Create helper option for deploying sops keys

Update public key of sue-root because I lost the private key
2024-11-21 22:27:29 +01:00 · 2024-11-21 22:27:29 +01:00 · 0812586942
commit 0812586942
parent 544cf42357
8 changed files with 102 additions and 107 deletions
--- a/machines/sue/configuration.nix
+++ b/machines/sue/configuration.nix
@ -1,11 +1,4 @@
-{
-  self,
-  pkgs,
-  lib,
-  ...
-}: let
-  sops = lib.getExe pkgs.sops;
-in {
+{pkgs, ...}: {
  config = {
    pim = {
      lanzaboote.enable = true;
@ -14,6 +7,14 @@ in {
      stylix.enable = true;
      wireguard.enable = true;
      compliance.enable = true;
+
+      sopsKeys = {
+        # This is the root of our secret system.
+        # Don't deploy this though; if it fails,
+        # the key will be wiped.
+        # root = ./nixos.sops.yaml;
+        pim = ./pim.sops.yaml;
+      };
    };

    users.users.pim = {
@ -25,23 +26,6 @@ in {
      allowLocalDeployment = true;
      targetHost = null;
      tags = ["desktop"];
-
-      keys = {
-        # TODO: Create macro for this
-        root-sops-age-key = {
-          keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/nixos.sops.yaml"];
-          name = "keys.txt";
-          destDir = "/root/.config/sops/age";
-        };
-
-        pim-sops-age-key = {
-          keyCommand = [sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/pim.sops.yaml"];
-          name = "keys.txt";
-          destDir = "/home/pim/.config/sops/age";
-          user = "pim";
-          group = "users";
-        };
-      };
    };

    services.tailscale.enable = true;
--- a/machines/sue/nixos.sops.yaml
+++ b/machines/sue/nixos.sops.yaml
@ -1,25 +1,25 @@
-sops_age_key: ENC[AES256_GCM,data:3PebFyNHLlycKPN0L/MAL5NpKWqUiEFxivqnPtuavnET13NEEgPvyD9ZyuSYlQRefgKNHuKaAgaMNULOyL+mWF+AV+YYiVyrp14=,iv:gvxb6BK+i270b4Pr/dwRpwno+vqVplyyWdxEQIEVjmc=,tag:5LJ609yQOBkLCCwluI3AUg==,type:str]
+sops_age_key: ENC[AES256_GCM,data:xKGTAF5cVgysZPbcDgs0QF92Bw6wW78n9fm2RMdeLtywn0ga4qBO8YlrIQWCc2SfFQOTZUlz0e7QWsnbZpxN4p03XF1zusU0ceM=,iv:cDjqDYR3PKx3AbLQL5QbeFK26+Cnsk2m74mHPHIozNs=,tag:C2MzZLR2cQY/gHQNTId8UA==,type:str]
 wireguard:
    home:
-        presharedKey: ENC[AES256_GCM,data:TXCvGNW0iU74TnC2tlYBGhGfiuQmscVq6EPRr8dcRVI23au7nm2xQU5Ubfo=,iv:drGxozD/d0kqxJckJNKo0U7trgjAOMpztCqCxX+IJx8=,tag:liDTEqzrN48UslLMSgn6iQ==,type:str]
-        privateKey: ENC[AES256_GCM,data:YQZvCfXR3Gc21SDFmypBonTaVZztJm9RtO/Aaiy51PV5BfPg4Rgw5+bCuGg=,iv:K6hMqcgmhJPOfT/DGWpDb+5n2CB2nblZrIKxfRZGRek=,tag:UNsrY+WzSnh2Mh6GlY7p0A==,type:str]
+        presharedKey: ENC[AES256_GCM,data:nFOqWcdo8zG83v1ceod8Uy4wX3w2LHmDPp2PaAAJ/lUexU4DhY9RZ4wtgC8=,iv:UvzQSZZ62I+QVFHMkHczC2KPeqX8z+DodS7nxLmXr4U=,tag:otwdNc2636DJdkzg22puqQ==,type:str]
+        privateKey: ENC[AES256_GCM,data:RCQ3hvrnxCerTmKYfZFV7c9smMj5tbP+iFWouo1oxfhbec5K3uXipkL+KSg=,iv:zKSPvtDH3WcuxVpQydGScX6m0isZzLKk/F+/Wlpt/YQ=,tag:BDag2DSoHQDzg8xTS3SX3A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
-        - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bDRqNDNqYnRDZno2QnFo
-            MjlvNWpZNjhabDBFV2VJSGFCaWlvd21Ybmc4ClhOS3VRQ1VySFJYZWZ5ZHV4RUFs
-            NVo4WlFrai9CTi9uTWJGUExKWnpGN2cKLS0tIFc0UStVRGpHR3hsQUR3elFIK3Nu
-            ekZEZEZVTzJJYXRIT2k0OVJmZUhzN1EKVK307/rhSMQA89hHUD0MH/vhzKnmWF7K
-            QoTpJ20WxzLfNuGqqv9IpdRTKOrxCDbj3MUEv6d6k+X4sSEaOGVQ1A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWEc5K3p3QytpZ1pxeEJy
+            TUtENXdnT3ZJUGNXaHo0ZktwK21OMVJmNzA4CjdlMUtWY2hBc3U1UVZQZEllK2xC
+            NGZSK2VyQVdBRmZYejBWM0FIeFE5K2MKLS0tIEQ3MHhOcW92dlo4NUdBdFlKdEM0
+            N1Rab3RNZ00vd0xPOVBYRHphaldWU1EKNKnKPWO1l8NwWXG2e15Y3td9I0rN9Wwn
+            QdoeVf2+cPJOO5g9stZpl2DBF3QxJojt+dQhwjuEbP9nQtlVQPAlMQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-17T21:25:05Z"
-    mac: ENC[AES256_GCM,data:qgPbH0i6difL063Nmy9EIAdkv9mq/ztGk8S8OAahDTddoUbJkC3EQUgS6lsd3KHbFBGopn1yMpuWkkOgNFc7nGy4QP0Mm8DpRaawA4vq5+QOh91CRTvQDujDw4EXEHqa27iR5dnbscU5zYMmta4Dl5FnK3ujraifdp67H1RCH0I=,iv:IZvXt93K54xshv5YcXur5MeDGPq+ROTxuFSC/B7eheM=,tag:ZFhh/yMfEMFqlerQNvMhCg==,type:str]
+    lastmodified: "2024-11-21T21:16:17Z"
+    mac: ENC[AES256_GCM,data:Z2mYTek91FLKgMpAFdRl8s2eE6r/03f9/E/XDvkwJZutI40qN6tFrDmhdPIb1U96oPGekcK9WkShIQekQIK6CiDhOAr048x2kSXvrHMZ1hg1hwO7H6jBJiFSRxM1BVBAlbcvZp5IW7e3CqfibVOgXOQvMl0CDS41ucQWV7odO6Y=,iv:7rb/VemE+cFhJ+8XUeLyp+K7FmY0XdAbgs6XWHLrV7M=,tag:vmPRTB9+EYjPLgX4qiFlXw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.8.1
--- a/machines/sue/pim.sops.yaml
+++ b/machines/sue/pim.sops.yaml
@ -12,20 +12,20 @@ sops:
        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTENnd2J2VXFoeHhWZE5Q
-            MEU2Mi9hM1p3SWpRbzZNY2Zja2tFN0ZVTkVRCnVIckx3Qlo5c3M0alJPVjZaa1Y3
-            RW5mamV6bmdIZ2pJZzB5KzBLTGtuUlEKLS0tIFFtT2JmZDI5V0RsL0ZxenlpWGlr
-            dmdiRmlxMWdmTmZUUTM1alRrMGdzYTAKbViJnEFIO3dpHYWyJxqXRkWqqpDCKV/L
-            jwNbatnwksT2RW6ecHUF6R/kL7YQJ5Vv3iTdCHfpcW7qRQvl0ZJEzQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSDNyUW9aSmVIcWdnSWFw
+            cWdwekVzQkdjcTVRVGRzWVpHT00vZHFjRVY4Ck1OREhEN3FMQXdrQ0pjUXR3ZllY
+            ekhpQVJCbnZCVUNBeGVscEZPTFFqQTQKLS0tIFVVaTdOa2dxbHVGSzUyblpneXd0
+            MUd4RGczTkIwRVZ6WVRQVFJSQ250SnMKhCjTAatvqkVBNcAE5lBERReKkFqlOfEG
+            UHzOOM+gJ6khu3Pe2+PAZbLMxkm4a+ZHruPRIl4qxzDSwQmlih1P3Q==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
+        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MTlnM2VyeDhPR0lkUGtB
-            d0hJSHdEYUptTjBySUhUYUpVOU00QWh5ams0CkJrYWRNMFZDRkZZUGFWbnlFcXdH
-            dzhwZGdNU1BYWnJLUFpodzBWcHJZV1UKLS0tICtiUVVqY0loQlpTYjUzRk5YR2Vo
-            RkVRSHQ2cVJRdWNpZzZCd2laL1R2NjgKhaY90NYGLTuYs4hJs1so24WFvFhquD4V
-            KwVKoyFdni0jWOaULvA0+xausV2Hx4C1xk7b4SsuT3YkDZdOT41gHA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UzgycnJEMTcrYXcxSXMy
+            VnViVFZSbVZVNnN0V3AwVXBtRW1CT2hvTDBNCkQ1MUtPRmYvWmtTRVBiWGtaMWxM
+            TTN3U3ZFMDRJZmtvQW5ONmsyNTlSWjgKLS0tIG1RRWI1aGpYR1hTUEd0K0JtYk5Z
+            TFdneXZpaVZKdUsrWnludHpCQW9Mc2cKElhSussywXB3XAEN5cE6QVqXpQsebMqF
+            t4CmpKyxzi+JSX1S5Jy2RgHCSHafW4WFeQTt9qseBKQOQPVdwGWVhQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-17T21:12:25Z"
    mac: ENC[AES256_GCM,data:m9TJL1G7D0l5f6ZIC6NfKvRDuHY1l0cp9hFbsFy9f2f/ixCRM2JFuAZ4muL6eyvZqAiGgB76u26hFU+yO/E3vtnAYSrLCk1JaRe3rajZIpu+Dwe4zht7ysJ/NeybWB7KzetS8BijDjp8YDHDcX35xwT8ScWBVqj/hjxls4JRe/c=,iv:Z3tRizJNpVHyErL2iFo6ALGO97IarZPiKzyBDPm7sQA=,tag:1sH+wHJoAHfsIju+OWMTHQ==,type:str]