use sops to encrypt vals secrets

Pim Kunis 2024-04-14 14:48:27 +02:00
parent 6e608e6ca8
commit db0303f4d8
9 changed files with 49 additions and 11 deletions

2
.sops.yaml Normal file

@ -0,0 +1,2 @@
creation_rules:
- age: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
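Review bot: The single creation rule lists one age recipient and no `path_regex`, so every file sops encrypts in this repository is readable by exactly one private key and by nothing else. If that key is lost, everything under secrets/sops.yaml is unrecoverable, and rotating it means re-encrypting every file it protects; a second recipient on the same rule, e.g. `- age: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw,<BACKUP_AGE_RECIPIENT>`, with the backup key kept offline, removes that single point of failure. Adding `path_regex: secrets/.*\.yaml$` above it would also make the rule's scope explicit instead of matching any path in the repo.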


@ -29,7 +29,7 @@
SSH_PORT = 56287
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/lfsJwtSecret
LFS_JWT_SECRET = ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret
OFFLINE_MODE = false
[database]
@ -72,7 +72,7 @@
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/internalToken
INTERNAL_TOKEN = ref+sops://secrets/sops.yaml#/forgejo/internalToken
PASSWORD_HASH_ALGO = pbkdf2
[service]
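Review bot: The new `LFS_JWT_SECRET = ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret` uses a relative path where the `ref+file:///home/pim/...` it replaces was absolute; vals presumably resolves `secrets/sops.yaml` against the working directory of whatever process renders this config, so a render started from anywhere but the repository root would fail to find the file. Either use an absolute `ref+sops:///...` path or document that the render step must run from the repo root. The same applies to the INTERNAL_TOKEN hunk just above and to the freshrss, hedgedoc, kitchenowl, nextcloud, paperless-ngx and pihole sections below. This section's file name is not shown on the page; from the keys it appears to be a Forgejo app.ini, and both hunks sit inside larger INI sections that continue outside them.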


@ -7,8 +7,7 @@
PUBLISHED_PORT = "443";
};
# TODO: encrypt this with sops and commit to git repo.
secrets.freshrss.stringData.adminPassword = "ref+file:///home/pim/.config/home/vals.yaml#/freshrss/password";
secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/sops.yaml#/freshrss/password";
deployments.freshrss = {
metadata.labels.app = "freshrss";


@ -20,8 +20,8 @@
};
secrets.hedgedoc.stringData = {
databaseURL = "ref+file:///home/pim/.config/home/vals.yaml#/hedgedoc/databaseURL";
sessionSecret = "ref+file:///home/pim/.config/home/vals.yaml#/hedgedoc/sessionSecret";
databaseURL = "ref+sops://secrets/sops.yaml#/hedgedoc/databaseURL";
sessionSecret = "ref+sops://secrets/sops.yaml#/hedgedoc/sessionSecret";
};
deployments.hedgedoc = {


@ -4,7 +4,7 @@
BACK_URL = "kitchenowl-backend.default.svc.cluster.local:5000";
};
secrets.kitchenowl.stringData.jwtSecretKey = "ref+file:///home/pim/.config/home/vals.yaml#/kitchenowl/jwtSecretKey";
secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/sops.yaml#/kitchenowl/jwtSecretKey";
deployments = {
# TODO: this is quite a lot of boilerplate to create these deployments


@ -6,7 +6,7 @@
POSTGRES_HOST = "lewis.dmz";
};
secrets.nextcloud.stringData.databasePassword = "ref+file:///home/pim/.config/home/vals.yaml#/nextcloud/databasePassword";
secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword";
deployments.nextcloud = {
metadata.labels.app = "nextcloud";


@ -17,8 +17,8 @@
};
secrets.paperless-ngx.stringData = {
databasePassword = "ref+file:///home/pim/.config/home/vals.yaml#/paperless-ngx/databasePassword";
secretKey = "ref+file:///home/pim/.config/home/vals.yaml#/paperless-ngx/secretKey";
databasePassword = "ref+sops://secrets/sops.yaml#/paperless-ngx/databasePassword";
secretKey = "ref+sops://secrets/sops.yaml#/paperless-ngx/secretKey";
};
deployments = {


@ -5,7 +5,7 @@
PIHOLE_DNS_ = "192.168.30.1";
};
secrets.pihole.stringData.webPassword = "ref+file:///home/pim/.config/home/vals.yaml#/pihole/password";
secrets.pihole.stringData.webPassword = "ref+sops://secrets/sops.yaml#/pihole/password";
deployments.pihole = {
metadata.labels.app = "pihole";

37
secrets/sops.yaml Normal file

@ -0,0 +1,37 @@
freshrss:
password: ENC[AES256_GCM,data:o1TcbxuSULbatxbBSBt7VZKpT8SlRKfF2UQSnj7eo0nVhgWnXPcJlQ==,iv:qd/asB7gVpLijV3E89Vy7WNG9b531/Tn57uf0mgTMZA=,tag:eQ69xVcYBA931e2bxMp1fA==,type:str]
pihole:
password: ENC[AES256_GCM,data:RkKI/R+mdN0vJRMVKjBJF4y5PKj2J2keg0CsjCiXgZPvFl6jnPqTnQ==,iv:5waAzXb42SHEKAHmEVoIBCkhIJDCunrvaUNg4YI+1xw=,tag:FjGeyZ5G5Cp0imoIbkoBVw==,type:str]
hedgedoc:
databaseURL: ENC[AES256_GCM,data:8VS1+EWCWAA3uQ8MVloSD57o3QKPmhvww8utnE2JJGDFMKb6irCNVwkwjRxr8fSnV+wjUvTONfAv+Wm/VBI2PfYgyaSgQD66BdjnQDicTPR9UHqB,iv:d2VHutdOkeyM1Sqwn3khHPOdZkV43RyDb0jQQUe5AxE=,tag:L3EFLzFW6KJNuWqK8IZ3yw==,type:str]
sessionSecret: ENC[AES256_GCM,data:Qq2FzcIXWbf7FWm0/K1yMl8tmVdNtv3+DGVST3NM2t9N3IJ+Vbz2PKRy3UX2oPJGthIoXChAaWTNU7WGV2zEBA==,iv:aQvXrbUX3ZCpY2OkFDpbl2XHwCDwLwXjiV2Ny4bjoyE=,tag:wPmROgRmWcvilj/W0RANVQ==,type:str]
nextcloud:
databasePassword: ENC[AES256_GCM,data:9mkwB4uKUlt1E20n7Wxr9PnKc1bxkYVO5Ph/dFfcuGA=,iv:U3IUz+7izoaeQi03xghDM1dZK01ICi3+r6r3mvNh8u0=,tag:aGKQyzZX210SNTRlvoHUig==,type:str]
paperless-ngx:
databasePassword: ENC[AES256_GCM,data:tQcxQbp5WT3AmR6qqdSmfeIGu40=,iv:xSq5kXp8RqOUXR9kK3hr38YjATWoAxmKqPO59B1sdlg=,tag:pft3KrmLgIbSebAY2DBtPQ==,type:str]
secretKey: ENC[AES256_GCM,data:Ue409vICe/ULoEM15mh9hOdIFl4=,iv:QU3NmPknqeNxUqJi44mGVtL0yiyNOu9pVW08jHYuVec=,tag:zjUO2s4BoMMJrEttq7Cd/w==,type:str]
kitchenowl:
jwtSecretKey: ENC[AES256_GCM,data:XAfrvGbfVA1AZJyT0Nq0V0Om+1U=,iv:3kuWHfx5/Wk08z4/rou49s1wSxzisZUP0HLefYk9vXs=,tag:kormdXTJ7u5ar4+VY/IfvQ==,type:str]
forgejo:
lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str]
internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsM0xTM1pFNDMwYW1FSDRB
SGk3dXl6RzVPVXF5N2NYSWxYVXpTYm1UUUZNCkkwOEJZbnVTanRRSXFWWXpJQ0lK
T0Z6QnMyZUl1WGEwaEsrbitUUFNoa2MKLS0tIHArQkIrRWlWcU9yUFVaa3pJMDlo
dVBPbkRib1M1cmVKZzl4TWpoSml2WDQK45jJDXpPXIBoaANhjZSWYVZ8mI51LAin
EqgBj7VKY+CQbw1gMd1Fdh8iDYraowwcLyd/ZhZ/M0kIdkCc5E1a5g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-14T12:05:53Z"
mac: ENC[AES256_GCM,data:T4Uvkt28ACuLZv7FkJt9Nlhes1fVxasOnGgXpdhvMyf8DS4SFHBUQ0o6UsDcmjHixs/GFEkHNLa22V1PomNlPbpZ+ysNeYN0M/q8fguhpINMoJQlXQ6HXTEy7JQ9IBRfx010/1imjiNJ8QXkTYnDqDKk9sMhpJxubX8rBnGccJ4=,iv:rACUx2Nn8R8KgTF+OSP9MaW7yfNH8fOhlEEAynsdHsE=,tag:K2+iK/i0mDt7eNJlcE96NA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1