From c170ec09db17a36612d3d2636eb257324f8e717f Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sat, 27 Apr 2024 22:27:48 +0200
Subject: [PATCH] Manage user level secrets with sops
---
 .sops.yaml | 13 ++++++++++++-
 hosts/inspiron/secrets.yaml | 19 ++++++++++++++-----
 hosts/north/secrets.yaml | 19 ++++++++++++++-----
 modules/home/default.nix | 1 +
 modules/home/sops.nix | 17 +++++++++++++++++
 users/seb/home.nix | 1 +
 6 files changed, 59 insertions(+), 11 deletions(-)
 create mode 100644 modules/home/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index 151c1ee..d9eeb70 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,12 +1,23 @@
 keys:
+ - &admin age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
 - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
 - &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
+ - &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
+ - &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
 creation_rules:
 - path_regex: hosts/north/secrets.yaml$
 key_groups:
 - age:
+ - *admin
 - *north
 - path_regex: hosts/inspiron/secrets.yaml$
 key_groups:
 - age:
- - *inspiron
\ No newline at end of file
+ - *admin
+ - *inspiron
+ - path_regex: users/seb/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin
+ - *seb-north
+ - *seb-inspiron
\ No newline at end of file
diff --git a/hosts/inspiron/secrets.yaml b/hosts/inspiron/secrets.yaml
index e3737d6..bad7637 100644
--- a/hosts/inspiron/secrets.yaml
+++ b/hosts/inspiron/secrets.yaml
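Review bot: The new side of .sops.yaml still ends without a newline (`\ No newline at end of file` after `- *seb-inspiron`), so the next rule appended here will again show the last line as rewritten; end the file with a newline. The three `path_regex` values are anchored only at the end (`users/seb/secrets.yaml$`), which also matches the same relative path under any other directory; if that is not intended, anchoring them with `^` keeps the existing style while making each rule match exactly one file. The rule for `users/seb/secrets.yaml` has no matching encrypted file in this commit, which is fine as long as that file is created with `sops` so it picks up this rule.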
@@ -13,14 +13,23 @@ sops:
 azure_kv: []
 hc_vault: []
 age:
+ - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5eXBrSUtRUFd2OUhyU2s5
+ NlFFcExYYmR6Sll5MVU2MGRoK2p2ZW5MYlNzCkNxb244QWVkWExiRUx4ZnBmQUZ5
+ YXNoSWdIczNrc2xIZkpwWldvc1BJNDQKLS0tIFpUWGV5RzRFZDlUYk1lby9PRlRB
+ RkxMVXNHMGNPYXJIZXJNcVoyUURnekEK8X5a/pPWBWfTS0w+cgwa51Hu59q1nqIP
+ dE+VG2tKrhay6mAlzK/HeZzSqphAnvcGy2PNng2sad7DxUjfnUnZnw==
+ -----END AGE ENCRYPTED FILE-----
 - recipient: age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSTZjT1llekd3aFdpQ01Q
- SUppY3JSaTI2TFNNeXd5MDREeHE3am5HeDFVClhRNHJPZkZnclluRFVFUEZuSjk5
- b1AxZWdMZHNsbDh5QWNMdHFqbzVadlEKLS0tIFJtQ0F4eWtwNEtyd29PY2wvU0Fv
- N2dzR01qQnVxb3UvdUZLZ05jcDdjUGMKjx1BGh8c+OqXwUKeceUMUjuZgo04H0oy
- t3HZbqg62Bj+Ucun+lt9sOA1uHHSQsn91i8WTxdrOyiX7WpfiASE1w==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTUU3TXpGVHROYlRBUDBp
+ QkRTRVR1Z2haUDRXNklodW5aUWZITUJUekdvCnY3aU0zbXdRb2tvRUU3Z0VubUZq
+ RzVoWHU3U1R2WGt2ZWkyMmw4MjVNbXcKLS0tIG5vNWZ0ZEZyRE1CRHl6TStScmg2
+ WlU1TjFDSHFzVU9TVWlNZVBJNkZabTQKkkgMlCEN84e1Syf9wB06CwToxZoE3CZi
+ h369oefzYx06hEde06tU9UP7FtXRP0ktgZps4d+Fx4IkNJxoP6Ucuw==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2024-04-21T17:56:11Z"
 mac: ENC[AES256_GCM,data:rTTt8W4biTuzf8lkT6txlggpBhHEfv2XuSs/Mu3DU/y9TygQhmqpwbBjghLpYeeC+V+YTOKwmnPBu4FP147wJAL8tWqI7nY0EFGD5CSAF13bnBG2KE+KZGiI+SWi+uGFzBFsBbXDEbcJyt45/MUt8PTWiL9nea1x5Tt9hx02mn8=,iv:QDN5D5tCUrxgjcjk55DOPT+EaMTTLtq3QPqA3Tnne5w=,tag:FUNM9vgCSMv+T6SlIpyFCQ==,type:str]
diff --git a/hosts/north/secrets.yaml b/hosts/north/secrets.yaml
index 5b5ebc7..6044536 100644
--- a/hosts/north/secrets.yaml
+++ b/hosts/north/secrets.yaml
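Review bot: The `lastmodified` and `mac` context lines are unchanged while every age stanza in the hunk is rewritten, which is consistent with a key-update run that re-wraps the existing data key for the added admin recipient without rotating it. That is sufficient for adding a recipient, as this commit does; it would not be sufficient for removing one, since any holder of the old data key could still decrypt, so a later removal should rotate the data key rather than only update recipients. The same observation applies to the hosts/north/secrets.yaml hunk, whose `mac` and `lastmodified` are likewise unchanged.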
@@ -9,14 +9,23 @@ sops:
 azure_kv: []
 hc_vault: []
 age:
+ - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyT2s5NFcyMDVVOGhGYStP
+ UkorOXBxS0dJVEUxZjJEdnA1VklXemw2V3lNCjlkQTR1Nkg3b2ZNMlcrOXV4RUhi
+ QUx6UnV5ci83MUZ0enVUQ25MMmYrOTQKLS0tIG04d0JJeEo2Wm1EOUtJL001V0Rm
+ SThvMkdzWS8rQXNGMHhkemtCUFJCYnMKi1F0SfgW6XP56Xeg/RtpYYAdpqbWmk/b
+ BQ+8Myt1XoeEoTUTQVLuKhRT+ETENocy8SvPfFrtM5UbwRNAcIOqzA==
+ -----END AGE ENCRYPTED FILE-----
 - recipient: age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVlVzRHpVdVNaZ0crRHBK
- MUJSOXhmV0JtYnY2d3Rsb3NUL0lXYzlJeEhnCjFzcDgrR3pFWGoxQXV0S3JZK0lL
- dEJ0UENjWVh6WjdjMXBuU3ZyV2I1WTAKLS0tIGNTbTVtbVl6MEtwTVpGS2VVMzB5
- SzVZMDNXNzhkMUdsYVgzRDMydGR4VTQKK3YYdk3tHd1U4rvyVgQ95+s4Le7E8NDe
- 5KD0bWmg7CcehhRWQfBDzBsg63QcyIcq728PptprwGqik7WZEg0b9w==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OUFRckh4VnhWUE5vWHlB
+ NWFPV0djNzM2ckJOWStybGJ5TXlmZ3hyNmhvCkJuZmdnWk9QQkpIcVd0WFRucXBk
+ dm9sMkhJeVhwQWg2bENzYk13ckxxRVEKLS0tIEdXWXcyR1IrSE1heE1FdmE4TDl6
+ S04zMkpXT21GYTBSRFI2c1gyalZCK1UKtD6FA5BLLqnMAtVqYIujkM5qqMD524ck
+ GipN/XwBhXSL98xrgaNmnN+Q46SNX0s41maGO624xvZMKZhObjxHIw==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2024-04-02T22:17:31Z"
 mac: ENC[AES256_GCM,data:8n1uxIbuCp9z5XML68jq65V3FGj6AVPq6y5BZhS5FGVc7fCSxQrxil+SYIWDDrMn5rp7DHM/t4hJf2TA4T3U7xwS1i63mPiIrwPl9+CiHPK/wMkm67c0Xh+RnRrXhCbl5wO08vZkp2D9pso7wV/52OOtMKax+O3K9wweZWNSef0=,iv:rbtXcGI1JQvBfTq4PJJTXmRz3IOiPyBDDTGtIICNFQY=,tag:7QQknmXBHKEcrco0So+ATg==,type:str]
diff --git a/modules/home/default.nix b/modules/home/default.nix
index e15446e..caaccd2 100644
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@@ -8,5 +8,6 @@
 ./neovim.nix
 ./kitty.nix
 ./equalizer
+ ./sops.nix
 ];
 }
diff --git a/modules/home/sops.nix b/modules/home/sops.nix
new file mode 100644
index 0000000..752b3ad
--- /dev/null
+++ b/modules/home/sops.nix
@@ -0,0 +1,17 @@
+{
+ inputs,
+ config,
+ lib,
+ ...
+}: {
+ imports = [inputs.sops-nix.homeManagerModules.sops];
+
+ options.myConfig.sops.enable = lib.mkEnableOption "";
+
+ config = lib.mkIf config.myConfig.sops.enable {
+ sops = {
+ age.sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
+ defaultSopsFile = "${inputs.self}/home/${config.home.username}/secrets.yaml";
+ };
+ };
+}
diff --git a/users/seb/home.nix b/users/seb/home.nix
index 328ad71..2a0cfb2 100644
--- a/users/seb/home.nix
+++ b/users/seb/home.nix
@@ -33,6 +33,7 @@
 vscode.enable = true;
 kitty.enable = true;
 equalizer.enable = true;
+ sops.enable = true;
 };
 programs.btop.enable = true;
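Review bot: `defaultSopsFile` points at `${inputs.self}/home/${config.home.username}/secrets.yaml`, but the creation rule added to .sops.yaml in this same commit matches `users/seb/secrets.yaml$` and the user's configuration lives in users/seb/home.nix, so for user `seb` the module would look for `home/seb/secrets.yaml`, a path no rule in .sops.yaml covers; assuming the `users/<name>/` layout is the intended one, the line should read `defaultSopsFile = "${inputs.self}/users/${config.home.username}/secrets.yaml";`. `lib.mkEnableOption ""` leaves the option undocumented in generated option listings; a short description such as `lib.mkEnableOption "user-level sops-nix secrets"` costs nothing. `age.sshKeyPaths` assumes an ed25519 key exists at `~/.ssh/id_ed25519` for every user that enables this module and, presumably, that the `seb-north`/`seb-inspiron` age recipients in .sops.yaml were derived from those keys; a comment stating that derivation (`# age recipients in .sops.yaml are derived from this SSH key`) would save the next reader from guessing.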