Add sops
This commit is contained in:
parent
58e1796853
commit
19a6567d44
4 changed files with 35 additions and 4 deletions
5
.sops.yaml
Normal file
@ -0,0 +1,5 @@
keys:
- &pipeline age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
age: *pipeline
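Review bot: `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$` has no leading anchor, so it also matches files in any nested `…/secrets/` directory elsewhere in the repository; if only the top-level directory is meant, use `path_regex: ^secrets/[^/]+\.(yaml|json|env|ini)$`. The rule names a single recipient, the pipeline host's key `&pipeline`, and `secrets/example.yaml` is encrypted to that key alone, so nobody without that host's private age key can edit or re-encrypt the secrets and losing the host key makes them unrecoverable. The usual layout adds an operator key under `keys:` and lists it next to `*pipeline` in the rule's `age:` entry so the files remain editable off the host.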
@ -25,6 +25,15 @@ in
./dummy-hardware.nix
./dummy-hardware.nix
];
];
sops = {
defaultSopsFile = "./secrets/example.yaml";
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25510_key" ];
keyFile = "/root/.config/sops/age/keys.txt";
generateKey = true;
};
};
users.users = {
users.users = {
# connection only via ssh key
# connection only via ssh key
pipeline = {
pipeline = {
@ -32,7 +41,7 @@ in
home = "/home/pipeline";
home = "/home/pipeline";
description = "User used by forgejo runners to connect to this system";
description = "User used by forgejo runners to connect to this system";
extraGroups = [ "docker" ];
extraGroups = [ "docker" ];
openssh.authorizedKeys.keys = [ "TODO" ];
openssh.authorizedKeys.keyFiles = [ config.sops.secrets."foo".path ];
};
};
};
};
}
}
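Review bot: `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25510_key" ];` in the first hunk points at a file that does not exist — the NixOS host key is `/etc/ssh/ssh_host_ed25519_key` — so sops-nix finds no host key to derive an age identity from and, with `generateKey = true`, creates a fresh key that is not the `age1554v…` recipient of `secrets/example.yaml`; decryption then fails at activation. Change it to `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`. `defaultSopsFile = "./secrets/example.yaml";` is a string rather than a Nix path; sops-nix expects `./secrets/example.yaml` so the file is copied into the store, and a relative string will presumably fail the option's path type check. In the second hunk, `config.sops.secrets."foo".path` is referenced but no `sops.secrets.foo` is declared anywhere in this diff, and `authorizedKeys.keyFiles` is read while the configuration is built whereas that path only exists at runtime; since an SSH public key is not secret it can stay in `authorizedKeys.keys` in clear. The enclosing module body begins before the first hunk.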
@ -1,14 +1,15 @@
{
{
inputs = {
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
sops-nix.url = "github:Mic92/sops-nix";
};
};
outputs =
outputs =
{ nixpkgs, ... }:
inputs:
{
{
colmena = {
colmena = {
meta = {
meta = {
nixpkgs = import nixpkgs {
nixpkgs = import inputs.nixpkgs {
system = "x86_64-linux";
system = "x86_64-linux";
overlays = [ ];
overlays = [ ];
};
};
@ -47,7 +48,7 @@
...
...
}:
}:
{
{
imports = [ ./dev_system.nix ];
imports = [ ./dev_system.nix inputs.sops-nix.nixosModules.sops ];
};
};
};
};
};
};
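Review bot: the new `sops-nix.url = "github:Mic92/sops-nix";` input in the first hunk carries no `follows` for its own nixpkgs, so the flake fetches and evaluates a second nixpkgs in addition to `nixos-24.11`; add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` beside it. The commit touches four files and none of them is `flake.lock`, so the lock entry for the new input is missing and the first evaluation will pin whatever `Mic92/sops-nix` revision happens to be current, which presumably is not intended for a setup that otherwise pins `nixos-24.11`. The `outputs` function begins in this hunk and continues past it.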
16
secrets/example.yaml
Normal file
@ -0,0 +1,16 @@
foo: ENC[AES256_GCM,data:rNll,iv:HkPwTkUQQoCFg249wvtM6426GzU/qbbrlcGsUOy2R4o=,tag:lKuHh4IlNeL6KeG3TrNbwg==,type:str]
sops:
age:
- recipient: age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaThvKzVmQ2dtS3FKQjg4
Y3RrS1BlcTBONzNpbStVUXVkSjYwZG5acGtrCm9DT2N4U0MzWnBzUDZNZmI1SnIy
QStmWFRnM0JhWmhKQmxYSW9Veit0Zk0KLS0tIDJQYzh0Y0szdldtZWdQYm9IWUQ0
R1UyWWhBOFJkeFltNkt3bUVMRzhjNWcKekxxKb80omoydKORZzauX3qIup0/7aAw
h8yFK6qDh3on/GOHbVpJ0S9O6H/Zkgh0aRDFjUGNZDHcevubBphfyg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-05T15:32:10Z"
mac: ENC[AES256_GCM,data:qvmntOMwDU1YZ14gaAHoqBJASrhcQ0UkX+tjb7PYAX366vEj90fszEgRSuqIKKQZrZ2OG6BjOlMudy8A6/XFmGiFQXq6Lx7rhddNQ/q8l6jmDPUB6YGgNmOjldpoeYlw8nEymnnnQv2V3Xh2Vt9YsnPxFvRdW9uhmSaNf1qhf88=,iv:d5E+VWy0MCmLjROiB60CYvGjcj1y0KK7/Esk8n+M0Vc=,tag:h+9iGJzHbbdt5Ct0/o6L2w==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.1