sops-nix proof of concept

this is currently deployed and appears to be working. please everyone
have a look at it & then decide if we want to use this for the other
secrets as well.
This commit is contained in:
stuebinm 2023-04-19 20:08:45 +02:00
parent a3689d1c76
commit 49fa2325f3
6 changed files with 122 additions and 25 deletions

19
.sops.yaml Normal file
View file

@ -0,0 +1,19 @@
keys:
- &parsons age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
- &hexchen-backup age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
- &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
- &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
- &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
- &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
- &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
creation_rules:
- path_regex: secrets.yaml
key_groups:
- age:
- *parsons
- *hexchen-backup
- *stuebinm-ilex
- *stuebinm-surltesh-echer
- *stuebinm-abbenay
- *moira-2022-06
- *moira-openpgp

View file

@ -511,7 +511,9 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
"sops-nix": "sops-nix", "sops-nix": [
"sops-nix"
],
"waybar-iceportal": "waybar-iceportal" "waybar-iceportal": "waybar-iceportal"
}, },
"locked": { "locked": {
@ -601,22 +603,6 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1677560965,
"narHash": "sha256-Tqwt5alTtMnbYUPKCYRYZqlfbjprLgDWqjMhXpFMQ6k=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "40968a3aa489191cf4b7ba85cf2a54d8a75c8daa",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1678843226, "lastModified": 1678843226,
@ -753,6 +739,7 @@
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"tracktrain": "tracktrain" "tracktrain": "tracktrain"
} }
}, },
@ -791,17 +778,18 @@
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nix-hexchen", "nixpkgs-unstable"
"nixpkgs"
], ],
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1677833841, "lastModified": 1681821695,
"narHash": "sha256-yHZFGe7dhBE43FFWKiWc29NuveH+nfyTT6oKyFDEMys=", "narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "128e9b29ddd88ceb634a28f7dbbfee7b895f005f", "rev": "5698b06b0731a2c15ff8c2351644427f8ad33993",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -16,6 +16,9 @@
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
# these exist mostly to make the flake.lock somewhat more human-friendly # these exist mostly to make the flake.lock somewhat more human-friendly
# note that in theory doing this might break things, but it seems fairly unlikely # note that in theory doing this might break things, but it seems fairly unlikely
@ -26,6 +29,7 @@
doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs"; doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs";
emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay"; emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay";
flake-utils.follows = "/deploy-rs/utils"; flake-utils.follows = "/deploy-rs/utils";
sops-nix.follows = "sops-nix";
}; };
nixos-mailserver.inputs = { nixos-mailserver.inputs = {
"nixpkgs-22_05".follows = "nixpkgs"; "nixpkgs-22_05".follows = "nixpkgs";
@ -33,7 +37,7 @@
}; };
}; };
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, ... }@inputs: outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
let modules = nix-hexchen.nixosModules; let modules = nix-hexchen.nixosModules;
profiles = nix-hexchen.nixosModules.profiles // { profiles = nix-hexchen.nixosModules.profiles // {
container = import ./modules/container-profile.nix; container = import ./modules/container-profile.nix;
@ -61,6 +65,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/parsons/configuration.nix ./hosts/parsons/configuration.nix
sops-nix.nixosModules.sops
{ nixpkgs.pkgs = pkgs; } { nixpkgs.pkgs = pkgs; }
{ environment.etc."haccfiles".source = self.outPath; } { environment.etc."haccfiles".source = self.outPath; }
]; ];

View file

@ -37,6 +37,9 @@
networkDrivers = [ "igb" ]; networkDrivers = [ "igb" ];
}; };
sops.defaultSopsFile = ../../secrets.yaml;
sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2; boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];

76
secrets.yaml Normal file
View file

@ -0,0 +1,76 @@
hedgedoc-hacc:
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByREd2cmhXSUhNMWxEa3FB
em5WZ0lkaVVka2c5RUdidC9UQ2F5N2FXWGhBCmY2dUlHUmtpZkFZTitlaTVxMS8y
RFM0cHQwOFBwZFpSS0JWRXFVbUxMbTQKLS0tIFBNU2YxYUM4Y0U1NSt4Lzg1SnRF
N2Z1ZUpxKzBwV3Q0T0ppQis3UFJmT3cKRa4o6e0hNCSqZibQ8yjUMntXDaZxrmMc
tKAr9uGbSWQMbfjK26JKiOFt7QgF0olNvv7MxVD/kFScJBr1AerBQg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlQyeGtWeUx2R25oVFFr
ckh0UlRCTkt5aEg5MUREOEpIUzN4aWovVFFnCjIxREF0RTBHUStBS3hFSUtUVC9y
ZXVyVlUwSlJKRTMyOG5CS0d6amFjU3cKLS0tIDZFdisyM0xEbHl1LzhJL2VwNVhR
d2RWMHdTS2hDNUpDOHFxNmNQVDZmNFEKgo3vmIWXFYsYSohZxh1eGhuq6kh3j/n1
R5kN1Rs46/Id0lkFkySXUfuAzOqCWlnJYYgMtqOmxVI3UQhJAtWXOg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUi8zQ2lPZS9nZHByQVBl
eU05WDRaUjlCVzZlbDI4K0ZhMkFNVFg5UlQwCkNuakpJTStvZFpTZkQ5UWFoWHVH
RzRqTzlpNjNlMHlGbEFheFRTV1ByencKLS0tIDNHWEE4SENqRWZwNVpHcHN0TzY5
NkpFTXFoLzUrcjEvbVBNSzdINzZHQ2MKb3knCvuJ1ivuGMZ+0bmLJoi5nUXMRNVf
l50GRm4JVZ210wwQq0vqf86HLIUE0hwaXiWsb7Sn3VvdsgE4x7wEmQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNUY4c25EN3BBSTFTMEU0
Vjg3RjFkS1FzZ2NXTUlZZHJNR3pTa0MzNVRNCkZhS1FMY2RlNGlCN3hoSm9yN0RL
UHAwNlFQNWN5UWp0TUJybjVhMjY1TW8KLS0tIEJ3VGFQOEkrU01lbWYvQnRYdkx1
VzFDbm9zMk4rVWlMQm5Sdk9uMEF1OTgK1d0syR0MY4DNA059QApJess94MZTulNQ
THZ2S/BmEJGPoyvjKot5clX0Lm6s7LyNoYDjBypo+6OI8Cvjo5Qjgg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCK0luUmtzZXdGOTY4bU51
V016dTFaRkxyNksyMXJiUmY5QkJjcXdoSXd3CnpoQVVXVTNZWnZmajUzMlNJN2Fz
dDN1NThmS0IyREIvQSt2SlJKYmgwR1kKLS0tIFU5dHJYNzdydDkwT3FyQzRCRlFh
VUpXYTFRK3FTRlJYd1B3Qm5HMEQzMWMK5IqzmCIdUphR2W6y6UtZLo2cPRW2L0d4
X0qmWnDxa4ghD1CMlIi2spIS/0mE2+tu+XmxYnWYtfMggCtJpZen6g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNEUvL2ZQbEo4SytWYnRJ
a1ZMdS9FR1JsUUpsMlZTdXRzOGtDeTdIcFI4ClhxaFN0dXVmR3RhOHVpdFNxNEVE
UzBxYStNMGZjNFJmTllxdlg2R1RIRm8KLS0tIFRJYzVrdE9mTGJZeXdpWnBUSkll
QmZtNmtabkVYQVNNZFRtWnE3LzR3Z3cKKOUqRmH5OzXSLNJAwCylXDMxoHJFT4Dn
5iuRwydc9VvI/XKLmK/rR2XXeXzxESWu1OJVXPV87VIFh1jF71lCbQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZ3VRd1lNYVZpRHNsRWti
eEM5NjlOaEc4L29yRlA1eVdEZzFWbThXR2xFCngwN0YzWXdpTk4rY0h6VDBzQWtM
TGhPYk8wRWRqd0ttRm5zSTBMbVAzNWcKLS0tIFBsQnQ3TTJqQUZXQVlVZTcxWXJG
bVFISHFrRnZHVE9YbGVlakxJSFE1aTgKsddkeIFwHckApYhK53/qzG8bUYm3JXiI
amI6nq+0nNoU2bzOTO4FLW7gYssxWFxdSVV153BWGJHSNh/JItvDHg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-19T14:56:57Z"
mac: ENC[AES256_GCM,data:Mw5SUPLqVhq3bEjYj7v7qZO2RqEKDzC6u+lzLsFXdnJ+pLSUslulzGgIerkKbe9wXM3m7LgPIEeCdRhmRfjuDbqdvE8RifuE3UpJ1F0497RmGPAVsxZeUh8YaHzKe/fij3QGgGAaahLYs413WUZNvGPrnJSIISlRdJ2JNlTQw8c=,iv:2vEUSrdr30gEZh/wqSDDuakK3W+ZY6iJS5BgUpYKkk8=,tag:p8X8exlJoutmUW3WaP68Tw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

View file

@ -1,6 +1,11 @@
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: { config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
{ {
sops.secrets = {
"hedgedoc-hacc/env" = {};
};
containers.pad-hacc = { containers.pad-hacc = {
privateNetwork = true; privateNetwork = true;
hostAddress = "192.168.100.1"; hostAddress = "192.168.100.1";
@ -11,6 +16,7 @@
hostPath = "/persist/containers/pad-hacc"; hostPath = "/persist/containers/pad-hacc";
isReadOnly = false; isReadOnly = false;
}; };
"/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
}; };
path = evalConfig ({ config, lib, pkgs, profiles, ... }: { path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
imports = [ profiles.nopersist profiles.container ]; imports = [ profiles.nopersist profiles.container ];
@ -43,7 +49,7 @@
clientSecret = "lol nope"; clientSecret = "lol nope";
}; };
}; };
environmentFile = "/persist/secrets.env"; environmentFile = "/secrets/env";
}; };
systemd.services.hedgedoc.environment = { systemd.services.hedgedoc.environment = {
"CMD_LOGLEVEL" = "warn"; "CMD_LOGLEVEL" = "warn";