Compare commits
2 commits
5366a47e77
...
22ced0b1e3
| Author | SHA1 | Date | |
|---|---|---|---|
| 22ced0b1e3 | |||
| 281ca7ed03 |
3 changed files with 35 additions and 8 deletions
|
|
@ -1,8 +1,9 @@
|
||||||
# XXX: missing: macbook, thinknix?, at some point mobile
|
# XXX: missing: macbook, thinknix?, at some point mobile
|
||||||
keys:
|
keys:
|
||||||
- &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
|
- &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
|
||||||
|
- &workmac age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x #workmac
|
||||||
# Generate AGE keys from SSH keys with:
|
# Generate AGE keys from SSH keys with:
|
||||||
# nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
|
# nix-shell -p ssh-to-age --run 'ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
|
||||||
- &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
|
- &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
|
# per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
|
||||||
|
|
@ -15,5 +16,6 @@ creation_rules:
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *admins
|
- *admins
|
||||||
|
- *workmac
|
||||||
- *machine_framenix
|
- *machine_framenix
|
||||||
|
|
||||||
|
|
|
||||||
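Review bot: Adding `*workmac` to the `key_groups` in the second hunk changes the recipient policy only for future encryptions; every file already encrypted under this rule still carries only the previous recipients and has to be re-keyed (`sops updatekeys <file>`) before the workmac key can decrypt it, and none of the three changed files in this compare is a re-encrypted secrets file. That may have been done out of band, but it belongs in the commit message. Judging by the other two files here, the private half of `&workmac` lives in a keys.txt under a user's home directory rather than in a root-only host key, so every secret governed by this rule is now decryptable from that laptop account; the `#workmac` trailer could say so, e.g. `#workmac (user-level age key, not a host key)`. The `# XXX: missing: macbook, thinknix?, at some point mobile` comment in the first hunk still lists the macbook as missing; if workmac is that machine, update it to `# XXX: missing: thinknix?, at some point mobile`.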
|
|
@ -6,7 +6,7 @@
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
sops = {
|
sops = {
|
||||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
|
||||||
defaultSopsFile = lib.mkDefault ./secrets.yaml;
|
defaultSopsFile = lib.mkDefault ./secrets.yaml;
|
||||||
defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
|
defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
|
||||||
};
|
};
|
||||||
|
|
|
||||||
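Review bot: The replacement line hard-codes one account's home, `/Users/os/Library/Application Support/sops/age/keys.txt`, so the module silently has no decryption key on any host where the user is not `os`, and it diverges from the home-manager module in this same compare, which derives the identical path from `config.home.username`. The change also moves host-level decryption from the root-only `/etc/ssh/ssh_host_ed25519_key` to a file owned by an unprivileged user: anyone who can read that file can decrypt every secret this host holds, which makes that account as trusted as root. If that is the intended model for darwin, say so next to the new line, e.g. `# darwin: no sshd host key available, so host secrets are decrypted with the user's age key; that account is effectively root-equivalent for secrets`, and take the username from one place shared with the home module instead of a literal. The enclosing `sops = { ... }` attrset is inside the hunk, but the module header and the rest of the file are not.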
|
|
@ -1,7 +1,32 @@
|
||||||
{ inputs, ... }:
|
|
||||||
{
|
{
|
||||||
sops = {
|
inputs,
|
||||||
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
|
config,
|
||||||
# deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
|
lib,
|
||||||
};
|
pkgs,
|
||||||
}
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
homeKeys =
|
||||||
|
if pkgs.stdenv.isDarwin then
|
||||||
|
"/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
|
||||||
|
else
|
||||||
|
"/home/${config.home.username}/.config/sops/age/keys.txt";
|
||||||
|
in
|
||||||
|
lib.mkMerge [
|
||||||
|
{
|
||||||
|
home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
|
||||||
|
sops = {
|
||||||
|
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
|
||||||
|
# deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
|
||||||
|
};
|
||||||
|
}
|
||||||
|
# linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
|
||||||
|
(lib.mkIf pkgs.stdenv.isLinux {
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
})
|
||||||
|
|
||||||
|
# darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
|
||||||
|
(lib.mkIf pkgs.stdenv.isDarwin {
|
||||||
|
sops.age.keyFile = homeKeys;
|
||||||
|
})
|
||||||
|
]
|
||||||
|
|
|
||||||
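Review bot: `sops.age.keyFile` is defined twice on darwin at the same priority — as `"/home/user/.age-key.txt"` in the unconditional block and as `homeKeys` in the `lib.mkIf pkgs.stdenv.isDarwin` block — so `lib.mkMerge` should fail with conflicting definitions rather than prefer the darwin value (unless sops-nix declares the option with a merging type, which I would not expect for a path). On Linux the computed `homeKeys` is used only for `home.ensureDirs`, while decryption still reads the hard-coded `/home/user/.age-key.txt`, so the directory created with mode `0700` is not the one the key actually lives in. Defining the key once in the unconditional block, `age.keyFile = homeKeys; # must have no password!`, and dropping the darwin `mkIf` block resolves both. The Linux branch reads `/etc/ssh/ssh_host_ed25519_key` during user-level home-manager activation; that file is normally readable by root only, so either decryption fails for the user or the host key's permissions were relaxed, and the `# linux machines:` comment should state which of the two is assumed. `decrpytion` in the darwin comment is a typo.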