Add first encrypted sops file, update readme

.sops.yaml

@@ -1,8 +1,8 @@
 keys:
-  - &stefan_ellmauthaler 3B398B086C410264A14F3B53B1E6F03030A4AEAA
+  - &stefan_ellmauthaler 3B398B086C410264A14FB353B1E6F03030A4AEAA
   - &stel-xps e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca
 creation_rules:
-  - path_regex: secrets/[^/]+\.yaml$
+  - path_regex: secrets/secrets\.yaml
     key_groups:
       - pgp:
           - *stefan_ellmauthaler

README.md

@@ -4,14 +4,22 @@
 * setup the filesystem as you see fit
 * check out repository to `/mnt/etc/nixos`
 * run `nixos-generate-config --root /mnt` in `/mnt/etc/nixos`
-* create `machine/<machine-name>/default.nix` and add machine specific configuration to it
+* create `machines/<machine-name>/default.nix` and configure the machine
-* move `hardware-configuration.nix` to `machine/<machine-name>/hardware-configuration.nix`
+* move `hardware-configuration.nix` to `machines/<machine-name>/hardware-configuration.nix`
-* add your machine to `/mnt/etc/nixos/default.nix`
+* stage the machine-folder
-* stage the machine-folder to the git-repository
 * run
-  * `nix-shell -p nixFlakes`
+ * `nix-install --no-root-passwd --flake .#hostname --option experimental-features "nix-command flakes"`
-  * `sudo _NIXOS_REBUILD_REEXEC=1 nixos-install --no-root-passwd --flake .#hostname`
+
-  * ~~`nixos-install --no-root-passwd --flake .#hostname`~~
+## nix-sops
+* generate on your (sshd-enabled) machine a pgp key:
+  * `nix shell nixpkgs#ssh-to-pgp`
+  * `sudo ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key > /etc/nixos/secrets/hosts/<hostname>.asc`
+* add the fingerprint of the new key to the `/etc/nixos/.sops.yaml` file
+* Rekey the secrets with either 
+	* a master key
+	* or after a git push on another machine with enough permissions to rekey
+* the flakes dev-shell (`nix devshell`) allows to use the `sops <sops-file>` as well `sops-rekey <sops-file>` to manage the keys on the system
+   
 	
 
 # redesign checklist

secrets/secrets.yaml

@@ -0,0 +1,61 @@
+hello: ENC[AES256_GCM,data:MOALCu8iOAyfGkjK9z4NMDo0f6MmG6x5VkfyZcZvYCKnWFBRQAKPDTWBH5rK1g==,iv:jFU+0lkJ0MUv20a7snZEtIx4MauWJcWGz7QBM3+LjEI=,tag:mM2WRwx58uyfHmzhtT0R2g==,type:str]
+example_key: ENC[AES256_GCM,data:lAAqf3unmJ0zsg7nlEM=,iv:y1CfpqMkgOw1amloIxLvMR0Y74G0zO+RlBfXvZZIYAs=,tag:SUnHRfpMttYHRuQn8ABXsg==,type:str]
+#ENC[AES256_GCM,data:S8HV5uWQ2U1r+3GxJ1Uw9A==,iv:03NBULMd31qtDl1yDhXLdNaTJxsB5IR6ox4K5Ik8vSI=,tag:5tCKgR8Ue66TnOmR8Ya2zg==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:wyZTcylOGQqGvJCEAtI=,iv:tYMAa5ohpA2QyXITG/S+HV7ZaOd9hZtiQMRlo2IGk6Y=,tag:BNQsl4gOgGK3U4aPBrQGww==,type:str]
+    - ENC[AES256_GCM,data:eLXzjr7IOWnrAN90F3s=,iv:6uAIFz/uN/td6XD5b+Pe73kjGIpdDl+fbKWo1TiaAxo=,tag:0Q3Afv+W6ddIS+37aFPugQ==,type:str]
+example_number: ENC[AES256_GCM,data:gWSzljU0nOeIGA==,iv:B59DTWMum0nILKdxHSCyQoie5by/HNe+qOwN+gfNci4=,tag:cKb781zfp5QhKrwuWK5kiA==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:UnJYcQ==,iv:9Mm4d/Sf9VCeF0fq3LmfO15pjUrmbGYhzU/814jHCno=,tag:oZB1J633JyCSf1XACbxSlA==,type:bool]
+    - ENC[AES256_GCM,data:u0faKdM=,iv:kBl1oIAwuJji34U+ENq1hkz2b4zYZ/7Zo1f2Tgr1GsI=,tag:Fjtt/u4IJ4j5oDafLFQeDw==,type:bool]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-06-09T15:36:38Z"
+    mac: ENC[AES256_GCM,data:fJcGUyG9ur8qrkm0C318GDzAlYnhEy4QeaxBLNCQU9OsS/1eabJ0/wpw0cmUlfQkfu5IzZbPECWhrzxjN5S5ct1d/bNS+xSUtgZfSPXiXk4A9u9FR8BJaukOHvIa8nY15NludGMhsHxZcU1HFPlBuspt+AZv3SUuZXZHNousAvY=,iv:yxHTP/Lu+8rJ2tSZiq/dSTjNFuru8O5fRo+u0ULkP4Q=,tag:EjQGrlKOJX4Z1VuHUVQyhA==,type:str]
+    pgp:
+        - created_at: "2022-06-09T15:36:19Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzhsLR+kpSPjAQ//ddcTABupwvYDzULHzmAkkwOjm84k+457laJIbT/5OcZC
+            Y+5+J/LmnnoiHAnraItvuNerWegOoy0RWzEjmxbyHAA4eZdOjSCDv9TE0VHSKS3C
+            dfsO7yJ6k/cZCzldYVFKxK7PGgpb64au9mRmH2HIpI3evlk0ZvKRTiHUJApjod6D
+            Ne36w0lGbaszUIo8hufUuL+yevBbW8naiVpjE7yR28j8rIaDo14QuVbd/X5lIATd
+            r4BVXpqK7zA3wYnBSoGe/aFMYqwRkVRUEg16i99n5Jph2bVTNutcrSmIyih8X9MT
+            EoPeLfOP5xZt+Ku9xuiCCIkz3XFU8HD2W54TcwKfZcFr4wN+SZkrAEAi0zE9t61N
+            HELBwwKVGoiHp/k7KkbeFTS0CEdRfGA8lBPzdY+1rEgPfBdS/ElnbU1mjCWF/Ljl
+            OjqkNy5DjNzHicuorn9dPcKB/amz4LC2UN5F06AzlCoolU4+H3kMpjeEZsDOTskc
+            WrNRdoI2oex16GAqVJ/b1oTy3a0pZQ6vsUibuu3tJX4Yut0kcjXtgCk422NrhiE9
+            q5JKJLrGqbDzu8bXApA/4ggPDu1v+CIudmkIMjgijir4sBkIuXQ4LGNXLj0UlnWc
+            S2Z+j3CZ3pxlKeGMo++l53ELOgW8ASOhfoU/dOzzy7bynawSmUazUF4bGk/XZUbS
+            XgGq9ttQ52hp+9r5HDvwRsZ7hS6kCAQ3i/Pl/mJv8B3u4q/JgQYCfnnAp8endATK
+            I7ObbW7DsS8nKZkDYFIHOjnT0klEFCnMkrFTlbLp27pqCmFEqFUxi4DrIN9FPMI=
+            =sgda
+            -----END PGP MESSAGE-----
+          fp: 3B398B086C410264A14FB353B1E6F03030A4AEAA
+        - created_at: "2022-06-09T15:36:19Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1NKtoXYguTKARAAqYAGCF0IBq76TsQgCIg2RSq+v2i79qJtIJrAhqECe19T
+            0Us0ZQLC/fMdbRgf/caLVHNq5RgXtzmfqvKROMFgtnGxGjdBzCbK6TXQnUAiWDTB
+            Aa53txt5xfFEVZSZz1XIUPpIV1A83vCRhJtGENbMWNjWZmmNEdvLkWoWv7m88DCd
+            XgR2oGNvBCuCvxPATQpeFXpn+bz/lNCCKO6oS3jo9qyjYR3ZgG8+vUrs30c5L5lW
+            GKxYtq8dz1g2GIfQx30e1f2jVzP8d0Q3Uze3IINDzuzzBbIAfUUQdAAidH92Aq16
+            1/0ADgrnwHKjtNGz/iT6tj19g9+jGIzHpjag8MBAQHKCs+CqgHLYbuoGp9hW8yzJ
+            g8RSmO2wKE2dlf2aWqryEWZypacxJ/f/EZmuS0TxJM+rh7zk3S4Ftcd/DFeHOIYY
+            BkpqIEv1wsTdtDQd0nRWXi331jcAtIKfs152rogDRtXLvtGPlkrJ6IqzmXvjl4bf
+            0K7FiDAo20wRPQERk5DchamvJBg2Q74CunArqzVINkeWbJ4Ex5AtN4w9E9aiA25P
+            NNq6/6crDI4EeJ5DKuc7B/r+/mRlQXg7pmNGG4fLBpRx3ABx93yE6eBxH5r1uvdj
+            8q60/UTjfQYVmeZoNNI91AH3btIOuI6ciyNzOwRdjbxfgladH4qmrfNSdKI41sDS
+            WAGV6iH3qwbYCopStneaL2p9MH5hGYqEIx2DYvU9y6rDWp1iDnVYV7jNRVdWrrWn
+            0m9Xw8ZDA9OI/pf5nio/wEq6uz36jdNgF0okyRG5jkq38H8ZnsyedUo=
+            =Y1wC
+            -----END PGP MESSAGE-----
+          fp: e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3