From eddb3395edbe3012386c360b41cccdd7f5b6732a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Wed, 5 Apr 2023 22:48:04 +0300
Subject: [PATCH] wip sops

---
 .sops.yaml | 14 ++++++++
 configuration.nix | 3 ++
 flake.lock | 62 +++++++++++++++++++++-------------
 flake.nix | 22 +++++-------
 secrets/hel1-a/borgbackup.yaml | 41 ++++++++++++++++++++++
 5 files changed, 105 insertions(+), 37 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/hel1-a/borgbackup.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9ee981d
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+ - &motiejus 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
+ - &server_hel1a age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *motiejus
+ - path_regex: secrets/hel1-a/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *motiejus
+ age:
+ - *server_hel1a
diff --git a/configuration.nix b/configuration.nix
index 05d4d8e..4348b7b 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -2,6 +2,7 @@
 config,
 pkgs,
 lib,
+ sops-nix,
 ...
 }: let
 gitea_uidgid = 995;
@@ -68,6 +69,8 @@ in {
 imports = [
 ./hardware-configuration.nix
 ./zfs.nix
+ #
+ sops-nix.nixosModules.sops
 ];
 
 nixpkgs.overlays = [
diff --git a/flake.lock b/flake.lock
index eaa4d68..eae80cb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,26 +1,5 @@
 {
 "nodes": {
- "agenix": {
- "inputs": {
- "darwin": [],
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1680281360,
- "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
- "owner": "ryantm",
- "repo": "agenix",
- "rev": "e64961977f60388dd0b49572bb0fc453b871f896",
- "type": "github"
- },
- "original": {
- "owner": "ryantm",
- "repo": "agenix",
- "type": "github"
- }
- },
 "deploy-rs": {
 "inputs": {
 "flake-compat": "flake-compat",
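Review bot: Both `path_regex` values in the new `.sops.yaml` are unanchored, so `secrets/[^/]+\.yaml$` also matches a path such as `other/secrets/x.yaml`, and sops applies the first rule that matches; nothing in this patch is shadowed yet, but anchoring them (`- path_regex: ^secrets/[^/]+\.yaml$` and `- path_regex: ^secrets/hel1-a/[^/]+\.yaml$`) keeps the per-host rule robust to future directories. The `&server_hel1a` recipient deserves a comment saying where it comes from and what to do when it changes, e.g. `# age recipient of hel1-a (presumably its SSH host key via ssh-to-age); after rotating it, run sops updatekeys on secrets/hel1-a/*.yaml`. Both keys sit in a single key group, so either the PGP key or the host's age identity alone decrypts every hel1-a secret; that is the expected operator/host split, but it is worth stating in the same comment that possession of the host key is sufficient.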
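Review bot: `sops-nix` is added as a module argument in the first configuration.nix hunk, but nothing in this patch passes it through `specialArgs` (or `_module.args`) in flake.nix, so evaluation should fail with a missing-argument error unless it is supplied somewhere outside the patch. The flake.nix hunk at @@ -38,12 already puts `sops-nix.nixosModules.sops` in the nixosConfiguration's `modules` list, so if configuration.nix is part of that configuration the import in the second hunk (and the new argument) is redundant; dropping `sops-nix,` and the two added import lines keeps one import site, or keep this one and remove it from flake.nix. Either way the bare `#` placeholder comment above the import should be removed or say something. The attribute-set pattern edited by the first hunk starts before the hunk boundary.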
@@ -92,12 +71,49 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1680390120,
+ "narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
- "agenix": "agenix",
 "deploy-rs": "deploy-rs",
 "flake-utils": "flake-utils",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1680404136,
+ "narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "b93eb910f768f9788737bfed596a598557e5625d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 700a468..05d3ad8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,9 +5,8 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
 flake-utils.url = "github:numtide/flake-utils";
 
- agenix.url = "github:ryantm/agenix";
- agenix.inputs.nixpkgs.follows = "nixpkgs";
- agenix.inputs.darwin.follows = "";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
 deploy-rs.url = "github:serokell/deploy-rs";
 deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
@@ -24,7 +23,7 @@
 outputs = {
 self,
 nixpkgs,
- agenix,
+ sops-nix,
 deploy-rs,
 flake-utils,
 }: let
@@ -38,12 +37,7 @@
 ./hardware-configuration.nix
 ./zfs.nix
 
- agenix.nixosModules.default
-
- #{
- # age.secrets.zfs-passphrase.file = ./secrets/hel1-a/zfs-passphrase.age;
- # age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
- #}
+ sops-nix.nixosModules.sops
 ];
 };
 
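Review bot: In the @@ -5,9 hunk `sops-nix.inputs.nixpkgs.follows = "nixpkgs"` is set, but sops-nix's other input, `nixpkgs-stable`, is left alone, so the lock (flake.lock hunk @@ -92,12) now pins a second full nixpkgs checkout of `release-22.11` next to the `nixos-22.11-small` one; adding `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` beside the existing follows line keeps a single nixpkgs in the closure and one tree to update. In the @@ -38,12 hunk the commented agenix secret declarations are deleted without a sops counterpart, and no file in this patch sets `sops.defaultSopsFile` or any `sops.secrets.*`, so `secrets/hel1-a/borgbackup.yaml` is committed but never consumed — presumably the "wip" part. When it is wired up, something like `sops.secrets.borgbackup-password = { sopsFile = ./secrets/hel1-a/borgbackup.yaml; key = "password"; };` names the secret after its purpose rather than the generic top-level `password` key. The `modules` list edited by that hunk starts before the hunk boundary.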
@@ -67,10 +61,10 @@
 devShells.default = with pkgs;
 mkShell {
 packages = [
- pkgs.rage
- pkgs.age-plugin-yubikey
- agenix.packages.${system}.agenix
- deploy-rs.packages.${system}.deploy-rs
+ pkgs.age
+ pkgs.ssh-to-age
+ pkgs.sops
+ deploy-rs.packages.${system}.deploy-rs
 ];
 };
 
diff --git a/secrets/hel1-a/borgbackup.yaml b/secrets/hel1-a/borgbackup.yaml
new file mode 100644
index 0000000..0846ed9
--- /dev/null
+++ b/secrets/hel1-a/borgbackup.yaml
@@ -0,0 +1,41 @@
+password: ENC[AES256_GCM,data:IVoMD1bSp15bPfPPws6k6u7SXioMPibxqg==,iv:U0zLdK4XEvty8eS/G80NcGlQrEn9M2fDH2oWv5cXIvI=,tag:IU3P9SjexZGGiOOxseUnLg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNldGbmdndDJSclV5TFJ2
+ aVNhR3hlSEdiaGVBVk5ReTN3TmM0ckNFNVZJCmtmdkdyT0ZBNUVmemNvaFlaMnda
+ eXBpdEtDNFlNNkdBNVQxSloxc0dMcVUKLS0tIDZWZ3lvTWYzUHBxd3ZOa3UyREY5
+ YmdScHFndG1leTl0VFo0dzh2SjhZTU0Kp3aiUTvTWMzw6y+D0ELT9BE4enrJAVDD
+ 1c0TvbFwDAJI3KB8T/Mz23qerExtZZQeCnm9zQKd+NsSKZCf52JEkg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-04-05T19:33:58Z"
+ mac: ENC[AES256_GCM,data:hqQoErSGafMyD43nQBInX1+wrCGlln1KvH6w1NLMw6GQwZ6EzdTBJKH05S67KjA1UtxLGi8MquBnjymHSctsuWtBiM0T+7dSQlF+FEvkGcRVf1aGbCWtZgNWS07iROAhCNxHpHaPMPUHj5Y0ih3zBh6q9OuDkXG/up1zvN4YRwM=,iv:qGgT5qj7dX82NWOb/s3Pj1n13nFn73p3fOiVJrbpav0=,tag:VjPMmLUmasq54xNqMeAvlQ==,type:str]
+ pgp:
+ - created_at: "2023-04-05T19:33:35Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAznIq2pQRYaoARAApA2PMariUuuZ5D+XKf2W8od3oaTzGH9ttu6u7jNg2lqX
+ 3Ov1jbvUhT+stH5+DjbeApxxRJPcxMa3cA8g8907b3MagtyJYfxYJbqRNur2kOfy
+ o4VlogFPTTIeeDP9hexX8p6jHC/lXPcT65B8Puj5NbTbitK9pP2RCQnvBG5vm2bB
+ g+d4xiVfhtkt6Wv+m3oBdXO6mLn2tsakBEfseGJuovNpFd469ym9pqP0UpMEWtMy
+ ezODZEbKsxvdUA+pa0wbTo5cQ+G5Pe2BjxNjfO2i4QgEPW5bCkeYDjN5uN9OgnxG
+ zCMrr/PGrLDfebxU0YJqqkfLtmwgJpYKFNuwa6eLG7aOi3ahEsS9WUzLF/7nuTky
+ p1+tOa6VRtQ1nTO0cV3XX9F6Pq/mtp5oozQUBhTzRndpO6Ju7luqzjNEvlS9ILzf
+ w+3lxn/1nvwklBt9S9b2OOhf12iGPfoVye3lhXCSo6cNyk6uIs2fW/n7UXTJgG0W
+ M5Zv5ygXbJwL3SyVaO9moL4ZSvllbwigI4MfSOoAH8P1Tzt/eyrfb3lL282b1N4c
+ 7KuTrWju3ml69QbulcN3Fae8ID+U8plcbpVv5f/v4zW4KPJBIN33D9InFzzwaBDF
+ m2ESR/nsRMeLpR1StPz3SoPERLQ9PdLIuDp449O+EPgOK26yAvGiO+E4vfGQMpzS
+ XAEdM3mNnGT8BTgChbPK+Khx0U0kJc2s9OjmW2aGEHNLeiPWcaj02EQ13rtH5q3c
+ YFXzo8Ymlg3YEemwBY9LNVfGXmNUEgI8FYlh2mFwAwv3IdCjW7JsCwwsPE8C
+ =KfCh
+ -----END PGP MESSAGE-----
+ fp: 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3