Further structure for sops

2025-12-19 09:29:36 +01:00 · 2022-06-09 16:13:23 +02:00 · 2022-06-09 16:13:23 +02:00 · a1f4b090d4
commit a1f4b090d4
parent 4415550559
5 changed files with 52 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,7 +1,9 @@
 keys:
  - &stefan_ellmauthaler 3B398B086C410264A14F3B53B1E6F03030A4AEAA
+  - &stel-xps e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca
 creation_rules:
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
      - pgp:
          - *stefan_ellmauthaler
+          - *stel-xps
--- a/flake.nix
+++ b/flake.nix
@ -131,5 +131,12 @@
            homeDirectory = "/home/${username}";
            stateVersion = "21.05";
          });
+      
+      outputsBuilder = channels: {
+        devShell = import ./secrets/shell.nix {
+          pkgs = channels.nixpkgs;
+          sops-nix = inputs.sops-nix.packages."${channels.nixpkgs.system}";
+        };
+      };
    };
 }
--- a/secrets/base.yaml
+++ b/secrets/base.yaml
--- a/secrets/keys/hosts/stel-xps.asc
+++ b/secrets/keys/hosts/stel-xps.asc
@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEAC1eCDHJpjx8tlAVZz3g5/TZVFvCWcHn6WLNof96pwlThTiMitX
+jQBAcyXSRBLiNLY1tdQi+Dd+toOESX3Tz2glGYGLhLGRcd77U4Xfock+rxpXr6Kq
+X3+z9DQRAP5zp9LBdlDzhPzbUNv+CaQOPfMREGB+U1tQO9BB229VZD0l64yvJe1C
+rVIFMXxeExjIE22p4QwYG9XTnvcoGHYonBoqPm9A4cil0IvISOJKVB6dmTKWqso3
+zIFcr431I2ce2EZidVz68AbKvf/3pG5LYM4SaKFjyugxVkKXex5ENfwwg/54843X
+ATmufpK36eiYpQu0kmTexaQLqEVEVFDiWS4YyRBJJxD3SX1qDmZVdHt0YGWGwe/l
+28f/xVGU30itswbl7iraLWuQxBl3Fngrxera3GDEqIVZwSMocIIv7PgP2aGWhEP3
+EN37wmaXE6wkefJSwFa2vS4+dcbZ8NFKDfFPYfaXg2SeWdHgd6u35NqFxM0lm1FC
+RWAD5/6VD3J6oCOMI21p01Hc5a55uaLdGRN+qZzkKNy269swR/ovd4Aq0VAswKd7
+lcA2+XFjokgmZYY68DbJM1/q93hJjd7peyM3ReKHgf4UFDGDmxtc/4K5sdOZSqaP
+N18ZUoqQ21wjbXnAZWLMi2ICxIjvHPi9N1GiOAKTsau37B/VlzsjRRzcKQARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQU0q2hdiC5MoCGw8CGQEAAO7yEAAiR/ePv5GBXyKYdJW+FezO
+DUXAJVpIqZAgJIFrEsh53aNd/dR+kyTZ8uh6UG3pXzlhFCvOBojHVC4Ssb2h4c2X
+W20kzRn4vJhDUdXrN+vCnXdBIcM5Thn4AhvvDDTc5Q9x2qishpLHTjcgCvejBltL
+kiAqbcV9ILSt/VuBYY+8Oe+8dJwuhzdZwrydy8hn+ktPkQGxeBt4zihOdYTGoTSL
+OifOAaLzDye1iDhGOExjb+pvfaxnMS85hQW54UuGIi6tJJV496MFuhWUuQV/mzbH
+w2DuQabfpDGZyA5awGTP/SxmL1T4B6iIxQG1vbyyejqMuFjyiVjWXmMiePn/c1Wv
+TYyLoFwDaK3PcBl2HcX6GLRRd7w85cQlEHESZc7QhgswrTR0r1SlraPjFJYvdkMr
+JVkDWgx7Xe8u+ZApxAB+mtDkDJdvk9nn/hRwn25yXVM+QWELBC4r41k5/pwjrAsM
+ovsSawjq1wTBgbUOTHaob91FSHOkvnhpGix5SCzsyraz6VZ0ZJt+ab14IHIPDksn
+rsDaW7VqURF7IK777vVnMFrA1UiPbrwJYxJso4cdSCeQLEq/5SghDSbmIB3rXp33
+LSDkfB3ZFfxp6ZJUW7YD2w8DlmG80xzGyWPtI6ZVKaJZGFJwNSJONq9yWQSoKQoX
+OjF1D1sm47MlQBJ8zirGKQ==
+=Spou
+-----END PGP PUBLIC KEY BLOCK-----
--- a/secrets/shell.nix
+++ b/secrets/shell.nix
@ -0,0 +1,15 @@
+{ pkgs ? import <nixpkgs> { }
+, sops-nix ? pkgs.callPackage <sops-nix> { }
+, ...
+}:
+
+let
+  sops-rekey = pkgs.writeShellScriptBin "sops-rekey" ''
+    ${pkgs.findutils}/bin/find . -wholename '*/secrets/*.yaml' -exec ${pkgs.sops}/bin/sops updatekeys {} \;
+  '';
+in
+pkgs.mkShell {
+  sopsPGPKeyDirs = [ ./keys/users ./keys/hosts ];
+
+  nativeBuildInputs = [ sops-nix.sops-import-keys-hook sops-nix.ssh-to-pgp sops-rekey ];
+}