diff --git a/.sops.yaml b/.sops.yaml
index 7e1dc85..cc7b9aa 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,8 +1,8 @@ keys: - - &stefan_ellmauthaler 3B398B086C410264A14F3B53B1E6F03030A4AEAA + - &stefan_ellmauthaler 3B398B086C410264A14FB353B1E6F03030A4AEAA - &stel-xps e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca creation_rules: - - path_regex: secrets/[^/]+\.yaml$ + - path_regex: secrets/secrets\.yaml key_groups: - pgp: - *stefan_ellmauthaler
diff --git a/README.md b/README.md
index dbc5fd7..7e4f5c4 100644
--- a/README.md
+++ b/README.md
@@ -4,15 +4,23 @@ * setup the filesystem as you see fit * check out repository to `/mnt/etc/nixos` * run `nixos-generate-config --root /mnt` in `/mnt/etc/nixos` -* create `machine//default.nix` and add machine specific configuration to it -* move `hardware-configuration.nix` to `machine//hardware-configuration.nix` -* add your machine to `/mnt/etc/nixos/default.nix` -* stage the machine-folder to the git-repository +* create `machines//default.nix` and configure the machine +* move `hardware-configuration.nix` to `machines//hardware-configuration.nix` +* stage the machine-folder * run - * `nix-shell -p nixFlakes` - * `sudo _NIXOS_REBUILD_REEXEC=1 nixos-install --no-root-passwd --flake .#hostname` - * ~~`nixos-install --no-root-passwd --flake .#hostname`~~ + * `nix-install --no-root-passwd --flake .#hostname --option experimental-features "nix-command flakes"` +## nix-sops +* generate on your (sshd-enabled) machine a pgp key: + * `nix shell nixpkgs#ssh-to-pgp` + * `sudo ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key > /etc/nixos/secrets/hosts/.asc` +* add the fingerprint of the new key to the `/etc/nixos/.sops.yaml` file +* Rekey the secrets with either + * a master key + * or after a git push on another machine with enough permissions to rekey +* the flakes dev-shell (`nix devshell`) allows to use the `sops ` as well `sops-rekey ` to manage the keys on the system + + # redesign checklist - [x] lorri or similar (nix-direnv)
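Review bot: The new `path_regex: secrets/secrets\.yaml` drops the `$` anchor the old pattern had and adds no `^`, so it also matches `secrets/secrets.yaml.bak` or `old/secrets/secrets.yaml`; sops applies the first rule whose regex matches anywhere in the path, so anchor it as `path_regex: ^secrets/secrets\.yaml$`. Narrowing from `secrets/[^/]+\.yaml$` also means any other file under `secrets/` matches no rule and sops will refuse to encrypt it unless keys are passed on the command line — fail-safe, but worth a comment in the file if that is intended. The only pgp recipient visible in the rule is `*stefan_ellmauthaler`, while `secrets/secrets.yaml` added in this same commit is encrypted to both that fingerprint and `e8dfcfba…` (`&stel-xps`); if the rule does not continue with `- *stel-xps` beyond this 8-line hunk, the next `sops updatekeys` will strip the host key and that machine can no longer decrypt. The fingerprint correction (`A14F3B53` → `A14FB353`) does match the `fp:` recorded in the encrypted file.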
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index e69de29..706e08c 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -0,0 +1,61 @@
+hello: ENC[AES256_GCM,data:MOALCu8iOAyfGkjK9z4NMDo0f6MmG6x5VkfyZcZvYCKnWFBRQAKPDTWBH5rK1g==,iv:jFU+0lkJ0MUv20a7snZEtIx4MauWJcWGz7QBM3+LjEI=,tag:mM2WRwx58uyfHmzhtT0R2g==,type:str]
+example_key: ENC[AES256_GCM,data:lAAqf3unmJ0zsg7nlEM=,iv:y1CfpqMkgOw1amloIxLvMR0Y74G0zO+RlBfXvZZIYAs=,tag:SUnHRfpMttYHRuQn8ABXsg==,type:str]
+#ENC[AES256_GCM,data:S8HV5uWQ2U1r+3GxJ1Uw9A==,iv:03NBULMd31qtDl1yDhXLdNaTJxsB5IR6ox4K5Ik8vSI=,tag:5tCKgR8Ue66TnOmR8Ya2zg==,type:comment]
+example_array:
+ - ENC[AES256_GCM,data:wyZTcylOGQqGvJCEAtI=,iv:tYMAa5ohpA2QyXITG/S+HV7ZaOd9hZtiQMRlo2IGk6Y=,tag:BNQsl4gOgGK3U4aPBrQGww==,type:str]
+ - ENC[AES256_GCM,data:eLXzjr7IOWnrAN90F3s=,iv:6uAIFz/uN/td6XD5b+Pe73kjGIpdDl+fbKWo1TiaAxo=,tag:0Q3Afv+W6ddIS+37aFPugQ==,type:str]
+example_number: ENC[AES256_GCM,data:gWSzljU0nOeIGA==,iv:B59DTWMum0nILKdxHSCyQoie5by/HNe+qOwN+gfNci4=,tag:cKb781zfp5QhKrwuWK5kiA==,type:float]
+example_booleans:
+ - ENC[AES256_GCM,data:UnJYcQ==,iv:9Mm4d/Sf9VCeF0fq3LmfO15pjUrmbGYhzU/814jHCno=,tag:oZB1J633JyCSf1XACbxSlA==,type:bool]
+ - ENC[AES256_GCM,data:u0faKdM=,iv:kBl1oIAwuJji34U+ENq1hkz2b4zYZ/7Zo1f2Tgr1GsI=,tag:Fjtt/u4IJ4j5oDafLFQeDw==,type:bool]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2022-06-09T15:36:38Z"
+ mac: ENC[AES256_GCM,data:fJcGUyG9ur8qrkm0C318GDzAlYnhEy4QeaxBLNCQU9OsS/1eabJ0/wpw0cmUlfQkfu5IzZbPECWhrzxjN5S5ct1d/bNS+xSUtgZfSPXiXk4A9u9FR8BJaukOHvIa8nY15NludGMhsHxZcU1HFPlBuspt+AZv3SUuZXZHNousAvY=,iv:yxHTP/Lu+8rJ2tSZiq/dSTjNFuru8O5fRo+u0ULkP4Q=,tag:EjQGrlKOJX4Z1VuHUVQyhA==,type:str]
+ pgp:
+ - created_at: "2022-06-09T15:36:19Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzhsLR+kpSPjAQ//ddcTABupwvYDzULHzmAkkwOjm84k+457laJIbT/5OcZC
+ Y+5+J/LmnnoiHAnraItvuNerWegOoy0RWzEjmxbyHAA4eZdOjSCDv9TE0VHSKS3C
+ dfsO7yJ6k/cZCzldYVFKxK7PGgpb64au9mRmH2HIpI3evlk0ZvKRTiHUJApjod6D
+ Ne36w0lGbaszUIo8hufUuL+yevBbW8naiVpjE7yR28j8rIaDo14QuVbd/X5lIATd
+ r4BVXpqK7zA3wYnBSoGe/aFMYqwRkVRUEg16i99n5Jph2bVTNutcrSmIyih8X9MT
+ EoPeLfOP5xZt+Ku9xuiCCIkz3XFU8HD2W54TcwKfZcFr4wN+SZkrAEAi0zE9t61N
+ HELBwwKVGoiHp/k7KkbeFTS0CEdRfGA8lBPzdY+1rEgPfBdS/ElnbU1mjCWF/Ljl
+ OjqkNy5DjNzHicuorn9dPcKB/amz4LC2UN5F06AzlCoolU4+H3kMpjeEZsDOTskc
+ WrNRdoI2oex16GAqVJ/b1oTy3a0pZQ6vsUibuu3tJX4Yut0kcjXtgCk422NrhiE9
+ q5JKJLrGqbDzu8bXApA/4ggPDu1v+CIudmkIMjgijir4sBkIuXQ4LGNXLj0UlnWc
+ S2Z+j3CZ3pxlKeGMo++l53ELOgW8ASOhfoU/dOzzy7bynawSmUazUF4bGk/XZUbS
+ XgGq9ttQ52hp+9r5HDvwRsZ7hS6kCAQ3i/Pl/mJv8B3u4q/JgQYCfnnAp8endATK
+ I7ObbW7DsS8nKZkDYFIHOjnT0klEFCnMkrFTlbLp27pqCmFEqFUxi4DrIN9FPMI=
+ =sgda
+ -----END PGP MESSAGE-----
+ fp: 3B398B086C410264A14FB353B1E6F03030A4AEAA
+ - created_at: "2022-06-09T15:36:19Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1NKtoXYguTKARAAqYAGCF0IBq76TsQgCIg2RSq+v2i79qJtIJrAhqECe19T
+ 0Us0ZQLC/fMdbRgf/caLVHNq5RgXtzmfqvKROMFgtnGxGjdBzCbK6TXQnUAiWDTB
+ Aa53txt5xfFEVZSZz1XIUPpIV1A83vCRhJtGENbMWNjWZmmNEdvLkWoWv7m88DCd
+ XgR2oGNvBCuCvxPATQpeFXpn+bz/lNCCKO6oS3jo9qyjYR3ZgG8+vUrs30c5L5lW
+ GKxYtq8dz1g2GIfQx30e1f2jVzP8d0Q3Uze3IINDzuzzBbIAfUUQdAAidH92Aq16
+ 1/0ADgrnwHKjtNGz/iT6tj19g9+jGIzHpjag8MBAQHKCs+CqgHLYbuoGp9hW8yzJ
+ g8RSmO2wKE2dlf2aWqryEWZypacxJ/f/EZmuS0TxJM+rh7zk3S4Ftcd/DFeHOIYY
+ BkpqIEv1wsTdtDQd0nRWXi331jcAtIKfs152rogDRtXLvtGPlkrJ6IqzmXvjl4bf
+ 0K7FiDAo20wRPQERk5DchamvJBg2Q74CunArqzVINkeWbJ4Ex5AtN4w9E9aiA25P
+ NNq6/6crDI4EeJ5DKuc7B/r+/mRlQXg7pmNGG4fLBpRx3ABx93yE6eBxH5r1uvdj
+ 8q60/UTjfQYVmeZoNNI91AH3btIOuI6ciyNzOwRdjbxfgladH4qmrfNSdKI41sDS
+ WAGV6iH3qwbYCopStneaL2p9MH5hGYqEIx2DYvU9y6rDWp1iDnVYV7jNRVdWrrWn
+ 0m9Xw8ZDA9OI/pf5nio/wEq6uz36jdNgF0okyRG5jkq38H8ZnsyedUo=
+ =Y1wC
+ -----END PGP MESSAGE-----
+ fp: e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
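Review bot: The committed content is the stock sops starter template (`hello`, `example_key`, the encrypted `#` comment, `example_array`, `example_number`, `example_booleans`) rather than real secrets; remove the placeholder keys with `sops secrets/secrets.yaml` before any NixOS module starts referencing `sops.secrets.<name>` against this file, since nothing in the ciphertext tells a later reader which entries are dummies. The second recipient, `fp: e8dfcfbac0c3…`, appears to be the `&stel-xps` key that the README derives from `/etc/ssh/ssh_host_rsa_key`, so anyone who can read that private host key (root on the box, or a backup of `/etc/ssh`) can decrypt every value here — expected for sops-nix, but the README should state it and note that the file must be rekeyed if the host key is ever rotated or copied off-box. The `mac` line covers all values, so edits must go through `sops` (or `sops updatekeys`), never a plain editor, or decryption will fail the MAC check.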