Add sops

2025-05-05 18:04:08 +02:00 · 2025-05-05 18:04:08 +02:00 · 19a6567d44
commit 19a6567d44
parent 58e1796853
4 changed files with 35 additions and 4 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,5 @@
+keys:
+  - &pipeline age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    age: *pipeline
--- a/dev_system.nix
+++ b/dev_system.nix
@ -25,6 +25,15 @@ in
    ./dummy-hardware.nix
  ];

+  sops = {
+    defaultSopsFile = "./secrets/example.yaml";
+    age = {
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25510_key" ];
+      keyFile = "/root/.config/sops/age/keys.txt";
+      generateKey = true;
+    };
+  };
+
  users.users = {
    # connection only via ssh key
    pipeline = {
@ -32,7 +41,7 @@ in
      home = "/home/pipeline";
      description = "User used by forgejo runners to connect to this system";
      extraGroups = [ "docker" ];
-      openssh.authorizedKeys.keys = [ "TODO" ];
+      openssh.authorizedKeys.keyFiles = [ config.sops.secrets."foo".path ];
    };
  };
 }
--- a/flake.nix
+++ b/flake.nix
@ -1,14 +1,15 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    sops-nix.url = "github:Mic92/sops-nix";
  };

  outputs =
-    { nixpkgs, ... }:
+    inputs:
    {
      colmena = {
        meta = {
-          nixpkgs = import nixpkgs {
+          nixpkgs = import inputs.nixpkgs {
            system = "x86_64-linux";
            overlays = [ ];
          };
@ -47,7 +48,7 @@
            ...
          }:
          {
-            imports = [ ./dev_system.nix ];
+            imports = [ ./dev_system.nix inputs.sops-nix.nixosModules.sops ];
          };
      };
    };
--- a/secrets/example.yaml
+++ b/secrets/example.yaml
@ -0,0 +1,16 @@
+foo: ENC[AES256_GCM,data:rNll,iv:HkPwTkUQQoCFg249wvtM6426GzU/qbbrlcGsUOy2R4o=,tag:lKuHh4IlNeL6KeG3TrNbwg==,type:str]
+sops:
+    age:
+        - recipient: age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaThvKzVmQ2dtS3FKQjg4
+            Y3RrS1BlcTBONzNpbStVUXVkSjYwZG5acGtrCm9DT2N4U0MzWnBzUDZNZmI1SnIy
+            QStmWFRnM0JhWmhKQmxYSW9Veit0Zk0KLS0tIDJQYzh0Y0szdldtZWdQYm9IWUQ0
+            R1UyWWhBOFJkeFltNkt3bUVMRzhjNWcKekxxKb80omoydKORZzauX3qIup0/7aAw
+            h8yFK6qDh3on/GOHbVpJ0S9O6H/Zkgh0aRDFjUGNZDHcevubBphfyg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-05T15:32:10Z"
+    mac: ENC[AES256_GCM,data:qvmntOMwDU1YZ14gaAHoqBJASrhcQ0UkX+tjb7PYAX366vEj90fszEgRSuqIKKQZrZ2OG6BjOlMudy8A6/XFmGiFQXq6Lx7rhddNQ/q8l6jmDPUB6YGgNmOjldpoeYlw8nEymnnnQv2V3Xh2Vt9YsnPxFvRdW9uhmSaNf1qhf88=,iv:d5E+VWy0MCmLjROiB60CYvGjcj1y0KK7/Esk8n+M0Vc=,tag:h+9iGJzHbbdt5Ct0/o6L2w==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.1