From d7fb53e6eada441c86c0df273bbec64714b00b37 Mon Sep 17 00:00:00 2001
From: kB01
Date: Fri, 6 Sep 2024 17:05:12 +0200
Subject: [PATCH] Added Sops Secret Management

---
 flake.nix | 2 ++
 systems/x86_64-linux/yerukall/.sops.yaml | 7 +++++
 systems/x86_64-linux/yerukall/default.nix | 8 +++++
 .../yerukall/secrets/secrets.yaml | 30 +++++++++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 systems/x86_64-linux/yerukall/.sops.yaml
 create mode 100644 systems/x86_64-linux/yerukall/secrets/secrets.yaml

diff --git a/flake.nix b/flake.nix
index b791df3..1c9b86f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,6 +15,8 @@
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.follows = "nixpkgs";
 };
 
 outputs = inputs:
diff --git a/systems/x86_64-linux/yerukall/.sops.yaml b/systems/x86_64-linux/yerukall/.sops.yaml
new file mode 100644
index 0000000..a416887
--- /dev/null
+++ b/systems/x86_64-linux/yerukall/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &kbwork_yerukall CEFAA4772EBDE0F5CFD1D1B3ED7E4FF32820BDE8
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - pgp:
+ - *kbwork_yerukall
diff --git a/systems/x86_64-linux/yerukall/default.nix b/systems/x86_64-linux/yerukall/default.nix
index 138ae9a..1e2e922 100644
--- a/systems/x86_64-linux/yerukall/default.nix
+++ b/systems/x86_64-linux/yerukall/default.nix
@@ -19,11 +19,18 @@
 in {
 imports = [
 ./hardware.nix
+ inputs.sops-nix.nixosModules.sops
 # inputs.home-manager.nixosModules.home-manager
 ];
 
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
+ # Configure Secret Management
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+ sops.secrets.example-key = {};
+ sops.secrets."myservice/my_subdir/my_secret" = {};
+
 # Bootloader.
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
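Review bot: The new line `sops-nix.inputs.follows = "nixpkgs";` does not match the form used two lines above for home-manager (`inputs.nixpkgs.follows = "nixpkgs";`): it attaches `follows` to sops-nix's `inputs` set itself instead of to its `nixpkgs` input, so as far as I can tell sops-nix would keep its own nixpkgs pin and the lock file would carry a second nixpkgs revision. Change it to `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` so sops-nix is evaluated against the same nixpkgs as the rest of the flake, which also keeps the input block consistent with the entry for home-manager.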
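Review bot: The only recipient in the new `.sops.yaml` is the PGP fingerprint bound to `&kbwork_yerukall`, with no comment saying whether this is the key the host holds at activation or a personal key, and no second recipient. With a single key, losing or rotating it leaves `secrets/secrets.yaml` undecryptable and forces every secret to be re-created, and if it is a personal key rather than one derived from the host's SSH key, sops-nix on yerukall will presumably not be able to decrypt at all (TODO confirm which key this fingerprint is). I'd add a comment next to the key such as `# yerukall's own key, used by sops-nix at activation; keep an admin key as a second recipient so the file can be re-keyed` and list at least one additional recipient under `pgp:` (or an `age:` group) so `sops updatekeys` can re-encrypt when one key is replaced. The same single-recipient situation is visible in the `pgp:` / `age: []` section of the secrets.yaml hunk.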
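Review bot: The new `sops.*` block declares two secrets but never says which key material the host uses to decrypt them: none of `sops.age.keyFile`, `sops.gnupg.sshKeyPaths` or `sops.gnupg.home` is set, so decryption at activation depends on the module's defaults (presumably the SSH host key), and a reader of this file cannot see that trust chain. Also `example-key` and `myservice/my_subdir/my_secret` are the upstream example names and nothing in the hunk consumes them; they should be renamed or dropped before real secrets are added, and real ones given explicit `owner`/`mode` when a non-root service has to read them. A short comment above the block, e.g. `# Decrypted at activation with this host's key; recipients are listed in ./.sops.yaml (TODO confirm)`, would make the dependency explicit. The enclosing attribute set starts and ends outside the hunk.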
@@ -130,6 +137,7 @@
 tidal-hifi
 gimp
 libreoffice
+ sops # Secret Management
 ];
 };
 
diff --git a/systems/x86_64-linux/yerukall/secrets/secrets.yaml b/systems/x86_64-linux/yerukall/secrets/secrets.yaml
new file mode 100644
index 0000000..0b01499
--- /dev/null
+++ b/systems/x86_64-linux/yerukall/secrets/secrets.yaml
@@ -0,0 +1,30 @@
+#ENC[AES256_GCM,data:Y/4T3/21rAYxhZZpSm1ViwpAuce0j09yIoyQJrywm58g4LNPVoc=,iv:p67M9lRr4P/ZkR+y2Qag8fOQrz6g4hRV+RQttzcpqyA=,tag:UvLX6HBB7R8mmYf2p40qVg==,type:comment]
+example-key: ENC[AES256_GCM,data:QNGwQqL+MF5FouF1sw==,iv:v8Wife1Szo2/hckzjnvgEWeO4W7Z3o5T3b6qDBa9ybc=,tag:udthCeK2XO32a7KStPEacQ==,type:str]
+#ENC[AES256_GCM,data:THHKylFfOJAphDzozezoC8MMq9rAgZNQkzjRS8loFs/M9CeWKretPnzHB0ICyIMoV5EZyZ2A0Aw=,iv:zksZsPPUmPRvjKnbJ1hIz5kNF59yLi1AD8qpjnpowj0=,tag:6wN9qZv/Joh0KszXuRO/HA==,type:comment]
+#ENC[AES256_GCM,data:lnNvxw+ZJ/Oxx49IQJ9v4WOb+9nHVnlDw4dUg2eLVh0SC3FmY0OcIYQbkMi04QJAUeGS90Pk+PEge+DBk36kpeRIjWGnN2Oj,iv:5WA7Fv4h0WFs3bIxxY+Jd5iWGq93NErxshSELYAmKcQ=,tag:pK49KZ0LzOXHnaqEDejkVQ==,type:comment]
+myservice:
+ my_subdir:
+ my_secret: ENC[AES256_GCM,data:djPluXw5DIaX,iv:8ETxthGUW9aHp497FYcFOya0clZI0GDmf8BUyf65Dz0=,tag:62zulMRBSE1cHezfOAPcCA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-09-06T14:49:25Z"
+ mac: ENC[AES256_GCM,data:741EU6IW91+D6O22q/fC2QGC7PU/qxSkdML4KBbYohS2tOx9dl7miyooNnSw2nEjE4yd4qxU+OU8ZNxST/dlnOaGa5otYfwByq0FQ7PLa4pSzVSTMvDBHf55JHOL9zbWuWoiPu2WEa+sQ6bU7Rte/4EtXhJBvHhgys0hc0kHIyQ=,iv:QNpw1v8m+AUqdhYq1LdJSUSDeVN9PM/qyEqibyVxCa4=,tag:tysIywxYhCv51eVBQE3NaQ==,type:str]
+ pgp:
+ - created_at: "2024-09-06T14:48:54Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4Dg0be+qgFJlcSAQdACh1dzZqJkACHuha/IvFEhJ5bZvRZ2Gpu/m5VsEUf4xAw
+ B/rjke8hE/MjsPsrbZ6n6GYSO0yMJUceSn5nPKSIdeAVZUjwoBxOm7WTBdu8xRoN
+ 1GgBCQIQPkVvuuTknldWZoAnh38jNMfeYKwNXSmn7QPf62IAt9saeZbKnTfKML0x
+ C3xiraVnYScz24DvYMyVYNkOOFyJiXIwKCeu5AAR0hrH6keVYSw+1cnZiO/gZVJS
+ zVjZOdtPDTTa3A==
+ =tCbr
+ -----END PGP MESSAGE-----
+ fp: CEFAA4772EBDE0F5CFD1D1B3ED7E4FF32820BDE8
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0