moved staging keys into seperate file

2022-05-31 21:29:48 +02:00 · 2022-05-31 21:29:48 +02:00 · b3c37b6f71
parent 4e4a9c884d
commit b3c37b6f71
6 changed files with 118 additions and 6 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -40,6 +40,16 @@ creation_rules:
        age:
        - *data-hoarder
        - *data-hoarder-staging
+  - path_regex: secrets/data-hoarder-staging/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *admin_oxa
+        - *admin_revol-xut
+        - *admin_marenz-1
+        - *admin_marenz-2
+        age:
+        - *data-hoarder
+        - *data-hoarder-staging
  - path_regex: secrets/traffic-stop-box/[^/]+\.yaml$
    key_groups:
      - pgp:
--- a/hosts/data-hoarder/configuration.nix
+++ b/hosts/data-hoarder/configuration.nix
@ -28,9 +28,10 @@
  };

  networking.defaultGateway = "192.109.108.61";
-
  networking.nameservers = [ "9.9.9.9" ];

+  sops.defaultSopsFile = ../../secrets/data-hoarder/secrets.yaml;
+
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

--- a/hosts/staging/configuration.nix
+++ b/hosts/staging/configuration.nix
@ -56,6 +56,7 @@
  networking.defaultGateway = "172.20.73.1";
  networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];

+  sops.defaultSopsFile = ../../secrets/data-hoarder-staging/secrets.yaml;
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

--- a/modules/data-hoarder/secrets.nix
+++ b/modules/data-hoarder/secrets.nix
@ -1,6 +1,5 @@
 { config, pkgs, ... }:
 {
-  sops.defaultSopsFile = ../../secrets/data-hoarder/secrets.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  sops.secrets = {
--- a/secrets/data-hoarder-staging/secrets.yaml
+++ b/secrets/data-hoarder-staging/secrets.yaml
@ -0,0 +1,102 @@
+wg-seckey-staging: ENC[AES256_GCM,data:7ZDE0ePdbjzoHXyJSAIJ/Eryp9nZAEH8OTaej9/lGtSiuLAWdB+4Y/EhgfU=,iv:YlhiQvGJaxpYN1AsLDvpWbA1xq+W/8NB4L2uBQNbiy4=,tag:Nl8GEaGjLqTh6Iq51rgYkQ==,type:str]
+postgres_password: ENC[AES256_GCM,data:gHujC1YtssY=,iv:CI/oVto6ncK6l2QF7IsTQ/ca954LH/GFmZgZQ43u1zc=,tag:gVH4DvEzyJqNOgyjoCbgIQ==,type:str]
+postgres_password_hash_salt: ENC[AES256_GCM,data:bHt2y+gknmwlgOw=,iv:QDeMNauoCfC7egIkGUb/Ecp6vfZ/UxqjtTL6V3sadHM=,tag:vVjTBPT8KCkglp2SGGmo7g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1zmuyxqnhq7naxa8egf24gzz2tjqtg5j9yv8zhvcxta08xqr8h9aqq7fjca
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZnRRdk5EVWd5eVpoMno0
+            WVNTVDBTOExabmhqVE9IT2JQVEtjUTF1bzBVCno5VjV5RmYxQUkzNDd5MTFYVm8v
+            NzhDazBFVDR5Y3lRWndKRGIrTEZqdFUKLS0tIDdLNHgrNGVUcXRJOE4yV1pVRzRn
+            RFNwanJuQUlMZDlpWmNsT2N6YjJZU1UK1hNvLZwVh5+g4Xe7O35q8x0LL0LAER4R
+            Kp4TLZ/bbec92OhdQ25UPho+09AR0sMOhPyMFCtodvTT9q83fwBapw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xztjvj79kxdrf97mldvv9nas5vfm636y3agkcvtyyyd0xtg73aasx5y7dc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0YkdCaklzakhiaXdLdTZo
+            clpDS1dNcFZwSmZMU2VXODJlaWs2eWRKSmtrCkdhaXIwblM5RU5DWlNwWGROMXh6
+            T0Z1UUFDUTNWL3NOQktnRlV4QzRDM3MKLS0tIDNKTGdOeWE5ejBhL3lBbWNDQUdj
+            cmRkeUpBdzdleG1aMDRiWTk5NFBQbWsKQqAdbF9+1U2Y/CUNxt/u7zOc7vfZmuCK
+            HxT0x7I0I3r5m3OKrIvN7CSfXTZ5tE601DfYr4i92dvRvD46J/JbUw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-05-31T19:26:07Z"
+    mac: ENC[AES256_GCM,data:SsqSSFTOVe5thim+2DMYaAvE0suRVD2qrXYZvx1FSRzegd0aiOX1Kes7vAtvY2X5ulQfKXrNAr1GWe/b9IP9iEcOzn9yBVxQ31u4rINQKqYh5ySBPbtR0l3whe2P5QdZdfXeQ8IcPdFXaRCurKRX8jLMxq0LyC4GPNC8vdXLkgA=,iv:HohR+vPGnZK0Eybbc5UB2g20mcIE540ocdLg+iId7os=,tag:pziHLELfrk9It1DzIfLTbA==,type:str]
+    pgp:
+        - created_at: "2022-05-29T14:13:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7zUOKwzpAE7ARAATZXPD2xOs9KMfesUX+WXDrWGWzcm9ldUHMBNSBXr7hY3
+            jmWeYBh/3DIm+o4nw0tkU9WAxb+PZ1UImc/qVWnyGP90QSuJyO4T4fNeaZjMPv7G
+            2DpPKhTgmHVm8zksqntW+Fr8pQN6QzbXwhEmp/UaNpxcIlzlTmOu0idETHfe5iHK
+            iExxAekq21ThqSze2a1hWIKbfMSzGp0PjSSOksEUazzciXFx40yTxOOTAqk8EGLt
+            pI2t1b9C02M1A1Gxx/UBFykgC+2cdBWwSXAzfBzuUAtWLBGEQyMblhPQbmhcEvFY
+            aBaoooXfjDMNJKXZcnG4itIbrwThdevmcupNH9m8svmO8IR6XKO5AOMefhZff5XE
+            I+kl4CjExyxN8oX0G+HJ2oBhJdF7hmFt+PbtZbvqXw2W7+KV+bE67JVubzmtISE6
+            fMOjhdscGpQ8LZOZ+oSNJO4/73Ll9Nl6TcIN/4uvqGpyZO0aP7rTtRhEcz6o34wP
+            Ksyj6ed7eOOaEXbGwERmkgvcBHBqaS9i/aHG2iRAnXUdGo5C3V0z6yWMqkkTFIAu
+            j3qv8+nSOeRpi2A3JmvGlC7yTUTd0Rrh9nD/I/2TA9oI9KeB4zBth5S9+w122Fya
+            5z2lY2MNkkHo5RfrLSErFY7BGpRoNtUmxe8T/rUURUF9D/NgpGkGz7KCrhZzBULS
+            5gHMhBq7lxjgBrHz7od29nu+CjGh7OmZtTMgGcPf9BGuDmm3YgCeWCcDlORmBNde
+            oiyt/UEio3guTVVfZB87QrfkZHnRTpFUIs1MX8yfzwY1buKuEAYnAA==
+            =6vSf
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+        - created_at: "2022-05-29T14:13:53Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA/YLzOYaRIJJAQ/+L9n1vh06hboRjbuisAabzJSd+oSpthuHR7pPcotkyS72
+            kQEw2Gl5FMlyN21K9BFgo2pM/651pBN3eWNCKe2OrEMIMiaYvk8f33nGIlFGfe02
+            72Tc1NrrBNvQ/p2c6hb8ZYQp60bo0M6XYg2yeE/7IRYpRYWiVCZOedFDOZlBaP7m
+            dlPsq0lk6/XKxaxoDgZSY1z65eKejQPTxWiJDb+qcbYDRO5YuQk4zMQ+pyMdnK6W
+            sYG3l9/6sZE7/IqUWszEILCW+UIGLdU/bj+J2MRYNZz6u529falBu2hKMN0KiFf7
+            W20aXj7Pqixvj0rwjh4ukmoPlplOOpVPZKrXULlxpqAxONSTW4bkzPkheo3LOvmo
+            58dn73oXZ/Pc/SdsXz1XOhgnEJJkbtHyJahyq1Yhc799nZUGHtJpLnTJU54+nv3P
+            sr6j6OS4Wrn4/fjCytv3vTzVciRY0usp+DMBcC4Yisrl0kagXv2ZBRbOjPN9i7A+
+            ufPDp9tlgdANimU7fOyBA0fsyUqlHeOxibCal11sV6y5w8CtzxL2Iow6IAHkZT85
+            AbQa5NzO2QVBZen1N2WizrJ2zVmqP6ek6dJJK2vJDo2MeOe2Ld45gsA6uM+94Z7r
+            EwyYtD2rNPSu0sivZ50vrm+9zxFJqO4Lm5RBER8cOTNA2tQUq1oqFoRky5ODxULS
+            XgGfRGN/pU4CsQg+PLnDZ8lnCUKaUD792VDVskzlPhq1lf1QlOad9e/CMNfjsiFf
+            i75yX8b7dTBqKIaOJAPwK2uAB8t6DS1FOE9A1tvjy2AQlEx7F8ZYvvpEfyt1q2s=
+            =B7/8
+            -----END PGP MESSAGE-----
+          fp: 91EBE87016391323642A6803B966009D57E69CC6
+        - created_at: "2022-05-29T14:13:53Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA1N/l9+zlMQzAQf9Gp0N2XwrL08GYEL0bXK/H4gz5aSlSWRZ8bLDtwZeu6Ja
+            uPtuHJ63fDhwkDAveXIRUMIu0zAdAChOUOIMxjNHtTqbl++o+BeQQglfPQ0OUhKA
+            G5SIgRpUp60WScMUj3EoBSE7yskEoRUGkYm435zHuIgWXQxryQ8ZHCQdLjd65yFp
+            VUN30vEjHiXaTz2SssTD979wm6VjlaXTI0qY84Sm4CYg454sdgAQEM8+tSWdaSFI
+            al87uwSxHAHj+GZ6YzfiHtri78G1BNX51xva3tQOLf9w/rCP1z1N3CLyiuzZql19
+            wOdOG5nNpAGQWx8KEdod6s8KXkCOj91oikDC1G3N5dJeAYiJJxzGPj8hSrHyQWRY
+            YIjQXk0LcL7L/cz+3xYihJboV3Sk9luu3FkJR9CXbY6JVysil73GwhhMSDFNdV2v
+            i6WM3vCeQhTZi5u/Jk7DJ61zBRGsCyfTO26PMbfWeg==
+            =zfZh
+            -----END PGP MESSAGE-----
+          fp: 069836A578F7939612DB4934F77D0F7E247A1EE4
+        - created_at: "2022-05-29T14:13:53Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA1N/l9+zlMQzAQf/X2qCrQ3TyClbkOD3ELeBGYy8udokPo0WtXTbrvd9gN3K
+            KXwUHxw4JhtJMfoAvGwbD4WAyLwkzs0AfxxAD17H7lK63vJ/9DMgBR+72GKJ7Dto
+            gezKQhdW1D0K8mV6HHVe9THO0sXyaalzxArLUsAGVNBFLOybr+VtiP73hjndAA8Y
+            mTNTKst4ZL1UOQmoBg6vl95CXmkHjVWeATEb4LGggXYLvhn9iVLP+VJCMVf6P7Xe
+            etA25ij+7w3UuYY//2iS/j71fbeBL9x5DtUpfmllF8Bx+xaWpg5KkH7orBHhaj9E
+            VS2EPsCMBuxJNBptMS7Np+/79Zg9igXp1J5cMfnjAdJeAV+uNwBSb/IAFfHpeKMp
+            MwqBcs1EVvhf2LPANfA6FG2wRXaKwSI0t1AVgq6JwH4N3IU2UEVPDrEXe7c2leRZ
+            RZaAODeIrRFlz7cvsfTYGexOaEiYOPAflvjxHGnwlA==
+            =eHlt
+            -----END PGP MESSAGE-----
+          fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2
--- a/secrets/data-hoarder/secrets.yaml
+++ b/secrets/data-hoarder/secrets.yaml
@ -1,6 +1,5 @@
 wg-seckey: ENC[AES256_GCM,data:2ro+gGzaqolAkXNuVEz028X3cbq5jjoSSUZyO+FHITeX8f6lB8PYOPpe2lk=,iv:c3/J3k6TQ6+cpqk+/wutjwbVCyzY1X/rHSJU4iw0lJA=,tag:Itcvtz/AWC88PNzzLrpjTg==,type:str]
-wg-seckey-staging: ENC[AES256_GCM,data:7ZDE0ePdbjzoHXyJSAIJ/Eryp9nZAEH8OTaej9/lGtSiuLAWdB+4Y/EhgfU=,iv:YlhiQvGJaxpYN1AsLDvpWbA1xq+W/8NB4L2uBQNbiy4=,tag:Nl8GEaGjLqTh6Iq51rgYkQ==,type:str]
-postgres_password: ENC[AES256_GCM,data:j2nfOIse6j24sRDdofVDVV9yaNBICfF6bLuM1zAh2d4ityZ/9Nsm4CAHXo3P9fojiBeT2d6rEP82zwcghhOAaoM8mKPg,iv:OWVfqqbKbRzihevgJ+cevDcbtWgYN2t75SADkseM8qE=,tag:sGstRV0xGzjLF+SGEUPYGQ==,type:str]
+postgres_password: ENC[AES256_GCM,data:URbuozlVPL+5rw5bH1sA2wWvlLi5v5cFC6q3MDHPOSI=,iv:4FGJXB0TEZH69bkHl58lVD0epACGsJ/HNTriyrtkY/8=,tag:PueSnmlF372efUm5+PjUYQ==,type:str]
 postgres_password_hash_salt: ENC[AES256_GCM,data:VexqhXH0gc/agVLv04K4FygcSRc=,iv:3vlrIZUm+KaGXybchUDWtXQ6cfU8Vc/DCxLXhe+igOU=,tag:eqJvJdHzu35bTQqyF345ig==,type:str]
 sops:
    kms: []
@ -26,8 +25,8 @@ sops:
            cmRkeUpBdzdleG1aMDRiWTk5NFBQbWsKQqAdbF9+1U2Y/CUNxt/u7zOc7vfZmuCK
            HxT0x7I0I3r5m3OKrIvN7CSfXTZ5tE601DfYr4i92dvRvD46J/JbUw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-05-30T17:05:40Z"
-    mac: ENC[AES256_GCM,data:ToDfRg2/jGBbzTE8GuuQPRUib1OcyWrDmPfJlzLwTRoBiRq5fZs/yO045QnJTXVxiGv+PoLkOXRddkCRzA6o7Jdn8nJxMFnAKM+t4EDGFXGZ0Vto7EaLUkvVJbMRQ+yiAziaqb09qh7g4BQy1886AJEFbcQ3j8UuLrq3SaRzE1s=,iv:9kFUHzs7IMWh8R2dEb4Qd6jXXWPXbYpjGSqR9ko9xbA=,tag:+74VIdCfmT+L56hbObzIAg==,type:str]
+    lastmodified: "2022-05-31T19:26:14Z"
+    mac: ENC[AES256_GCM,data:8k8JC53kkGe4K/9myGB7EGiQ0CQ1f4A7tZ38sPm58Kjnjz7A+jNGOdWFqiu03Ox67vcrzgIht0SmBgaQPHXJcagSpEi3B8wyKFyScBoESis7Xw06FVz+EacwKbEEoGg999414Nn8SkyZ1KgBfw6KHQZRbrOwYsXPeTOmIm95qSQ=,iv:4iGILiP1Z13KS5+O1jJ04BL6Yz81c2ZqheiFsFGZCNc=,tag:qXHH4YIuiFuSal/wHxCA7Q==,type:str]
    pgp:
        - created_at: "2022-05-29T14:13:53Z"
          enc: |-