From 018f42e359f26461feb04c3301ded4ace8c3c799 Mon Sep 17 00:00:00 2001 From: Peder Bergebakken Sundt Date: Sun, 18 Feb 2024 18:50:17 +0100 Subject: [PATCH] more hm sops --- secrets/user-pbsds.yaml | 9 ++++---- users/pbsds/home/profiles/sops.nix | 36 ++++++++++++++++++++++++++---- 2 files changed, 36 insertions(+), 9 deletions(-) diff --git a/secrets/user-pbsds.yaml b/secrets/user-pbsds.yaml index 9639182..9467153 100644 --- a/secrets/user-pbsds.yaml +++ b/secrets/user-pbsds.yaml @@ -1,5 +1,4 @@ -age: - pvv-infra: ENC[AES256_GCM,data:3LpXJ9k8RQpo1FhzvFqnY2Zr5DS/uyD57/EQhjZ+8rL5pcseHxefl+dCOSzcK8XBhYj8Uh0SriLy9xG6vvLv6fVsFVAu7kyHmjjc/g9J9R3h/B0b7kEluJAxGIdZX5qVZLJl6rp5l2b9tLMj31SCN3kr4iZOI86Y/NDfVMzijYuslmIM7rBR5ESJSOPvjLqXjVTGWZ78RQd/i6h26iC57AaQnR3K+ECrRgiWCbEARN3METzTXu2K70ml9oPv,iv:mNBvaInfI49MP5mlk9vL81oV7bF4mpC132MzNLArkQI=,tag:nMDyldfhHflKdp+yjzdLmw==,type:str] +hm-age-keys: ENC[AES256_GCM,data:UhPj72P1NVuD8Y4h8+UyCR5nEq4n76+E1ltA0v8Q3FmEB0vKkMDj2yQvA2r7ILgvlS1wKe5TyQ1tNa+lilCCBdHg7KG/yQNpxfQcngfOqwUkH6SI1KxekZyRisyznvseuGGqMYsBXliyCUnfjokJjdPdYthBgo1un0sKgKJn4wdviVTDzDKGcxqZI9euJBuV7aXqMG8WbIAl6l0Uqph5X/3QDvg54b68t3+6gZ6P9DXFI4BgLsaesiCHHVB+TioVNc6c2PoK7ReJ,iv:gvdoNoFQ3GJEjlCQ+BMqCOYVWazQC9Kf10fGcyTGeXo=,tag:Ao64r0iIotaEkn15K+oBlw==,type:str] sops: kms: [] gcp_kms: [] @@ -33,8 +32,8 @@ sops: eElYaFdHRnJCL1B6TDRBdHFlY1hzS2MKYJ0ShoOUFK991Sva/SKkQQrCsYRf1TWA j6RddniZt7A4y8mt4g3bhWyf+7OLLNx0BjuW6c2aVoMi7B7ZLBz+gg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-27T17:16:46Z" - mac: ENC[AES256_GCM,data:0I5IhUaaXWXaEj3TKtLhlDN7SkhCQouUcpb6bwnsoWVibWvMX9ZrqVO35wDrU/vmY45RTuIJ0AdXlDCL0fyGIOpw4bRoizxaIH9Im8sxh47Fgh+wY4LTEa3y6rES2opuaPrPUqEQeBtS9e1WU0Vt1Wdjv1nxq+pxKKL7p51CW6s=,iv:HZn7Ehqc0fpSDx32OgwzQZ3r8ebhoE4Dy+qUeDXJgj8=,tag:uj4lX4CESO041rLgRXko7Q==,type:str] + lastmodified: "2024-02-18T01:45:49Z" + mac: ENC[AES256_GCM,data:ue8Ro6nUtZ2mXez76jtA9Rje2kVvc2vRG3YaEArID/zBrDwR8NJsWU17jvuwr92OtqSVVO2JAps6RuLIrjpLmO6SgcAvRj9rqWrpQQ4Qb9zYCZ2RUlov9yMBk0phsMtkzcHDFsk6EGyS8b6N1eP7iSu7W+riaM8zR9BajuDUuTE=,iv:ke1K1+Uo0jjJjztjCHYmlDMUCFSJWchQz7GoCm5l1aY=,tag:iLiYHS6hiZHNJQlp05yNmQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 diff --git a/users/pbsds/home/profiles/sops.nix b/users/pbsds/home/profiles/sops.nix index 3227ab7..5ac9556 100644 --- a/users/pbsds/home/profiles/sops.nix +++ b/users/pbsds/home/profiles/sops.nix @@ -1,4 +1,8 @@ -{ pkgs, config, ... }: +{ lib, pkgs, config, ... }: + +let + keyFile = lib.escapeShellArg config.sops.age.keyFile; +in { @@ -6,8 +10,30 @@ sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; sops.defaultSopsFile = ../../../../secrets/user-pbsds.yaml; - sops.secrets."age/pvv-infra".path = "%r/sops/age/pvv-infra.txt"; + sops.secrets."hm-age-keys".path = "%r/sops/age/keys-hm.txt"; + /**/ + home.activation.append-hm-sops-keys = lib.hm.dag.entryAfter ["writeBoundary"] '' + if ! test -f ${keyFile}; then + $DRY_RUN_CMD mkdir -p "$(dirname ${keyFile})" + $DRY_RUN_CMD ${lib.getBin pkgs.age}/bin/age-keygen -o ${keyFile} >/dev/null + fi + + if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then + if test -w ${keyFile}; then + for pubkey in $(age-keygen -y "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt); do + if ! grep -q "$pubkey" <(${lib.getBin pkgs.age}/bin/age-keygen -y ${keyFile}); then + # TODO: deduplicate + cat "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt | $DRY_RUN_CMD tee --append ${keyFile} > /dev/null + break + fi + done + fi + fi + ''; + /**/ + + /** / home.sessionVariables = { #SOPS_AGE_KEY_FILE = config.sops.age.keyFile; SOPS_AGE_KEY_FILE = "$XDG_RUNTIME_DIR/sops/age/keys.txt"; @@ -25,12 +51,14 @@ test -f ${config.sops.age.keyFile} install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <( cat ${config.sops.age.keyFile} - if test -s "$XDG_RUNTIME_DIR"/sops/age/pvv-infra.txt; then - cat "$XDG_RUNTIME_DIR"/pvv-infra.txt + if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then + cat "$XDG_RUNTIME_DIR"/hm-keys.txt fi ) ''; }; }; + /**/ + }