diff --git a/.sops.yaml b/.sops.yaml index 5b5a57c..a5922c5 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,7 +1,9 @@ keys: - - &primary age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn + - &1password age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn + - &lola-ad age1qf4c4asf7wcqqyd9aju8fq9dvum4ptcqr8dd6xqengsf6jx7daqqtgup30 creation_rules: - path_regex: secrets/secrets.yaml$ key_groups: - age: - - *primary \ No newline at end of file + - *1password + - *lola-ad diff --git a/README.md b/README.md index effe990..561cc03 100644 --- a/README.md +++ b/README.md @@ -71,10 +71,14 @@ nixos-rebuild switch --flake git+https://gitea.john-stream.com/john/ad-nix#ad-ni ### Secrets +During build time `/etc/ssh/ssh_host_ed25519_key` automatically gets imported as an age key. If that fingerprint is included in the `.sops.yaml` file, then `secrets/secrets.yaml` can be decrypted during the build. Otherwise `~/.config/sops/age/keys.txt` needs to already be populated. + `secrets/secrets.yaml` needs to be edited from the terminal. There's a `sops-ad` command for convenience. The following keys are required: - `telegraf_influx_token` +`~/.config/sops/age/keys.txt` needs to be set for the `sops-ad` command to work. + ### Tailscale Needs this in the `/etc/pve/lxc/.conf` file on the proxmox host. diff --git a/configuration.nix b/configuration.nix index 4e42277..be31e0b 100644 --- a/configuration.nix +++ b/configuration.nix @@ -16,8 +16,10 @@ sops.defaultSopsFile = ./secrets/secrets.yaml; sops.defaultSopsFormat = "yaml"; - # This is needed for nix to access the secrets at build time. It doesn't affect gets used for the `sops ...` command - sops.age.keyFile = "${userSettings.adHome}/.config/sops/age/keys.txt"; + # This is needed for nix to access the secrets at build time. + # It doesn't affect for the `sops ...` command + # Optional if the system has the key age for /etc/ssh/ssh_host_ed25519_key in .sops.yaml + # sops.age.keyFile = "${userSettings.adHome}/.config/sops/age/keys.txt"; environment.systemPackages = with pkgs; [ bash diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 3e64802..642593b 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -8,11 +8,20 @@ sops: - recipient: age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Tkc4Yml1R28zdlppY1dN - dnJMS0tLZTZQSWtNVGZDbHBKaUJ5RjJhdkZRClQ4K08rbUVoRm5jTGV0M3RzdUZv - T0tWbnFrYnNOQ1dXV21ka0dZZ0QyNk0KLS0tIC9FLzBHSVhXT0FYalc4L3VSVXNa - dmR2a2QvZVRPc3ZFc1EvVWZqMTdQcncKTc4D3riTbEcv3eeREFMIZYQk7aDvDZEt - xBCoMNVjYaLIy9ljNfLGKh0J/wed0MC6wBIfABuH6eanEvV4ob+xnw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAralB5SnNwckUxMkRad0Jr + U2xMRVpnUU9GNHpZTEtLdnpwc2tmT08rQmpNCnFzdHpOdWFpZzBNR1lUSHR5U3lr + Vk1HTEQ3REFvdUg1T0hMM014N3BtcVEKLS0tIE5LUTF4Qk1XSXlNNkxNN2pnVi9P + TXd3eUJyYTZYaENSV3FEU2pGbFc1RDQKMj8dOska8lpMAFKV2w6bbO/r01K/9Dw5 + Q/jp5XdYtyaGSZcxRnHHbJYldyKKYII9Rcm/uDNuMNA/gCFvbSLccA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qf4c4asf7wcqqyd9aju8fq9dvum4ptcqr8dd6xqengsf6jx7daqqtgup30 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWmtMR1Vuc0g2OCsxSjJ2 + eCs1bWJyT3g3QktRRHlzVFB6bkZjVjIwRlRFCmVtam9HWWErdlVwYkFrSUprZHR4 + bllDcWdCT2ZiRFpaQ1lVZVBSb05kb2MKLS0tIGgrRUx4TTljdDVGVCtxN0kyZGRL + Vm1ldGhPRmNyZHErekRlbFBZQy8wK0EKY2vsWzqtX5w4vM0aLGEN2ZO0Rm9slcKk + 6Yx2KvJAT6dNg2lqjzXYYS/MvnpOrW6fA46bmWKaAl9IzKhyW+2avw== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-12-18T02:36:09Z" mac: ENC[AES256_GCM,data:lXFJxFQJy9qNu2dVo+UBIfDNAeZ4U2n5c085qYmAShJrY2OiX0+Dv6n4kLg1ohgPni0VG6tAayPghHkStQPT7chFZwlAlvRol1kELWDukygWgPfZqvooDlPlH3ews16TtEM/B/cTOYFZA3X82nJgjcoEFjUHasWg2Ryic5mWe0I=,iv:ys1nRfNV6gawPjPfjfJfLGSSSsiauNEJVMMTAzcoGf4=,tag:UowQI9F59EzDEyTROACI0A==,type:str]