Add initial secrets

2025-05-23 11:56:09 +02:00 · 2023-02-27 13:59:02 +00:00 · 2023-02-27 13:59:02 +00:00 · 796010071b
commit 796010071b
parent 78836daf06
4 changed files with 45 additions and 1 deletions
--- a/nixos/.sops.yaml
+++ b/nixos/.sops.yaml
@ -0,0 +1,9 @@
+keys:
+  - &admin_kevin age1tyq4g2hfuy7ffl8lycl3yj6saxyk56z4xlmtz7krlq7djx6l7f9snd56q6
+  - &target_kevin-tp age17963wrexn2ahn0j39sg6h00wc7q7p4spt64yexg5tzk48x7vyv4sz47c0s
+creation_rules:
+  - path_regex: kevin-tp/secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *admin_kevin
+      - *target_kevin-tp
--- a/nixos/flake-module.nix
+++ b/nixos/flake-module.nix
@ -14,7 +14,7 @@ let
      #services.envfs.enable = true;

      imports = [
-        #inputs.sops-nix.nixosModules.sops
+        inputs.sops-nix.nixosModules.sops
        ./modules/users.nix
        ./modules/common.nix
      ];
--- a/nixos/kevin-tp/configuration.nix
+++ b/nixos/kevin-tp/configuration.nix
@ -15,6 +15,11 @@
      ../modules/yubikey.nix
    ];

+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.secrets.example-key = {};
+
+
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

--- a/nixos/kevin-tp/secrets/secrets.yaml
+++ b/nixos/kevin-tp/secrets/secrets.yaml
@ -0,0 +1,30 @@
+example_key: ENC[AES256_GCM,data:D1ZZuTM914KfLtRhfw==,iv:VZ05Gqfd24f044AEwdELTWpeTBg0/Q4slHJneYu9TJU=,tag:uIn+7cHXXUyObrpvxSKSXw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1tyq4g2hfuy7ffl8lycl3yj6saxyk56z4xlmtz7krlq7djx6l7f9snd56q6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRFlvUXUrTFR0SEZnbjdH
+            R3kzaU4xRFlMNmNwNXgrM3JqenFOK2VwU3hnCmMzb0N1eWNZUW9ONnlyRFdHRGw3
+            Snl5ZXdiVWZ5VXoySW4zZExHdytiU0EKLS0tIGR6dFBVeVBqWU8wMHVjcnEyWElx
+            QmRDVkU3R0pneUdZNEpEY2o4Tm13ODAKs0/Xw3e/mvW3kZpYcwUsl9JPOUTDFpG3
+            KJBdRLPx0wNgqbqs7FX4zHpUTML02Huc2vzC2KsWE3XG/9ibMpze3w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17963wrexn2ahn0j39sg6h00wc7q7p4spt64yexg5tzk48x7vyv4sz47c0s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRkdlNmdORUNkbkl4OFdU
+            MElzZCt4dEpWVDBKRElKVW5jNkFCUUJ1eFJrCnJmKzBZekRSU0JBVGNEOWFkSDZt
+            eVhsOFRBeW93RHdqSnd1VU5IWDByOHcKLS0tIFJDUzlFbTZqandrSmpmNHRDK0RQ
+            RFhCUi9oSkpWbEZMSm81SUt0czZobGsKT6g6sl9sf0olO79YLZuIiLqmySH4Vy+a
+            bnapUeXAg6DQ/Vo5g71j6faF+3/FDPVzTYIvRhCWG71o/nvu1ZPqrg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-02-27T13:52:50Z"
+    mac: ENC[AES256_GCM,data:9fbP+dv878yWqVbx486ZWcVmF/vei6upy0o2stUmtlnN/j5gSPwvizvwELobgbh2WnEUE+CN/Rc9UQ69ovAa/mrGC4CSn+xM9ElsRG14Pg140Vt5w5o7KFLrF/GJzTCzuS0CcB+68iVZyGcnOnovWTW/HzuWHJW0CsxJlPd8TAM=,iv:QEo1UBx4Zn0XTU468Mali0LbsFO+mCfGSd73iAVXvuA=,tag:uKnQcAuJF5BFHONgaVH5Iw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3