Add sops-nix
This commit is contained in:
parent
6b06f1f0ca
commit
bf7e4e9e03
4 changed files with 84 additions and 0 deletions
13
os/linux/nix/.sops.yaml
Normal file
13
os/linux/nix/.sops.yaml
Normal file
|
@ -0,0 +1,13 @@
|
|||
keys:
|
||||
- &daniel age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45 # pass age-key | rg '# pub'
|
||||
- &sshd-at-beefcake age1k8s590x34ghz7yrjyrgzkd24j252srf0mhfy34halp4frwr065csrlt2ev # ssh beefcake "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
|
||||
creation_rules:
|
||||
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
|
||||
key_groups:
|
||||
- age:
|
||||
- *daniel
|
||||
- path_regex: secrets/beefcake/[^/]+\.(yaml|json|env|ini)$
|
||||
key_groups:
|
||||
- age:
|
||||
- *daniel
|
||||
- *sshd-at-beefcake
|
|
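Review bot: The two recipients in the `secrets/beefcake/` rule share one `age:` list inside a single key group, which under sops' key-group semantics means either key alone can decrypt the file, not both together; if that is intended, a comment such as `# single key group: any listed recipient can decrypt` on the `key_groups:` line would stop a reader from assuming a threshold. The `path_regex` values are not anchored at the start, so sops appears to accept any path that merely contains a matching suffix; `^secrets/[^/]+\.(yaml|json|env|ini)$` is the tighter form for both rules. Note also that the first rule only matches files directly under `secrets/`, so `secrets/example.yaml` is encrypted to the `daniel` key alone.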
@ -17,6 +17,11 @@
|
|||
# use the version of nixpkgs we specified above rather than the one HM would ordinarily use
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
}
|
||||
};
|
||||
|
||||
outputs = inputs: {
|
||||
|
@ -26,6 +31,7 @@
|
|||
modules = [
|
||||
./machines/beefcake.nix
|
||||
inputs.home-manager.nixosModules.home-manager
|
||||
sops-nix.nixosModules.sops
|
||||
{
|
||||
home-manager.useGlobalPkgs = true;
|
||||
}
|
||||
|
|
|
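Review bot: The new `sops-nix = { … }` input in the first hunk is closed with a bare `}` where the sibling `home-manager` binding above it ends with `};`; a Nix attribute binding needs the trailing semicolon, so this should read `};` or the flake will not parse. In the second hunk `sops-nix.nixosModules.sops` is written without the `inputs.` prefix that the adjacent `inputs.home-manager.nixosModules.home-manager` line uses; unless the part of `outputs` outside the hunk binds `sops-nix` (for example via `with inputs;`), this is an undefined variable at evaluation time and should be `inputs.sops-nix.nixosModules.sops`. Both `inputs` and `outputs` start and end outside the hunks shown.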
@ -10,9 +10,49 @@ in
|
|||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
imports =
|
||||
[
|
||||
<sops-nix/modules/sops>
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../secrets/example.yaml;
|
||||
age = {
|
||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
keyFile = "/var/lib/sops-nix/key.txt";
|
||||
generateKey = true;
|
||||
};
|
||||
secrets = {
|
||||
example-key = {
|
||||
# see these and other options' documentation here:
|
||||
# https://github.com/Mic92/sops-nix#set-secret-permissionowner-and-allow-services-to-access-it
|
||||
|
||||
# set permissions:
|
||||
# mode = "0440";
|
||||
# owner = config.users.users.nobody.name;
|
||||
# group = config.users.users.nobody.group;
|
||||
|
||||
# restart service when a secret changes or is newly initialized
|
||||
# restartUnits = [ "home-assistant.service" ];
|
||||
|
||||
# symlink to certain directories
|
||||
path = "/var/lib/my-example-key/secrets.yaml";
|
||||
|
||||
# for use as a user password
|
||||
# neededForUsers = true;
|
||||
};
|
||||
"myservice/my_subdir/my_secret" = {};
|
||||
};
|
||||
};
|
||||
|
||||
# TODO: non-root processes and services that access secrets need to be part of
|
||||
# the 'keys' group
|
||||
|
||||
# systemd.services.some-service = {
|
||||
# serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
|
||||
# };
|
||||
# or
|
||||
# users.users.example-user.extraGroups = [ config.users.groups.keys.name ];
|
||||
|
||||
# TODO: directory attributes for /storage subdirectories?
|
||||
# example: user daniel should be able to write to /storage/files.lyte.dev and
|
||||
# caddy should be able to serve it
|
||||
|
|
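Review bot: The host cannot decrypt the file set as `defaultSopsFile`: `secrets/example.yaml` is encrypted only to the `daniel` recipient (its `sops.age` metadata lists one key), while this block tells sops-nix to decrypt with the key derived from `/etc/ssh/ssh_host_ed25519_key` or the generated `/var/lib/sops-nix/key.txt`, neither of which is a recipient, and the `.sops.yaml` rule that includes `sshd-at-beefcake` only covers `secrets/beefcake/`. Either move the file under `secrets/beefcake/` or add the host key to the first rule, then re-encrypt with `sops updatekeys` rather than editing the metadata by hand. Separately, `<sops-nix/modules/sops>` in `imports` is a NIX_PATH lookup that pure flake evaluation does not resolve, and the flake's module list already adds the sops-nix NixOS module, so that import line should be dropped. With the `owner`/`group`/`mode` and `SupplementaryGroups` examples left commented out, `example-key` is written at `path` readable by root only, which is worth stating in a comment next to `path = …`. The enclosing attrset begins outside the hunk.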
25
os/linux/nix/secrets/example.yaml
Normal file
25
os/linux/nix/secrets/example.yaml
Normal file
|
@ -0,0 +1,25 @@
|
|||
example-key: ENC[AES256_GCM,data:8/LalMfi+YsJaF1P+A==,iv:/Kkul1a1gBiAd447/A/yVzfUJi7rb8nAoBWXiokQZEs=,tag:gN5VnfNFyiKplMpip54YEw==,type:str]
|
||||
#ENC[AES256_GCM,data:zF3Eji+GV/e/lxQ8IFpu2Q==,iv:wTfGJmuJ08HXstXGofLbUcl3vSKOsSv1Ai0kQM57sF4=,tag:U94wjTY7mTpafjkA4hOh0g==,type:comment]
|
||||
myservice:
|
||||
my_subdir:
|
||||
my_secret: ENC[AES256_GCM,data:0oxmwRaS6wYg,iv:7fn84cOkL9F1yhbGOOJZLgkIphI4ZjA0pdzFFNFDh50=,tag:mwbFqGbLa+H47jOyfiNQBQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UUdpZU8zMloweWhZbmxI
|
||||
aFZNL1M3eWNpMjBKMGxRMDYwUnZpd2k0NG1RCnVvcjJsU1dJQTVIcFlmMmFKeEI2
|
||||
bEJVdldxektybGtLYmprRG9OenFnRjgKLS0tIGtBOWFrWXgvc2l0QThQczlWMkxW
|
||||
bjM4enBEbUlkYlZFOHIvQW80VktsTDgKZMYE95nKgmU+whtU2xrJnuNlwZqrjpfN
|
||||
e5LKNQ6lLqIzsmCdAlyPcKVW5hCbtaT/Ac1TvZWq7+cF6SbPa/51Ew==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-07-27T17:08:21Z"
|
||||
mac: ENC[AES256_GCM,data:HO9P7Z3edo5FyaTenyKjphxnKcke4dqXiUyBveAPd2KP489Hh+fXrugx7+w47UiYsfgBCgFM/ED9xzRKLV7IMIYFtdtL5LwTizPF9H/VUnvRM420VUy/OMPiuludSSoL3WNpTM0UBQi4l7FSjKGpz5AdzLJE65Px05lPJQ/KGFY=,iv:TNtp3/A5lDanNQ0Ghi1Q1yyQc6glcYyYYeDkeEXNkVw=,tag:L5lmerkR3SarF/NLXYMURQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
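Review bot: `unencrypted_suffix: _unencrypted` in the `sops` metadata means any key added later whose name ends in `_unencrypted` is stored in cleartext, so a one-line comment above the first secret, for example `# keys ending in _unencrypted are NOT encrypted`, would keep that visible to whoever edits this file. The `mac` value covers the document's values, so the recipient list and the encrypted entries must only be changed through sops itself; a hand edit of the `sops:` block would make decryption fail the MAC check. The `#ENC[…,type:comment]` line shows that comments are encrypted as well, which is the expected sops behaviour and not a leak.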