From 7e763ee267dfd897dffe53665c845f84aa68c398 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20L=C3=B6tzsch?= Date: Thu, 10 Mar 2022 16:01:44 +0100 Subject: [PATCH] deployment: sops + basicAuth created with htpasswd from pkgs.apache2-utils + ensured the database is not seeded with test logins --- .../db/seed/{example.edn => test.edn} | 0 backend/src/beherbergung/db/state.clj | 10 +-- .../resolver/root/admin/Export.md | 8 +++ .../resolver/root/ngo/get_offers.clj | 1 + deployment/.sops.yaml | 9 +++ deployment/modules/default.nix | 2 +- deployment/modules/nginx/beherbergung.nix | 3 + deployment/modules/sops.nix | 15 ++++ deployment/sops/keys/admins/j03.asc | 69 +++++++++++++++++++ .../sops/keys/hosts/beherbergung-lifeline.asc | 28 ++++++++ deployment/sops/secrets/nginx-passwd | 26 +++++++ flake.nix | 4 +- 12 files changed, 168 insertions(+), 7 deletions(-) rename backend/src/beherbergung/db/seed/{example.edn => test.edn} (100%) create mode 100644 deployment/.sops.yaml create mode 100644 deployment/modules/sops.nix create mode 100644 deployment/sops/keys/admins/j03.asc create mode 100644 deployment/sops/keys/hosts/beherbergung-lifeline.asc create mode 100644 deployment/sops/secrets/nginx-passwd diff --git a/backend/src/beherbergung/db/seed/example.edn b/backend/src/beherbergung/db/seed/test.edn similarity index 100% rename from backend/src/beherbergung/db/seed/example.edn rename to backend/src/beherbergung/db/seed/test.edn diff --git a/backend/src/beherbergung/db/state.clj b/backend/src/beherbergung/db/state.clj index 694da88..4ea6234 100644 --- a/backend/src/beherbergung/db/state.clj +++ b/backend/src/beherbergung/db/state.clj 
@@ -63,12 +63,14 @@ (export-named-by-date db_ctx "start") ;; before seeding - (let [seed-file (if (not-empty (:db-seed env)) - (:db-seed env) - (io/resource "beherbergung/db/seed/example.edn"))] + (let [seed-file (when (not-empty (:db-seed env)) + (:db-seed env) + ;; TODO configuration for tests + #_(io/resource "beherbergung/db/seed/test.edn"))] (when (:verbose env) (println "Seed the database from:" seed-file)) - (seed seed-file db_ctx)) + (when seed-file + (seed seed-file db_ctx))) (if (:db-validate env) (or (validate-db db_ctx) diff --git a/backend/src/beherbergung/resolver/root/admin/Export.md b/backend/src/beherbergung/resolver/root/admin/Export.md index 8fac295..e0d7397 100644 --- a/backend/src/beherbergung/resolver/root/admin/Export.md +++ b/backend/src/beherbergung/resolver/root/admin/Export.md @@ -8,3 +8,11 @@ curl 'https://URL/graphql' -H 'Content-Type: application/json' --data '{"query": cd backend gpg --decrypt /tmp/export.gpg | DB_SEED=/dev/stdin DB_INMEMORY=true lein run ``` + +## Preparation at server + +Ensure, your server trusts the admin-keyid: + +```sh +echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key $ADMIN_GPG_ID trust +``` diff --git a/backend/src/beherbergung/resolver/root/ngo/get_offers.clj b/backend/src/beherbergung/resolver/root/ngo/get_offers.clj index 9946958..ce2b97f 100644 --- a/backend/src/beherbergung/resolver/root/ngo/get_offers.clj +++ b/backend/src/beherbergung/resolver/root/ngo/get_offers.clj @@ -103,6 +103,7 @@ [ngo:id] (auth+role->entity ctx (:auth opt) ::ngo/record)] (when ngo:id ;; TODO: take it from the db and filter it by visibility to the ngo + ;; When importing, we want define to which ngo the imported dataset is visible (if (:import-file env) (unify (clojure.edn/read-string (slurp (:import-file env))) mapping_lifeline_wpforms) diff --git a/deployment/.sops.yaml b/deployment/.sops.yaml new file mode 100644 index 0000000..6759fe1 --- /dev/null +++ b/deployment/.sops.yaml 
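Review bot: The verbose `println` sits outside the new `(when seed-file …)` guard, so with `DB_SEED` unset it logs `Seed the database from: nil` even though nothing is seeded. Binding and guarding in one form would fix that and drop the `when` whose second body form is reader-discarded: `(when-let [seed-file (not-empty (:db-seed env))] (when (:verbose env) (println "Seed the database from:" seed-file)) (seed seed-file db_ctx))`. This only stops future seeding; a database already started with the old default would, as far as this hunk shows, still hold the records from the example seed. The enclosing function starts and ends outside the hunk.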
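Review bot: The added comment states an intention, but not the current behaviour, and it is not marked as open work. In the visible lines, whenever `(:import-file env)` is set, any caller for which `auth+role->entity` yields an `ngo:id` receives the whole imported dataset. Since that is an access-control gap rather than a wording detail, I would make it an explicit TODO, e.g. `;; TODO: when importing, define which ngo the imported dataset is visible to; currently every authenticated ngo gets the full import`. The surrounding resolver starts and ends outside the hunk, so filtering elsewhere cannot be ruled out from here.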
@@ -0,0 +1,9 @@ +keys: + - &beherbergung-lifeline 8d7c2caf71c02de02980dba3fdda92b5591c3b27 + - &j03 9EA68B7F21204979645182E4287B083353C3241C +creation_rules: + - path_regex: sops/secrets/.* + key_groups: + - pgp: + - *beherbergung-lifeline + - *j03 diff --git a/deployment/modules/default.nix b/deployment/modules/default.nix index 19efea1..7d89499 100644 --- a/deployment/modules/default.nix +++ b/deployment/modules/default.nix @@ -7,7 +7,7 @@ wget curl htop atop iotop iftop file bc jq - git + git gnupg bind.dnsutils ]; diff --git a/deployment/modules/nginx/beherbergung.nix b/deployment/modules/nginx/beherbergung.nix index e154efb..add04d1 100644 --- a/deployment/modules/nginx/beherbergung.nix +++ b/deployment/modules/nginx/beherbergung.nix @@ -15,6 +15,9 @@ #default = true; ## we would need cors settings supporting multiple hosts forceSSL = true; useACMEHost = config.networking.domain; + basicAuthFile = config.sops.secrets."nginx-passwd".path; # Required as a quick+dirty hack while the !changed! backend password is delivered from the frontend :/ + # Todo: integrate LoginForm into frontend + # Later: For defence in depth locations."/" = { proxyPass = "http://localhost:3000"; #proxyWebsockets = true; diff --git a/deployment/modules/sops.nix b/deployment/modules/sops.nix new file mode 100644 index 0000000..79906f9 --- /dev/null +++ b/deployment/modules/sops.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, ... }: +{ + sops.gnupg.sshKeyPaths = [ "/etc/ssh/ssh_host_rsa_key" ]; + + sops.defaultSopsFile = ../sops/secrets/default.json; + sops.defaultSopsFormat = "json"; + + ## Nginx passwd (basic auth of frontend/search for defence in depth) + + sops.secrets."nginx-passwd" = { + sopsFile = ../sops/secrets/nginx-passwd; + format = "binary"; + owner = "nginx"; + }; +} diff --git a/deployment/sops/keys/admins/j03.asc b/deployment/sops/keys/admins/j03.asc new file mode 100644 index 0000000..f0fc226 --- /dev/null +++ b/deployment/sops/keys/admins/j03.asc 
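Review bot: The two recipients under `keys:` carry no comment on where they come from or what to do on rotation. The host fingerprint appears to belong to the key that `deployment/modules/sops.nix` derives from `/etc/ssh/ssh_host_rsa_key`, so regenerating that SSH host key would leave the server unable to decrypt until the secrets are re-encrypted. A comment such as `# host key, derived from the server's SSH RSA host key; run sops updatekeys on sops/secrets/* after rotating it` would record that. With a single admin recipient, losing that key leaves the host as the only party able to decrypt, so a second admin key is worth adding. The two fingerprints are also written in different case, which is harmless but worth normalizing.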
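Review bot: The comment on `basicAuthFile` says the backend password is still delivered by the frontend, which makes this shared basic-auth credential the only real gate in front of the app, while the comment in `deployment/modules/sops.nix` describes the same secret as defence in depth; the two should agree. I would move the trailing comment onto its own lines and state it plainly, e.g. `## Sole access control until the frontend has a LoginForm (the backend password is shipped with the frontend); keep as defence in depth afterwards`. Because the setting is at virtual-host level, it presumably also covers the `/graphql` endpoint used by the curl example in `Export.md`, if that is served by this host, so that example would then need credentials. As the only gate, it is worth considering request throttling on this host against password guessing. The virtual-host block continues outside the hunk.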
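Review bot: `sops.defaultSopsFile` points at `../sops/secrets/default.json`, but the only file this patch creates under `sops/secrets/` is `nginx-passwd`. Unless `default.json` already exists in the tree, the default is dangling and the next secret declared without an explicit `sopsFile` will fail. Either drop the two `defaultSops*` lines until that file exists, or add it in the same change. It would also help to state the permissions explicitly next to `owner = "nginx";`, e.g. `mode = "0400";`, so that the readability of the htpasswd file does not depend on module defaults.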
@@ -0,0 +1,69 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFHTETsBCACv/dL0zE9nAqYLLvVUzZZzrCGsQkIKxs72hV0JNRmXLc7YuQCf +r1alO/UhDOXMqSJKWcG6bLSI6Hf0QxTMCVAj3Hhb0ext58+LryAGYHUZPSaFtdu2 +Tg14WGk9rlyDEUFBhX6Ptn9fHb6nBOoPccc3HQS512hF4il/Z4t9uDPZato0psRh +8MWRWNSW4Ph6lMrW965+zVuYScJy72N2T8E4HJ18m5qScvKKcbH8AUViAaKvCsAK +kfCEP0mZ+W7B2WWYFlyPze2kLWWAh9nU2y6NWUbOCPthjV00xC60KCKiZAqg9ACu +tvipT3EVRr3ZL3ziI8VfEwSSuGyETHbKejvxABEBAAG0LEpvaGFubmVzIEzDtnR6 +c2NoIDxtYWlsQGpvaGFubmVzbG9ldHpzY2guZGU+iQE+BBMBAgAoAhsjBgsJCAcD +AgYVCAIJCgsEFgIDAQIeAQIXgAUCW0x+vAUJEt9u8AAKCRAoewgzU8MkHJ91CACT +ducLvPQILvrrLDqB/gE2SpmG4X1ZYW3KEKSgU3V5V85l+xGq1u/L8DzODzCC6lYc +RiMLzAcW4aml8j6cDVCpXjZ1M2L7Kf4R06bOSrrBU5H0+vWVcIM10CzhdB0C2XC1 +G1Mm875clTrLJG5neyNIJOs+UB7FuxTLriqo8zxpY++TnuoOPDkVDGmOvJnXOtPx +fgWHEC48C+JBwe2PxOHAKk12kjQnlLBskQ/6nNgVybL5gJRaZ1P6UDhrTn+EJJtp +M1eIk3jNtVbjQ8KNSP1lnFjbPgNO9pJE+xNIp0zYsbrwpjwkkVZHzJZglWuXHbSc +io7oSJhZFT2YDchNzGf7iQEcBBMBAgAGBQJR0x56AAoJEGqU0DLQ7yOMILEIAKur +up7q0vnQW70u48eR2VStWPubqCAGfut1oCxvm6OjPVhavlAqj96woQsmweiCFgmO +L8+WfWW+R/Z5x85ciftHwoTM9pAnLlrUrNZxSI48HP2Uk69ywEqUl2pBs+BvqNwO +/Xtf3UJpECBjc5C1zHJA4lpufzVmMbU6IH7j1UtnfWPb5e47qRGOdq0DWGkoP6ER +X27AF1meKMWXG+eRfUapRHde6xkhfve7ri1UbgRCIpu1+XBgXXXL6Nc0PVr52n1R +4KXrbMhXEr1buV+eh4IAok3rB7SHaUjPF12wsboADK+yyxG3tCUKjupwZwwzVJox +V7uXxHQV+/GjtyRAvliJARwEEwECAAYFAlHTJ+MACgkQlZOMlp92uGT4FQf/cdJZ +PboYPW5Q6TTw3YHfsnRKwZqIQf4mn9vEWk3yiWUFw4MYp0Ey6nUAeH0SveQmmub1 +T9/fj+pav5RdYfB02YkmmF+5yU9sTjD9zHQ9+EselIhoULwQDo1eyPS0KQJ5fdEn +Z1HpV72+xJt2Q7pQE0RDRW8+Ha6gN7i++lJBcB+ZO5aVjyn75b4FvoslhJIftA0w +oxZGyUUksfdZhAl5kUTSLqxKolrWTmr5LfzSO6FU9fJhf85U0hlS97XBdPhpF9lW +lp6g4kBUvMYsGbcM6YFs4D/XATywSaUPkbTOrLhqFFwSU9w3FtVvcsbZoqoYIy8V +fnxE/gRNUyCWgSjEwokBHAQTAQoABgUCVkpMjwAKCRCSXvugi3bUcNjfB/9q+t2w +3mF4KxGsGi4JCB05KpZ4ns8t0DatCx6L2qEXaeJDf85UUtYlaVEdzuLIL1H6HFIt +FHMdgiH2sR6x+4P8WSpfMQZ2RpIqrpIVorPBOEEXelyQTKllShU3ndEizAZm5tQm +5S4be5BdWzw1dyEncABnbjeiUWVWzRPJi0NWgj16hOeaZv/6L+ORqH/+OT/VDhBV 
+pWw0jKj0aDQK8hcjetYo2RXK3H0dZrqj/nR4XW9ByfxfUvtb1gl3oeOsK/h/r5U4 +29+8AJU9NtkBS9jTdsezAV+q704uiXqFPDe6fpGp4DUz+z9pWSGrhq2EzCNzTAa/ +Yi0Tr4CPKwglCxOoiQEcBBABCAAGBQJWitRSAAoJEJzNC13zMNkRgkMH/RA/2Xzq +h2KG0uL1BzO3lYKfcZN0a1prnejbkCkssu85gaqfimuzaOEMNrKbkJzZsXgGkOru +IoHXGGlBToFxI07K8sc8RKQWQHSfJWuvOJqodC9sPMRCaPw6SPP+GSvkl4DZ8RE0 +2SvVUUU+gCNMnlJbHM/LdJqIXpOaWLqh28K9FGwbTfiopU0GGYtwRcFSgUTLYiW9 +HTpr9IiZmnkij6Y/KDy4B2GvKrk757K0eg0NfYsLVFDqfdjfY9pEljhDRJwYNrrp +9UIF6uAynXA5AyErL2mBwT25D9ROhrzcTktpIBnoh8P6Sf0kDE9MGoqUymsi4nE7 +/7u9klo+ZJwx9EuJAT4EEwECACgFAlHTETsCGyMFCQlmAYAGCwkIBwMCBhUIAgkK +CwQWAgMBAh4BAheAAAoJECh7CDNTwyQcyHQH/3Hj7L0+ERgwMQQnDV+I+MdE3RyW +v8K+XfeflGY5IK9ogp6TjCyLaHM4pJOtjnSBMQw7yhpabNzAJvv+ibNuQoznAcRA +823jCW6jyznPeW+eYqlMM0gycPN6CbCVjL6AbEp/hlCt4fQQfXX889I1RW28Uqo7 +GW2/fNan3qhSG3EEeo70qTpjwkQ1tR9V7YKkUmPfvDKA/7Pdai5eVLQSSuXafTec +cOwABWAEQZFzlBizBsn9d3+atNys4l1KZDkEf72QdHCGXBzlqEuGsIgUdCXbig95 +ZrRZCZOUBHif+EljwhC/KHg4ce0+C3h8YI1SGTYxSdan9/c/1Hphqzgf/GG0OUpv +aGFubmVzIEzDtnR6c2NoIDxqb2hhbm5lcy5sb2V0enNjaEBtaXNzaW9uLWxpZmVs +aW5lLmRlPokBVAQTAQgAPhYhBJ6mi38hIEl5ZFGC5Ch7CDNTwyQcBQJgPq+zAhsj +BQkS327wBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJECh7CDNTwyQco3UIAJI5 +p4RKLxGhSJCUd0Gkd3fuMC/4ZXa+rM/CcmliLPQjWkHPAhBahIPKekeqoohMtn2R +RBIXilUl8qToL+Q6XGrniRKnzcaxl1/B3RQpGocNcypQO1vXErnBi+og0fNtbIIu +EJs7Ddg3dUeiAOcwZpqc4zLEE/gloxCFjLj9OhJCX5rdD6kG+CKVKK0oW15kx6+g +9+qYDXO49GJGTzzZ1me/QDraiY4FefaA+B6BAs2clffA6s8If9SDeVF6NVAxuoPf +i3kHiKM6R9daB3X0JVI0QjI3DkX2sz1KbbtvfT1WC17hQ3pW8uLShchKOuGAo9M0 +em6f5f6bDKpO1Jf+1Uu5AQ0EUdMROwEIAKN+YDgQxxvMkEfDr9zgzAseb/UgMqU2 +O95FCLMlGYCMbeCA/8xdM/xvW5Bpo2a2CUMd5t8YqVt6PJ9Txvk8eeOCgBwYf7B/ +XT0LKPqc90rzLKfWQjJ6rIyrZkt/Jsq7rhWqg63LZvwPxzmSQ1j6HSoPihB8LWFa +6VIa9PXKC3RS2VuSzHAHGklvys1/F/LFQR64O8a3n4ubis2locwGoZLL3z+dYHqR +AG44Z4RqDLisJloV5iAMIJXrN3ln89BUtZ6WyPq5QgAq0/nMnjnmoEC7cXCK7gBa +h6bUCi8YM0bBMbu8y4pAaGGnGXH78DaPqKbW5RMxxmKTt+0CWwrSY+EAEQEAAYkB +JQQYAQIADwIbDAUCW0x+9AUJEt9vNAAKCRAoewgzU8MkHKvwB/4yiaiJp9PMttGb 
+CNhtkeURObCQ8L43uLt4U4qPD8fREE2BxamSQgH/rXKoO7IbNS8eXAmZJcQ5lsMy +XJ6DJ7AC0T+2jsgSN0EwbgROQ3FuQZna7YL1O14S27X7N0BNJKxapxZXvmgTCS9d +4s7Px8pq3+hJQCF7zKKqDqxgjXS5cL7Kk4mmCTVhjpKqxea4u9Rp9/+H9BxLMuDh +oCdQ8v+TMuRMYir5+KqIDz764VOsK/kk87FVqo72J856drc8bnlIyHMOHVtXbLRD +W5X+d7yX1/TJJXgXdP1l68iUW4U/zBaYMXImRDoFTYTK/+ZvZLp4fahOmUtvJr1o +PxlSdJ1X +=5tRJ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/deployment/sops/keys/hosts/beherbergung-lifeline.asc b/deployment/sops/keys/hosts/beherbergung-lifeline.asc new file mode 100644 index 0000000..60e669d --- /dev/null +++ b/deployment/sops/keys/hosts/beherbergung-lifeline.asc 
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEACdX34gzRPFhai0+2aXf9WkNGmrv58ZETD5/xSdSbroqXHMBUCg +HVU5ByKg6SqHaSu0H5xxvUzAgX3WFGXiVVlGGstB2WIoGMjqlEKzb3EKiwP2ch3Y +7KLuapHJIkzLXk0vUDKM12cYqRjQGdwf8JwNxUDcW4hEuOYS2LOTwmcgJmn31g7T +QUo8qpSK3cowszkOgCXaAoCptn0lOE618Waa6AQMPWhEhRsC44FpqXAVGqCvoVZD +5+ja1tHY+td459nG7rb79ketMAzn7A6nTJg381nJP6aMXrTSvLOcfejRJ/epld4j +/C8/H19abCBkJ1aA5ERp1RckjZlzHeLVp6pvUPr9SCkkz720FoqNHYTSE83/ag0y +YmMg1nje2zy1ntPGbjXoBzZFfq5k721NW0rjsv0ZxgtDr4IjOEBpGf93aoCmaun7 +7EjgwJSta7RmOrbIkPzVYWQiT1Xhc2R/KpLxc327W88pK14Q4WQeZds+2PDNCojD +g5AW3HRpEy9ExSwONVRGa8Oq41yumAWKIJdfN0VSKiDiciF2l6ONi7B7ygmZoa5q +Po836CwXysTDDpbPmASqSGyQ+i5DlztrxFv5Lh/aRv625Sg1A67l953kDEXQpxv+ +zBemaRLOCsSsVKt7D5melw0rhNDRxPbssB61OVGyetbKTqhiYvdjfJvMaQARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQ/dqStVkcOycCGw8CGQEAADAnEAAdGe47mNyQ4DWflOnL9SeS +c1J9GdyjMiqDey0QYoB/E01gem9Hu3CUAjUJ/NGxF5qi/BlcbLU4maRM5akUQI/W +ejBsZa84pamVY3U9ZxjNDNyA765oADJlBWIrUD52g8T3eeKKwURHTC7ncDTXesAz +C6TamaHPy4f7tdvfA8KubD68g9tyy2C4nWBrJyov+FfcMcFRhpQAvFiNXmOYTnTm +ylmVGCv9tAtzlmJ02jt3BPeL98EsCIAJ3S1D75Q5wFSuSPhGDLfhGdkHtXAeswLK +s+j3+4qHrCkE1NoaLcnHgWt4sKCtAju0eai/LY7AH1CEGJDSbpeEz4uTctK93iKb +bz1bvKlgGf3byqUfje5mRLgVWZwKH5m16SuIMBLU4vPUzTY6XTu2QpX6W9cTB5r1 +/Gpp45sI43fFVkCTZq+qTRogX+j5EElpk5d1wDAEyHTU8EeiqHrJOrrmPrOXJQGr +f89lbi+tGbs0XmlT8J0hVr6SxyUjOlQScQcvlZi4+ewrWTDsndGjCLFTzEK0yKRo +Q1ZxyE7o+WDgjiKuvaiH4iTyUQ4aCsfGNybQ0885gt1sLzk8aV2e0Ex3f6luH+W7 +TY+silE/jPHHCW66PoWOc2nIzfMOHXBQjpKr3h9cJ9F5stQfFlpNpPUFjGRayQ5x +2oEhzxK1JhulVJ9ojN37nQ== +=a4ad +-----END PGP PUBLIC KEY BLOCK----- diff --git a/deployment/sops/secrets/nginx-passwd b/deployment/sops/secrets/nginx-passwd new file mode 100644 index 0000000..946b928 --- /dev/null +++ b/deployment/sops/secrets/nginx-passwd 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:m16wyh6ruLGXyVOzcGHLlAfeubguGZL6FpgLyBIxk1iai4KrYoZ5r+y+eSTddg==,iv:FhiZjUwkp019wW7RT6T4AxGqNZ6HFHluAt8/z7r3Oz8=,tag:T1GNuBxuAdq97tm45l05dQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-03-10T14:53:47Z", + "mac": "ENC[AES256_GCM,data:fU70SEXq2Qa9rZvwa6/KrFqecx8bTORySXnKDLlTNIAk/hgjuw8Hevxazpqum074Zh3e7KrpWkmiA02PPoVdMAmNpzL37dTiyzVJoOF3SSq6BXJ1IpnIQtdQl0MZqTbCdRFf96WMq0AXc2TNIPGd1L0Acf3p0AvVJS62kYkkhX4=,iv:96YVf6tJ3qEmz6E0eGcHU3NS+0Ct1TWJoTTER5+c4B8=,tag:7d/GAUe1LE2fEHjZ+6iCVg==,type:str]", + "pgp": [ + { + "created_at": "2022-03-10T12:50:11Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA/3akrVZHDsnAQ/9FhBUrNeemuywlWRJIE9IgQEz3CTtOyIHluk8Af0RNvdo\naZXd6XTHM+vip25dRKsXhJkVjFvYibwoj35LvIcKISIwJcFlwEO6BWTUeyfuwofB\ny4Ig+4sh6nSzBi0REBu8DNROBHWJfKVtZ2TI+705AP9SnZlKmfgtIrdct3bVpTqk\nnriYjiCRahzCnQ/7JJvOkKDIWbaGiv0NZm4CXpl164DeN3AnKE6Wg45Q8GPgg31I\n1F+GE2kSwD9wgtwlnyYiN/9Ngx09K486CE2/qo3FePNpk5QgFaxTmHnv/1CTvNu0\nZjOab8ENwLn1TPr/uvXUWfTi4j8auk768Q7+bIFG1xp6BQ+hR6/5r4GVsnAyzdE1\ntcjNIAoiXwbcNcsvV0jvjc/VkyPWhOS7rPW6uZ6hT3OEWVo3e9HPe84N5FjmLIPN\nGFGHHxtJXs7CRHLx1vxCEfzKC2UFW6+fyF+hVEzNV0ThDPpSBxiUnzENfTpgEaBF\nmJjlTg4kmvVzDCdlUdkU8ID5pqoHg0xtVUllxB5FFOlNUsBtpLwjb0CaNVXxSbC5\nYJi+SS6JIzw+C+Hg2pBEuxxWDIGWrq8TOxLn4fVWQz2A8Fz1nKjmqwKRSfdBAuia\nq1Pc0LVXZCFd+PeZ0RL/rcN5MPSRwdiyPZTXY2NexU07WZ/YjmFoLSwhiKim9xnS\nUAFpcSXaOUAiqA/s5dWsw4nCLuR8VS1DTBKqovHJOB+lQkYKzNRJ5gWwY77L+M7F\n2ObqQsP+dvMwDY15ZV7YHAHED+K5Xf/4rpPgSExh6Umr\n=EbV6\n-----END PGP MESSAGE-----\n", + "fp": "8d7c2caf71c02de02980dba3fdda92b5591c3b27" + }, + { + "created_at": "2022-03-10T12:50:11Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nwcBMA/Z87ylQaotQAQgABf6ptkC0Sqrta+jzY9PJwOEkZRz9arPzpdVCPg9PqrqR\n4F3bFghd1PHoijCNfKCFnDFGwGhH/lxtQvqox+xc83iBc8B+mt8ydDnXBPS3ff5V\n1/obWuG71AIUAZPEHvzs3a3KbQ4lt7hsvSlkfHoAXbRvl/A3Ly8Z7ji7Ql4r2K71\neOARuxATmPKmgjMB1rWsaNkIwiazcr2YXPJJoA284DGOZw6W0Rptv9RFNm9PttC0\nKecwKUVxqR0atTd3bG6+CTTcKH7sSCKhui+LWkX6kWt26cnT2dNxYF83shVojCJ3\nhpj5MHfvbsbPCNzoefrYWE+Gk4qhmwWS5VFTJrqfO9LmAWI/eHwaK/e2uK4xyrqB\nvFFm/BNoK9x17tRDBHo75M/SLkm1Xqg+UW4TpjjjYDH6RYU8n3P2fB15fjy3yVeH\nS+T6o0eFl6hW886pq9Akvmar4mtUYFcA\n=goup\n-----END PGP MESSAGE-----", + "fp": "9EA68B7F21204979645182E4287B083353C3241C" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/flake.nix b/flake.nix index bd97250..0d86b83 100644 --- a/flake.nix +++ b/flake.nix @@ -31,8 +31,8 @@ commonModules = [ ./deployment/modules/nix.nix ./deployment/modules/default.nix - #sops-nix.nixosModules.sops - #./deployment/modules/sops.nix + sops-nix.nixosModules.sops + ./deployment/modules/sops.nix ./deployment/modules/dns.nix #./deployment/modules/monitoring/client.nix ./deployment/modules/nginx/beherbergung.nix