secrets updates

.sops.yaml

@@ -1,7 +1,9 @@
 keys:
-  - &primary age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
+  - &1password age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
+  - &lola-ad age1qf4c4asf7wcqqyd9aju8fq9dvum4ptcqr8dd6xqengsf6jx7daqqtgup30
 creation_rules:
   - path_regex: secrets/secrets.yaml$
     key_groups:
     - age:
-      - *primary
+      - *1password
+      - *lola-ad

README.md

@@ -71,10 +71,14 @@ nixos-rebuild switch --flake git+https://gitea.john-stream.com/john/ad-nix#ad-ni
 
 ### Secrets
 
+During build time `/etc/ssh/ssh_host_ed25519_key` automatically gets imported as an age key. If that fingerprint is included in the `.sops.yaml` file, then `secrets/secrets.yaml` can be decrypted during the build. Otherwise `~/.config/sops/age/keys.txt` needs to already be populated.
+
 `secrets/secrets.yaml` needs to be edited from the terminal. There's a `sops-ad` command for convenience. The following keys are required:
 
 - `telegraf_influx_token`
 
+`~/.config/sops/age/keys.txt` needs to be set for the `sops-ad` command to work.
+
 ### Tailscale
 
 Needs this in the `/etc/pve/lxc/<vmid>.conf` file on the proxmox host.

configuration.nix

@@ -16,8 +16,10 @@
   sops.defaultSopsFile = ./secrets/secrets.yaml;
   sops.defaultSopsFormat = "yaml";
   
-  # This is needed for nix to access the secrets at build time. It doesn't affect gets used for the `sops ...` command
-  sops.age.keyFile = "${userSettings.adHome}/.config/sops/age/keys.txt";
+  # This is needed for nix to access the secrets at build time.
+  # It doesn't affect for the `sops ...` command
+  # Optional if the system has the key age for /etc/ssh/ssh_host_ed25519_key in .sops.yaml
+  # sops.age.keyFile = "${userSettings.adHome}/.config/sops/age/keys.txt";
 
   environment.systemPackages = with pkgs; [
     bash

secrets/secrets.yaml

@@ -8,11 +8,20 @@ sops:
         - recipient: age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Tkc4Yml1R28zdlppY1dN
-            dnJMS0tLZTZQSWtNVGZDbHBKaUJ5RjJhdkZRClQ4K08rbUVoRm5jTGV0M3RzdUZv
-            T0tWbnFrYnNOQ1dXV21ka0dZZ0QyNk0KLS0tIC9FLzBHSVhXT0FYalc4L3VSVXNa
-            dmR2a2QvZVRPc3ZFc1EvVWZqMTdQcncKTc4D3riTbEcv3eeREFMIZYQk7aDvDZEt
-            xBCoMNVjYaLIy9ljNfLGKh0J/wed0MC6wBIfABuH6eanEvV4ob+xnw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAralB5SnNwckUxMkRad0Jr
+            U2xMRVpnUU9GNHpZTEtLdnpwc2tmT08rQmpNCnFzdHpOdWFpZzBNR1lUSHR5U3lr
+            Vk1HTEQ3REFvdUg1T0hMM014N3BtcVEKLS0tIE5LUTF4Qk1XSXlNNkxNN2pnVi9P
+            TXd3eUJyYTZYaENSV3FEU2pGbFc1RDQKMj8dOska8lpMAFKV2w6bbO/r01K/9Dw5
+            Q/jp5XdYtyaGSZcxRnHHbJYldyKKYII9Rcm/uDNuMNA/gCFvbSLccA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qf4c4asf7wcqqyd9aju8fq9dvum4ptcqr8dd6xqengsf6jx7daqqtgup30
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWmtMR1Vuc0g2OCsxSjJ2
+            eCs1bWJyT3g3QktRRHlzVFB6bkZjVjIwRlRFCmVtam9HWWErdlVwYkFrSUprZHR4
+            bllDcWdCT2ZiRFpaQ1lVZVBSb05kb2MKLS0tIGgrRUx4TTljdDVGVCtxN0kyZGRL
+            Vm1ldGhPRmNyZHErekRlbFBZQy8wK0EKY2vsWzqtX5w4vM0aLGEN2ZO0Rm9slcKk
+            6Yx2KvJAT6dNg2lqjzXYYS/MvnpOrW6fA46bmWKaAl9IzKhyW+2avw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-12-18T02:36:09Z"
     mac: ENC[AES256_GCM,data:lXFJxFQJy9qNu2dVo+UBIfDNAeZ4U2n5c085qYmAShJrY2OiX0+Dv6n4kLg1ohgPni0VG6tAayPghHkStQPT7chFZwlAlvRol1kELWDukygWgPfZqvooDlPlH3ews16TtEM/B/cTOYFZA3X82nJgjcoEFjUHasWg2Ryic5mWe0I=,iv:ys1nRfNV6gawPjPfjfJfLGSSSsiauNEJVMMTAzcoGf4=,tag:UowQI9F59EzDEyTROACI0A==,type:str]