diff --git a/.sops.yaml b/.sops.yaml
index e5adc66..52b072a 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -40,6 +40,16 @@ creation_rules:
 age:
 - *data-hoarder
 - *data-hoarder-staging
+ - path_regex: secrets/data-hoarder-staging/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ - *admin_revol-xut
+ - *admin_marenz-1
+ - *admin_marenz-2
+ age:
+ - *data-hoarder
+ - *data-hoarder-staging
 - path_regex: secrets/traffic-stop-box/[^/]+\.yaml$
 key_groups:
 - pgp:
diff --git a/hosts/data-hoarder/configuration.nix b/hosts/data-hoarder/configuration.nix
index e9cb780..c34b05d 100644
--- a/hosts/data-hoarder/configuration.nix
+++ b/hosts/data-hoarder/configuration.nix
@@ -28,9 +28,10 @@
 };
 networking.defaultGateway = "192.109.108.61";
- networking.nameservers = [ "9.9.9.9" ];
+ sops.defaultSopsFile = ../../secrets/data-hoarder/secrets.yaml;
+ # networking.proxy.default = "http://user:password@proxy:port/";
 # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
diff --git a/hosts/staging/configuration.nix b/hosts/staging/configuration.nix
index e6b121e..62618d2 100644
--- a/hosts/staging/configuration.nix
+++ b/hosts/staging/configuration.nix
@@ -56,6 +56,7 @@
 networking.defaultGateway = "172.20.73.1";
 networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
+ sops.defaultSopsFile = ../../secrets/data-hoarder-staging/secrets.yaml;
 # networking.proxy.default = "http://user:password@proxy:port/";
 # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
diff --git a/modules/data-hoarder/secrets.nix b/modules/data-hoarder/secrets.nix
index 5570b29..0b31c8e 100644
--- a/modules/data-hoarder/secrets.nix
+++ b/modules/data-hoarder/secrets.nix
@@ -1,6 +1,5 @@
 { config, pkgs, ... }:
 {
- sops.defaultSopsFile = ../../secrets/data-hoarder/secrets.yaml;
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 sops.secrets = {
diff --git a/secrets/data-hoarder-staging/secrets.yaml b/secrets/data-hoarder-staging/secrets.yaml
new file mode 100644
index 0000000..abf8179
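Review bot: The new staging rule lists both `*data-hoarder` and `*data-hoarder-staging` under `age:`, and the context lines show the preceding production rule carries the same two recipients, so after this change each host can still decrypt the other environment's secrets and the file split buys no prod/staging separation. If separation is the intent, keep only `*data-hoarder-staging` in the new rule's `age:` list, drop `*data-hoarder-staging` from the production rule, and run `sops updatekeys` on both files afterwards. creation_rules are also matched top-down with the first matching `path_regex` winning; the production rule's `path_regex` is outside the hunk, so confirm it does not also match `secrets/data-hoarder-staging/…` (an unanchored `secrets/data-hoarder` would), otherwise the new rule is never reached.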
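Review bot: Removing `networking.nameservers = [ "9.9.9.9" ];` in hosts/data-hoarder/configuration.nix is unrelated to moving `sops.defaultSopsFile` into the host and is not explained by the change; with a static `networking.defaultGateway` configured on the line above, this host most likely does not receive resolvers via DHCP, so it may be left without working name resolution after deploy. Either keep the line (`networking.nameservers = [ "9.9.9.9" ];`) or state in the commit message where DNS is now configured. The staging host hunk keeps its `networking.nameservers` entry, so the two hosts diverge here for no stated reason.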
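Review bot: With `sops.defaultSopsFile` removed from modules/data-hoarder/secrets.nix, the `sops.secrets = {` declarations that follow (the body continues outside the hunk) now resolve against whichever file each host sets, and the two files do not expose the same key names: the new secrets/data-hoarder-staging/secrets.yaml has `wg-seckey-staging` but no `wg-seckey`, while secrets/data-hoarder/secrets.yaml keeps `wg-seckey`. If this shared module declares `sops.secrets.wg-seckey`, the staging host will fail at activation because that key is absent from its default file. Either name the key identically in both files, or point the declaration explicitly with `sops.secrets.wg-seckey.key = "wg-seckey-staging";` on the staging host (or a per-secret `sopsFile`), so the module's contract with the secrets files is stated rather than implied.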
--- /dev/null
+++ b/secrets/data-hoarder-staging/secrets.yaml
@@ -0,0 +1,102 @@ +wg-seckey-staging: ENC[AES256_GCM,data:7ZDE0ePdbjzoHXyJSAIJ/Eryp9nZAEH8OTaej9/lGtSiuLAWdB+4Y/EhgfU=,iv:YlhiQvGJaxpYN1AsLDvpWbA1xq+W/8NB4L2uBQNbiy4=,tag:Nl8GEaGjLqTh6Iq51rgYkQ==,type:str] +postgres_password: ENC[AES256_GCM,data:gHujC1YtssY=,iv:CI/oVto6ncK6l2QF7IsTQ/ca954LH/GFmZgZQ43u1zc=,tag:gVH4DvEzyJqNOgyjoCbgIQ==,type:str] +postgres_password_hash_salt: ENC[AES256_GCM,data:bHt2y+gknmwlgOw=,iv:QDeMNauoCfC7egIkGUb/Ecp6vfZ/UxqjtTL6V3sadHM=,tag:vVjTBPT8KCkglp2SGGmo7g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zmuyxqnhq7naxa8egf24gzz2tjqtg5j9yv8zhvcxta08xqr8h9aqq7fjca + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZnRRdk5EVWd5eVpoMno0 + WVNTVDBTOExabmhqVE9IT2JQVEtjUTF1bzBVCno5VjV5RmYxQUkzNDd5MTFYVm8v + NzhDazBFVDR5Y3lRWndKRGIrTEZqdFUKLS0tIDdLNHgrNGVUcXRJOE4yV1pVRzRn + RFNwanJuQUlMZDlpWmNsT2N6YjJZU1UK1hNvLZwVh5+g4Xe7O35q8x0LL0LAER4R + Kp4TLZ/bbec92OhdQ25UPho+09AR0sMOhPyMFCtodvTT9q83fwBapw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xztjvj79kxdrf97mldvv9nas5vfm636y3agkcvtyyyd0xtg73aasx5y7dc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0YkdCaklzakhiaXdLdTZo + clpDS1dNcFZwSmZMU2VXODJlaWs2eWRKSmtrCkdhaXIwblM5RU5DWlNwWGROMXh6 + T0Z1UUFDUTNWL3NOQktnRlV4QzRDM3MKLS0tIDNKTGdOeWE5ejBhL3lBbWNDQUdj + cmRkeUpBdzdleG1aMDRiWTk5NFBQbWsKQqAdbF9+1U2Y/CUNxt/u7zOc7vfZmuCK + HxT0x7I0I3r5m3OKrIvN7CSfXTZ5tE601DfYr4i92dvRvD46J/JbUw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-05-31T19:26:07Z" + mac: ENC[AES256_GCM,data:SsqSSFTOVe5thim+2DMYaAvE0suRVD2qrXYZvx1FSRzegd0aiOX1Kes7vAtvY2X5ulQfKXrNAr1GWe/b9IP9iEcOzn9yBVxQ31u4rINQKqYh5ySBPbtR0l3whe2P5QdZdfXeQ8IcPdFXaRCurKRX8jLMxq0LyC4GPNC8vdXLkgA=,iv:HohR+vPGnZK0Eybbc5UB2g20mcIE540ocdLg+iId7os=,tag:pziHLELfrk9It1DzIfLTbA==,type:str] + pgp: + - created_at: "2022-05-29T14:13:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
wcFMA7zUOKwzpAE7ARAATZXPD2xOs9KMfesUX+WXDrWGWzcm9ldUHMBNSBXr7hY3 + jmWeYBh/3DIm+o4nw0tkU9WAxb+PZ1UImc/qVWnyGP90QSuJyO4T4fNeaZjMPv7G + 2DpPKhTgmHVm8zksqntW+Fr8pQN6QzbXwhEmp/UaNpxcIlzlTmOu0idETHfe5iHK + iExxAekq21ThqSze2a1hWIKbfMSzGp0PjSSOksEUazzciXFx40yTxOOTAqk8EGLt + pI2t1b9C02M1A1Gxx/UBFykgC+2cdBWwSXAzfBzuUAtWLBGEQyMblhPQbmhcEvFY + aBaoooXfjDMNJKXZcnG4itIbrwThdevmcupNH9m8svmO8IR6XKO5AOMefhZff5XE + I+kl4CjExyxN8oX0G+HJ2oBhJdF7hmFt+PbtZbvqXw2W7+KV+bE67JVubzmtISE6 + fMOjhdscGpQ8LZOZ+oSNJO4/73Ll9Nl6TcIN/4uvqGpyZO0aP7rTtRhEcz6o34wP + Ksyj6ed7eOOaEXbGwERmkgvcBHBqaS9i/aHG2iRAnXUdGo5C3V0z6yWMqkkTFIAu + j3qv8+nSOeRpi2A3JmvGlC7yTUTd0Rrh9nD/I/2TA9oI9KeB4zBth5S9+w122Fya + 5z2lY2MNkkHo5RfrLSErFY7BGpRoNtUmxe8T/rUURUF9D/NgpGkGz7KCrhZzBULS + 5gHMhBq7lxjgBrHz7od29nu+CjGh7OmZtTMgGcPf9BGuDmm3YgCeWCcDlORmBNde + oiyt/UEio3guTVVfZB87QrfkZHnRTpFUIs1MX8yfzwY1buKuEAYnAA== + =6vSf + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + - created_at: "2022-05-29T14:13:53Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJAQ/+L9n1vh06hboRjbuisAabzJSd+oSpthuHR7pPcotkyS72 + kQEw2Gl5FMlyN21K9BFgo2pM/651pBN3eWNCKe2OrEMIMiaYvk8f33nGIlFGfe02 + 72Tc1NrrBNvQ/p2c6hb8ZYQp60bo0M6XYg2yeE/7IRYpRYWiVCZOedFDOZlBaP7m + dlPsq0lk6/XKxaxoDgZSY1z65eKejQPTxWiJDb+qcbYDRO5YuQk4zMQ+pyMdnK6W + sYG3l9/6sZE7/IqUWszEILCW+UIGLdU/bj+J2MRYNZz6u529falBu2hKMN0KiFf7 + W20aXj7Pqixvj0rwjh4ukmoPlplOOpVPZKrXULlxpqAxONSTW4bkzPkheo3LOvmo + 58dn73oXZ/Pc/SdsXz1XOhgnEJJkbtHyJahyq1Yhc799nZUGHtJpLnTJU54+nv3P + sr6j6OS4Wrn4/fjCytv3vTzVciRY0usp+DMBcC4Yisrl0kagXv2ZBRbOjPN9i7A+ + ufPDp9tlgdANimU7fOyBA0fsyUqlHeOxibCal11sV6y5w8CtzxL2Iow6IAHkZT85 + AbQa5NzO2QVBZen1N2WizrJ2zVmqP6ek6dJJK2vJDo2MeOe2Ld45gsA6uM+94Z7r + EwyYtD2rNPSu0sivZ50vrm+9zxFJqO4Lm5RBER8cOTNA2tQUq1oqFoRky5ODxULS + XgGfRGN/pU4CsQg+PLnDZ8lnCUKaUD792VDVskzlPhq1lf1QlOad9e/CMNfjsiFf + i75yX8b7dTBqKIaOJAPwK2uAB8t6DS1FOE9A1tvjy2AQlEx7F8ZYvvpEfyt1q2s= + =B7/8 + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: 
"2022-05-29T14:13:53Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf9Gp0N2XwrL08GYEL0bXK/H4gz5aSlSWRZ8bLDtwZeu6Ja + uPtuHJ63fDhwkDAveXIRUMIu0zAdAChOUOIMxjNHtTqbl++o+BeQQglfPQ0OUhKA + G5SIgRpUp60WScMUj3EoBSE7yskEoRUGkYm435zHuIgWXQxryQ8ZHCQdLjd65yFp + VUN30vEjHiXaTz2SssTD979wm6VjlaXTI0qY84Sm4CYg454sdgAQEM8+tSWdaSFI + al87uwSxHAHj+GZ6YzfiHtri78G1BNX51xva3tQOLf9w/rCP1z1N3CLyiuzZql19 + wOdOG5nNpAGQWx8KEdod6s8KXkCOj91oikDC1G3N5dJeAYiJJxzGPj8hSrHyQWRY + YIjQXk0LcL7L/cz+3xYihJboV3Sk9luu3FkJR9CXbY6JVysil73GwhhMSDFNdV2v + i6WM3vCeQhTZi5u/Jk7DJ61zBRGsCyfTO26PMbfWeg== + =zfZh + -----END PGP MESSAGE----- + fp: 069836A578F7939612DB4934F77D0F7E247A1EE4 + - created_at: "2022-05-29T14:13:53Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf/X2qCrQ3TyClbkOD3ELeBGYy8udokPo0WtXTbrvd9gN3K + KXwUHxw4JhtJMfoAvGwbD4WAyLwkzs0AfxxAD17H7lK63vJ/9DMgBR+72GKJ7Dto + gezKQhdW1D0K8mV6HHVe9THO0sXyaalzxArLUsAGVNBFLOybr+VtiP73hjndAA8Y + mTNTKst4ZL1UOQmoBg6vl95CXmkHjVWeATEb4LGggXYLvhn9iVLP+VJCMVf6P7Xe + etA25ij+7w3UuYY//2iS/j71fbeBL9x5DtUpfmllF8Bx+xaWpg5KkH7orBHhaj9E + VS2EPsCMBuxJNBptMS7Np+/79Zg9igXp1J5cMfnjAdJeAV+uNwBSb/IAFfHpeKMp + MwqBcs1EVvhf2LPANfA6FG2wRXaKwSI0t1AVgq6JwH4N3IU2UEVPDrEXe7c2leRZ + RZaAODeIrRFlz7cvsfTYGexOaEiYOPAflvjxHGnwlA== + =eHlt + -----END PGP MESSAGE----- + fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433 + unencrypted_suffix: _unencrypted + version: 3.7.2 diff --git a/secrets/data-hoarder/secrets.yaml b/secrets/data-hoarder/secrets.yaml index e8fd846..6e770c5 100644 --- a/secrets/data-hoarder/secrets.yaml +++ b/secrets/data-hoarder/secrets.yaml 
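Review bot: The age-wrapped data-key blocks and the full `wg-seckey-staging` ciphertext (`data`, `iv` and `tag`) in this new file are byte-identical to the ones removed from, or left in, secrets/data-hoarder/secrets.yaml in the hunk below, which indicates the staging file was produced by copying the production file and deleting keys rather than by encrypting fresh, so both files share a single data key. Whoever can unwrap the data key of one file can decrypt the other, and the moved secret's old ciphertext stays recoverable from git history under that same key, so the split gives no isolation until the keys change; run `sops -r` on secrets/data-hoarder-staging/secrets.yaml so it gets its own data key, and rotate the production file as well. Separately, sops' AES-GCM does not pad, so `postgres_password: ENC[AES256_GCM,data:gHujC1YtssY=,...]` decodes to an 8-byte value; a longer randomly generated database password is advisable even for staging.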
@@ -1,6 +1,5 @@ wg-seckey: ENC[AES256_GCM,data:2ro+gGzaqolAkXNuVEz028X3cbq5jjoSSUZyO+FHITeX8f6lB8PYOPpe2lk=,iv:c3/J3k6TQ6+cpqk+/wutjwbVCyzY1X/rHSJU4iw0lJA=,tag:Itcvtz/AWC88PNzzLrpjTg==,type:str] -wg-seckey-staging: ENC[AES256_GCM,data:7ZDE0ePdbjzoHXyJSAIJ/Eryp9nZAEH8OTaej9/lGtSiuLAWdB+4Y/EhgfU=,iv:YlhiQvGJaxpYN1AsLDvpWbA1xq+W/8NB4L2uBQNbiy4=,tag:Nl8GEaGjLqTh6Iq51rgYkQ==,type:str] -postgres_password: ENC[AES256_GCM,data:j2nfOIse6j24sRDdofVDVV9yaNBICfF6bLuM1zAh2d4ityZ/9Nsm4CAHXo3P9fojiBeT2d6rEP82zwcghhOAaoM8mKPg,iv:OWVfqqbKbRzihevgJ+cevDcbtWgYN2t75SADkseM8qE=,tag:sGstRV0xGzjLF+SGEUPYGQ==,type:str] +postgres_password: ENC[AES256_GCM,data:URbuozlVPL+5rw5bH1sA2wWvlLi5v5cFC6q3MDHPOSI=,iv:4FGJXB0TEZH69bkHl58lVD0epACGsJ/HNTriyrtkY/8=,tag:PueSnmlF372efUm5+PjUYQ==,type:str] postgres_password_hash_salt: ENC[AES256_GCM,data:VexqhXH0gc/agVLv04K4FygcSRc=,iv:3vlrIZUm+KaGXybchUDWtXQ6cfU8Vc/DCxLXhe+igOU=,tag:eqJvJdHzu35bTQqyF345ig==,type:str] sops: kms: [] @@ -26,8 +25,8 @@ sops: cmRkeUpBdzdleG1aMDRiWTk5NFBQbWsKQqAdbF9+1U2Y/CUNxt/u7zOc7vfZmuCK HxT0x7I0I3r5m3OKrIvN7CSfXTZ5tE601DfYr4i92dvRvD46J/JbUw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-05-30T17:05:40Z" - mac: ENC[AES256_GCM,data:ToDfRg2/jGBbzTE8GuuQPRUib1OcyWrDmPfJlzLwTRoBiRq5fZs/yO045QnJTXVxiGv+PoLkOXRddkCRzA6o7Jdn8nJxMFnAKM+t4EDGFXGZ0Vto7EaLUkvVJbMRQ+yiAziaqb09qh7g4BQy1886AJEFbcQ3j8UuLrq3SaRzE1s=,iv:9kFUHzs7IMWh8R2dEb4Qd6jXXWPXbYpjGSqR9ko9xbA=,tag:+74VIdCfmT+L56hbObzIAg==,type:str] + lastmodified: "2022-05-31T19:26:14Z" + mac: ENC[AES256_GCM,data:8k8JC53kkGe4K/9myGB7EGiQ0CQ1f4A7tZ38sPm58Kjnjz7A+jNGOdWFqiu03Ox67vcrzgIht0SmBgaQPHXJcagSpEi3B8wyKFyScBoESis7Xw06FVz+EacwKbEEoGg999414Nn8SkyZ1KgBfw6KHQZRbrOwYsXPeTOmIm95qSQ=,iv:4iGILiP1Z13KS5+O1jJ04BL6Yz81c2ZqheiFsFGZCNc=,tag:qXHH4YIuiFuSal/wHxCA7Q==,type:str] pgp: - created_at: "2022-05-29T14:13:53Z" enc: |-