Add sops-nix
This commit is contained in:
parent
6b06f1f0ca
commit
bf7e4e9e03
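--- /dev/null
+++ b/os/linux/nix/.sops.yaml
@@ -0,0 +1,13 @@
+keys:
+- &daniel age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45 # pass age-key | rg '# pub'
+- &sshd-at-beefcake age1k8s590x34ghz7yrjyrgzkd24j252srf0mhfy34halp4frwr065csrlt2ev # ssh beefcake "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *daniel
+- path_regex: secrets/beefcake/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *daniel
+- *sshd-at-beefcake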
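Review bot: The first creation rule (`secrets/[^/]+\.(yaml|json|env|ini)$`) encrypts to `*daniel` only, so a file placed directly under `secrets/` can never be decrypted by beefcake's host key; only files under `secrets/beefcake/` pick up `*sshd-at-beefcake`. Rules are tried in order with the first match winning, and this split between personal and per-host secrets is not stated anywhere in the file. A comment above the first rule such as `# personal/shared secrets: readable by daniel only, not deployable to any host` and above the second such as `# beefcake-only secrets: also decryptable by the host ssh key at activation` would make the intended layout explicit to whoever adds the next secret.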
|
@ -17,6 +17,11 @@
|
||||||
# use the version of nixpkgs we specified above rather than the one HM would ordinarily use
|
# use the version of nixpkgs we specified above rather than the one HM would ordinarily use
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops-nix = {
|
||||||
|
url = "github:Mic92/sops-nix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs: {
|
outputs = inputs: {
|
||||||
|
@ -26,6 +31,7 @@
|
||||||
modules = [
|
modules = [
|
||||||
./machines/beefcake.nix
|
./machines/beefcake.nix
|
||||||
inputs.home-manager.nixosModules.home-manager
|
inputs.home-manager.nixosModules.home-manager
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
{
|
{
|
||||||
home-manager.useGlobalPkgs = true;
|
home-manager.useGlobalPkgs = true;
|
||||||
}
|
}
|
||||||
|
|
|
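Review bot: The new module entry `sops-nix.nixosModules.sops` refers to a name that is not in scope: the surrounding `outputs = inputs: {` binds only `inputs`, and the neighbouring entry is written `inputs.home-manager.nixosModules.home-manager`, so this line should read `inputs.sops-nix.nixosModules.sops`. In the first hunk of this section the new `sops-nix = { ... }` input is closed with a bare `}` where the `home-manager` block just above ends in `};`; unless the rendering dropped the semicolon, Nix will reject the `inputs` attribute set. The enclosing `inputs` and `outputs` expressions start and end outside these hunks.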
@ -10,9 +10,49 @@ in
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
imports =
|
imports =
|
||||||
[
|
[
|
||||||
|
<sops-nix/modules/sops>
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = ../secrets/example.yaml;
|
||||||
|
age = {
|
||||||
|
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
generateKey = true;
|
||||||
|
};
|
||||||
|
secrets = {
|
||||||
|
example-key = {
|
||||||
|
# see these and other options' documentation here:
|
||||||
|
# https://github.com/Mic92/sops-nix#set-secret-permissionowner-and-allow-services-to-access-it
|
||||||
|
|
||||||
|
# set permissions:
|
||||||
|
# mode = "0440";
|
||||||
|
# owner = config.users.users.nobody.name;
|
||||||
|
# group = config.users.users.nobody.group;
|
||||||
|
|
||||||
|
# restart service when a secret changes or is newly initialized
|
||||||
|
# restartUnits = [ "home-assistant.service" ];
|
||||||
|
|
||||||
|
# symlink to certain directories
|
||||||
|
path = "/var/lib/my-example-key/secrets.yaml";
|
||||||
|
|
||||||
|
# for use as a user password
|
||||||
|
# neededForUsers = true;
|
||||||
|
};
|
||||||
|
"myservice/my_subdir/my_secret" = {};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: non-root processes and services that access secrets need to be part of
|
||||||
|
# the 'keys' group
|
||||||
|
|
||||||
|
# systemd.services.some-service = {
|
||||||
|
# serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
|
||||||
|
# };
|
||||||
|
# or
|
||||||
|
# users.users.example-user.extraGroups = [ config.users.groups.keys.name ];
|
||||||
|
|
||||||
# TODO: directory attributes for /storage subdirectories?
|
# TODO: directory attributes for /storage subdirectories?
|
||||||
# example: user daniel should be able to write to /storage/files.lyte.dev and
|
# example: user daniel should be able to write to /storage/files.lyte.dev and
|
||||||
# caddy should be able to serve it
|
# caddy should be able to serve it
|
||||||
|
|
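Review bot: The host is told to decrypt `defaultSopsFile = ../secrets/example.yaml` with `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`, but that file as added in this commit lists only daniel's age recipient in its `sops.age` block, and `.sops.yaml` encrypts plain `secrets/*.yaml` to `*daniel` alone, so activation on beefcake cannot decrypt it; either move the file under `secrets/beefcake/` and re-run `sops updatekeys`, or add the host key to the first rule. `generateKey = true` with `keyFile` does not help here, since a freshly generated key is never a recipient of an already-encrypted file. The `<sops-nix/modules/sops>` entry in `imports` also looks redundant with the `sops-nix.nixosModules.sops` module added in the flake and resolves through NIX_PATH, which a pure flake evaluation does not provide — hedged, because that flake section's file header is not shown here. The `imports` list and the enclosing module begin before this hunk.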
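--- /dev/null
+++ b/os/linux/nix/secrets/example.yaml
@@ -0,0 +1,25 @@
+example-key: ENC[AES256_GCM,data:8/LalMfi+YsJaF1P+A==,iv:/Kkul1a1gBiAd447/A/yVzfUJi7rb8nAoBWXiokQZEs=,tag:gN5VnfNFyiKplMpip54YEw==,type:str]
+#ENC[AES256_GCM,data:zF3Eji+GV/e/lxQ8IFpu2Q==,iv:wTfGJmuJ08HXstXGofLbUcl3vSKOsSv1Ai0kQM57sF4=,tag:U94wjTY7mTpafjkA4hOh0g==,type:comment]
+myservice:
+my_subdir:
+my_secret: ENC[AES256_GCM,data:0oxmwRaS6wYg,iv:7fn84cOkL9F1yhbGOOJZLgkIphI4ZjA0pdzFFNFDh50=,tag:mwbFqGbLa+H47jOyfiNQBQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UUdpZU8zMloweWhZbmxI
+aFZNL1M3eWNpMjBKMGxRMDYwUnZpd2k0NG1RCnVvcjJsU1dJQTVIcFlmMmFKeEI2
+bEJVdldxektybGtLYmprRG9OenFnRjgKLS0tIGtBOWFrWXgvc2l0QThQczlWMkxW
+bjM4enBEbUlkYlZFOHIvQW80VktsTDgKZMYE95nKgmU+whtU2xrJnuNlwZqrjpfN
+e5LKNQ6lLqIzsmCdAlyPcKVW5hCbtaT/Ac1TvZWq7+cF6SbPa/51Ew==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-07-27T17:08:21Z"
+mac: ENC[AES256_GCM,data:HO9P7Z3edo5FyaTenyKjphxnKcke4dqXiUyBveAPd2KP489Hh+fXrugx7+w47UiYsfgBCgFM/ED9xzRKLV7IMIYFtdtL5LwTizPF9H/VUnvRM420VUy/OMPiuludSSoL3WNpTM0UBQi4l7FSjKGpz5AdzLJE65Px05lPJQ/KGFY=,iv:TNtp3/A5lDanNQ0Ghi1Q1yyQc6glcYyYYeDkeEXNkVw=,tag:L5lmerkR3SarF/NLXYMURQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3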