pim/nixos-configs
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Split sops keys into root and normal user

Browse source 
Deploy sops keys using Colmena
This commit is contained in:
Pim Kunis 2024-11-17 22:31:57 +01:00
parent 85b41d6722
commit 46a99bf13d
6 changed files with 56 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
.sops.yaml
View file

@ -1,8 +1,15 @@
# Public keys are combination of host + user
keys: keys:
- &admin_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw - &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
- &sue_root age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
creation_rules: creation_rules:
- path_regex: machines/sue/.*\.sops\.yaml - path_regex: machines/sue/nixos.sops.yaml
key_groups: key_groups:
- age: - age:
- *admin_pim - *sue_root
- path_regex: machines/sue/home.sops.yaml
key_groups:
- age:
- *sue_pim
- *sue_root

16
colmena.nix
View file

@ -18,6 +18,22 @@ inputs @ {
deployment = { deployment = {
allowLocalDeployment = true; allowLocalDeployment = true;
targetHost = null; targetHost = null;
keys = {
root-sops-age-key = {
keyCommand = ["sudo" "nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/nixos.sops.yaml"];
name = "keys.txt";
destDir = "/root/.config/sops/age";
};
pim-sops-age-key = {
keyCommand = ["sudo" "nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/home.sops.yaml"];
name = "keys.txt";
destDir = "/home/pim/.config/sops/age";
user = "pim";
group = "users";
};
};
}; };
imports = [ imports = [

2
machines/sue/default.nix
View file

@ -15,7 +15,7 @@
networking.hostName = "sue"; networking.hostName = "sue";
sops = { sops = {
age.keyFile = "/home/pim/.config/sops/age/keys.txt"; age.keyFile = "/root/.config/sops/age/keys.txt";
defaultSopsFile = ./nixos.sops.yaml; defaultSopsFile = ./nixos.sops.yaml;
}; };

26
machines/sue/home.sops.yaml
View file

File diff suppressed because one or more lines are too long

19
machines/sue/nixos.sops.yaml
View file

@ -1,3 +1,4 @@
sops_age_key: ENC[AES256_GCM,data:3PebFyNHLlycKPN0L/MAL5NpKWqUiEFxivqnPtuavnET13NEEgPvyD9ZyuSYlQRefgKNHuKaAgaMNULOyL+mWF+AV+YYiVyrp14=,iv:gvxb6BK+i270b4Pr/dwRpwno+vqVplyyWdxEQIEVjmc=,tag:5LJ609yQOBkLCCwluI3AUg==,type:str]
wireguard: wireguard:
home: home:
presharedKey: ENC[AES256_GCM,data:TXCvGNW0iU74TnC2tlYBGhGfiuQmscVq6EPRr8dcRVI23au7nm2xQU5Ubfo=,iv:drGxozD/d0kqxJckJNKo0U7trgjAOMpztCqCxX+IJx8=,tag:liDTEqzrN48UslLMSgn6iQ==,type:str] presharedKey: ENC[AES256_GCM,data:TXCvGNW0iU74TnC2tlYBGhGfiuQmscVq6EPRr8dcRVI23au7nm2xQU5Ubfo=,iv:drGxozD/d0kqxJckJNKo0U7trgjAOMpztCqCxX+IJx8=,tag:liDTEqzrN48UslLMSgn6iQ==,type:str]
@ -8,17 +9,17 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZG5oSDZCdjBPalBOTDVU YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bDRqNDNqYnRDZno2QnFo
aDJVaC9lSE9jZ2M3aEVaZTd0YXh3azBQTkdrCjc2QWFUN2U2ZFdRc1VSMXhwRTRu MjlvNWpZNjhabDBFV2VJSGFCaWlvd21Ybmc4ClhOS3VRQ1VySFJYZWZ5ZHV4RUFs
N2VpY0haNElXVmhzVUhoZFNnNXYvc1kKLS0tIFRHRlJzS0J5b1J4a1dTSERmc2hy NVo4WlFrai9CTi9uTWJGUExKWnpGN2cKLS0tIFc0UStVRGpHR3hsQUR3elFIK3Nu
NGxjNVpvQnU1WVoyQ2xDeE16b2JuWEEKiVqccRZfhp1mQ3ecnogxrIkC6EZq4kUG ekZEZEZVTzJJYXRIT2k0OVJmZUhzN1EKVK307/rhSMQA89hHUD0MH/vhzKnmWF7K
kLJbBFwf1FkWZQgFq9tKNBf0vykjF0qnSDXn1xpIqht3B9Vtnggjvw== QoTpJ20WxzLfNuGqqv9IpdRTKOrxCDbj3MUEv6d6k+X4sSEaOGVQ1A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-17T18:33:25Z" lastmodified: "2024-11-17T21:25:05Z"
mac: ENC[AES256_GCM,data:korXgi1xEdCr18DQNFF5XwuFum3GinSLH+L5Mhhy1PHzGJ4S8WuutRONnbX4tw2p16XH/KPszA3u+ypo3IthEEJu8KrmlHhUrZiA2scWpNL3CEaDuNJ6CN9feLgS0FExYxWWQ7qLorTH1JuzRhg0aW3cKoTW32FscrAku/ni3pw=,iv:MskH0LE+xHCNYRvOiBVW173ePQsg22Fm/XUwS7Jzxwk=,tag:MVcDcUVVUtsIKbROWnboGg==,type:str] mac: ENC[AES256_GCM,data:qgPbH0i6difL063Nmy9EIAdkv9mq/ztGk8S8OAahDTddoUbJkC3EQUgS6lsd3KHbFBGopn1yMpuWkkOgNFc7nGy4QP0Mm8DpRaawA4vq5+QOh91CRTvQDujDw4EXEHqa27iR5dnbscU5zYMmta4Dl5FnK3ujraifdp67H1RCH0I=,iv:IZvXt93K54xshv5YcXur5MeDGPq+ROTxuFSC/B7eheM=,tag:ZFhh/yMfEMFqlerQNvMhCg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.9.1

1
nixos/default.nix
View file

@ -86,6 +86,7 @@
yq yq
ncdu ncdu
lshw lshw
sops
]; ];
}; };