vfDfdFY0v0S2cAQ5nP9GAkcet4+stCYzOM=,iv:CqMhU52vSdhL9jOnaD3mZ2tmo8c3u4dOvr9qsZY/v0U=,tag:wnmTTnW2iq5dowoTROICcA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/os/linux/nix/secrets/beefcake/secrets.yml
+++ b/os/linux/nix/secrets/beefcake/secrets.yml
@ -0,0 +1,43 @@
 hello: ENC[AES256_GCM,data:zFcid19gJKCNO6uThYyDzQ+KCxsBC/Fjma9AhyddOraK9siZtcpBWyPhnIkq9Q==,iv:1j1sEZcZS5+NUbIRHNE5L41lDMuLGAqWw9QJNOmtxuE=,tag:dDPq3rGesiA7khX/GPMVhQ==,type:str]
 example_key: ENC[AES256_GCM,data:EyQzVVXEgm20i62hFA==,iv:Z/gQF3lUcg7Ox66yWgBhi9aJqkN9nwIhcprSbC+fbdI=,tag:enULK/yFVQjNpRk0u4RFAg==,type:str]
 #ENC[AES256_GCM,data:S7g4kg1/4oztGaattpyo1Q==,iv:/JYp8w/ONJLIRXfiyhc7us4BZ+eg6UZeMWYHWSYXiGE=,tag:Ec02qXNPU+TsKf55cV/nlA==,type:comment]
 example_array:
    - ENC[AES256_GCM,data:ava5NqrxDX3u3Tr8vZQ=,iv:Q+c2aZx3buUKNUf8NeMxWsSsXtqk4PLbYM0PzVrgyKs=,tag:kVCv9FMQTkQwvGfH4t3HCg==,type:str]
    - ENC[AES256_GCM,data:ZHOtZT1VPqGUmOG2t3g=,iv:NI/xo4/ws3VSR+Bc3D0ClPqqfKyTHTfyvb48xAPEBvs=,tag:2DddoLwa8i5CdVIxbA+HUA==,type:str]
 example_number: ENC[AES256_GCM,data:AifVPuuPnEw2lQ==,iv:/L/vG2znNlM35u4ZGM31bweTeuXc0qH136tCVK/xOEs=,tag:h60Zz1zQaDZqEO8+I/vZYg==,type:float]
 example_booleans:
    - ENC[AES256_GCM,data:GD3U7Q==,iv:ahTK9d6m8lQkjd2sS9Yo6V3EyFWoyEbeQG6Uke4hF40=,tag:rykfnfaLz39V+SJbomu5Zw==,type:bool]
    - ENC[AES256_GCM,data:hK/CtTQ=,iv:EFXdBumvMKdaXdd97vUBIMKIaw1rMfUt+/irkRZGc4Y=,tag:JofhZ5SS+jzRe6WJmP34Xg==,type:bool]
 api.lyte.dev:
    DISCORD_BOT_TOKEN: ENC[AES256_GCM,data:lzK6/k1bmEPNg92X27rN6/hslxlFWrqhLwTmyKSedImMglOkx8OVDno43ei+RwufPT1C+9hnlpTVh60=,iv:Ye/RClrP2XPn/Mo3IDYdJ4fHS83JkF+VwUNidOZJjj0=,tag:DfehtzPxfp6SlhezYWjUfA==,type:str]
    DISCORD_OWNER_USER_ID: ENC[AES256_GCM,data:Rfqg6lhXNT2LjgUDKwv6m2P5,iv:weD8F0pR3TeX5eS+7YhK91gRoE525ILn9fUfJpUlhLc=,tag:5aMrfiS0lzS3/HfjagE8GA==,type:str]
    OPENAI_TOKEN: ENC[AES256_GCM,data:ZVZZIYV0DhChmJBqXWnbvPLLQTNwmKhj7wxuehO3JwKdj5UqYoMlKO1GqhZ00hg1zRrZ,iv:4B8VWjcn3o4/iTO2GU+ZANv0aXYelRKZaIKDReIuoKk=,tag:u/3yBi6TyHZvXmrkpcsjIQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDOHpnQlJkTWlUNXlxNzVY
            WkF4ci9hTzg3S0tJM2RZMGlIcC9nNlgrdjEwCjRvaDBpb1ZoOWNtNkE1NDVXQVJY
            UGZyZ2FpalQyUlpSU056TFRpUXlBNTgKLS0tIFNCSWdiQ25yNDdsdUtlUGZLS0h1
            N3Z4NWRvcXN2a2xKMjlRM2lPZEhhekEKtolJt3EAZXlqq6UKV43Z2EJW4hkfZMJ8
            06Se+Eim/PS3H1gjRdZ9SV45ghRmLy2OSMKTJxN78HFcJeDpp5CQnA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1k8s590x34ghz7yrjyrgzkd24j252srf0mhfy34halp4frwr065csrlt2ev
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTittdVRqRTRWSlBpRnpY
            NmlIKzdoOFNxSnNoTFpwRVN3UGdJaHhRMldjCmRrRlo5V1luN0dabFBCWDhZaU9V
            c05VeUxMQi9oM3czaDFFUEw3aHp4T1EKLS0tIHFqTVlXTnE5ZkoxRk9ESGo3MzAr
            b0lTRjVCMU9ELzdvbFBJZ0tHbGtsYkEKLEcXCEikC3T3hfVOYKtWcNSGmfg28y+f
            nGC4dQh9EciEbk1ZBbN3i6YSNULDoMSH172KBmRyt1ogr1ZPyCNqtg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-07-28T18:02:26Z"
    mac: ENC[AES256_GCM,data:YRKrztKaKWqjnSDqWCd1Bbjhg9fpy3nQJqU7Ilt+wuUHiMp/h7x6uucxwton89LIOimJF/crJOvtweryt1zzXrdwOG8h2bUq+T9SLWqxbh30VXiugPChO/vsAHgCCVZBMsgJnUGvVbUY3lP1TEyxcwZhHvuRXGudDEjDgcEwtFw=,iv:7nkY3gT9CVVnDjuljQ3A4t9Og7h+EDUTx+XVD08UuVA=,tag:NCALXKsU16PLYh0EZuXiDA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3