feat(sops): manage atuin config and key

sbulav · Nov 2, 2024 · 9b0d937 · 9b0d937
1 parent d9c96bb
commit 9b0d937
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 18 deletions.
diff --git a/nix/.sops.yaml b/nix/.sops.yaml
@@ -2,6 +2,7 @@ keys:
   - &sab_nz age1p9ee76x0dlr7tm6v93r64p9ys5tqt9slhg6vyrn76qydh53gwuhsya0zsq
   - &sab_mbp16 age18rax0jv4pj2yuegt7e5ea2wzu486mz9nl3vhsa09y45lzw8cj58stfdd6d
   - &host_mbp16 age17tnup59gy7jvj65la8nud0y6ukf57w0mueh3e4hxx5npwsa5x44sv765ru
+  - &host_nz age1ranl5gsq43t0z22s28zdhvfzrvqqpmwqcjc3h6latfa4rrruxpps34vgqj
 creation_rules:
   - path_regex: secrets/sab/[^/]+\.(yaml|json|env|ini)$
     key_groups:
@@ -24,6 +25,8 @@ creation_rules:
       - age:
           - *sab_mbp16
           - *host_mbp16
-          # - *user_khanelinix_khaneliman
-          # - *user_CORE_nixos
-          # - *user_khanelimac_khaneliman
+  - path_regex: secrets/nz/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *sab_nz
+          - *host_nz
diff --git a/nix/modules/home/cli-apps/atuin/default.nix b/nix/modules/home/cli-apps/atuin/default.nix
@@ -1,11 +1,11 @@
 {
   lib,
   config,
-  pkgs,
+  namespace,
+  osConfig,
   ...
 }: let
   inherit (lib) mkEnableOption mkIf;
-  inherit (lib.custom) enabled;
 
   cfg = config.custom.cli-apps.atuin;
 in {
@@ -20,6 +20,33 @@ in {
       enableBashIntegration = true;
       enableFishIntegration = true;
       enableZshIntegration = true;
+      settings = {
+        auto_sync = true;
+        #FIXME:(atuin) move to private server
+        sync_address = "https://api.atuin.sh";
+        sync_frequency = "30m";
+        update_check = false;
+        filter_mode = "global";
+        invert = false;
+        #TODO:(atuin) disable when comfortable
+        show_help = true;
+        sops.secrets = lib.mkIf osConfig.${namespace}.security.sops.enable {
+          key_path = config.sops.secrets.atuin_key.path;
+        };
+
+        # This came from https://github.com/nifoc/dotfiles/blob/ce5f9e935db1524d008f97e04c50cfdb41317766/home/programs/atuin.nix#L2
+        history_filter = [
+          "^base64decode"
+          "^instagram-dl"
+          "^mp4concat"
+        ];
+      };
+    };
+
+    sops.secrets = lib.mkIf osConfig.${namespace}.security.sops.enable {
+      atuin_key = {
+        sopsFile = lib.snowfall.fs.get-file "secrets/sab/default.yaml";
+      };
     };
   };
 }
diff --git a/nix/modules/home/security/sops/default.nix b/nix/modules/home/security/sops/default.nix
@@ -37,16 +37,17 @@ in {
         sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"] ++ cfg.sshKeyPaths;
       };
 
-      secrets = {
-        c11-kubeconfig = {
-          sopsFile = lib.snowfall.fs.get-file "secrets/mbp16@sab/default.yaml";
-          path = "${config.home.homeDirectory}/c11-test.yaml";
-        };
-        exa_mbp16 = {
-          sopsFile = lib.snowfall.fs.get-file "secrets/mbp16@sab/default.yaml";
-          path = "${config.home.homeDirectory}/exa-test.yaml";
-        };
-      };
+      # Example secrets
+      # secrets = {
+      #   c11-kubeconfig = {
+      #     sopsFile = lib.snowfall.fs.get-file "secrets/mbp16@sab/default.yaml";
+      #     path = "${config.home.homeDirectory}/c11-test.yaml";
+      #   };
+      #   exa_mbp16 = {
+      #     sopsFile = lib.snowfall.fs.get-file "secrets/mbp16@sab/default.yaml";
+      #     path = "${config.home.homeDirectory}/exa-test.yaml";
+      #   };
+      # };
 
       # secrets = {
       #   nix = {

diff --git a/nix/modules/nixos/system/security/sops/default.nix b/nix/modules/nixos/system/security/sops/default.nix
@@ -27,7 +27,7 @@ in {
 
     sops.secrets = {
       "nz_sab_ssh_key" = {
-        sopsFile = lib.snowfall.fs.get-file "secrets/nz@sab/default.yaml";
+        sopsFile = lib.snowfall.fs.get-file "secrets/sab/default.yaml";
       };
     };
   };

diff --git a/nix/secrets/nz/default.yaml b/nix/secrets/nz/default.yaml
@@ -0,0 +1,30 @@
+nz: ENC[AES256_GCM,data:QqEqbfUGLXGEQ7eTVA==,iv:QHxCTnHx40VP0HhO6kNV1rbtZw+RIGgqG2B3yLjX+yE=,tag:WZnwNXuiNGEUyBqymSmgMA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1p9ee76x0dlr7tm6v93r64p9ys5tqt9slhg6vyrn76qydh53gwuhsya0zsq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBITHNGWUMxdDZYS3BtL3Ez
+            U2FtSVpDSjVaZWJZaDBYZGxLMkNYRWwvc2prCkpCUThqWVRyMElGbHQwQ1hyZGJ2
+            VEttT094OG04Y3ZaU1VLRmR3eEtoWVEKLS0tIGlyRFp3SjRIaHFJOGlzaXAxZ0V2
+            TUx5U3l1Z1BwMlk4anpzVzVzdDQrZVkK2gKc7E/YKaI91t/iZSVDBeIFn37XnWId
+            hFhDtNoFnSJvt00muITLcS7K5XlMu3ipoi474wooCXRJXa7ZjaktLg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ranl5gsq43t0z22s28zdhvfzrvqqpmwqcjc3h6latfa4rrruxpps34vgqj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyakVGbUllNWZuTDZoTDhp
+            cFJ2bzlsRW1KTzVvdVdKY0lHc21lbzc3MTJvCmhVUkNoY1NNaEtwSTN1cG9Ia0dB
+            UVltd2w4UHpJVWpzZGkwV2hGRWdicG8KLS0tIDd6OU4rYzFlV3lJR1RiQlZETnd4
+            VjZFbU11SEpEdU04STBRNWlYdFQzdXMKiP+drST+u6ibahDzPesdV+mRO4z3SXY8
+            ubX7wFMv6+hfxvnfkWA7izk9klIp5EfhvgfDNAGusZDgcb26IAEETg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-02T06:54:55Z"
+    mac: ENC[AES256_GCM,data:dNHMYF3GnsJOq1/IkgYeeawCG5GoudRW68MLkQfk1N27IyGG3XDtPi6QvhRcdgQXCvNjdUAj4o6hkT5AYYtHmjjy3Ogo3TtttIg1BWllk5ZR0bUVT1/57w519i9G3fr9q6XCTT442OQmQsGDPNiJmUaaOLsqqBCTn+CeFENulMY=,iv:Gv03Ybztpf4k8b/evkJDx+SDicS5rw4+O2NPbL4cKlQ=,tag:Y1Y3kojptrorLdUYSs+UoQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
diff --git a/nix/secrets/sab/default.yaml b/nix/secrets/sab/default.yaml
@@ -1,5 +1,6 @@
 example_key: ENC[AES256_GCM,data:db4wLhDMLwk7qrMdX24=,iv:tL8H78oNaQibOxiEBZpvVVJs58sgtApWrBdvyAEbMXs=,tag:u9/CJLZH5JvLVbXp1W5l2g==,type:str]
 nz_sab_ssh_key: ENC[AES256_GCM,data:avcGPKW3n3vI5KGYJB1jxuxMpA236L4UyXWl9JYlA4Y2cMAvqiyx4aWXKADEJIWwOvKZ5xR/kHB81MX3q2eK/pS39Y7u51QLR6VqBmCSUKfNKeakDwqANQsGza6axyJtSIqQKGVhWXw4uQjlz56KWjMM6BMaGDxfX5nb0AQBB0vVPoDwTQPuFv5IRv+hcls0vkjNrEFjSHLDjtXyHnOYxSFxuz2euLJhwe8BuSZjH8dHWd25TYnLFmC9ADt+QGjFEg2xAYUe47WS0wqVEOw5u19/X2Lep0tzyC/KOPVV4mfpnrL2XfHZMJmkqKVHFemksmGhOA6BE7tqOsazODxXjHenP/WsTBiMCCt33XFRsy8czUZx2awSkupNUQJMcXCxF8Ma93MEmWjtC+PbhwgUH46LCYr4TDjICtaDEmhPBGb+TJXVlKE7rbcjdUSJlp7ssV3n9VHt2470zVdczier1NScQWZ1QMmLOCAlieZOd+CRLYjbbVhWo6SMomavnsfCLowB46ddt16l/QgOHjWc04TpmVh/HSvF1lo=,iv:Ld8A1kf+K6hlOSawnjSw4yrYvKRB7X+nYh40Gmk4u9A=,tag:wBVb0axy58EU+RkdgqNj+Q==,type:str]
+atuin_key: ENC[AES256_GCM,data:tG7Nj9virYKiPuCnRotex2o/gW6Z0MhOPaSQ6bpehjOr40S4fmUMEjkhlb7K0D/kTO1Ktm5PgkIMnfcYgoHPVg==,iv:pNvTMM2U421tyjrZqAL7uPtGddeALPWhSYlI+XibtGs=,tag:+jFmITYcfP6SJ8ClFy5xhg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -24,8 +25,8 @@ sops:
             VXRBZDl2QjhXNnFkRzVrL0JsajhkWkUKRiEBV+qHZO48XE8Ko7+7jgznaD6q9GTP
             LPNdGnNxAB5BrByfgRIq0deaU+C7M6zbqK1lj2FN/ZuNWhsYqpttKA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-01T13:31:00Z"
-    mac: ENC[AES256_GCM,data:SsoE3MXXj5tA3mO83Wsg+gW2H13Jt1Ei+W/p0Th5w3CpJITh/pW7qkLs5JHVaCkTUoFbgs2Foldrrtn30dPIEtaTeJI7AymAjkTaZ4y1PAB3Rl15si+60+97bP+xcWOdDzfthwW7Bz0AEF2b8TQiGB/jvP0cw9/vNRYu62mcnxs=,iv:PVMshjS4XHh8xLLb5slZBAyvG2bRVHDmQY6pJ3UxApA=,tag:PUchIyVS8P6jcsJ0BnRNpw==,type:str]
+    lastmodified: "2024-11-02T07:39:07Z"
+    mac: ENC[AES256_GCM,data:Wz6ZaiJ/JZ9lJpfeL+/7fz7g3QMqE0BSN3dg97Ay/4TORcYXfLgd/b7S9DkOcrquROcUrTn+Bqv9k9VnBiDYsui5bqnThvLsnB55qd5SHuZDU3ByUXge1pJFv4as1QS6WQQAEZ2IY7Sp8qasEiPSSmf+DXK6o8EsZrkL0ltEWsY=,iv:fUUgIJ+rN+yEkoSJ6ZD7ONQFnWToCjvMWY9YKIP1M2E=,tag:3joTkRUOeK5s54zxIusw2Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1