more hm sops
This commit is contained in:
parent
9cfc9101b6
commit
018f42e359
@ -1,5 +1,4 @@
|
||||
age:
|
||||
pvv-infra: ENC[AES256_GCM,data:3LpXJ9k8RQpo1FhzvFqnY2Zr5DS/uyD57/EQhjZ+8rL5pcseHxefl+dCOSzcK8XBhYj8Uh0SriLy9xG6vvLv6fVsFVAu7kyHmjjc/g9J9R3h/B0b7kEluJAxGIdZX5qVZLJl6rp5l2b9tLMj31SCN3kr4iZOI86Y/NDfVMzijYuslmIM7rBR5ESJSOPvjLqXjVTGWZ78RQd/i6h26iC57AaQnR3K+ECrRgiWCbEARN3METzTXu2K70ml9oPv,iv:mNBvaInfI49MP5mlk9vL81oV7bF4mpC132MzNLArkQI=,tag:nMDyldfhHflKdp+yjzdLmw==,type:str]
|
||||
hm-age-keys: ENC[AES256_GCM,data:UhPj72P1NVuD8Y4h8+UyCR5nEq4n76+E1ltA0v8Q3FmEB0vKkMDj2yQvA2r7ILgvlS1wKe5TyQ1tNa+lilCCBdHg7KG/yQNpxfQcngfOqwUkH6SI1KxekZyRisyznvseuGGqMYsBXliyCUnfjokJjdPdYthBgo1un0sKgKJn4wdviVTDzDKGcxqZI9euJBuV7aXqMG8WbIAl6l0Uqph5X/3QDvg54b68t3+6gZ6P9DXFI4BgLsaesiCHHVB+TioVNc6c2PoK7ReJ,iv:gvdoNoFQ3GJEjlCQ+BMqCOYVWazQC9Kf10fGcyTGeXo=,tag:Ao64r0iIotaEkn15K+oBlw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -33,8 +32,8 @@ sops:
|
||||
eElYaFdHRnJCL1B6TDRBdHFlY1hzS2MKYJ0ShoOUFK991Sva/SKkQQrCsYRf1TWA
|
||||
j6RddniZt7A4y8mt4g3bhWyf+7OLLNx0BjuW6c2aVoMi7B7ZLBz+gg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-10-27T17:16:46Z"
|
||||
mac: ENC[AES256_GCM,data:0I5IhUaaXWXaEj3TKtLhlDN7SkhCQouUcpb6bwnsoWVibWvMX9ZrqVO35wDrU/vmY45RTuIJ0AdXlDCL0fyGIOpw4bRoizxaIH9Im8sxh47Fgh+wY4LTEa3y6rES2opuaPrPUqEQeBtS9e1WU0Vt1Wdjv1nxq+pxKKL7p51CW6s=,iv:HZn7Ehqc0fpSDx32OgwzQZ3r8ebhoE4Dy+qUeDXJgj8=,tag:uj4lX4CESO041rLgRXko7Q==,type:str]
|
||||
lastmodified: "2024-02-18T01:45:49Z"
|
||||
mac: ENC[AES256_GCM,data:ue8Ro6nUtZ2mXez76jtA9Rje2kVvc2vRG3YaEArID/zBrDwR8NJsWU17jvuwr92OtqSVVO2JAps6RuLIrjpLmO6SgcAvRj9rqWrpQQ4Qb9zYCZ2RUlov9yMBk0phsMtkzcHDFsk6EGyS8b6N1eP7iSu7W+riaM8zR9BajuDUuTE=,iv:ke1K1+Uo0jjJjztjCHYmlDMUCFSJWchQz7GoCm5l1aY=,tag:iLiYHS6hiZHNJQlp05yNmQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
version: 3.8.1
|
||||
|
@ -1,4 +1,8 @@
|
||||
{ pkgs, config, ... }:
|
||||
{ lib, pkgs, config, ... }:
|
||||
|
||||
let
|
||||
keyFile = lib.escapeShellArg config.sops.age.keyFile;
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
@ -6,8 +10,30 @@
|
||||
sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
|
||||
sops.defaultSopsFile = ../../../../secrets/user-pbsds.yaml;
|
||||
|
||||
sops.secrets."age/pvv-infra".path = "%r/sops/age/pvv-infra.txt";
|
||||
sops.secrets."hm-age-keys".path = "%r/sops/age/keys-hm.txt";
|
||||
|
||||
/**/
|
||||
home.activation.append-hm-sops-keys = lib.hm.dag.entryAfter ["writeBoundary"] ''
|
||||
if ! test -f ${keyFile}; then
|
||||
$DRY_RUN_CMD mkdir -p "$(dirname ${keyFile})"
|
||||
$DRY_RUN_CMD ${lib.getBin pkgs.age}/bin/age-keygen -o ${keyFile} >/dev/null
|
||||
fi
|
||||
|
||||
if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then
|
||||
if test -w ${keyFile}; then
|
||||
for pubkey in $(age-keygen -y "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt); do
|
||||
if ! grep -q "$pubkey" <(${lib.getBin pkgs.age}/bin/age-keygen -y ${keyFile}); then
|
||||
# TODO: deduplicate
|
||||
cat "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt | $DRY_RUN_CMD tee --append ${keyFile} > /dev/null
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
'';
|
||||
/**/
|
||||
|
||||
/** /
|
||||
home.sessionVariables = {
|
||||
#SOPS_AGE_KEY_FILE = config.sops.age.keyFile;
|
||||
SOPS_AGE_KEY_FILE = "$XDG_RUNTIME_DIR/sops/age/keys.txt";
|
||||
@ -25,12 +51,14 @@
|
||||
test -f ${config.sops.age.keyFile}
|
||||
install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <(
|
||||
cat ${config.sops.age.keyFile}
|
||||
if test -s "$XDG_RUNTIME_DIR"/sops/age/pvv-infra.txt; then
|
||||
cat "$XDG_RUNTIME_DIR"/pvv-infra.txt
|
||||
if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then
|
||||
cat "$XDG_RUNTIME_DIR"/hm-keys.txt
|
||||
fi
|
||||
)
|
||||
'';
|
||||
};
|
||||
};
|
||||
/**/
|
||||
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user