Manage user-level secrets with sops
This commit is contained in:
parent
b6e03035f6
commit
c170ec09db
6 changed files with 59 additions and 11 deletions
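--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,12 +1,23 @@
 keys:
+  - &admin age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
   - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
   - &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
+  - &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
+  - &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
 creation_rules:
   - path_regex: hosts/north/secrets.yaml$
     key_groups:
       - age:
+          - *admin
           - *north
   - path_regex: hosts/inspiron/secrets.yaml$
     key_groups:
       - age:
+          - *admin
           - *inspiron
+  - path_regex: users/seb/secrets.yaml$
+    key_groups:
+      - age:
+          - *admin
+          - *seb-north
+          - *seb-inspiron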
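Review bot: The new creation rule at the end of the hunk matches `users/seb/secrets.yaml$`, but modules/home/sops.nix in this same commit sets `defaultSopsFile = "${inputs.self}/home/${config.home.username}/secrets.yaml"`, so for user seb the file sops-nix will read lives under `home/`, which no rule covers; sops refuses to create or re-encrypt a file that matches no creation rule, so the user secrets file cannot be managed with these recipients as written. Either change the rule to `- path_regex: home/seb/secrets.yaml$` or point defaultSopsFile at `users/`, whichever directory layout the repository actually uses. No secrets file under either path is part of this diff, so the mismatch only surfaces the first time that file is edited. The `*admin` recipient added to both host rules is consistent with the re-encrypted host secrets files later in the commit.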
|
|
@ -13,14 +13,23 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age:
|
age:
|
||||||
|
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5eXBrSUtRUFd2OUhyU2s5
|
||||||
|
NlFFcExYYmR6Sll5MVU2MGRoK2p2ZW5MYlNzCkNxb244QWVkWExiRUx4ZnBmQUZ5
|
||||||
|
YXNoSWdIczNrc2xIZkpwWldvc1BJNDQKLS0tIFpUWGV5RzRFZDlUYk1lby9PRlRB
|
||||||
|
RkxMVXNHMGNPYXJIZXJNcVoyUURnekEK8X5a/pPWBWfTS0w+cgwa51Hu59q1nqIP
|
||||||
|
dE+VG2tKrhay6mAlzK/HeZzSqphAnvcGy2PNng2sad7DxUjfnUnZnw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
|
- recipient: age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSTZjT1llekd3aFdpQ01Q
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTUU3TXpGVHROYlRBUDBp
|
||||||
SUppY3JSaTI2TFNNeXd5MDREeHE3am5HeDFVClhRNHJPZkZnclluRFVFUEZuSjk5
|
QkRTRVR1Z2haUDRXNklodW5aUWZITUJUekdvCnY3aU0zbXdRb2tvRUU3Z0VubUZq
|
||||||
b1AxZWdMZHNsbDh5QWNMdHFqbzVadlEKLS0tIFJtQ0F4eWtwNEtyd29PY2wvU0Fv
|
RzVoWHU3U1R2WGt2ZWkyMmw4MjVNbXcKLS0tIG5vNWZ0ZEZyRE1CRHl6TStScmg2
|
||||||
N2dzR01qQnVxb3UvdUZLZ05jcDdjUGMKjx1BGh8c+OqXwUKeceUMUjuZgo04H0oy
|
WlU1TjFDSHFzVU9TVWlNZVBJNkZabTQKkkgMlCEN84e1Syf9wB06CwToxZoE3CZi
|
||||||
t3HZbqg62Bj+Ucun+lt9sOA1uHHSQsn91i8WTxdrOyiX7WpfiASE1w==
|
h369oefzYx06hEde06tU9UP7FtXRP0ktgZps4d+Fx4IkNJxoP6Ucuw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-04-21T17:56:11Z"
|
lastmodified: "2024-04-21T17:56:11Z"
|
||||||
mac: ENC[AES256_GCM,data:rTTt8W4biTuzf8lkT6txlggpBhHEfv2XuSs/Mu3DU/y9TygQhmqpwbBjghLpYeeC+V+YTOKwmnPBu4FP147wJAL8tWqI7nY0EFGD5CSAF13bnBG2KE+KZGiI+SWi+uGFzBFsBbXDEbcJyt45/MUt8PTWiL9nea1x5Tt9hx02mn8=,iv:QDN5D5tCUrxgjcjk55DOPT+EaMTTLtq3QPqA3Tnne5w=,tag:FUNM9vgCSMv+T6SlIpyFCQ==,type:str]
|
mac: ENC[AES256_GCM,data:rTTt8W4biTuzf8lkT6txlggpBhHEfv2XuSs/Mu3DU/y9TygQhmqpwbBjghLpYeeC+V+YTOKwmnPBu4FP147wJAL8tWqI7nY0EFGD5CSAF13bnBG2KE+KZGiI+SWi+uGFzBFsBbXDEbcJyt45/MUt8PTWiL9nea1x5Tt9hx02mn8=,iv:QDN5D5tCUrxgjcjk55DOPT+EaMTTLtq3QPqA3Tnne5w=,tag:FUNM9vgCSMv+T6SlIpyFCQ==,type:str]
|
||||||
|
|
|
||||||
|
|
@ -9,14 +9,23 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age:
|
age:
|
||||||
|
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyT2s5NFcyMDVVOGhGYStP
|
||||||
|
UkorOXBxS0dJVEUxZjJEdnA1VklXemw2V3lNCjlkQTR1Nkg3b2ZNMlcrOXV4RUhi
|
||||||
|
QUx6UnV5ci83MUZ0enVUQ25MMmYrOTQKLS0tIG04d0JJeEo2Wm1EOUtJL001V0Rm
|
||||||
|
SThvMkdzWS8rQXNGMHhkemtCUFJCYnMKi1F0SfgW6XP56Xeg/RtpYYAdpqbWmk/b
|
||||||
|
BQ+8Myt1XoeEoTUTQVLuKhRT+ETENocy8SvPfFrtM5UbwRNAcIOqzA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
|
- recipient: age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVlVzRHpVdVNaZ0crRHBK
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OUFRckh4VnhWUE5vWHlB
|
||||||
MUJSOXhmV0JtYnY2d3Rsb3NUL0lXYzlJeEhnCjFzcDgrR3pFWGoxQXV0S3JZK0lL
|
NWFPV0djNzM2ckJOWStybGJ5TXlmZ3hyNmhvCkJuZmdnWk9QQkpIcVd0WFRucXBk
|
||||||
dEJ0UENjWVh6WjdjMXBuU3ZyV2I1WTAKLS0tIGNTbTVtbVl6MEtwTVpGS2VVMzB5
|
dm9sMkhJeVhwQWg2bENzYk13ckxxRVEKLS0tIEdXWXcyR1IrSE1heE1FdmE4TDl6
|
||||||
SzVZMDNXNzhkMUdsYVgzRDMydGR4VTQKK3YYdk3tHd1U4rvyVgQ95+s4Le7E8NDe
|
S04zMkpXT21GYTBSRFI2c1gyalZCK1UKtD6FA5BLLqnMAtVqYIujkM5qqMD524ck
|
||||||
5KD0bWmg7CcehhRWQfBDzBsg63QcyIcq728PptprwGqik7WZEg0b9w==
|
GipN/XwBhXSL98xrgaNmnN+Q46SNX0s41maGO624xvZMKZhObjxHIw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-04-02T22:17:31Z"
|
lastmodified: "2024-04-02T22:17:31Z"
|
||||||
mac: ENC[AES256_GCM,data:8n1uxIbuCp9z5XML68jq65V3FGj6AVPq6y5BZhS5FGVc7fCSxQrxil+SYIWDDrMn5rp7DHM/t4hJf2TA4T3U7xwS1i63mPiIrwPl9+CiHPK/wMkm67c0Xh+RnRrXhCbl5wO08vZkp2D9pso7wV/52OOtMKax+O3K9wweZWNSef0=,iv:rbtXcGI1JQvBfTq4PJJTXmRz3IOiPyBDDTGtIICNFQY=,tag:7QQknmXBHKEcrco0So+ATg==,type:str]
|
mac: ENC[AES256_GCM,data:8n1uxIbuCp9z5XML68jq65V3FGj6AVPq6y5BZhS5FGVc7fCSxQrxil+SYIWDDrMn5rp7DHM/t4hJf2TA4T3U7xwS1i63mPiIrwPl9+CiHPK/wMkm67c0Xh+RnRrXhCbl5wO08vZkp2D9pso7wV/52OOtMKax+O3K9wweZWNSef0=,iv:rbtXcGI1JQvBfTq4PJJTXmRz3IOiPyBDDTGtIICNFQY=,tag:7QQknmXBHKEcrco0So+ATg==,type:str]
|
||||||
|
|
|
||||||
|
|
@ -8,5 +8,6 @@
|
||||||
./neovim.nix
|
./neovim.nix
|
||||||
./kitty.nix
|
./kitty.nix
|
||||||
./equalizer
|
./equalizer
|
||||||
|
./sops.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
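--- /dev/null
+++ b/modules/home/sops.nix
@@ -0,0 +1,17 @@
+{
+  inputs,
+  config,
+  lib,
+  ...
+}: {
+  imports = [inputs.sops-nix.homeManagerModules.sops];
+
+  options.myConfig.sops.enable = lib.mkEnableOption "";
+
+  config = lib.mkIf config.myConfig.sops.enable {
+    sops = {
+      age.sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
+      defaultSopsFile = "${inputs.self}/home/${config.home.username}/secrets.yaml";
+    };
+  };
+}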
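Review bot: The option is declared with an empty description, `lib.mkEnableOption ""`, which renders as "Whether to enable ." in generated option docs; `lib.mkEnableOption "user-level secret management with sops-nix"` says what the flag does. The `age.sshKeyPaths` line deserves a short comment too, because it makes the user's SSH private key the only identity that can decrypt every user secret: sops-nix derives the age key from it at activation, so the key must exist at `~/.ssh/id_ed25519` on every host where this module is enabled and, as far as I recall from sops-nix, must not be passphrase-protected — confirm against the sops-nix docs. Suggested comment above that line: `# the age identity is derived from this SSH key at activation; it must be present (and unencrypted) on every host that enables this module`. Note that `defaultSopsFile` points under `home/` while the new `.sops.yaml` rule in this commit matches `users/seb/secrets.yaml$`; see the note on that file.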
|
|
@ -33,6 +33,7 @@
|
||||||
vscode.enable = true;
|
vscode.enable = true;
|
||||||
kitty.enable = true;
|
kitty.enable = true;
|
||||||
equalizer.enable = true;
|
equalizer.enable = true;
|
||||||
|
sops.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.btop.enable = true;
|
programs.btop.enable = true;
|
||||||
|
|
|
||||||