secrets sops: deploy age key

This commit is contained in:
lassulus 2023-09-18 23:07:03 +02:00
parent 1ae314d39c
commit 521f4ee5bc


@ -66,7 +66,14 @@ in
'') "" config.clanCore.secrets}
'';
system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
echo upload is not needed for sops secret store, since the secrets are part of the flake
#!/bin/sh
set -efu
tmp_dir=$(mktemp -dt populate-pass.XXXXXXXX)
trap "rm -rf $tmp_dir" EXIT
clan secrets get ${config.clanCore.machineName}-age.key > "$tmp_dir/key.txt"
cat "$tmp_dir/key.txt" | ssh ${config.clan.networking.deploymentAddress} 'mkdir -p "$(dirname ${lib.escapeShellArg config.sops.age.keyFile})"; cat > ${lib.escapeShellArg config.sops.age.keyFile}'
'';
sops.secrets = builtins.mapAttrs
(name: _: {
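Review bot: The remote `cat > keyFile` on L20 creates the age private key with the target's default umask, which on a typical root login yields a world-readable file; the command should drop permissions first, e.g. `'umask 077; mkdir -p "$(dirname ${lib.escapeShellArg config.sops.age.keyFile})"; cat > ${lib.escapeShellArg config.sops.age.keyFile}'`. The `lib.escapeShellArg` calls sit inside a single-quoted remote command, so whenever the escaper wraps the path in its own single quotes they cancel against the outer ones and the remote shell receives the path unquoted; escaping the whole remote command once with `lib.escapeShellArg` instead of the two inner arguments would make the quoting hold for any path. If the `echo upload is not needed for sops secret store` line on L14 survives as the script's first line (the markers are lost on this page), the `#!/bin/sh` on L15 is no longer a shebang and the message contradicts what the script now does. The temp-file detour on L17–L19 also leaves the private key on the deploying host's disk until exit; piping `clan secrets get` straight into `ssh` would avoid that, at the cost of `set -e` no longer catching a failed `clan secrets get` in a `sh` pipeline.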
@ -76,5 +83,6 @@ in
secrets;
# To get proper error messages about missing secrets we need a dummy secret file that is always present
sops.defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" "")));
sops.age.keyFile = lib.mkDefault "/var/lib/sops-nix/key.txt";
};
}
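Review bot: The new default on L28 carries no comment explaining where the file comes from, although it is the path that the `upload-secrets` script in this module writes over ssh and that sops-nix reads at activation; I would add `# Populated by clan's upload-secrets script; must be readable by root only.` above it so the coupling and the permission expectation are visible at the definition site.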