more hm sops

This commit is contained in:
Peder Bergebakken Sundt 2024-02-18 18:50:17 +01:00
parent 9cfc9101b6
commit 018f42e359
2 changed files with 36 additions and 9 deletions


@ -1,5 +1,4 @@
age: hm-age-keys: ENC[AES256_GCM,data:UhPj72P1NVuD8Y4h8+UyCR5nEq4n76+E1ltA0v8Q3FmEB0vKkMDj2yQvA2r7ILgvlS1wKe5TyQ1tNa+lilCCBdHg7KG/yQNpxfQcngfOqwUkH6SI1KxekZyRisyznvseuGGqMYsBXliyCUnfjokJjdPdYthBgo1un0sKgKJn4wdviVTDzDKGcxqZI9euJBuV7aXqMG8WbIAl6l0Uqph5X/3QDvg54b68t3+6gZ6P9DXFI4BgLsaesiCHHVB+TioVNc6c2PoK7ReJ,iv:gvdoNoFQ3GJEjlCQ+BMqCOYVWazQC9Kf10fGcyTGeXo=,tag:Ao64r0iIotaEkn15K+oBlw==,type:str]
pvv-infra: ENC[AES256_GCM,data:3LpXJ9k8RQpo1FhzvFqnY2Zr5DS/uyD57/EQhjZ+8rL5pcseHxefl+dCOSzcK8XBhYj8Uh0SriLy9xG6vvLv6fVsFVAu7kyHmjjc/g9J9R3h/B0b7kEluJAxGIdZX5qVZLJl6rp5l2b9tLMj31SCN3kr4iZOI86Y/NDfVMzijYuslmIM7rBR5ESJSOPvjLqXjVTGWZ78RQd/i6h26iC57AaQnR3K+ECrRgiWCbEARN3METzTXu2K70ml9oPv,iv:mNBvaInfI49MP5mlk9vL81oV7bF4mpC132MzNLArkQI=,tag:nMDyldfhHflKdp+yjzdLmw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -33,8 +32,8 @@ sops:
eElYaFdHRnJCL1B6TDRBdHFlY1hzS2MKYJ0ShoOUFK991Sva/SKkQQrCsYRf1TWA eElYaFdHRnJCL1B6TDRBdHFlY1hzS2MKYJ0ShoOUFK991Sva/SKkQQrCsYRf1TWA
j6RddniZt7A4y8mt4g3bhWyf+7OLLNx0BjuW6c2aVoMi7B7ZLBz+gg== j6RddniZt7A4y8mt4g3bhWyf+7OLLNx0BjuW6c2aVoMi7B7ZLBz+gg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-27T17:16:46Z" lastmodified: "2024-02-18T01:45:49Z"
mac: ENC[AES256_GCM,data:0I5IhUaaXWXaEj3TKtLhlDN7SkhCQouUcpb6bwnsoWVibWvMX9ZrqVO35wDrU/vmY45RTuIJ0AdXlDCL0fyGIOpw4bRoizxaIH9Im8sxh47Fgh+wY4LTEa3y6rES2opuaPrPUqEQeBtS9e1WU0Vt1Wdjv1nxq+pxKKL7p51CW6s=,iv:HZn7Ehqc0fpSDx32OgwzQZ3r8ebhoE4Dy+qUeDXJgj8=,tag:uj4lX4CESO041rLgRXko7Q==,type:str] mac: ENC[AES256_GCM,data:ue8Ro6nUtZ2mXez76jtA9Rje2kVvc2vRG3YaEArID/zBrDwR8NJsWU17jvuwr92OtqSVVO2JAps6RuLIrjpLmO6SgcAvRj9rqWrpQQ4Qb9zYCZ2RUlov9yMBk0phsMtkzcHDFsk6EGyS8b6N1eP7iSu7W+riaM8zR9BajuDUuTE=,iv:ke1K1+Uo0jjJjztjCHYmlDMUCFSJWchQz7GoCm5l1aY=,tag:iLiYHS6hiZHNJQlp05yNmQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.8.1


@ -1,4 +1,8 @@
{ pkgs, config, ... }: { lib, pkgs, config, ... }:
let
keyFile = lib.escapeShellArg config.sops.age.keyFile;
in
{ {
@ -6,8 +10,30 @@
sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
sops.defaultSopsFile = ../../../../secrets/user-pbsds.yaml; sops.defaultSopsFile = ../../../../secrets/user-pbsds.yaml;
sops.secrets."age/pvv-infra".path = "%r/sops/age/pvv-infra.txt"; sops.secrets."hm-age-keys".path = "%r/sops/age/keys-hm.txt";
/**/
home.activation.append-hm-sops-keys = lib.hm.dag.entryAfter ["writeBoundary"] ''
if ! test -f ${keyFile}; then
$DRY_RUN_CMD mkdir -p "$(dirname ${keyFile})"
$DRY_RUN_CMD ${lib.getBin pkgs.age}/bin/age-keygen -o ${keyFile} >/dev/null
fi
if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then
if test -w ${keyFile}; then
for pubkey in $(age-keygen -y "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt); do
if ! grep -q "$pubkey" <(${lib.getBin pkgs.age}/bin/age-keygen -y ${keyFile}); then
# TODO: deduplicate
cat "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt | $DRY_RUN_CMD tee --append ${keyFile} > /dev/null
break
fi
done
fi
fi
'';
/**/
/** /
home.sessionVariables = { home.sessionVariables = {
#SOPS_AGE_KEY_FILE = config.sops.age.keyFile; #SOPS_AGE_KEY_FILE = config.sops.age.keyFile;
SOPS_AGE_KEY_FILE = "$XDG_RUNTIME_DIR/sops/age/keys.txt"; SOPS_AGE_KEY_FILE = "$XDG_RUNTIME_DIR/sops/age/keys.txt";
@ -25,12 +51,14 @@
test -f ${config.sops.age.keyFile} test -f ${config.sops.age.keyFile}
install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <( install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <(
cat ${config.sops.age.keyFile} cat ${config.sops.age.keyFile}
if test -s "$XDG_RUNTIME_DIR"/sops/age/pvv-infra.txt; then if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then
cat "$XDG_RUNTIME_DIR"/pvv-infra.txt cat "$XDG_RUNTIME_DIR"/hm-keys.txt
fi fi
) )
''; '';
}; };
}; };
/**/
} }
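Review bot: The `for pubkey in $(age-keygen -y ...)` line inside `home.activation.append-hm-sops-keys` invokes `age-keygen` by bare name, while the `grep` check two lines below uses `${lib.getBin pkgs.age}/bin/age-keygen`; if age is not on PATH in the activation environment the substitution yields nothing, the loop body never runs and the key is silently not appended, so it should read `for pubkey in $(${lib.getBin pkgs.age}/bin/age-keygen -y "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt); do`. The `grep -q "$pubkey"` test treats the public key as a regex where `grep -qF "$pubkey"` pins it as a literal, and the `# TODO: deduplicate` comment is right that appending the whole keys-hm.txt can re-add a key that is already present when the file holds several. In the last hunk the new `test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt` is followed by `cat "$XDG_RUNTIME_DIR"/hm-keys.txt`, a path that differs both from the one just tested and from the `%r/sops/age/keys-hm.txt` secret path, so inside the `<( ... )` substitution the failure is swallowed and the key never reaches the assembled file; that block appears to sit between `/** /` and `/**/` and thus be commented out on the new side, but it should become `cat "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt` before it is re-enabled. The attribute containing that last hunk begins before the hunk.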