test
This commit is contained in:
parent
db2ea0f564
commit
5862f43f63
5 changed files with 18 additions and 18 deletions
|
@ -6,7 +6,7 @@ keys:
|
|||
- &host_nixos-rpi4-03 769021d2a24bf6e4d1c72791fc302f9a3cfb5171
|
||||
|
||||
creation_rules:
|
||||
- path_regex: secrets/secrets.yaml
|
||||
- path: secrets/secrets.yaml
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *user_albert
|
||||
|
@ -15,7 +15,7 @@ creation_rules:
|
|||
- *host_nixos-rpi4-03
|
||||
- *host_nixos-vm-01
|
||||
|
||||
- path_regex: secrets/tailscale.yaml
|
||||
- path: secrets/tailscale.yaml
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *user_albert
|
||||
|
|
|
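Review bot: Only one of `- path_regex: secrets/secrets.yaml` and `- path: secrets/secrets.yaml` survives this hunk and the rendering does not show which, but `path` is not a key sops reads for a creation rule — the file matcher is `path_regex`, and a rule with no `path_regex` matches every file, so the first rule would then also win for `secrets/tailscale.yaml` (the second hunk makes the same swap there) and `sops updatekeys` would re-encrypt both files against the first rule's key group. If the intent is an exact-filename match, keep the regex form and anchor it: `- path_regex: ^secrets/secrets\.yaml$` and `- path_regex: ^secrets/tailscale\.yaml$`. If `path_regex` is the line being restored, this change is fine as is.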
@ -11,10 +11,12 @@ gpg --import $gpgKey
|
|||
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key 64F6C4EB46C4543A trust
|
||||
|
||||
# Setup SOPS
|
||||
ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o /etc/nixos/git/keys/hosts/$(hostname).asc
|
||||
# Update your .sops.yaml with this key
|
||||
sops-update secrets/secrets.yaml
|
||||
for i in $(ls secrets/):
|
||||
echo "Copy this key to .sops.yaml: "
|
||||
sudo ssh-to-pgp \
|
||||
-comment "Generated `ddate`" \
|
||||
-email "root@`hostname`" \
|
||||
-i /etc/ssh/ssh_host_rsa_key \
|
||||
-o /etc/nixos/git/keys/hosts/$(hostname).asc
|
||||
|
||||
# Set up ssh keys
|
||||
ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa -N ""
|
||||
|
@ -30,4 +32,10 @@ git push
|
|||
popd
|
||||
echo
|
||||
echo
|
||||
echo "Complete."
|
||||
echo "Complete. Once '.sops.yaml' is updated, "
|
||||
echo "you may run 'sops updateKeys secrets/*.yaml'"
|
||||
echo "and reboot."
|
||||
|
||||
# Update your .sops.yaml with this key
|
||||
# sops updateKeys secrets/secrets.yaml
|
||||
# sops updateKeys secrets/tailscale.yaml
|
|
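Review bot: `for i in $(ls secrets/):` is not valid shell — the trailing colon and the missing `do`/`done` make bash stop with a syntax error at that point, and `$i` is not used by the `ssh-to-pgp` invocation that follows; the page does not show whether this line is on the old or the new side, so if it survives the commit it needs removing (the hook that follows works on one host key, not per secret file). The new `echo "Copy this key to .sops.yaml: "` is followed by nothing that prints the key: `ssh-to-pgp -o` writes the public key to `/etc/nixos/git/keys/hosts/$(hostname).asc`, so a line such as `gpg --show-keys "/etc/nixos/git/keys/hosts/$(hostname).asc"` after it would show the fingerprint the `&host_…` anchors in `.sops.yaml` are built from. The script continues outside the hunk; the second hunk at line 32 only repeats the instruction text.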
@ -43,14 +43,6 @@
|
|||
SSH_ASKPASS = "";
|
||||
};
|
||||
bashrcExtra = ''
|
||||
sops-edit() {
|
||||
nix-shell -p sops --run "sops $1"
|
||||
}
|
||||
|
||||
sops-update() {
|
||||
nix-shell -p sops --run "sops updatekeys $1"
|
||||
}
|
||||
|
||||
nix-clean-all() {
|
||||
sudo nix-env -u --always
|
||||
sudo nix-collect-garbage -d
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Useful to avoid using channels when using legacy nix commands
|
||||
let sops-nix-lock = (builtins.fromJSON (builtins.readFile ../flake.lock)).nodes.sops-nix.locked;
|
||||
let sops-nix-lock = (builtins.fromJSON (builtins.readFile ../flake.lock)).nodes.sops-nix.locked;
|
||||
in import (fetchTarball {
|
||||
url = "https://github.com/Mic92/sops-nix/archive/${sops-nix-lock.rev}.tar.gz";
|
||||
sha256 = sops-nix-lock.narHash;
|
||||
|
|
|
@ -9,8 +9,8 @@
|
|||
NIX_CONFIG = "experimental-features = nix-command flakes";
|
||||
# imports all files ending in .asc/.gpg
|
||||
sopsPGPKeyDirs = [
|
||||
"${toString ./.}/keys/hosts"
|
||||
"${toString ./.}/keys/users"
|
||||
"keys/hosts"
|
||||
"keys/users"
|
||||
];
|
||||
|
||||
nativeBuildInputs = [
|
||||
|
|
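Review bot: `sopsPGPKeyDirs` switches between `"${toString ./.}/keys/hosts"` and the bare relative `"keys/hosts"` (same for `keys/users`), and the rendering does not show which form is the new one; the relative form is resolved against whatever directory the shell hook runs from, so entering the shell from elsewhere may import no keys or the wrong tree's keys, whereas `${toString ./.}` pins the lookup to the directory this file lives in. If the relative form is the addition, keeping the `${toString ./.}/` prefix is the safer choice; if the absolute form is the addition, a one-line comment above the list, e.g. `# absolute paths: the hook must find the keys regardless of the shell's cwd`, would record why.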