From a1f4b090d4acbb6c8eaf18e535d075979edb413d Mon Sep 17 00:00:00 2001
From: Stefan Ellmauthaler
Date: Thu, 9 Jun 2022 16:13:23 +0200
Subject: [PATCH] Further structure for sops
---
.sops.yaml | 2 ++
flake.nix | 7 +++++++
secrets/base.yaml | 0
secrets/keys/hosts/stel-xps.asc | 28 ++++++++++++++++++++++++++++
secrets/shell.nix | 15 +++++++++++++++
5 files changed, 52 insertions(+)
create mode 100644 secrets/base.yaml
create mode 100644 secrets/keys/hosts/stel-xps.asc
create mode 100644 secrets/shell.nix
diff --git a/.sops.yaml b/.sops.yaml
index 7dd1e37..7e1dc85 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,9 @@
 keys:
 - &stefan_ellmauthaler 3B398B086C410264A14F3B53B1E6F03030A4AEAA
+ - &stel-xps e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca
 creation_rules:
 - path_regex: secrets/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *stefan_ellmauthaler
+ - *stel-xps
diff --git a/flake.nix b/flake.nix
index 0d5ecd6..047498d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -131,5 +131,12 @@
 homeDirectory = "/home/${username}";
 stateVersion = "21.05";
 });
+
+ outputsBuilder = channels: {
+ devShell = import ./secrets/shell.nix {
+ pkgs = channels.nixpkgs;
+ sops-nix = inputs.sops-nix.packages."${channels.nixpkgs.system}";
+ };
+ };
 };
 }
diff --git a/secrets/base.yaml b/secrets/base.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/keys/hosts/stel-xps.asc b/secrets/keys/hosts/stel-xps.asc
new file mode 100644
index 0000000..76cb9b7
--- /dev/null
+++ b/secrets/keys/hosts/stel-xps.asc
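Review bot: The new `&stel-xps` fingerprint in the `.sops.yaml` hunk (`+ - &stel-xps e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca`) carries no comment tying it to the key file this same patch adds, so a later reader cannot tell where it came from or how to re-derive it. Because it is listed in the same `pgp` key group as `&stefan_ellmauthaler`, either key alone can decrypt every file matching `secrets/[^/]+\.yaml$`, which makes the host key's provenance worth recording next to it, e.g. `# stel-xps host key (ssh-to-pgp from its SSH host key); public part in secrets/keys/hosts/stel-xps.asc`. I have not checked that this fingerprint is the one of the committed `.asc`; `gpg --show-keys secrets/keys/hosts/stel-xps.asc` should print it for comparison.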
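Review bot: The `flake.nix` hunk's `outputsBuilder` references `inputs.sops-nix` and `channels.nixpkgs.system`, neither of which is bound inside the hunk; the enclosing attribute set starts before the hunk, so whether `inputs` is in scope there (presumably as an argument of the surrounding builder) cannot be confirmed from this patch. Style: the quoting in `inputs.sops-nix.packages."${channels.nixpkgs.system}"` is redundant, `inputs.sops-nix.packages.${channels.nixpkgs.system}` reads the same. `devShell` is the older single-shell output name; if the builder accepts `devShells.default`, that form is the one newer nix tooling expects.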
@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEAC1eCDHJpjx8tlAVZz3g5/TZVFvCWcHn6WLNof96pwlThTiMitX
+jQBAcyXSRBLiNLY1tdQi+Dd+toOESX3Tz2glGYGLhLGRcd77U4Xfock+rxpXr6Kq
+X3+z9DQRAP5zp9LBdlDzhPzbUNv+CaQOPfMREGB+U1tQO9BB229VZD0l64yvJe1C
+rVIFMXxeExjIE22p4QwYG9XTnvcoGHYonBoqPm9A4cil0IvISOJKVB6dmTKWqso3
+zIFcr431I2ce2EZidVz68AbKvf/3pG5LYM4SaKFjyugxVkKXex5ENfwwg/54843X
+ATmufpK36eiYpQu0kmTexaQLqEVEVFDiWS4YyRBJJxD3SX1qDmZVdHt0YGWGwe/l
+28f/xVGU30itswbl7iraLWuQxBl3Fngrxera3GDEqIVZwSMocIIv7PgP2aGWhEP3
+EN37wmaXE6wkefJSwFa2vS4+dcbZ8NFKDfFPYfaXg2SeWdHgd6u35NqFxM0lm1FC
+RWAD5/6VD3J6oCOMI21p01Hc5a55uaLdGRN+qZzkKNy269swR/ovd4Aq0VAswKd7
+lcA2+XFjokgmZYY68DbJM1/q93hJjd7peyM3ReKHgf4UFDGDmxtc/4K5sdOZSqaP
+N18ZUoqQ21wjbXnAZWLMi2ICxIjvHPi9N1GiOAKTsau37B/VlzsjRRzcKQARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQU0q2hdiC5MoCGw8CGQEAAO7yEAAiR/ePv5GBXyKYdJW+FezO
+DUXAJVpIqZAgJIFrEsh53aNd/dR+kyTZ8uh6UG3pXzlhFCvOBojHVC4Ssb2h4c2X
+W20kzRn4vJhDUdXrN+vCnXdBIcM5Thn4AhvvDDTc5Q9x2qishpLHTjcgCvejBltL
+kiAqbcV9ILSt/VuBYY+8Oe+8dJwuhzdZwrydy8hn+ktPkQGxeBt4zihOdYTGoTSL
+OifOAaLzDye1iDhGOExjb+pvfaxnMS85hQW54UuGIi6tJJV496MFuhWUuQV/mzbH
+w2DuQabfpDGZyA5awGTP/SxmL1T4B6iIxQG1vbyyejqMuFjyiVjWXmMiePn/c1Wv
+TYyLoFwDaK3PcBl2HcX6GLRRd7w85cQlEHESZc7QhgswrTR0r1SlraPjFJYvdkMr
+JVkDWgx7Xe8u+ZApxAB+mtDkDJdvk9nn/hRwn25yXVM+QWELBC4r41k5/pwjrAsM
+ovsSawjq1wTBgbUOTHaob91FSHOkvnhpGix5SCzsyraz6VZ0ZJt+ab14IHIPDksn
+rsDaW7VqURF7IK777vVnMFrA1UiPbrwJYxJso4cdSCeQLEq/5SghDSbmIB3rXp33
+LSDkfB3ZFfxp6ZJUW7YD2w8DlmG80xzGyWPtI6ZVKaJZGFJwNSJONq9yWQSoKQoX
+OjF1D1sm47MlQBJ8zirGKQ==
+=Spou
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/secrets/shell.nix b/secrets/shell.nix
new file mode 100644
index 0000000..5d01992
--- /dev/null
+++ b/secrets/shell.nix
@@ -0,0 +1,15 @@
+{ pkgs ? import { }
+, sops-nix ? pkgs.callPackage { }
+, ...
+}:
+
+let
+ sops-rekey = pkgs.writeShellScriptBin "sops-rekey" ''
+ ${pkgs.findutils}/bin/find . -wholename '*/secrets/*.yaml' -exec ${pkgs.sops}/bin/sops updatekeys {} \;
+ '';
+in
+pkgs.mkShell {
+ sopsPGPKeyDirs = [ ./keys/users ./keys/hosts ];
+
+ nativeBuildInputs = [ sops-nix.sops-import-keys-hook sops-nix.ssh-to-pgp sops-rekey ];
+}
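Review bot: `sopsPGPKeyDirs = [ ./keys/users ./keys/hosts ]` names a `./keys/users` directory that this patch does not create (the diffstat adds only `secrets/keys/hosts/stel-xps.asc`), and since `mkShell` coerces these path literals to store paths when the shell is evaluated, a missing directory will, I believe, make entering the shell fail rather than be skipped; confirm, and either add the users key directory in this commit or drop the entry until it exists. Separately, `sops updatekeys` asks for confirmation per file, so the `-exec … \;` loop in `sops-rekey` stops at a prompt for every matching file; `${pkgs.sops}/bin/sops updatekeys -y {} \;` (the `--yes` flag) makes the helper non-interactive, which is what a rekey-all script wants. The defaults `import { }` and `pkgs.callPackage { }` read as `<nixpkgs>` / `<sops-nix>` lookups whose angle brackets were lost in rendering; if the file really contains them without the brackets it does not evaluate, so worth a glance at the source.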