hacc/haccfiles
8
0
Fork 1
Code Issues 1 Pull requests Projects Releases Wiki Activity

sops-nix proof of concept

Browse source 
this is currently deployed and appears to be working. please everyone
have a look at it & then decide if we want to use this for the other
secrets as well.
This commit is contained in:
stuebinm 2023-04-19 20:08:45 +02:00
parent a3689d1c76
commit 49fa2325f3
6 changed files with 122 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
.sops.yaml Normal file
View file

@ -0,0 +1,19 @@
keys:
- &parsons age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
- &hexchen-backup age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
- &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
- &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
- &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
- &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
- &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
creation_rules:
- path_regex: secrets.yaml
key_groups:
- age:
- *parsons
- *hexchen-backup
- *stuebinm-ilex
- *stuebinm-surltesh-echer
- *stuebinm-abbenay
- *moira-2022-06
- *moira-openpgp

34
flake.lock
View file

@ -511,7 +511,9 @@
"nixpkgs": [
"nixpkgs-unstable"
],
"sops-nix": "sops-nix",
"sops-nix": [
"sops-nix"
],
"waybar-iceportal": "waybar-iceportal"
},
"locked": {
@ -601,22 +603,6 @@
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1677560965,
"narHash": "sha256-Tqwt5alTtMnbYUPKCYRYZqlfbjprLgDWqjMhXpFMQ6k=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "40968a3aa489191cf4b7ba85cf2a54d8a75c8daa",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1678843226,
@ -753,6 +739,7 @@
"nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"tracktrain": "tracktrain"
}
},
@ -791,17 +778,18 @@
"sops-nix": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
"nixpkgs-unstable"
],
"nixpkgs-stable": "nixpkgs-stable"
"nixpkgs-stable": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1677833841,
"narHash": "sha256-yHZFGe7dhBE43FFWKiWc29NuveH+nfyTT6oKyFDEMys=",
"lastModified": 1681821695,
"narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "128e9b29ddd88ceb634a28f7dbbfee7b895f005f",
"rev": "5698b06b0731a2c15ff8c2351644427f8ad33993",
"type": "github"
},
"original": {

7
flake.nix
View file

@ -16,6 +16,9 @@
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
# these exist mostly to make the flake.lock somewhat more human-friendly
# note that in theory doing this might break things, but it seems fairly unlikely
@ -26,6 +29,7 @@
doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs";
emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay";
flake-utils.follows = "/deploy-rs/utils";
sops-nix.follows = "sops-nix";
};
nixos-mailserver.inputs = {
"nixpkgs-22_05".follows = "nixpkgs";
@ -33,7 +37,7 @@
};
};
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, ... }@inputs:
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
let modules = nix-hexchen.nixosModules;
profiles = nix-hexchen.nixosModules.profiles // {
container = import ./modules/container-profile.nix;
@ -61,6 +65,7 @@
system = "x86_64-linux";
modules = [
./hosts/parsons/configuration.nix
sops-nix.nixosModules.sops
{ nixpkgs.pkgs = pkgs; }
{ environment.etc."haccfiles".source = self.outPath; }
];

3
hosts/parsons/configuration.nix
View file

@ -37,6 +37,9 @@
networkDrivers = [ "igb" ];
};
sops.defaultSopsFile = ../../secrets.yaml;
sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];

76
secrets.yaml Normal file
View file

@ -0,0 +1,76 @@
hedgedoc-hacc:
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByREd2cmhXSUhNMWxEa3FB
em5WZ0lkaVVka2c5RUdidC9UQ2F5N2FXWGhBCmY2dUlHUmtpZkFZTitlaTVxMS8y
RFM0cHQwOFBwZFpSS0JWRXFVbUxMbTQKLS0tIFBNU2YxYUM4Y0U1NSt4Lzg1SnRF
N2Z1ZUpxKzBwV3Q0T0ppQis3UFJmT3cKRa4o6e0hNCSqZibQ8yjUMntXDaZxrmMc
tKAr9uGbSWQMbfjK26JKiOFt7QgF0olNvv7MxVD/kFScJBr1AerBQg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlQyeGtWeUx2R25oVFFr
ckh0UlRCTkt5aEg5MUREOEpIUzN4aWovVFFnCjIxREF0RTBHUStBS3hFSUtUVC9y
ZXVyVlUwSlJKRTMyOG5CS0d6amFjU3cKLS0tIDZFdisyM0xEbHl1LzhJL2VwNVhR
d2RWMHdTS2hDNUpDOHFxNmNQVDZmNFEKgo3vmIWXFYsYSohZxh1eGhuq6kh3j/n1
R5kN1Rs46/Id0lkFkySXUfuAzOqCWlnJYYgMtqOmxVI3UQhJAtWXOg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUi8zQ2lPZS9nZHByQVBl
eU05WDRaUjlCVzZlbDI4K0ZhMkFNVFg5UlQwCkNuakpJTStvZFpTZkQ5UWFoWHVH
RzRqTzlpNjNlMHlGbEFheFRTV1ByencKLS0tIDNHWEE4SENqRWZwNVpHcHN0TzY5
NkpFTXFoLzUrcjEvbVBNSzdINzZHQ2MKb3knCvuJ1ivuGMZ+0bmLJoi5nUXMRNVf
l50GRm4JVZ210wwQq0vqf86HLIUE0hwaXiWsb7Sn3VvdsgE4x7wEmQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNUY4c25EN3BBSTFTMEU0
Vjg3RjFkS1FzZ2NXTUlZZHJNR3pTa0MzNVRNCkZhS1FMY2RlNGlCN3hoSm9yN0RL
UHAwNlFQNWN5UWp0TUJybjVhMjY1TW8KLS0tIEJ3VGFQOEkrU01lbWYvQnRYdkx1
VzFDbm9zMk4rVWlMQm5Sdk9uMEF1OTgK1d0syR0MY4DNA059QApJess94MZTulNQ
THZ2S/BmEJGPoyvjKot5clX0Lm6s7LyNoYDjBypo+6OI8Cvjo5Qjgg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCK0luUmtzZXdGOTY4bU51
V016dTFaRkxyNksyMXJiUmY5QkJjcXdoSXd3CnpoQVVXVTNZWnZmajUzMlNJN2Fz
dDN1NThmS0IyREIvQSt2SlJKYmgwR1kKLS0tIFU5dHJYNzdydDkwT3FyQzRCRlFh
VUpXYTFRK3FTRlJYd1B3Qm5HMEQzMWMK5IqzmCIdUphR2W6y6UtZLo2cPRW2L0d4
X0qmWnDxa4ghD1CMlIi2spIS/0mE2+tu+XmxYnWYtfMggCtJpZen6g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNEUvL2ZQbEo4SytWYnRJ
a1ZMdS9FR1JsUUpsMlZTdXRzOGtDeTdIcFI4ClhxaFN0dXVmR3RhOHVpdFNxNEVE
UzBxYStNMGZjNFJmTllxdlg2R1RIRm8KLS0tIFRJYzVrdE9mTGJZeXdpWnBUSkll
QmZtNmtabkVYQVNNZFRtWnE3LzR3Z3cKKOUqRmH5OzXSLNJAwCylXDMxoHJFT4Dn
5iuRwydc9VvI/XKLmK/rR2XXeXzxESWu1OJVXPV87VIFh1jF71lCbQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZ3VRd1lNYVZpRHNsRWti
eEM5NjlOaEc4L29yRlA1eVdEZzFWbThXR2xFCngwN0YzWXdpTk4rY0h6VDBzQWtM
TGhPYk8wRWRqd0ttRm5zSTBMbVAzNWcKLS0tIFBsQnQ3TTJqQUZXQVlVZTcxWXJG
bVFISHFrRnZHVE9YbGVlakxJSFE1aTgKsddkeIFwHckApYhK53/qzG8bUYm3JXiI
amI6nq+0nNoU2bzOTO4FLW7gYssxWFxdSVV153BWGJHSNh/JItvDHg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-19T14:56:57Z"
mac: ENC[AES256_GCM,data:Mw5SUPLqVhq3bEjYj7v7qZO2RqEKDzC6u+lzLsFXdnJ+pLSUslulzGgIerkKbe9wXM3m7LgPIEeCdRhmRfjuDbqdvE8RifuE3UpJ1F0497RmGPAVsxZeUh8YaHzKe/fij3QGgGAaahLYs413WUZNvGPrnJSIISlRdJ2JNlTQw8c=,iv:2vEUSrdr30gEZh/wqSDDuakK3W+ZY6iJS5BgUpYKkk8=,tag:p8X8exlJoutmUW3WaP68Tw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

8
services/hedgedoc-hacc.nix
View file

@ -1,6 +1,11 @@
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
{
sops.secrets = {
"hedgedoc-hacc/env" = {};
};
containers.pad-hacc = {
privateNetwork = true;
hostAddress = "192.168.100.1";
@ -11,6 +16,7 @@
hostPath = "/persist/containers/pad-hacc";
isReadOnly = false;
};
"/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
};
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
imports = [ profiles.nopersist profiles.container ];
@ -43,7 +49,7 @@
clientSecret = "lol nope";
};
};
environmentFile = "/persist/secrets.env";
environmentFile = "/secrets/env";
};
systemd.services.hedgedoc.environment = {
"CMD_LOGLEVEL" = "warn";