Reorganize some sops stuff
This commit is contained in:
parent
a29d10e507
commit
6291f8d438
14 changed files with 152 additions and 195 deletions
|
|
@ -6,10 +6,7 @@
|
|||
config = {
|
||||
pim = {
|
||||
cinnamon.enable = true;
|
||||
sopsKeys = {
|
||||
root = ./nixos.sops.yaml;
|
||||
pim = ./pim.sops.yaml;
|
||||
};
|
||||
sops-nix.usersWithSopsKeys = ["root" "pim"];
|
||||
};
|
||||
|
||||
facter.reportPath = ./facter.json;
|
||||
|
|
|
|||
|
|
@ -1,39 +0,0 @@
|
|||
sops_age_key: ENC[AES256_GCM,data:v0/grOgffNcl1IbfdHr7uzbwvIL1CpfvSSFnuQS1ZEkuuE2Bfbvl8G0i6dHQSnFBtNJXkgAajCdapUlRcaX60EuXToKB14nHP1A=,iv:ZruuYlZJszgmztMXqya7InCLlyihS59QJCoSk685q34=,tag:bN3NZsWeg12GfUTjubb4Ug==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMkRLNHNYTm55TjA4YWhF
|
||||
SENVSlVVYWRQUVZNU29iWmk4dVgvSHk3Z1RNClFqcTlUcTlqNjZrMFdUTGQyU2hO
|
||||
ZktIWXh5VVVsR3d2dUhDQ296RXBJSGsKLS0tIGtWQ1Jwd3U5VmxyMjExMXlQVVZ4
|
||||
aTNmRFhEaE9nbGduK2tLallTcFBSWVEKMhULgc6jkA+qJ9LrYtxcUO2k78L4LxHl
|
||||
7Okpr5UJlTVn96swt/aFEEfA1gnzGgPWU6Oir5uETBiqTVVytW16wQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbHp6WkhjdDRkeWpTeTBN
|
||||
ejRXMUwrSkFTTUlGMC9LNTRwemcxWXVzN1FBCkZlazlBbVM4RlJuTUtZQ1hoWkd3
|
||||
SUs5RS9Ba2k2cjhsOGkxaUt5TzF5cjQKLS0tIHFRcWFIL1EvcURURmR3a2FSSjRW
|
||||
OUpUcFJ1N003OUJlMDJha09nQ1l0OWsKuxMX8dZbn75yUs5E5/hu+LjHRslcUldL
|
||||
YmQl7phWnWMfgwphERpOhdMn2pczVGygriG7c0LOe6SiEiXxnUHiWw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArc1pmV1cwTmt1RnFBb1VO
|
||||
Yzd4OHNwbVBORHU1ZVRpVFpsMHlYM3BSaVhnCm5vbURWZ1kzbVZIdE9FY01Qc2tI
|
||||
cVFtQTY4WnpNOEI2T1BTYkp4OWQydm8KLS0tIFE0eXpJMWxCMC9yOGNRdGNKUmll
|
||||
S3I4UmRYZzRBUk5jcGtoUzFjcWdGeEEKGYB4kTpjNaAZWuu/wnBNYcSFwFEtX+pu
|
||||
zzt9Nd2ahPnTMdcSLz/mwOHxyiAgBDUGsNm60EitKxl+LgmR7mBjnw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-17T21:42:29Z"
|
||||
mac: ENC[AES256_GCM,data:dFwV6VpyoXRkhfL+uSiiH2EcetAb0qV3AbED2XzNwvbE+TbItcoQ6JQ/2+lItZ4iULxGOxMvD8n0ZO/aASC8fDlqsNMwf2KmNFwjl4sVJBtTLKH4Z1/5rZmECwdiTMKOf/oTv3VNgbzkcrAuKEZywl+c4iXd5w4YaJgA0M6aSWI=,iv:Zxvr8vBcDZavSbAL8Ar+Du546H1Dhp/ZXRtsjcik2RE=,tag:Od08FmjlhNYPEpMC4rQR8A==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
sops_age_key: ENC[AES256_GCM,data:acf7kA1ceRLqw0TYPFzkNAMLz0TbNTFBN8MtsYX2y0+xuyFX0oJzIZAMTP7fjVBEcuPE55ewoXjXpP18iDwRUDT4f9Y1dorQD/g=,iv:vx4Inly+Vg8pENlBvijTv2hgTJTFLAfp+f4Nn2leO3A=,tag:i+KXl1V4OxqDnjK62ijBbQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWlpYcTV2TEw3TmwyaHhZ
|
||||
M3hJY3VOT2NwaVZUU1cvNnRHVnhOZFRCd1cwCi8zM09icUZEUlIwTy9jVE9Takhr
|
||||
T1ZuWWtkOHBGVGpHeU1VdXpvV2RRSE0KLS0tIDNyL24vWmZhRzBBRW5iMW1tSXhs
|
||||
ZDhDVTcyVzk1bzVOcjJ1aDlOWEt4RzAKCuuSJ/aLZldfysSFhmUNNZULcSiBrNe9
|
||||
hTRra+FLCbNqsNt2iuImkOQwINqdlUIaC36TtXUucV3C2SyDdLo1rA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZXkyN1FxMzFiSzlVYjV4
|
||||
U0E0TWNkb3VFMjJZYUdxM0QzZmg1cUxuMWxVCnFZNkM0SmFDRFE4aHJuQnNzOHNW
|
||||
ZVc2MTBMWENYeFpYT3dPZERiMHpRUVEKLS0tIHhFL0JjdURYcldTbVNUYkNKN3VR
|
||||
aUQ2ckVrb3k0L2hnSUdTb3ZzeE54SkEKzh55hsegd28yvwI93xQUYCFBHz7LFQ60
|
||||
mrkrWHDBjzxH0VnKT/59YFI1QitLgxI2db6PGQl5i5LYzeBVzG58LQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUTR2enVtK3hEcExSL0lL
|
||||
VWVHQ290WTB1cmlWbFB4TTRQaVdPRjQ2bGlRClNWeWtWMSsvL2NMbE54aDNTMmhJ
|
||||
aWNSazdMMlJUaE5teDh1SWlBMFFMbVkKLS0tIG5QaktGZitaem1DaU5mL2hDZUUr
|
||||
RW5RNXhpQklCQ3B5K0VoRUFZK3JEQUkKRCGn35rQOpgwxxUSvpWVxJG3gMu+aTnW
|
||||
B3a/0I0QqAgcPZ3Lj/HIUDN5GUDxdmZhuMdBRKtm5uHMPzDDOXJOKA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYSzhDb29pUmNvZ2Q5a3hO
|
||||
R09lRThlNFpTd1FiZjdFajNMekxvQ3gvekQ0Cnd0SytUVi9JZUcvZGt4YjU3MENX
|
||||
RWxMcUlRR3ZiUnVacGhBUTVseTQ4dkUKLS0tIDFabnNQbDlUcHRjUVRTVTFkTkJE
|
||||
SURWUVdNYVdNRXpXYVpBVDZRS204ZVUK9DcgnwXI4cBcnl2xZWrJ1uLY8GHqL6HG
|
||||
1cGGG6WEI/EyRH0x80/Djj1d3mEUs7H66uVjbNgid6vOjLi4qTS83g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-17T21:42:43Z"
|
||||
mac: ENC[AES256_GCM,data:0qHov3SY7SM0+kp4HqPi/AxnI2k2oDDmRkqFTEsqe7pJ793ldu/io027GOlmg9ZHs+aZflSl6tzMKXWAb0FR3ZCUi4pap5ZLANTYbnHN+X5/dhxoUwCwJxdhyFYntmfaFjxhPiPbhRfs/CGDhij8KyQASA/G1C2rFdH7xCYJIOA=,iv:AjnOkA9/d5+/X1Z0+if/jUBBnqFnK9by58C99VghI9I=,tag:u6EDtD2NK6dvFs6FIbur1Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
@ -1,4 +1,8 @@
|
|||
{pkgs, ...}: {
|
||||
{
|
||||
self,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
config = {
|
||||
pim = {
|
||||
lanzaboote.enable = true;
|
||||
|
|
@ -8,13 +12,7 @@
|
|||
wireguard.enable = true;
|
||||
compliance.enable = true;
|
||||
|
||||
sopsKeys = {
|
||||
# This is the root of our secret system.
|
||||
# Don't deploy this though; if it fails,
|
||||
# the key will be wiped.
|
||||
# root = ./nixos.sops.yaml;
|
||||
pim = ./pim.sops.yaml;
|
||||
};
|
||||
sops-nix.usersWithSopsKeys = ["pim"];
|
||||
};
|
||||
|
||||
users.users.pim = {
|
||||
|
|
@ -36,7 +34,7 @@
|
|||
|
||||
sops = {
|
||||
age.keyFile = "/root/.config/sops/age/keys.txt";
|
||||
defaultSopsFile = ./nixos.sops.yaml;
|
||||
defaultSopsFile = "${self}/secrets/sue/nixos.yaml";
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
|
|
|||
|
|
@ -1,25 +0,0 @@
|
|||
sops_age_key: ENC[AES256_GCM,data:xKGTAF5cVgysZPbcDgs0QF92Bw6wW78n9fm2RMdeLtywn0ga4qBO8YlrIQWCc2SfFQOTZUlz0e7QWsnbZpxN4p03XF1zusU0ceM=,iv:cDjqDYR3PKx3AbLQL5QbeFK26+Cnsk2m74mHPHIozNs=,tag:C2MzZLR2cQY/gHQNTId8UA==,type:str]
|
||||
wireguard:
|
||||
home:
|
||||
presharedKey: ENC[AES256_GCM,data:nFOqWcdo8zG83v1ceod8Uy4wX3w2LHmDPp2PaAAJ/lUexU4DhY9RZ4wtgC8=,iv:UvzQSZZ62I+QVFHMkHczC2KPeqX8z+DodS7nxLmXr4U=,tag:otwdNc2636DJdkzg22puqQ==,type:str]
|
||||
privateKey: ENC[AES256_GCM,data:RCQ3hvrnxCerTmKYfZFV7c9smMj5tbP+iFWouo1oxfhbec5K3uXipkL+KSg=,iv:zKSPvtDH3WcuxVpQydGScX6m0isZzLKk/F+/Wlpt/YQ=,tag:BDag2DSoHQDzg8xTS3SX3A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWEc5K3p3QytpZ1pxeEJy
|
||||
TUtENXdnT3ZJUGNXaHo0ZktwK21OMVJmNzA4CjdlMUtWY2hBc3U1UVZQZEllK2xC
|
||||
NGZSK2VyQVdBRmZYejBWM0FIeFE5K2MKLS0tIEQ3MHhOcW92dlo4NUdBdFlKdEM0
|
||||
N1Rab3RNZ00vd0xPOVBYRHphaldWU1EKNKnKPWO1l8NwWXG2e15Y3td9I0rN9Wwn
|
||||
QdoeVf2+cPJOO5g9stZpl2DBF3QxJojt+dQhwjuEbP9nQtlVQPAlMQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-21T21:16:17Z"
|
||||
mac: ENC[AES256_GCM,data:Z2mYTek91FLKgMpAFdRl8s2eE6r/03f9/E/XDvkwJZutI40qN6tFrDmhdPIb1U96oPGekcK9WkShIQekQIK6CiDhOAr048x2kSXvrHMZ1hg1hwO7H6jBJiFSRxM1BVBAlbcvZp5IW7e3CqfibVOgXOQvMl0CDS41ucQWV7odO6Y=,iv:7rb/VemE+cFhJ+8XUeLyp+K7FmY0XdAbgs6XWHLrV7M=,tag:vmPRTB9+EYjPLgX4qiFlXw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
@ -1,4 +1,5 @@
|
|||
{
|
||||
self,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
|
|
@ -22,7 +23,7 @@
|
|||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./pim.sops.yaml;
|
||||
defaultSopsFile = "${self}/secrets/sue/pim.yaml";
|
||||
age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
|
||||
secrets."keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
|
||||
};
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
|
|
@ -9,7 +9,7 @@
|
|||
config = {
|
||||
pim = {
|
||||
tailscale.advertiseExitNode = true;
|
||||
sopsKeys.root = ./nixos.sops.yaml;
|
||||
sops-nix.usersWithSopsKeys = ["root"];
|
||||
prometheus.enable = true;
|
||||
};
|
||||
|
||||
|
|
@ -31,10 +31,7 @@
|
|||
|
||||
users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
|
||||
|
||||
sops = {
|
||||
age.keyFile = "/root/.config/sops/age/keys.txt";
|
||||
defaultSopsFile = ./nixos.sops.yaml;
|
||||
};
|
||||
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-label/NIXOS_SD";
|
||||
|
|
|
|||
|
|
@ -1,48 +0,0 @@
|
|||
sops_age_key: ENC[AES256_GCM,data:xoZAEBVDGyq3mpq7+eeXJVYR0LJXktE64aPPayO3BAAeLE9qyfru5LEuJiKmswmT4GehgRV4iDIM35a62nuHkf1SEp4bQXQJ6dE=,iv:DPdp1iuIrGcVjbUbhmiy8dIdnripIC7KU+JGveajwvc=,tag:oqlSl5ydnr4/r9/lFSUlLA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cWpBQk40cTNZSjFCVW5p
|
||||
ajJlZUpFMFdzZEpJM0VDUTNoUWNVZzdZRkYwCjNNQjJUZThCU2RiQnVKQjhjVWZL
|
||||
V1hNQXNBMGw0bUtmTnJVM2hoWWtyOUkKLS0tIFJFQVBpaXN6WFk2VFVSdExNcUl1
|
||||
KzVQV09IUmFEVFpzbS9tdTE5cjhkVkEKnX1/AvxwSeo6p0EPGU5KnqxwdhEDSQQA
|
||||
FB3JiU12vy0kh1NYWT+roUYT39BJCk/tjRgHJ6E5qc9LKwthXFdi/A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWkxEV2ViREFzSE1ZOU9w
|
||||
ZDNMYnlSSzdOWVZIc1oveHByVVJrTU1SbGx3CmZjRlF6MkJnTXNHK2k3K0hCcEdW
|
||||
SkcwWE5XakthWHJxWEpud3ZuY2ZFNkUKLS0tIFdRL3JpSWFHZ2hYQXVEOVgvaElN
|
||||
RnFzNUkwVWVhd3RCOFVZaXZRc3hEM1kKlk5bPXaDkVCk5/4hZF2aoFAr8LEVX/Te
|
||||
I90BMUglu4qsUjNNhiZVGMV1LIk9mue4sxBP25BZpDLJVR+Mw7J61g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YkwyblJRd1dpV3lQSTNr
|
||||
RlI4cHlXYXdleE9HL2E3YThka3pkZlBFcXhzCmtvZWc1cjIraldtazgrZXRod09U
|
||||
WlRoYTFvM2t4ZmI5bzYxcGJlZmlzencKLS0tIEdxZU5QaVZWYkp0WjhKWTZZTXhr
|
||||
REtoU1UxWUR3TUI0RUZaMEpwNEsvbHcKFAaqhhC92VHBr0c1yLlx7f3+yEWVaEtg
|
||||
K+/JE0GTpcvWsrtGRslhcIP7zEFHlJ0hnOH/PUu1E9xEDF09c3gkBQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2U1lwdlFZTlphdTNMTXh2
|
||||
Q3F2UEJQSzBjRC9EY1Y0dExlcW9wUzM4NFc4CmZuaFcwc1hEcmRSQ0lDZ3BUSGQ4
|
||||
Uy9STGVRMVg2NEpOaGVtTzhab3d4RGsKLS0tIFBCN2FtN2dOSjlIejRJNEFqWEVW
|
||||
TTE1QzlIWlBtaFVBdkkvczFtaG82Z1EKlzD1POogze+J3C+e1Wf8n2JcWZxPUGSn
|
||||
SZPp3j2NvvK/OrlcgPYJYt1513QzS5JYY5Sleqoj/GcF48+lq8523A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-30T18:11:28Z"
|
||||
mac: ENC[AES256_GCM,data:Yi0IWmRPVHeO+GptuJN1gfDUldL/nKcx3BsIPuvSCF0/cpwVIWQ3BwfTZFfYOZlWAWTnmVbzuPSdbWmAUNmAb7E8A88VERCjY1z60mQ5uuW+LwbwLS6IY3/mXK6CQrnptH5etTNUoE+PrAVOPT7nBq/MohW0T5X09WW/63t0+Uc=,iv:JF/Yg/i8jtFxfiyk0OjoIdakXjVTLU6JHKiO7c8GwkI=,tag:g8kP1HLxGp8uNYfWpj5wBQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
||||
Loading…
Add table
Add a link
Reference in a new issue