diff --git a/.sops.yaml b/.sops.yaml
index eb04ad5..5e72244 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,15 +1,23 @@
 keys:
+ # To generate new admin key, run (requires [age](https://github.com/FiloSottile/age)):
+ # ```
+ # mkdir -p ~/.config/sops/age/
+ # age-keygen -o ~/.config/sops/age/keys.txt
+ # ```
+ # Provide the generated key to a pre-existing admin and wait for him to re-encrypt all secrets in this repo with it. After pulling the re-encrypted secrets you can read them with `sops some-file`.
 - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
 - &lassulus age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2
-# To generate new admin key, run (requires [age](https://github.com/FiloSottile/age)):
-# ```
-# mkdir -p ~/.config/sops/age/
-# age-keygen -o ~/.config/sops/age/keys.txt
-# ```
-# Provide the generated key to a pre-existing admin and wait for him to re-encrypt all secrets in this repo with it. After pulling the re-encrypted secrets you can read them with `sops some-file`.
+ # Downloaded like this: nix-shell -p ssh-to-age --run 'ssh-keyscan clan.lol | ssh-to-age'
+ - &web01 age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
 creation_rules:
 - path_regex: targets/.*/terraform.tfstate$
 key_groups:
 - age:
 - *joerg
 - *lassulus
+ - path_regex: targets/web01/secrets.yaml$
+ key_groups:
+ - age:
+ - *joerg
+ - *lassulus
+ - *web01
diff --git a/flake.lock b/flake.lock
index 885b3b3..5d7cb08 100644
--- a/flake.lock
+++ b/flake.lock
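Review bot: The `&web01` recipient is derived from `ssh-keyscan clan.lol | ssh-to-age`, which trusts whatever host key the network hands back at scan time, so a mis-resolved name or an on-path attacker would silently put a foreign key into every rule that lists `*web01` (here the new `targets/web01/secrets.yaml` rule). The comment above the anchor should record how the key was verified out of band, e.g. `# Verified against ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the host (via the provider console) before committing.`, and the scan is better restricted to `ssh-keyscan -t ed25519 clan.lol` since only the ed25519 key is convertible to an age key. Re-checking the recipient the same way whenever the host is re-imaged would also be worth stating, because a re-imaged host gets a new host key and the old anchor then encrypts to a key nobody holds.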
@@ -85,10 +85,32 @@ "flake-parts": "flake-parts", "homepage": "homepage", "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix", "srvos": "srvos", "treefmt-nix": "treefmt-nix" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": [] + }, + "locked": { + "lastModified": 1688268466, + "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "srvos": { "inputs": { "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 2e08181..e082cad 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,9 @@
 homepage.inputs.nixpkgs.follows = "nixpkgs";
 homepage.inputs.flake-parts.follows = "flake-parts";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.inputs.nixpkgs-stable.follows = "";
 srvos.url = "github:numtide/srvos";
 # Use the version of nixpkgs that has been tested to work with SrvOS
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
index 63431a0..ab508c2 100644
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -1,13 +1,17 @@
-{ inputs, ... }: {
+{ self, inputs, ... }: {
 flake.nixosModules = {
- hcloud.imports = [
+ server.imports = [
 inputs.srvos.nixosModules.server
+ inputs.sops-nix.nixosModules.default
+ ];
+
+ hcloud.imports = [
 inputs.srvos.nixosModules.hardware-hetzner-cloud
 ./single-disk.nix
 ];
 web01.imports = [
- inputs.srvos.nixosModules.mixins-nginx
+ self.nixosModules.server
 ./web01
 ];
 };
diff --git a/targets/web01/secrets.yaml b/targets/web01/secrets.yaml
new file mode 100644
index 0000000..7424e38
--- /dev/null
+++ b/targets/web01/secrets.yaml
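Review bot: `web01.imports` drops `inputs.srvos.nixosModules.mixins-nginx` and replaces it with `self.nixosModules.server`, which does not include the nginx mixin, so unless `./web01` imports it itself (not visible here) web01 silently loses that configuration; likewise `hcloud.imports` no longer carries `inputs.srvos.nixosModules.server`, so any host that imports only `hcloud` loses the server baseline. If the nginx removal is unintended, keep `inputs.srvos.nixosModules.mixins-nginx` in the `web01.imports` list next to `self.nixosModules.server`. For `hcloud`, either add `self.nixosModules.server` to its imports or put a comment on it such as `# hardware only: combine with self.nixosModules.server` so the split is deliberate and documented. The attribute set's closing brace lies outside the hunk.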
@@ -0,0 +1,39 @@ +ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVTJrY2hIdis5eGJYQkdM + MUdGTmVkc2pxN1NjbkR2NVF6Uk11SnBSSUNrCnY0dXlTMnpTbnNJdjNJZHZtYWE4 + YmlUWFpkUXdtbFh6R1BvTjd1UEZTRFUKLS0tIEdTMEozMFltVWJ0Q1BZS201eE50 + UHcwNW5nNkdHL0w2d3g0RzBQZ1RrY3MKCDNdsobZ7wZOjBWOy0FmBR0i0afpHM/x + uDax1cdEXnh710TTI0Ck99KGthFRWBIeJH1xioC6TTsgmrgE4VPkNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwRWp6R3B2T3N0aE1GaU8r + cUppT0ZrNGJTTXhsZi9EU3dRZTNTR09tYVdvCmVBUFRVWkFTeHZVMDFhSDNQY1dL + T09zMjN4ZkZpNFRqZjVqWVRZOGdIaGcKLS0tIGNJbnBFNDAvMS9pdndVRklTNHZ2 + UjRPRXB5RkxYUDN2TVE2ZTlzV0I5NGsK8tIxBNl0UFkAw1u8Jn7QjnDJ6dcr4+6P + iHXTDyxadZAljV5ZXlmzM1dm5p+v86jJ/KvYbA0dkga+CBEOUDt3Yw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRDh2OWxJdjcwK0o1M3Nt + RXV4UTlnbFphR0JISG9ZcGorb1ppMzd4SVR3CnZTOW9YeHBKR3drTHdGb3pEZVI3 + S3NtbDFHL2dlZlRKK3FIc0lwMGt1SzQKLS0tIEZrMWNLOEtuTXB5eE93Uy9nalhD + Q2J3VHNZZm13RlFwekJ6MHpPTmpZek0KiOqGozDqC5QQop5y+Scq+QHhVSXX43Ix + KS496VWzRCdXYdgMk9gleA0AjaOGdAZOzdxsMQrWo+XfHrCy/1fU/w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-05T15:15:11Z" + mac: 
ENC[AES256_GCM,data:oLM6L2SAPSypW2sbGnaE0hmRW8BoFxIT6RfGUAr2I8Q+K0wN4dUW1Cq+q8Ecfa4IJ8eI2iCw/7x8ZwlWiUFnreeaEGXIS2SEMMitwOUzfzB0QCXYIuQUxgH1KCpNwNKm/3cEg0GrWFim0SSSZztVsHQh5++Qa7WDXKYFQJLG+Fc=,iv:P9DUDlL9g5Q7fJyi7OvVDMyPQKbX1OzYKgQ19f+wrfI=,tag:An0m7oXeUACxWDVackxXAQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3
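Review bot: `ssh_host_ed25519_key` is encrypted to the `web01` age recipient that `.sops.yaml` derives from the host key `ssh-keyscan` currently sees on `clan.lol`; if sops-nix is left at its default of deriving the host's age identity from `/etc/ssh/ssh_host_ed25519_key`, this only works when the encrypted private key is the very key already installed on the host. Should it be a different key, the first activation would rotate the host key, after which the host could no longer decrypt this file and the `&web01` anchor would no longer match any live identity. Before merging, confirm the correspondence with something like `sops -d --extract '["ssh_host_ed25519_key"]' targets/web01/secrets.yaml | ssh-keygen -y -f /dev/stdin | ssh-to-age` and compare the result with the `&web01` anchor in `.sops.yaml`. A one-line comment in the sops-nix module stating that this secret must equal the bootstrapped host key (and how to regenerate the anchor after a re-image) would keep the next operator from hitting the same trap.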