This commit is contained in:
Motiejus Jakštys 2023-04-05 22:48:04 +03:00
parent ee691ca62f
commit eddb3395ed
5 changed files with 105 additions and 37 deletions

14
.sops.yaml Normal file
View File

@ -0,0 +1,14 @@
keys:
- &motiejus 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
- &server_hel1a age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
creation_rules:
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- pgp:
- *motiejus
- path_regex: secrets/hel1-a/[^/]+\.yaml$
key_groups:
- pgp:
- *motiejus
age:
- *server_hel1a

View File

@ -2,6 +2,7 @@
config,
pkgs,
lib,
sops-nix,
...
}: let
gitea_uidgid = 995;
@ -68,6 +69,8 @@ in {
imports = [
./hardware-configuration.nix
./zfs.nix
#<sops-nix/modules/sops>
sops-nix.nixosModules.sops
];
nixpkgs.overlays = [

62
flake.lock generated
View File

@ -1,26 +1,5 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": [],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1680281360,
"narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e64961977f60388dd0b49572bb0fc453b871f896",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
@ -92,12 +71,49 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1680390120,
"narHash": "sha256-RyDJcG/7mfimadlo8vO0QjW22mvYH1+cCqMuigUntr8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c1e2efaca8d8a3db6a36f652765d6c6ba7bb8fae",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"deploy-rs": "deploy-rs",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1680404136,
"narHash": "sha256-06D8HJmRv4DdpEQGblMhx2Vm81SBWM61XBBIx7QQfo0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b93eb910f768f9788737bfed596a598557e5625d",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},

View File

@ -5,9 +5,8 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.darwin.follows = "";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
@ -24,7 +23,7 @@
outputs = {
self,
nixpkgs,
agenix,
sops-nix,
deploy-rs,
flake-utils,
}: let
@ -38,12 +37,7 @@
./hardware-configuration.nix
./zfs.nix
agenix.nixosModules.default
#{
# age.secrets.zfs-passphrase.file = ./secrets/hel1-a/zfs-passphrase.age;
# age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
#}
sops-nix.nixosModules.sops
];
};
@ -67,9 +61,9 @@
devShells.default = with pkgs;
mkShell {
packages = [
pkgs.rage
pkgs.age-plugin-yubikey
agenix.packages.${system}.agenix
pkgs.age
pkgs.ssh-to-age
pkgs.sops
deploy-rs.packages.${system}.deploy-rs
];
};

View File

@ -0,0 +1,41 @@
password: ENC[AES256_GCM,data:IVoMD1bSp15bPfPPws6k6u7SXioMPibxqg==,iv:U0zLdK4XEvty8eS/G80NcGlQrEn9M2fDH2oWv5cXIvI=,tag:IU3P9SjexZGGiOOxseUnLg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNldGbmdndDJSclV5TFJ2
aVNhR3hlSEdiaGVBVk5ReTN3TmM0ckNFNVZJCmtmdkdyT0ZBNUVmemNvaFlaMnda
eXBpdEtDNFlNNkdBNVQxSloxc0dMcVUKLS0tIDZWZ3lvTWYzUHBxd3ZOa3UyREY5
YmdScHFndG1leTl0VFo0dzh2SjhZTU0Kp3aiUTvTWMzw6y+D0ELT9BE4enrJAVDD
1c0TvbFwDAJI3KB8T/Mz23qerExtZZQeCnm9zQKd+NsSKZCf52JEkg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-05T19:33:58Z"
mac: ENC[AES256_GCM,data:hqQoErSGafMyD43nQBInX1+wrCGlln1KvH6w1NLMw6GQwZ6EzdTBJKH05S67KjA1UtxLGi8MquBnjymHSctsuWtBiM0T+7dSQlF+FEvkGcRVf1aGbCWtZgNWS07iROAhCNxHpHaPMPUHj5Y0ih3zBh6q9OuDkXG/up1zvN4YRwM=,iv:qGgT5qj7dX82NWOb/s3Pj1n13nFn73p3fOiVJrbpav0=,tag:VjPMmLUmasq54xNqMeAvlQ==,type:str]
pgp:
- created_at: "2023-04-05T19:33:35Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAznIq2pQRYaoARAApA2PMariUuuZ5D+XKf2W8od3oaTzGH9ttu6u7jNg2lqX
3Ov1jbvUhT+stH5+DjbeApxxRJPcxMa3cA8g8907b3MagtyJYfxYJbqRNur2kOfy
o4VlogFPTTIeeDP9hexX8p6jHC/lXPcT65B8Puj5NbTbitK9pP2RCQnvBG5vm2bB
g+d4xiVfhtkt6Wv+m3oBdXO6mLn2tsakBEfseGJuovNpFd469ym9pqP0UpMEWtMy
ezODZEbKsxvdUA+pa0wbTo5cQ+G5Pe2BjxNjfO2i4QgEPW5bCkeYDjN5uN9OgnxG
zCMrr/PGrLDfebxU0YJqqkfLtmwgJpYKFNuwa6eLG7aOi3ahEsS9WUzLF/7nuTky
p1+tOa6VRtQ1nTO0cV3XX9F6Pq/mtp5oozQUBhTzRndpO6Ju7luqzjNEvlS9ILzf
w+3lxn/1nvwklBt9S9b2OOhf12iGPfoVye3lhXCSo6cNyk6uIs2fW/n7UXTJgG0W
M5Zv5ygXbJwL3SyVaO9moL4ZSvllbwigI4MfSOoAH8P1Tzt/eyrfb3lL282b1N4c
7KuTrWju3ml69QbulcN3Fae8ID+U8plcbpVv5f/v4zW4KPJBIN33D9InFzzwaBDF
m2ESR/nsRMeLpR1StPz3SoPERLQ9PdLIuDp449O+EPgOK26yAvGiO+E4vfGQMpzS
XAEdM3mNnGT8BTgChbPK+Khx0U0kJc2s9OjmW2aGEHNLeiPWcaj02EQ13rtH5q3c
YFXzo8Ymlg3YEemwBY9LNVfGXmNUEgI8FYlh2mFwAwv3IdCjW7JsCwwsPE8C
=KfCh
-----END PGP MESSAGE-----
fp: 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
unencrypted_suffix: _unencrypted
version: 3.7.3