pim/nixos-configs
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Deploy sops keys for gamepc

Browse source
This commit is contained in:
Pim Kunis 2024-11-17 22:50:00 +01:00
parent 46a99bf13d
commit b0a106b332
4 changed files with 134 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
.sops.yaml
View file

@ -1,7 +1,9 @@
# Public keys are combination of host + user
keys:
- &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
- &sue_root age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
- &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
- &gamepc_root age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
- &gamepc_pim age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
creation_rules:
- path_regex: machines/sue/nixos.sops.yaml
@ -13,3 +15,16 @@ creation_rules:
- age:
- *sue_pim
- *sue_root
- path_regex: machines/gamepc/nixos.sops.yaml
key_groups:
- age:
- *sue_pim
- *sue_root
- *gamepc_root
- path_regex: machines/gamepc/home.sops.yaml
key_groups:
- age:
- *sue_pim
- *sue_root
- *gamepc_root
- *gamepc_pim

33
colmena.nix
View file

@ -15,19 +15,26 @@ inputs @ {
};
sue = {
pkgs,
lib,
...
}: let
sops = lib.getExe pkgs.sops;
in {
deployment = {
allowLocalDeployment = true;
targetHost = null;
keys = {
# TODO: Create macro for this
root-sops-age-key = {
keyCommand = ["sudo" "nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/nixos.sops.yaml"];
keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/nixos.sops.yaml"];
name = "keys.txt";
destDir = "/root/.config/sops/age";
};
pim-sops-age-key = {
keyCommand = ["sudo" "nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/home.sops.yaml"];
keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/home.sops.yaml"];
name = "keys.txt";
destDir = "/home/pim/.config/sops/age";
user = "pim";
@ -43,9 +50,31 @@ inputs @ {
};
gamepc = {
pkgs,
lib,
...
}: let
sops = lib.getExe pkgs.sops;
in {
deployment = {
targetHost = "gamepc";
targetUser = "root";
keys = {
root-sops-age-key = {
keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/gamepc/nixos.sops.yaml"];
name = "keys.txt";
destDir = "/root/.config/sops/age";
};
pim-sops-age-key = {
keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/gamepc/home.sops.yaml"];
name = "keys.txt";
destDir = "/home/pim/.config/sops/age";
user = "pim";
group = "users";
};
};
};
imports = [

48
machines/gamepc/home.sops.yaml Normal file
View file

@ -0,0 +1,48 @@
sops_age_key: ENC[AES256_GCM,data:acf7kA1ceRLqw0TYPFzkNAMLz0TbNTFBN8MtsYX2y0+xuyFX0oJzIZAMTP7fjVBEcuPE55ewoXjXpP18iDwRUDT4f9Y1dorQD/g=,iv:vx4Inly+Vg8pENlBvijTv2hgTJTFLAfp+f4Nn2leO3A=,tag:i+KXl1V4OxqDnjK62ijBbQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTTAxNUVSS1BRUTlYc2xm
TFFHRkVHZkwvMS9xOE9GY1BHaXorTHpNWkdJCmlKVzdvb21VYUpwcUZ0SExKbTRj
MkpPcG4rd2I2ZWlsc0VvVDNxNm82TjgKLS0tIDdCNXlMYklNc0EyMmpST1JFSTVy
aW04VUpta2JMKzlRSmVHeUg1ejNrdW8KGsBSzeMkHE2y2TfzTTBdJJ73IankxnR0
dfZmtQyxejH4W1+v2wGTOc9EZ8R4dJX1ZdqncshWJWl2Uq36YMjuZg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOGUvQ3VWRnBsZ0syTXFh
Nm5TUC8vYkMvdDZ0SjErMjZwOHUrVy9vT1RvCndMa1V4bTJMKy9qMjY3M2FaWWMw
d2RrVDY2UWNLRjVQNTRMdU96TEFmNmMKLS0tIFFTbmhzS3UrS2crTGxlSmczcGUz
QlZQa0R5NHBLMzdVcC9WeEtBUm1tbVUK07gb5E1YyN5Sck1DWeUHQ8oB4CQOFaES
AJ8F+IrGdJ+0nsvm8d9VJ9UiluO74egettQPGDgEt4wdqFnHucmYzA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDS1dkMUFiSlc2ZzVzRWts
ZGxIejgwZkd2NHd1elhGL1p5ZDF0OWpuRkV3ClpNRkhuQ2dNazh3dG9lSUVCVTBz
RU9yaFhTc1dmMVg3bUlhMXNLU1RDTncKLS0tIHdVNUxTOEh2Mmk0eHFFNnQ5dU1l
S1pXZDVDbm5Za3dPUWR2SnlGekNuYkkKHvcAOL6khPmcAQYj+15lVHepLUnFQdAp
UyhJ12OohAuqfFTG6QxytdA1u648IaAZyj5qcm7z2bpV/F7Oy7i8WQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWS9IeFVBVEVqcWZBNDlz
QUpGSGs2Q01CVXZmQ3N0VCtFNW5RT0JTaG5nCnJFQzg0Z2VHN25GYlRXVllYRDd2
bFZ4L202cjRyWlpLbUxMTDJyaTQ4ajgKLS0tIGF2UUY5MVFsbG1RL3drbERKeFd2
dnhVMXBnYjlxWWxYcm03N094a0cxWm8KDsLFtfF8ZVels+3Dnb8x6DuUBmckRkhe
t3PWOci4IzNbMBCnrUCDrBPPi6Lm/k+gp0i/U1hvPyHvbPujztT/RQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-17T21:42:43Z"
mac: ENC[AES256_GCM,data:0qHov3SY7SM0+kp4HqPi/AxnI2k2oDDmRkqFTEsqe7pJ793ldu/io027GOlmg9ZHs+aZflSl6tzMKXWAb0FR3ZCUi4pap5ZLANTYbnHN+X5/dhxoUwCwJxdhyFYntmfaFjxhPiPbhRfs/CGDhij8KyQASA/G1C2rFdH7xCYJIOA=,iv:AjnOkA9/d5+/X1Z0+if/jUBBnqFnK9by58C99VghI9I=,tag:u6EDtD2NK6dvFs6FIbur1Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

39
machines/gamepc/nixos.sops.yaml Normal file
View file

@ -0,0 +1,39 @@
sops_age_key: ENC[AES256_GCM,data:v0/grOgffNcl1IbfdHr7uzbwvIL1CpfvSSFnuQS1ZEkuuE2Bfbvl8G0i6dHQSnFBtNJXkgAajCdapUlRcaX60EuXToKB14nHP1A=,iv:ZruuYlZJszgmztMXqya7InCLlyihS59QJCoSk685q34=,tag:bN3NZsWeg12GfUTjubb4Ug==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTFlYWjZSQkZPczV2cllX
a3RBL3FSbHZGaW5vUFdKVTdSNUJmSEQwdlc4ClBScDZBVk1qYTc4UzFpc3k4Z3N6
VzkwYXVBWVFCYUFqSHAyZjhUck8xY0kKLS0tIDdQdENRaDVKVTRUQ0dLWUNUL0tk
cjJMNG9vU1N4V2dqZWZjN21OMFJUZTAKzunMmG+NR2sFbVsl8qzdv1HEg4Ph5TFw
oIr5WWQ6RTzXTy6CwlTucnok/jwZHUloCTUeXECcSJUadeKE6MZyLA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWG0remtrVHloU25PNFVw
eWxMZ3pmUG1YSFVZZ0MzNEFweTJNbDVSUUQ0CklBT1NheGtmZDZkMUo4RTlHM0ow
TTdITzVJbFFQcGNLM0xxUS91K056VTAKLS0tIEpWOTZJQjN2REV0RTB5YWpjWDZa
UUxiazdLa1ZZbTcraWsvYTBsTUNQbmcKKkQnPOkD3vifcQpwzgP9wvNaYtuUZpLE
mbILfB24Ox7dmLmI9ONVDIMM12HfE2lx4cj/xndk0//izPVZgrBTdQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDFMS293SUZqTXZtZlRT
Q0JHWmZrSHZVZmlPeUFDRG8wakdSWDF2b3pRCm83NFV1STlqQXdQMTR0Vm52ZEgy
eVlROWt0ZDE0TW1reElGQnplUENZclEKLS0tIG9ITTZiSEE4cDNxdnBQRW5tVFJk
bU9rLzRjVzBObkxocGp4UEJYMGVnckkKDQhr3qLLDrQkXa1Ei9c43irQh3suRNCK
mZPtRJc+kaUmhmF8HxVAHG4S4a5sN6sBHBFGbIGXtQzBajQreg/pYQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-17T21:42:29Z"
mac: ENC[AES256_GCM,data:dFwV6VpyoXRkhfL+uSiiH2EcetAb0qV3AbED2XzNwvbE+TbItcoQ6JQ/2+lItZ4iULxGOxMvD8n0ZO/aASC8fDlqsNMwf2KmNFwjl4sVJBtTLKH4Z1/5rZmECwdiTMKOf/oTv3VNgbzkcrAuKEZywl+c4iXd5w4YaJgA0M6aSWI=,iv:Zxvr8vBcDZavSbAL8Ar+Du546H1Dhp/ZXRtsjcik2RE=,tag:Od08FmjlhNYPEpMC4rQR8A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1