move secrets to host folder
This commit is contained in:
parent
a1034afb0f
commit
3af0c8a43f
18
.sops.yaml
18
.sops.yaml
@ -20,7 +20,7 @@ keys: # https://github.com/getsops/sops/pull/1123
|
||||
# https://github.com/getsops/sops#key-groups
|
||||
creation_rules:
|
||||
# global
|
||||
- path_regex: secrets/default.yaml$
|
||||
- path_regex: secrets/common.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
@ -54,7 +54,7 @@ creation_rules:
|
||||
- *user_pbsds_nord
|
||||
- *user_pbsds_bjarte
|
||||
# sopp only
|
||||
- path_regex: secrets/sopp(/[^/]+)?\.yaml$
|
||||
- path_regex: hosts/nixos/sopp/secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
@ -62,7 +62,7 @@ creation_rules:
|
||||
- *user_pbsds_bjarte
|
||||
- *host_sopp
|
||||
# nox only
|
||||
- path_regex: secrets/noximilien(/[^/]+)?\.yaml$
|
||||
- path_regex: hosts/nixos/noximilien/secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
@ -70,7 +70,7 @@ creation_rules:
|
||||
- *user_pbsds_bjarte
|
||||
- *host_nox
|
||||
# bolle only
|
||||
- path_regex: secrets/bolle(/[^/]+)?\.yaml$
|
||||
- path_regex: hosts/nixos/bolle/secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
@ -78,7 +78,7 @@ creation_rules:
|
||||
- *user_pbsds_bjarte
|
||||
- *host_bolle
|
||||
# garp only
|
||||
- path_regex: secrets/garp(/[^/]+)?\.yaml$
|
||||
- path_regex: hosts/nixos/garp/secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
@ -86,7 +86,7 @@ creation_rules:
|
||||
- *user_pbsds_bjarte
|
||||
- *host_garp
|
||||
# eple only
|
||||
- path_regex: secrets/eple(/[^/]+)?\.yaml$
|
||||
- path_regex: hosts/nixos/eple/secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
@ -94,7 +94,7 @@ creation_rules:
|
||||
- *user_pbsds_bjarte
|
||||
- *host_eple
|
||||
# nord only
|
||||
- path_regex: secrets/nord(/[^/]+)?\.yaml$
|
||||
- path_regex: hosts/nixos/nord/secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
@ -102,7 +102,7 @@ creation_rules:
|
||||
- *user_pbsds_bjarte
|
||||
- *host_nord
|
||||
# bjarte only
|
||||
- path_regex: secrets/bjarte(/[^/]+)?\.yaml$
|
||||
- path_regex: hosts/nixos/bjarte/secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
@ -110,7 +110,7 @@ creation_rules:
|
||||
- *user_pbsds_bjarte
|
||||
- *host_bjarte
|
||||
# brumlebasse only
|
||||
- path_regex: secrets/brumle(basse)?(/[^/]+)?\.yaml$
|
||||
- path_regex: hosts/nixos/brumlebasse/secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
|
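Review bot: The new host rules are looser than the ones they replace: `hosts/nixos/sopp/secrets.yaml` (and the same form for noximilien, bolle, garp, eple, nord, bjarte and brumlebasse) has an unescaped `.` and no trailing `$`, whereas the old `secrets/sopp(/[^/]+)?\.yaml$` was anchored. sops evaluates `path_regex` as an unanchored search and the first matching creation rule wins, so `- path_regex: hosts/nixos/sopp/secrets\.yaml$` keeps the previous strictness without changing which files match today. Which line in each pair is removed and which is added is inferred from the flake.nix and secrets/default.nix changes, since the page has lost the +/- markers.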
18
flake.nix
18
flake.nix
@ -157,28 +157,12 @@
|
||||
imports = let ifExists = p: if builtins.pathExists p then p else {}; in [
|
||||
./base.nix
|
||||
"${self}/hosts/nixos/${hostname}/configuration.nix"
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
./secrets
|
||||
inputs.home-manager.nixosModule
|
||||
#inputs.nix-index-database.nixosModules.nix-index # TODO: fix?
|
||||
] ++ modules ++ extra-modules;
|
||||
#++ inputs.flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work
|
||||
|
||||
sops.defaultSopsFile = ./secrets/default.yaml;
|
||||
#sops.defaultSopsFile = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) ./secrets/${hostname}.yaml;
|
||||
#sops.secrets = let # TODO: importYAML does not exist
|
||||
# file = ./secrets/${hostname}.yaml;
|
||||
# exists = builtins.pathExists file;
|
||||
# yaml = lib.removeAttrs (lib.importYAML file) ["sops"];
|
||||
# secrets = lib.attrNames yaml; # TODO: recurse
|
||||
#in
|
||||
# if !exists then {} else lib.mkMerge (lib.forEach secrets (secret:
|
||||
# lib.mkIf (config.sops.secrets ? secret) {
|
||||
# "${secret}".sopsFile = file;
|
||||
# }
|
||||
# ));
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||
sops.age.generateKey = true;
|
||||
|
||||
home-manager.useGlobalPkgs = true; # go brrr, reuse overrides
|
||||
home-manager.extraSpecialArgs = {
|
||||
|
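Review bot: The added `./secrets` entry carries no comment, so a reader of flake.nix cannot tell that the sops-nix module, the age key settings and `sops.defaultSopsFile` now come from that directory; suggest `./secrets # sops-nix module, age identity and defaultSopsFile (secrets/default.nix)`. The `ifExists` helper defined on the `imports = let ...` line is still not used by any entry in the visible list. The enclosing attribute set starts and ends outside the hunk. Which lines are removed versus added is inferred from the hunk counts (28 old, 12 new) and the content of secrets/default.nix, as the +/- markers are lost on this page.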
@ -106,7 +106,7 @@
|
||||
|
||||
#networking.wireguard.interfaces."wg0".ips = [ "172.22.48.3/24" ]; # fyrkat
|
||||
|
||||
sops.secrets.flexget.sopsFile = ../../../secrets/${config.networking.hostName}.yaml;
|
||||
sops.secrets.flexget.sopsFile = ./secrets.yaml;
|
||||
|
||||
# TODO: remove? Move to where relevant?
|
||||
nixpkgs.overlays = [
|
||||
|
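--- /dev/null
+++ b/secrets/default.nix
@@ -0,0 +1,24 @@
+{ config, inputs ,... }:
+{
+imports = [
+inputs.sops-nix.nixosModules.sops
+];
+
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+sops.age.generateKey = true;
+
+sops.defaultSopsFile = ./common.yaml;
+#sops.defaultSopsFile = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) ./secrets/${hostname}.yaml;
+#sops.secrets = let # TODO: importYAML does not exist
+# file = ./secrets/${hostname}.yaml;
+# exists = builtins.pathExists file;
+# yaml = lib.removeAttrs (lib.importYAML file) ["sops"];
+# secrets = lib.attrNames yaml; # TODO: recurse
+#in
+# if !exists then {} else lib.mkMerge (lib.forEach secrets (secret:
+# lib.mkIf (config.sops.secrets ? secret) {
+# "${secret}".sopsFile = file;
+# }
+# ));
+}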
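Review bot: The commented-out block copied over from flake.nix no longer fits its new location: `./secrets/${hostname}.yaml` is now relative to secrets/default.nix, so it would resolve to `secrets/secrets/<hostname>.yaml`, and neither `hostname` nor `lib` is in this module's argument set `{ config, inputs ,... }`. Either drop the block or change its paths to `./${hostname}.yaml` and add `lib` to the arguments before anyone uncomments it; `config` is at present only referenced inside that comment. A one-line header would also help the next reader, e.g. `# sops-nix wiring shared by every host: host ssh key as age identity, common.yaml as the default secrets file`. The argument list spacing `{ config, inputs ,... }` reads better as `{ config, inputs, ... }`.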