sops: init

2022-05-29 14:33:39 +02:00 · 2022-05-29 14:33:39 +02:00 · b8608870c9
commit b8608870c9
parent 903ad98313
5 changed files with 70 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,10 @@
+keys:
+  - &admin_oxa DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+  - &microwave age1eysr2m8ust6gq9jk88lpzzcy8gdrzlts69zlfqul766t6gvqw9qq24z68l
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *admin_oxa
+        age:
+        - *microwave
--- a/flake.nix
+++ b/flake.nix
@ -19,7 +19,9 @@
        system = "x86_64-linux";
        specialArgs = { inherit inputs; };
        modules = [
+          sops-nix.nixosModules.sops
          ./hosts/microwave/configuration.nix
+          ./hosts/microwave/secrets.nix
          ./hosts/microwave/hardware-configuration.nix
          ./modules/graphical.nix
          ./modules/hw-accel-intel.nix
--- a/hosts/microwave/secrets.nix
+++ b/hosts/microwave/secrets.nix
@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  sops.defaultSopsFile = ../../secrets/secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/wg-zw-seckey" = { };
+    "wg/wg-dvb-seckey" = { };
+    "wg/mlwd-nl-seckey" = { };
+  };
+}
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -3,7 +3,7 @@
 {
  networking.wg-quick.interfaces = {
    wg-zw = {
-      privateKeyFile="/etc/wg/zw-wg-key";
+      privateKeyFile=config.sops.secrets."wg/wg-zw-seckey".path;
      address = ["172.20.76.226" ];
      dns = [ "172.20.73.8" ];
      peers = [
@ -15,7 +15,7 @@
      ];
    };
    wg-dvb = {
-      privateKeyFile="/etc/wg/wg-dvb";
+      privateKeyFile=config.sops.secrets."wg/wg-dvb-seckey".path;
      address = [ "10.13.37.3/32" ];

      peers = [
@ -29,7 +29,7 @@
    };

    mlwd-nl = {
-      privateKeyFile = "/etc/wg/mlvd";
+      privateKeyFile=config.sops.secrets."wg/mlwd-nl-seckey".path;
      address = [ "10.65.79.164/32" "fc00:bbbb:bbbb:bb01::2:4fa3/128" ];
      dns = [ "193.138.218.74" ];

--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,44 @@
+wg:
+    wg-zw-seckey: ENC[AES256_GCM,data:fkt4UEVgmmFw6UFUEs6T5/CePKo1Z/hc8pu+Bj6fWT/p/1eE14Y3TgxfMks=,iv:SN97FG5Lquhc7k9R1Aavu7hE1zoY4FAnacvapdLkBkk=,tag:l82y7vwieanfYRRjfqKJoA==,type:str]
+    wg-dvb-seckey: ENC[AES256_GCM,data:a1OuEOnSwCqwfL6+TYhyU1lkRcDeW2wAJetytc8ry8kJicPGMkqSHJvRdBs=,iv:oS1olgSuhR3J0LW8OSDSYMSHxxhBehdEP0VnQIKqOAM=,tag:CXkL5lOF91KluH3yGWwzTA==,type:str]
+    mlwd-nl-seckey: ENC[AES256_GCM,data:YM7dq8aRm7qNECiE3NR4B8BId4MioPS8zoeiSOPBJfh+LuXf8yQ5ZI3opNg=,iv:9xwVbKstq2mj1hzL2PS1Wlr3pgaW6Kl/WAG7CJjug7c=,tag:BqIyxZDWnVGpBsZCPhkeuQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1eysr2m8ust6gq9jk88lpzzcy8gdrzlts69zlfqul766t6gvqw9qq24z68l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRkdhUkt4WGpkSDJGQUdN
+            MDcrb0RUTTdDUEdQclVvOC92d2ZBS2pOMGlRCk82dXRIcW9UcTVkMzgyMDV6NEV3
+            bW8wbVQ4Ulk4ak1QNHFaU0RjTWZaWmsKLS0tIHBSZnlkWEV6SHg2MFVLemNUdFhx
+            TjlMN1JLazV4YldTNlZwSldsREZNMjAKGMAs2yOck92r8hdm3Iw4+Rio73WB/MLE
+            tyflDRSKJCRKV/IjDuFqTAlpdA7T4KOWwc7HyhdLVkhz2jyTBT/ioA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-05-29T12:22:15Z"
+    mac: ENC[AES256_GCM,data:qV8RPVlE2y25K+V8v+QqAT4RkzcSgFIHxZ2NwTirksr2Z10B+s7ZSVyvjVOtdINv4IDOuehSwXor4tbWSxrO1BIqoaBQ6hzMOCbB3RTQ/0LCmIqomIhqSWM6l7UubhCV1Nem8D1MI7325VRPnfLvX8ZprCMANZ+sQVALVEs71QY=,iv:QqMaRhisaMkIe+huAQx51BikBemtH3L03BEvBJGK1Wg=,tag:dOFAZbbwhW3bvVBy5CWiIw==,type:str]
+    pgp:
+        - created_at: "2022-05-29T12:17:48Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7zUOKwzpAE7ARAAIBnPyH3j8i9Xx6GZM1TPf5MIN7ZaGGJomxBpydmUW+sO
+            4bMKWBrlMVlY6HXhmZ5HbPf5IZsPNDBaCZxN1R9GD2y644hqheeR3GcLsCKGRoCq
+            tBsxghOulbq0bjM5FEMh5+T6sju5/7qZMGftoUbDkJ7UiPRrmx8FkXytVcA8FO7J
+            C8Fd4APyzAORqvRoJqzKQEZ26lNqrhH2sW1Hm4+4BWKuRb5aAnz0Pi4miDi4ulJ3
+            GsBAdXdfl5iZOr7JPNg8QhO0+sB9M96JVHV4ZddLq1J+9dqHZHW5ygekIxBvXxQt
+            pn+Lu7zjNtEXYz//WC/FmJCqp252JvDMpllpqg10f5LPqbHcSS82qC4kSSojc5AW
+            gfZQ4u7msp1EewFMwOjGWpqYstxarKsBR2yS5oJvSYvGJUcN4WR+Fqk2sj73YRqs
+            hTnANswT5UKivzPFW6T4NBnCRXptcFrZrmudzBI7ONcS6coY9qa7BHrjeEmZuhf/
+            uAIUYA6lz1sAiocfb7VLPZBLxDpM3lM0eePIKlcfu036v/9ptso+CEFtaKzBeSr7
+            nDfDu/h9VKT/dWobg/qrv7/sY3BM6sdQ3UBBxtL/yiETBA1mp0zil+e61mMyf5ij
+            pA4x5wmg1CstMbkCqq9uduPTRT5AKQrNM5ZDpSPSp1b/X1juXnTo/cwq/j46P37S
+            5gFf/xIEuDZGBkkbVsV0nMn399WaCoUIOnj3RD611IJdIb63/Szj4J4JT1AeyJh8
+            EIuWYy+qZBkt5HyfrKmXH1zkt8KdNYJONaLsRDFR+2Xqc+KJn5CUAA==
+            =aw7c
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2