sops-nix proof of concept
This is currently deployed and appears to be working. Please have a look at it, and then decide whether we want to use this for the other secrets as well.
This commit is contained in:
parent
a3689d1c76
commit
49fa2325f3
6 changed files with 122 additions and 25 deletions
19
.sops.yaml
Normal file
19
.sops.yaml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
keys:
|
||||||
|
- &parsons age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
|
||||||
|
- &hexchen-backup age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
|
||||||
|
- &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
|
||||||
|
- &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
|
||||||
|
- &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
|
||||||
|
- &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
|
||||||
|
- &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: secrets.yaml
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *parsons
|
||||||
|
- *hexchen-backup
|
||||||
|
- *stuebinm-ilex
|
||||||
|
- *stuebinm-surltesh-echer
|
||||||
|
- *stuebinm-abbenay
|
||||||
|
- *moira-2022-06
|
||||||
|
- *moira-openpgp
|
34
flake.lock
34
flake.lock
|
@ -511,7 +511,9 @@
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs-unstable"
|
"nixpkgs-unstable"
|
||||||
],
|
],
|
||||||
"sops-nix": "sops-nix",
|
"sops-nix": [
|
||||||
|
"sops-nix"
|
||||||
|
],
|
||||||
"waybar-iceportal": "waybar-iceportal"
|
"waybar-iceportal": "waybar-iceportal"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -601,22 +603,6 @@
|
||||||
"type": "indirect"
|
"type": "indirect"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1677560965,
|
|
||||||
"narHash": "sha256-Tqwt5alTtMnbYUPKCYRYZqlfbjprLgDWqjMhXpFMQ6k=",
|
|
||||||
"owner": "NixOS",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "40968a3aa489191cf4b7ba85cf2a54d8a75c8daa",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "NixOS",
|
|
||||||
"ref": "release-22.11",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1678843226,
|
"lastModified": 1678843226,
|
||||||
|
@ -753,6 +739,7 @@
|
||||||
"nixos-mailserver": "nixos-mailserver",
|
"nixos-mailserver": "nixos-mailserver",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||||
|
"sops-nix": "sops-nix",
|
||||||
"tracktrain": "tracktrain"
|
"tracktrain": "tracktrain"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -791,17 +778,18 @@
|
||||||
"sops-nix": {
|
"sops-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nix-hexchen",
|
"nixpkgs-unstable"
|
||||||
"nixpkgs"
|
|
||||||
],
|
],
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
"nixpkgs-stable": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1677833841,
|
"lastModified": 1681821695,
|
||||||
"narHash": "sha256-yHZFGe7dhBE43FFWKiWc29NuveH+nfyTT6oKyFDEMys=",
|
"narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "128e9b29ddd88ceb634a28f7dbbfee7b895f005f",
|
"rev": "5698b06b0731a2c15ff8c2351644427f8ad33993",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -16,6 +16,9 @@
|
||||||
|
|
||||||
deploy-rs.url = "github:serokell/deploy-rs";
|
deploy-rs.url = "github:serokell/deploy-rs";
|
||||||
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
|
sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
|
sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
|
||||||
|
|
||||||
# these exist mostly to make the flake.lock somewhat more human-friendly
|
# these exist mostly to make the flake.lock somewhat more human-friendly
|
||||||
# note that in theory doing this might break things, but it seems fairly unlikely
|
# note that in theory doing this might break things, but it seems fairly unlikely
|
||||||
|
@ -26,6 +29,7 @@
|
||||||
doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs";
|
doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs";
|
||||||
emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay";
|
emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay";
|
||||||
flake-utils.follows = "/deploy-rs/utils";
|
flake-utils.follows = "/deploy-rs/utils";
|
||||||
|
sops-nix.follows = "sops-nix";
|
||||||
};
|
};
|
||||||
nixos-mailserver.inputs = {
|
nixos-mailserver.inputs = {
|
||||||
"nixpkgs-22_05".follows = "nixpkgs";
|
"nixpkgs-22_05".follows = "nixpkgs";
|
||||||
|
@ -33,7 +37,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, ... }@inputs:
|
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
|
||||||
let modules = nix-hexchen.nixosModules;
|
let modules = nix-hexchen.nixosModules;
|
||||||
profiles = nix-hexchen.nixosModules.profiles // {
|
profiles = nix-hexchen.nixosModules.profiles // {
|
||||||
container = import ./modules/container-profile.nix;
|
container = import ./modules/container-profile.nix;
|
||||||
|
@ -61,6 +65,7 @@
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/parsons/configuration.nix
|
./hosts/parsons/configuration.nix
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
{ nixpkgs.pkgs = pkgs; }
|
{ nixpkgs.pkgs = pkgs; }
|
||||||
{ environment.etc."haccfiles".source = self.outPath; }
|
{ environment.etc."haccfiles".source = self.outPath; }
|
||||||
];
|
];
|
||||||
|
|
|
@ -37,6 +37,9 @@
|
||||||
networkDrivers = [ "igb" ];
|
networkDrivers = [ "igb" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.defaultSopsFile = ../../secrets.yaml;
|
||||||
|
sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
boot.loader.grub.enable = true;
|
boot.loader.grub.enable = true;
|
||||||
boot.loader.grub.version = 2;
|
boot.loader.grub.version = 2;
|
||||||
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
||||||
|
|
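Review bot: `sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];` ties decryption to the host key whose age recipient is listed as `&parsons` in `.sops.yaml`, and if either side is rotated without the other the failure only shows up at activation time. A comment on that line would save the next reader the lookup: `# host ssh key; its age recipient is the &parsons entry in .sops.yaml — rotate both together`. Because the key lives under `/persist`, decryption presumably also depends on that mount being in place at activation, which is worth confirming for this host's persistence setup. The enclosing module continues outside the hunk, and the file header for this section was not rendered, so the path is inferred from the content.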
76
secrets.yaml
Normal file
76
secrets.yaml
Normal file
|
@ -0,0 +1,76 @@
|
||||||
|
hedgedoc-hacc:
|
||||||
|
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByREd2cmhXSUhNMWxEa3FB
|
||||||
|
em5WZ0lkaVVka2c5RUdidC9UQ2F5N2FXWGhBCmY2dUlHUmtpZkFZTitlaTVxMS8y
|
||||||
|
RFM0cHQwOFBwZFpSS0JWRXFVbUxMbTQKLS0tIFBNU2YxYUM4Y0U1NSt4Lzg1SnRF
|
||||||
|
N2Z1ZUpxKzBwV3Q0T0ppQis3UFJmT3cKRa4o6e0hNCSqZibQ8yjUMntXDaZxrmMc
|
||||||
|
tKAr9uGbSWQMbfjK26JKiOFt7QgF0olNvv7MxVD/kFScJBr1AerBQg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlQyeGtWeUx2R25oVFFr
|
||||||
|
ckh0UlRCTkt5aEg5MUREOEpIUzN4aWovVFFnCjIxREF0RTBHUStBS3hFSUtUVC9y
|
||||||
|
ZXVyVlUwSlJKRTMyOG5CS0d6amFjU3cKLS0tIDZFdisyM0xEbHl1LzhJL2VwNVhR
|
||||||
|
d2RWMHdTS2hDNUpDOHFxNmNQVDZmNFEKgo3vmIWXFYsYSohZxh1eGhuq6kh3j/n1
|
||||||
|
R5kN1Rs46/Id0lkFkySXUfuAzOqCWlnJYYgMtqOmxVI3UQhJAtWXOg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUi8zQ2lPZS9nZHByQVBl
|
||||||
|
eU05WDRaUjlCVzZlbDI4K0ZhMkFNVFg5UlQwCkNuakpJTStvZFpTZkQ5UWFoWHVH
|
||||||
|
RzRqTzlpNjNlMHlGbEFheFRTV1ByencKLS0tIDNHWEE4SENqRWZwNVpHcHN0TzY5
|
||||||
|
NkpFTXFoLzUrcjEvbVBNSzdINzZHQ2MKb3knCvuJ1ivuGMZ+0bmLJoi5nUXMRNVf
|
||||||
|
l50GRm4JVZ210wwQq0vqf86HLIUE0hwaXiWsb7Sn3VvdsgE4x7wEmQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNUY4c25EN3BBSTFTMEU0
|
||||||
|
Vjg3RjFkS1FzZ2NXTUlZZHJNR3pTa0MzNVRNCkZhS1FMY2RlNGlCN3hoSm9yN0RL
|
||||||
|
UHAwNlFQNWN5UWp0TUJybjVhMjY1TW8KLS0tIEJ3VGFQOEkrU01lbWYvQnRYdkx1
|
||||||
|
VzFDbm9zMk4rVWlMQm5Sdk9uMEF1OTgK1d0syR0MY4DNA059QApJess94MZTulNQ
|
||||||
|
THZ2S/BmEJGPoyvjKot5clX0Lm6s7LyNoYDjBypo+6OI8Cvjo5Qjgg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCK0luUmtzZXdGOTY4bU51
|
||||||
|
V016dTFaRkxyNksyMXJiUmY5QkJjcXdoSXd3CnpoQVVXVTNZWnZmajUzMlNJN2Fz
|
||||||
|
dDN1NThmS0IyREIvQSt2SlJKYmgwR1kKLS0tIFU5dHJYNzdydDkwT3FyQzRCRlFh
|
||||||
|
VUpXYTFRK3FTRlJYd1B3Qm5HMEQzMWMK5IqzmCIdUphR2W6y6UtZLo2cPRW2L0d4
|
||||||
|
X0qmWnDxa4ghD1CMlIi2spIS/0mE2+tu+XmxYnWYtfMggCtJpZen6g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNEUvL2ZQbEo4SytWYnRJ
|
||||||
|
a1ZMdS9FR1JsUUpsMlZTdXRzOGtDeTdIcFI4ClhxaFN0dXVmR3RhOHVpdFNxNEVE
|
||||||
|
UzBxYStNMGZjNFJmTllxdlg2R1RIRm8KLS0tIFRJYzVrdE9mTGJZeXdpWnBUSkll
|
||||||
|
QmZtNmtabkVYQVNNZFRtWnE3LzR3Z3cKKOUqRmH5OzXSLNJAwCylXDMxoHJFT4Dn
|
||||||
|
5iuRwydc9VvI/XKLmK/rR2XXeXzxESWu1OJVXPV87VIFh1jF71lCbQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZ3VRd1lNYVZpRHNsRWti
|
||||||
|
eEM5NjlOaEc4L29yRlA1eVdEZzFWbThXR2xFCngwN0YzWXdpTk4rY0h6VDBzQWtM
|
||||||
|
TGhPYk8wRWRqd0ttRm5zSTBMbVAzNWcKLS0tIFBsQnQ3TTJqQUZXQVlVZTcxWXJG
|
||||||
|
bVFISHFrRnZHVE9YbGVlakxJSFE1aTgKsddkeIFwHckApYhK53/qzG8bUYm3JXiI
|
||||||
|
amI6nq+0nNoU2bzOTO4FLW7gYssxWFxdSVV153BWGJHSNh/JItvDHg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-04-19T14:56:57Z"
|
||||||
|
mac: ENC[AES256_GCM,data:Mw5SUPLqVhq3bEjYj7v7qZO2RqEKDzC6u+lzLsFXdnJ+pLSUslulzGgIerkKbe9wXM3m7LgPIEeCdRhmRfjuDbqdvE8RifuE3UpJ1F0497RmGPAVsxZeUh8YaHzKe/fij3QGgGAaahLYs413WUZNvGPrnJSIISlRdJ2JNlTQw8c=,iv:2vEUSrdr30gEZh/wqSDDuakK3W+ZY6iJS5BgUpYKkk8=,tag:p8X8exlJoutmUW3WaP68Tw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|
|
@ -1,6 +1,11 @@
|
||||||
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
"hedgedoc-hacc/env" = {};
|
||||||
|
};
|
||||||
|
|
||||||
containers.pad-hacc = {
|
containers.pad-hacc = {
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "192.168.100.1";
|
hostAddress = "192.168.100.1";
|
||||||
|
@ -11,6 +16,7 @@
|
||||||
hostPath = "/persist/containers/pad-hacc";
|
hostPath = "/persist/containers/pad-hacc";
|
||||||
isReadOnly = false;
|
isReadOnly = false;
|
||||||
};
|
};
|
||||||
|
"/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
|
||||||
};
|
};
|
||||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||||
imports = [ profiles.nopersist profiles.container ];
|
imports = [ profiles.nopersist profiles.container ];
|
||||||
|
@ -43,7 +49,7 @@
|
||||||
clientSecret = "lol nope";
|
clientSecret = "lol nope";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
environmentFile = "/persist/secrets.env";
|
environmentFile = "/secrets/env";
|
||||||
};
|
};
|
||||||
systemd.services.hedgedoc.environment = {
|
systemd.services.hedgedoc.environment = {
|
||||||
"CMD_LOGLEVEL" = "warn";
|
"CMD_LOGLEVEL" = "warn";
|
||||||
|
|
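Review bot: `environmentFile = "/secrets/env";` replaces `/persist/secrets.env` (old side of the last hunk), but nothing in the commit removes that earlier plaintext file, so the same secret presumably still sits unencrypted on the host's persistent volume; delete it once the sops path is confirmed working, and record that as a manual migration step in the commit message or a comment. `sops.secrets."hedgedoc-hacc/env" = {};` relies on the sops-nix defaults (root-owned, mode 0400), which looks sufficient here because the bind-mounted `/secrets/env` is only read by systemd's EnvironmentFile inside the container — worth confirming rather than assuming. A rotated secret will also not reach the container until it is restarted, so consider `"hedgedoc-hacc/env" = { restartUnits = [ "container@pad-hacc.service" ]; };`. Both the `containers.pad-hacc` attribute set and the `evalConfig` closure run past the hunks shown, and this section's file header was not rendered.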