From 4e6cf6bf92a9acfa93ed341ba995d74a13507aba Mon Sep 17 00:00:00 2001
From: Ethan Simmons
Date: Mon, 17 Jun 2024 22:17:55 -0500
Subject: [PATCH] Add sops-nix
---
 .sops.yaml | 13 +++++++++
 flake.lock | 54 ++++++++++++++++++++++++++++++++++++-
 flake.nix | 8 ++++--
 secrets/diphda/backups.yaml | 31 +++++++++++++++++++++
 4 files changed, 103 insertions(+), 3 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/diphda/backups.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..8064f01
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,13 @@
+keys:
+ - &admin_ankaa age1079fszreaakwf6xnwu9kra8xcsp4e8q8ed3y99yrhjnz9n3t9pnsj05m97
+ - &server_diphda age1rxqyz6watg05r3rzlme7grpgfgezhlt535gdl7psqys2ec8eegmqchfk4d
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_ankaa
+ - path_regex: secrets/diphda/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_ankaa
+ - *server_diphda
diff --git a/flake.lock b/flake.lock
index 02d1277..bbc8844 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,6 +71,22 @@
 "type": "github"
 }
 },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1718276985,
+ "narHash": "sha256-u1fA0DYQYdeG+5kDm1bOoGcHtX0rtC7qs2YA2N1X++I=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "3f84a279f1a6290ce154c5531378acc827836fbb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-stable": {
 "locked": {
 "lastModified": 1718437845,
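Review bot: Both `path_regex` values in the new `.sops.yaml` are unanchored, and as far as sops treats them as a regex search rather than a full-path match, a file under any directory whose path merely contains `secrets/diphda/` would also be selected by the second rule; since sops applies the first matching creation rule, anchoring them keeps rule selection predictable, e.g. `- path_regex: ^secrets/diphda/[^/]+\.(yaml|json|env|ini)$` and likewise `^secrets/[^/]+\.(yaml|json|env|ini)$` for the first rule. The file only shows public age recipients, so a one-line comment above each anchor naming which machine holds the matching private key (`# ankaa: admin workstation key`, `# diphda: server key`) would tell the next maintainer who can decrypt what, and that the admin key is deliberately present in every group. Note also that a secret placed directly under `secrets/` matches only the first rule and is encrypted to the admin key alone, which looks intended but is worth stating in that comment.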
@@ -87,6 +103,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable_2": {
+ "locked": {
+ "lastModified": 1718478900,
+ "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c884223af91820615a6146af1ae1fea25c107005",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1718318537,
@@ -110,7 +142,27 @@
 "home-manager-stable": "home-manager-stable",
 "home-manager-unstable": "home-manager-unstable",
 "nixpkgs-stable": "nixpkgs-stable",
- "nixpkgs-unstable": "nixpkgs-unstable"
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-stable": "nixpkgs-stable_2"
+ },
+ "locked": {
+ "lastModified": 1718506969,
+ "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index f71180e..325ff3e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,8 @@
 flake-utils.url = "github:numtide/flake-utils";
+ sops-nix.url = "github:Mic92/sops-nix";
+
 };
 outputs = inputs@{ self
@@ -25,6 +27,7 @@
 , home-manager-stable
 , home-manager-unstable
 , flake-utils
+ , sops-nix
 , ... }: let inherit (self) outputs;
@@ -204,10 +207,11 @@
 networking.hostName = hostname;
 simmer = currentConfig;
 }
- (import ./modules/nix)
- (import ./modules/options)
 systemConfig
 (./. + "/hosts/${hostname}/hardware-configuration.nix")
+ sops-nix.nixosModules.sops
+ (import ./modules/nix)
+ (import ./modules/options)
 home-manager.nixosModules.home-manager
 {
 home-manager.useGlobalPkgs = true;
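Review bot: The new `sops-nix.url` input in the first flake.nix hunk does not pin the input's own nixpkgs to this flake's, and the flake.lock hunks in this same commit show the cost: sops-nix brings in a separate `nixpkgs` (nixpkgs-unstable at rev 3f84a27…) and a `nixpkgs-stable_2` (release-23.11) alongside the existing `nixpkgs-stable` and `nixpkgs-unstable`, so two extra nixpkgs checkouts are fetched and evaluated. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";` and `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs-stable";` next to the url line removes the duplicates from the lock. In the last hunk `sops-nix.nixosModules.sops` appears to be imported for every host built by this module list, but nothing in this commit sets `sops.defaultSopsFile`, `sops.age.keyFile` or `sops.secrets` for the new `secrets/diphda/backups.yaml`, so the secret is not yet provisioned unless that is configured in a module outside this diff; a short comment at the import line saying where the host-level sops options live would help. The module list's enclosing expression starts and ends outside the hunk.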
diff --git a/secrets/diphda/backups.yaml b/secrets/diphda/backups.yaml
new file mode 100644
index 0000000..bfc645d
--- /dev/null
+++ b/secrets/diphda/backups.yaml
@@ -0,0 +1,31 @@
+mc-arcadia:
+ repo_password: ENC[AES256_GCM,data:SPP/RmwxAeeyERrMjO7vEqMd/SY=,iv:/U4sbPogBeqJ4vli2MmMb4H4BjMPFO+Fe/uRtyltvsM=,tag:i06a7yIDmhYJt3ARfDaE4w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1079fszreaakwf6xnwu9kra8xcsp4e8q8ed3y99yrhjnz9n3t9pnsj05m97
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcGpQYUVrZElXK2pjeTlj
+ MW9DbHJhZkcvYlk2MlRUcitNQkZxS200YWo4CmxKeVA4Yk9VOWxqMHNqTUZDYm1G
+ YU8rZFBPMDhSTHN3eWU4Y1ZaRmRsakkKLS0tIHFlWllHVWNEeHZ0UHo5eU5Id0hj
+ dkRiYWRxTTI3QktpTFVlZDRma0NGN0UKdTh5HDNuqWWq4HFkoAaRJyqRU64TPr4u
+ BG+PkJuFwEzX/Zql0f8janB1U2xNA9B+GT6l62xgYSXaij1QgSKDTA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1rxqyz6watg05r3rzlme7grpgfgezhlt535gdl7psqys2ec8eegmqchfk4d
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwbkRJeHI1VVVxQXFQcVVC
+ S2xVb1RiNGtpcmprQUgrbjRzN01VZ1FwNWc0ClpzZGFYOXQxZlplRExnOWdjdTFN
+ SHJWODQ5RG4yL2YyMmdRcG9DK0tyZG8KLS0tIHpCZHlKRGdVTGhOSGNmN3dXMGlv
+ aGtybEc5TWlwUUZvaDByQWU5aU1RM28KMSkwEEtDVACF8vO5dNxls4XWcmssMMTR
+ p2HRAb7UytCIYUtZ+FxEWKhozGP/RZ562Gmr3Ae5+E08bexebIzdiA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-18T03:14:52Z"
+ mac: ENC[AES256_GCM,data:B0rqLgUfVOxS79fKaEU8nH48Z5Kdex77vEWkuIUb14nd0pwvXY00HbLYwYQq3o9Lhfto60oRb/QVXMvMa+SCL6+23mZ2sBOBT9gRDDN6z45i1cdfZRjgqrctrQnwM914D9M3UVBdmrUdtijBY53xxGOFB9VZFkaf8R8gbSaanrE=,iv:efLjdoBadMe6b0CUGd4ZmFJEBgCxYYHYwSHnsGJ1nGY=,tag:De9FijcgKYMmo1TLW8gspw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1