🔒️ setting up sops-nix

2021-11-13 21:54:02 -05:00 · 2021-11-13 21:54:02 -05:00 · 91b3d32222
commit 91b3d32222
parent 459cd7392c
4 changed files with 58 additions and 2 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,9 @@
+keys:
+  - &walkah age16yv7atd8n880ja98pksqqvunu2yw00660lkh4n0sg39j5vt3dujshyu95j
+  - &plato age12m47c7xvqttncps0e79pwamzqa4nmnxekwumtwcv5ju6q74fufaqp9d0xh
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *walkah
+      - *plato
--- a/nix/sources.json
+++ b/nix/sources.json
@ -34,5 +34,17 @@
        "type": "tarball",
        "url": "https://github.com/NixOS/nixpkgs/archive/d14ae62671fd4eaec57427da1e50f91d6a5f9605.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "sops-nix": {
+        "branch": "master",
+        "description": "Atomic secret provisioning for NixOS based on sops",
+        "homepage": "",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "a8cbd0c796e4678f0fd2e59f274e49705ee523ed",
+        "sha256": "1rqwrhc8fcaf1c8d0h9mirpznnypg8afnrzsya4r4lvvifz16kgi",
+        "type": "tarball",
+        "url": "https://github.com/Mic92/sops-nix/archive/a8cbd0c796e4678f0fd2e59f274e49705ee523ed.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    }
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,30 @@
+testing: ENC[AES256_GCM,data:L7u7KRH74FPLtYi/,iv:yloHuSqAbxz95L3Bpye8VRJFR87dVGMkArTBj5GFVtA=,tag:pKbC5EsdBM4zqrUwzb0abA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16yv7atd8n880ja98pksqqvunu2yw00660lkh4n0sg39j5vt3dujshyu95j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMW9GbTVQWjdOaUVJNjJH
+            VUhsSGxLb1NlU2NXTjRqYklLUlYxRnpkbm44CjRZU2lNTTlERmFHYTRoL0dRWjRq
+            QUhkYjBsK2NyWDMzL004aDZBMGJrNjgKLS0tIFNHbEl2ejZJK0tGeEcyRTk3TU9S
+            MmFZc29kdEFlL202emU3cUhwMytUeXMK429JtnxnZfDl8Op2NSz40xUXKO2XWICY
+            I0Z2xOATxOq9N1MvNbD6HheT8ngUtu/LQJXcsDIHk0MkzBJRe8u79A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12m47c7xvqttncps0e79pwamzqa4nmnxekwumtwcv5ju6q74fufaqp9d0xh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNklPdm52OHVzL0cxOHRI
+            cVdFcW0zL0RuYXJJbzlTZjI0dkxoQThjVG5zCldCLzE3cGF0ZGJTZ0dBajFaMktr
+            ZDA3WHFaQzJONmlUSXBrNzY5MHJTT1EKLS0tIHczU2JVc2RhVmc1Y01NOWZHclly
+            QXJkUkFMS1ZCcXl1ZCsvUmdqeVVvc0EK9xP+VkSN61gLwMwwlOFCpLsfL6Jzk7CB
+            5LfW5lsyWCMqnw00W52h177kHZdf/nLmnoLDz2jZ7hPXiDpS7G9MrA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-11-12T04:16:10Z"
+    mac: ENC[AES256_GCM,data:o4Pbvl/ry70zqKZnQ95I0zff/8Vzz1g+5i5PrrClmAlrq4OKiXKhmAyriMSknYzcBA4JnHqjfyHWzB7VpIPCAfiT5jmSjQgMaixVkFvtjDKNtuVXP9ECSY1sb3EeKBnlkR4Ev9aodkoJGxeaiTChadadkG09M6pjSwwyn6r1yNM=,iv:6GjWlgSHRDqwqeAI2J8IgGFo7/cTwKLcxz2h8tj+iYY=,tag:T3W+cvDk0t3G/c/mkcqoyw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
--- a/shell.nix
+++ b/shell.nix
@ -1,9 +1,14 @@
 let
  sources = import ./nix/sources.nix;
  pkgs = import sources.nixpkgs { };
-in pkgs.mkShell {
+in
+pkgs.mkShell {
  name = "athens";
-  buildInputs = [ pkgs.morph ];
+  buildInputs = [
+    pkgs.age
+    pkgs.morph
+    pkgs.sops
+  ];

  shellHook = ''
    export NIX_PATH="nixpkgs=${sources.nixpkgs}:home-manager=${sources.home-manager}:."