Secret management via sops-nix.

2024-09-21 10:24:16 +01:00
parent 9619607919
commit a79e666a85
9 changed files with 142 additions and 4 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,20 @@
+keys:
+  - &admin_ppetru age1kgkmean5tc0uwl4y8hpknfa2d7g5hka30gzrdnje9n6z2r733upqds0s4l
+  - &server_zippy age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac
+  - &server_chilly age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp
+  - &server_alo_cloud_1 age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z
+  - &server_c1 age1e7ejamlagumpgjw56h82e9rsz2aplgzmll4np073a9lyvxw2gauqswpqwl
+  - &server_c2 age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam
+  - &server_c3 age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_ppetru
+        - *server_zippy
+        - *server_chilly
+        - *server_alo_cloud_1
+        - *server_c1
+        - *server_c2
+        - *server_c3
+
--- a/common/global/default.nix
+++ b/common/global/default.nix
@@ -10,6 +10,7 @@
    ./nix.nix
    ./packages.nix
    ./show-changelog.nix
+    ./sops.nix
    ./sudo.nix
    ./tailscale.nix
  ];
--- a/common/global/packages.nix
+++ b/common/global/packages.nix
@@ -1,9 +1,12 @@
 { pkgs, ... }:
 {
  environment.systemPackages = with pkgs; [
+    age
    file
    lm_sensors # TODO: this shouldn't be installed on cloud nodes
    nodejs_20 # TODO: this is for one job on nomad, it should just be a dependency there
    neovim
+    sops
+    ssh-to-age
  ];
 }
--- a/common/global/sops.nix
+++ b/common/global/sops.nix
@@ -0,0 +1,5 @@
+{
+  sops = {
+    defaultSopsFile = ./../../secrets/secrets.yaml;
+  };
+}
--- a/common/user-ppetru.nix
+++ b/common/user-ppetru.nix
@@ -1,6 +1,7 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
  programs.fish.enable = true;
+  sops.secrets.ppetru-password.neededForUsers = true;
  users.users.ppetru = {
    isNormalUser = true;
    extraGroups = [
@@ -10,7 +11,7 @@

    shell = pkgs.fish;

-    hashedPassword = "$y$j9T$RStwCKefSqHTIiRo6u6Q50$Pp2dNUeJeUMH0HJdDoM/vXMQa2jqyTTPvvIzACHZhVB";
+    hashedPasswordFile = config.sops.secrets.ppetru-password.path;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdZ9dHN+DamoyRAIS8v7Ph85KyJ9zYdgwoqkp7F+smEJEdDKboHE5LA49IDQk4cgkR5xNEMtxANpJm+AXNAhQOPVl/w57vI/Z+TBtSvDoj8LuAvKjmmrPfok2iyD2IIlbctcw8ypn1revZwDb1rBFefpbbZdr5h+75tVqqmNebzxk6UQsfL++lU8HscWwYKzxrrom5aJL6wxNTfy7/Htkt4FHzoKAc5gcB2KM/q0s6NvZzX9WtdHHwAR1kib2EekssjDM9VLecX75Xhtbp+LrHOJKRnxbIanXos4UZUzaJctdNTcOYzEVLvV0BCYaktbI+uVvJcC0qo28bXbHdS3rTGRu8CsykFneJXnrrRIJw7mYWhJSTV9bf+6j/lnFNAurbiYmd4SzaTgbGjj2j38Gr/CTsyv8Rho7P3QUWbRRZnn4a7eVPtjGagqwIwS59YDxRcOy2Wdsw35ry/N2G802V7Cr3hUqeaAIev2adtn4FaG72C8enacYUeACPEhi7TYdsDzuuyt31W7AQa5Te4Uda20rTa0Y9N5Lw85uGB2ebbdYWlO2CqI/m+xNYcPkKqL7zZILz782jDw1sxWd/RUbEgJNrWjsKZ7ybiEMmhpw5vLiMGOeqQWIT6cBCNjocmW0ocU+FBLhhioyrvuZOyacoEZLoklatsL0DMkvvkbT0Ew== petru@paler.net"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+QbeQG/gTPJ2sIMPgZ3ZPEirVo5qX/carbZMKt50YN petru@happy"
--- a/flake.lock
+++ b/flake.lock
@@ -354,7 +354,31 @@
        "nix-index-database": "nix-index-database",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
-        "nixvim": "nixvim"
+        "nixvim": "nixvim",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726524647,
+        "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@@ -22,6 +22,11 @@
      inputs.nixpkgs.follows = "nixpkgs-unstable";
      inputs.home-manager.follows = "home-manager";
    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs-stable.follows = "nixpkgs";
+    };
  };

  outputs =
@@ -31,6 +36,8 @@
      nixpkgs-unstable,
      deploy-rs,
      disko,
+      home-manager,
+      sops-nix,
      ...
    }@inputs:
    let
@@ -51,7 +58,8 @@
              }
            )
            disko.nixosModules.disko
-            inputs.home-manager.nixosModules.home-manager
+            sops-nix.nixosModules.sops
+            home-manager.nixosModules.home-manager
            {
              home-manager = {
                useGlobalPkgs = true;
--- a/home/default.nix
+++ b/home/default.nix
@@ -21,6 +21,7 @@
      directories = [
        ".cache/nix"
        ".cache/nix-index"
+        ".config/sops/"
        ".local/share/fish"
        ".ssh"
        "projects"
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -0,0 +1,75 @@
+ppetru-password: ENC[AES256_GCM,data:3q1oSiMObDDC0pRErkoCbttofFlRiJ/Y2KqCk5widNZTecjouSnUCArKvxpn3KsZRCF1ZvomQhG10tg+/ZZYnOiOdxyRMWBNiw==,iv:UM9S3/UeseaGAXCptbT9GCKn5GAXzH0uQJhMJNIMffk=,tag:gS2UDo1JaEotEv2qiREnNA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1kgkmean5tc0uwl4y8hpknfa2d7g5hka30gzrdnje9n6z2r733upqds0s4l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK2VIRUZmajF6TjBlbEVQ
+            TTBtN3N5d0lndXNnNzY3ang4alRYeE04K2dJCnhtVmF0WWdZUTdBYTY1MVpQWEg2
+            SWhyZ1VuVTBra1hzV2pxM0NONmFENnMKLS0tIGxVWDVQRHlPKzFtQU9STE83czdm
+            UEFBdjVpRVRrNGVpZnlVR29hclJRck0KPKRgZZ0eaRZftrh3aBjOWLD2g6wFxJ+4
+            Rw/oaza3MledGTujZmWyHW2JgwhuE2T2HD3KddVaftWSHESQN1Om2g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbGlNNUtBd0traXg3cGJW
+            ZVUzc1hNMnA5ZjJuM1h5aGdtbjBPNTdTQ21jCmxDUnU5WitkRnFMRFgwcDJCR0F6
+            ZERrVUdJYjVaZ2hvbVJRVEdMM0tLalUKLS0tIGV3Z0JzY01RcEdvR282Ly9sb1NJ
+            U3V1RE1tRCt4cFNtRkpaWGJMRFJBeVEKBcDcuJX/O+xJ3a4HHvjqZGl6TlpvKRjZ
+            Pr+cGGcCFHRzxpamU2VZV6L2bK+vJIo4vduKbOrntItHsJtLCZmRVQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrckJaN1dJRTZJcGtjQThT
+            QUFSOUJUekpPZTd0SHJTL3RWdmZlc3FTU3lNCkU5T1hqVERHVytoenpQRFJBRUcv
+            NHZPTEc5Si9wSythSFhibUtINUo1eG8KLS0tIG9RQktsTERLaUFiaE1mMWdQK0xl
+            L2VWRngva0xkaW41Q0xtQjhIWGdmUGsKKWxCOM5puUD9iLnlDl4PECWsRrKzTzKW
+            3uVNZJHDE8Bb1yXxIVFGkNoPaOOS8u+qNUg6k3aH69PrirdfKUgChw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVnU3Qjd4UGZCYys5RkpD
+            S1VRd3cydEV6VDdTRXY5dkNieFNiYWhjTmpnCnl0NGE5akVIMjNENDdES2h6bGhV
+            UFpCa3lCcDZnUmFyNlpObHJ6cUtCL00KLS0tIGp6U3M5ZkNzOGZZQ0x1dk56L0Js
+            ZVBON0w1YzhxMit6SUxYV0JBcXI1N2sKq3c4yigumNGvsgjxgB07kR0F6e2lKzdQ
+            Wro4jiBv/kB7hWhOQcpgpodmsVzoYsbFwCHySV3MjpDeyO1AS68fRw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1e7ejamlagumpgjw56h82e9rsz2aplgzmll4np073a9lyvxw2gauqswpqwl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWlBCYjducUZOR05GTlJx
+            eGVsRnNoWjhEL0JaS1FuR3dPSmVGRk9ZN0FZCmY4bW4xd2dGbkdIamhmV1EyWE9z
+            NWtJc0xKbWZ6cEsrRE5jenB4bC93K3cKLS0tIDAxUUc5OFFzWUEyQmh2R3Vzb0RS
+            S2xjbnpKWFdIS3FybXRrZjFkNzJaNXMKAwQmEjNZoDthL2dk3nbW1yWbrl2weyrf
+            MTXyF9pfAT+rnmS20Z40Hn9srI+W8+W4Qf+AMhzQAdPHCyFflrT8oA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUXNBVXhHNEN0bzdyVzRl
+            VS9ZSlNmMXRRRVBrd1BxQXVUalVET0hqZHpFClQvUktFVjBpakg0aS94UXZzRWhq
+            UGZCOTZwTHBHdVJGYTFPbk5LRVpZRTgKLS0tIGxORGVWQm5oWG85ZkRBWjgwVFht
+            N0lXWlQrTWthQzgxaU9WSFpZRm9LRDgK4FqR0ggrikAWBDlmg5PM51zgbdXH0s9k
+            GbZQzvpOd4ScF12YejRZ2usslGDYauhdL+eCNlqRIvABYKfA8KfZsQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUbWlUUkp6SGkzUzlnS0sy
+            V29ISDNlb3JkeHBKZ3VhUEJycFJTUG5MMERjCjJCTy9vYUdrdC9jM1RUa2ZLMS9z
+            WEdmK20rNmVtRXBCbVlLa3p4MVJoWlUKLS0tIFFmaTJod3ZUODFvMnR4UFNJLzZj
+            b2FwQUNmcytoelM5c1lkT2ZlS3FieXcK9ZuoUKQeoCrMx0X+6UDfVIKn5sON4o4h
+            Y8KDphPCb7RINcPbVX4MhMqzkBkGOgMEBeo8YRo8mJYD0S92K4qUUQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-21T09:16:15Z"
+    mac: ENC[AES256_GCM,data:VrpYMsWdGvzCvfNCDj+R9NKsq5FVHn4FYlZd10FbFiSd2sfPikiOZfE7ih1E7Smp2KRM3ARyjnq0OSgpw+V1NnRQVTk1uL6oE/VDRUsBJG97EPS8gbC3a7hbvNaa9dAoj8ZB08wziuVs9GExvkpYS+Y13xKDiaxc97XrpQzOcHY=,iv:vxaTs950++ig2rZsPn4mMVT0OMfmEbvHZqnQKYxvkTM=,tag:w2Zp4PGzQLhcCaASKr0/vg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1