Use sops for secrets
Since I currently do not have access to sayuri, its migration is not done yet: its host keys and its wg-home-private-key secret still have to be added.
This commit is contained in:
parent
b595aceb7c
commit
4a8a7e0a4f
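--- a/.gitattributes
+++ b/.gitattributes
@@ -3,3 +3,4 @@
 *.svg filter=lfs diff=lfs merge=lfs -text
 
 **/secrets/** filter=git-crypt diff=git-crypt
+**/secrets.yaml diff=sops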
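Review bot: The new `**/secrets.yaml diff=sops` attribute only does something if the developer's git config defines a `[diff "sops"]` driver (sops documents `textconv = sops -d`); without it git silently falls back to a plain diff of the ciphertext, so the README should mention that one-time setup. The `**/secrets/** filter=git-crypt diff=git-crypt` line directly above is kept, so the repository now carries two secret mechanisms side by side (the `../secrets/aria2-wireguard.nix` import elsewhere in this commit still depends on git-crypt). A comment such as `# git-crypt remains for the *.nix files under secrets/; new secrets belong in secrets.yaml (sops)` would make the transitional state explicit for the next reader.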
28
.sops.yaml
Normal file
28
.sops.yaml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
keys:
|
||||||
|
- &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
|
||||||
|
- &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
|
||||||
|
- &nunotaba 8C5091AEA213FB0642BD46F943EE19743FAC1D5C
|
||||||
|
- &vueko BB046D773F54739757553A053CB9B8EFD7FED749
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: machines/nunotaba/secrets\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *simon
|
||||||
|
- *nunotaba
|
||||||
|
- path_regex: machines/vueko/secrets\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *simon
|
||||||
|
- *vueko
|
||||||
|
- path_regex: machines/fuuko/secrets\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *simon
|
||||||
|
- *fuuko
|
||||||
|
- path_regex: secrets\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *simon
|
||||||
|
- *nunotaba
|
||||||
|
- *vueko
|
||||||
|
- *fuuko
|
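Review bot: The trailing `path_regex: secrets\.yaml$` rule encrypts any secrets.yaml not matched by the three host rules to every machine key, so a new host's file (the pending sayuri one from the commit message, for instance) would be decryptable by nunotaba, vueko and fuuko, and per-host isolation is lost by default. Failing closed is safer: drop the catch-all (sops then refuses to encrypt a path with no matching rule) or restrict it to `- *simon`, and add an explicit rule per host as it is onboarded. The host rules are also unanchored at the start, so `^machines/vueko/secrets\.yaml$` pins them more tightly. The machine entries appear to be ssh-to-pgp conversions of the hosts' SSH host keys (the UIDs in keys/machines/*.asc read "root (Imported from SSH)"); a comment saying so would remind the reader that rotating a host key means re-keying that host's secrets.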
|
@ -23,9 +23,7 @@
|
||||||
* `users/simon`: [home-manager](https://github.com/nix-community/home-manager)
|
* `users/simon`: [home-manager](https://github.com/nix-community/home-manager)
|
||||||
configuration
|
configuration
|
||||||
|
|
||||||
Secrets are managed with krops’s integrated support for
|
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
|
||||||
[`pass`](https://www.passwordstore.org/). Permission management for them is
|
|
||||||
implemented in `modules/secrets.nix`.
|
|
||||||
|
|
||||||
## How to install
|
## How to install
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,6 @@ let
|
||||||
kropsDeploy =
|
kropsDeploy =
|
||||||
{ hostname
|
{ hostname
|
||||||
, target ? null
|
, target ? null
|
||||||
, secrets ? true
|
|
||||||
, extraSources ? { }
|
, extraSources ? { }
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
|
@ -46,12 +45,6 @@ let
|
||||||
};
|
};
|
||||||
nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
|
nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
|
||||||
}
|
}
|
||||||
(lib.mkIf secrets {
|
|
||||||
secrets.pass = {
|
|
||||||
dir = toString ~/.password-store;
|
|
||||||
name = "nixos/machines/${hostname}";
|
|
||||||
};
|
|
||||||
})
|
|
||||||
extraSources
|
extraSources
|
||||||
];
|
];
|
||||||
in
|
in
|
||||||
|
|
28
keys/machines/fuuko.asc
Normal file
28
keys/machines/fuuko.asc
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
xsFNBAAAAAABEACkl9IfFWt7bGRtnJmDsv3sfotEQZusmFA6d9+Lh3J3Z5Ekx1Yz
|
||||||
|
wIf26Y2MgOtxv8AJJ8QW13wH8/NOrySTPUaaQwjmkiv+7Hp3Ez7uoSg7BRrUXVez
|
||||||
|
oo6dIStda5rNmx1ClYnzBVu0q54/mOayYWxeJOTl1YVKr7cSx2jcV+h5vEMZYeym
|
||||||
|
AkHGNoFz83dguwNWTZvURjp6B65G84w3YuZyG0YHeQ8Lr0gCJDEmrP2NzIuXeGWy
|
||||||
|
VEaE4XAUOF/9T+WVkuQmz6Drnqpw59Wc/J51Z2bz/2KL1oI1vR1HSzJlv7kc3joJ
|
||||||
|
63yYv0TXy4AeptWoY8FX2wtHxfIUK6ClHNfBhjis0cYgvru0KZSMNAGQutlGB0yA
|
||||||
|
2YHOS1vSPXfdyKbODCP08CpA1lufYapJwSNgU0c5d22OCCYvdwdr0HRc/0zmUoVH
|
||||||
|
/ge2SL0dRTm85ny/wEE5TgL9qnh3iWpWM60lCX3MgkHRnfgmSYn/FJHB4+3miQ31
|
||||||
|
hYkw1X1ee5ZFNsptVT5vtz/b1reVA/+v6moReIsFaWKxEgGFHXBYCRt8HnxyYvcv
|
||||||
|
jv9B+qpL12p7gflMr/trA5xTu9yQLpLqxSRpl1vebLo5p6H084pUelwFtBq/hLs6
|
||||||
|
bEPw5R/n/7EyPauDeEPb/xHKACez3hhdS+GqxgcaaLqQZN1w7/cxXBVSFQARAQAB
|
||||||
|
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
|
||||||
|
AQgAFgUCAAAAAAkQacgYfJxDdU4CGw8CGQEAALeFEABb6uheTtzwh2pmbEfahsMf
|
||||||
|
3Umb9E1hGVaKz9KUez2gU/C3EbnELm7qPSP8Bj5gp5hF527YpwcPTGMKXD+SyyUE
|
||||||
|
w+1lFun6RNEEeeJoOEtDoQZA6j4bcpZqvR7r7jAhdU1LHuIjD+4AM4jrTF3B2BrN
|
||||||
|
LpuX70MO0zX0b6ryHeH+9y3iCDmxViXmn0EVG/MLAjguWMrimZ66R0raKfs4eRR4
|
||||||
|
WbbFRl+xXPOv5JvPVhl0BQItVXrTTXFnRNF8y0AxmpxGZ8uFr3PwN9xB9I4o25mu
|
||||||
|
5Pj+aEfJkHTiMqzG44+TITu4pN3xvy32yqO9skn99pz16Q1jQy1cYYnl64nfktJ5
|
||||||
|
cH9Unq5CQIzyugrHhFTruN4PZR07mMMoIHRNisKOVifoyEQPqKUEOsYsaEv+zeU3
|
||||||
|
a42acC3AXJJrSgjN5XoA7bV4RRmU3QYQUsO87gJF2I3xnZwKkRL8R+g0cZeBTaG3
|
||||||
|
U1DwKNfb2WhiAtagixVk7bsKknYJDar41LA0FM5i6uRez+Pb1y8yscD9TP3xiR5d
|
||||||
|
m+/mbrz4fF+5ifRqhvfsewcZIwkVVXR0pBK8c/eGL7YrZ1pJwt3JDsWfM50TGvS1
|
||||||
|
O9LCghAw/SZPfyBik0vKc3R01Pfj3yC70gsG6DI9bIG1UavLhbGQCgDPcEpDZiIt
|
||||||
|
N7RsQdc2NwPnMMMH4mTAvg==
|
||||||
|
=9jYa
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
28
keys/machines/nunotaba.asc
Normal file
28
keys/machines/nunotaba.asc
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
xsFNBAAAAAABEACo9KbNVEL7yttMyACGIxYS5UvkJDsXJiuIzPWmrzhVzDXTs1hi
|
||||||
|
3iS0EjkVB8mm8GLBKI25Pc9b7Rb2B3XeRcu2btUtWH61aBPOwcqpg8vt0MtcieZN
|
||||||
|
lpmwFBg0QtBdSrnUr/GdekRDcenSmIVPh8cyb9KCyJgcGxvTFWkd5lhrdQoAWAdM
|
||||||
|
TynUd8tKvmp9R6z54uPuGNUHbmNmHHDtv7LSOD79DIi+32bQGHevNTkCeXJNLO1P
|
||||||
|
5YJdz04xb7kGEhUodYoAx7RB2M18BdTk97XA7sHmoI3TayARHssPWtqJb1B8CK8x
|
||||||
|
uSHi1L7tHOF74pmo6V4Rt41gECMKjxLzXwB87hnrBxQ5UT8VZx5MBBQm+nfNKYH0
|
||||||
|
MWAvWvaHGwBzNPabeGgaCoRT2OhC+0q4hPnYMxdSA61IYN6fch7LYfJdaPxOdGKH
|
||||||
|
/IMW091tS1JF9aY0ZGGy52DCVa+bC+4yHziqpCzf7aPJ4oCYtxZ904t6hocKlggG
|
||||||
|
bEM879Or9/nZ63smodUP907msUpFdvXUfFckAWAKms/SECN3lRvBnVj7VsHylvdi
|
||||||
|
gwUI+XkEw6NXscsTGepSWgQppz4hmQWFAhfkYZYl0P59HRyXa+PdyQeH+jDOlyNg
|
||||||
|
B6yIdCJWwDEiCvErqfJ9mulgrmZWePrjPYHOy1iFUueSoupxEbzBkm6LIwARAQAB
|
||||||
|
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
|
||||||
|
AQgAFgUCAAAAAAkQQ+4ZdD+sHVwCGw8CGQEAAHFMEAAB8oxf8GD/w6932R30qybr
|
||||||
|
Y6kJukhmsTSPszeILmIU+F0BDBekgPxApFZRHRjAbAfra131emtj1xrUXGi+Y2UL
|
||||||
|
E4wN/Ebaxc5TfJk46iklxHsRUNG6ikJOcSz8zIl2LYN1BEOYOOGTtJqpWq607ngF
|
||||||
|
hkK6FDqKYcomrWGfGOzp33ts4j8t52zwsipms7Z1x9DqQmYEZcT6kvPbAUKQh2oj
|
||||||
|
chTI6FixsL63UH26JtlxPwrXqDGy1LwL2VUzlTHYYAuo3A+t6gEWveMCv99jLa2U
|
||||||
|
jVdjhjSTC6vX+7Rj3qko1Gns9h2JmsBSpocEvpsOGseAGA6uVoZcbWG5AzW/729b
|
||||||
|
xkQ9mL2Ya/htPwG/pzzuHvmK/YdFdUYQvZJr82Gvtkiu0/KUN21FU5BeE0Zg0kCk
|
||||||
|
pM5s8vJtj87eJ4UsUNlDtVX1DtwHAP8G2Dmpd2lWkD6ulovwpNcHLQ+Q+YH7UyU6
|
||||||
|
OjZzlX5yf4Tndm+Gv8YhnTOm6Bo6jgiMIZpJh5qObA0oY8dEAiDdy7mVsNR0AFUn
|
||||||
|
lWBjVAfO4keEwMPqs/RBONofixRkZLoX54s3ypAS8ltr/Qlxjk3fzDLf/en01uL8
|
||||||
|
qOjTkYBRwfGZdIPVuTYsncxBVSh9/MPKF1zEYpTSFF4hxhW+00R9mpvNiqO4CHia
|
||||||
|
x2KNnq/P36Mpcv6X7j4U4Q==
|
||||||
|
=5d0j
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
28
keys/machines/vueko.asc
Normal file
28
keys/machines/vueko.asc
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
xsFNBAAAAAABEADQYi6d6/laFq0OQWLZYL/48/SF1gnej22Ob+Cy0Tm0d2w9lU95
|
||||||
|
hASROWy6ZqUFwVXKp85uh6UJtA6q2XpaodfurGciCW7DYOjPNexJ0o2xmyFqGB/s
|
||||||
|
PuQDB4NxGXhCyNBXa42adfIlDyYHo5zIDuglMbwr7CQ3RZ1ktxudaA6t9Zlw/5pM
|
||||||
|
c1RXuTwvlhLGstnAz/ojNFwEH4lzYIIRpW4GXmWrtnmjXL/z4LLplYrfPGnsPIij
|
||||||
|
Qf31vhIrEp42nzJIY2wjshZaTvj5y0QIBPfgy9Q9I8/YwxFSY2wt3x8ooGLkTw4v
|
||||||
|
bshqUReatSdoIL4snCaA1oFtnKpqv2vJy/Z6LvURA4e/sbD+c5lMBTE/EkVgvCkC
|
||||||
|
6AbvCxwYHxB2G+lizKgRrQ8tVNDEHOFJBKNMaJAXpzz50ItaSpC+8FrYEP+y7iHk
|
||||||
|
0SBzKlJv3F+yuo1WrD4gHyxHAxACa2eDUU+EikO9BrOh78unOmWYEWVCju+ICHHP
|
||||||
|
STpW8jvEkldttv9Zr4YBDe22sjLKGuqngqabfSCokjjtEPgABCuJMLaGMW5nQm1K
|
||||||
|
Qdr0OHjr1apQMG454CMl4SGoXuNv0XIAcDpaR9xUB5cbBmAmwOWtdrqP2z772+9E
|
||||||
|
jw2WwavW6bn/cApa6BHSK+PQhF9wWvASy138i4m7aCLC8cteukOd6jCexwARAQAB
|
||||||
|
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
|
||||||
|
AQgAFgUCAAAAAAkQPLm479f+10kCGw8CGQEAABX4EAAT59Yhu+JwOlmSI9UlzM/E
|
||||||
|
FJ+A8AHijh7Fc8+TjqnA7HmUSlhhVzhuSpjsSt8f1wswNXdcM9N7A5p0DCPZ+caG
|
||||||
|
9TyUrQXktiUdOj3O8bAwnsp7c/GYSBpIjhK1ZN8giN/c66l6z5IcolLA/KBPkMOp
|
||||||
|
2ipPBNjD7bk4khAzAqbPxGxGcpHqaNCS/nC/ovRlcQ2O8rgedXhhRZackuy6gw5+
|
||||||
|
fwGyrnAt9oVthBqhYSUNItQwEPWnEj1yZzsQVvpCX61Vkh7qfqiG/ewvWVVTVOL3
|
||||||
|
lEV5EUsFhiNX5ORUm3pk2qqELR8FbcVzTWf8sLgRM3NeqnotPS3rcHFb11Crh5SD
|
||||||
|
kqoAK2U0oYdGj5wlOH/yNtO5Q1auKwQ0Unttj8zmy55tCwqTiSrahmVxksCyINJn
|
||||||
|
B7h4Xct0ENH9gK/03aEGSZCzLxNG3BpOAOjWU+Ir5W2QLVxZDJT1KiaSftf81h9I
|
||||||
|
k57QsrXAoJNfzwONphQGSVKADBa0Y1P/zkm91gOcuIh3WXZ7BRcn5YZ72POqf61o
|
||||||
|
4uvT5xnDH2Y7upsCMTQkOUCenRUspapQZEQP+tZgQIwli86UeXfcPsqXX8j5QiJD
|
||||||
|
5HOl1jSRt5Rh4rqHfWYyobvLaEnWFEc3H/tYWSkk/w1ideiB3jMCdw65clQHGqJy
|
||||||
|
benF3GpcdU5XwmnJZ3XrCA==
|
||||||
|
=4Idg
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
52
keys/users/simon.asc
Normal file
52
keys/users/simon.asc
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBF/lCz0BEADKOij3IA1IIiZc9c8rgxTUtrn4W1R8ncgsnFuXIDGD35dBB9e0
|
||||||
|
wd5noQigoqts9N8ULHEV6J8AuBdl1IP2nAKAr6h3F+hrLjL5tZZCPpTN5fhxWguz
|
||||||
|
wt6aFZgcFwFmQfZHSInxO2XpcibyJAs5ZXW3cO+VYQdVxXLT6KOLKkqWCCGMlQSt
|
||||||
|
xNigzNbrjUcjrcGBcjNbFJs0P4BkVvD6+3xBerpT6zwAuFdBiUpZZk+XI1QCAuVF
|
||||||
|
6ld5A+x+pwvKoN/n040UAUAdLTne7oisNonLhSvZVrH2uH4dKkku/yi2glSkUwps
|
||||||
|
n+ffr0jD9VrdbxktcqQBE0WU2q7Eqe6EjSxURHI6uJ/wFh0QeYR8sT5mgPMt5O9T
|
||||||
|
T49Kz2uUdljuHW0eI37DJSUDcXWh0OtuENRFf7m0lvIIaaPpbPM4btS8j9lCFs9h
|
||||||
|
pJsQIQbNjV+UmIBvddDKGwcL+DHJFk0E2sqPYOwsebvbQLhVvPSPWWUVKrqMay9Y
|
||||||
|
Vd9KKy/KddESzM6c3TFmUbkEj1h4qWSZ0XX0vGL8LL68maaDHwO1nKuw/XfSpjAC
|
||||||
|
c+3wuqAgwFB+ihO/qWs8CB0z+wo+7NK9OUUVVucu2duUUjNknf6+v6fPedtziapp
|
||||||
|
SHVQQKWYvozxVa7XU+dnrU3ZUHzIrv6Fr6yTdGy6fw7pE3yPFIwbw9vsowARAQAB
|
||||||
|
tB9TaW1vbiBCcnVkZXIgPHNpbW9uQHNicnVkZXIuZGU+iQJSBBMBCgA8FiEER+dV
|
||||||
|
ngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwMFCQeEzgAECwkIBwQVCgkIBRYCAwEA
|
||||||
|
Ah4BAheAAAoJEI08gvnzCfjsYFoP+weWMfiJ3mMeBeZBBcgp9NZTjrJoc2tKn/9s
|
||||||
|
RL4PL/3lwLRSEu6JS4LauAD6fW1d5QnNnUe4nIcvTO6RvJ7R/lDWg1KL+pdCfYtk
|
||||||
|
FiIesUkp+eW5Gqw5m6Bt1a9UjXdtHJuVGKQ/XjxC2914Ps6nhp5mY+NUm5zwZCBK
|
||||||
|
qbjiPjD17TeTCThEui3kwl0sgBhNX/eCPpJZtw3u7vzxpN24+sX8Ogo9r4nRtHKv
|
||||||
|
64vVggiT1Iu9JXm9KYlySFDZed9iVbgM2wKpylw1I0+F4VS8Jw/RDiIW61exKxAe
|
||||||
|
VuxPzbIGeJ0R8u0ZcvTiRbXr7op9barUDCQFn2K2oHXd8uCMUULinlO2pPYyshGh
|
||||||
|
znnZcZIvawqtWnImNnyTvKYe5Il9w2fmm6SzwRmcMvHBZ60eJC/PmnhpRcpBxyiG
|
||||||
|
mAWgFmmgMhc81wcPZFD0Mp91twMDHRchgfmBBlNdqMBt9nNJ2Mm7o52mVX/daMG4
|
||||||
|
VCqLdvbW9mWkyQVjfBq30XabanzN8RST63LlZEwArQqFpH8OifNMHI22fW2xGvPq
|
||||||
|
09k6SLA9qbobGFw+OGKIaGHiVbFq5aeTkqHr0sgL8QBHUJWv+SE0q49GfDDvA4JE
|
||||||
|
iDsLW6RJuNFGTaBq/NzN3A7iT8tTcdClYc7MSQxsEyTpuU+BlC9ewNC4cV/PyJ8l
|
||||||
|
13yeMkdZuQINBF/lCz0BEADs+rV9/tDQ6hyJlgMEKA34LjV4OEBdpwnRS51juXYt
|
||||||
|
nJiRC22Ljs6FY3NivOQPUNJR4yLU7/FGCGgyXlsLEyMIqH5Lldq1iaTMY8FHSdc4
|
||||||
|
e+BM4QYCiaYT05Jqeydorq0fZe0nIXobK7RqB4dG543JNzrttotQ94qpx/cFUy6i
|
||||||
|
ADxp216IyDFh0q10TKao/GB2gwkbOlRNuLYXXUMDON9i8VL0Yh7p0KhZuOl2vREm
|
||||||
|
9/IQDJJHFv4CbSTmdQ0de+k8rVgyiW05SdYq3vrqRmNuI9fbGTf3vw8bHljq1SiH
|
||||||
|
VoapbNJ8CnQCRzrsaX+pOlJwFVUUjxco7iyCHKFobfx+3ju5kwc+i/58nDiSkxMV
|
||||||
|
DPqfjFXnN+72EihfHiw56k1zIRhF9D9b8eq6aqGOIgTtjRujQUR9Rn5BJRZ87/pR
|
||||||
|
nlZsS3wE3nQxOo7fXKv9FU7TyEy6gu1LuK53dUk5xLlu4zMoIP8mc/mZchXqsksi
|
||||||
|
JSWPFDeXh9HLFhKyzintRxdXNp5xV5XaXsMlFkNiTBLUHLbU8Ln9tiLcuJZ29y3b
|
||||||
|
ynLtVo+GN4+G5b+koIoZ9065qSJ0coBPMUa6o7go2e1/oil+xKmtM3UHS+mMNa+4
|
||||||
|
elSqSRdpv3Xgo5lLNP+e60FpN155/93Hq33UMvh8rS9KVaQgp0c1unP99ewY84ra
|
||||||
|
9QARAQABiQI8BBgBCgAmFiEER+dVngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwwF
|
||||||
|
CQeEzgAACgkQjTyC+fMJ+OzfUBAAkVNY0chFGvzWHOxEKNJY9rW5EQrayrKPNhjr
|
||||||
|
3j9xHoD+1AO7Yinqgd8Ribw88l1+2lVQGHIpIQ2ZPDz/XGND5FvP5PrW71FcUJ/z
|
||||||
|
AKaEnYP4iZ1jgnjp280bJ2iHBMmHc5cs/7OwTCs1uos1kWhjLGA9M12OWDWN9iqB
|
||||||
|
+UJo5W8hs9c5LpYp7ByThQp+g0m3E/ZWSbfZqi0BqWX/X6QC1MMXYS1lZcg6qttF
|
||||||
|
rs6d9hquNHZO7PkI73Ph89DWdxMIirmmn4Iwv88w3jW1KJXiGJbp0N2yooZFtsq+
|
||||||
|
Yd5SHexET9rtU49BfeggEcWuDWJCGvPqdqCfAH6lKe9ddXwQx/R4f+Ffib8WYA6k
|
||||||
|
49HA55U6WfPs74yfbR09mh79kDV2uQgtkaHFJyuVuO4e3oyUoqe3hQdqOMR2lCAR
|
||||||
|
NSc7j5JdR9LxkUDqjUT8ipjzsTxwgPHaO0QkUjugs2v1TpivsDSRooI7NzWFTxbk
|
||||||
|
MkUX5BGUnPnEivBiB3n++1o5kZp1jk3OAi8cqVkosOMjduWei8f6yKpQ4ZKg9cH7
|
||||||
|
ovqpDS9R6CDrACDPNJSTBn2VyOdjGVc4FrhGsXp3FAe5prt1b9psvYTTuXrZZJZP
|
||||||
|
dI1cLPI0Knyymf56gVMGCjp+x1+w7ef0ylGLPtFEuy/6iqWR3H5htZDQo3AgOVgd
|
||||||
|
R7VFGCA=
|
||||||
|
=7eg7
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -50,7 +50,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
users.users.nginx.extraGroups = [ "keys" ];
|
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";
|
||||||
|
|
||||||
services.postgresqlBackup = {
|
services.postgresqlBackup = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
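Review bot: `SupplementaryGroups = [ "keys" ]` on the nginx unit looks vestigial after this migration: the sops-nix secret this host hands to nginx in the same commit (`prometheus-htpasswd`) is now declared with `owner = "nginx"`, and as far as I recall sops-nix defaults a secret to mode 0400 with the owner's primary group, so membership in `keys` grants nothing unless a secret explicitly sets `group = "keys"` together with a group-readable mode. Either drop the line or add a comment naming the secret that still needs it, e.g. `# keys group: needed only for secrets declared with group = "keys"`. The `lib` argument this line relies on is not visible in this hunk; confirm the module header binds it.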
|
@ -47,16 +47,10 @@
|
||||||
loader.grub.device = "/dev/disk/by-id/ata-CT240BX500SSD1_2045E4C67C52";
|
loader.grub.device = "/dev/disk/by-id/ata-CT240BX500SSD1_2045E4C67C52";
|
||||||
};
|
};
|
||||||
|
|
||||||
krops.secrets.luks-data = { };
|
environment.etc.crypttab.text = ''
|
||||||
|
data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 /root/luks-data luks
|
||||||
environment.etc.crypttab.text =
|
data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a /root/luks-data luks
|
||||||
let
|
'';
|
||||||
keyfile = config.krops.secrets.luks-data.source; # path is not yet available
|
|
||||||
in
|
|
||||||
''
|
|
||||||
data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 ${keyfile} luks
|
|
||||||
data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a ${keyfile} luks
|
|
||||||
'';
|
|
||||||
|
|
||||||
fileSystems = {
|
fileSystems = {
|
||||||
"/" = {
|
"/" = {
|
||||||
|
|
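Review bot: `/root/luks-data` is now a hand-provisioned file that no declarative mechanism creates or permission-checks, and the same literal is repeated in the initrd `keyFile` setting elsewhere in this commit; a single `let luksKeyFile = "/root/luks-data"; in` binding (or a small option) used by both would stop them drifting. Please add a comment on the crypttab line recording how the keyfile gets there and its expected mode, e.g. `# LUKS keyfile is provisioned out of band (sops-nix secrets live on /run/secrets, which is not available in the initrd); must be root:root 0400`. The removed krops declaration at least re-deployed the file on every run; that guarantee is gone here.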
60
machines/fuuko/secrets.yaml
Normal file
60
machines/fuuko/secrets.yaml
Normal file
|
@ -0,0 +1,60 @@
|
||||||
|
drone-rpc-environment: ENC[AES256_GCM,data:2Alck43ZrOFzhY7fKonIyboROD5qGuKkalTXlUZM0vBYTNeFLblU4u4tIIaA4t9nNO4=,iv:EakQQ/8pVZlIzM9PbNB0EGzSW46t/dWbxOtQo6uVAhs=,tag:NEhSgzkx8AxIjqtGetGG9w==,type:str]
|
||||||
|
drone-server-environment: ENC[AES256_GCM,data:73uDSq+u3nGiKhLqdhdegTIvec9mF9jxVLJLtCjer5jUiFEZu5PkeYv0AWAyLWbB7s8b0V+4fxNQo/QsAfBWH0eP2TVOAy1TAo/sOso9PEVRaQCdilw39UJBdT8II3dy9YIfGFUXRUXCMU+1xfzUFjhU0s7sc+mYQ4jEj2ZX90UbUDcbgppNjC7KIHo8mQdrxFHeMq+wQpaoncwFMlwwzn8lFlG75+dMnkPGYa4xSqkwjHn2tewLM8f9dCiBQVoMVQCWo+1RieMq2cd3CYEkP7MPl+y3OA==,iv:kggBBXdN01LJ82azzxOZap1lfWglshCjkKqaU+oi+T4=,tag:Zg0Ay2aLGok4fgX3/y4ILA==,type:str]
|
||||||
|
gitea-mail: ENC[AES256_GCM,data:ck4S9YJ1BLUb6+mOrRmg22KWI1xQwsdIw1dowNk1OOk=,iv:+aQiTSGzmBOLYbIVgwH/SIhslKgdJKoL1ZaGAXCeqHY=,tag:H3vCEGMktqAV/9BASVR5tg==,type:str]
|
||||||
|
prometheus-htpasswd: ENC[AES256_GCM,data:eJOWrcTC3YISJJLuQV6sxzD0r8Gr8uoUt48D9sSEHhsbNUUy3pDgIPqJHrkG0ek2sIF6NvpWdDGK1kFcduRAL9h7nLxQLOtf7dxsdObGlPH5nwe6CwdR+1wTE/2WzrsmTGnUrMjMiBgLPV2yRiQg3VJ7W1Me8tHPYHrqYhM=,iv:WvgwIoIfxc3vyjF+znyUzOElv+sd/thoYpxWVaIavx0=,tag:9FnRw7ol++1PCbl1c2IyoA==,type:str]
|
||||||
|
restic-password: ENC[AES256_GCM,data:IVFXmuzzvvqDS0T3P0R5ZMIn2wdkbE1AqwDMkWqMpDdCOVMP4/HhP4jF+tEarq22,iv:Eu6Wspzm0rPl0CuSoYTTLz+MmaEtmwCD57nH2JTBuaA=,tag:tKqt5Z7nF7lLcSsDKS4E3A==,type:str]
|
||||||
|
restic-s3: ENC[AES256_GCM,data:VJ/jgYnUSkbsNMb1ciLiCcRVEpuaznsSFf0QkEnPhTRHpFv4Nt0f8ARnNtG5j3iXSIT4+H2+5HWKXEsjhvL85p0XE3xe4h45xGKnvvVO2obF+b/zsMDdceFJtLbcq+APzPBjchYU,iv:W+80GhAvYD/52dNZsNYiEhiLo4dhO8oxkd+GAbk42NU=,tag:Kj9CaGo/xAmYxdoLE/Lo1Q==,type:str]
|
||||||
|
synapse-registration-shared-secret: ENC[AES256_GCM,data:lNzK/7QAk4Scv+lNM8bTTKvowI139c4R4Y7Qpq60n8R61aahlxrnWc/PUEOv85Pdx+8IdBOLnV0kp7OQF6tStGBBCOkAicYmnsLoR36DmuDCvTSKVArryV7BrxL8pv0=,iv:ZT9IIF7W0NHqvnU3lPQclVS5uXXK5HIQUzXNYwYFMIo=,tag:a/sUixOlHEvn5ZOINPwQlg==,type:str]
|
||||||
|
synapse-turn-shared-secret: ENC[AES256_GCM,data:I5QbouvLvBpjroux5TTi8gIAHeyNb5KXV1g9sbTdqjD4YoMaedHSiC53h+ZMmqNCKor64e6iP58Y6SbMaTfFaEl0CyK2GqfcSBrlHxKj0GSWaopO5kLS,iv:qsfHxHykY+oZOaMGw5Tvq8a6zBUDxH3B5q8QKdT1oSk=,tag:75OOrVtztDsLYeTglKPYCQ==,type:str]
|
||||||
|
wg-aria-private-key: ENC[AES256_GCM,data:qbxpfNRocrXDbUJ3MwR5WMXX8LB4Vnv9HMXN403ANaBbCLrRTEL9hy93roY=,iv:l2DYXGY1wN1rP2bG/s9uSwRhbvCUm2T6IJy5LKzguqk=,tag:51S+m1P1EtHk1QWEjdUCUA==,type:str]
|
||||||
|
wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
lastmodified: '2021-04-06T11:40:14Z'
|
||||||
|
mac: ENC[AES256_GCM,data:k9GRiDmXoKFN96NMGHt0rjAMklKIsnFUgWRP7iUQeA5j0uG4lo92KzJCMsHCIicDdF+NnNmEigeXE1eI7iet8K+rAh9x1wO8CiO/5ITsNeCzJO/PsfVxZHL1h9dqirjMkqGvKA//2nocEGv9uT/k6xezriDktBkDbLBIWg3Jfek=,iv:T5mO4IuPqO7jRRhQm2LMoW51D659SL4zVXBHbdt0Qgg=,tag:ahtBYe/18kHpGWHtqeKlAA==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: '2021-04-06T11:27:21Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAwDgSONkM+d4AQ/+KSo1N4aEuIAF2JMX+3RborUdEMIJNqIQsBYejPF4o5UD
|
||||||
|
25XVDt+GrC4Lx6OJsWobLOHm+FDLPzm4Zfo+grU+JaEBo0ZSthUul610iqChwEGF
|
||||||
|
zVMkNKARsZE7lDQ3uN54Mq/A7RQaav4mrt1AbHTOwBR9UdG5hrEJ8JZjObS7Gqz2
|
||||||
|
/OFpX4xr214IA9ALx+O2UIkSAJT9u9Ann/xcKL5GpwE9etcGZbYqOhAPaSzbOSDr
|
||||||
|
BtWuM8Z5nKb1O90pXEe16yVUmFXyO7T+lU1gDrDReSXJJFg7zcjMY4s9rro2H7xq
|
||||||
|
u0z/ufl4sf1E5u7fLLpzrVcqKJAOw+fvfoPeqMrNsGy3r3AdATw9jPp6giRoB8qL
|
||||||
|
xm3gGvs/VedBBqbXMDSCTIuhBcTu3/rrTWb0TJeuMz9RM01owkvtTrL3zjwK81BK
|
||||||
|
pNTwz2a49ylCiDS8Vin2u2jwjoRlri4mPTzw5pvcGqNAoNopv6cjawGQ2toCD5qG
|
||||||
|
tqx0hY0uXAE1cnfewFC63VGFbaBwfCYLryjGLefRH7XFOAcqZ3dlZFi5lJTVnnXO
|
||||||
|
44uO7dW8wfJj45USIEoG6D0BiRU7JPUhgPIjMa1cEI4XpoBSj13EACxovE3z5AYa
|
||||||
|
pX72eJHMkKZ5u+eRrXkrFSGFWkYBGKtgIdbgXn1i9Zw/Ewbf7Qz8kC83kxkih7jS
|
||||||
|
XAEbvfL1DTAHDEyAXFoI2ekIoTTGAtCpsadQcTZ3+3DeWU5R8X29vflEG/kSeRO4
|
||||||
|
m2npmJ9OCKyEN+zAd/WRIQ0wChFgadlTugsDcmXazdvzJ1qJiuNGmzpRn3QF
|
||||||
|
=dltN
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
|
||||||
|
- created_at: '2021-04-06T11:27:21Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA2nIGHycQ3VOAQ//RC1NMySQoeqfTGEKFB7LwC3o0yLTMHAqoi4qm2Q8jKxH
|
||||||
|
6zSjHNoYI9+2VNEWJcSvUwd9ks79jkVOAWO+Lmv2h1QT3RrsSsj16VZwl+ORp50/
|
||||||
|
+PDrZjaimMafAKaqGJ3HaPlzFX7jUjCHS0yCaF6WIU1ztRLVnHAv3p8dsPzQ1w+7
|
||||||
|
p1h0oQ2noWibl2GLGI3+1O3sv1N5tusTGZWFacG6VsTbtbJmbVCO5FQRqX7vcJtM
|
||||||
|
xfClghFPoHCGbN5W1NWpo/a/lOLUucqO7bFB5DIOoXme6SSS7lrYQKtjBQy/4DRe
|
||||||
|
r3VIjvS6ncVUIYPPnEMlxI3MPUB2lwJLG2B89XNNWwfwREUXTG4DEg09Z6jMUqVr
|
||||||
|
yNO67YCF95fNUQFMQ0LWyVsWZW1n1ef7/iKtDHNoFubCVGjWimIa3ZDX/e4WemEN
|
||||||
|
ww7dab2RXEY3oTLJZwAFMN4jeqUfpgH1TOvcs9OHwF0CQjJIDyDj6uyt6wYqITT2
|
||||||
|
dorhmn1FN/tUUNn4hE0iRjFaD1QrN30KZ4pQ1S/G3IkHGzJ4AlelO0j9yE2VMR2q
|
||||||
|
E8wEhVtDlO/VAYZSx7tJ7jd24gFsGlL70OfSXvo7jyNpo+OjaN9yy5Qy8iogwpGC
|
||||||
|
Jua/Y7+XORx3+SVB+1AUNSwCABOhWL2RQGnGxRRQrST4uEv2Gn6IV5sQuPz6my3S
|
||||||
|
TgEtH78YDDWHFdEE4b3lQaPAR8NGNvuE0btjpdeR7QoTOAkmg0SaUNqAoqrz80jj
|
||||||
|
7kdIBtI8XA2CW/oXYcoxHlkqbPNqPAhaRu3YDci8oQ==
|
||||||
|
=ukYv
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 2372651C56E22972C2D9F3F569C8187C9C43754E
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.6.0
|
|
@ -31,7 +31,7 @@ in
|
||||||
PAGER = "cat";
|
PAGER = "cat";
|
||||||
};
|
};
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
EnvironmentFile = lib.singleton config.krops.secrets.drone-rpc-environment.path;
|
EnvironmentFile = lib.singleton config.sops.secrets.drone-rpc-environment.path;
|
||||||
BindPaths = [
|
BindPaths = [
|
||||||
"/nix/var/nix/daemon-socket/socket"
|
"/nix/var/nix/daemon-socket/socket"
|
||||||
"/run/nscd/socket"
|
"/run/nscd/socket"
|
||||||
|
|
|
@ -5,9 +5,9 @@ let
|
||||||
group = "drone-server";
|
group = "drone-server";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
krops.secrets = {
|
sops.secrets = {
|
||||||
drone-rpc-environment = { };
|
drone-rpc-environment.sopsFile = ../../secrets.yaml;
|
||||||
drone-server-environment = { };
|
drone-server-environment.sopsFile = ../../secrets.yaml;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.drone-server = {
|
systemd.services.drone-server = {
|
||||||
|
@ -24,7 +24,7 @@ in
|
||||||
DRONE_USER_CREATE = "username:simon,admin:true";
|
DRONE_USER_CREATE = "username:simon,admin:true";
|
||||||
};
|
};
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
EnvironmentFile = with config.krops.secrets; [
|
EnvironmentFile = with config.sops.secrets; [
|
||||||
drone-rpc-environment.path
|
drone-rpc-environment.path
|
||||||
drone-server-environment.path
|
drone-server-environment.path
|
||||||
];
|
];
|
||||||
|
|
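Review bot: Setting `sopsFile = ../../secrets.yaml` on each secret here, while the restic and media-proxy modules in this same commit declare secrets without one, means this host must define `sops.defaultSopsFile` anyway; at that point the per-secret path is redundant and the relative `../../` spelling becomes a maintenance hazard when files move. I would set `sops.defaultSopsFile = ./secrets.yaml;` once in the host's configuration.nix (presumably machines/fuuko/configuration.nix) and reduce this block to `sops.secrets.drone-rpc-environment = { }; sops.secrets.drone-server-environment = { };`. Both files are consumed as systemd `EnvironmentFile`s, which systemd reads as root, so leaving owner and mode at the sops-nix defaults is correct and worth a short comment.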
|
@ -1,10 +1,13 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.gitea;
|
cfg = config.services.gitea;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
krops.secrets.gitea-mail.owner = cfg.user;
|
sops.secrets.gitea-mail = {
|
||||||
users.users."${cfg.user}".extraGroups = [ "keys" ];
|
owner = cfg.user;
|
||||||
|
sopsFile = ../secrets.yaml;
|
||||||
|
};
|
||||||
|
systemd.services.gitea.serviceConfig.SupplementaryGroups = lib.singleton "keys";
|
||||||
|
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -32,7 +35,7 @@ in
|
||||||
clonePort = 2022;
|
clonePort = 2022;
|
||||||
};
|
};
|
||||||
database.type = "postgres";
|
database.type = "postgres";
|
||||||
mailerPasswordFile = config.krops.secrets.gitea-mail.path;
|
mailerPasswordFile = config.sops.secrets.gitea-mail.path;
|
||||||
settings = {
|
settings = {
|
||||||
mailer = {
|
mailer = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
|
|
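Review bot: `SupplementaryGroups = [ "keys" ]` on the gitea unit looks unnecessary now that `gitea-mail` is declared with `owner = cfg.user`: with sops-nix's defaults (0400, owner's primary group, as far as I recall) the file is readable by the owner alone and the `keys` group adds no access. Drop the line, or if it is meant for a secret that sets `group = "keys"`, say so in a comment such as `# needed for group-readable secrets under /run/secrets` next to it. Note that `sopsFile = ../secrets.yaml;` is spelled per secret here while modules elsewhere in the commit rely on `sops.defaultSopsFile`; one convention should win.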
|
@ -6,11 +6,17 @@ let
|
||||||
domain = "sbruder.de";
|
domain = "sbruder.de";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
krops.secrets = {
|
sops.secrets = {
|
||||||
synapse-registration-shared-secret.group = "matrix-synapse";
|
synapse-registration-shared-secret = {
|
||||||
synapse-turn-shared-secret.group = "matrix-synapse";
|
owner = "matrix-synapse";
|
||||||
|
sopsFile = ../../secrets.yaml;
|
||||||
|
};
|
||||||
|
synapse-turn-shared-secret = {
|
||||||
|
owner = "matrix-synapse";
|
||||||
|
sopsFile = ../../secrets.yaml;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
users.users.matrix-synapse.extraGroups = [ "keys" ];
|
systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = lib.singleton "keys";
|
||||||
|
|
||||||
services.matrix-synapse = {
|
services.matrix-synapse = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -71,7 +77,7 @@ in
|
||||||
suppress_key_server_warning: true
|
suppress_key_server_warning: true
|
||||||
'';
|
'';
|
||||||
|
|
||||||
extraConfigFiles = with config.krops.secrets; [
|
extraConfigFiles = with config.sops.secrets; [
|
||||||
synapse-registration-shared-secret.path
|
synapse-registration-shared-secret.path
|
||||||
synapse-turn-shared-secret.path
|
synapse-turn-shared-secret.path
|
||||||
];
|
];
|
||||||
|
|
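Review bot: The two `sops.secrets` entries are identical attrsets repeated by hand; `sops.secrets = lib.genAttrs [ "synapse-registration-shared-secret" "synapse-turn-shared-secret" ] (_: { owner = "matrix-synapse"; sopsFile = ../../secrets.yaml; });` states the intent once and keeps them from diverging later (one silently getting a different owner, say). Switching from `group` to `owner = "matrix-synapse"` is the right move for sops-nix's 0400 default, but it also means the `SupplementaryGroups = [ "keys" ]` line kept below is most likely dead; remove it or comment which secret still needs it. `lib` is used on that line; confirm it is bound in the module arguments, which are outside this hunk.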
|
@ -184,15 +184,16 @@ in
|
||||||
# get rid of “could not call action: authorization required” every scrape
|
# get rid of “could not call action: authorization required” every scrape
|
||||||
systemd.services.prometheus-fritzbox-exporter.serviceConfig.StandardOutput = "null";
|
systemd.services.prometheus-fritzbox-exporter.serviceConfig.StandardOutput = "null";
|
||||||
|
|
||||||
krops.secrets.prometheus-htpasswd = {
|
sops.secrets.prometheus-htpasswd = {
|
||||||
group = "nginx";
|
owner = "nginx";
|
||||||
|
sopsFile = ../secrets.yaml;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."prometheus.sbruder.de" = {
|
services.nginx.virtualHosts."prometheus.sbruder.de" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
||||||
basicAuthFile = config.krops.secrets.prometheus-htpasswd.path;
|
basicAuthFile = config.sops.secrets.prometheus-htpasswd.path;
|
||||||
|
|
||||||
locations = {
|
locations = {
|
||||||
"/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
|
"/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
|
||||||
|
|
|
@ -98,14 +98,14 @@ in
|
||||||
"d '${homeDir}' 0771 aria2 aria2 - -"
|
"d '${homeDir}' 0771 aria2 aria2 - -"
|
||||||
];
|
];
|
||||||
|
|
||||||
krops.secrets.wg-aria-private-key = { };
|
sops.secrets.wg-aria-private-key.sopsFile = ../secrets.yaml;
|
||||||
|
|
||||||
networking.wireguard.interfaces.wg-aria = {
|
networking.wireguard.interfaces.wg-aria = {
|
||||||
interfaceNamespace = "aria2";
|
interfaceNamespace = "aria2";
|
||||||
preSetup = "ip netns add aria2 && ip -n aria2 link set lo up";
|
preSetup = "ip netns add aria2 && ip -n aria2 link set lo up";
|
||||||
postShutdown = "ip netns del aria2";
|
postShutdown = "ip netns del aria2";
|
||||||
|
|
||||||
privateKeyFile = config.krops.secrets.wg-aria-private-key.path;
|
privateKeyFile = config.sops.secrets.wg-aria-private-key.path;
|
||||||
} // (import ../secrets/aria2-wireguard.nix); # potentially sensitive data
|
} // (import ../secrets/aria2-wireguard.nix); # potentially sensitive data
|
||||||
|
|
||||||
environment.etc."netns/aria2/resolv.conf".text = ''
|
environment.etc."netns/aria2/resolv.conf".text = ''
|
||||||
|
|
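Review bot: The private key now correctly stays out of the store via `privateKeyFile`, but the line below it still imports `../secrets/aria2-wireguard.nix`, a git-crypt-protected Nix expression, into the configuration, and everything that reaches `networking.wireguard.interfaces` this way ends up in the world-readable /nix/store and the generated unit (the `# potentially sensitive data` comment is acknowledging exactly that). Since `wg-aria-private-key` has just moved into secrets.yaml, the peer endpoint, allowed IPs and any preshared key could move with it (the NixOS wireguard peers accept `presharedKeyFile`, as far as I know), after which the git-crypt file and its `.gitattributes` filter could be retired. At minimum, expand the comment to say what that file contains and that its contents are store-visible.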
51
machines/nunotaba/secrets.yaml
Normal file
51
machines/nunotaba/secrets.yaml
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
wg-home-private-key: ENC[AES256_GCM,data:u4svQwAMai742deedGbhr2Pk6wGdmztb1L+93ZQl9eZ8qAfOPhDrcmXAVSQ=,iv:ilMwQGV8+9Bk78lq6slLgKtQaWPgdTbwgA6pxgK5gLY=,tag:Vui4xbbvreC6j2UxrR0o3A==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
lastmodified: '2021-04-06T11:11:35Z'
|
||||||
|
mac: ENC[AES256_GCM,data:mP+I2i2Iam02GnIwnzO+AfQNaPKPyHR7JhVf5zrt2p1MuMBkDH5LZp3BT4YDxetj9u5bevyTuC4x2gZ+H2lcBUNovuXYLPEoNqE+MvwRHitSkDEV6qR5CPaA63AJll9dW6P0+c7Dv0QZTyO2Zs71Hk9hJEnUEmNbqo1xhgATvFw=,iv:hJ/Yaa55/O5XnRie8MKbe+vz4C4qFF8npOLy4E+9jBk=,tag:9ljgygjLx3fcid4XuJcebg==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: '2021-04-06T11:11:32Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAwDgSONkM+d4ARAAwkb7dnfNKpXcCxT+G9lgoS78eIlMQz/y5Ask6ENviXun
|
||||||
|
reSn7/DQJeFBhtK6XODqDUjYkg0VihviFGl47Fw7HfVZKYpG1KB7bXMiBBPycwAB
|
||||||
|
b0OmBMAwfH6tdfIye6shcal+4I1qlhCKmWBtNcg0KKd95EMK3sGki5l8cRlsFO/e
|
||||||
|
IA1f5Xw2/t8tfFdYIXrSqwInGcMIOKLBCO/NH7Fcw0enqZz4L9X5StfdxeHnirnt
|
||||||
|
QFw05FoH2LgTfDiF2MRbllRIVQD0XwylleL+4EAZGl83vsn95j/1CPuBtAq+Nnen
|
||||||
|
uKpVTyCMUiaokKHOMlNsv6elqxCHEs9ai9pwFkVZrBAoofjVEzuPoFw+2E9Fpvtk
|
||||||
|
hsAoSEPFLL9SKHpVTzaC3h272jrImQWitkqlZYzpaWAdDnG/3imRXx1cqX1AgJdz
|
||||||
|
hE6GHoBkDZ/TmE5DBNqQZ7h1JXvJPecu8EFaGwPKcq/AR3zgH6D1iUfpAPfoMpir
|
||||||
|
ngTHeZAsfUcaQ1h3KP9d6Atq6Q13C3SJL9DyE2NYl5NVMwLcBx8qSetItzwMpix4
|
||||||
|
XqEj9jjpiUNYaY8oM9uzuGSDHlGsFPBEsvpqnDV2a2FqOmDS+faEgH7eXnqdbXgp
|
||||||
|
xBHH4F6hgUees0gpsum8Uf5yaZilaGkNJjKfpGPgI3W4WyFq10kk4lu4Zbgg3VfS
|
||||||
|
XgHcM8JkYx9cvsPO/QFbcOhVZeV60kyjHZY+bOufJ6iG9f8MrtsXY5IVx2I/wjCM
|
||||||
|
j3/YrY7vXK31i8toVf7+sPxipjoMItkppBg2Uo5SJg7hqksfBan/emVVT8zrOcY=
|
||||||
|
=swUH
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
|
||||||
|
- created_at: '2021-04-06T11:11:32Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA0PuGXQ/rB1cAQ//T/ieiP/sj93zsDnMZNuahlyONBeY3Z5IbKCCi6iAl05b
|
||||||
|
9bKKcKr37nPm/np2pAZjmGftNEpkwjfF047Qg9AcmnwyoIeOiYIGR6ILtnRwtjri
|
||||||
|
tx5RBDMpmPs/h3xocaqAWfHKxXGT452GKy6taOiHitjJcIWUKX0pFdOucw5u5/AL
|
||||||
|
mimc4S0W1iLUxXmNJAy/YxQKvBzkXtDx6/ixEm5JnxSG6Xn+q6Go9VPFGBOQLKnt
|
||||||
|
1WHSUVu/6gHjtYmnt5VqDKjVY/pjZZrsLfFHAH8RlYPJMp48jQjoXptrZgdtPV7p
|
||||||
|
+fu+sEgMBal8W4YaI8bHG6iliYvSZoMcpvFsdoIhxThXzyZjMZCEY/h9a8oYqmdk
|
||||||
|
6RQZl63LlxsZi5v5Db31pbaiPC30R6rTuCm5n4wTiOKqQ4WG61yd9Sc/R/3vT6ux
|
||||||
|
hZRywmZUVjVBT+TnZ+Eclcg2xm27Tk+uIRMYq4mjP0XV3oYCA+1o+La6YBpmBgMH
|
||||||
|
kpFbx3IcxHJT2gRFTg7bg78NYvgb5CYRFGz0sfnhlrwjLgYQFzJT7l2w/2yFDQdo
|
||||||
|
u+bDwF7cvNyGQiEEJilcuh1Cf/lk/1Ol+9LQftF2bNNzoKn2QzDeTp11bTrhPJnj
|
||||||
|
HNLwZjNord4fF7pak7bSkjYYKrhW+NpzN1oT7ioQ7V3If99Em4wMssGLRrzvBgLS
|
||||||
|
UAGk4FkNoLosNdxNDovwHwUK2T0zPWuOZ+wvRPcZQk9fTycdXo8MhiyaLaU09Nsh
|
||||||
|
mWG2tdK/8KDP1aXupXzT70XQUk2q8QxwRYAJOa3NupXV
|
||||||
|
=pjuj
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 8C5091AEA213FB0642BD46F943EE19743FAC1D5C
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.6.0
|
|
@ -43,7 +43,7 @@
|
||||||
label = "data";
|
label = "data";
|
||||||
enable = true;
|
enable = true;
|
||||||
blkDev = "/dev/disk/by-uuid/576088d4-9aae-4159-a028-feadb2621a1a";
|
blkDev = "/dev/disk/by-uuid/576088d4-9aae-4159-a028-feadb2621a1a";
|
||||||
keyFile = "/mnt-root" + toString <secrets> + "/luks-data";
|
keyFile = "/mnt-root/root/luks-data";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
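Review bot: `keyFile = "/mnt-root/root/luks-data"` hard-codes the same path that the stage-2 crypttab in this commit spells as `/root/luks-data`, with nothing tying the two together; a shared `let` binding or a small option used by both would stop them drifting silently, which for an initrd keyfile means an unbootable data volume. A comment is also warranted: the key is read from the already-mounted root filesystem, so the data volume is only as protected as the root fs and that file's 0400 permissions, and unlike the old `<secrets>` search-path form nothing fails loudly at evaluation time if the file was never provisioned.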
|
@ -100,12 +100,15 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
krops.secrets.murmur-superuser.owner = config.users.users.murmur.name;
|
sops.secrets.murmur-superuser = {
|
||||||
|
owner = config.users.users.murmur.name;
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
services.murmur = {
|
services.murmur = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
superuserPasswordFile = config.krops.secrets.murmur-superuser.path;
|
superuserPasswordFile = config.sops.secrets.murmur-superuser.path;
|
||||||
acmeDomain = "mumble.sbruder.de";
|
acmeDomain = "mumble.sbruder.de";
|
||||||
config = {
|
config = {
|
||||||
bandwidth = "128000";
|
bandwidth = "128000";
|
||||||
|
|
52
machines/vueko/secrets.yaml
Normal file
52
machines/vueko/secrets.yaml
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
murmur-superuser: ENC[AES256_GCM,data:jTVEa1KmbGAIxxFS2/uIlDCnnJTtGmKFZQ==,iv:YJIfcXlgKEwIRzFEY94dgReNjWZqLAqL0Rb6TG4IHIE=,tag:MVzaRkb24QyyNyFCEMwmzQ==,type:str]
|
||||||
|
wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
lastmodified: '2021-04-06T11:14:32Z'
|
||||||
|
mac: ENC[AES256_GCM,data:eMx+ls4NHFqKNwW4XmrtVsizbtnASeO38cw3oPeSlvW8NbT8yUZWRxRofhzg3nD3icyGcwhImVMKHgVz5305zwvrjx0D9n+URe733WPcMmfR39G0FfXz+9kob6p5TVruKjL6qTPmyNRD+8E8CvmBmnwPwRW46F5Pvadum2SZJ3c=,iv:zVxvTUJaTx57KAglUkSNzGsxcX0csPU4qYkkLHwl7bs=,tag:a2Al47gGxFm6XubaTAdw9A==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: '2021-04-06T11:13:54Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAwDgSONkM+d4ARAAxn8UVtRKn0s+wpuUBpk3cCwSSa3te4BjHshyNrI3TyZ9
|
||||||
|
A2jEVz7xfZXItD5VMs9cZmwhm5kD5qC+2qFauwAnQA8JVn5pCKL1gVxGZURZHgPe
|
||||||
|
eLON75sxWCt6+A+HCXvl8x8ay2ZMSgQ3N+SSuqrihMKe0UcsngzAJQS4qIUPIrQd
|
||||||
|
YQYkm2Nf6n1Ya+t05W0CRqyHLLkwObOF0OWN/t8wvBOh4HY2UCRqvXqSEz6nCb06
|
||||||
|
8jDfy6GLhJBjSMV5000/GTvnbVNH11vYjqq0U/2k33HYD/ddX2TPRarWKQsWi8Fe
|
||||||
|
QYYMjU/zIubNQ1y2Iv89zzpd7DBVFlnCkjnSIjxop+eR4Kk8EUkJnGFHlRek67lc
|
||||||
|
k9le8sdlBTYBahT48igpKWfxrZ3bky27O39TLY7luLAXxpjWTGZ//8WD3eJyiY9d
|
||||||
|
k/TmI7ZLLtR42NKeD/anVmHpSf/rHtgHWwYm1m0Qz0/mvKWhZbdkFTPGWMPVAPNu
|
||||||
|
hBiBjuXd1Gt8ekKr3jZxLR4uRCzzeCA/zXib4x7HvYs/9cLib2UblHsB2hLYwZQ8
|
||||||
|
ah59+O51SrcJWcq56kRhwKbrqh6Oui/KCXUSTdbO2auwtzBxUMmcbJAZV5cxRdtA
|
||||||
|
eD9RXW8WfXVtcmvJ+B9Ab52+RfdYmd/bVpljLPY1kmUEKZG08jDfH08kAtcScyLS
|
||||||
|
XgG0mxcyhD+ZiGIeLgIPUwFC0UT8FT2V0+VAAso1CVH+iIzdF+9BiGPpc2usoOiY
|
||||||
|
XDcaU74seCR/EeiuMWfEeNasu6EULEG+AKOnG9s8zoPp5730EG9v8r4q7ma89jc=
|
||||||
|
=JlIF
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
|
||||||
|
- created_at: '2021-04-06T11:13:54Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAzy5uO/X/tdJAQ/9Hx6h7IIjr4vwFPC3UCx07rt/lljWHwqA8d8bN3VIcVWJ
|
||||||
|
39doJ3DigerCeZWZo/5Wvdm1TBLnbvnQndl+7EcP5mbAuGUmNo2VajTBOkFoySLa
|
||||||
|
A6g0HwkztuftjtxQV2ICunw1NEsqBCWlNKziGKBjEzsDgOuXLzIaN5ArJAkiUFel
|
||||||
|
kH8jGyHCP6W+nplHE1zOD20SA/oIyRfLW1m+G7d8KU6EuluaPSgASocS6t4oGtsG
|
||||||
|
gnApj6WwWOdM3tDefxtYxa/PlPDXo4gj+Dhak6mOMK88UW/wrDC/f4fYL9JrILmT
|
||||||
|
ImjtA+BIWCI9nLkeo3FTTFhtfr+evOhCsLc8qGL/NMCVZOXB0gK7rpCsReBRQS09
|
||||||
|
4t2KGI1Jti01rNFYvdTN16o59+oF0DoFYnE2dXHAnBA4jmWt+9eDqd5TPmlsuIyr
|
||||||
|
XBiqBcKK+1z0/3ad7nv7vb8jOYkUjKasJl+qhLUaUD5ehojfaCawDMUVia7Y2k72
|
||||||
|
yS77m3m/hCEq0vVvUvMev7hvSTKbfQy3gQkjcnWGavbFfdz64pVBI/KgSJPBM5YE
|
||||||
|
1VFRFZIf30wOF9Xlt++9Cc6xFMQH9JVLG/WouK5On4mfdWwcfnMLgpu83qmYtS6b
|
||||||
|
30hYAuuqKUwWDMbZtXsYOrfb6HXGqs0mtBfpJzgFaiZyHyIVVhb/blXF4ML4dfnS
|
||||||
|
UAGUryszfSsH+ag2oerNKEaDFmgdktmL0FdpP3ycf2qVkMmBNbTpTf2BZaVPcrzF
|
||||||
|
mSfsOU6k+KcWtXYpurZr31zUVK626Re0fsr5XbPSj+9G
|
||||||
|
=Grqu
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: BB046D773F54739757553A053CB9B8EFD7FED749
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.6.0
|
|
@ -59,6 +59,8 @@ in
|
||||||
./udev.nix
|
./udev.nix
|
||||||
./unfree.nix
|
./unfree.nix
|
||||||
./wireguard
|
./wireguard
|
||||||
|
|
||||||
|
"${(import ../nix/sources.nix).sops-nix}/modules/sops"
|
||||||
];
|
];
|
||||||
|
|
||||||
config = lib.mkMerge [
|
config = lib.mkMerge [
|
||||||
|
|
|
@ -2,19 +2,19 @@
|
||||||
let
|
let
|
||||||
port = 8888;
|
port = 8888;
|
||||||
services = {
|
services = {
|
||||||
"media" = config.krops.secrets.media-proxy-auth.path;
|
"media" = config.sops.secrets.media-proxy-auth.path;
|
||||||
"torrent" = config.krops.secrets.torrent-proxy-auth.path;
|
"torrent" = config.sops.secrets.torrent-proxy-auth.path;
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
|
options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
|
||||||
|
|
||||||
config = lib.mkIf config.sbruder.media-proxy.enable {
|
config = lib.mkIf config.sbruder.media-proxy.enable {
|
||||||
krops.secrets = {
|
sops.secrets = {
|
||||||
torrent-proxy-auth.group = "nginx";
|
torrent-proxy-auth.owner = "nginx";
|
||||||
media-proxy-auth.group = "nginx";
|
media-proxy-auth.owner = "nginx";
|
||||||
};
|
};
|
||||||
users.users.nginx.extraGroups = [ "keys" ];
|
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;
|
||||||
|
|
||||||
# otherwise name resolution fails
|
# otherwise name resolution fails
|
||||||
systemd.services.nginx.after = [ "network-online.target" ];
|
systemd.services.nginx.after = [ "network-online.target" ];
|
||||||
|
|
|
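Review bot: Replacing `users.users.nginx.extraGroups = [ "keys" ]` with `systemd.services.nginx.serviceConfig.SupplementaryGroups` only works if the process systemd starts is the one that reads the secret; if the nginx master in the pinned nixpkgs still runs as root and switches workers to the nginx user with initgroups(), the workers' supplementary groups are rebuilt from the group database and `keys` is lost, so a worker opening `config.sops.secrets.media-proxy-auth.path` at request time may not be able to traverse the secrets directory. Which of the two applies depends on the nginx module outside this hunk, so a request against the media vhost after activation is the only reliable check. Keeping the membership on the user, `users.users.nginx.extraGroups = [ config.users.groups.keys.name ];`, covers both cases. The switch from `group = "nginx"` to `owner = "nginx"` is consistent with sops-nix's default owner-only read mode, but a one-line comment saying why owner rather than group changed would help the next reader.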
@ -67,7 +67,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
krops.secrets = {
|
sops.secrets = {
|
||||||
restic-password = { };
|
restic-password = { };
|
||||||
restic-s3 = { };
|
restic-s3 = { };
|
||||||
};
|
};
|
||||||
|
@ -75,8 +75,8 @@ in
|
||||||
services.restic.backups.system = {
|
services.restic.backups.system = {
|
||||||
inherit repository;
|
inherit repository;
|
||||||
inherit (cfg) timerConfig;
|
inherit (cfg) timerConfig;
|
||||||
passwordFile = config.krops.secrets.restic-password.path;
|
passwordFile = config.sops.secrets.restic-password.path;
|
||||||
s3CredentialsFile = config.krops.secrets.restic-s3.path;
|
s3CredentialsFile = config.sops.secrets.restic-s3.path;
|
||||||
paths = [
|
paths = [
|
||||||
"/etc"
|
"/etc"
|
||||||
"/home"
|
"/home"
|
||||||
|
|
|
@ -1,66 +1,3 @@
|
||||||
# Adapted from https://github.com/Mic92/dotfiles/blob/23f163cae52545d44a7e379dc204010b013d679a/nixos/vms/modules/secrets.nix
|
|
||||||
#
|
|
||||||
# All of the users wanting to access any key under /run/keys have to be a
|
|
||||||
# member of the keys group (or be root). This is a hard coded limitation of
|
|
||||||
# NixOS and I haven’t found a way to allow everyone to access /run/keys/ (not a
|
|
||||||
# security problem since the keys themselves are given the right permissions).
|
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
let
|
|
||||||
secret = lib.types.submodule ({ config, ... }: {
|
|
||||||
options = {
|
|
||||||
name = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = config._module.args.name;
|
|
||||||
};
|
|
||||||
path = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "/run/keys/${config.name}";
|
|
||||||
};
|
|
||||||
mode = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "0440";
|
|
||||||
};
|
|
||||||
owner = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "root";
|
|
||||||
};
|
|
||||||
group = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "root";
|
|
||||||
};
|
|
||||||
source = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = toString <secrets> + "/${config.name}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
options.krops.secrets = lib.mkOption {
|
sops.defaultSopsFile = ../secrets.yaml;
|
||||||
type = lib.types.attrsOf secret;
|
|
||||||
default = { };
|
|
||||||
};
|
|
||||||
config = lib.mkIf (config.krops.secrets != { }) {
|
|
||||||
system.activationScripts.setup-secrets =
|
|
||||||
let
|
|
||||||
script = ''
|
|
||||||
echo "setting up secrets…"
|
|
||||||
'' + lib.concatMapStringsSep
|
|
||||||
"\n"
|
|
||||||
(secret: ''
|
|
||||||
${pkgs.coreutils}/bin/install \
|
|
||||||
-D \
|
|
||||||
--compare \
|
|
||||||
--verbose \
|
|
||||||
--mode=${lib.escapeShellArg secret.mode} \
|
|
||||||
--owner=${lib.escapeShellArg secret.owner} \
|
|
||||||
--group=${lib.escapeShellArg secret.group} \
|
|
||||||
${lib.escapeShellArg secret.source} \
|
|
||||||
${lib.escapeShellArg secret.path} \
|
|
||||||
|| echo "failed to copy ${secret.source} to ${secret.path}"
|
|
||||||
'')
|
|
||||||
(lib.attrValues config.krops.secrets);
|
|
||||||
in
|
|
||||||
lib.stringAfter [ "users" "groups" ] "source ${pkgs.writeText "setup-secrets.sh" script}";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
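Review bot: The removed header comment was the only place documenting the keys-group constraint, and the three remaining lines say nothing about it even though the media-proxy change in this commit has to grant nginx the `keys` group for the same reason under sops-nix. A short comment above `sops.defaultSopsFile` would preserve that knowledge: `# Secrets default to the repository-wide ../secrets.yaml; modules with host-specific secrets set sopsFile themselves (see modules/wireguard). Unprivileged services need the keys group to reach the decrypted files.` Because this default points at a file shared by all hosts, any secret declared without an explicit `sopsFile` becomes readable on every host able to decrypt that file, which is worth stating here so future secrets are placed deliberately.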
@ -36,12 +36,14 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
krops.secrets.wg-home-private-key = { };
|
sops.secrets.wg-home-private-key = {
|
||||||
|
sopsFile = builtins.path { path = "${toString ./.}/../../machines/${config.networking.hostName}/secrets.yaml"; };
|
||||||
|
};
|
||||||
|
|
||||||
sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;
|
sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;
|
||||||
|
|
||||||
networking.wireguard.interfaces.wg-home = {
|
networking.wireguard.interfaces.wg-home = {
|
||||||
privateKeyFile = config.krops.secrets.wg-home-private-key.path;
|
privateKeyFile = config.sops.secrets.wg-home-private-key.path;
|
||||||
ips = [ "${cfg.address}/24" ];
|
ips = [ "${cfg.address}/24" ];
|
||||||
listenPort = if enableServer then 51820 else null;
|
listenPort = if enableServer then 51820 else null;
|
||||||
peers =
|
peers =
|
||||||
|
|
|
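Review bot: `builtins.path { path = "${toString ./.}/../../machines/${config.networking.hostName}/secrets.yaml"; }` converts a path to a string only to copy it back into the store; `sopsFile = ../../machines + "/${config.networking.hostName}/secrets.yaml";` is the idiomatic form and gives sops-nix the same file. Either way the file is chosen by hostName, so a host without `machines/<host>/secrets.yaml` fails at evaluation rather than at activation, which matches what the commit message says about the host not yet migrated but deserves a comment above the option, e.g. `# the WireGuard key is deliberately kept in the per-host file, not the shared secrets.yaml`. The enclosing `config = lib.mkIf cfg.enable {` block continues past the end of the hunk.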
@ -70,5 +70,17 @@
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/cachix/pre-commit-hooks.nix/archive/c7e3896e35ceea480a7484ec1709be7bdda8849d.tar.gz",
|
"url": "https://github.com/cachix/pre-commit-hooks.nix/archive/c7e3896e35ceea480a7484ec1709be7bdda8849d.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"branch": "master",
|
||||||
|
"description": "Atomic secret provisioning for NixOS based on sops",
|
||||||
|
"homepage": "",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "441227c4fd831818fb55f366ea16ea6364850102",
|
||||||
|
"sha256": "0dv8kbax83rrvq599q5m2x4xi805iv343r68fmh7k2i44c0s4kck",
|
||||||
|
"type": "tarball",
|
||||||
|
"url": "https://github.com/Mic92/sops-nix/archive/441227c4fd831818fb55f366ea16ea6364850102.tar.gz",
|
||||||
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
94
secrets.yaml
Normal file
94
secrets.yaml
Normal file
|
@ -0,0 +1,94 @@
|
||||||
|
media-proxy-auth: ENC[AES256_GCM,data:KaYd8TCMVlHbgoj1QQfRwTXAK2hJUDr0UJqhTXvILylyR+mdJy7smn5EtFdNNFWZk6eJituvGG7naT2/UiNoYne4ljlJhu/IuObTLY5AI9ELDtYBDQ==,iv:qo6SOaHrWsXfvRwgSKDTSnreOcO9xy3RKrfE2k+VLEg=,tag:SND1zp2Cd2gqQdOVWw2eWw==,type:str]
|
||||||
|
torrent-proxy-auth: ENC[AES256_GCM,data:9XuDRdUjOClPuZFvI7VwYQdbegzg400zfmFmE3qt5kTo6bD7m74V9F3b73aUueqMQ+80PxBc1KusTTlPYy2LAf6mT4PQ2TpqSu0kBXAezfL4e5fxdQ==,iv:26d+hQ9yn5CzDGNZvi9A5bvzgo87IrJHz67xTac4UA4=,tag:5FtjmtIY1gSixu/9UZhBVA==,type:str]
|
||||||
|
restic-s3: ENC[AES256_GCM,data:lRcwoChzSX+ICXyafAtBGjkBTBdzL5v/imUL2yHtApMOe+MkP5CjXr47WoWGt17tdLPVRQ9v7/6jcagTKIk3IfjmhRhMip3CMyPkio62uDxArlaKpi9GoZNQOCt+XHWlpiBJ609H,iv:yrp2QZLXJypWh5XjsAHcpiXEPUcYF8A+mQZ+W2w7zpU=,tag:Xis3NQ2KNQqG+Rmgzpy3Tg==,type:str]
|
||||||
|
restic-password: ENC[AES256_GCM,data:Bi/WJAVECgBegIZMV/MZN8kvHyxsh/xERAnZ6TQ1OIOkffqkWBwx6DCS1cVJ0Nzz,iv:8/WPCuGfLkd0LkLTEr7pjpT8kb/P64VICppDeEcKDIE=,tag:JLgYEekrZG91AapztOYBTw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
lastmodified: '2021-04-06T11:12:39Z'
|
||||||
|
mac: ENC[AES256_GCM,data:guWWnJb9153SmSFwvDEqru0GGYUgQCmCtDb/bmKCehUvQ2ecVDulYYKAQ5jq2v3Eo5pfKmdrtIMV/jf6TOwNyEqBuWxU5aUODMheSqYgDNKAcFSvwpdldyVATspt7XT0s0waUbFBPjMOmQC0TEp5rtZXS7PlRT8DgohUlyy6jhI=,iv:Eh3Uwctaw0hrI6Ux2q0WUixZiLF5Fdj3/AVG8PluCHc=,tag:Jo3bzKNQzH7tsatfLphagQ==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: '2021-04-06T11:13:25Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAwDgSONkM+d4AQ/7BodHEMmqPhO3VSvOa8lqTHHXv9HxL5T9MkaMlclTGW4W
|
||||||
|
EVaVsUUbONpsUUXxS0l8hOFBOwZuZMJyDVhtyjdRAnFYFjbbM35iKIaaDgn159nq
|
||||||
|
VJC4uwFuU90+Ps8zoxRdf9I+0hYv/LOCI9FDlUY6gTRNvf1Nv2Lh3uPXRjZQJE6q
|
||||||
|
U12IAfqSL/o3UWsozR/8qcaHIBx8nOS5eb1r4PSKikvmigz0KUyyOmZSh5GYXVIo
|
||||||
|
HoJOG5goCX1Fo6in4slW15CAwyir+owwtN0mQPH9tgoOSeEUK00c2VrUc2gf7wxg
|
||||||
|
Le65pTZ3YP1ghqsEJupkjRMCuguKCb6TRwBhR3rQ+xvqqGDxplYMD7q6XtSh0PJx
|
||||||
|
LSHllk9nl7u5tjs9vwN0RxVQ7aG7ORPPSp1tjolxtLMQ8l0Vd0EssAqoeaqbrkDa
|
||||||
|
Iz8qYFICzvkJKJ3lsXKylhbf2iSPu10aLU4nW0GgArUhNnKOIi90ndzPjo23jB8D
|
||||||
|
KXuJMWDhaH2K/TAwM99IfOeYnRkx63ctPNVvyo+nyJYlthrkO/77k0SxG/RI/2W+
|
||||||
|
8muO8ZXBcp3SyyQp2P/xkx/O2YBvSxx3MBnyzL9B3+tgbls02cQh9MmYY0OB7MLR
|
||||||
|
D56HXV0odIfovqYnHFLN6g3nhUtRohwak1QrsmP8Fgw6qcMlrRgKDFsewe8xeQfS
|
||||||
|
XAEH6WarsCSJAerz1HDftOCkcWXorq/bCqygebk2V6OfftaIRKoMqXxJQXESN3sY
|
||||||
|
Kvr0nEjwFRydxy6/I61Z/hFlb2P7OBaReNBA2zve1OAIvBRUNI+m6Tl/7O/M
|
||||||
|
=cMUp
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
|
||||||
|
- created_at: '2021-04-06T11:13:25Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA0PuGXQ/rB1cAQ//TcQhviuRMst0/kj2TgK7+qK4JoFwVcuesI9syp7LR2YE
|
||||||
|
nBEyr/a4ifnqD7M/A84FZZqvK/2Sx2yHuX/Qjz6UvI6E8gWgdBtSPI7zgJqgQd/f
|
||||||
|
wmeHFpDZGx3rwpzgOKHreVY+Lk4/u30GfxDHFpCu81HHI8SDVPF9/SxyxLEmIvqw
|
||||||
|
zCAdmHR52Fvha2yis7Rz4iZEmOPcpFfVNaLJRJM6wTQKao4l6ANmW10GZle02/eN
|
||||||
|
u/lHg1caLsZIX6L0TuEK5c9iMZLmxH/UXg6poDbwB9jFpdolBSV/p/j5S3FdALVw
|
||||||
|
a7VTyyT80am48iuD/WTIwPqcUfL66RpJmbz6p+UzknFlJmdvPcujWlx7svBWKhf0
|
||||||
|
5pukqTapM5VXYguzGjl363JV60gAP/i51873kV+qnn3DQAw93JXZz1rbLFKT6zGm
|
||||||
|
LhemAqqrz8kDXdEaO+sfQb/ZAKJsPAcNKVr/Au3Ekig4hKYysvhoMzhFnBlUDTe8
|
||||||
|
2tKtYCUfun5XYuoy+4f1XpI25KZd3sow1KiKFU7QhTgE75rjxXNRLgbuiHKoYvVs
|
||||||
|
jELUszztxGsMdGUT3UOUZAS2Aj+G+fqsnMVh+yMfvNMKx6IWFTC9qjG5isaWHYfO
|
||||||
|
b5aqq/dOaqwyO4+nvd4Akj8rEVYqz2jh8nAaBvcJBryQSbY1wnZj/k/vl8B8gYnS
|
||||||
|
TgHSC/a/G0NLJ4HPYJb7DvlQcBLwRbbF3tUFVl8K/1rKTNOa23ucUm2G2iF1HyFg
|
||||||
|
E8hygSkmtAa9rmhWpyPQ3fkh5mpm6Xmdx9FtLXY6JQ==
|
||||||
|
=UwEc
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 8C5091AEA213FB0642BD46F943EE19743FAC1D5C
|
||||||
|
- created_at: '2021-04-06T11:13:25Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAzy5uO/X/tdJAQ/+JaLUL8RuXCyqrOARepnU1tgAyWB1GsUjYEXd83k72ZOr
|
||||||
|
QN3IRQJr3tE6eT4lusBSXI/9wIm102EsnIHs+RROUdjnic2RLkYUUS3vN6mtE+Lc
|
||||||
|
8FwcbhUIzWnzSOTUSEFGeDxarD/X5bXEXWoUKWsJuZv5gZIIgvNNxKSCkT4vwqUQ
|
||||||
|
E8ljMy7J25D0tiT0XIHqj2sNzrdtYf0tdmAMDTHvHWkBTTo+dPw5moLI69yBRUC6
|
||||||
|
k+hhuELJiNkuOIj1+hOBOKkiin1vCsnccen7nmQ4OmZ1N+2zNGucq0zbBQITSp63
|
||||||
|
kooVpvgb3B1uyglOqTvvlRnBsoY7h1LEgkyx/lTvrfjCpY1VWHGIiTGz2Mt5R2GL
|
||||||
|
SelAtk3kh1SV1FQrgyZUMp7XEHxs1P9Dl3halWqK2aPCpzDk++qgNeOJ2DRg+yzM
|
||||||
|
iTtPwrBiWSENDAJgyafqG8vQRlZD2SLahxM0Vk0TqnG4VPlPj9j1PSr7IgEKDNWN
|
||||||
|
7COE9mq0sYdK4DAbu+ML9X52e7PpakcsnCr5kQtMvaRIZDxXpDurSvWRf28s/Kne
|
||||||
|
RjackUCPtjfdN3dG6qnBXykkZJPZLeTRA/rsxENvQbuFuTi2eUyGygsg1xO+xnsz
|
||||||
|
k6z08LrA6u+TwGKVwUy16mURPRhmwr02DwMx5D8+zzQT+SdMFo7kFDc7KnXpDEzS
|
||||||
|
TgG8d5bYZblY1wGGYcGt8VJzGvHUwTA5HlKhE/14+ONXLfnylUmysV6GjC9XgPeP
|
||||||
|
9a6rxtvE50BO2lCRwN5DeEPnKENEumCslUkjvFHQGQ==
|
||||||
|
=fIUQ
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: BB046D773F54739757553A053CB9B8EFD7FED749
|
||||||
|
- created_at: '2021-04-06T11:13:25Z'
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA2nIGHycQ3VOAQ/9HgTHU/5EYiHDRf65WHtQxfXSJ4Mv16IHemfRSITh9u/N
|
||||||
|
oJvbr/UPaAojzKYyh/HRlUq+H3FDM0x77JGaS/YTEpW89lmcLsOHmHe30Me9hlWQ
|
||||||
|
yiVIlIzJsXHls0lbtU765EU83C8d//eQjHf5hfqHlyXLZUtdziXqF1Adi1HOZdC/
|
||||||
|
MCvLfDePwTZjKmToJLZY1jljARuxl6LcLUwq2XQvCL84BJMCg8vOJJw/JvBo+kZN
|
||||||
|
2nDHfKrFk5P3kztCBY3ScgJSzIAxB8E1NhOtLORMwMuwh2WSu2rDw6Owf5VetusF
|
||||||
|
ioFbsL+qEUn8gljLGjRGXd0Xsxgem7BZtmbWl4KUx39aWzXRDDswB7GI/8AkWmB+
|
||||||
|
bHIGAEKh7mbs1buNmnxBoJbLmFhY5CR88Aru6T31gDLpvlJgq09XLJkm/Xk8XkiC
|
||||||
|
PBgYC6nqws2Lo0UE8p1ArLchSYHzXt77Q3Ymlo3Wa3YkO8ZVv5yyQ1DSYUs90IJV
|
||||||
|
Dy0QVAP7hdKjeCloinyzhHqZw6fxDusKeb9w52y31foh/qXaXzXLC2dWQPEEfq4V
|
||||||
|
LGxXpxaV09bIOVy6c40y2Pk/w1ZeCyyflyjK5hvgn8Tj0VAlR3I1hTwHTa+UMCn6
|
||||||
|
IwsCtjMJAgboB3pMMTZIEwteYW0coq3fyX95E3PSWhgzjP7E0TLDfzjcOJ7QxiPS
|
||||||
|
TgEZPWn4QIjnivTNgHnlHqMHJTg4mePyq//Mpw7ECIf+LkYoJ2l/1pG0VmpoJMv+
|
||||||
|
cLTcQfThrWSoXSiBq9+Mr8bwQpnTJf3lrPGx4YPZ3g==
|
||||||
|
=QcVc
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 2372651C56E22972C2D9F3F569C8187C9C43754E
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.6.0
|
|
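Review bot: All four secrets in this file (`media-proxy-auth`, `torrent-proxy-auth`, `restic-s3`, `restic-password`) are encrypted to the same four PGP recipients listed under `sops.pgp`, so every holder of one of those keys — presumably including each host's own key — can decrypt the proxy and S3 credentials whether or not that host's configuration uses them. Since the consuming modules reach this file through the default sops file, a per-role file, or per-host files as the WireGuard key already uses, would limit what a single compromised host can read; if `restic-s3` is one credential shared by all hosts, rotating it also affects all of them at once. A comment in the README or next to the creation rule stating that this file is intentionally decryptable by every host would make the trade-off explicit. Changes to the recipient list deserve the same review as changes to the values, since the list and the `mac` entry are what bound who can read the file.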
@ -42,6 +42,10 @@ let
|
||||||
"root@$hostname" \
|
"root@$hostname" \
|
||||||
"cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks")
|
"cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks")
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
show-key-fingerprint = ''
|
||||||
|
gpg --with-fingerprint --with-colons --show-key "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
pkgs.mkShell {
|
pkgs.mkShell {
|
||||||
|
@ -49,8 +53,13 @@ pkgs.mkShell {
|
||||||
git
|
git
|
||||||
niv
|
niv
|
||||||
nixpkgs-fmt
|
nixpkgs-fmt
|
||||||
|
sops
|
||||||
|
ssh-to-pgp
|
||||||
]) ++ (pkgs.lib.mapAttrsToList pkgs.writeShellScriptBin scripts);
|
]) ++ (pkgs.lib.mapAttrsToList pkgs.writeShellScriptBin scripts);
|
||||||
|
|
||||||
shellHook = ''
|
shellHook = ''
|
||||||
${pre-commit-check.shellHook}
|
${pre-commit-check.shellHook}
|
||||||
|
|
||||||
|
find ${./. + "/keys"} -type f -print0 | xargs -0 gpg --quiet --import
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
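Review bot: The new shellHook line `find ${./. + "/keys"} -type f -print0 | xargs -0 gpg --quiet --import` imports every regular file under keys/ into the developer's default keyring on each shell entry, and `--quiet` hides any import failure, so a stray or corrupted file there passes unnoticed. Restricting `find` to the key files actually kept in that directory and not silencing gpg keeps the hook honest, and a comment such as `# import the repository's public keys so sops can encrypt to every recipient in .sops.yaml` would explain why the hook touches the keyring at all; importing does not mark the keys trusted, which is acceptable here because sops addresses recipients by fingerprint. `show-key-fingerprint` exits after the first `fpr` record, i.e. it prints the primary key fingerprint only, which is worth noting in a comment so nobody expects subkey fingerprints. The `scripts` attribute set this hunk edits begins before the first hunk.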