From 91b3d32222404c76cc473162b2ded8ad9fa75fba Mon Sep 17 00:00:00 2001
From: James Walker
Date: Sat, 13 Nov 2021 21:54:02 -0500
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20setting=20up=20sops-nix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .sops.yaml | 9 +++++++++
 nix/sources.json | 12 ++++++++++++
 secrets/secrets.yaml | 30 ++++++++++++++++++++++++++++++
 shell.nix | 9 +++++++--
 4 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..5ae16b1
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &walkah age16yv7atd8n880ja98pksqqvunu2yw00660lkh4n0sg39j5vt3dujshyu95j
+ - &plato age12m47c7xvqttncps0e79pwamzqa4nmnxekwumtwcv5ju6q74fufaqp9d0xh
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *walkah
+ - *plato
\ No newline at end of file
diff --git a/nix/sources.json b/nix/sources.json
index fc2144c..b93812e 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -34,5 +34,17 @@
 "type": "tarball",
 "url": "https://github.com/NixOS/nixpkgs/archive/d14ae62671fd4eaec57427da1e50f91d6a5f9605.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "sops-nix": {
+ "branch": "master",
+ "description": "Atomic secret provisioning for NixOS based on sops",
+ "homepage": "",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "a8cbd0c796e4678f0fd2e59f274e49705ee523ed",
+ "sha256": "1rqwrhc8fcaf1c8d0h9mirpznnypg8afnrzsya4r4lvvifz16kgi",
+ "type": "tarball",
+ "url": "https://github.com/Mic92/sops-nix/archive/a8cbd0c796e4678f0fd2e59f274e49705ee523ed.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
 }
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..aa242e2
--- /dev/null
+++ b/secrets/secrets.yaml
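Review bot: The `path_regex` on the creation rule in .sops.yaml is anchored only at the end, and sops applies the pattern as a search over the path relative to this config file, so `secrets/[^/]+\.yaml$` would also select a file such as `other/secrets/x.yaml`; if only the top-level directory is meant, write `path_regex: ^secrets/[^/]+\.yaml$`. Both recipients are listed in a single `age:` key group, which in sops means either key alone decrypts every matching file; that is a reasonable choice for two administrators, but it deserves a comment above `key_groups:` such as `# single group: any listed key can decrypt; add groups to require a quorum` so a later edit does not assume otherwise. The file is also committed without a trailing newline, as the `\ No newline at end of file` marker shows.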
@@ -0,0 +1,30 @@
+testing: ENC[AES256_GCM,data:L7u7KRH74FPLtYi/,iv:yloHuSqAbxz95L3Bpye8VRJFR87dVGMkArTBj5GFVtA=,tag:pKbC5EsdBM4zqrUwzb0abA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age16yv7atd8n880ja98pksqqvunu2yw00660lkh4n0sg39j5vt3dujshyu95j
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMW9GbTVQWjdOaUVJNjJH
+ VUhsSGxLb1NlU2NXTjRqYklLUlYxRnpkbm44CjRZU2lNTTlERmFHYTRoL0dRWjRq
+ QUhkYjBsK2NyWDMzL004aDZBMGJrNjgKLS0tIFNHbEl2ejZJK0tGeEcyRTk3TU9S
+ MmFZc29kdEFlL202emU3cUhwMytUeXMK429JtnxnZfDl8Op2NSz40xUXKO2XWICY
+ I0Z2xOATxOq9N1MvNbD6HheT8ngUtu/LQJXcsDIHk0MkzBJRe8u79A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age12m47c7xvqttncps0e79pwamzqa4nmnxekwumtwcv5ju6q74fufaqp9d0xh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNklPdm52OHVzL0cxOHRI
+ cVdFcW0zL0RuYXJJbzlTZjI0dkxoQThjVG5zCldCLzE3cGF0ZGJTZ0dBajFaMktr
+ ZDA3WHFaQzJONmlUSXBrNzY5MHJTT1EKLS0tIHczU2JVc2RhVmc1Y01NOWZHclly
+ QXJkUkFMS1ZCcXl1ZCsvUmdqeVVvc0EK9xP+VkSN61gLwMwwlOFCpLsfL6Jzk7CB
+ 5LfW5lsyWCMqnw00W52h177kHZdf/nLmnoLDz2jZ7hPXiDpS7G9MrA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2021-11-12T04:16:10Z"
+ mac: ENC[AES256_GCM,data:o4Pbvl/ry70zqKZnQ95I0zff/8Vzz1g+5i5PrrClmAlrq4OKiXKhmAyriMSknYzcBA4JnHqjfyHWzB7VpIPCAfiT5jmSjQgMaixVkFvtjDKNtuVXP9ECSY1sb3EeKBnlkR4Ev9aodkoJGxeaiTChadadkG09M6pjSwwyn6r1yNM=,iv:6GjWlgSHRDqwqeAI2J8IgGFo7/cTwKLcxz2h8tj+iYY=,tag:T3W+cvDk0t3G/c/mkcqoyw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
diff --git a/shell.nix b/shell.nix
index f357315..4a040a6 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,9 +1,14 @@ let sources = import ./nix/sources.nix; pkgs = import sources.nixpkgs { }; -in pkgs.mkShell { +in +pkgs.mkShell { name = "athens"; - buildInputs = [ pkgs.morph ]; + buildInputs = [ + pkgs.age + pkgs.morph + pkgs.sops + ]; shellHook = '' export NIX_PATH="nixpkgs=${sources.nixpkgs}:home-manager=${sources.home-manager}:."