wip sops
This commit is contained in:
parent
ee691ca62f
commit
eddb3395ed
14
.sops.yaml
Normal file
14
.sops.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
keys:
|
||||
- &motiejus 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
|
||||
- &server_hel1a age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
|
||||
creation_rules:
|
||||
- path_regex: secrets/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *motiejus
|
||||
- path_regex: secrets/hel1-a/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *motiejus
|
||||
age:
|
||||
- *server_hel1a
|
@ -2,6 +2,7 @@
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
sops-nix,
|
||||
...
|
||||
}: let
|
||||
gitea_uidgid = 995;
|
||||
@ -68,6 +69,8 @@ in {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./zfs.nix
|
||||
#<sops-nix/modules/sops>
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
|
||||
nixpkgs.overlays = [
|
||||
|
62
flake.lock
generated
62
flake.lock
generated
@ -1,26 +1,5 @@
|
||||
{
|
||||
"nodes": {
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"darwin": [],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1680281360,
|
||||
"narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "e64961977f60388dd0b49572bb0fc453b871f896",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"deploy-rs": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
@ -92,12 +71,49 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1680390120,
|
||||
"narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-22.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"deploy-rs": "deploy-rs",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs"
|
||||
"nixpkgs": "nixpkgs",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1680404136,
|
||||
"narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "b93eb910f768f9788737bfed596a598557e5625d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
20
flake.nix
20
flake.nix
@ -5,9 +5,8 @@
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
agenix.inputs.darwin.follows = "";
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
||||
@ -24,7 +23,7 @@
|
||||
outputs = {
|
||||
self,
|
||||
nixpkgs,
|
||||
agenix,
|
||||
sops-nix,
|
||||
deploy-rs,
|
||||
flake-utils,
|
||||
}: let
|
||||
@ -38,12 +37,7 @@
|
||||
./hardware-configuration.nix
|
||||
./zfs.nix
|
||||
|
||||
agenix.nixosModules.default
|
||||
|
||||
#{
|
||||
# age.secrets.zfs-passphrase.file = ./secrets/hel1-a/zfs-passphrase.age;
|
||||
# age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
|
||||
#}
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
};
|
||||
|
||||
@ -67,9 +61,9 @@
|
||||
devShells.default = with pkgs;
|
||||
mkShell {
|
||||
packages = [
|
||||
pkgs.rage
|
||||
pkgs.age-plugin-yubikey
|
||||
agenix.packages.${system}.agenix
|
||||
pkgs.age
|
||||
pkgs.ssh-to-age
|
||||
pkgs.sops
|
||||
deploy-rs.packages.${system}.deploy-rs
|
||||
];
|
||||
};
|
||||
|
41
secrets/hel1-a/borgbackup.yaml
Normal file
41
secrets/hel1-a/borgbackup.yaml
Normal file
@ -0,0 +1,41 @@
|
||||
password: ENC[AES256_GCM,data:IVoMD1bSp15bPfPPws6k6u7SXioMPibxqg==,iv:U0zLdK4XEvty8eS/G80NcGlQrEn9M2fDH2oWv5cXIvI=,tag:IU3P9SjexZGGiOOxseUnLg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNldGbmdndDJSclV5TFJ2
|
||||
aVNhR3hlSEdiaGVBVk5ReTN3TmM0ckNFNVZJCmtmdkdyT0ZBNUVmemNvaFlaMnda
|
||||
eXBpdEtDNFlNNkdBNVQxSloxc0dMcVUKLS0tIDZWZ3lvTWYzUHBxd3ZOa3UyREY5
|
||||
YmdScHFndG1leTl0VFo0dzh2SjhZTU0Kp3aiUTvTWMzw6y+D0ELT9BE4enrJAVDD
|
||||
1c0TvbFwDAJI3KB8T/Mz23qerExtZZQeCnm9zQKd+NsSKZCf52JEkg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-04-05T19:33:58Z"
|
||||
mac: ENC[AES256_GCM,data:hqQoErSGafMyD43nQBInX1+wrCGlln1KvH6w1NLMw6GQwZ6EzdTBJKH05S67KjA1UtxLGi8MquBnjymHSctsuWtBiM0T+7dSQlF+FEvkGcRVf1aGbCWtZgNWS07iROAhCNxHpHaPMPUHj5Y0ih3zBh6q9OuDkXG/up1zvN4YRwM=,iv:qGgT5qj7dX82NWOb/s3Pj1n13nFn73p3fOiVJrbpav0=,tag:VjPMmLUmasq54xNqMeAvlQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-04-05T19:33:35Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAznIq2pQRYaoARAApA2PMariUuuZ5D+XKf2W8od3oaTzGH9ttu6u7jNg2lqX
|
||||
3Ov1jbvUhT+stH5+DjbeApxxRJPcxMa3cA8g8907b3MagtyJYfxYJbqRNur2kOfy
|
||||
o4VlogFPTTIeeDP9hexX8p6jHC/lXPcT65B8Puj5NbTbitK9pP2RCQnvBG5vm2bB
|
||||
g+d4xiVfhtkt6Wv+m3oBdXO6mLn2tsakBEfseGJuovNpFd469ym9pqP0UpMEWtMy
|
||||
ezODZEbKsxvdUA+pa0wbTo5cQ+G5Pe2BjxNjfO2i4QgEPW5bCkeYDjN5uN9OgnxG
|
||||
zCMrr/PGrLDfebxU0YJqqkfLtmwgJpYKFNuwa6eLG7aOi3ahEsS9WUzLF/7nuTky
|
||||
p1+tOa6VRtQ1nTO0cV3XX9F6Pq/mtp5oozQUBhTzRndpO6Ju7luqzjNEvlS9ILzf
|
||||
w+3lxn/1nvwklBt9S9b2OOhf12iGPfoVye3lhXCSo6cNyk6uIs2fW/n7UXTJgG0W
|
||||
M5Zv5ygXbJwL3SyVaO9moL4ZSvllbwigI4MfSOoAH8P1Tzt/eyrfb3lL282b1N4c
|
||||
7KuTrWju3ml69QbulcN3Fae8ID+U8plcbpVv5f/v4zW4KPJBIN33D9InFzzwaBDF
|
||||
m2ESR/nsRMeLpR1StPz3SoPERLQ9PdLIuDp449O+EPgOK26yAvGiO+E4vfGQMpzS
|
||||
XAEdM3mNnGT8BTgChbPK+Khx0U0kJc2s9OjmW2aGEHNLeiPWcaj02EQ13rtH5q3c
|
||||
YFXzo8Ymlg3YEemwBY9LNVfGXmNUEgI8FYlh2mFwAwv3IdCjW7JsCwwsPE8C
|
||||
=KfCh
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
Loading…
Reference in New Issue
Block a user