From 7b9f59a5bbf74bd935840cc472f8fdd78dc1dd95 Mon Sep 17 00:00:00 2001
From: Daylin Morgan
Date: Thu, 28 Nov 2024 19:15:05 -0600
Subject: [PATCH] add some secrets for use in algiz
---
 .sops.yaml | 6 ++++++
 hosts/algiz/default.nix | 11 ++++++++++-
 hosts/algiz/secrets.yaml | 21 +++++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 hosts/algiz/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 9cc3593..95bdbbb 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,7 +6,13 @@ keys:
 - &admin_daylin age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3
 - &host_othalan age1t4k04mjltmmhljnwugm6y4dejtu72vv4fd4anxxfsdpkapfnfauqe765gy
 creation_rules:
+ - path_regex: hosts/(.*)/[^/]+\.(yaml|json|env|ini)$
+ # - path_regex: hosts/algiz/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_daylin
 - path_regex: hosts/othalan/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
 - age:
 - *admin_daylin
diff --git a/hosts/algiz/default.nix b/hosts/algiz/default.nix
index ff6ceb9..c5a577e 100644
--- a/hosts/algiz/default.nix
+++ b/hosts/algiz/default.nix
@@ -1,4 +1,5 @@
 {
+ config,
 enabled,
 enableAttrs,
 listify,
@@ -15,7 +16,8 @@
 user = "root";
 rcloneConfigFile = "/home/daylin/.config/rclone/rclone.conf";
 repository = "rclone:g:archives/algiz";
- passwordFile = "/home/daylin/.config/restic/algiz-pass";
+ # passwordFile = "/home/daylin/.config/restic/algiz-pass";
+ passwordFile = config.sops.secrets.restic-algiz.path;
 paths = [
 "/home/daylin/services/git/"
 "/home/daylin/services/gotosocial/"
@@ -26,4 +28,11 @@
 # git user handles the forgjo ssh authentication
 users.users.git.isNormalUser = true;
+
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets.yaml;
+ # by default is accessible only by root:root which should work with above service
+ secrets.restic-algiz = { };
+ };
 }
diff --git a/hosts/algiz/secrets.yaml b/hosts/algiz/secrets.yaml
new file mode 100644
index 0000000..19cd42c
--- /dev/null
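Review bot: The new `hosts/(.*)/…` creation rule encrypts only to `*admin_daylin`, while hosts/algiz/default.nix in this same commit sets `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`, so algiz will decrypt secrets.yaml with an age identity derived from its own host key — a recipient that appears neither in this rule nor in the `age:` section of the new hosts/algiz/secrets.yaml (which lists only age10ft5…, the admin key). Unless that host key happens to be the `admin_daylin` identity, activation on algiz cannot decrypt `restic-algiz`; add the host's recipient as a key anchor next to `&host_othalan` (e.g. `- &host_algiz <AGE_RECIPIENT_PLACEHOLDER>`), reference it in this rule's key group, and re-encrypt with `sops updatekeys hosts/algiz/secrets.yaml`. Separately, sops applies the first matching creation rule, and `hosts/(.*)/` also matches `hosts/othalan/…`, so the othalan-specific rule below is now shadowed; whether that drops `*host_othalan` from othalan's files on the next updatekeys depends on the rest of that rule, which the collapsed hunk does not show clearly. The commented-out `# - path_regex: hosts/algiz/[^/]+\.(yaml|json|env|ini)$` line is dead and should be removed rather than kept as an alternative.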
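Review bot: The old `passwordFile` line is kept as a comment directly above the new `passwordFile = config.sops.secrets.restic-algiz.path;`, leaving two assignments of the same attribute in the file, one of them dead. Git history already preserves the previous plaintext path, so drop `# passwordFile = "/home/daylin/.config/restic/algiz-pass";` outright; if the intent is to document the migration, a comment such as `# restic password now comes from sops (see sops.secrets.restic-algiz below)` says that without a stale assignment. The enclosing restic backup attribute set starts and ends outside this hunk.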
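Review bot: The comment on `secrets.restic-algiz = { };` ("by default is accessible only by root:root which should work with above service") leaves the actual dependency implicit: it holds only because the restic backup above runs with `user = "root"`, and anyone changing that user will get an unreadable secret rather than a hint. State the coupling explicitly, e.g. `# root-owned, mode 0400 by default; sufficient only while the restic backup above runs as user = "root" — set owner/group here if that changes.` Note also that `defaultSopsFile = ./secrets.yaml` is only useful if the host's own age recipient is in that file, which the secrets.yaml hunk in this commit does not show (raised on the .sops.yaml hunk above).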
+++ b/hosts/algiz/secrets.yaml
@@ -0,0 +1,21 @@
+restic-algiz: ENC[AES256_GCM,data:r7z1s5pSEIlg2laRmY4D,iv:nfajL8J2A8G80NqMBw/t1tFXCsK9JbTzUgFTisf5JLk=,tag:LWOT9vVzuinXD+AYwk35jA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZUJhVVV1SFBEV1BNRS9D
+ TlhhMW1RbGtaam1FYnppcURlU0VVekRNTUNvCk50aW4yaWJpVTZPK3dPMWI3UjBY
+ L3k5c1lnejl5M1FxZC9TQU8yWVNZRlkKLS0tIEZHRXNLZG1McFFOeVpWUWtHYUl3
+ YWlZMzI4eUoxMW5SanJxSzVpRmJnQlUKPiZnIuBQ5E0A5yorjmoI2pehpMDQ7TNs
+ 3IvyW+HUOnM/gCJqKBzR/Iqlk74mRKoDb5GuOiUpy7yN/1vrMdHQmw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-29T01:19:00Z"
+ mac: ENC[AES256_GCM,data:J8jbVgwtqck2Sis03re93cVyFw1tMrPc+nnWmlDGoLWh6Jrxq8n+Eac7nsIxU/pZVnY+1x68lAz/2+YHPe8zxChz3f6O2ebscQaAo9M7gG76W2Rt6pDtrKXL7U2pDbjx0p5RwZQM/1tdeRbuUvJk/PYPJONiPVgi/bL6chd2Tew=,iv:brwJE8CZY0K6iRqB9ZUG1AwPfkISoSax692NZoyaNVQ=,tag:7/7V/jw/cgsCSJryrRMJMA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1