From 4198728c332447c045ad6b54b99444e0fbd99021 Mon Sep 17 00:00:00 2001
From: Peder Bergebakken Sundt
Date: Tue, 18 Nov 2025 21:51:54 +0100
Subject: [PATCH] sops

---
 .sops.yaml | 16 +++++++++-------
 justfile | 22 +++++++++++++++++++++-
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 02a2239..fbcafa6 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,11 +1,13 @@
 # sops updatekeys
 keys:
 # https://github.com/getsops/sops/pull/1123
 user_pbsds: &user_pbsds
+ # just sops-pubkey-user # test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
 - &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
 - &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
 - &user_pbsds_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
 hosts: &hosts
+ # (remote-quick) just sops-pubkey-system # ssh $(remote-host) cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
 - &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
 - &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
@@ -69,7 +71,7 @@ creation_rules:
 - *user_pbsds_nord
 - *user_pbsds_bjarte
 # sopp only
- - path_regex: hosts/nixos/sopp/secrets.yaml
+ - path_regex: hosts/nixos/sopp/secrets.yaml$
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -77,7 +79,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_sopp
 # nox only
- - path_regex: hosts/nixos/noximilien/secrets.yaml
+ - path_regex: hosts/nixos/noximilien/secrets.yaml$
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -85,7 +87,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_nox
 # bolle only
- - path_regex: hosts/nixos/bolle/secrets.yaml
+ - path_regex: hosts/nixos/bolle/secrets.yaml$
 key_groups:
 - age:
 - *user_pbsds_sopp
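Review bot: The added `$` anchors only the end of the pattern; as far as I know sops evaluates `path_regex` as an unanchored Go regex search over the file path, so `hosts/nixos/sopp/secrets.yaml$` would still match a path such as `other/hosts/nixos/sopp/secrets.yaml`, and the unescaped `.` matches any character. Tightening it to `- path_regex: ^hosts/nixos/sopp/secrets\.yaml$` makes the rule match exactly one file; the same applies to the sibling rules in the hunks at old lines 77, 85, 93, 101, 109 and 117. Since sops appears to apply the first matching creation rule, it is also worth confirming that no broader rule above this hunk matches these paths first, which would route a per-host secrets file to a different key group without any error.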
@@ -93,7 +95,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_bolle
 # garp only
- - path_regex: hosts/nixos/garp/secrets.yaml
+ - path_regex: hosts/nixos/garp/secrets.yaml$
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -101,7 +103,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_garp
 # eple only
- - path_regex: hosts/nixos/eple/secrets.yaml
+ - path_regex: hosts/nixos/eple/secrets.yaml$
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -109,7 +111,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_eple
 # nord only
- - path_regex: hosts/nixos/nord/secrets.yaml
+ - path_regex: hosts/nixos/nord/secrets.yaml$
 key_groups:
 - age:
 - *user_pbsds_sopp
@@ -117,7 +119,7 @@ creation_rules:
 - *user_pbsds_bjarte
 - *host_nord
 # bjarte only
- - path_regex: hosts/nixos/bjarte/secrets.yaml
+ - path_regex: hosts/nixos/bjarte/secrets.yaml$
 key_groups:
 - age:
 - *user_pbsds_sopp
diff --git a/justfile b/justfile
index cf5aac2..220d792 100644
--- a/justfile
+++ b/justfile
@@ -325,6 +325,25 @@ motd:
 printf "%s\n" "There are $todos 'TODO's"
 fi
+sops-pubkey-user:
+ #!/usr/bin/env -S bash -euo pipefail
+ keyfile="${XDG_CONFIG_HOME:-"$HOME"/.config}"/sops/age/keys.txt
+ if [[ ! -s "$keyfile" ]]; then
+ gum confirm "Generate a new age key at $(hostname):$keyfile?" # otherwise error
+ (
+ set -x
+ mkdir -p "$(dirname "$keyfile")"
+ age-keygen -o "$keyfile" >/dev/null
+ )
+ fi
+ age-keygen -y "$keyfile"
+
+sops-pubkey-system:
+ #!/usr/bin/env -S bash -euo pipefail
+ ssh-to-age