Manage user level secrets with sops

2026-01-21 14:01:34 +01:00 · 2024-04-27 22:27:48 +02:00 · 2024-04-27 22:27:48 +02:00 · c170ec09db
commit c170ec09db
parent b6e03035f6
6 changed files with 59 additions and 11 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,12 +1,23 @@
 keys:
+  - &admin age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
  - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
  - &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
+  - &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
+  - &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
 creation_rules:
  - path_regex: hosts/north/secrets.yaml$
    key_groups:
    - age:
+      - *admin
      - *north
  - path_regex: hosts/inspiron/secrets.yaml$
    key_groups:
    - age:
-      - *inspiron
+      - *admin
+      - *inspiron
+  - path_regex: users/seb/secrets.yaml$
+    key_groups:
+    - age:
+      - *admin
+      - *seb-north
+      - *seb-inspiron
--- a/hosts/inspiron/secrets.yaml
+++ b/hosts/inspiron/secrets.yaml
@ -13,14 +13,23 @@ sops:
    azure_kv: []
    hc_vault: []
    age:
+        - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5eXBrSUtRUFd2OUhyU2s5
+            NlFFcExYYmR6Sll5MVU2MGRoK2p2ZW5MYlNzCkNxb244QWVkWExiRUx4ZnBmQUZ5
+            YXNoSWdIczNrc2xIZkpwWldvc1BJNDQKLS0tIFpUWGV5RzRFZDlUYk1lby9PRlRB
+            RkxMVXNHMGNPYXJIZXJNcVoyUURnekEK8X5a/pPWBWfTS0w+cgwa51Hu59q1nqIP
+            dE+VG2tKrhay6mAlzK/HeZzSqphAnvcGy2PNng2sad7DxUjfnUnZnw==
+            -----END AGE ENCRYPTED FILE-----
        - recipient: age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSTZjT1llekd3aFdpQ01Q
-            SUppY3JSaTI2TFNNeXd5MDREeHE3am5HeDFVClhRNHJPZkZnclluRFVFUEZuSjk5
-            b1AxZWdMZHNsbDh5QWNMdHFqbzVadlEKLS0tIFJtQ0F4eWtwNEtyd29PY2wvU0Fv
-            N2dzR01qQnVxb3UvdUZLZ05jcDdjUGMKjx1BGh8c+OqXwUKeceUMUjuZgo04H0oy
-            t3HZbqg62Bj+Ucun+lt9sOA1uHHSQsn91i8WTxdrOyiX7WpfiASE1w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTUU3TXpGVHROYlRBUDBp
+            QkRTRVR1Z2haUDRXNklodW5aUWZITUJUekdvCnY3aU0zbXdRb2tvRUU3Z0VubUZq
+            RzVoWHU3U1R2WGt2ZWkyMmw4MjVNbXcKLS0tIG5vNWZ0ZEZyRE1CRHl6TStScmg2
+            WlU1TjFDSHFzVU9TVWlNZVBJNkZabTQKkkgMlCEN84e1Syf9wB06CwToxZoE3CZi
+            h369oefzYx06hEde06tU9UP7FtXRP0ktgZps4d+Fx4IkNJxoP6Ucuw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-04-21T17:56:11Z"
    mac: ENC[AES256_GCM,data:rTTt8W4biTuzf8lkT6txlggpBhHEfv2XuSs/Mu3DU/y9TygQhmqpwbBjghLpYeeC+V+YTOKwmnPBu4FP147wJAL8tWqI7nY0EFGD5CSAF13bnBG2KE+KZGiI+SWi+uGFzBFsBbXDEbcJyt45/MUt8PTWiL9nea1x5Tt9hx02mn8=,iv:QDN5D5tCUrxgjcjk55DOPT+EaMTTLtq3QPqA3Tnne5w=,tag:FUNM9vgCSMv+T6SlIpyFCQ==,type:str]
--- a/hosts/north/secrets.yaml
+++ b/hosts/north/secrets.yaml
@ -9,14 +9,23 @@ sops:
    azure_kv: []
    hc_vault: []
    age:
+        - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyT2s5NFcyMDVVOGhGYStP
+            UkorOXBxS0dJVEUxZjJEdnA1VklXemw2V3lNCjlkQTR1Nkg3b2ZNMlcrOXV4RUhi
+            QUx6UnV5ci83MUZ0enVUQ25MMmYrOTQKLS0tIG04d0JJeEo2Wm1EOUtJL001V0Rm
+            SThvMkdzWS8rQXNGMHhkemtCUFJCYnMKi1F0SfgW6XP56Xeg/RtpYYAdpqbWmk/b
+            BQ+8Myt1XoeEoTUTQVLuKhRT+ETENocy8SvPfFrtM5UbwRNAcIOqzA==
+            -----END AGE ENCRYPTED FILE-----
        - recipient: age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVlVzRHpVdVNaZ0crRHBK
-            MUJSOXhmV0JtYnY2d3Rsb3NUL0lXYzlJeEhnCjFzcDgrR3pFWGoxQXV0S3JZK0lL
-            dEJ0UENjWVh6WjdjMXBuU3ZyV2I1WTAKLS0tIGNTbTVtbVl6MEtwTVpGS2VVMzB5
-            SzVZMDNXNzhkMUdsYVgzRDMydGR4VTQKK3YYdk3tHd1U4rvyVgQ95+s4Le7E8NDe
-            5KD0bWmg7CcehhRWQfBDzBsg63QcyIcq728PptprwGqik7WZEg0b9w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OUFRckh4VnhWUE5vWHlB
+            NWFPV0djNzM2ckJOWStybGJ5TXlmZ3hyNmhvCkJuZmdnWk9QQkpIcVd0WFRucXBk
+            dm9sMkhJeVhwQWg2bENzYk13ckxxRVEKLS0tIEdXWXcyR1IrSE1heE1FdmE4TDl6
+            S04zMkpXT21GYTBSRFI2c1gyalZCK1UKtD6FA5BLLqnMAtVqYIujkM5qqMD524ck
+            GipN/XwBhXSL98xrgaNmnN+Q46SNX0s41maGO624xvZMKZhObjxHIw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-04-02T22:17:31Z"
    mac: ENC[AES256_GCM,data:8n1uxIbuCp9z5XML68jq65V3FGj6AVPq6y5BZhS5FGVc7fCSxQrxil+SYIWDDrMn5rp7DHM/t4hJf2TA4T3U7xwS1i63mPiIrwPl9+CiHPK/wMkm67c0Xh+RnRrXhCbl5wO08vZkp2D9pso7wV/52OOtMKax+O3K9wweZWNSef0=,iv:rbtXcGI1JQvBfTq4PJJTXmRz3IOiPyBDDTGtIICNFQY=,tag:7QQknmXBHKEcrco0So+ATg==,type:str]
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@ -8,5 +8,6 @@
        ./neovim.nix
        ./kitty.nix
        ./equalizer
+        ./sops.nix
    ];
 }
--- a/modules/home/sops.nix
+++ b/modules/home/sops.nix
@ -0,0 +1,17 @@
+{
+    inputs,
+    config,
+    lib,
+    ...
+}: {
+    imports = [inputs.sops-nix.homeManagerModules.sops];
+
+    options.myConfig.sops.enable = lib.mkEnableOption "";
+
+    config = lib.mkIf config.myConfig.sops.enable {
+        sops = {
+            age.sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
+            defaultSopsFile = "${inputs.self}/home/${config.home.username}/secrets.yaml";
+        };
+    };
+}
--- a/users/seb/home.nix
+++ b/users/seb/home.nix
@ -33,6 +33,7 @@
        vscode.enable = true;
        kitty.enable = true;
        equalizer.enable = true;
+        sops.enable = true;
    };

    programs.btop.enable = true;