From 639d61d5fbb4c8a6ea04c68bc2834b4358368a38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 4 Oct 2023 07:58:53 +0200 Subject: [PATCH] rotate harmonia key --- modules/web01/harmonia.nix | 2 +- sops/secrets/harmonia-key/secret | 36 ------------------- .../groups/admins | 0 .../machines/web01 | 0 sops/secrets/harmonia-public/secret | 36 +++++++++++++++++++ sops/secrets/harmonia-secret/groups/admins | 1 + sops/secrets/harmonia-secret/machines/web01 | 1 + sops/secrets/harmonia-secret/secret | 36 +++++++++++++++++++ 8 files changed, 75 insertions(+), 37 deletions(-) delete mode 100644 sops/secrets/harmonia-key/secret rename sops/secrets/{harmonia-key => harmonia-public}/groups/admins (100%) rename sops/secrets/{harmonia-key => harmonia-public}/machines/web01 (100%) create mode 100644 sops/secrets/harmonia-public/secret create mode 120000 sops/secrets/harmonia-secret/groups/admins create mode 120000 sops/secrets/harmonia-secret/machines/web01 create mode 100644 sops/secrets/harmonia-secret/secret diff --git a/modules/web01/harmonia.nix b/modules/web01/harmonia.nix index 362af05..87c033c 100644 --- a/modules/web01/harmonia.nix +++ b/modules/web01/harmonia.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { services.harmonia.enable = true; # $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub - services.harmonia.signKeyPath = config.sops.secrets.harmonia-key.path; + services.harmonia.signKeyPath = config.sops.secrets.harmonia-secret.path; services.nginx = { package = pkgs.nginxStable.override { diff --git a/sops/secrets/harmonia-key/secret b/sops/secrets/harmonia-key/secret deleted file mode 100644 index 62f5368..0000000 --- a/sops/secrets/harmonia-key/secret +++ /dev/null 
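Review bot: The comment directly above the changed `signKeyPath` line still shows the placeholder key name `cache.yourdomain.tld-1` and says nothing about the rotation, so a later reader cannot tell which key generation `harmonia-secret` holds or that every client's `trusted-public-keys` entry must be switched to the new public half before the old signatures stop being served. Nix identifies a signing key by the name prefix embedded in the key file, so the usual rotation practice is to bump that suffix (`-1` to `-2`) and keep both public keys trusted during the transition; whether the key now in `sops/secrets/harmonia-secret/secret` carries a new name cannot be checked here because the file is encrypted. I would replace the comment with `# Rotated 2023-10-04; the public half is kept in sops/secrets/harmonia-public and must be added to clients' trusted-public-keys.` followed by the existing generation command line `# $ nix-store --generate-binary-cache-key <cache-name>-<N> harmonia.secret harmonia.pub`. The enclosing attribute set continues past the end of the hunk, so any other reference to the old `harmonia-key` secret name outside this view would need the same rename.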
@@ -1,36 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:rD10VFg1jQLJwD9yfkro8jIfzHQo2gZUCfmXW5ocqaTXWJvj/3gEGuAqOFUrmkP7YfyD4QeYGnr/EjhMlAIEJPR/UijRY6U16AehROgVCzBCxdfEtlFFvkNt5zI9eJtAO0f0vYA1ETopHw==,iv:L+s0cQyT87Cn/56pIF1xGNLma9L+PYcvj/9NoWYYGPE=,tag:j64AhN4u3tlxbO7bZSalOA==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK1ROcTJaSG5lY0NzVUZU\nWFdCTVlDYS94U0JmR1NVN0FYb0hGM3RVTjFZCjNtblpMVklQbVZQTFVnYjdLZW9G\nandzcjdaQmRiSEFOTmdjWmFJY3lkY1UKLS0tIG10ZFd4WllIUjN5OHJYVkZ1eU1x\nS2lWclJQdlhWRDNHd3Y5SHdpQnM0YTgKafGQ0YBxSfKWVRX+j5bUZ7fU5z0FcIr+\nnKWIIcMnpp/MN3shmZZu1c1rdKC+O48Pu9dInQ3d3/VYZuXgviwP8Q==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSElxMnBMdFltMnN0aHoz\nc3J3UVFBemFNNmcwRzhGVXE1S21qTGJIbm1nClRLaU4xWktLVDZrRGxkV0swdXRJ\nWUpYWmtzRCtQWFl5Rnk4UmxRYkxxYncKLS0tIEZ0SEtZL05CcU1LTGE3Sko0U2NW\neFNSbTQwYWRrV05UTjZ5ZWNrRk8zUFEKiadOv+3Fq3/Tt7zqL1mb8eDRsSEctSlD\ncj2H4Xgm33sL3XlO1pvUwe/GC428VGtPrRERxywuV++Q/1hgQDw5lQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaXJLUzB3eGhhMy9pbFF4\nd1dDN1JuQ1Y1TEVxbmdhSWtiVlc3K1kxQUhzCnczU3phMXR2dkdSazVPL1dmYVYv\nT2FvNW5pRVhjbFF5WEN2V0gxYlhSOHMKLS0tIHl0SlR0dkFualVTMTlSejBydTht\nSzYrZ2lQK1hSazV4QXBMQVQ0NjZwUUUK7sHCwiTzefQ2/mJAZE8l615t1Egc5/1i\nKv1GAnn06HTR1TbchVfmpkZI792flAs77diwsDTBgP1fIKmcy9w4rw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWURNWUZXQWFKM0NPSkRN\nZTNlYUMrVWFPVDVTbEREUTVyQi9TZ2ozc1FZCjZ3c1FDcis3VFQ4ME55UXE5d0Jq\nWlo5M21NUjhONXR1Yk9vVXBtQlBNbHMKLS0tIHBkaStlMHFCWG1NaHkwZHAxWnBS\nQ0FxaGw5UzRmMUtSR0J1LzEzUmMxNmsKzIvnWnPrrmLaFE3WbqNjfLw0uUKpslrt\n3cWxm5HwQlLWyLChE6Hba3NNJAEJl8nlBxeJhA8Tg0liFY9231kcgg==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1zwte859d9nvg6wy5dugjkf38dqe8w8qkt2as7xcc5pw3285833xs797uan", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUkVLc2JldDh2bkF1TUZ4\nQm91UW84UWxOUXRkSHlmbmpoMS9aVDVwZ0hrCk5lZEwxNkNneEV4TUxlcVgzZFNr\nd0lpUzN1SVBjWDlDalNuOHgwU1JBMWcKLS0tIC9WVXRFNno3TkRjNFNaQkNUZ1I1\nVUFiSDV4bi81emNuUkJwNXVYdm81UFkKtsuX9ZNK4YbXsWEIXgZRq8nOBCuUe1J0\nWtRl+9R2h8z6tDDTH4UUEzBND27HrGvaRItcyqMFPKxPtZOQc3SbiA==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-08-09T10:59:21Z", - "mac": "ENC[AES256_GCM,data:CTJ99n1j2GyRfqnzOVGoiJkZeoAeC3g8YNepa2FDIVb/ktK26ir35UF+HP14VtftviRxmLZFt1V1MxMxhotox9YlcMxnMLSZVPPak2sNK4yPw73Wf91EYDlaDJxXsB1tC14vbnjn8EP06Pt59gG9AFEiKB+vAH4R2tGS/NU+es4=,iv:T0xJkwZjfMZGLHzmBeyffG4PHy96zCGNUzf49MXi5gg=,tag:lORQc1YfNacORs8qIdFr6w==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} \ No newline at end of file diff --git a/sops/secrets/harmonia-key/groups/admins b/sops/secrets/harmonia-public/groups/admins similarity index 100% rename from sops/secrets/harmonia-key/groups/admins rename to sops/secrets/harmonia-public/groups/admins diff --git a/sops/secrets/harmonia-key/machines/web01 b/sops/secrets/harmonia-public/machines/web01 similarity index 100% rename from sops/secrets/harmonia-key/machines/web01 rename to sops/secrets/harmonia-public/machines/web01 diff --git a/sops/secrets/harmonia-public/secret b/sops/secrets/harmonia-public/secret new file mode 100644 index 0000000..b3856ee --- /dev/null +++ b/sops/secrets/harmonia-public/secret 
@@ -0,0 +1,36 @@ +{ + "data": "ENC[AES256_GCM,data:Ggt01QP6hYLo4iqRQ4yEJUK+G/HxOomb2th2WSctpfwy2KDV18Z2i1pt6y20bhAoY6JrvwpyAEOdGAme3w==,iv:Xr3ZFk4SU+z1XPecVu4/IpH7QZqysaXMKuOp82naf3w=,tag:bYZ7IlDYC+MAvdn77qHObA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRjZYd3BJR25KQk5sNEZX\nVVFIMDh2OC9FMkQ5V2JscmVHL2F6N3Bic2xBCmQyTEtTRTBpVndOd05ZU1d5alEz\nTE9LTEdvOU5QV0FkYmQ4NWx1ays4WTAKLS0tIC81M3IrMUE0Sno1Rm1ZNVNjaVpw\nV0FseEFnemZCVFdIVm5MRUVaL3BpYVkKSC6m7nn+QbPqT+QOavqOu+at/7I78qcK\n7BmpwTRxHpv/Lzpa20K0AmgD8OmPiI0IIOkwnKCzYSLPX6/s+HYqTA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjK2pTOFdhcVl3ZEdVVHlP\nN1IyUVRwWXh2NmYxc1NIV2VmcXh5UzM5TldBCmw5SjcvQmxTc0VpSWswOEU3SWg4\nWEFudGhQdzdtTnpxY3djMVFXM1RvbmMKLS0tIG01bjhQcHhnQTNRaktNcjN2NzNl\nc0MvdDF4ZUNXTEJXbkppV045QmNUUnMKNECqfLlI6XwrfA5cOQk3VGRKX+hMqvNd\npEHUJ8fsHXb1myq/KJ65F1U+1V8F9sI+Vmf01d2ZuXB4Zi1j1bY5dQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVlJHTFJCL0twc2w1bVdP\ncjNMN0ZSd2NlT0M1R0doY2U0NXZUK0kwdkU0CmVJcUUwcVMwNjBPQ2lINFZLUU1X\ndVoyTEJCY2tOSFR2L3NWWkNXTWhQL2sKLS0tIE5sQlE0WVdVRWFSRHl4Q0FDcHc2\nMXphWDltbE9KcHJiUzZxOEVsS01FeHcKTpriffBPZT5ttUd1VeFFGnCx3pKCOvK9\n/QCoY5Ta74spuQkY45gdOXp3iYRFi/fYiHLYGZemb3aZkSdWpKkdNQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFc09JdnMrcCs5ejQ5SU02\nM3dJTllPWWszQTVUZHBzUnFVeDNRczBnSXlnCkFzT0FrQlpTV3JkQW5vNzF6OWhS\nSHVSTzIzeVp5RWRqdVp4WThYeFF1Z1EKLS0tIFhTUGtDM1ZmaldzSitLYUM1c05v\nOWFzYW0rZDJmc2hnazhHYTdEWVpwV1kK/I15tNlcbzryPW6ABSLCkVDyVX16lXSW\nP2MgA8kssjarCwQAYZXBbNvsqOswacEzTBeOimm5J9NMDAt9aF8nUg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zwte859d9nvg6wy5dugjkf38dqe8w8qkt2as7xcc5pw3285833xs797uan", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNENVSm5BVWwrejYzS2Zx\nM2xkNEo1Rmk0TEJrVjRkODhVV0hwV2VGQ1JJCmYzSnVoVEZGZGM1K2M5UGcyaktJ\nL29PU2ljcjdwNXo3UnY4cHRKU3hjejgKLS0tIGE2TEcxTmhvY0paZ3k0SHluRTdV\najlUUDhjNjB1MWdEQ0RpZ25EdHNvT1UKal/QfcSV8sFF3ZcU/NlMR2f3kVWfwmsP\nuD5EQ1tsp5Fbayrwc3CzIWukV8EVkEGHinY682sS0hu0RoV99X4IRw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-10-04T05:57:13Z", + "mac": "ENC[AES256_GCM,data:sKISFOO84xWMd8oUsK54FHqd7DY+muCq+CavvFOFU/vkOyIunmGt7RRKFdKWMbnVLjeMjWiQpL58NpRWcXRa2BA4y4lsH4T9hJN1U7XP9T9V/ADzPq6TXKERWKwrUcy1FZN3my3i9taq/N4Oam8qnhNfnzK6UBoF5pWdc2/efl4=,iv:xMCIgxeo+qT8y1xJsljMziVPXPKsbN2vO2Hd2RtNUg8=,tag:6dSewJcXLMIBToGKapCBoQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.0" + } +} \ No newline at end of file diff --git a/sops/secrets/harmonia-secret/groups/admins b/sops/secrets/harmonia-secret/groups/admins new file mode 120000 index 0000000..e5092e3 --- /dev/null +++ b/sops/secrets/harmonia-secret/groups/admins @@ -0,0 +1 @@ +../../../groups/admins \ No newline at end of file diff --git a/sops/secrets/harmonia-secret/machines/web01 b/sops/secrets/harmonia-secret/machines/web01 new file mode 120000 index 0000000..a3c776b --- /dev/null +++ b/sops/secrets/harmonia-secret/machines/web01 @@ -0,0 +1 @@ +../../../machines/web01 \ No newline at end of file diff --git a/sops/secrets/harmonia-secret/secret b/sops/secrets/harmonia-secret/secret new file mode 100644 index 0000000..3957b14 
--- /dev/null
+++ b/sops/secrets/harmonia-secret/secret
@@ -0,0 +1,36 @@ +{ + "data": "ENC[AES256_GCM,data:VYMzJssS+WYht3G8DNFI8xuT/bKBZW97FUiC0pFrTVQgQX2S1MGcErXgOnL1joV57t9W5QSrORzygYUoJYwB43t5Go2tleRIWHiJg7vw1t+W9GWpHtoONB6Xsxasm9PeAUd3dh0QcusF,iv:/QWSp128zNqQqHdO1dA7bGcyIP8ECAVMz5Iq2X3Qk6Y=,tag:IibC8bkmWiOOTXtbuwxYbw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUejFTVS9mWTBVRVZBOGNI\nT1FxQmhEc2VuQkptVVJCNjdVSnNKcGhDV0VzCnBkN1oveURuUmk0dmo4a0x4NFhW\nL01hV2lEVUZqWjdKYm9wRGxTZXZ4Q0kKLS0tIDlSY3dBUFErNkhwbE5hTTNKUWZo\naTVkZUwxdHBmWmFQNmtUUmcyaUh0ZEUKpat16JYBDVdSNrIh0kVMzLelyzJCIIB+\nytAYILW4muReME+gWkgrmgpIJnCsT7gpBRYZSp9BZrxELP5+9Cax+Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByR2UvWkpHNnVtM3FvVkFw\naWRMZEJaUWoydHA4b0Q4bU9USmlSK2tjY1hRCnd6dFUwdElLY3dvL1lwcjhNVzRO\nMUdCTElJZzgzQUMxdFNMUDMwaDU3MzAKLS0tIEZQZ3JJWVFMUzJmRlA4RFNZWWpL\nT1EvYWVvWit4MXVxMm1UZndaa3FQa0kKML2cqL0HMWcpncAqiTVvB2+PVrvot5oJ\n7kIcpVs72hMywAQ4+jxwh6MVRyfggXrIr7R8IpsKPe/MA9SPXl+AgA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZkxuS09nK0VkUHhoOSto\nRkhhVGQ4MEZrbVcrck1DZmx2T1JpSEdHSUhNCnJVTEdjNGd4SCtvMUJsR2Q0K0N3\ndTZibm5TRGVxTURtQXF3eFE4Wi9XV1EKLS0tIDhSZ0hTTG8vTXpLejduSkc1VWtt\nK1o5bXk1M3RMK2ZzZ3pOZnA5bmJETzAKYmMqHPNtzcXK94tBAJO4siYTET6eZXmh\npWnx5UEMUhPsdWDyFiD9h0vSM+Or155iZoo6vbTVbflSSuY/LxT5Xg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1vphy2sr6uw4ptsua3gh9khrm2cqyt65t46tusmt44z98qa7q6ymq6prrdl", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQVVQdTN3QkN5UmlGSmt4\nZFZ3bSsyM1gzUGdURkoySTRIVms3RHY1WDJZCnovZWRmalRNVlNOaWVvOW1IZThR\nTVZnMm9mNG9UNWFDOXUzLzZFSlRSN2sKLS0tIFgrMTMrblEvciticVlSNVRsbEE1\nalQrZU9jd1VOVitPbjNiTHloakpPR2cKxCHBiCuuWIwNG96enMprUnVmLa03lJTl\nOw6SYKUXgTa/GBeEhskjCUMyIxlW0o+WRWa9ZWlaYBXFbCiX0aPQTw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zwte859d9nvg6wy5dugjkf38dqe8w8qkt2as7xcc5pw3285833xs797uan", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ0gzQUxYTjdOYWNDMzUv\naWlBMFViT1dQb2hjNUxDSlIrcWdwMm8xN3dJClVGdkt5QTVQOVpvZ1NMWnZJVlln\nZjY4RER5T1h0UitmVStYRERSbnIvN2cKLS0tIFZjNWF3UDk2R1ROdHh5Zm9Fb1Nz\nbFJVeklsU0RKVzhzaUh3OFJmRk4rWEUKT1tm9otO9CaYyN+HpwuIr0HPEwyPWmrR\nhoUDq2nqIUmsXzEDEPGfD47ipCBcsfggb6a1iuSL6i3NeHYZSxi9dg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-10-04T05:57:01Z", + "mac": "ENC[AES256_GCM,data:Pa7mGbrXuLOQVM9pJW97Nel1ebNNVOEDJReTEZg1OKWHFlJUFD/a01q8IbUPrVQoPD8TTfxFQDb/LC4i7qzoJkFr65M7lbn99ctQQyDZPRjWYz/4NkNgvF3KASeQ35UCxBqM990q2DR45pw0r+1+rMaFrNrupYBiqmP+/rh8+Bk=,iv:1m+6p77zpJiiiuYBU307fmH4jo0MRvPPEBfIbJejru4=,tag:sWlZ6d+L8cq91aFYGJERVg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.0" + } +} \ No newline at end of file