commit 59d37efcac302140b429592e723be30d2a4720af
parent a76448406215243e9ebee001e1905fe6fc591370
Author: Vincent Demeester <vincent@sbr.pm>
Date: Mon, 13 Sep 2021 18:47:27 +0200
nix: trying sops-nix 🙃
This seems to work nicely; the only trick is to make sure we are
provisioning the machine with the correct set of host keys (but that's doable)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
7 files changed, 152 insertions(+), 0 deletions(-)
diff --git a/.envrc b/.envrc
@@ -2,6 +2,7 @@ use_nix shell.nix
watch_file ./shell.nix
watch_file ./nix/sources.json
+watch_file ./nix/default.nix
test -f .secrets && source .secrets || echo "no secrets"
export QEMU_OPTS="-m 8096 -cpu host"
diff --git a/.sops.yaml b/.sops.yaml
@@ -0,0 +1,29 @@
+keys:
+ - &vincent 8C4E8DDA04C18C6B503BD2DBB7E7CF1C634256FA
+ - &aomi b14ab1e44008e7d4c39875324d5981054462545d
+ - &wakasu 3f65577842cabda3955d1f5603286b3ea9ac52bb
+ - &sakhalin 8b80ab02638ab9c34f6c21bd69928b5908e10cbf
+ - &kerkouane b8b02c0885a74753f8fb53f031f0386f20f3e4ec
+creation_rules:
+ # - path_regex: secrets/admins/[^/]+\.yaml$
+ # key_groups:
+ # - pgp:
+ # - *joerg
+ # - path_regex: eve/secrets/[^/]+\.yaml$
+ # key_groups:
+ # - pgp:
+ # - *joerg
+ # - *eve
+ # - path_regex: eva/secrets/[^/]+\.yaml$
+ # key_groups:
+ # - pgp:
+ # - *joerg
+ # - *eva
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *vincent
+ - *aomi
+ - *wakasu
+ - *sakhalin
+ - *kerkouane
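Review bot: The single rule at `path_regex: secrets/[^/]+\.yaml$` encrypts every file under `secrets/` to all four host keys as well as the admin key, so any one host — or its leaked SSH host key, from which these lowercase fingerprints appear to be derived given the commit message — can decrypt the secrets meant for every other host. If secrets are going to be per host (the `syncthing.yaml` added here is only consumed by aomi), a per-host directory with a rule listing the admin key plus that host's key keeps the blast radius of one compromised host to its own secrets, as sketched below; existing files then need `sops updatekeys`. The commented-out rules referencing `*joerg`, `*eve` and `*eva` look like leftovers from an upstream example: those anchors are not defined under `keys:`, so uncommenting them would fail to parse — drop them rather than carry dead template text.
```yaml
creation_rules:
  # One rule per host: the admin key plus only that host's key.
  - path_regex: secrets/aomi/[^/]+\.yaml$
    key_groups:
      - pgp:
          - *vincent
          - *aomi
  # … same shape for wakasu, sakhalin and kerkouane …
  # … unchanged: shared secrets/[^/]+\.yaml$ rule with all five keys …
```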
diff --git a/nix/default.nix b/nix/default.nix
@@ -13,4 +13,5 @@ rec {
gitignore = import sources.gitignore;
nixos-hardware = import sources.nixos-hardware;
nur = import sources.NUR;
+ sops-nix = import sources.sops-nix;
}
diff --git a/secrets/syncthing.yaml b/secrets/syncthing.yaml
@@ -0,0 +1,108 @@
+hello: ENC[AES256_GCM,data:SP1j6ufze8hWvMXtYm/2PsrF5WHzaLrWG2hoO/xAgzljSz4+qBjzNMqd4nnFmA==,iv:R6/0/+wc1hpBowUYFYeSEoUBNdsHh8h5WiH1JyGnUHk=,tag:fZWDiLCsaU9wjMUdjMf2kA==,type:str]
+example_key: ENC[AES256_GCM,data:PhOUQjKQTXWUR9G1Iw==,iv:D46k5Eq2tSYeUTC2OKxlBZqDlX3Ly2LYAGAuJXZZbQY=,tag:EX/I0CZE5rcYVJnQ3sbp0A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2021-09-13T16:10:56Z"
+ mac: ENC[AES256_GCM,data:S4idl0hkBWWKqX2V0wFr1NJW+wZDjHsAMxgcBEB62Z/uubCdUSbL9NFJw88ZNYEXXBWC+NYmm/jIE6xLsa9AYFT5x0EEsOiIrIx+YXUQfWG7yNwHpEcciYcFQdKnM1edVcRpyXTNbf/OAUliPAzLbWEMExvJIzYRdswQs0lvKRA=,iv:VAbVCn0T2cK26OMFD1HOgy0zTLea8swdy6b9tG33fuM=,tag:+RyGa/DVg+/18DxZUikWuQ==,type:str]
+ pgp:
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcBMA/Z3oSgzL9TxAQgAWJKNRHXmZVg5Uens6dHkrDn1lpCnE59Y5PI8c30I2F8h
+ 2YuJbIIuf+U9lteZHefmWq4ZuuaBU3Uh5VxH0wCrpxixRvcBCQzi4xVV4MkOBXEM
+ X+dQGBLVEJu9XevJtw/4+XmQCciIVXuWSMlRAZ3S7CSHC5UOp+l5y5Ye+Ofvyv8F
+ 1JfazqyBThBNi7t0fxVMiTAwgwFVeLv1aPfuhDjvfxf1qKxuDxNN4NtLTp3HolV9
+ nlKazSiVDPLusGlKjOC83bhebWbErfmJeIUvZOf2wTisn+YqNXjj/XRbsbb8bOxx
+ MbggUclnD54UrCHAUbBRiYi5IJYAyf7HyMRzfjGFntLmAanXCPVLUhkbrBHRtdP0
+ zWpUzIQxNRjuxxodsRa3Kcnommc1UNUEVsB6Xss49+TqX4SfCEU/b87OO6m6m7HG
+ jeSUNjYBeR0xOSdBHa2VowXE4kPxXMUA
+ =zOsa
+ -----END PGP MESSAGE-----
+ fp: 8C4E8DDA04C18C6B503BD2DBB7E7CF1C634256FA
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA01ZgQVEYlRdAQ/+NFbIzNDLJ3Bw4VwUVqL57fPh9bEn8TilHy0+uZEeXIEU
+ vPKQvtw7U8btZN60arpV1d3U7T4R1s2qOg7jXEhxwvgySLNadsbHXzp4T4Kh07iL
+ foYGFS+3TzZsZ89gGfdUQsdCyNwbhS2iL6uvJ5ys78JdqX25vLeKcSmmMLZiA7S+
+ dn8FOfKSKOATVZKIF6klmOJooUzwpVfDUgc4YxDLFpqqevkkZNVWu4GrLRbkGxto
+ lY0AK3BqHtxKQ5ywnnVxTEZ1sOSEVwM1cWKiiGH4fRx1dhGnKb/kaFUwmokQ55eQ
+ WQNIv9fglHZsD0imhir8wZJ2PFmSe4ciNPUjxKDkkmoXXqWMLUsaXpiLFSxDF8N6
+ KMHYxiOyaDiKQH5gryxJlLeQWgJWd4K871DIrBanUp4Y9Fe9wdMm2eLFPHk8D770
+ SzD2B5FpmzkawP0yzdPz8eLMh50XdXvVqxFWe19la0DFjyN9HcH1tQOEPDAoUAAn
+ rcm7dTkfdjdVB7cVEHNgGILHhJhkermnWxH1hXI1E8HdUQJEPuhf4eWYw5LJnmvH
+ KZqUSWPfY/ebj3FGFMKzKHxxqANzbhC8idYhQjEoVUKUHf1faW1VQyKrNY6nnepw
+ BxH4bEEQyseZ5Ty0ucdwFs2RcA/HxIXd1QyFvl4Sw16x62UAQNTMkuZVujMrNqvS
+ UAF20jqRl1JlAsPcajxAmEgJ1HrmYKqfCF2UMmVhtnVmy76vbviiXAJkj3a1ew0p
+ NLR/bh1ravKq041b5wtqj8si+if9W1MzmGxj2wqLgVJC
+ =6FRY
+ -----END PGP MESSAGE-----
+ fp: b14ab1e44008e7d4c39875324d5981054462545d
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAwMoaz6prFK7ARAAgfciQm4eMoqDH/bHd9v0OYR1cxrFhJacjUNxHeL80K8/
+ S6IySMektldQWA68VTUAO13z21IAafv4/hfYRem8VpzroI2uaohHw6ijdV42N15K
+ zxlkj1St9rMjxciFGGwi7Tor2/lEXSq136BBbC5m+v52HOUPjUdQnIJUSkSsOdYy
+ bg0IJanPG/Unh4EO2O//8GLOxjMe0HdttKHe6pfXDC0XTLfkO6+clbCwQU6JCsNQ
+ a5e7iNHOoYEB0rP53zKgUCdO6Qw72b7pk3yoR4WppmgczShb7MYQuQP1rXmNZWhn
+ /77QWS1kK4FwMV+GEhoMQ14/+1kQG2/F8ouqDV/6Hb2L/uq70tuNacyRVrL3+tPM
+ QnSYl/NQ50RIe72IZg5kdHN++TSrd/c6ZKWMyEekrExfSPL6XDUn5NOsU5SGDIDT
+ 2DCcCV1eAmsF4qi7ohhd1Eb02KC0f+L6jq1puKmqzgAJrIvWKMIVA80KWdbJfFOH
+ sZvSLc3UTUDh5c4002Pn+s4G/zTcNZdm8n1DeZb/QOhHYMiqt11dXoETWliwfSr5
+ CTA0IPUBIdiLtGRqXkvRb9Up+PkFALgiQ4uZMAjBikEw0DCNtYm7a/j4sB4GrbF/
+ 7BNsN+Nb57xlmnC28pzVtSkVWp+cYuK4m9amhzrc2Jkq2yYrVDPj55r5fRTXIb3S
+ UAGgiVctxs90cR7DN+IhwfAQwLKMv7nQVYE76A2ngdjGYvWbq0nvJfJRB9m/q/xz
+ sIdDpDFL3zvB1NetjI1tmzt49v9G/VlK5AAag/kbHQrV
+ =kFXm
+ -----END PGP MESSAGE-----
+ fp: 3f65577842cabda3955d1f5603286b3ea9ac52bb
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA2mSi1kI4Qy/AQ//fb8Trp40hD2xUOBY1jO/sjHZuTIYwa4/S0togTa/Rj/o
+ 2xYfDB6/UszdmpNaBRQQLbbrmYMYOOoEVskr2ZgZ7lvddxiG3QedgIJN0pHfrdX5
+ GHZkYZB/Ujd2pnQpA1Ii/fb0tjMj+tyQogrTGdMK4DfHJGEl7z6qXC3ItDiV4htc
+ wrRSEOnVPad6AXGPmeEgMwJwIT+kohfi2/a7+IX2aPH+eJSBbP4ZD/nKW0Dtb0di
+ 3p4QUDP/hK7w1bB6pPuuJKYNO1SzRpnj7CITIftouQ530KehxtsJdl+4BAXBC9LU
+ A12KiOM97j2RfKhU2MBpA5Or/aipwhNd1xsENyMBycUxA4tEMg2UHeJMpy3r2C5i
+ zaKScoKjS6we7rw5J9k58HjFSGxvGM6DipyCtO1cQeRT+wODo4oxoHyRy9ZcU4h5
+ AuVONU3qbhIq8yadU3x1TOvrClHTfUVeZbfbD1RTsf/1wVFYM3YmjIp/H/WSzrvr
+ Udc3nhvs3jY+QopVOUtS5tai4iSUvdTSuw0Cic0hz+Xbx87kOgE7txx1pkzCxTpY
+ +b8a5QYhgqqD0StmVZRR32kaIAhVKumK5PysD/2beKsGbL0xtKX9wxmhuzrK+xJL
+ 2Vo/cN7wwAHWJ+ISUsUUVev6dqqiCp3FbNkXPgkHF4Ue9CD7e8oO474mDiPJVmXS
+ UAHP7QM1VeRhimbwbCuT24u+sdKSS8NUrkxxHWYYyQVTQ7i46RrgVsfa3joYfxMB
+ Z1YOSos18AV6cz8jROuhj1hHco9XQ0fmKKpOa1SeNB9y
+ =mt9Q
+ -----END PGP MESSAGE-----
+ fp: 8b80ab02638ab9c34f6c21bd69928b5908e10cbf
+ - created_at: "2021-09-13T16:10:44Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzHwOG8g8+TsARAAu669eo0niKximjYTFHrKy07CSGE72AU4ZCOrbBLuumKG
+ 82wgLwKcHQZVhJHe2acnSuP+WfdLoeq6Z08fIGmIoCxgXTb6x9IQwkNf/a9TL73T
+ 6hADqFpAJ8LLx+/YspZS9+1Zn0MlwkFPSirRuoy02slmmUj303KU7FcocAnzRitp
+ qD76tUDLvmHHVg3ixokuF85M+4TOmjcTWSBlyESiZY5SqfQWukAK2b1R2KPvfDjn
+ QUByUrepXtQPg63E9ypTMX9WggdjCOYIGU7shGhKKEVUVqJ3OF/X2jbRRagKb8yL
+ e7O3JkprOJcOHZf3Ww/gxjgdKifMn4UEdJUXR8wgG7EN4nL0u94dxkqoRzzCjema
+ lmaH3wOm0G5CTaGuCrbipoVZ6RRLh6bzcdOcf56+om8PMs0FKMfrUx/hs75S6CPG
+ 77Cmt4JrP+SJaJTgetmo0YfWb4ZRpo3iaFU7UdeS95nbRZRQ5xoD6dvfYlkyc+A1
+ hRSUkv9aadGKcUjzLeNJG3id7HuzDx3BoqxwhmZZGHstAD5Y8wBdkZTBvsG8poEQ
+ ZTjST3YSt0VphLHhj9k35di6/ciJzFvYaHxRhh70usKV9wkUQkJqbZYrvOXxdaUO
+ YfE6wRjPibqD+rKiRcfgvljduCOazOVOcV+7quXFboMSWLJQ5q2bRhqXNbYjDYDS
+ UAEP0GQnvNRO8dj20HgFc2NU+asK4Cz+2uOHfMO0wIs8tX+9KoS4s1pOq2/s7/oZ
+ TetG3ox4vemf6uZu9hhwWoU6QHtoEd+Gy15S9lc/qfat
+ =cJr8
+ -----END PGP MESSAGE-----
+ fp: b8b02c0885a74753f8fb53f031f0386f20f3e4ec
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
diff --git a/shell.nix b/shell.nix
@@ -3,10 +3,17 @@ let
pkgs = sources.nixpkgs { };
nixos-unstable = sources.pkgs-unstable { };
nixos = sources.pkgs { };
+ sops-nix = sources.sops-nix;
in
pkgs.mkShell
{
name = "nix-config";
+ sopsPGPKeyDirs = [
+ "./secrets/keys"
+ ];
+ nativeBuildInputs = [
+ (pkgs.callPackage sops-nix { }).sops-import-keys-hook
+ ];
buildInputs = with pkgs; [
cachix
morph
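Review bot: `sopsPGPKeyDirs = [ "./secrets/keys" ];` points at a directory this commit does not add (none of the seven files in the diffstat is under `secrets/keys`), so `sops-import-keys-hook` has nothing to import on shell entry and `sops` in this shell cannot encrypt for the four host recipients listed in `.sops.yaml`. The exported host public keys (the `ssh-to-pgp` output, as `.asc`/`.gpg` files if I remember the hook's filter right) need to be committed there, or the attribute dropped until they are. The hook also imports whatever key files it finds into the keyring; as far as I recall it only uses a throwaway `GNUPGHOME` when `sopsCreateGPGHome = true;` is set — confirm against the sops-nix revision pinned in `nix/sources.json`, and consider setting it so repository keys do not land in the developer's personal keyring. A one-line comment such as `# public keys of every sops recipient (admin + hosts), imported by sops-import-keys-hook` would make the directory's purpose clear.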
diff --git a/systems/hosts/aomi.nix b/systems/hosts/aomi.nix
@@ -50,6 +50,11 @@ in
hostName = hostname;
};
+ sops.defaultSopsFile = ../../secrets/secrets.yaml;
+ sops.secrets.example_key = {
+ sopsFile = ../../secrets/syncthing.yaml;
+ };
+
boot = {
kernelPackages = pkgs.linuxPackages_latest;
tmpOnTmpfs = true;
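Review bot: `sops.defaultSopsFile = ../../secrets/secrets.yaml;` names a file this commit does not add (the diffstat lists seven files and `secrets/secrets.yaml` is not among them); the only declared secret, `example_key`, overrides `sopsFile`, so the default is dead today, but the first secret that relies on it will fail at evaluation with a missing path. Either add the file or point the default at `../../secrets/syncthing.yaml` and drop the per-secret `sopsFile`. `example_key` also takes sops-nix's defaults (root-owned, mode 0400 under `/run/secrets`); if the file name means it is meant for the syncthing service, that service's user cannot read it without `owner = config.services.syncthing.user;` (or an explicit `mode`), and nothing in this hunk consumes the secret yet. The enclosing attribute set starts before this hunk, so I cannot see whether `config` is in scope here.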
diff --git a/systems/modules/default.nix b/systems/modules/default.nix
@@ -6,5 +6,6 @@
./programs
./services
./virtualisation
+ "${(import ../../nix/sources.nix).sops-nix}/modules/sops"
];
}
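Review bot: The module path is built by importing `../../nix/sources.nix` directly, while `nix/default.nix` in this same commit also gains a `sops-nix` entry, so the sops-nix pin is now referenced from two places — and the `nix/default.nix` entry cannot serve this use, because `import sources.sops-nix` yields the package function rather than the source path. Consider exposing the raw path from one place, or at least annotate this line, e.g. `# sops-nix NixOS module, pinned via nix/sources.json (niv)`, so a reader knows where the version comes from. This is a point of style; the string interpolation itself is fine.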