Reorganize some sops stuff
This commit is contained in:
parent
a29d10e507
commit
6291f8d438
14 changed files with 152 additions and 195 deletions
21
.sops.yaml
21
.sops.yaml
|
@ -8,32 +8,27 @@ keys:
|
||||||
- &niels age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
|
- &niels age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: machines/sue/nixos.sops.yaml
|
- path_regex: secrets/sue/colmena.yaml
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *sue_root
|
- *sue_root
|
||||||
- path_regex: machines/sue/pim.sops.yaml
|
- path_regex: secrets/sue/nixos.yaml
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *sue_root
|
||||||
|
- path_regex: secrets/sue/pim.yaml
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *sue_pim
|
- *sue_pim
|
||||||
- *sue_root
|
- *sue_root
|
||||||
- path_regex: machines/gamepc/nixos.sops.yaml
|
- path_regex: secrets/gamepc/colmena.yaml
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *sue_pim
|
- *sue_pim
|
||||||
- *sue_root
|
- *sue_root
|
||||||
- *gamepc_root
|
- path_regex: secrets/warwick/colmena.yaml
|
||||||
- path_regex: machines/gamepc/pim.sops.yaml
|
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *sue_pim
|
|
||||||
- *sue_root
|
|
||||||
- *gamepc_root
|
|
||||||
- *gamepc_pim
|
|
||||||
- path_regex: machines/warwick/nixos.sops.yaml
|
|
||||||
key_groups:
|
|
||||||
- age:
|
|
||||||
- *warwick_root
|
|
||||||
- *sue_pim
|
- *sue_pim
|
||||||
- *sue_root
|
- *sue_root
|
||||||
- *niels
|
- *niels
|
||||||
|
|
|
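Review bot: The new rule for `secrets/sue/colmena.yaml` has `*sue_root` as its only recipient, yet the file added in this commit under that path carries `sops_nix_keys.root`, which by the module's `--extract '["sops_nix_keys"]["root"]'` path is sue's own root age key — so the file is encrypted only to the key it contains. If `/root/.config/sops/age/keys.txt` on sue is ever lost, nothing can decrypt this file, and since sue is presumably the machine that runs the colmena keyCommands, every other host's key file becomes undeployable as well; the sue config comment this commit removes ("This is the root of our secret system … the key will be wiped") described exactly that risk. Consider adding a second, offline recovery recipient (or at least `*sue_pim`, as the gamepc and warwick rules already do) to this key group and re-running `sops updatekeys secrets/sue/colmena.yaml`. The same applies to `secrets/sue/nixos.yaml`, which is likewise keyed to `*sue_root` alone.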
@ -6,10 +6,7 @@
|
||||||
config = {
|
config = {
|
||||||
pim = {
|
pim = {
|
||||||
cinnamon.enable = true;
|
cinnamon.enable = true;
|
||||||
sopsKeys = {
|
sops-nix.usersWithSopsKeys = ["root" "pim"];
|
||||||
root = ./nixos.sops.yaml;
|
|
||||||
pim = ./pim.sops.yaml;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
facter.reportPath = ./facter.json;
|
facter.reportPath = ./facter.json;
|
||||||
|
|
|
@ -1,39 +0,0 @@
|
||||||
sops_age_key: ENC[AES256_GCM,data:v0/grOgffNcl1IbfdHr7uzbwvIL1CpfvSSFnuQS1ZEkuuE2Bfbvl8G0i6dHQSnFBtNJXkgAajCdapUlRcaX60EuXToKB14nHP1A=,iv:ZruuYlZJszgmztMXqya7InCLlyihS59QJCoSk685q34=,tag:bN3NZsWeg12GfUTjubb4Ug==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age:
|
|
||||||
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMkRLNHNYTm55TjA4YWhF
|
|
||||||
SENVSlVVYWRQUVZNU29iWmk4dVgvSHk3Z1RNClFqcTlUcTlqNjZrMFdUTGQyU2hO
|
|
||||||
ZktIWXh5VVVsR3d2dUhDQ296RXBJSGsKLS0tIGtWQ1Jwd3U5VmxyMjExMXlQVVZ4
|
|
||||||
aTNmRFhEaE9nbGduK2tLallTcFBSWVEKMhULgc6jkA+qJ9LrYtxcUO2k78L4LxHl
|
|
||||||
7Okpr5UJlTVn96swt/aFEEfA1gnzGgPWU6Oir5uETBiqTVVytW16wQ==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbHp6WkhjdDRkeWpTeTBN
|
|
||||||
ejRXMUwrSkFTTUlGMC9LNTRwemcxWXVzN1FBCkZlazlBbVM4RlJuTUtZQ1hoWkd3
|
|
||||||
SUs5RS9Ba2k2cjhsOGkxaUt5TzF5cjQKLS0tIHFRcWFIL1EvcURURmR3a2FSSjRW
|
|
||||||
OUpUcFJ1N003OUJlMDJha09nQ1l0OWsKuxMX8dZbn75yUs5E5/hu+LjHRslcUldL
|
|
||||||
YmQl7phWnWMfgwphERpOhdMn2pczVGygriG7c0LOe6SiEiXxnUHiWw==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
- recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArc1pmV1cwTmt1RnFBb1VO
|
|
||||||
Yzd4OHNwbVBORHU1ZVRpVFpsMHlYM3BSaVhnCm5vbURWZ1kzbVZIdE9FY01Qc2tI
|
|
||||||
cVFtQTY4WnpNOEI2T1BTYkp4OWQydm8KLS0tIFE0eXpJMWxCMC9yOGNRdGNKUmll
|
|
||||||
S3I4UmRYZzRBUk5jcGtoUzFjcWdGeEEKGYB4kTpjNaAZWuu/wnBNYcSFwFEtX+pu
|
|
||||||
zzt9Nd2ahPnTMdcSLz/mwOHxyiAgBDUGsNm60EitKxl+LgmR7mBjnw==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
lastmodified: "2024-11-17T21:42:29Z"
|
|
||||||
mac: ENC[AES256_GCM,data:dFwV6VpyoXRkhfL+uSiiH2EcetAb0qV3AbED2XzNwvbE+TbItcoQ6JQ/2+lItZ4iULxGOxMvD8n0ZO/aASC8fDlqsNMwf2KmNFwjl4sVJBtTLKH4Z1/5rZmECwdiTMKOf/oTv3VNgbzkcrAuKEZywl+c4iXd5w4YaJgA0M6aSWI=,iv:Zxvr8vBcDZavSbAL8Ar+Du546H1Dhp/ZXRtsjcik2RE=,tag:Od08FmjlhNYPEpMC4rQR8A==,type:str]
|
|
||||||
pgp: []
|
|
||||||
unencrypted_suffix: _unencrypted
|
|
||||||
version: 3.8.1
|
|
|
@ -1,48 +0,0 @@
|
||||||
sops_age_key: ENC[AES256_GCM,data:acf7kA1ceRLqw0TYPFzkNAMLz0TbNTFBN8MtsYX2y0+xuyFX0oJzIZAMTP7fjVBEcuPE55ewoXjXpP18iDwRUDT4f9Y1dorQD/g=,iv:vx4Inly+Vg8pENlBvijTv2hgTJTFLAfp+f4Nn2leO3A=,tag:i+KXl1V4OxqDnjK62ijBbQ==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age:
|
|
||||||
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWlpYcTV2TEw3TmwyaHhZ
|
|
||||||
M3hJY3VOT2NwaVZUU1cvNnRHVnhOZFRCd1cwCi8zM09icUZEUlIwTy9jVE9Takhr
|
|
||||||
T1ZuWWtkOHBGVGpHeU1VdXpvV2RRSE0KLS0tIDNyL24vWmZhRzBBRW5iMW1tSXhs
|
|
||||||
ZDhDVTcyVzk1bzVOcjJ1aDlOWEt4RzAKCuuSJ/aLZldfysSFhmUNNZULcSiBrNe9
|
|
||||||
hTRra+FLCbNqsNt2iuImkOQwINqdlUIaC36TtXUucV3C2SyDdLo1rA==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZXkyN1FxMzFiSzlVYjV4
|
|
||||||
U0E0TWNkb3VFMjJZYUdxM0QzZmg1cUxuMWxVCnFZNkM0SmFDRFE4aHJuQnNzOHNW
|
|
||||||
ZVc2MTBMWENYeFpYT3dPZERiMHpRUVEKLS0tIHhFL0JjdURYcldTbVNUYkNKN3VR
|
|
||||||
aUQ2ckVrb3k0L2hnSUdTb3ZzeE54SkEKzh55hsegd28yvwI93xQUYCFBHz7LFQ60
|
|
||||||
mrkrWHDBjzxH0VnKT/59YFI1QitLgxI2db6PGQl5i5LYzeBVzG58LQ==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
- recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUTR2enVtK3hEcExSL0lL
|
|
||||||
VWVHQ290WTB1cmlWbFB4TTRQaVdPRjQ2bGlRClNWeWtWMSsvL2NMbE54aDNTMmhJ
|
|
||||||
aWNSazdMMlJUaE5teDh1SWlBMFFMbVkKLS0tIG5QaktGZitaem1DaU5mL2hDZUUr
|
|
||||||
RW5RNXhpQklCQ3B5K0VoRUFZK3JEQUkKRCGn35rQOpgwxxUSvpWVxJG3gMu+aTnW
|
|
||||||
B3a/0I0QqAgcPZ3Lj/HIUDN5GUDxdmZhuMdBRKtm5uHMPzDDOXJOKA==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
- recipient: age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYSzhDb29pUmNvZ2Q5a3hO
|
|
||||||
R09lRThlNFpTd1FiZjdFajNMekxvQ3gvekQ0Cnd0SytUVi9JZUcvZGt4YjU3MENX
|
|
||||||
RWxMcUlRR3ZiUnVacGhBUTVseTQ4dkUKLS0tIDFabnNQbDlUcHRjUVRTVTFkTkJE
|
|
||||||
SURWUVdNYVdNRXpXYVpBVDZRS204ZVUK9DcgnwXI4cBcnl2xZWrJ1uLY8GHqL6HG
|
|
||||||
1cGGG6WEI/EyRH0x80/Djj1d3mEUs7H66uVjbNgid6vOjLi4qTS83g==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
lastmodified: "2024-11-17T21:42:43Z"
|
|
||||||
mac: ENC[AES256_GCM,data:0qHov3SY7SM0+kp4HqPi/AxnI2k2oDDmRkqFTEsqe7pJ793ldu/io027GOlmg9ZHs+aZflSl6tzMKXWAb0FR3ZCUi4pap5ZLANTYbnHN+X5/dhxoUwCwJxdhyFYntmfaFjxhPiPbhRfs/CGDhij8KyQASA/G1C2rFdH7xCYJIOA=,iv:AjnOkA9/d5+/X1Z0+if/jUBBnqFnK9by58C99VghI9I=,tag:u6EDtD2NK6dvFs6FIbur1Q==,type:str]
|
|
||||||
pgp: []
|
|
||||||
unencrypted_suffix: _unencrypted
|
|
||||||
version: 3.8.1
|
|
|
@ -1,4 +1,8 @@
|
||||||
{pkgs, ...}: {
|
{
|
||||||
|
self,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
config = {
|
config = {
|
||||||
pim = {
|
pim = {
|
||||||
lanzaboote.enable = true;
|
lanzaboote.enable = true;
|
||||||
|
@ -8,13 +12,7 @@
|
||||||
wireguard.enable = true;
|
wireguard.enable = true;
|
||||||
compliance.enable = true;
|
compliance.enable = true;
|
||||||
|
|
||||||
sopsKeys = {
|
sops-nix.usersWithSopsKeys = ["pim"];
|
||||||
# This is the root of our secret system.
|
|
||||||
# Don't deploy this though; if it fails,
|
|
||||||
# the key will be wiped.
|
|
||||||
# root = ./nixos.sops.yaml;
|
|
||||||
pim = ./pim.sops.yaml;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.pim = {
|
users.users.pim = {
|
||||||
|
@ -36,7 +34,7 @@
|
||||||
|
|
||||||
sops = {
|
sops = {
|
||||||
age.keyFile = "/root/.config/sops/age/keys.txt";
|
age.keyFile = "/root/.config/sops/age/keys.txt";
|
||||||
defaultSopsFile = ./nixos.sops.yaml;
|
defaultSopsFile = "${self}/secrets/sue/nixos.yaml";
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
|
|
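Review bot: The rationale removed with the old `sopsKeys` block — that sue's root key is the root of the secret system and must never be deployed because a failed deploy wipes it — no longer appears anywhere, and the new `sops-nix.usersWithSopsKeys = ["pim"];` reads like an arbitrary list that a later edit could extend with `"root"`. I would keep that warning next to the new line, e.g. `# Deliberately NOT "root": sue's root age key is the root of the secret system and is never deployed (a failed key deploy would overwrite keys.txt).`. The `config.pim` attrset this sits in continues outside the hunk.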
@ -1,4 +1,5 @@
|
||||||
{
|
{
|
||||||
|
self,
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
|
@ -22,7 +23,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
sops = {
|
sops = {
|
||||||
defaultSopsFile = ./pim.sops.yaml;
|
defaultSopsFile = "${self}/secrets/sue/pim.yaml";
|
||||||
age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
|
age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
|
||||||
secrets."keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
|
secrets."keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
|
||||||
};
|
};
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
config = {
|
config = {
|
||||||
pim = {
|
pim = {
|
||||||
tailscale.advertiseExitNode = true;
|
tailscale.advertiseExitNode = true;
|
||||||
sopsKeys.root = ./nixos.sops.yaml;
|
sops-nix.usersWithSopsKeys = ["root"];
|
||||||
prometheus.enable = true;
|
prometheus.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -31,10 +31,7 @@
|
||||||
|
|
||||||
users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
|
users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
|
||||||
|
|
||||||
sops = {
|
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
|
||||||
age.keyFile = "/root/.config/sops/age/keys.txt";
|
|
||||||
defaultSopsFile = ./nixos.sops.yaml;
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/" = {
|
fileSystems."/" = {
|
||||||
device = "/dev/disk/by-label/NIXOS_SD";
|
device = "/dev/disk/by-label/NIXOS_SD";
|
||||||
|
|
|
@ -1,48 +0,0 @@
|
||||||
sops_age_key: ENC[AES256_GCM,data:xoZAEBVDGyq3mpq7+eeXJVYR0LJXktE64aPPayO3BAAeLE9qyfru5LEuJiKmswmT4GehgRV4iDIM35a62nuHkf1SEp4bQXQJ6dE=,iv:DPdp1iuIrGcVjbUbhmiy8dIdnripIC7KU+JGveajwvc=,tag:oqlSl5ydnr4/r9/lFSUlLA==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age:
|
|
||||||
- recipient: age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cWpBQk40cTNZSjFCVW5p
|
|
||||||
ajJlZUpFMFdzZEpJM0VDUTNoUWNVZzdZRkYwCjNNQjJUZThCU2RiQnVKQjhjVWZL
|
|
||||||
V1hNQXNBMGw0bUtmTnJVM2hoWWtyOUkKLS0tIFJFQVBpaXN6WFk2VFVSdExNcUl1
|
|
||||||
KzVQV09IUmFEVFpzbS9tdTE5cjhkVkEKnX1/AvxwSeo6p0EPGU5KnqxwdhEDSQQA
|
|
||||||
FB3JiU12vy0kh1NYWT+roUYT39BJCk/tjRgHJ6E5qc9LKwthXFdi/A==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWkxEV2ViREFzSE1ZOU9w
|
|
||||||
ZDNMYnlSSzdOWVZIc1oveHByVVJrTU1SbGx3CmZjRlF6MkJnTXNHK2k3K0hCcEdW
|
|
||||||
SkcwWE5XakthWHJxWEpud3ZuY2ZFNkUKLS0tIFdRL3JpSWFHZ2hYQXVEOVgvaElN
|
|
||||||
RnFzNUkwVWVhd3RCOFVZaXZRc3hEM1kKlk5bPXaDkVCk5/4hZF2aoFAr8LEVX/Te
|
|
||||||
I90BMUglu4qsUjNNhiZVGMV1LIk9mue4sxBP25BZpDLJVR+Mw7J61g==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YkwyblJRd1dpV3lQSTNr
|
|
||||||
RlI4cHlXYXdleE9HL2E3YThka3pkZlBFcXhzCmtvZWc1cjIraldtazgrZXRod09U
|
|
||||||
WlRoYTFvM2t4ZmI5bzYxcGJlZmlzencKLS0tIEdxZU5QaVZWYkp0WjhKWTZZTXhr
|
|
||||||
REtoU1UxWUR3TUI0RUZaMEpwNEsvbHcKFAaqhhC92VHBr0c1yLlx7f3+yEWVaEtg
|
|
||||||
K+/JE0GTpcvWsrtGRslhcIP7zEFHlJ0hnOH/PUu1E9xEDF09c3gkBQ==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2U1lwdlFZTlphdTNMTXh2
|
|
||||||
Q3F2UEJQSzBjRC9EY1Y0dExlcW9wUzM4NFc4CmZuaFcwc1hEcmRSQ0lDZ3BUSGQ4
|
|
||||||
Uy9STGVRMVg2NEpOaGVtTzhab3d4RGsKLS0tIFBCN2FtN2dOSjlIejRJNEFqWEVW
|
|
||||||
TTE1QzlIWlBtaFVBdkkvczFtaG82Z1EKlzD1POogze+J3C+e1Wf8n2JcWZxPUGSn
|
|
||||||
SZPp3j2NvvK/OrlcgPYJYt1513QzS5JYY5Sleqoj/GcF48+lq8523A==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
lastmodified: "2024-11-30T18:11:28Z"
|
|
||||||
mac: ENC[AES256_GCM,data:Yi0IWmRPVHeO+GptuJN1gfDUldL/nKcx3BsIPuvSCF0/cpwVIWQ3BwfTZFfYOZlWAWTnmVbzuPSdbWmAUNmAb7E8A88VERCjY1z60mQ5uuW+LwbwLS6IY3/mXK6CQrnptH5etTNUoE+PrAVOPT7nBq/MohW0T5X09WW/63t0+Uc=,iv:JF/Yg/i8jtFxfiyk0OjoIdakXjVTLU6JHKiO7c8GwkI=,tag:g8kP1HLxGp8uNYfWpj5wBQ==,type:str]
|
|
||||||
pgp: []
|
|
||||||
unencrypted_suffix: _unencrypted
|
|
||||||
version: 3.9.1
|
|
|
@ -4,6 +4,7 @@
|
||||||
lib,
|
lib,
|
||||||
inputs,
|
inputs,
|
||||||
self,
|
self,
|
||||||
|
name,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -25,9 +26,16 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
pim.sopsKeys = lib.mkOption {
|
pim.sops-nix = {
|
||||||
type = lib.types.attrsOf lib.types.path;
|
colmenaSopsFile = lib.mkOption {
|
||||||
default = {};
|
type = lib.types.path;
|
||||||
|
default = "${self}/secrets/${name}/colmena.yaml";
|
||||||
|
};
|
||||||
|
|
||||||
|
usersWithSopsKeys = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.str;
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -53,24 +61,27 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# BUG: this uses root way too much.
|
deployment.keys = lib.pipe config.pim.sops-nix.usersWithSopsKeys [
|
||||||
deployment.keys =
|
(lib.map (
|
||||||
lib.mapAttrs' (user: sopsFile: let
|
user: let
|
||||||
homeDirectory =
|
homeDirectory =
|
||||||
if user == "root"
|
if user == "root"
|
||||||
then "/root"
|
then "/root"
|
||||||
else "/home/${user}";
|
else "/home/${user}";
|
||||||
in {
|
sopsFile = config.pim.sops-nix.colmenaSopsFile;
|
||||||
name = "${user}-sops-age-key";
|
in {
|
||||||
value = {
|
name = "${user}-sops-age";
|
||||||
keyCommand = ["nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];
|
value = {
|
||||||
name = "keys.txt";
|
keyCommand = ["nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_nix_keys\"][\"${user}\"]" "-d" (builtins.toString sopsFile)];
|
||||||
destDir = "${homeDirectory}/.config/sops/age";
|
name = "keys.txt";
|
||||||
inherit user;
|
destDir = "${homeDirectory}/.config/sops/age";
|
||||||
group = "users";
|
inherit user;
|
||||||
};
|
group = "users";
|
||||||
})
|
};
|
||||||
config.pim.sopsKeys;
|
}
|
||||||
|
))
|
||||||
|
builtins.listToAttrs
|
||||||
|
];
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
services.NetworkManager-wait-online.enable = lib.mkForce false;
|
services.NetworkManager-wait-online.enable = lib.mkForce false;
|
||||||
|
|
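Review bot: The keyCommand `["nix" "run" "nixpkgs#sops" "--" "--extract" …]` decrypts each node's private age keys with whatever `nixpkgs` the deploying machine's flake registry resolves to at deploy time (typically an unpinned unstable fetched on demand), not the flake's locked input, so the tool handling the most sensitive material in the repo is not tied to the lockfile; since `inputs` is already a module argument, `"${inputs.nixpkgs}#sops"` in place of `"nixpkgs#sops"` (or invoking the deployer's own `sops` binary) would pin it. Separately, every key file, including root's, is declared with `group = "users";` — harmless if colmena's default key permissions apply, but the group should follow the owner, e.g. `group = if user == "root" then "root" else "users";`, and an explicit `permissions = "0600";` would make the intent visible rather than relying on the default. The old `# BUG: this uses root way too much.` note was dropped without a visible change addressing it; if it still holds, keep the note.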
32
secrets/gamepc/colmena.yaml
Normal file
32
secrets/gamepc/colmena.yaml
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
sops_nix_keys:
|
||||||
|
root: ENC[AES256_GCM,data:mlihmoW4fk6B/TeEC3MbxfZCltUd2WRP6f2zPf6Tr6EEtJgbk4d1cghHNWr5GKp0cqCnayrFTE7ueYdyPfYQjp9tynn43WAt4BY=,iv:q76g1uVT8tlspaOZk/mSpMf42r3spdQse4szRazPdtk=,tag:3tPGB3iU+6K6uBKXPY/z4g==,type:str]
|
||||||
|
pim: ENC[AES256_GCM,data:pCMESWXN+rPXHbP8d3L4yLU4ayRIKfMfziR1ACdcURSTCusnyOFcBswAUqjGWSgrFG7WRPp8Z2rW1vzI3h5ZIk5d+3MuWZrksNY=,iv:mfgG5NVE69IP3AyPvAOFJgdlk54+SDkmSZY6LGR3398=,tag:1HVa3BFHMWXKfonlagAulQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bGc3TTd2SER5azdoMnNt
|
||||||
|
eXF1ZjhVbkxXenF6TGJvekIxc2E1aHlFcTFBCmlrdDdoYStzZFdlRTJaWDN5Z1lM
|
||||||
|
OTBCcEQxUmsrc0U4SHd5ZWxvdUxiTG8KLS0tIDZiSW1IK2liWmV6cDEzWEgrTnZS
|
||||||
|
WCtuK1FienllRVF6SUZ4N3Z2Wk9PUEkK/trGncXxOKLpfJ49etieeo9OVZyNIENm
|
||||||
|
3cODe7/IZbq65yJmtPyKAKRsXjvGngIbhy7YrIqF1+wmo58sZmLgUg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOGdidDFZV3F4UEV5WWlk
|
||||||
|
WHpDRjFNb1JFU25rdmZXRUNLL3V4UEt0SVhBClBSUXBRalI3YTVLMmlaenE0M1NY
|
||||||
|
enNVVDI1ci9sUS9XemVXdmNoUVdaM2cKLS0tIFhIaFc3VERpaDNoWGNDTVA2b0ZZ
|
||||||
|
UVk0S29Ealo3S3RCOWxpWmVpbE9LOFkKm1hofRV8U6EEoffCHCHeRIfSxxiGXbxD
|
||||||
|
LogWwPblnLRC4qch2JAWzMm+CtEvgn1QJB1Wh5ibIEzDusxHFAI5nA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-30T23:31:36Z"
|
||||||
|
mac: ENC[AES256_GCM,data:Bp9KYK17k2XKlgx+PGmXOvZcxCEzmofc7H3Xrmkq3JwH5Gseem8aJwqLF0jfNlrbpNFVwsSzC+mz4dr9GvxEQxhqAsyajFwwVVcq404iY0FZsavP13w7PJ/uxBcTyTXmMJwdegnnE35ll6rCnbzJ69Br29iY434INXPG/eXnwOo=,iv:s6Radz1cdr7ks3oXsuRafTMVthvUv7/4r2ae5KZZ4w4=,tag:c3cCIG8aztytZX7KprRWnQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
23
secrets/sue/colmena.yaml
Normal file
23
secrets/sue/colmena.yaml
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
sops_nix_keys:
|
||||||
|
root: ENC[AES256_GCM,data:CxF2wjcQ2OFuS7Pgjnc8zc7sqGEz3dcHt4NXkL+V6w7kGPP+b4wBhOlT7b+bEESNslpK2htLY7x+IZWIA8JQpeRKHAKymAUK86I=,iv:5qNFDb86/Vr9Iqzx1eES4wUVY5XTq3iOR4VQliuP1lg=,tag:gx/Q7t52l9kMhPRXdpsB6A==,type:str]
|
||||||
|
pim: ENC[AES256_GCM,data:PWFlRBaqImbCpj3IXU+BtNIRvwru+GRwxDQO4QwINRvxRqC36LE6JpMqaJNrTdCPy+aQ01brTN8y99qXTDlrul32cZnopc37r78=,iv:1tG7rDB5D7D2myes6Ro8hXC140ugjXpiwNpivWFw/xw=,tag:BNm/Ep55tt7xBWZFyzTR5g==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMWdWZUZQdm9nUWVlUW1w
|
||||||
|
TU81QmRUZ2s5UzdkVVpBZFNZNmJoQlNtM1JBCnZrSE4xV0xuaXRtOG5UbGw1Mk9x
|
||||||
|
ZkpkajBzaVVrSEpuYWtnZ21pa2VWR0kKLS0tIGJTWnAyQ0daVTJJTHU0TmdKcGRJ
|
||||||
|
NkJzL3JSN2sxbnF6NGNhQlJqTHpHRTAKK+3FqqBAGxdlMtnbsySEcZT1lkQwJWvK
|
||||||
|
GFB+6CtH9UtyIGrdK8Pm/0ahsolYGAim2OjeiKBbs3Q8kLm5WAsgRg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-30T23:42:51Z"
|
||||||
|
mac: ENC[AES256_GCM,data:fo856uaz54nxHDJVDpMOPc6GHAzMdVJTfqBiMtJkEwm3AVICtRcI8ucceBnmfKZf9DM2MC2DffU1tvJd5iqpqFZMXCElRnBxWVZGhvrZqIZtmoAin5zBgwOudf1o6msmdNGmZk1ECq/HpHNO/QMQ3rnFdBvOZwL0zu6iZm9XwC0=,iv:T6Tv1ukk0CWbTRVWYdfn/bWQoETk8DRVMOzpJE9mCWE=,tag:eICIYTBvAJLUTpRcMYqc5Q==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
|
@ -1,4 +1,3 @@
|
||||||
sops_age_key: ENC[AES256_GCM,data:xKGTAF5cVgysZPbcDgs0QF92Bw6wW78n9fm2RMdeLtywn0ga4qBO8YlrIQWCc2SfFQOTZUlz0e7QWsnbZpxN4p03XF1zusU0ceM=,iv:cDjqDYR3PKx3AbLQL5QbeFK26+Cnsk2m74mHPHIozNs=,tag:C2MzZLR2cQY/gHQNTId8UA==,type:str]
|
|
||||||
wireguard:
|
wireguard:
|
||||||
home:
|
home:
|
||||||
presharedKey: ENC[AES256_GCM,data:nFOqWcdo8zG83v1ceod8Uy4wX3w2LHmDPp2PaAAJ/lUexU4DhY9RZ4wtgC8=,iv:UvzQSZZ62I+QVFHMkHczC2KPeqX8z+DodS7nxLmXr4U=,tag:otwdNc2636DJdkzg22puqQ==,type:str]
|
presharedKey: ENC[AES256_GCM,data:nFOqWcdo8zG83v1ceod8Uy4wX3w2LHmDPp2PaAAJ/lUexU4DhY9RZ4wtgC8=,iv:UvzQSZZ62I+QVFHMkHczC2KPeqX8z+DodS7nxLmXr4U=,tag:otwdNc2636DJdkzg22puqQ==,type:str]
|
||||||
|
@ -18,8 +17,8 @@ sops:
|
||||||
N1Rab3RNZ00vd0xPOVBYRHphaldWU1EKNKnKPWO1l8NwWXG2e15Y3td9I0rN9Wwn
|
N1Rab3RNZ00vd0xPOVBYRHphaldWU1EKNKnKPWO1l8NwWXG2e15Y3td9I0rN9Wwn
|
||||||
QdoeVf2+cPJOO5g9stZpl2DBF3QxJojt+dQhwjuEbP9nQtlVQPAlMQ==
|
QdoeVf2+cPJOO5g9stZpl2DBF3QxJojt+dQhwjuEbP9nQtlVQPAlMQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-11-21T21:16:17Z"
|
lastmodified: "2024-11-30T23:42:09Z"
|
||||||
mac: ENC[AES256_GCM,data:Z2mYTek91FLKgMpAFdRl8s2eE6r/03f9/E/XDvkwJZutI40qN6tFrDmhdPIb1U96oPGekcK9WkShIQekQIK6CiDhOAr048x2kSXvrHMZ1hg1hwO7H6jBJiFSRxM1BVBAlbcvZp5IW7e3CqfibVOgXOQvMl0CDS41ucQWV7odO6Y=,iv:7rb/VemE+cFhJ+8XUeLyp+K7FmY0XdAbgs6XWHLrV7M=,tag:vmPRTB9+EYjPLgX4qiFlXw==,type:str]
|
mac: ENC[AES256_GCM,data:nHLeqi4DAoyIi0CfARfx9b753BFdMmIR/fkOrhV5yehl7rUWvSh0+H7sb/ncgW6Blrc5g6Ek8BxXAt8a2SXfCEQaFU6tI1wJ/3mPtEPSvWQnZ75wAQLRgaBE3oxdL2FxSu3sjXMRjipPa/ACbau60FpNFzVbGuwNYfQAquwWtFg=,iv:LYn+36pfIw8zCnhQE4nCyt9yhetoHZRVNrBXL8N12Jo=,tag:aZsxtfEdK99+aBQS6OEwWg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.9.1
|
File diff suppressed because one or more lines are too long
40
secrets/warwick/colmena.yaml
Normal file
40
secrets/warwick/colmena.yaml
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
sops_nix_keys:
|
||||||
|
root: ENC[AES256_GCM,data:hu7AbU/RYst/DKBacsRBSpnQY0k3GtvbpB74v0H26FFkbBvAUz9qsW9Mw/5ctwmQ1pIhSWkT9sauAtrvoHRtjYeS43wpnk5qyMk=,iv:4B05pU+pI+MvO3Q6xE8ZYfIJ92q6AOI4KxMIRl0tvfg=,tag:GnbOAHTLaBqx/UxoxSbdIw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcTBrYTdBdEZlNTlSdDl2
|
||||||
|
L05NTmwwY2dGQUdRVG9RS0h3amRQM3dadWg4ClM0Y0NGNWc3aDlwTFhOclJScks3
|
||||||
|
TjZMWjBOdzZWZU1vMXZBVGhBT1UwbmMKLS0tIDVjMkxMeklZbXJvQkpiK3h5bG9s
|
||||||
|
dHpUOW95Z0tWRHNLTXovUTBrNUtxcmcKFcsYkVInDOnioltWt7+EPQ3V75/yqY1H
|
||||||
|
1N/ZdCEvBTrs4K2akaQWFdAhBWExtuIxoQIABEH6mzjVkzvYCR+W0Q==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhV0xzbVhjRWxVWDFjVXdi
|
||||||
|
aU9hbHpzS3dRZE5JaHVaN05MMjRRVVBENFJBClN0V0VBM0RXN21nSElTZmN6dG1k
|
||||||
|
RE1jSFEySUU4NUtadGNqRlQxY0syRU0KLS0tIEVzQ3hWdTN2KzkyVzIwY1ByTEVp
|
||||||
|
L1EyUVNnaHBIWTc3TkR1aEpnVk1FVWsKKYNvixUgDmqeqn3dwj03xvP4BTnUdn0X
|
||||||
|
geXvXzuAByusiSBxFH7xH2C5YURLlgnUM9AH/K52jlKpD0hx6pSQ1g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkb0FOS0RscXM1SHMxNTNz
|
||||||
|
QVRuMlJjc0Q3b2dzWS9lRGdrNUVsSW5wb3hJCkE3NGpQck5aQkgrUHNaNVFHeldv
|
||||||
|
U2wySkZRejFMK1V1U0svZ3Y4c2w2N0kKLS0tIE90VDNwNjdGUzZYU0tqMnA1UDN1
|
||||||
|
alhaVkVGUlFFaWVaUFN4NzNrUklQdWMK3USFGZy/XkYx6WNNXlzF+/tfIOFqTZzz
|
||||||
|
gH8EWuRcIbKB+ViTZ6rLZmKDUbSlAzlsKRdWXZCAKZOf19C9SAdtkw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-30T23:14:28Z"
|
||||||
|
mac: ENC[AES256_GCM,data:2aGEk+UkrkMmqxGLnoemDrPfQx8twhNAiIFXlrXYM0dMhQPbtgwonZ57IqPRNXzuG9ycchKLuEq7p3Mdki+2gYK/7Z6AS8lICsMZGLaqa36CkBvSeImfKSWkH822XV8OC4OIzO0ZkMt2R9NFiwMubbQPARtIFYUJwfay7EO/RIE=,iv:oKwSILwmGcU4633mR2FGwaj7d42PBSvUOlQhVZbgoL8=,tag:etx/SEFpLaMWCNTT7L5Axg==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|