daylin/oizys
1
0
Fork 0
mirror of https://github.com/daylinmorgan/oizys.git synced 2024-12-21 21:50:43 -06:00
Code Issues Projects Releases Packages Wiki Activity

add some secrets for use in algiz

Browse source
This commit is contained in:
Daylin Morgan 2024-11-28 19:15:05 -06:00
parent 0447eb645a
commit 7b9f59a5bb
Signed by: daylin
GPG key ID: 950D13E9719334AD
3 changed files with 37 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -6,7 +6,13 @@ keys:
- &admin_daylin age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3 - &admin_daylin age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3
- &host_othalan age1t4k04mjltmmhljnwugm6y4dejtu72vv4fd4anxxfsdpkapfnfauqe765gy - &host_othalan age1t4k04mjltmmhljnwugm6y4dejtu72vv4fd4anxxfsdpkapfnfauqe765gy
creation_rules: creation_rules:
- path_regex: hosts/(.*)/[^/]+\.(yaml|json|env|ini)$
# - path_regex: hosts/algiz/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *admin_daylin
- path_regex: hosts/othalan/[^/]+\.(yaml|json|env|ini)$ - path_regex: hosts/othalan/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- age: - age:
- *admin_daylin - *admin_daylin

11
hosts/algiz/default.nix
View file

@ -1,4 +1,5 @@
{ {
config,
enabled, enabled,
enableAttrs, enableAttrs,
listify, listify,
@ -15,7 +16,8 @@
user = "root"; user = "root";
rcloneConfigFile = "/home/daylin/.config/rclone/rclone.conf"; rcloneConfigFile = "/home/daylin/.config/rclone/rclone.conf";
repository = "rclone:g:archives/algiz"; repository = "rclone:g:archives/algiz";
passwordFile = "/home/daylin/.config/restic/algiz-pass"; # passwordFile = "/home/daylin/.config/restic/algiz-pass";
passwordFile = config.sops.secrets.restic-algiz.path;
paths = [ paths = [
"/home/daylin/services/git/" "/home/daylin/services/git/"
"/home/daylin/services/gotosocial/" "/home/daylin/services/gotosocial/"
@ -26,4 +28,11 @@
# git user handles the forgjo ssh authentication # git user handles the forgjo ssh authentication
users.users.git.isNormalUser = true; users.users.git.isNormalUser = true;
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml;
# by default is accessible only by root:root which should work with above service
secrets.restic-algiz = { };
};
} }

21
hosts/algiz/secrets.yaml Normal file
View file

@ -0,0 +1,21 @@
restic-algiz: ENC[AES256_GCM,data:r7z1s5pSEIlg2laRmY4D,iv:nfajL8J2A8G80NqMBw/t1tFXCsK9JbTzUgFTisf5JLk=,tag:LWOT9vVzuinXD+AYwk35jA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZUJhVVV1SFBEV1BNRS9D
TlhhMW1RbGtaam1FYnppcURlU0VVekRNTUNvCk50aW4yaWJpVTZPK3dPMWI3UjBY
L3k5c1lnejl5M1FxZC9TQU8yWVNZRlkKLS0tIEZHRXNLZG1McFFOeVpWUWtHYUl3
YWlZMzI4eUoxMW5SanJxSzVpRmJnQlUKPiZnIuBQ5E0A5yorjmoI2pehpMDQ7TNs
3IvyW+HUOnM/gCJqKBzR/Iqlk74mRKoDb5GuOiUpy7yN/1vrMdHQmw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-29T01:19:00Z"
mac: ENC[AES256_GCM,data:J8jbVgwtqck2Sis03re93cVyFw1tMrPc+nnWmlDGoLWh6Jrxq8n+Eac7nsIxU/pZVnY+1x68lAz/2+YHPe8zxChz3f6O2ebscQaAo9M7gG76W2Rt6pDtrKXL7U2pDbjx0p5RwZQM/1tdeRbuUvJk/PYPJONiPVgi/bL6chd2Tew=,iv:brwJE8CZY0K6iRqB9ZUG1AwPfkISoSax692NZoyaNVQ=,tag:7/7V/jw/cgsCSJryrRMJMA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1