From 796010071bde426c37441efed5f2fd807aeff3b8 Mon Sep 17 00:00:00 2001
From: Kevin Kandlbinder
Date: Mon, 27 Feb 2023 13:59:02 +0000
Subject: [PATCH] Add initial secrets
---
 nixos/.sops.yaml | 9 +++++++++
 nixos/flake-module.nix | 2 +-
 nixos/kevin-tp/configuration.nix | 5 +++++
 nixos/kevin-tp/secrets/secrets.yaml | 30 +++++++++++++++++++++++++++++
 4 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 nixos/.sops.yaml
 create mode 100644 nixos/kevin-tp/secrets/secrets.yaml
diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
new file mode 100644
index 0000000..8734535
--- /dev/null
+++ b/nixos/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &admin_kevin age1tyq4g2hfuy7ffl8lycl3yj6saxyk56z4xlmtz7krlq7djx6l7f9snd56q6
+ - &target_kevin-tp age17963wrexn2ahn0j39sg6h00wc7q7p4spt64yexg5tzk48x7vyv4sz47c0s
+creation_rules:
+ - path_regex: kevin-tp/secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *admin_kevin
+ - *target_kevin-tp
\ No newline at end of file
diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix
index a3cf1a8..4175a9e 100644
--- a/nixos/flake-module.nix
+++ b/nixos/flake-module.nix
@@ -14,7 +14,7 @@ let #services.envfs.enable = true;
 imports = [
- #inputs.sops-nix.nixosModules.sops
+ inputs.sops-nix.nixosModules.sops
 ./modules/users.nix
 ./modules/common.nix
 ];
diff --git a/nixos/kevin-tp/configuration.nix b/nixos/kevin-tp/configuration.nix
index 3bc1296..38afceb 100644
--- a/nixos/kevin-tp/configuration.nix
+++ b/nixos/kevin-tp/configuration.nix
@@ -15,6 +15,11 @@
 ../modules/yubikey.nix
 ];
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.secrets.example-key = {};
+
+
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
diff --git a/nixos/kevin-tp/secrets/secrets.yaml b/nixos/kevin-tp/secrets/secrets.yaml
new file mode 100644
index 0000000..9110cdc
--- /dev/null
+++ b/nixos/kevin-tp/secrets/secrets.yaml
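Review bot: The two age recipients under `keys:` carry no provenance, so nothing in the file says that `target_kevin-tp` is presumably the host's `/etc/ssh/ssh_host_ed25519_key` converted with ssh-to-age (configuration.nix in this same patch points sops at that key path) or what to do when that host key is regenerated. I would annotate each recipient, e.g. `# admin key: Kevin's personal age keypair` and `# kevin-tp host key: ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub; run 'sops updatekeys' after any host re-key`, so a reinstall does not silently leave the secrets undecryptable on the target. A comment noting that with a single `key_groups` entry either recipient alone decrypts the file, so the host key is as sensitive as the admin key, would also help the next reader. The file also lacks a trailing newline.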
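Review bot: `sops.secrets.example-key = {};` names a secret that does not exist in the sops file this patch adds: `secrets.yaml` encrypts `example_key` (underscore), so sops-nix will look up `example-key` and, as far as I can tell, fail either the build-time sops-file validation or the activation step with a missing-key error. Either rename the attribute to `sops.secrets.example_key = {};` or keep the name and point it at the YAML key with `sops.secrets.example-key.key = "example_key";`. A short comment above the block stating that `/etc/ssh/ssh_host_ed25519_key` must already exist and match `target_kevin-tp` in .sops.yaml before the first activation would also be worthwhile, since a fresh install with a regenerated host key cannot decrypt this file. The enclosing module attribute set starts and ends outside the hunk.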
@@ -0,0 +1,30 @@
+example_key: ENC[AES256_GCM,data:D1ZZuTM914KfLtRhfw==,iv:VZ05Gqfd24f044AEwdELTWpeTBg0/Q4slHJneYu9TJU=,tag:uIn+7cHXXUyObrpvxSKSXw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1tyq4g2hfuy7ffl8lycl3yj6saxyk56z4xlmtz7krlq7djx6l7f9snd56q6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRFlvUXUrTFR0SEZnbjdH
+ R3kzaU4xRFlMNmNwNXgrM3JqenFOK2VwU3hnCmMzb0N1eWNZUW9ONnlyRFdHRGw3
+ Snl5ZXdiVWZ5VXoySW4zZExHdytiU0EKLS0tIGR6dFBVeVBqWU8wMHVjcnEyWElx
+ QmRDVkU3R0pneUdZNEpEY2o4Tm13ODAKs0/Xw3e/mvW3kZpYcwUsl9JPOUTDFpG3
+ KJBdRLPx0wNgqbqs7FX4zHpUTML02Huc2vzC2KsWE3XG/9ibMpze3w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age17963wrexn2ahn0j39sg6h00wc7q7p4spt64yexg5tzk48x7vyv4sz47c0s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRkdlNmdORUNkbkl4OFdU
+ MElzZCt4dEpWVDBKRElKVW5jNkFCUUJ1eFJrCnJmKzBZekRSU0JBVGNEOWFkSDZt
+ eVhsOFRBeW93RHdqSnd1VU5IWDByOHcKLS0tIFJDUzlFbTZqandrSmpmNHRDK0RQ
+ RFhCUi9oSkpWbEZMSm81SUt0czZobGsKT6g6sl9sf0olO79YLZuIiLqmySH4Vy+a
+ bnapUeXAg6DQ/Vo5g71j6faF+3/FDPVzTYIvRhCWG71o/nvu1ZPqrg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-02-27T13:52:50Z"
+ mac: ENC[AES256_GCM,data:9fbP+dv878yWqVbx486ZWcVmF/vei6upy0o2stUmtlnN/j5gSPwvizvwELobgbh2WnEUE+CN/Rc9UQ69ovAa/mrGC4CSn+xM9ElsRG14Pg140Vt5w5o7KFLrF/GJzTCzuS0CcB+68iVZyGcnOnovWTW/HzuWHJW0CsxJlPd8TAM=,iv:QEo1UBx4Zn0XTU468Mali0LbsFO+mCfGSd73iAVXvuA=,tag:uKnQcAuJF5BFHONgaVH5Iw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3