use sops to encrypt vals secrets
This commit is contained in:
parent
6e608e6ca8
commit
db0303f4d8
9 changed files with 49 additions and 11 deletions
2
.sops.yaml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
creation_rules:
|
||||||
|
- age: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
|
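Review bot: The creation rule on the `- age:` line has no `path_regex`, so it matches every file `sops` creates anywhere in the repository and encrypts each of them to this single recipient; scoping it with `path_regex: secrets/.*` would keep unrelated YAML from being silently treated as a secret store. With only one age recipient there is also no second key to decrypt with if that private key is lost, so a backup recipient (a second `- age:` entry on the same rule, or a `key_groups` layout) is worth adding before more secrets land here.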
@ -29,7 +29,7 @@
|
||||||
SSH_PORT = 56287
|
SSH_PORT = 56287
|
||||||
SSH_LISTEN_PORT = 22
|
SSH_LISTEN_PORT = 22
|
||||||
LFS_START_SERVER = true
|
LFS_START_SERVER = true
|
||||||
LFS_JWT_SECRET = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/lfsJwtSecret
|
LFS_JWT_SECRET = ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret
|
||||||
OFFLINE_MODE = false
|
OFFLINE_MODE = false
|
||||||
|
|
||||||
[database]
|
[database]
|
||||||
|
@ -72,7 +72,7 @@
|
||||||
SECRET_KEY =
|
SECRET_KEY =
|
||||||
REVERSE_PROXY_LIMIT = 1
|
REVERSE_PROXY_LIMIT = 1
|
||||||
REVERSE_PROXY_TRUSTED_PROXIES = *
|
REVERSE_PROXY_TRUSTED_PROXIES = *
|
||||||
INTERNAL_TOKEN = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/internalToken
|
INTERNAL_TOKEN = ref+sops://secrets/sops.yaml#/forgejo/internalToken
|
||||||
PASSWORD_HASH_ALGO = pbkdf2
|
PASSWORD_HASH_ALGO = pbkdf2
|
||||||
|
|
||||||
[service]
|
[service]
|
||||||
|
|
|
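Review bot: `SECRET_KEY =` stays empty on the context line above `REVERSE_PROXY_LIMIT` while `LFS_JWT_SECRET` and `INTERNAL_TOKEN` on the changed lines now come from sops; if this Forgejo build generates a random value on first start and persists it outside this config, that secret is not captured by the new store and cannot be re-provisioned from git. Consider adding a `forgejo/secretKey` entry to `secrets/sops.yaml` and setting `SECRET_KEY = ref+sops://secrets/sops.yaml#/forgejo/secretKey`. The new references use the relative path `secrets/sops.yaml` where the old ones were absolute `file://` URIs; presumably vals resolves it against its working directory, so rendering from anywhere but the repository root would fail to find the file, and the same applies to the freshrss, hedgedoc, kitchenowl, nextcloud, paperless-ngx and pihole sections below. The file header for this section is not visible on the page, so the ini file's name is unknown here.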
@ -7,8 +7,7 @@
|
||||||
PUBLISHED_PORT = "443";
|
PUBLISHED_PORT = "443";
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO: encrypt this with sops and commit to git repo.
|
secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/sops.yaml#/freshrss/password";
|
||||||
secrets.freshrss.stringData.adminPassword = "ref+file:///home/pim/.config/home/vals.yaml#/freshrss/password";
|
|
||||||
|
|
||||||
deployments.freshrss = {
|
deployments.freshrss = {
|
||||||
metadata.labels.app = "freshrss";
|
metadata.labels.app = "freshrss";
|
||||||
|
|
|
@ -20,8 +20,8 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
secrets.hedgedoc.stringData = {
|
secrets.hedgedoc.stringData = {
|
||||||
databaseURL = "ref+file:///home/pim/.config/home/vals.yaml#/hedgedoc/databaseURL";
|
databaseURL = "ref+sops://secrets/sops.yaml#/hedgedoc/databaseURL";
|
||||||
sessionSecret = "ref+file:///home/pim/.config/home/vals.yaml#/hedgedoc/sessionSecret";
|
sessionSecret = "ref+sops://secrets/sops.yaml#/hedgedoc/sessionSecret";
|
||||||
};
|
};
|
||||||
|
|
||||||
deployments.hedgedoc = {
|
deployments.hedgedoc = {
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
BACK_URL = "kitchenowl-backend.default.svc.cluster.local:5000";
|
BACK_URL = "kitchenowl-backend.default.svc.cluster.local:5000";
|
||||||
};
|
};
|
||||||
|
|
||||||
secrets.kitchenowl.stringData.jwtSecretKey = "ref+file:///home/pim/.config/home/vals.yaml#/kitchenowl/jwtSecretKey";
|
secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/sops.yaml#/kitchenowl/jwtSecretKey";
|
||||||
|
|
||||||
deployments = {
|
deployments = {
|
||||||
# TODO: this is quite a lot of boilerplate to create these deployments
|
# TODO: this is quite a lot of boilerplate to create these deployments
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
POSTGRES_HOST = "lewis.dmz";
|
POSTGRES_HOST = "lewis.dmz";
|
||||||
};
|
};
|
||||||
|
|
||||||
secrets.nextcloud.stringData.databasePassword = "ref+file:///home/pim/.config/home/vals.yaml#/nextcloud/databasePassword";
|
secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword";
|
||||||
|
|
||||||
deployments.nextcloud = {
|
deployments.nextcloud = {
|
||||||
metadata.labels.app = "nextcloud";
|
metadata.labels.app = "nextcloud";
|
||||||
|
|
|
@ -17,8 +17,8 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
secrets.paperless-ngx.stringData = {
|
secrets.paperless-ngx.stringData = {
|
||||||
databasePassword = "ref+file:///home/pim/.config/home/vals.yaml#/paperless-ngx/databasePassword";
|
databasePassword = "ref+sops://secrets/sops.yaml#/paperless-ngx/databasePassword";
|
||||||
secretKey = "ref+file:///home/pim/.config/home/vals.yaml#/paperless-ngx/secretKey";
|
secretKey = "ref+sops://secrets/sops.yaml#/paperless-ngx/secretKey";
|
||||||
};
|
};
|
||||||
|
|
||||||
deployments = {
|
deployments = {
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
PIHOLE_DNS_ = "192.168.30.1";
|
PIHOLE_DNS_ = "192.168.30.1";
|
||||||
};
|
};
|
||||||
|
|
||||||
secrets.pihole.stringData.webPassword = "ref+file:///home/pim/.config/home/vals.yaml#/pihole/password";
|
secrets.pihole.stringData.webPassword = "ref+sops://secrets/sops.yaml#/pihole/password";
|
||||||
|
|
||||||
deployments.pihole = {
|
deployments.pihole = {
|
||||||
metadata.labels.app = "pihole";
|
metadata.labels.app = "pihole";
|
||||||
|
|
37
secrets/sops.yaml
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
freshrss:
|
||||||
|
password: ENC[AES256_GCM,data:o1TcbxuSULbatxbBSBt7VZKpT8SlRKfF2UQSnj7eo0nVhgWnXPcJlQ==,iv:qd/asB7gVpLijV3E89Vy7WNG9b531/Tn57uf0mgTMZA=,tag:eQ69xVcYBA931e2bxMp1fA==,type:str]
|
||||||
|
pihole:
|
||||||
|
password: ENC[AES256_GCM,data:RkKI/R+mdN0vJRMVKjBJF4y5PKj2J2keg0CsjCiXgZPvFl6jnPqTnQ==,iv:5waAzXb42SHEKAHmEVoIBCkhIJDCunrvaUNg4YI+1xw=,tag:FjGeyZ5G5Cp0imoIbkoBVw==,type:str]
|
||||||
|
hedgedoc:
|
||||||
|
databaseURL: ENC[AES256_GCM,data:8VS1+EWCWAA3uQ8MVloSD57o3QKPmhvww8utnE2JJGDFMKb6irCNVwkwjRxr8fSnV+wjUvTONfAv+Wm/VBI2PfYgyaSgQD66BdjnQDicTPR9UHqB,iv:d2VHutdOkeyM1Sqwn3khHPOdZkV43RyDb0jQQUe5AxE=,tag:L3EFLzFW6KJNuWqK8IZ3yw==,type:str]
|
||||||
|
sessionSecret: ENC[AES256_GCM,data:Qq2FzcIXWbf7FWm0/K1yMl8tmVdNtv3+DGVST3NM2t9N3IJ+Vbz2PKRy3UX2oPJGthIoXChAaWTNU7WGV2zEBA==,iv:aQvXrbUX3ZCpY2OkFDpbl2XHwCDwLwXjiV2Ny4bjoyE=,tag:wPmROgRmWcvilj/W0RANVQ==,type:str]
|
||||||
|
nextcloud:
|
||||||
|
databasePassword: ENC[AES256_GCM,data:9mkwB4uKUlt1E20n7Wxr9PnKc1bxkYVO5Ph/dFfcuGA=,iv:U3IUz+7izoaeQi03xghDM1dZK01ICi3+r6r3mvNh8u0=,tag:aGKQyzZX210SNTRlvoHUig==,type:str]
|
||||||
|
paperless-ngx:
|
||||||
|
databasePassword: ENC[AES256_GCM,data:tQcxQbp5WT3AmR6qqdSmfeIGu40=,iv:xSq5kXp8RqOUXR9kK3hr38YjATWoAxmKqPO59B1sdlg=,tag:pft3KrmLgIbSebAY2DBtPQ==,type:str]
|
||||||
|
secretKey: ENC[AES256_GCM,data:Ue409vICe/ULoEM15mh9hOdIFl4=,iv:QU3NmPknqeNxUqJi44mGVtL0yiyNOu9pVW08jHYuVec=,tag:zjUO2s4BoMMJrEttq7Cd/w==,type:str]
|
||||||
|
kitchenowl:
|
||||||
|
jwtSecretKey: ENC[AES256_GCM,data:XAfrvGbfVA1AZJyT0Nq0V0Om+1U=,iv:3kuWHfx5/Wk08z4/rou49s1wSxzisZUP0HLefYk9vXs=,tag:kormdXTJ7u5ar4+VY/IfvQ==,type:str]
|
||||||
|
forgejo:
|
||||||
|
lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str]
|
||||||
|
internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsM0xTM1pFNDMwYW1FSDRB
|
||||||
|
SGk3dXl6RzVPVXF5N2NYSWxYVXpTYm1UUUZNCkkwOEJZbnVTanRRSXFWWXpJQ0lK
|
||||||
|
T0Z6QnMyZUl1WGEwaEsrbitUUFNoa2MKLS0tIHArQkIrRWlWcU9yUFVaa3pJMDlo
|
||||||
|
dVBPbkRib1M1cmVKZzl4TWpoSml2WDQK45jJDXpPXIBoaANhjZSWYVZ8mI51LAin
|
||||||
|
EqgBj7VKY+CQbw1gMd1Fdh8iDYraowwcLyd/ZhZ/M0kIdkCc5E1a5g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-04-14T12:05:53Z"
|
||||||
|
mac: ENC[AES256_GCM,data:T4Uvkt28ACuLZv7FkJt9Nlhes1fVxasOnGgXpdhvMyf8DS4SFHBUQ0o6UsDcmjHixs/GFEkHNLa22V1PomNlPbpZ+ysNeYN0M/q8fguhpINMoJQlXQ6HXTEy7JQ9IBRfx010/1imjiNJ8QXkTYnDqDKk9sMhpJxubX8rBnGccJ4=,iv:rACUx2Nn8R8KgTF+OSP9MaW7yfNH8fOhlEEAynsdHsE=,tag:K2+iK/i0mDt7eNJlcE96NA==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
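Review bot: `unencrypted_suffix: _unencrypted` near the end of the file means any key added later whose name ends in `_unencrypted` is stored in plaintext, which is easy to trip over when naming a new entry; a one-line note next to the secret references (or in the repository README) saying `# keys ending in _unencrypted are NOT encrypted by sops` would prevent that. The file carries `mac` and `lastmodified`, so it must only be edited through `sops secrets/sops.yaml`; a hand edit of a value invalidates the MAC and decryption then fails. The previous source, `/home/pim/.config/home/vals.yaml`, held these values in plaintext, and if they were copied over unchanged that file should be removed (or the secrets rotated) now that this file is the source of truth.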