diff --git a/.sops.yaml b/.sops.yaml index bdb478b1..99e94c53 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -9,13 +9,14 @@ keys: - &milan-linode-01 264f9137377eda3b95c82c86cebd6d17984b8d4e - &piaware-rpi4 4216b645667670a6130bb95a72a56f8269cd0818 - &backups-rpi4 8b37122bb46dc98c208002d65e94778ecd94bd4e - - &quitman-rpi4 - &bakersfield-rpi4 c93d5c2da5efe4ba4103c8f571faa392f202eed4 + - &quitman-rpi4 - &nixos-desktop - &nuc-server creation_rules: - + + # Shared: - path_regex: secrets\/yubikey\.yaml$ key_groups: - pgp: @@ -43,12 +44,22 @@ creation_rules: - *framework-server - *backups-rpi4 + # Users + - path_regex: secrets\/users\/albert\.yaml$ + key_groups: + - pgp: + - *albert + - *framework-server + - *nixos-framework + + # Containers - path_regex: secrets\/containers\/rdesktop\.yaml$ key_groups: - pgp: - *albert - *framework-server + # Machines - path_regex: secrets\/hosts\/milan-linode-01\.yaml$ key_groups: - pgp: diff --git a/home-manager/users/albert/default.nix b/home-manager/users/albert/default.nix index 75777c53..bad52b5a 100644 --- a/home-manager/users/albert/default.nix +++ b/home-manager/users/albert/default.nix @@ -12,9 +12,7 @@ programs.bash.sessionVariables = { # SOPS comma delimited list of GPG keys allowed to edit files - # TODO Update old key fingerprints SOPS_PGP_FP = "4A89D6B44B7E423B647C7AE848FBC3335A26DED6"; - TEST = "Hello World."; }; programs.fish.shellInit = '' @@ -36,9 +34,9 @@ accounts = { email = { - accounts."sysctl" = { + accounts."Albert Copeland" = { thunderbird.enable = true; - neomutt.enable = true; + # neomutt.enable = true; userName = "albert"; primary = true; address = "albert@sysctl.io"; @@ -73,4 +71,4 @@ }; }; }; -} +} diff --git a/nixos/users/albert/default.nix b/nixos/users/albert/default.nix index 39ebbcf7..f1f95679 100644 --- a/nixos/users/albert/default.nix +++ b/nixos/users/albert/default.nix 
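Review bot: The new `secrets\/users\/albert\.yaml$` rule in the second `.sops.yaml` hunk encrypts only to `*albert`, `*framework-server` and `*nixos-framework`, while `nixos/users/albert/default.nix` in this same commit points `sops.secrets.atuin_key` and `sops.secrets.email_password` at that file with no per-host condition visible. If that user module is imported on any other machine listed under `keys:` (the Linode host or the Raspberry Pis, for example), sops-nix there will presumably have no key that can decrypt the file, and the secrets will not be installed. Either confirm the module is only used on the two listed hosts, or record the intent next to the rule, e.g. `# Users: decryptable by albert, framework-server and nixos-framework only; add the host key here before importing nixos/users/albert elsewhere`. The `creation_rules` list continues outside the hunk.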
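Review bot: In the `accounts.email` hunk of `home-manager/users/albert/default.nix`, `# neomutt.enable = true;` is left as commented-out code with no reason given, so a later reader cannot tell whether it is disabled on purpose or is waiting on the new `email_password` secret. Delete the line or state why it is off, e.g. `# neomutt disabled until the account password is read from the sops secret`; that wording is a guess at the intent, so adjust it to the real reason. The account attribute set continues outside the hunk, so how the password is supplied to the mail clients is not visible here.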
@@ -35,10 +35,15 @@ in { # Used here instead of home-manager because HM randomly needs to restart sops-nix and I can't # find a way to do so sops.secrets.atuin_key = { - sopsFile = ../../../secrets/secrets.yaml; + sopsFile = ../../../secrets/users/albert.yaml; owner = "albert"; }; + sops.secrets.email_password = { + sopsFile = ../../../secrets/users/albert.yaml; + owner = "albert"; + }; + # Make this user trusted nix.settings.trusted-users = [ "albert" ]; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 95615c48..a3b76585 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
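Review bot: Pointing `sopsFile` for `sops.secrets.atuin_key` at `secrets/users/albert.yaml` changes where the value lives but does not revoke earlier access: the ciphertext this commit removes from `secrets/secrets.yaml` stays in repository history, readable by whichever recipients that shared file was encrypted to. If the purpose of the per-user file is to narrow who can read the Atuin key, rotate the key after the move rather than re-encrypting the same value. Separately, the new `sops.secrets.email_password` block repeats the same relative path; one binding such as `albertSecrets = ../../../secrets/users/albert.yaml;` in the surrounding `let` (which opens outside the hunk) would keep the two declarations from drifting apart, and the block deserves a one-line comment such as `# Mail account password; owned by albert`.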
@@ -2,15 +2,14 @@ services: promtail: ENC[AES256_GCM,data:NULM4o3ujFnx+/NKjMRQ5bi/nFViSNPjg0bmVlBDSt/1GWwxozHqeFwbbqC+cAOGRZvd3J5daqlB95nsPaBxrw==,iv:o2hvumFBQlkBrBV6qJrt9t3TF8oLiF3dByuILCandwE=,tag:CZbx+Ls5R8yrbBQMs1uewg==,type:str] telegraf: ENC[AES256_GCM,data:o8zXVQ42vV4dDg3rljBE5xmSRQDorj6/CCtzbo6gr+fxnF37MPpH+0MJfQrZEzY=,iv:z2gotp149hfl0mWBhiWWbNtU8v+L6gdv5EqkqgwF9s8=,tag:hkmtMds+iQ97pYwU9QubpQ==,type:str] forgejo_token: ENC[AES256_GCM,data:vAH8v82+WI/P0HhtLDfrK66B3u2H49XA1AglfL1LthM6Dm+znBlx4QaFmNk3ag==,iv:/jqtUejqNC9f9kXdUqxl1+LaxKsjXSZdU+I0u+ssmdQ=,tag:+2oWh6sgc7R1PXYxIz3oVQ==,type:str] -atuin_key: ENC[AES256_GCM,data:pSRdTZG59hGKvG2zj0VU9oudugW7q3qz7JfN0r5Zts6DKB1sTszWKRKTODGdhKsoBs3WIWUfJbi7MixRk7ttrJDySWyFZMPYUDgn3g==,iv:B6/DN/akNliFVAhN4Hwk2BvwVStcbtRHRZi/SUkIEzY=,tag:kOwmgKaCQrGupJBiEWiC0g==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-05-05T07:52:02Z" - mac: ENC[AES256_GCM,data:xe5E4B0nIyAAEs7dJVlJOFiuC/xM8RCZ8/Gxj5C+kgcVRMqiL+UoaXMb6N4c5hAJDSbbF6SwDwqTy+bmZu7aV0NSoClICJl/zuyc1jPQrIFf/8GUWDe654mqSmsOijXPsNvPWWC+h2QDSEcut8fe1WQag6RA61ri4fL4ih4VukA=,iv:966NPVYUEdBspI7WhvutngvRs5SgwI+wyDVhldG9IqA=,tag:Pvmeir7NCw8mbN9rtoYsDg==,type:str] + lastmodified: "2024-05-07T00:20:01Z" + mac: ENC[AES256_GCM,data:OPgvDyOnPNWzvVWsuAi0F/c95i0LXoK2ohPpDZnbbzSKin+pFhI2uWNSfGBr8ZLb31jlNcAATVNxcYEoqd8jHT1u45Bt0gEP4QQ+K/mkswcRI/5NbjLPAgkFrPDeLe6BlL1jwVRGWC/0+CGRfDJk4gmA1IOvxG+DZBfL3N74U1E=,iv:5/wlHM/UT8LGiksN6IlUlwI/13NoN6f/1ZJwkWRjuh4=,tag:DE/i/lvhAoP2ZHqRNInETg==,type:str] pgp: - created_at: "2024-05-06T12:29:59Z" enc: |- diff --git a/secrets/users/albert.yaml b/secrets/users/albert.yaml new file mode 100644 index 00000000..446524e7 --- /dev/null +++ b/secrets/users/albert.yaml 
@@ -0,0 +1,73 @@ +email_password: ENC[AES256_GCM,data:8gSaWe8MVQzd2cm+bqWI0jKhHzWLBe16gXj7+Ymxxj7Yq6eGwYeR+/Pgr5MdYL/Bw8GHZiM6lFticfFBGZcu9ar7tnDjLoI10EuflyvJkxc6pH1cFm4lvI9Y39j3Fc7TOf9EpX5NS74wTyiqAt4jC+sx1p+Uq3mbv6QZzMsI4Qo=,iv:SCpuPI5pd+wnKLrqTwlJkJsnPuOF0l6M92YtsdrwzxA=,tag:kTfu+JfqVIRCzwQhP/7eng==,type:str] +atuin_key: ENC[AES256_GCM,data:0qgmIwr+iTtsZC/XRmvqalz+dtF6QlfewCsWliiKLQnrYMDwQDtTi/x9a+mravCUfU/lMrW+uGP/S9+SaFqhivCR04+lhebVzudhSQ==,iv:noX6V2Cqm1yBL5IKIJkHW3sw9ztlOnxCGWoNIaUizEw=,tag:pb/kyV5KGUv8RjsnaZ5l8w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-05-07T00:20:08Z" + mac: ENC[AES256_GCM,data:vnh6/A6wZxUMERGnlgUAIcv8x6VkMI/Ez1put16FcB71FSrYdcGFsJzFKZzqsZtFG0pubiCL83i2bp40lip6hhBeILmJ4TDUwtHBnHZ40l0nP3F0rAItIKQSaXFW2VLkTZbhqghSyVTywEZQ61Pr7B8/wJILmvDJc4+hfRSnBis=,iv:Afq67eyLjcJzvJchdBSLJKdeiFbmcOKpJd+fWVz6u+4=,tag:A81AbLm6ohXl0h6Q9vDkCA==,type:str] + pgp: + - created_at: "2024-05-06T23:23:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwAAAAAAAAAAAQ/9HSTn5/q6LBHkzcn+3CchpE54jWgrK9GT/iV7Mnucawr0 + F6Cx23kK/E41v/MXE8GuBTmwHSIRBsP3d+PTtunc9eI7V0Whd376fIr1l6ImnynP + Yy9GmzIYYYAH7naII2GDsagLgf4iCxwOM13TxtqCrTOMBjNJAR6Ztrg9ynZmfE/E + KHScZW/n9TnMXpOUuwlUWUNFiX39Oj+w6zHeyfZ5gGth3zoSCMY9hAVVnogp9i7H + 7XfoQkqtKgOufg/TgLknX7ooJg65gT1SZz5/nxOdKcUD/yAAE03YmGictIp4FybU + HtVn9IPtQ5n0Z5EhLY0KOOH+BD/JeqKiXEW6jLgwfPC8Q4BD73sLQpE22MdbAWCa + NPNaLvZduohzDFMClgAI3itq6hYRaG76nTDAaRDUQDET7y1Wl8LL2NnEFcljNhR1 + wawsLbDqVjTisBRf1OA6l+Xz3OLCFxv2sYMHGSxO3oTUDO29sFdfdczQxasuQyvr + vdLqoj59YskAE2lVgE/qMCEqOeZ7UQno+H5YEaYSzrReR3kRxMGneiH5+XCwAaa8 + 0Q/GJ10uMAbo78jcPC0iC+8/uO246a++IZs8p5j0sjPwRwJ4iQxEpcTQislQpNv/ + tEtzqJ4YBc+Zdm/QdyNan7a65yUpUzzOnIJnYugK2awpwAr/2IaqHWTXli3lwuzS + XAEeBkoXUR3Oy5UEik8BqP3b7VKgI4GSUpskKUdG+vP+JUVSX0P0+aEOt1E9HhVi + EPJMrgZZmBREWb9kuS5waAEPY9vd8lPcMzAUBiK+MHriXW0jz2e+3B8YZscw + =wAg4 + -----END PGP MESSAGE----- + fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6 + - created_at: 
"2024-05-06T23:23:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwAAAAAAAAAAAQ//W+vqkVQrorKz1ahXVHeBzoqPBE+C0gbE8VX+pBX5/ELI + nL5AH9aWN1+oEU25TaYdSli/D5OFGr6M6QfKWDb/6RKYs7lX+/MZW9B+GL0OkD6Q + yLRacMnWwxuX3Ek1tvgCWnrtXoPFEPPFy6uBLpjG8dtbZJbghBC4l8UTiVlQLnuW + R83jOuASvv9VI97SWwYoYhSmfzveN8r01uVBi7opeBim1GH2lU4TmnvbccYRDrUH + amCgkPlXYfCdgw4ss3HhfqFAd7+qhXOHBUjwbJ25APH33m7ujOsiszLx4midQbyt + FDakG8bXXNtPs4vIXYTNXTj3deCoa40wkvg6Lb3iekFh4d2vI9j/4CUadrj8GCTG + dEFva1UgoUyHjQdEvwFxWbseZiOonDvTDw7uY2ov+pW+Zf5V6hU8joxXDesNXI9B + s+vcDzKBOmFIv23yWLO8Mc5q6oezp6KZ55H1ZMk38Nk2rQoWO/diLil3sGcTKD/B + c3MtF3iuub/qylWacGAy/o+cE5Gf0DBE124mGFFAco0EBtV/GCY9KXxAHWKAi2Hd + /G+Ns+oCW0+hO19+mqGwPNSIsBLxpmE/Yg2TrCpe6ljDxk9VO1R+o+C24nr8xNvP + xoZDsNhbpn3yB7MyHqmZo7q/pQW3JTCtEP1C5aoYVxye01RGewvlypJTmYCGKC/S + VgFejuQp2VVgly6FX6114HdqCa1pbjNZcFe1655njMvdHsVJwOnsQ74iMQaWUxAE + xieFjRAw943FMlTEdLlJy8SGJU2M3svrKEfJOx7v8P8CmIqnY6iT + =t+mE + -----END PGP MESSAGE----- + fp: dfd3a496aba156fa521e82ada77d68dc727cf52b + - created_at: "2024-05-06T23:23:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwAAAAAAAAAAAQ//SPuNaZEJImK4AoAIr5Bj8bjOPDlJvGCsO51ktbQKSNN/ + eOwYEzh8KksN5A+RVltaV67DOg7EL4lwQhplsBEewt2EdY4AfG2zZBuL0yb9HrPX + BXBj5g0AMfGVdiIibXBNNlB3zkEVieTyfPZrmlO4jb0g3Xkbtp61caZ47WWaQbiT + yg2GrvkkzA6FcOSbOdDVbjTKavJ3G3d9n1hXSM9h1ui1onOLlkRUznri/maZS3wd + 03odq3u8dtLeJgEkF12N14wRhSltgdDTdpclDdOSuTjMmATrupM2Mdvnc5I9wraO + si6I19tsvDEZi/lzG+GuOPNjPoLwVqzMM2pC+0S8DMsC2x23EUWMPRR21shy+wDH + 3nTBimbaFCjwLObZeWm5SdkiME15m0cxZxHNoz6VgKKaCnUafx4eVzeFmK7vWETh + ghXvxWePrbfrHv1f2ToBKr/3NMA/wTypM95IameFuhYt95XnM0PiF3NmBvmIGXJn + WJNAjIubnw9WQgCkww/LP88O0CWNX1FJHL8Mk1H7DX0f83WBnGA0WLBFQ12k95DL + slR320I7Hnx0m/PIcJJ/NonNYdChHGx9sO/+aEvx1sI6k8dyS193EKZ6Gt+JGgua + yJqB4MoLBIVvOYvCRFjGIIuhZIPWyjXRGU1dW/k3INTiu4fjHCKv6ZbBwo9A5L7S + VgFRvbshQMnZvZrPqcG/J0/ITEbXKdOCnbfIBu3Ip7mAqn7Bhd48kxT7kv6KGeO8 + ede0aYSSzYYp3ouxbl73rUyaUmiLXo75/6dZ7Tw0oeWi2PFLtsS4 + =I6BQ + -----END PGP MESSAGE----- + fp: 
aaec681e4fb9dcdd15d0d367a86615d17653d819 + unencrypted_suffix: _unencrypted + version: 3.8.1