From b15432bd15f38b1256e591f7945d3baca0a71f00 Mon Sep 17 00:00:00 2001 From: Cy Pokhrel Date: Sat, 23 Nov 2024 21:41:28 -0500 Subject: [PATCH] better secrets management --- nix/.sops.yaml | 7 +++++++ nix/configuration.nix | 8 +++++++- nix/flake.lock | 23 ++++++++++++++++++++++- nix/flake.nix | 7 ++++++- nix/secrets/secrets.yaml | 22 ++++++++++++++++++++++ 5 files changed, 64 insertions(+), 3 deletions(-) create mode 100644 nix/.sops.yaml create mode 100644 nix/secrets/secrets.yaml
diff --git a/nix/.sops.yaml b/nix/.sops.yaml
new file mode 100644
index 0000000..7166ce8
--- /dev/null
+++ b/nix/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/nix/configuration.nix b/nix/configuration.nix
index 5acb071..de9e6ed 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -6,6 +6,11 @@
 ./hardware-configuration.nix ];
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+ sops.age.keyFile = "/root/.config/sops/age/keys.txt";
+ sops.secrets."borg/yt" = { };
+
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
@@ -98,6 +103,7 @@
 wgnord wireguard-tools traceroute
+ sops
 ];
 system.stateVersion = "24.05";
@@ -151,7 +157,7 @@
 repo = "de3911@de3911.rsync.net:borg/yt";
 encryption = {
 mode = "repokey-blake2";
- passCommand = "cat /root/keys/borg_yt";
+ passCommand = "cat /run/keys/borg_yt";
 };
 environment = {
 BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
diff --git a/nix/flake.lock b/nix/flake.lock
index ed92882..cf25dcd 100644
--- a/nix/flake.lock
+++ b/nix/flake.lock
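Review bot: Only one age recipient is listed under `keys`, so `secrets/secrets.yaml` can be decrypted and edited solely with the private key that `configuration.nix` expects at `/root/.config/sops/age/keys.txt`; if that file is lost the secret is unrecoverable, and editing from an operator workstation means copying the host's private key around. Add a second recipient for the operator's own age key (another `&admin age1…` anchor under `keys`, and `- *admin` next to `- *primary` in the same `key_groups` entry), then re-encrypt with `sops updatekeys secrets/secrets.yaml`. A one-line comment on the `&primary` entry saying which host that public key belongs to would also help whoever rotates it later.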
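Review bot: `sops.secrets."borg/yt" = { };` relies entirely on sops-nix defaults, and nothing nearby says where the decrypted value ends up or who may read it; a short comment would make that contract explicit, e.g. `# Borg repokey passphrase for the yt job; sops-nix decrypts it at activation (root-only by default, as far as I recall) and the borgbackup job reads it via passCommand`. It is also worth a comment that `sops.age.keyFile` has to be provisioned on the host out of band before the first switch: as far as I recall sops-nix decrypts at activation time, so a missing key surfaces as a failing borg job at run time rather than as a build error. The `sops.*` bindings sit inside a module attribute set whose braces are outside the hunk.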
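Review bot: `passCommand = "cat /run/keys/borg_yt"` does not point at the secret this commit declares: `sops.secrets."borg/yt" = { }` sets no `path`, and sops-nix's default location (as far as I recall) is `/run/secrets/<name>`, i.e. `/run/secrets/borg/yt`, whereas `/run/keys/` is the NixOS deployment-keys directory that nothing in this diff populates. Unless something outside the diff writes `/run/keys/borg_yt`, `cat` fails and the borg job aborts for want of a passphrase. Referencing the option removes the hard-coded path entirely: `passCommand = "cat ${config.sops.secrets."borg/yt".path}";` (assuming `config` is among the module's arguments, which the file header outside the hunk would show). The enclosing borgbackup job attribute set starts and ends outside the hunk.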
@@ -17,7 +17,28 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732186149, + "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } } },
diff --git a/nix/flake.nix b/nix/flake.nix
index f8dc047..56714d9 100644
--- a/nix/flake.nix
+++ b/nix/flake.nix
@@ -3,9 +3,13 @@
 inputs = {
 nixpkgs.url = "nixpkgs/nixos-unstable";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { self, nixpkgs }:
+ outputs = { self, nixpkgs, sops-nix }:
 let lib = nixpkgs.lib;
 in {
@@ -14,6 +18,7 @@
 system = "x86_64-linux";
 modules = [
 ./configuration.nix
+ sops-nix.nixosModules.sops
 ];
 };
 };
@@ -0,0 +1,22 @@ +borg: + yt: ENC[AES256_GCM,data:CGcdcA9LnDDlTYJwsT25uY9h70yJtKhxgA==,iv:F25VTezkd4RQd7BZ3DD39hPiPj+Z3H01IgPhCGUQ5aM=,tag:mxLPXR/ffBXkByk1R1PYvQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUmhsRDljYWJLS2tzUC90 + a1oxZGZBUy9LaFpJeTF2MmZWQnl1NU0vQkc0CklnTGszaHRCRW5GYUU1OU9NVjVH + SW02OWVXNDNSMTFyV2NUU2xTV1dlTGMKLS0tIGpKT3lQd3I0T0xEMWo2ekd1MmM3 + a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY + ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-24T02:00:55Z" + mac: ENC[AES256_GCM,data:d8CY4QNU0O2pqTsNZgikJpCkm/jGgvu0lyBfmKoYmlQpHHIeWag9cT3n5/8UKnrcdgiLzCu26j0D6RiqolvpS/qtTz953kjSXiu3mclk9uuRurvzxxA31IacuiOeDRiln7dephRXxzzYvNiq5HtyAIEBxoIni5BCLFepBtGhB8U=,iv:b7Z6jFuXdhHJSuz6mJtB0f1hfo41UcNsXi+XwWUR10M=,tag:2Bdv9m4eoWZAt5Q/Fmf6Rw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1