wip sops
This commit is contained in:
parent
ee691ca62f
commit
eddb3395ed
14
.sops.yaml
Normal file
14
.sops.yaml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
keys:
|
||||||
|
- &motiejus 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
|
||||||
|
- &server_hel1a age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: secrets/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *motiejus
|
||||||
|
- path_regex: secrets/hel1-a/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *motiejus
|
||||||
|
age:
|
||||||
|
- *server_hel1a
|
||||||
@ -2,6 +2,7 @@
|
|||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
sops-nix,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
gitea_uidgid = 995;
|
gitea_uidgid = 995;
|
||||||
@ -68,6 +69,8 @@ in {
|
|||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./zfs.nix
|
./zfs.nix
|
||||||
|
#<sops-nix/modules/sops>
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
];
|
];
|
||||||
|
|
||||||
nixpkgs.overlays = [
|
nixpkgs.overlays = [
|
||||||
|
|||||||
62
flake.lock
generated
62
flake.lock
generated
@ -1,26 +1,5 @@
|
|||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
"agenix": {
|
|
||||||
"inputs": {
|
|
||||||
"darwin": [],
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1680281360,
|
|
||||||
"narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
|
|
||||||
"owner": "ryantm",
|
|
||||||
"repo": "agenix",
|
|
||||||
"rev": "e64961977f60388dd0b49572bb0fc453b871f896",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "ryantm",
|
|
||||||
"repo": "agenix",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"deploy-rs": {
|
"deploy-rs": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
@ -92,12 +71,49 @@
|
|||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-stable": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1680390120,
|
||||||
|
"narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "release-22.11",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"agenix": "agenix",
|
|
||||||
"deploy-rs": "deploy-rs",
|
"deploy-rs": "deploy-rs",
|
||||||
"flake-utils": "flake-utils",
|
"flake-utils": "flake-utils",
|
||||||
"nixpkgs": "nixpkgs"
|
"nixpkgs": "nixpkgs",
|
||||||
|
"sops-nix": "sops-nix"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1680404136,
|
||||||
|
"narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "b93eb910f768f9788737bfed596a598557e5625d",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|||||||
20
flake.nix
20
flake.nix
@ -5,9 +5,8 @@
|
|||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
|
||||||
flake-utils.url = "github:numtide/flake-utils";
|
flake-utils.url = "github:numtide/flake-utils";
|
||||||
|
|
||||||
agenix.url = "github:ryantm/agenix";
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
agenix.inputs.darwin.follows = "";
|
|
||||||
|
|
||||||
deploy-rs.url = "github:serokell/deploy-rs";
|
deploy-rs.url = "github:serokell/deploy-rs";
|
||||||
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
@ -24,7 +23,7 @@
|
|||||||
outputs = {
|
outputs = {
|
||||||
self,
|
self,
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
agenix,
|
sops-nix,
|
||||||
deploy-rs,
|
deploy-rs,
|
||||||
flake-utils,
|
flake-utils,
|
||||||
}: let
|
}: let
|
||||||
@ -38,12 +37,7 @@
|
|||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./zfs.nix
|
./zfs.nix
|
||||||
|
|
||||||
agenix.nixosModules.default
|
sops-nix.nixosModules.sops
|
||||||
|
|
||||||
#{
|
|
||||||
# age.secrets.zfs-passphrase.file = ./secrets/hel1-a/zfs-passphrase.age;
|
|
||||||
# age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
|
|
||||||
#}
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -67,9 +61,9 @@
|
|||||||
devShells.default = with pkgs;
|
devShells.default = with pkgs;
|
||||||
mkShell {
|
mkShell {
|
||||||
packages = [
|
packages = [
|
||||||
pkgs.rage
|
pkgs.age
|
||||||
pkgs.age-plugin-yubikey
|
pkgs.ssh-to-age
|
||||||
agenix.packages.${system}.agenix
|
pkgs.sops
|
||||||
deploy-rs.packages.${system}.deploy-rs
|
deploy-rs.packages.${system}.deploy-rs
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|||||||
41
secrets/hel1-a/borgbackup.yaml
Normal file
41
secrets/hel1-a/borgbackup.yaml
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
password: ENC[AES256_GCM,data:IVoMD1bSp15bPfPPws6k6u7SXioMPibxqg==,iv:U0zLdK4XEvty8eS/G80NcGlQrEn9M2fDH2oWv5cXIvI=,tag:IU3P9SjexZGGiOOxseUnLg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNldGbmdndDJSclV5TFJ2
|
||||||
|
aVNhR3hlSEdiaGVBVk5ReTN3TmM0ckNFNVZJCmtmdkdyT0ZBNUVmemNvaFlaMnda
|
||||||
|
eXBpdEtDNFlNNkdBNVQxSloxc0dMcVUKLS0tIDZWZ3lvTWYzUHBxd3ZOa3UyREY5
|
||||||
|
YmdScHFndG1leTl0VFo0dzh2SjhZTU0Kp3aiUTvTWMzw6y+D0ELT9BE4enrJAVDD
|
||||||
|
1c0TvbFwDAJI3KB8T/Mz23qerExtZZQeCnm9zQKd+NsSKZCf52JEkg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-04-05T19:33:58Z"
|
||||||
|
mac: ENC[AES256_GCM,data:hqQoErSGafMyD43nQBInX1+wrCGlln1KvH6w1NLMw6GQwZ6EzdTBJKH05S67KjA1UtxLGi8MquBnjymHSctsuWtBiM0T+7dSQlF+FEvkGcRVf1aGbCWtZgNWS07iROAhCNxHpHaPMPUHj5Y0ih3zBh6q9OuDkXG/up1zvN4YRwM=,iv:qGgT5qj7dX82NWOb/s3Pj1n13nFn73p3fOiVJrbpav0=,tag:VjPMmLUmasq54xNqMeAvlQ==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2023-04-05T19:33:35Z"
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAznIq2pQRYaoARAApA2PMariUuuZ5D+XKf2W8od3oaTzGH9ttu6u7jNg2lqX
|
||||||
|
3Ov1jbvUhT+stH5+DjbeApxxRJPcxMa3cA8g8907b3MagtyJYfxYJbqRNur2kOfy
|
||||||
|
o4VlogFPTTIeeDP9hexX8p6jHC/lXPcT65B8Puj5NbTbitK9pP2RCQnvBG5vm2bB
|
||||||
|
g+d4xiVfhtkt6Wv+m3oBdXO6mLn2tsakBEfseGJuovNpFd469ym9pqP0UpMEWtMy
|
||||||
|
ezODZEbKsxvdUA+pa0wbTo5cQ+G5Pe2BjxNjfO2i4QgEPW5bCkeYDjN5uN9OgnxG
|
||||||
|
zCMrr/PGrLDfebxU0YJqqkfLtmwgJpYKFNuwa6eLG7aOi3ahEsS9WUzLF/7nuTky
|
||||||
|
p1+tOa6VRtQ1nTO0cV3XX9F6Pq/mtp5oozQUBhTzRndpO6Ju7luqzjNEvlS9ILzf
|
||||||
|
w+3lxn/1nvwklBt9S9b2OOhf12iGPfoVye3lhXCSo6cNyk6uIs2fW/n7UXTJgG0W
|
||||||
|
M5Zv5ygXbJwL3SyVaO9moL4ZSvllbwigI4MfSOoAH8P1Tzt/eyrfb3lL282b1N4c
|
||||||
|
7KuTrWju3ml69QbulcN3Fae8ID+U8plcbpVv5f/v4zW4KPJBIN33D9InFzzwaBDF
|
||||||
|
m2ESR/nsRMeLpR1StPz3SoPERLQ9PdLIuDp449O+EPgOK26yAvGiO+E4vfGQMpzS
|
||||||
|
XAEdM3mNnGT8BTgChbPK+Khx0U0kJc2s9OjmW2aGEHNLeiPWcaj02EQ13rtH5q3c
|
||||||
|
YFXzo8Ymlg3YEemwBY9LNVfGXmNUEgI8FYlh2mFwAwv3IdCjW7JsCwwsPE8C
|
||||||
|
=KfCh
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|
||||||
Loading…
Reference in New Issue
Block a user