waffentrager: add secrets

2024-03-21 19:30:54 +01:00 · 2024-03-21 19:30:54 +01:00 · 15cf859638
parent 114c2e93be
commit 15cf859638
4 changed files with 63 additions and 0 deletions
--- a/configurations/host/waffentrager/configuration.nix
+++ b/configurations/host/waffentrager/configuration.nix
@ -26,6 +26,7 @@
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEDY+H8Hc/RSLE064AAh8IojvqxPd8BE5gec2aOfYMh materus@podkos.pl"
    ];
    hashedPasswordFile = config.sops.secrets."users/materus".path;
  };
  nix = {
--- a/configurations/host/waffentrager/secrets/default.nix
+++ b/configurations/host/waffentrager/secrets/default.nix
@ -0,0 +1,27 @@
 { config, pkgs, lib, materusCfg, ... }:
 {
  imports =
    [
    ] ++ (if (materusCfg.materusFlake.decrypted) then [ ./private ] else [ ]);
  sops.age.generateKey = false;
  sops.gnupg.home = null;
  sops.gnupg.sshKeyPaths = [ ];
  sops.defaultSopsFile = materusCfg.hostPath + "/secrets/secrets.yaml";
  services.openssh.hostKeys = [
    {
      bits = 4096;
      path = "/materus/root/ssh_host_rsa_key";
      type = "rsa";
    }
    {
      path = "/materus/root/ssh_host_ed25519_key";
      type = "ed25519";
    }
  ];
  sops.secrets.wireguard = { };
  sops.secrets."users/materus" = { neededForUsers = true; };
 }
--- a/configurations/host/waffentrager/secrets/private/default.nix
+++ b/configurations/host/waffentrager/secrets/private/default.nix
--- a/configurations/host/waffentrager/secrets/secrets.yaml
+++ b/configurations/host/waffentrager/secrets/secrets.yaml
@ -0,0 +1,35 @@
 wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str]
 users:
    materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1j34lqh0z6ak2c94n564wgyjeykn9srma34f5e5e7xvf498fwk3rqxvwx0l
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvejRrcGVwZHNkTVB5dkYr
            RnhVVjNEblFVd0xXSStqdjFhWVVNS3ljUTNZCnBFVmRRVVVENGhJUVg2L1lSM1NO
            dkQydVhOaFVxd0p0aFhVcmp6eXdGeVEKLS0tIFIvRDlvZDdsbm1USEZUZ3FYMmla
            eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
            ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-03-21T18:19:14Z"
    mac: ENC[AES256_GCM,data:W+DPXTyAZCMawijkbvNNe6UItS4ZVHY4qZ7hDOGkaMlziu9+e1awkvgmqg7H7gM0DgoAz17UE4uVIGB9Y/fnSc80Rk9sPZoNP8wnTwqzujmCyYIroi570aNQuNc6riTgaNcrSEefkzoATRUJvjbv63m+Sp5Vbl1kXepD3qaDDAU=,iv:HLOBwzemB8kqAE2DLoWeIIUUmp9i913bTG0onNdHAWY=,tag:cW0gP2TlUPY42NkWiWqICg==,type:str]
    pgp:
        - created_at: "2024-03-21T18:15:00Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4D5fSX77p80GYSAQdAWetrf0jhs/b9qcQc4b21+PJUPdSjk372BjokfwJ2oXQw
            4LaIaNB3LRmY4FF3UOqk28NwkwBw6n0AzYKC/k1G4ntaNBMI9eDtFJ1c1+KkxSl2
            1GYBCQIQMCKcu2aBEMiIGOyG08vcRW2T23DUAfTQqQdRKD/SgSTqAZLSICVJ91xU
            TBsdiPBKO2cRDfPc7DlVLbPNe/SUqVUX9N4GTGPUocXc1s6lvgx3NBP5cGoSNx+A
            xCmXl373IDc=
            =uSyc
            -----END PGP MESSAGE-----
          fp: 28D140BCA60B4FD1
    unencrypted_suffix: _unencrypted
    version: 3.8.1