sops

2025-11-18 21:51:54 +01:00
parent 8d32e1a377
commit 4198728c33
2 changed files with 30 additions and 8 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,11 +1,13 @@
 # sops updatekeys <fname>
 keys: # https://github.com/getsops/sops/pull/1123
  user_pbsds: &user_pbsds
+  # just sops-pubkey-user
  # test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
  - &user_pbsds_sopp   age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
  - &user_pbsds_nord   age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
  - &user_pbsds_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
  hosts: &hosts
+  # (remote-quick) just sops-pubkey-system
  # ssh $(remote-host) cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
  - &host_sopp   age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
  - &host_nox    age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
@@ -69,7 +71,7 @@ creation_rules:
      - *user_pbsds_nord
      - *user_pbsds_bjarte
  # sopp only
-  - path_regex: hosts/nixos/sopp/secrets.yaml
+  - path_regex: hosts/nixos/sopp/secrets.yaml$
    key_groups:
    - age:
      - *user_pbsds_sopp
@@ -77,7 +79,7 @@ creation_rules:
      - *user_pbsds_bjarte
      - *host_sopp
  # nox only
-  - path_regex: hosts/nixos/noximilien/secrets.yaml
+  - path_regex: hosts/nixos/noximilien/secrets.yaml$
    key_groups:
    - age:
      - *user_pbsds_sopp
@@ -85,7 +87,7 @@ creation_rules:
      - *user_pbsds_bjarte
      - *host_nox
  # bolle only
-  - path_regex: hosts/nixos/bolle/secrets.yaml
+  - path_regex: hosts/nixos/bolle/secrets.yaml$
    key_groups:
    - age:
      - *user_pbsds_sopp
@@ -93,7 +95,7 @@ creation_rules:
      - *user_pbsds_bjarte
      - *host_bolle
  # garp only
-  - path_regex: hosts/nixos/garp/secrets.yaml
+  - path_regex: hosts/nixos/garp/secrets.yaml$
    key_groups:
    - age:
      - *user_pbsds_sopp
@@ -101,7 +103,7 @@ creation_rules:
      - *user_pbsds_bjarte
      - *host_garp
  # eple only
-  - path_regex: hosts/nixos/eple/secrets.yaml
+  - path_regex: hosts/nixos/eple/secrets.yaml$
    key_groups:
    - age:
      - *user_pbsds_sopp
@@ -109,7 +111,7 @@ creation_rules:
      - *user_pbsds_bjarte
      - *host_eple
  # nord only
-  - path_regex: hosts/nixos/nord/secrets.yaml
+  - path_regex: hosts/nixos/nord/secrets.yaml$
    key_groups:
    - age:
      - *user_pbsds_sopp
@@ -117,7 +119,7 @@ creation_rules:
      - *user_pbsds_bjarte
      - *host_nord
  # bjarte only
-  - path_regex: hosts/nixos/bjarte/secrets.yaml
+  - path_regex: hosts/nixos/bjarte/secrets.yaml$
    key_groups:
    - age:
      - *user_pbsds_sopp
--- a/22
+++ b/22
@@ -325,6 +325,25 @@ motd:
    printf "%s\n" "There are $todos 'TODO's"
  fi

+sops-pubkey-user:
+  #!/usr/bin/env -S bash -euo pipefail
+  keyfile="${XDG_CONFIG_HOME:-"$HOME"/.config}"/sops/age/keys.txt
+  if [[ ! -s "$keyfile" ]]; then
+    gum confirm "Generate a new age key at $(hostname):$keyfile?" # otherwise error
+    (
+      set -x
+      mkdir -p "$(dirname "$keyfile")"
+      age-keygen -o "$keyfile" >/dev/null
+    )
+  fi
+  age-keygen -y "$keyfile"
+
+sops-pubkey-system:
+  #!/usr/bin/env -S bash -euo pipefail
+  ssh-to-age </etc/ssh/ssh_host_ed25519_key.pub
+
+# ===== helpers =====
+
@_a_remote_label:
  just remote-list | gum filter --placeholder "Pick a remote..." | cut -d' ' -f2

@@ -381,4 +400,5 @@ remote-mprocs *cmd:
@gorgon:
  # https://codeberg.org/gorgon/gorgon/src/branch/main/nix-web
  # https://discourse.nixos.org/t/a-web-ui-for-the-nix-store-early-beta/35762
-  nix run 'git+https://codeberg.org/gorgon/gorgon#nix-web'
+  # nix run 'git+https://codeberg.org/gorgon/gorgon#nix-web'
+  nix run nixpkgs#nix-web