
commit 59d37efcac302140b429592e723be30d2a4720af
parent a76448406215243e9ebee001e1905fe6fc591370
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Mon, 13 Sep 2021 18:47:27 +0200

nix: trying sops-nix 🙃

This seems to work nicely, the only trick is to make sure we are
provisioning the machine with the correct set of host keys (but that's doable)

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
M.envrc | 1+
A.sops.yaml | 29+++++++++++++++++++++++++++++
Mnix/default.nix | 1+
Asecrets/syncthing.yaml | 108+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mshell.nix | 7+++++++
Msystems/hosts/aomi.nix | 5+++++
Msystems/modules/default.nix | 1+
7 files changed, 152 insertions(+), 0 deletions(-)

diff --git a/.envrc b/.envrc @@ -2,6 +2,7 @@ use_nix shell.nix watch_file ./shell.nix watch_file ./nix/sources.json +watch_file ./nix/default.nix test -f .secrets && source .secrets || echo "no secrets" export QEMU_OPTS="-m 8096 -cpu host" diff --git a/.sops.yaml b/.sops.yaml @@ -0,0 +1,29 @@ +keys: + - &vincent 8C4E8DDA04C18C6B503BD2DBB7E7CF1C634256FA + - &aomi b14ab1e44008e7d4c39875324d5981054462545d + - &wakasu 3f65577842cabda3955d1f5603286b3ea9ac52bb + - &sakhalin 8b80ab02638ab9c34f6c21bd69928b5908e10cbf + - &kerkouane b8b02c0885a74753f8fb53f031f0386f20f3e4ec +creation_rules: + # - path_regex: secrets/admins/[^/]+\.yaml$ + # key_groups: + # - pgp: + # - *joerg + # - path_regex: eve/secrets/[^/]+\.yaml$ + # key_groups: + # - pgp: + # - *joerg + # - *eve + # - path_regex: eva/secrets/[^/]+\.yaml$ + # key_groups: + # - pgp: + # - *joerg + # - *eva + - path_regex: secrets/[^/]+\.yaml$ + key_groups: + - pgp: + - *vincent + - *aomi + - *wakasu + - *sakhalin + - *kerkouane diff --git a/nix/default.nix b/nix/default.nix @@ -13,4 +13,5 @@ rec { gitignore = import sources.gitignore; nixos-hardware = import sources.nixos-hardware; nur = import sources.NUR; + sops-nix = import sources.sops-nix; } diff --git a/secrets/syncthing.yaml b/secrets/syncthing.yaml 
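Review bot: The single creation rule `path_regex: secrets/[^/]+\.yaml$` encrypts every file under secrets/ to all five PGP keys (vincent, aomi, wakasu, sakhalin, kerkouane), so each host can decrypt every other host's secrets; secrets/syncthing.yaml added in this commit is indeed encrypted to all five fingerprints. Splitting the policy per host (one rule per host file or per subdirectory, each with a key_group of `*vincent` plus that host's key) limits what a compromised host key can read, and the commit message's point about provisioning each machine with the correct host key only pays off if the key groups are partitioned that way. The commented-out `*joerg`/`*eve`/`*eva` rules look like leftovers from a copied example and reference anchors that are not defined in this file; dropping them keeps the policy readable. Keep in mind that `.sops.yaml` is consulted when a file is created or re-keyed, so tightening the rule later also means re-keying the existing encrypted files.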
@@ -0,0 +1,108 @@
+hello: ENC[AES256_GCM,data:SP1j6ufze8hWvMXtYm/2PsrF5WHzaLrWG2hoO/xAgzljSz4+qBjzNMqd4nnFmA==,iv:R6/0/+wc1hpBowUYFYeSEoUBNdsHh8h5WiH1JyGnUHk=,tag:fZWDiLCsaU9wjMUdjMf2kA==,type:str]
+example_key: ENC[AES256_GCM,data:PhOUQjKQTXWUR9G1Iw==,iv:D46k5Eq2tSYeUTC2OKxlBZqDlX3Ly2LYAGAuJXZZbQY=,tag:EX/I0CZE5rcYVJnQ3sbp0A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2021-09-13T16:10:56Z"
+ mac: ENC[AES256_GCM,data:S4idl0hkBWWKqX2V0wFr1NJW+wZDjHsAMxgcBEB62Z/uubCdUSbL9NFJw88ZNYEXXBWC+NYmm/jIE6xLsa9AYFT5x0EEsOiIrIx+YXUQfWG7yNwHpEcciYcFQdKnM1edVcRpyXTNbf/OAUliPAzLbWEMExvJIzYRdswQs0lvKRA=,iv:VAbVCn0T2cK26OMFD1HOgy0zTLea8swdy6b9tG33fuM=,tag:+RyGa/DVg+/18DxZUikWuQ==,type:str]
+ pgp:
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcBMA/Z3oSgzL9TxAQgAWJKNRHXmZVg5Uens6dHkrDn1lpCnE59Y5PI8c30I2F8h
+ 2YuJbIIuf+U9lteZHefmWq4ZuuaBU3Uh5VxH0wCrpxixRvcBCQzi4xVV4MkOBXEM
+ X+dQGBLVEJu9XevJtw/4+XmQCciIVXuWSMlRAZ3S7CSHC5UOp+l5y5Ye+Ofvyv8F
+ 1JfazqyBThBNi7t0fxVMiTAwgwFVeLv1aPfuhDjvfxf1qKxuDxNN4NtLTp3HolV9
+ nlKazSiVDPLusGlKjOC83bhebWbErfmJeIUvZOf2wTisn+YqNXjj/XRbsbb8bOxx
+ MbggUclnD54UrCHAUbBRiYi5IJYAyf7HyMRzfjGFntLmAanXCPVLUhkbrBHRtdP0
+ zWpUzIQxNRjuxxodsRa3Kcnommc1UNUEVsB6Xss49+TqX4SfCEU/b87OO6m6m7HG
+ jeSUNjYBeR0xOSdBHa2VowXE4kPxXMUA
+ =zOsa
+ -----END PGP MESSAGE-----
+ fp: 8C4E8DDA04C18C6B503BD2DBB7E7CF1C634256FA
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA01ZgQVEYlRdAQ/+NFbIzNDLJ3Bw4VwUVqL57fPh9bEn8TilHy0+uZEeXIEU
+ vPKQvtw7U8btZN60arpV1d3U7T4R1s2qOg7jXEhxwvgySLNadsbHXzp4T4Kh07iL
+ foYGFS+3TzZsZ89gGfdUQsdCyNwbhS2iL6uvJ5ys78JdqX25vLeKcSmmMLZiA7S+
+ dn8FOfKSKOATVZKIF6klmOJooUzwpVfDUgc4YxDLFpqqevkkZNVWu4GrLRbkGxto
+ lY0AK3BqHtxKQ5ywnnVxTEZ1sOSEVwM1cWKiiGH4fRx1dhGnKb/kaFUwmokQ55eQ
+ WQNIv9fglHZsD0imhir8wZJ2PFmSe4ciNPUjxKDkkmoXXqWMLUsaXpiLFSxDF8N6
+ KMHYxiOyaDiKQH5gryxJlLeQWgJWd4K871DIrBanUp4Y9Fe9wdMm2eLFPHk8D770
+ SzD2B5FpmzkawP0yzdPz8eLMh50XdXvVqxFWe19la0DFjyN9HcH1tQOEPDAoUAAn
+ rcm7dTkfdjdVB7cVEHNgGILHhJhkermnWxH1hXI1E8HdUQJEPuhf4eWYw5LJnmvH
+ KZqUSWPfY/ebj3FGFMKzKHxxqANzbhC8idYhQjEoVUKUHf1faW1VQyKrNY6nnepw
+ BxH4bEEQyseZ5Ty0ucdwFs2RcA/HxIXd1QyFvl4Sw16x62UAQNTMkuZVujMrNqvS
+ UAF20jqRl1JlAsPcajxAmEgJ1HrmYKqfCF2UMmVhtnVmy76vbviiXAJkj3a1ew0p
+ NLR/bh1ravKq041b5wtqj8si+if9W1MzmGxj2wqLgVJC
+ =6FRY
+ -----END PGP MESSAGE-----
+ fp: b14ab1e44008e7d4c39875324d5981054462545d
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAwMoaz6prFK7ARAAgfciQm4eMoqDH/bHd9v0OYR1cxrFhJacjUNxHeL80K8/
+ S6IySMektldQWA68VTUAO13z21IAafv4/hfYRem8VpzroI2uaohHw6ijdV42N15K
+ zxlkj1St9rMjxciFGGwi7Tor2/lEXSq136BBbC5m+v52HOUPjUdQnIJUSkSsOdYy
+ bg0IJanPG/Unh4EO2O//8GLOxjMe0HdttKHe6pfXDC0XTLfkO6+clbCwQU6JCsNQ
+ a5e7iNHOoYEB0rP53zKgUCdO6Qw72b7pk3yoR4WppmgczShb7MYQuQP1rXmNZWhn
+ /77QWS1kK4FwMV+GEhoMQ14/+1kQG2/F8ouqDV/6Hb2L/uq70tuNacyRVrL3+tPM
+ QnSYl/NQ50RIe72IZg5kdHN++TSrd/c6ZKWMyEekrExfSPL6XDUn5NOsU5SGDIDT
+ 2DCcCV1eAmsF4qi7ohhd1Eb02KC0f+L6jq1puKmqzgAJrIvWKMIVA80KWdbJfFOH
+ sZvSLc3UTUDh5c4002Pn+s4G/zTcNZdm8n1DeZb/QOhHYMiqt11dXoETWliwfSr5
+ CTA0IPUBIdiLtGRqXkvRb9Up+PkFALgiQ4uZMAjBikEw0DCNtYm7a/j4sB4GrbF/
+ 7BNsN+Nb57xlmnC28pzVtSkVWp+cYuK4m9amhzrc2Jkq2yYrVDPj55r5fRTXIb3S
+ UAGgiVctxs90cR7DN+IhwfAQwLKMv7nQVYE76A2ngdjGYvWbq0nvJfJRB9m/q/xz
+ sIdDpDFL3zvB1NetjI1tmzt49v9G/VlK5AAag/kbHQrV
+ =kFXm
+ -----END PGP MESSAGE-----
+ fp: 3f65577842cabda3955d1f5603286b3ea9ac52bb
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA2mSi1kI4Qy/AQ//fb8Trp40hD2xUOBY1jO/sjHZuTIYwa4/S0togTa/Rj/o
+ 2xYfDB6/UszdmpNaBRQQLbbrmYMYOOoEVskr2ZgZ7lvddxiG3QedgIJN0pHfrdX5
+ GHZkYZB/Ujd2pnQpA1Ii/fb0tjMj+tyQogrTGdMK4DfHJGEl7z6qXC3ItDiV4htc
+ wrRSEOnVPad6AXGPmeEgMwJwIT+kohfi2/a7+IX2aPH+eJSBbP4ZD/nKW0Dtb0di
+ 3p4QUDP/hK7w1bB6pPuuJKYNO1SzRpnj7CITIftouQ530KehxtsJdl+4BAXBC9LU
+ A12KiOM97j2RfKhU2MBpA5Or/aipwhNd1xsENyMBycUxA4tEMg2UHeJMpy3r2C5i
+ zaKScoKjS6we7rw5J9k58HjFSGxvGM6DipyCtO1cQeRT+wODo4oxoHyRy9ZcU4h5
+ AuVONU3qbhIq8yadU3x1TOvrClHTfUVeZbfbD1RTsf/1wVFYM3YmjIp/H/WSzrvr
+ Udc3nhvs3jY+QopVOUtS5tai4iSUvdTSuw0Cic0hz+Xbx87kOgE7txx1pkzCxTpY
+ +b8a5QYhgqqD0StmVZRR32kaIAhVKumK5PysD/2beKsGbL0xtKX9wxmhuzrK+xJL
+ 2Vo/cN7wwAHWJ+ISUsUUVev6dqqiCp3FbNkXPgkHF4Ue9CD7e8oO474mDiPJVmXS
+ UAHP7QM1VeRhimbwbCuT24u+sdKSS8NUrkxxHWYYyQVTQ7i46RrgVsfa3joYfxMB
+ Z1YOSos18AV6cz8jROuhj1hHco9XQ0fmKKpOa1SeNB9y
+ =mt9Q
+ -----END PGP MESSAGE-----
+ fp: 8b80ab02638ab9c34f6c21bd69928b5908e10cbf
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzHwOG8g8+TsARAAu669eo0niKximjYTFHrKy07CSGE72AU4ZCOrbBLuumKG
+ 82wgLwKcHQZVhJHe2acnSuP+WfdLoeq6Z08fIGmIoCxgXTb6x9IQwkNf/a9TL73T
+ 6hADqFpAJ8LLx+/YspZS9+1Zn0MlwkFPSirRuoy02slmmUj303KU7FcocAnzRitp
+ qD76tUDLvmHHVg3ixokuF85M+4TOmjcTWSBlyESiZY5SqfQWukAK2b1R2KPvfDjn
+ QUByUrepXtQPg63E9ypTMX9WggdjCOYIGU7shGhKKEVUVqJ3OF/X2jbRRagKb8yL
+ e7O3JkprOJcOHZf3Ww/gxjgdKifMn4UEdJUXR8wgG7EN4nL0u94dxkqoRzzCjema
+ lmaH3wOm0G5CTaGuCrbipoVZ6RRLh6bzcdOcf56+om8PMs0FKMfrUx/hs75S6CPG
+ 77Cmt4JrP+SJaJTgetmo0YfWb4ZRpo3iaFU7UdeS95nbRZRQ5xoD6dvfYlkyc+A1
+ hRSUkv9aadGKcUjzLeNJG3id7HuzDx3BoqxwhmZZGHstAD5Y8wBdkZTBvsG8poEQ
+ ZTjST3YSt0VphLHhj9k35di6/ciJzFvYaHxRhh70usKV9wkUQkJqbZYrvOXxdaUO
+ YfE6wRjPibqD+rKiRcfgvljduCOazOVOcV+7quXFboMSWLJQ5q2bRhqXNbYjDYDS
+ UAEP0GQnvNRO8dj20HgFc2NU+asK4Cz+2uOHfMO0wIs8tX+9KoS4s1pOq2/s7/oZ
+ TetG3ox4vemf6uZu9hhwWoU6QHtoEd+Gy15S9lc/qfat
+ =cJr8
+ -----END PGP MESSAGE-----
+ fp: b8b02c0885a74753f8fb53f031f0386f20f3e4ec
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
diff --git a/shell.nix b/shell.nix
@@ -3,10 +3,17 @@ let
 pkgs = sources.nixpkgs { };
 nixos-unstable = sources.pkgs-unstable { };
 nixos = sources.pkgs { };
+ sops-nix = sources.sops-nix;
 in
 pkgs.mkShell {
 name = "nix-config";
+ sopsPGPKeyDirs = [
+ "./secrets/keys"
+ ];
+ nativeBuildInputs = [
+ (pkgs.callPackage sops-nix { }).sops-import-keys-hook
+ ];
 buildInputs = with pkgs; [
 cachix
 morph
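Review bot: `sopsPGPKeyDirs = [ "./secrets/keys" ]` points sops-import-keys-hook at a directory that this commit does not add (the diffstat lists only secrets/syncthing.yaml under secrets/), so unless secrets/keys already exists in the tree the hook has no public keys to import and `sops` in the dev shell cannot encrypt to the host fingerprints listed in .sops.yaml. If the directory is meant to arrive in a later change, a one-line comment next to the option, e.g. `# public keys of the hosts listed in .sops.yaml, one .asc per host`, would tell the next reader what is expected to live there. Note also that the path is relative to wherever the shell is entered, not to shell.nix, which is worth stating in the same comment if direnv is not the only way this shell gets used. The mkShell attribute set continues past the end of the hunk.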
diff --git a/systems/hosts/aomi.nix b/systems/hosts/aomi.nix @@ -50,6 +50,11 @@ in hostName = hostname; }; + sops.defaultSopsFile = ../../secrets/secrets.yaml; + sops.secrets.example_key = { + sopsFile = ../../secrets/syncthing.yaml; + }; + boot = { kernelPackages = pkgs.linuxPackages_latest; tmpOnTmpfs = true; diff --git a/systems/modules/default.nix b/systems/modules/default.nix @@ -6,5 +6,6 @@ ./programs ./services ./virtualisation + "${(import ../../nix/sources.nix).sops-nix}/modules/sops" ]; }
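Review bot: `sops.defaultSopsFile = ../../secrets/secrets.yaml;` references a file this commit does not add (only secrets/syncthing.yaml appears in the diffstat), and the sops-nix module is wired in by the same commit; it is harmless for now only because `example_key` overrides `sopsFile`, but any later secret declared without its own `sopsFile` would fall back to a path that does not exist. Either point it at a file that is in the tree, `sops.defaultSopsFile = ../../secrets/syncthing.yaml;`, or add secrets/secrets.yaml in the same change. `example_key` also reads as a placeholder rather than a syncthing secret (the encrypted file only contains `hello` and `example_key`), so a comment such as `# placeholder secret to verify the sops-nix wiring; replace with the real syncthing key material` would keep the intent clear for whoever extends this. The enclosing attribute set starts before the hunk.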
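Review bot: `"${(import ../../nix/sources.nix).sops-nix}/modules/sops"` resolves the sops-nix pin directly from sources.nix although nix/default.nix gains a `sops-nix` attribute in this same commit, so the pin is now resolved in two places that can drift apart. Since `import sources.sops-nix` in nix/default.nix yields the evaluated default.nix rather than the source path, it cannot be interpolated here as is; exposing the raw `sources.sops-nix` path (or the module path itself) from nix/default.nix and referencing that from this list would keep a single source of truth. This is a style and consistency point rather than a functional defect.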