From 7d02cab3011030d385ce69375fa43ff777a1b279 Mon Sep 17 00:00:00 2001
From: derped
Date: Sat, 17 Jun 2023 18:10:50 +0200
Subject: [PATCH] Add sops secrets for Marid.
---
 machines/Marid/configuration.nix | 3 +++
 machines/Marid/secrets.yaml | 37 ++++++++++++++++++++++++++++++++
 machines/Marid/sops.nix | 14 ++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 machines/Marid/secrets.yaml
 create mode 100644 machines/Marid/sops.nix
diff --git a/machines/Marid/configuration.nix b/machines/Marid/configuration.nix
index 22a41f0..c1cdd60 100644
--- a/machines/Marid/configuration.nix
+++ b/machines/Marid/configuration.nix
@@ -2,6 +2,9 @@
 {
 services.cron.enable = false;
+ security.pki.certificateFiles = [
+ config.sops.secrets."certs/proxy".path
+ ];
 networking.dhcpcd.extraConfig = "noarp";
 system.stateVersion = "21.05";
 }
diff --git a/machines/Marid/secrets.yaml b/machines/Marid/secrets.yaml
new file mode 100644
index 0000000..1e01a74
--- /dev/null
+++ b/machines/Marid/secrets.yaml
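Review bot: `security.pki.certificateFiles` is, as far as I recall, read when the system CA bundle derivation is built, whereas `config.sops.secrets."certs/proxy".path` is a runtime path that sops-nix only populates at activation, so the bundle build is likely to fail (or be built without this certificate) — please confirm with a test build before relying on the proxy trust anchor. A CA certificate is public material and does not need sops at all; keeping the PEM in the repo and writing `security.pki.certificateFiles = [ ./proxy-ca.pem ];` (file name is a placeholder) or `security.pki.certificates = [ (builtins.readFile ./proxy-ca.pem) ];` makes the bundle reproducible and removes the coupling to sops.nix. The hunk starts at line 2 of the file, so whether `config` is bound by this file's function header is not visible here.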
@@ -0,0 +1,37 @@
+users:
+ derped:
+ password: ENC[AES256_GCM,data:bSkIZ3CrpnYPzmOZSp/J6y2IUXOe2kszqRYH1ffv7UQgE0sbbbRD/Re5b/p2RfJMhF7vRGH7QfSX6rcTMktyf4cnq14L655OHrah4/+J9YgRRYtGKNeVxr6DJAFPcoW3nc99,iv:NI9lm0SeNN0keDxeLoa+tU6LCfDkICJNCMm90+kKd5c=,tag:edoH4DVqjnu4233DXk5GIg==,type:str]
+certs:
+ proxy: ENC[AES256_GCM,data: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,iv:vyUBk+7VryI+u1yIkPYLYV13gZVE2P9q4T/pmz92OqY=,tag:htempltVO7hkJI0Wfkgm/A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rnd5UndnWlVUd3RQdEs1
+ S2c3OTFMbmwwdE1WWE5wSEhVQ1NIenJDMG5vCm0xMk1jTGJqTzVtVGwrMVBKNlF5
+ bGxHaURhSzRkdndZalRpT2VLOXhDbEkKLS0tIEd0T1AyR3RsT3NCaGhiZ3BtQUFi
+ MHl3cFVaa0pnbTR3NGhuTXp0dk5ob2cKh2aFZqv1C/m3rZvEKSl9sCYJ8lC/mofq
+ oaigG2BXkgVkcT9xhZufWkMDhS+mOZW7oL0m2DDM3M8cnSMx55ONFg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-06-17T17:35:37Z"
+ mac: ENC[AES256_GCM,data:r4VXy06lvBAtGMexX3zDg9VI67WYeWLS7g9zg9HIv9rZUfwF2/2ZAXDu4PC9Ree8navCb1JhRYpopkZqlm04ky/6XI8RgFfGHXrdtvJAMJeS3houHuL7xLHlEarPvlLfE53g0zZa/GJqBiPzv+VTFEibv6kRKhhQ3FyRgsqUrO4=,iv:cpX1FIhCivvzM6dN4e+z6A2Lo/crHxRffRDweIViehA=,tag:FHRX14G/ke8MgJMyge+eiQ==,type:str]
+ pgp:
+ - created_at: "2023-06-17T16:07:20Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DVbZwA9DOvl8SAQdAcdYIYiBbPSGSTJBzT5ZTV+4fJr8AdZcE5IpSEno7pVIw
+ k6f2fPf2VuXdfnHOFtSMvPfDCsWIqO9JLuue5Bgjd6yxyq7Ss7QqZpFFWjlW6V1A
+ 1GgBCQIQI8f3q64+P9CSec9gjmIhAv/ohOsMfBI3CozxHJhQO4B+N4CyZsCYvHrF
+ 6qUXpvXEMm6xkTvmXnMc6EEKEuIRMTm+pHEf8Uoz9NCGsWSBbNRFtL6fUZVKLQ09
+ lglDc2ZHhC6XJg==
+ =uWvi
+ -----END PGP MESSAGE-----
+ fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/machines/Marid/sops.nix b/machines/Marid/sops.nix
new file mode 100644
index 0000000..e9cde21
--- /dev/null
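Review bot: The only recipients able to decrypt this file are the age key `age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67` and the PGP key `1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2`, and the accompanying sops.nix enables `generateKey` for `/var/lib/sops-nix/key.txt`; unless that age recipient already is the key present on Marid, the host will generate a different key and activation will not be able to decrypt either secret. The commit does not record where the age recipient came from; if the repo does not already have a `.sops.yaml` creation rule covering `machines/Marid/secrets.yaml`, adding one (and running `sops updatekeys` on any future recipient change so the `mac` stays valid) would make the key set reviewable. Note also that `certs/proxy` holds a CA certificate, which is public; only `users/derped/password` actually needs the encryption.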
+++ b/machines/Marid/sops.nix
@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age = {
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ # TODO: auto loop over users
+ secrets."users/derped/password".neededForUsers = true;
+ secrets."certs/proxy".mode = "0440";
+ };
+}
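Review bot: `config` and `lib` are both bound in the signature on the hunk's first line but neither is referenced in the body, so `{ ... }:` is enough and avoids suggesting a dependency that does not exist. `secrets."certs/proxy".mode = "0440";` has no practical effect on its own: as far as I can tell sops-nix defaults the group to the owner's group (root), for which 0440 and the default 0400 are equivalent, so either set `owner`/`group` to the consumer that should read the file or drop the line. `generateKey = true;` creates a fresh key when `/var/lib/sops-nix/key.txt` is absent, while secrets.yaml in this commit is encrypted to one fixed age recipient, so first-boot decryption only works if that recipient already corresponds to the on-disk key; a comment above `generateKey` such as `# secrets.yaml must be encrypted to the public key of this file, otherwise activation cannot decrypt` would spare the next person bootstrapping a machine. The `# TODO: auto loop over users` could also mention that each added user needs `neededForUsers = true`, since that is the non-obvious part of the per-user entry.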