Added Sops Secret Management

2024-09-06 17:05:12 +02:00 · 2024-09-06 17:05:12 +02:00 · d7fb53e6ea
commit d7fb53e6ea
parent 8f7033f3a6
4 changed files with 47 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -15,6 +15,8 @@
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.follows = "nixpkgs";
  };

  outputs = inputs:
--- a/systems/x86_64-linux/yerukall/.sops.yaml
+++ b/systems/x86_64-linux/yerukall/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &kbwork_yerukall CEFAA4772EBDE0F5CFD1D1B3ED7E4FF32820BDE8
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *kbwork_yerukall
--- a/systems/x86_64-linux/yerukall/default.nix
+++ b/systems/x86_64-linux/yerukall/default.nix
@ -19,11 +19,18 @@ in {
  imports =
  [
    ./hardware.nix
+    inputs.sops-nix.nixosModules.sops
 #    inputs.home-manager.nixosModules.home-manager
  ];
  
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

+  # Configure Secret Management
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+  sops.secrets.example-key = {};
+  sops.secrets."myservice/my_subdir/my_secret" = {};
+
  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
@ -130,6 +137,7 @@ in {
      tidal-hifi
      gimp
      libreoffice
+      sops # Secret Management
    ];

  };
--- a/systems/x86_64-linux/yerukall/secrets/secrets.yaml
+++ b/systems/x86_64-linux/yerukall/secrets/secrets.yaml
@ -0,0 +1,30 @@
+#ENC[AES256_GCM,data:Y/4T3/21rAYxhZZpSm1ViwpAuce0j09yIoyQJrywm58g4LNPVoc=,iv:p67M9lRr4P/ZkR+y2Qag8fOQrz6g4hRV+RQttzcpqyA=,tag:UvLX6HBB7R8mmYf2p40qVg==,type:comment]
+example-key: ENC[AES256_GCM,data:QNGwQqL+MF5FouF1sw==,iv:v8Wife1Szo2/hckzjnvgEWeO4W7Z3o5T3b6qDBa9ybc=,tag:udthCeK2XO32a7KStPEacQ==,type:str]
+#ENC[AES256_GCM,data:THHKylFfOJAphDzozezoC8MMq9rAgZNQkzjRS8loFs/M9CeWKretPnzHB0ICyIMoV5EZyZ2A0Aw=,iv:zksZsPPUmPRvjKnbJ1hIz5kNF59yLi1AD8qpjnpowj0=,tag:6wN9qZv/Joh0KszXuRO/HA==,type:comment]
+#ENC[AES256_GCM,data:lnNvxw+ZJ/Oxx49IQJ9v4WOb+9nHVnlDw4dUg2eLVh0SC3FmY0OcIYQbkMi04QJAUeGS90Pk+PEge+DBk36kpeRIjWGnN2Oj,iv:5WA7Fv4h0WFs3bIxxY+Jd5iWGq93NErxshSELYAmKcQ=,tag:pK49KZ0LzOXHnaqEDejkVQ==,type:comment]
+myservice:
+    my_subdir:
+        my_secret: ENC[AES256_GCM,data:djPluXw5DIaX,iv:8ETxthGUW9aHp497FYcFOya0clZI0GDmf8BUyf65Dz0=,tag:62zulMRBSE1cHezfOAPcCA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-09-06T14:49:25Z"
+    mac: ENC[AES256_GCM,data:741EU6IW91+D6O22q/fC2QGC7PU/qxSkdML4KBbYohS2tOx9dl7miyooNnSw2nEjE4yd4qxU+OU8ZNxST/dlnOaGa5otYfwByq0FQ7PLa4pSzVSTMvDBHf55JHOL9zbWuWoiPu2WEa+sQ6bU7Rte/4EtXhJBvHhgys0hc0kHIyQ=,iv:QNpw1v8m+AUqdhYq1LdJSUSDeVN9PM/qyEqibyVxCa4=,tag:tysIywxYhCv51eVBQE3NaQ==,type:str]
+    pgp:
+        - created_at: "2024-09-06T14:48:54Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dg0be+qgFJlcSAQdACh1dzZqJkACHuha/IvFEhJ5bZvRZ2Gpu/m5VsEUf4xAw
+            B/rjke8hE/MjsPsrbZ6n6GYSO0yMJUceSn5nPKSIdeAVZUjwoBxOm7WTBdu8xRoN
+            1GgBCQIQPkVvuuTknldWZoAnh38jNMfeYKwNXSmn7QPf62IAt9saeZbKnTfKML0x
+            C3xiraVnYScz24DvYMyVYNkOOFyJiXIwKCeu5AAR0hrH6keVYSw+1cnZiO/gZVJS
+            zVjZOdtPDTTa3A==
+            =tCbr
+            -----END PGP MESSAGE-----
+          fp: CEFAA4772EBDE0F5CFD1D1B3ED7E4FF32820BDE8
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0