wip sops

2023-04-06 23:16:17 +03:00 · 2023-04-06 23:16:17 +03:00 · 6ffda9b1c2
commit 6ffda9b1c2
parent c7a0d74cb6
3 changed files with 10 additions and 10 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -2,11 +2,7 @@ keys:
  - &motiejus 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
  - &server_hel1a age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
 creation_rules:
-  - path_regex: secrets/[^/]+\.yaml$
-    key_groups:
-    - pgp:
-      - *motiejus
-  - path_regex: secrets/hel1-a/[^/]+\.yaml$
+  - path_regex: hosts/hel1-a/secrets.yaml$
    key_groups:
    - pgp:
      - *motiejus
--- a/configuration.nix
+++ b/configuration.nix
@ -72,6 +72,10 @@ in {
    sops-nix.nixosModules.sops
  ];

+  sops.defaultSopsFile = ./hosts/hel1-a/secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.secrets.borgbackup-password = {};
+
  nixpkgs.overlays = [
    (self: super: {
      systemd = super.systemd.overrideAttrs (old: {
@ -254,8 +258,8 @@ in {
            repo = "zh2769@zh2769.rsync.net:hel1-a.servers.jakst";
            encryption = {
              mode = "repokey-blake2";
-              #passCommand = "cat ${config.age.secrets.borgbackup-password.path}";
-              passCommand = "cat /var/src/secrets/borgbackup/password";
+              passCommand = "cat ${config.sops.secrets.borgbackup-password.path}";
+              #passCommand = "cat /var/src/secrets/borgbackup/password";
            };
            paths = value.paths;
            extraArgs = "--remote-path=borg1";
--- a/secrets/hel1-a/borgbackup.yaml
+++ b/secrets/hel1-a/borgbackup.yaml
@ -1,4 +1,4 @@
-password: ENC[AES256_GCM,data:IVoMD1bSp15bPfPPws6k6u7SXioMPibxqg==,iv:U0zLdK4XEvty8eS/G80NcGlQrEn9M2fDH2oWv5cXIvI=,tag:IU3P9SjexZGGiOOxseUnLg==,type:str]
+borgbackup-password: ENC[AES256_GCM,data:igLuxWZujydxdJO8Qt7sIOhIT9SqOkCvjw==,iv:pHk2V/VBb/HzHGieHyL4KY1RpmN6bqjjSDuTTnsH4bM=,tag:36aSlD6zY3AXE5X9ejs6CA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,8 +14,8 @@ sops:
            YmdScHFndG1leTl0VFo0dzh2SjhZTU0Kp3aiUTvTWMzw6y+D0ELT9BE4enrJAVDD
            1c0TvbFwDAJI3KB8T/Mz23qerExtZZQeCnm9zQKd+NsSKZCf52JEkg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-04-05T19:33:58Z"
-    mac: ENC[AES256_GCM,data:hqQoErSGafMyD43nQBInX1+wrCGlln1KvH6w1NLMw6GQwZ6EzdTBJKH05S67KjA1UtxLGi8MquBnjymHSctsuWtBiM0T+7dSQlF+FEvkGcRVf1aGbCWtZgNWS07iROAhCNxHpHaPMPUHj5Y0ih3zBh6q9OuDkXG/up1zvN4YRwM=,iv:qGgT5qj7dX82NWOb/s3Pj1n13nFn73p3fOiVJrbpav0=,tag:VjPMmLUmasq54xNqMeAvlQ==,type:str]
+    lastmodified: "2023-04-06T20:01:44Z"
+    mac: ENC[AES256_GCM,data:PRjs8bZ/DGGlfDjRexvImDdAuE/W74HPa+KdQtE1Qktu6nz1cqlFy8a+CiA/mw+Y3P4NntzXHxU30sONrZWXA+n5RXAn8kMgpOYzRWqZWn0zzIyfhZ9+jPmP7uLpJWGZIEayw8NRfHGthDb7SLTnM9OpbkIP9dl4NgMSvn0A2MA=,iv:ma2ekXqtJGlTE2lAIw9YapvtXns/P1BwSgj+Ly4W+gE=,tag:z/ypCNkpdi2B1BFoZx5Jyw==,type:str]
    pgp:
        - created_at: "2023-04-05T19:33:35Z"
          enc: |