move secrets to host folder

This commit is contained in:
Peder Bergebakken Sundt 2024-10-19 18:45:45 +02:00
parent a1034afb0f
commit 3af0c8a43f
6 changed files with 35 additions and 27 deletions


@ -20,7 +20,7 @@ keys: # https://github.com/getsops/sops/pull/1123
# https://github.com/getsops/sops#key-groups # https://github.com/getsops/sops#key-groups
creation_rules: creation_rules:
# global # global
- path_regex: secrets/default.yaml$ - path_regex: secrets/common.yaml$
key_groups: key_groups:
- age: - age:
- *user_pbsds_sopp - *user_pbsds_sopp
@ -54,7 +54,7 @@ creation_rules:
- *user_pbsds_nord - *user_pbsds_nord
- *user_pbsds_bjarte - *user_pbsds_bjarte
# sopp only # sopp only
- path_regex: secrets/sopp(/[^/]+)?\.yaml$ - path_regex: hosts/nixos/sopp/secrets.yaml
key_groups: key_groups:
- age: - age:
- *user_pbsds_sopp - *user_pbsds_sopp
@ -62,7 +62,7 @@ creation_rules:
- *user_pbsds_bjarte - *user_pbsds_bjarte
- *host_sopp - *host_sopp
# nox only # nox only
- path_regex: secrets/noximilien(/[^/]+)?\.yaml$ - path_regex: hosts/nixos/noximilien/secrets.yaml
key_groups: key_groups:
- age: - age:
- *user_pbsds_sopp - *user_pbsds_sopp
@ -70,7 +70,7 @@ creation_rules:
- *user_pbsds_bjarte - *user_pbsds_bjarte
- *host_nox - *host_nox
# bolle only # bolle only
- path_regex: secrets/bolle(/[^/]+)?\.yaml$ - path_regex: hosts/nixos/bolle/secrets.yaml
key_groups: key_groups:
- age: - age:
- *user_pbsds_sopp - *user_pbsds_sopp
@ -78,7 +78,7 @@ creation_rules:
- *user_pbsds_bjarte - *user_pbsds_bjarte
- *host_bolle - *host_bolle
# garp only # garp only
- path_regex: secrets/garp(/[^/]+)?\.yaml$ - path_regex: hosts/nixos/garp/secrets.yaml
key_groups: key_groups:
- age: - age:
- *user_pbsds_sopp - *user_pbsds_sopp
@ -86,7 +86,7 @@ creation_rules:
- *user_pbsds_bjarte - *user_pbsds_bjarte
- *host_garp - *host_garp
# eple only # eple only
- path_regex: secrets/eple(/[^/]+)?\.yaml$ - path_regex: hosts/nixos/eple/secrets.yaml
key_groups: key_groups:
- age: - age:
- *user_pbsds_sopp - *user_pbsds_sopp
@ -94,7 +94,7 @@ creation_rules:
- *user_pbsds_bjarte - *user_pbsds_bjarte
- *host_eple - *host_eple
# nord only # nord only
- path_regex: secrets/nord(/[^/]+)?\.yaml$ - path_regex: hosts/nixos/nord/secrets.yaml
key_groups: key_groups:
- age: - age:
- *user_pbsds_sopp - *user_pbsds_sopp
@ -102,7 +102,7 @@ creation_rules:
- *user_pbsds_bjarte - *user_pbsds_bjarte
- *host_nord - *host_nord
# bjarte only # bjarte only
- path_regex: secrets/bjarte(/[^/]+)?\.yaml$ - path_regex: hosts/nixos/bjarte/secrets.yaml
key_groups: key_groups:
- age: - age:
- *user_pbsds_sopp - *user_pbsds_sopp
@ -110,7 +110,7 @@ creation_rules:
- *user_pbsds_bjarte - *user_pbsds_bjarte
- *host_bjarte - *host_bjarte
# brumlebasse only # brumlebasse only
- path_regex: secrets/brumle(basse)?(/[^/]+)?\.yaml$ - path_regex: hosts/nixos/brumlebasse/secrets.yaml
key_groups: key_groups:
- age: - age:
- *user_pbsds_sopp - *user_pbsds_sopp
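Review bot: The rewritten host rules drop both the escaped dot and the `$` anchor that the old patterns had, so a value like `path_regex: hosts/nixos/brumlebasse/secrets.yaml` is an unanchored regex in which `.` matches any character; this applies to the sopp, noximilien, bolle, garp, eple, nord, bjarte and brumlebasse rules alike, and the new global rule `secrets/common.yaml$` has the same unescaped dot. As written, a stray file such as `secrets.yaml.bak` or `secrets_yaml` under a host directory would also be claimed by that host's rule and encrypted to its key group, since sops uses the first matching creation rule. Keeping the patterns exact costs two characters each, e.g. `- path_regex: hosts/nixos/brumlebasse/secrets\.yaml$` and `- path_regex: secrets/common\.yaml$`. The surrounding `creation_rules` list continues outside the shown hunks.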


@ -157,28 +157,12 @@
imports = let ifExists = p: if builtins.pathExists p then p else {}; in [ imports = let ifExists = p: if builtins.pathExists p then p else {}; in [
./base.nix ./base.nix
"${self}/hosts/nixos/${hostname}/configuration.nix" "${self}/hosts/nixos/${hostname}/configuration.nix"
inputs.sops-nix.nixosModules.sops ./secrets
inputs.home-manager.nixosModule inputs.home-manager.nixosModule
#inputs.nix-index-database.nixosModules.nix-index # TODO: fix? #inputs.nix-index-database.nixosModules.nix-index # TODO: fix?
] ++ modules ++ extra-modules; ] ++ modules ++ extra-modules;
#++ inputs.flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work #++ inputs.flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work
sops.defaultSopsFile = ./secrets/default.yaml;
#sops.defaultSopsFile = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) ./secrets/${hostname}.yaml;
#sops.secrets = let # TODO: importYAML does not exist
# file = ./secrets/${hostname}.yaml;
# exists = builtins.pathExists file;
# yaml = lib.removeAttrs (lib.importYAML file) ["sops"];
# secrets = lib.attrNames yaml; # TODO: recurse
#in
# if !exists then {} else lib.mkMerge (lib.forEach secrets (secret:
# lib.mkIf (config.sops.secrets ? secret) {
# "${secret}".sopsFile = file;
# }
# ));
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
home-manager.useGlobalPkgs = true; # go brrr, reuse overrides home-manager.useGlobalPkgs = true; # go brrr, reuse overrides
home-manager.extraSpecialArgs = { home-manager.extraSpecialArgs = {


@ -106,7 +106,7 @@
#networking.wireguard.interfaces."wg0".ips = [ "172.22.48.3/24" ]; # fyrkat #networking.wireguard.interfaces."wg0".ips = [ "172.22.48.3/24" ]; # fyrkat
sops.secrets.flexget.sopsFile = ../../../secrets/${config.networking.hostName}.yaml; sops.secrets.flexget.sopsFile = ./secrets.yaml;
# TODO: remove? Move to where relevant? # TODO: remove? Move to where relevant?
nixpkgs.overlays = [ nixpkgs.overlays = [

24
secrets/default.nix Normal file

@ -0,0 +1,24 @@
{ config, inputs ,... }:
{
imports = [
inputs.sops-nix.nixosModules.sops
];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
sops.defaultSopsFile = ./common.yaml;
#sops.defaultSopsFile = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) ./secrets/${hostname}.yaml;
#sops.secrets = let # TODO: importYAML does not exist
# file = ./secrets/${hostname}.yaml;
# exists = builtins.pathExists file;
# yaml = lib.removeAttrs (lib.importYAML file) ["sops"];
# secrets = lib.attrNames yaml; # TODO: recurse
#in
# if !exists then {} else lib.mkMerge (lib.forEach secrets (secret:
# lib.mkIf (config.sops.secrets ? secret) {
# "${secret}".sopsFile = file;
# }
# ));
}
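Review bot: The commented-out block carried into this new file still refers to `./secrets/${hostname}.yaml` and to `lib`, but this module only binds `{ config, inputs ,... }`, so neither `hostname` nor `lib` is in scope here, and after the move that relative path would now point at `secrets/secrets/…` rather than at the per-host `hosts/nixos/<host>/secrets.yaml` files this commit introduces; `config` is also bound but unused in the live code. Either drop the dead block or replace its header line with a comment that matches the new layout, e.g. `# TODO: per-host secrets now live in hosts/nixos/<host>/secrets.yaml; lib/hostname are not arguments of this module`. The argument set would also read more conventionally as `{ config, inputs, ... }:`. Whether `inputs` actually reaches this module presumably depends on the specialArgs set where `./secrets` is imported, which is not visible in this diff.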