From b8608870c9774d49ed62f398751fda8b49ed0c8d Mon Sep 17 00:00:00 2001
From: Grigory Shipunov
Date: Sun, 29 May 2022 14:33:39 +0200
Subject: [PATCH] sops: init
---
 .sops.yaml | 10 +++++++++
 flake.nix | 2 ++
 hosts/microwave/secrets.nix | 11 ++++++++++
 modules/wireguard.nix | 6 ++---
 secrets/secrets.yaml | 44 +++++++++++++++++++++++++++++++++++++
 5 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 hosts/microwave/secrets.nix
 create mode 100644 secrets/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9de2531
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &admin_oxa DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+ - µwave age1eysr2m8ust6gq9jk88lpzzcy8gdrzlts69zlfqul766t6gvqw9qq24z68l
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ age:
+ - *microwave
diff --git a/flake.nix b/flake.nix
index 109e0d9..96deb37 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,7 +19,9 @@
 system = "x86_64-linux";
 specialArgs = { inherit inputs; };
 modules = [
+ sops-nix.nixosModules.sops
 ./hosts/microwave/configuration.nix
+ ./hosts/microwave/secrets.nix
 ./hosts/microwave/hardware-configuration.nix
 ./modules/graphical.nix
 ./modules/hw-accel-intel.nix
diff --git a/hosts/microwave/secrets.nix b/hosts/microwave/secrets.nix
new file mode 100644
index 0000000..b343ec8
--- /dev/null
+++ b/hosts/microwave/secrets.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ sops.defaultSopsFile = ../../secrets/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "wg/wg-zw-seckey" = { };
+ "wg/wg-dvb-seckey" = { };
+ "wg/mlwd-nl-seckey" = { };
+ };
+}
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 9a01f74..d989570 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
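Review bot: The age recipient under `keys:` records nothing about where it came from, and nothing in `creation_rules` says that `sops updatekeys` has to be re-run when either key changes. secrets.nix in this same patch decrypts with `/etc/ssh/ssh_host_ed25519_key`, so this recipient is presumably the ssh-to-age form of the host key, and a reinstall that regenerates host keys would leave the machine unable to decrypt until the recipient is replaced here and the secrets file is re-keyed. Suggest `# microwave host key (ssh-to-age of /etc/ssh/ssh_host_ed25519_key.pub); re-run 'sops updatekeys secrets/*.yaml' after replacing it` above that entry and `# admin PGP recovery key: the only decryptor that is not a host key` above `admin_oxa`. `path_regex` is applied as an unanchored regex search, so `secrets/[^/]+\.yaml$` also matches a `secrets/` directory nested anywhere deeper; `^secrets/[^/]+\.yaml$` pins the rule to the repository root. The anchor on the third line renders here as `µwave` while the rule references `*microwave`, which looks like an entity-decoding artifact of `&microwave` in this rendering rather than a defect in the file itself.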
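Review bot: The hunk wires in `sops-nix.nixosModules.sops`, but the diffstat shows only these two lines changing in flake.nix, so the `sops-nix` input it depends on is not part of this patch and must already be declared; that cannot be confirmed from the hunk. If it is declared, check that it carries `inputs.nixpkgs.follows = "nixpkgs"`, otherwise the module pulls a second nixpkgs evaluation. The `nixosSystem` call that this `modules` list belongs to starts before and ends after the hunk.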
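Review bot: The three `sops.secrets` entries rely on sops-nix's defaults (root-owned, mode 0400) without saying so; that is the right setting because `wg-quick` runs as root, but nothing in the file records that the permissions are intentional, so a later "fix" could widen them. Suggest a comment above the attrset: `# wg-quick reads these as root; keep the default owner/mode (root, 0400)`. `sops.age.sshKeyPaths` makes the host's ed25519 key the only decryptor on the machine, so a reinstall that regenerates `/etc/ssh/ssh_host_ed25519_key` needs the new ssh-to-age recipient added to `.sops.yaml` and `sops updatekeys` run before this module can activate; a comment saying so next to that line would save a future debugging session. `sops.defaultSopsFile` is a relative path resolved from this file, which is fine as long as `secrets/` stays two levels up from `hosts/microwave/`.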
@@ -3,7 +3,7 @@
 {
 networking.wg-quick.interfaces = {
 wg-zw = {
- privateKeyFile="/etc/wg/zw-wg-key";
+ privateKeyFile=config.sops.secrets."wg/wg-zw-seckey".path;
 address = ["172.20.76.226" ];
 dns = [ "172.20.73.8" ];
 peers = [
@@ -15,7 +15,7 @@
 ]; };
 wg-dvb = {
- privateKeyFile="/etc/wg/wg-dvb";
+ privateKeyFile=config.sops.secrets."wg/wg-dvb-seckey".path;
 address = [ "10.13.37.3/32" ];
 peers = [
@@ -29,7 +29,7 @@
 };
 mlwd-nl = {
- privateKeyFile = "/etc/wg/mlvd";
+ privateKeyFile=config.sops.secrets."wg/mlwd-nl-seckey".path;
 address = [ "10.65.79.164/32" "fc00:bbbb:bbbb:bb01::2:4fa3/128" ];
 dns = [ "193.138.218.74" ];
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..59dc941
--- /dev/null
+++ b/secrets/secrets.yaml
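Review bot: The three hunks only repoint `privateKeyFile`; the plaintext key files previously read from `/etc/wg/zw-wg-key`, `/etc/wg/wg-dvb` and `/etc/wg/mlvd` are not removed by this patch, and since the same keys are now sops-managed they remain on the host as an unencrypted copy until someone deletes them, which the commit message should call out as a follow-up step once the new paths are confirmed working. The same point applies to the `wg-dvb` and `mlwd-nl` hunks. The new lines read `config.sops.secrets.<name>.path`, so the module must receive `config` in its argument set; the module header is outside the hunks, so that cannot be confirmed here, and a header without `config` would fail at evaluation. Style: the `mlwd-nl` hunk drops the `privateKeyFile = …` spacing the old line had, so the three new lines are now written `privateKeyFile=…` without spaces, unlike the surrounding `address = …` and `dns = …` attributes; `privateKeyFile = config.sops.secrets."wg/mlwd-nl-seckey".path;` (and likewise for the other two) would keep the file consistent. The `networking.wg-quick.interfaces` attrset these hunks modify starts before the first hunk and continues past the last.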
@@ -0,0 +1,44 @@ +wg: + wg-zw-seckey: ENC[AES256_GCM,data:fkt4UEVgmmFw6UFUEs6T5/CePKo1Z/hc8pu+Bj6fWT/p/1eE14Y3TgxfMks=,iv:SN97FG5Lquhc7k9R1Aavu7hE1zoY4FAnacvapdLkBkk=,tag:l82y7vwieanfYRRjfqKJoA==,type:str] + wg-dvb-seckey: ENC[AES256_GCM,data:a1OuEOnSwCqwfL6+TYhyU1lkRcDeW2wAJetytc8ry8kJicPGMkqSHJvRdBs=,iv:oS1olgSuhR3J0LW8OSDSYMSHxxhBehdEP0VnQIKqOAM=,tag:CXkL5lOF91KluH3yGWwzTA==,type:str] + mlwd-nl-seckey: ENC[AES256_GCM,data:YM7dq8aRm7qNECiE3NR4B8BId4MioPS8zoeiSOPBJfh+LuXf8yQ5ZI3opNg=,iv:9xwVbKstq2mj1hzL2PS1Wlr3pgaW6Kl/WAG7CJjug7c=,tag:BqIyxZDWnVGpBsZCPhkeuQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1eysr2m8ust6gq9jk88lpzzcy8gdrzlts69zlfqul766t6gvqw9qq24z68l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRkdhUkt4WGpkSDJGQUdN + MDcrb0RUTTdDUEdQclVvOC92d2ZBS2pOMGlRCk82dXRIcW9UcTVkMzgyMDV6NEV3 + bW8wbVQ4Ulk4ak1QNHFaU0RjTWZaWmsKLS0tIHBSZnlkWEV6SHg2MFVLemNUdFhx + TjlMN1JLazV4YldTNlZwSldsREZNMjAKGMAs2yOck92r8hdm3Iw4+Rio73WB/MLE + tyflDRSKJCRKV/IjDuFqTAlpdA7T4KOWwc7HyhdLVkhz2jyTBT/ioA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-05-29T12:22:15Z" + mac: ENC[AES256_GCM,data:qV8RPVlE2y25K+V8v+QqAT4RkzcSgFIHxZ2NwTirksr2Z10B+s7ZSVyvjVOtdINv4IDOuehSwXor4tbWSxrO1BIqoaBQ6hzMOCbB3RTQ/0LCmIqomIhqSWM6l7UubhCV1Nem8D1MI7325VRPnfLvX8ZprCMANZ+sQVALVEs71QY=,iv:QqMaRhisaMkIe+huAQx51BikBemtH3L03BEvBJGK1Wg=,tag:dOFAZbbwhW3bvVBy5CWiIw==,type:str] + pgp: + - created_at: "2022-05-29T12:17:48Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7ARAAIBnPyH3j8i9Xx6GZM1TPf5MIN7ZaGGJomxBpydmUW+sO + 4bMKWBrlMVlY6HXhmZ5HbPf5IZsPNDBaCZxN1R9GD2y644hqheeR3GcLsCKGRoCq + tBsxghOulbq0bjM5FEMh5+T6sju5/7qZMGftoUbDkJ7UiPRrmx8FkXytVcA8FO7J + C8Fd4APyzAORqvRoJqzKQEZ26lNqrhH2sW1Hm4+4BWKuRb5aAnz0Pi4miDi4ulJ3 + GsBAdXdfl5iZOr7JPNg8QhO0+sB9M96JVHV4ZddLq1J+9dqHZHW5ygekIxBvXxQt + pn+Lu7zjNtEXYz//WC/FmJCqp252JvDMpllpqg10f5LPqbHcSS82qC4kSSojc5AW + 
gfZQ4u7msp1EewFMwOjGWpqYstxarKsBR2yS5oJvSYvGJUcN4WR+Fqk2sj73YRqs + hTnANswT5UKivzPFW6T4NBnCRXptcFrZrmudzBI7ONcS6coY9qa7BHrjeEmZuhf/ + uAIUYA6lz1sAiocfb7VLPZBLxDpM3lM0eePIKlcfu036v/9ptso+CEFtaKzBeSr7 + nDfDu/h9VKT/dWobg/qrv7/sY3BM6sdQ3UBBxtL/yiETBA1mp0zil+e61mMyf5ij + pA4x5wmg1CstMbkCqq9uduPTRT5AKQrNM5ZDpSPSp1b/X1juXnTo/cwq/j46P37S + 5gFf/xIEuDZGBkkbVsV0nMn399WaCoUIOnj3RD611IJdIb63/Szj4J4JT1AeyJh8 + EIuWYy+qZBkt5HyfrKmXH1zkt8KdNYJONaLsRDFR+2Xqc+KJn5CUAA== + =aw7c + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + unencrypted_suffix: _unencrypted + version: 3.7.2