more hm sops
This commit is contained in:
parent
9cfc9101b6
commit
018f42e359
@ -1,5 +1,4 @@
|
||||||
age:
|
hm-age-keys: ENC[AES256_GCM,data:UhPj72P1NVuD8Y4h8+UyCR5nEq4n76+E1ltA0v8Q3FmEB0vKkMDj2yQvA2r7ILgvlS1wKe5TyQ1tNa+lilCCBdHg7KG/yQNpxfQcngfOqwUkH6SI1KxekZyRisyznvseuGGqMYsBXliyCUnfjokJjdPdYthBgo1un0sKgKJn4wdviVTDzDKGcxqZI9euJBuV7aXqMG8WbIAl6l0Uqph5X/3QDvg54b68t3+6gZ6P9DXFI4BgLsaesiCHHVB+TioVNc6c2PoK7ReJ,iv:gvdoNoFQ3GJEjlCQ+BMqCOYVWazQC9Kf10fGcyTGeXo=,tag:Ao64r0iIotaEkn15K+oBlw==,type:str]
|
||||||
pvv-infra: ENC[AES256_GCM,data:3LpXJ9k8RQpo1FhzvFqnY2Zr5DS/uyD57/EQhjZ+8rL5pcseHxefl+dCOSzcK8XBhYj8Uh0SriLy9xG6vvLv6fVsFVAu7kyHmjjc/g9J9R3h/B0b7kEluJAxGIdZX5qVZLJl6rp5l2b9tLMj31SCN3kr4iZOI86Y/NDfVMzijYuslmIM7rBR5ESJSOPvjLqXjVTGWZ78RQd/i6h26iC57AaQnR3K+ECrRgiWCbEARN3METzTXu2K70ml9oPv,iv:mNBvaInfI49MP5mlk9vL81oV7bF4mpC132MzNLArkQI=,tag:nMDyldfhHflKdp+yjzdLmw==,type:str]
|
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -33,8 +32,8 @@ sops:
|
||||||
eElYaFdHRnJCL1B6TDRBdHFlY1hzS2MKYJ0ShoOUFK991Sva/SKkQQrCsYRf1TWA
|
eElYaFdHRnJCL1B6TDRBdHFlY1hzS2MKYJ0ShoOUFK991Sva/SKkQQrCsYRf1TWA
|
||||||
j6RddniZt7A4y8mt4g3bhWyf+7OLLNx0BjuW6c2aVoMi7B7ZLBz+gg==
|
j6RddniZt7A4y8mt4g3bhWyf+7OLLNx0BjuW6c2aVoMi7B7ZLBz+gg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-10-27T17:16:46Z"
|
lastmodified: "2024-02-18T01:45:49Z"
|
||||||
mac: ENC[AES256_GCM,data:0I5IhUaaXWXaEj3TKtLhlDN7SkhCQouUcpb6bwnsoWVibWvMX9ZrqVO35wDrU/vmY45RTuIJ0AdXlDCL0fyGIOpw4bRoizxaIH9Im8sxh47Fgh+wY4LTEa3y6rES2opuaPrPUqEQeBtS9e1WU0Vt1Wdjv1nxq+pxKKL7p51CW6s=,iv:HZn7Ehqc0fpSDx32OgwzQZ3r8ebhoE4Dy+qUeDXJgj8=,tag:uj4lX4CESO041rLgRXko7Q==,type:str]
|
mac: ENC[AES256_GCM,data:ue8Ro6nUtZ2mXez76jtA9Rje2kVvc2vRG3YaEArID/zBrDwR8NJsWU17jvuwr92OtqSVVO2JAps6RuLIrjpLmO6SgcAvRj9rqWrpQQ4Qb9zYCZ2RUlov9yMBk0phsMtkzcHDFsk6EGyS8b6N1eP7iSu7W+riaM8zR9BajuDUuTE=,iv:ke1K1+Uo0jjJjztjCHYmlDMUCFSJWchQz7GoCm5l1aY=,tag:iLiYHS6hiZHNJQlp05yNmQ==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.8.1
|
||||||
|
|
|
@ -1,4 +1,8 @@
|
||||||
{ pkgs, config, ... }:
|
{ lib, pkgs, config, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
keyFile = lib.escapeShellArg config.sops.age.keyFile;
|
||||||
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|
||||||
|
@ -6,8 +10,30 @@
|
||||||
sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
|
sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
|
||||||
sops.defaultSopsFile = ../../../../secrets/user-pbsds.yaml;
|
sops.defaultSopsFile = ../../../../secrets/user-pbsds.yaml;
|
||||||
|
|
||||||
sops.secrets."age/pvv-infra".path = "%r/sops/age/pvv-infra.txt";
|
sops.secrets."hm-age-keys".path = "%r/sops/age/keys-hm.txt";
|
||||||
|
|
||||||
|
/**/
|
||||||
|
home.activation.append-hm-sops-keys = lib.hm.dag.entryAfter ["writeBoundary"] ''
|
||||||
|
if ! test -f ${keyFile}; then
|
||||||
|
$DRY_RUN_CMD mkdir -p "$(dirname ${keyFile})"
|
||||||
|
$DRY_RUN_CMD ${lib.getBin pkgs.age}/bin/age-keygen -o ${keyFile} >/dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then
|
||||||
|
if test -w ${keyFile}; then
|
||||||
|
for pubkey in $(age-keygen -y "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt); do
|
||||||
|
if ! grep -q "$pubkey" <(${lib.getBin pkgs.age}/bin/age-keygen -y ${keyFile}); then
|
||||||
|
# TODO: deduplicate
|
||||||
|
cat "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt | $DRY_RUN_CMD tee --append ${keyFile} > /dev/null
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
/**/
|
||||||
|
|
||||||
|
/** /
|
||||||
home.sessionVariables = {
|
home.sessionVariables = {
|
||||||
#SOPS_AGE_KEY_FILE = config.sops.age.keyFile;
|
#SOPS_AGE_KEY_FILE = config.sops.age.keyFile;
|
||||||
SOPS_AGE_KEY_FILE = "$XDG_RUNTIME_DIR/sops/age/keys.txt";
|
SOPS_AGE_KEY_FILE = "$XDG_RUNTIME_DIR/sops/age/keys.txt";
|
||||||
|
@ -25,12 +51,14 @@
|
||||||
test -f ${config.sops.age.keyFile}
|
test -f ${config.sops.age.keyFile}
|
||||||
install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <(
|
install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <(
|
||||||
cat ${config.sops.age.keyFile}
|
cat ${config.sops.age.keyFile}
|
||||||
if test -s "$XDG_RUNTIME_DIR"/sops/age/pvv-infra.txt; then
|
if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then
|
||||||
cat "$XDG_RUNTIME_DIR"/pvv-infra.txt
|
cat "$XDG_RUNTIME_DIR"/hm-keys.txt
|
||||||
fi
|
fi
|
||||||
)
|
)
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
/**/
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
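Review bot: In the last hunk the guard `if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt` protects a `cat` of a different path, `"$XDG_RUNTIME_DIR"/hm-keys.txt`, so the home-manager key declared at `%r/sops/age/keys-hm.txt` earlier in this file is never copied into the runtime key file; the line should read `cat "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt`. In the activation-script hunk above, `for pubkey in $(age-keygen -y ...)` calls a bare `age-keygen` while the neighbouring lines use `${lib.getBin pkgs.age}/bin/age-keygen`; if age is not on PATH during activation the substitution fails and the loop silently does nothing, so the same absolute path belongs there. In the same loop `grep -q "$pubkey"` treats the public key as a regular expression and matches substrings; `grep -qxF "$pubkey"` compares whole lines literally. Unrelated to this change, the unchanged context line `install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <(` passes a target-directory flag with a file path, so it is worth confirming that a regular file ends up at keys.txt rather than a directory.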