sops: init
This commit is contained in:
parent
903ad98313
commit
b8608870c9
5 changed files with 70 additions and 3 deletions
10
.sops.yaml
Normal file
10
.sops.yaml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
keys:
|
||||||
|
- &admin_oxa DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||||
|
- µwave age1eysr2m8ust6gq9jk88lpzzcy8gdrzlts69zlfqul766t6gvqw9qq24z68l
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: secrets/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *admin_oxa
|
||||||
|
age:
|
||||||
|
- *microwave
|
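Review bot: The `path_regex` on the creation rule is anchored only at the end, so `secrets/[^/]+\.yaml$` also matches any nested `…/secrets/foo.yaml` elsewhere in the tree and would encrypt it to these recipients; anchoring it, `path_regex: ^secrets/[^/]+\.yaml$`, limits the rule to the top-level directory that the new `secrets.nix` points at. The single key group lists both the PGP fingerprint and the host's age recipient, which means either key alone decrypts every file under the rule — presumably intended (admin edits, host decrypts at boot) but worth stating, e.g. `# one group: admin PGP key OR host age key decrypts; add a second group for Shamir splitting`. The second recipient line renders here as `µwave`, which looks like an entity-mangled `&microwave` anchor that the trailing `*microwave` alias depends on — confirm the committed file carries the `&`.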
|
@ -19,7 +19,9 @@
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
specialArgs = { inherit inputs; };
|
specialArgs = { inherit inputs; };
|
||||||
modules = [
|
modules = [
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
./hosts/microwave/configuration.nix
|
./hosts/microwave/configuration.nix
|
||||||
|
./hosts/microwave/secrets.nix
|
||||||
./hosts/microwave/hardware-configuration.nix
|
./hosts/microwave/hardware-configuration.nix
|
||||||
./modules/graphical.nix
|
./modules/graphical.nix
|
||||||
./modules/hw-accel-intel.nix
|
./modules/hw-accel-intel.nix
|
||||||
|
|
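--- /dev/null
+++ b/hosts/microwave/secrets.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+sops.defaultSopsFile = ../../secrets/secrets.yaml;
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+sops.secrets = {
+"wg/wg-zw-seckey" = { };
+"wg/wg-dvb-seckey" = { };
+"wg/mlwd-nl-seckey" = { };
+};
+}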
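Review bot: Each secret is declared as a bare `{ }`, so a rotated key in `secrets.yaml` is written to `/run/secrets/...` on switch but the running interface keeps the old key until its unit restarts; declaring `"wg/wg-zw-seckey".restartUnits = [ "wg-quick-wg-zw.service" ];` (and the matching `wg-quick-wg-dvb` / `wg-quick-mlwd-nl` units for the other two) makes rotation take effect on `nixos-rebuild switch`. The sops-nix defaults of root ownership and mode 0400 are appropriate because wg-quick reads the key as root, and a comment saying so saves the next reader a lookup, e.g. `# defaults (root:root, 0400) are fine: wg-quick reads the key as root`. Decryption is keyed off `/etc/ssh/ssh_host_ed25519_key`, so rotating the host SSH key silently breaks boot-time decryption until the derived age recipient in `.sops.yaml` is updated and the file re-keyed; `# host identity is derived from the SSH host key — run sops updatekeys if it ever rotates` on that line documents the coupling.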
@ -3,7 +3,7 @@
|
||||||
{
|
{
|
||||||
networking.wg-quick.interfaces = {
|
networking.wg-quick.interfaces = {
|
||||||
wg-zw = {
|
wg-zw = {
|
||||||
privateKeyFile="/etc/wg/zw-wg-key";
|
privateKeyFile=config.sops.secrets."wg/wg-zw-seckey".path;
|
||||||
address = ["172.20.76.226" ];
|
address = ["172.20.76.226" ];
|
||||||
dns = [ "172.20.73.8" ];
|
dns = [ "172.20.73.8" ];
|
||||||
peers = [
|
peers = [
|
||||||
|
@ -15,7 +15,7 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
wg-dvb = {
|
wg-dvb = {
|
||||||
privateKeyFile="/etc/wg/wg-dvb";
|
privateKeyFile=config.sops.secrets."wg/wg-dvb-seckey".path;
|
||||||
address = [ "10.13.37.3/32" ];
|
address = [ "10.13.37.3/32" ];
|
||||||
|
|
||||||
peers = [
|
peers = [
|
||||||
|
@ -29,7 +29,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
mlwd-nl = {
|
mlwd-nl = {
|
||||||
privateKeyFile = "/etc/wg/mlvd";
|
privateKeyFile=config.sops.secrets."wg/mlwd-nl-seckey".path;
|
||||||
address = [ "10.65.79.164/32" "fc00:bbbb:bbbb:bb01::2:4fa3/128" ];
|
address = [ "10.65.79.164/32" "fc00:bbbb:bbbb:bb01::2:4fa3/128" ];
|
||||||
dns = [ "193.138.218.74" ];
|
dns = [ "193.138.218.74" ];
|
||||||
|
|
||||||
|
|
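Review bot: The three rewritten `privateKeyFile` lines now read `config.sops.secrets.….path`, but the old lines never referenced `config`, so the module's argument set on line 1 — outside every hunk shown — must include `config` (`{ config, ... }:`) or evaluation fails on an undefined variable; please confirm. The commit also leaves the plaintext keys the old lines pointed at (`/etc/wg/zw-wg-key`, `/etc/wg/wg-dvb`, `/etc/wg/mlvd`) in place, and they remain valid copies of the same private keys, so they should be shredded from the host once the sops-backed paths are confirmed working. Style nit: the new lines drop the spaces around `=` (`privateKeyFile=config.…`) while the neighbouring attributes keep them; `privateKeyFile = config.sops.secrets."wg/wg-zw-seckey".path;` matches the rest of the file.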
44
secrets/secrets.yaml
Normal file
44
secrets/secrets.yaml
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
wg:
|
||||||
|
wg-zw-seckey: ENC[AES256_GCM,data:fkt4UEVgmmFw6UFUEs6T5/CePKo1Z/hc8pu+Bj6fWT/p/1eE14Y3TgxfMks=,iv:SN97FG5Lquhc7k9R1Aavu7hE1zoY4FAnacvapdLkBkk=,tag:l82y7vwieanfYRRjfqKJoA==,type:str]
|
||||||
|
wg-dvb-seckey: ENC[AES256_GCM,data:a1OuEOnSwCqwfL6+TYhyU1lkRcDeW2wAJetytc8ry8kJicPGMkqSHJvRdBs=,iv:oS1olgSuhR3J0LW8OSDSYMSHxxhBehdEP0VnQIKqOAM=,tag:CXkL5lOF91KluH3yGWwzTA==,type:str]
|
||||||
|
mlwd-nl-seckey: ENC[AES256_GCM,data:YM7dq8aRm7qNECiE3NR4B8BId4MioPS8zoeiSOPBJfh+LuXf8yQ5ZI3opNg=,iv:9xwVbKstq2mj1hzL2PS1Wlr3pgaW6Kl/WAG7CJjug7c=,tag:BqIyxZDWnVGpBsZCPhkeuQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1eysr2m8ust6gq9jk88lpzzcy8gdrzlts69zlfqul766t6gvqw9qq24z68l
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRkdhUkt4WGpkSDJGQUdN
|
||||||
|
MDcrb0RUTTdDUEdQclVvOC92d2ZBS2pOMGlRCk82dXRIcW9UcTVkMzgyMDV6NEV3
|
||||||
|
bW8wbVQ4Ulk4ak1QNHFaU0RjTWZaWmsKLS0tIHBSZnlkWEV6SHg2MFVLemNUdFhx
|
||||||
|
TjlMN1JLazV4YldTNlZwSldsREZNMjAKGMAs2yOck92r8hdm3Iw4+Rio73WB/MLE
|
||||||
|
tyflDRSKJCRKV/IjDuFqTAlpdA7T4KOWwc7HyhdLVkhz2jyTBT/ioA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2022-05-29T12:22:15Z"
|
||||||
|
mac: ENC[AES256_GCM,data:qV8RPVlE2y25K+V8v+QqAT4RkzcSgFIHxZ2NwTirksr2Z10B+s7ZSVyvjVOtdINv4IDOuehSwXor4tbWSxrO1BIqoaBQ6hzMOCbB3RTQ/0LCmIqomIhqSWM6l7UubhCV1Nem8D1MI7325VRPnfLvX8ZprCMANZ+sQVALVEs71QY=,iv:QqMaRhisaMkIe+huAQx51BikBemtH3L03BEvBJGK1Wg=,tag:dOFAZbbwhW3bvVBy5CWiIw==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2022-05-29T12:17:48Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
wcFMA7zUOKwzpAE7ARAAIBnPyH3j8i9Xx6GZM1TPf5MIN7ZaGGJomxBpydmUW+sO
|
||||||
|
4bMKWBrlMVlY6HXhmZ5HbPf5IZsPNDBaCZxN1R9GD2y644hqheeR3GcLsCKGRoCq
|
||||||
|
tBsxghOulbq0bjM5FEMh5+T6sju5/7qZMGftoUbDkJ7UiPRrmx8FkXytVcA8FO7J
|
||||||
|
C8Fd4APyzAORqvRoJqzKQEZ26lNqrhH2sW1Hm4+4BWKuRb5aAnz0Pi4miDi4ulJ3
|
||||||
|
GsBAdXdfl5iZOr7JPNg8QhO0+sB9M96JVHV4ZddLq1J+9dqHZHW5ygekIxBvXxQt
|
||||||
|
pn+Lu7zjNtEXYz//WC/FmJCqp252JvDMpllpqg10f5LPqbHcSS82qC4kSSojc5AW
|
||||||
|
gfZQ4u7msp1EewFMwOjGWpqYstxarKsBR2yS5oJvSYvGJUcN4WR+Fqk2sj73YRqs
|
||||||
|
hTnANswT5UKivzPFW6T4NBnCRXptcFrZrmudzBI7ONcS6coY9qa7BHrjeEmZuhf/
|
||||||
|
uAIUYA6lz1sAiocfb7VLPZBLxDpM3lM0eePIKlcfu036v/9ptso+CEFtaKzBeSr7
|
||||||
|
nDfDu/h9VKT/dWobg/qrv7/sY3BM6sdQ3UBBxtL/yiETBA1mp0zil+e61mMyf5ij
|
||||||
|
pA4x5wmg1CstMbkCqq9uduPTRT5AKQrNM5ZDpSPSp1b/X1juXnTo/cwq/j46P37S
|
||||||
|
5gFf/xIEuDZGBkkbVsV0nMn399WaCoUIOnj3RD611IJdIb63/Szj4J4JT1AeyJh8
|
||||||
|
EIuWYy+qZBkt5HyfrKmXH1zkt8KdNYJONaLsRDFR+2Xqc+KJn5CUAA==
|
||||||
|
=aw7c
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.2
|