feat(sops): working sops!

sbulav · sbulav · commit eac461d53742 · 2024-11-01T12:21:48.000+03:00
diff --git a/nix/.sops.yaml b/nix/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+  - &sab age1p9ee76x0dlr7tm6v93r64p9ys5tqt9slhg6vyrn76qydh53gwuhsya0zsq
+creation_rules:
+  - path_regex: secrets/sab/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *sab
+  - path_regex: secrets/nz/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *sab
+          # - *user_khanelinix_khaneliman
+          # - *user_CORE_nixos
+          # - *user_khanelimac_khaneliman
diff --git a/nix/flake.lock b/nix/flake.lock
diff --git a/nix/flake.nix b/nix/flake.nix
@@ -52,11 +52,11 @@
       inputs.nixpkgs.follows = "stable";
     };
 
-    sops-nix-darwin = {
-      # url = "github:Mic92/sops-nix/nix-darwin";
-      url = "github:khaneliman/sops-nix/nix-darwin";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
+    # sops-nix-darwin = {
+    #   url = "github:Mic92/sops-nix/nix-darwin";
+    #   # url = "github:khaneliman/sops-nix/nix-darwin";
+    #   inputs.nixpkgs.follows = "nixpkgs";
+    # };
   };
 
   outputs = inputs: let
diff --git a/nix/modules/nixos/system/security/sops/default.nix b/nix/modules/nixos/system/security/sops/default.nix
@@ -25,10 +25,10 @@ in {
       };
     };
 
-    # sops.secrets = {
-    #   "khanelinix_khaneliman_ssh_key" = {
-    #     sopsFile = lib.snowfall.fs.get-file "secrets/khanelinix/khaneliman/default.yaml";
-    #   };
-    # };
+    sops.secrets = {
+      "nz_sab_ssh_key" = {
+        sopsFile = lib.snowfall.fs.get-file "secrets/sab/default.yaml";
+      };
+    };
   };
 }
diff --git a/nix/secrets/nz/default.yaml b/nix/secrets/nz/default.yaml
@@ -1,5 +1,30 @@
+hello: ENC[AES256_GCM,data:l9Vv9CED0oX5KgupqKJfL6g+qJ7u4lOLwBkAmIE8r/C1F8FQlHf8adROBRt4BA==,iv:Vh6yQ0oBIHoZhzm9R49n3DFl8NSbTpnSY5gb3hIIjI4=,tag:Fsc9HRFSFfZVbf2eM+G0Yw==,type:str]
+example_key: ENC[AES256_GCM,data:hL1/mneX0HvwPmt9iA==,iv:0s64w2qqYAHThEf8tkXg4MNb4J+G6tmWJ6jZk3MYhak=,tag:nhiFZgHlavoyTBv5zvr9kw==,type:str]
+#ENC[AES256_GCM,data:QyOSMWEe5DSgLlLV0AVGOA==,iv:VHRR+NmC8Z8E+6fp298qRBB9SQQfWnRQ9YoeBnkeEHQ=,tag:QqyvpgO9OUsX8V/AYSCrcQ==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:TemOdnjWpyCTLNwvTig=,iv:uNxyrQnl2JyKIUiCL3KOvw/wz7/7VAMZMl5+Qj4wf1o=,tag:DhbG3msW2OQ7Tzih9drIAA==,type:str]
+    - ENC[AES256_GCM,data:Ns4h8fKbyqI67IGUnao=,iv:nkbJH0DE+8+r4hfyTdOfGtaKxx0EKfzIRFEkDuMAX1o=,tag:mpj6r21loXstTN3u324VNw==,type:str]
+example_number: ENC[AES256_GCM,data:BCURUDVfvjNo8Q==,iv:PmyGDxlkBl4O3unuS/pkxMtN+MHuaW+QWr/PoBmoPaw=,tag:ZydHPidZJEIzYp6H5s/44w==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:yGu9cw==,iv:gwszOZtXznKidOhgAQJObfAYdR35grrp/sONdQBvsw8=,tag:4iNKmgn0Kv2bJUF3XSh1wA==,type:bool]
+    - ENC[AES256_GCM,data:yoO41aI=,iv:sZu3cllZDgHnN6wZFb4NdPzNGQjHr0QCR5Ci0FydSKQ=,tag:KbPiK9R+dH6WcoLngPa6cQ==,type:bool]
 sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1p9ee76x0dlr7tm6v93r64p9ys5tqt9slhg6vyrn76qydh53gwuhsya0zsq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UCtMM3E4T1pFb3JiQlRC
+            NjV4TVJXZVRlYlArVWJKUlhhY0o4cUk5cjI0CmhZOGMrTWtDVUhUR3pqTmNYLzVk
+            UDRiTlB1dXc5SGIxYStERlpZdGk1akkKLS0tIFdvaEs5MkRKSmVxV1RQcmdGQTdl
+            eUxGcmNBOEtSOGNzc1NPaG53eVB5cHcKN+1WmR1at8sRAGm+oKjQrvFln9B4pK2r
+            IuhygZXTtV9S/MI5FyCKYG6Jr6d4buki0rCHpdxBdEh8pn5RG9qy2Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-01T09:16:14Z"
+    mac: ENC[AES256_GCM,data:Q7IN+zb+QgLJeHIzVJ62RtXXeJjxh9Wq7YtW7S4pZaEnQlKi5L38e/5v/sOPz6ewP1YzUPMleLkL5+esRxmXRJMx0G00TzoJlA83IEOx7qOdq1a5nOBMIM6LJratkBNPBDWFS9qqISlPxuq5gf4xI1oM6F0UbluKSacXWmsH2SA=,iv:Dba1u8LSCSCIl6vG4OVqwEBt+MdoACQNcdLQRepiRUM=,tag:ke8bcNCEVoWGFgk9B4RAzQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
diff --git a/nix/secrets/sab/default.yaml b/nix/secrets/sab/default.yaml
@@ -1,6 +1,22 @@
-nix: []
+example_key: ENC[AES256_GCM,data:9C9ZAbnOKbk0TUwu+Q==,iv:3BSxKb7O/Vtbrm0Es1ddhHVkJDMrdasMOt1k/s95iEc=,tag:0E8E4ecmwDClRIrTe1G5hQ==,type:str]
+nz_sab_ssh_key: ENC[AES256_GCM,data:IpR02GJ0vRn6tRbkgr+AE0knCDNSMJDXMtqNn8NAl/wLHppl0ys5zcSh9QTOgg3PjmMA298MR5cIIC7GcwGDMNJ4Z5BsjHwGN2d5ZfuSg7XMKKw/rqgaa7xaVAP7nGov8bQ7mWg9qskqn8zDp1gTwddtToTa7FubZde3PdQh8d2tfght69R6SqZg8FJQtW1y81Y6+SLYtMRBydPwrGL1ElTOFPBOzYURfNBapcx6XzSs1eEEdItWRBHWKDU4xDiT2dRkZgduCMABjvs7FvXuViFqVpWRmF0NnjmwPxV9o46nyrvj3Ch6rj2F9cm+VePRhHmy51UYxw/VGofqJ/j2CYaVKOXznWPKlf5ZFyoYF9LZ+pMlqu9n9MQ5csq2pH8vFbMmlWSdHl1dNjjWV5mS17lj5zShdx2JpudjxHaazCiuCZU2A2qw+nt/D+4a4RSZURcUsjgTWgr+RMbwBOnIaxagWYuuv28XLOUNgUm7O7GADnxFZwxuGiV6uTak/F0BXj6Xn/Z1ST0+jAeSj1ro+IgEnmjR8QRukaM=,iv:Ld8A1kf+K6hlOSawnjSw4yrYvKRB7X+nYh40Gmk4u9A=,tag:unc7gq31gx2HadNRK36Vzg==,type:str]
 sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1p9ee76x0dlr7tm6v93r64p9ys5tqt9slhg6vyrn76qydh53gwuhsya0zsq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBveUJlTWk3UlhSNXoyRDVY
+            TG81Q1d4MHZEUDNwdnNKM2ptZjk4OUJVNzJvCjVBZWVRQ21yQXJwWjgwdEs2NGZl
+            aVcxWnRsaUpWc2twR0g1MHNsc1FqaGcKLS0tIHA0Z2p2UGVxT0V4UVJmL1JaSHJ5
+            NFJZYUFVWjhWNmZDWnhZSUVBOFhRVTQKIVocxesO36l7nvq1+PdAKMBNZofHisAU
+            QcLYEN8VEenzQ0z++ToqCAU30js7Qxal5+Jkzf7ty2ErRV0jZC7yjw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-01T09:19:36Z"
+    mac: ENC[AES256_GCM,data:bscVMQXneHdB827zze644kL/aH1Z2C7M7aNFczOPitNrcrq+aa9+a40RUwtnr79rpBX+o1kcCYAzhTI4Ul0EKS3UaXaUK1fRIEU/0ZrQVE2mBFDuVhfbKKqJtdvoh0KK9ZfUMcK7W4lhqIdaQNhmmb/bTVHlE0SdkfQyY3W8WqY=,iv:ceKovQWV2W62XlokiBmgM6sneE2iNjmWKmN6sJfc1tk=,tag:cfvl6IWHSwF0STJI+H4GBA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
