Add ssh keys to sops

Sandro - 2023-01-05 00:31:10 +01:00
parent 1173a83b77
commit c162f15462
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
2 changed files with 41 additions and 16 deletions


@ -244,20 +244,38 @@ in
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."ldap/search-user-pw" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
path = "/var/lib/hydra/ldap-password.conf";
};
secrets."machine-id" = {
mode = "444";
path = "/etc/machine-id";
};
secrets."nix-serve/secretKey" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
secrets = {
"ldap/search-user-pw" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
path = "/var/lib/hydra/ldap-password.conf";
};
"machine-id" = {
mode = "444";
path = "/etc/machine-id";
};
"nix-serve/secretKey" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
};
"ssh-keys/root/private" = {
mode = "600";
path = "/root/.ssh/id_ed25519";
};
"ssh-keys/root/public" = {
mode = "644";
path = "/root/.ssh/id_ed25519.pub";
};
"ssh-keys/updater/private" = {
mode = "600";
path = "/var/lib/updater/.ssh/id_ed25519";
};
"ssh-keys/updater/public" = {
mode = "644";
path = "/var/lib/updater/.ssh/id_ed25519.pub";
};
};
};
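Review bot: The new `"ssh-keys/updater/private"` entry sets `mode = "600"` and a path under /var/lib/updater but no `owner`, unlike the hydra-queue-runner secrets in the same set, so with the sops-nix defaults the decrypted key should remain owned by root. If the updater service runs as its own account it will not be able to read the key, and the usual workaround is to loosen the mode. Setting `owner = "<updater-user>";` (placeholder for the service account, plus its `group`) on that entry keeps the key at owner-only access while making it usable. Both private-key entries could also use `mode = "400"`, since nothing visible here needs to write to the key files. The enclosing `sops` attribute set sits inside a larger expression that starts outside this hunk.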


@ -4,6 +4,13 @@ nix-serve:
secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
ldap:
search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str]
ssh-keys:
root:
private: ENC[AES256_GCM,data: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,iv:ZCGvaBjhG0tSRgrEANPf0fR5XnDK1gqU0WORSu75/lY=,tag:lAhZHLltfA8j2hF1IZM4qw==,type:str]
public: ENC[AES256_GCM,data:7skUJMhKvPVhVO3lpXOUepgExVGR6C01NUK6r0rnXnU81tCsiZoG7PF5RedSiE1USOpm/k2kz1IJUehn4xKqtLZNrVn1PPjNJIZ7Dpgm15PvVOtvyM+wSdxHFw==,iv:bz/rLsOHVapgvCPgewAHFPamKOCWYJXSp12SLeCNFSQ=,tag:vUDqPrvn/Y6Y5aLxfMYVow==,type:str]
updater:
private: ENC[AES256_GCM,data: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,iv:DMD11AUuWPHutmZOVBeL1megyvQxbJ9Tw5ApH3RWrCw=,tag:yyWpFuJua79+QCMIOOCpwQ==,type:str]
public: ENC[AES256_GCM,data:sphILo6Xz3eCsIC0Y8fr4+CllH2nK42aijMDp5Psc5vhnxCuBxL+Zh4yT3NkPjAHMYZyAxp35uOGOjpOUNS+ii14C86WVTpWtiX3d52/1W5MK9SUGIBQrw8oGoqJeg==,iv:SlinQ+S0QEI6pMzUm8oJqJmlW11ULne2e73974RHiYw=,tag:QkFP9D3MsXM6OSPDqnKKOw==,type:str]
sops:
kms: []
gcp_kms: []
@ -28,8 +35,8 @@ sops:
WkRmWkpEYVMrZ0tKQVgrRk5YU0grTFEK3cX9v11MK9LIw4w51hr2zyLP3biGxkdf
dl77D0IS9m2u0HipmzUs95m+z5j47hiX4Qo1Uza/sshwDBYyia4upg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T00:46:32Z"
mac: ENC[AES256_GCM,data:iAGu+wOfSh5kYlwonk3DTLQPHEuOfXExv54vHikIRQbk81VNN7GKferJo9uB8d3fos461zGFulsL/Zw4j0EX1X7jr7d4PGybtb1oWIqi8D81TTeBqvfsvgrHfozeQCSIF6xzmXpulTmrTtuIAzMuHRXkV+i85YmYVBKFBi0g2jE=,iv:wafAqiOzpRREVfp1D4+/kB5g9kjd8786XosnrGmtUi4=,tag:OzUBTZ5L7wK47R5axF3N+w==,type:str]
lastmodified: "2023-01-04T23:32:36Z"
mac: ENC[AES256_GCM,data:wBh2gnaGCcLPItcr7SfMV3F8dmWlpeV9H77Cc0bRovFbbrxob+9A7FKNzqNSR372MnTRCaf6pRWDu5U9nNAGohrqtP11oouehuNyieW3PlijWepAN3A+BYd0DFYqu5FtNvccFWJnKy6I4Fjsf1Fjh8ark06h7fg8mMafsudLXH0=,iv:11bCknws/idxujuLWSyn2Sa6ilCyI1IIihHguuwLuxs=,tag:PKtlEddCxmgWTiOJDQOqhA==,type:str]
pgp:
- created_at: "2022-12-26T19:10:03Z"
enc: |