diff --git a/.sops.yaml b/.sops.yaml
index d72903ca..7de480ec 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,7 +6,7 @@ keys:
 - &host_nixos-rpi4-03 769021d2a24bf6e4d1c72791fc302f9a3cfb5171
 creation_rules:
- - path_regex: secrets/secrets.yaml
+ - path: secrets/secrets.yaml
 key_groups:
 - pgp:
 - *user_albert
@@ -15,7 +15,7 @@ creation_rules:
 - *host_nixos-rpi4-03
 - *host_nixos-vm-01
- - path_regex: secrets/tailscale.yaml
+ - path: secrets/tailscale.yaml
 key_groups:
 - pgp:
 - *user_albert
diff --git a/docs/setup.sh b/docs/setup.sh
index e7fb079e..e405a94b 100755
--- a/docs/setup.sh
+++ b/docs/setup.sh
@@ -11,10 +11,12 @@ gpg --import $gpgKey
 echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key 64F6C4EB46C4543A trust
 
 # Setup SOPS
-ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o /etc/nixos/git/keys/hosts/$(hostname).asc
-# Update your .sops.yaml with this key
-sops-update secrets/secrets.yaml
-for i in $(ls secrets/):
+echo "Copy this key to .sops.yaml: "
+sudo ssh-to-pgp \
+ -comment "Generated `ddate`" \
+ -email "root@`hostname`" \
+ -i /etc/ssh/ssh_host_rsa_key \
+ -o /etc/nixos/git/keys/hosts/$(hostname).asc
 
 # Set up ssh keys
 ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa -N ""
@@ -30,4 +32,10 @@ git push
 popd
 echo
 echo
-echo "Complete."
\ No newline at end of file
+echo "Complete. Once '.sops.yaml' is updated, "
+echo "you may run 'sops updateKeys secrets/*.yaml'"
+echo "and reboot."
+
+# Update your .sops.yaml with this key
+# sops updateKeys secrets/secrets.yaml
+# sops updateKeys secrets/tailscale.yaml
\ No newline at end of file
diff --git a/home-manager/common/software/cli/bash.nix b/home-manager/common/software/cli/bash.nix
index 7693ec57..f615787a 100644
--- a/home-manager/common/software/cli/bash.nix
+++ b/home-manager/common/software/cli/bash.nix
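Review bot: `path` is not a creation_rules key I can find in the sops configuration format (the removed line used `path_regex`, which is the documented one); if sops ignores the unknown key, both rules lose their path filter and the first rule matches every file, so secrets/tailscale.yaml would be re-encrypted to the secrets.yaml key group on the next updatekeys run. The same change appears in the second hunk at @@ -15,7 for tailscale.yaml. If the intent was an exact match instead of the substring match an unanchored regex gives, an anchored regex does that without changing key names: `- path_regex: ^secrets/secrets\.yaml$`. This is worth confirming against the sops version pinned in flake.lock before merging, since a silently widened rule would probably not be reported by sops itself.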
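Review bot: The `-o` path in the new ssh-to-pgp call interpolates `$(hostname)` unquoted while the two lines above it use backticks, so the same command mixes both substitution styles; quoting the path and using `$(...)` throughout is the consistent form: `-comment "Generated $(ddate)" \`, `-email "root@$(hostname)" \`, `-o "/etc/nixos/git/keys/hosts/$(hostname).asc"`. Because the call now runs under `sudo`, the generated .asc is written root-owned into the git checkout that the `git push` in the next hunk commits from; I cannot see whether ownership is handled elsewhere in the script, so a `chown` after the call, or limiting sudo to reading the host key, deserves a look. If ddate is not installed the substitution yields an empty comment and the script carries on, and unless `set -e` is set above this hunk (not visible here) a failed ssh-to-pgp likewise continues into the ssh-keygen step.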
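Review bot: The new completion message and the trailing comments tell the user to run `sops updateKeys`, but the sops subcommand is spelled `updatekeys` — the helper this commit removes from bash.nix invoked `sops updatekeys $1` — so a user copying the instruction literally gets an unknown-command error if the CLI matches command names case-sensitively. I'd change the three occurrences to `echo "you may run 'sops updatekeys secrets/*.yaml'"`, `# sops updatekeys secrets/secrets.yaml` and `# sops updatekeys secrets/tailscale.yaml`. The new side still ends without a trailing newline; since the last line is now a comment rather than the `echo`, adding one costs nothing.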
@@ -43,14 +43,6 @@
 SSH_ASKPASS = "";
 };
 bashrcExtra = ''
- sops-edit() {
- nix-shell -p sops --run "sops $1"
- }
-
- sops-update() {
- nix-shell -p sops --run "sops updatekeys $1"
- }
-
 nix-clean-all() {
 sudo nix-env -u --always
 sudo nix-collect-garbage -d
diff --git a/lib/sops-nix.nix b/lib/sops-nix.nix
index 04f718d0..17832f1a 100644
--- a/lib/sops-nix.nix
+++ b/lib/sops-nix.nix
@@ -1,5 +1,5 @@
 # Useful to avoid using channels when using legacy nix commands
-let sops-nix-lock = (builtins.fromJSON (builtins.readFile ../flake.lock)).nodes.sops-nix.locked;
+let sops-nix-lock = (builtins.fromJSON (builtins.readFile ../flake.lock)).nodes.sops-nix.locked;
 in import (fetchTarball {
 url = "https://github.com/Mic92/sops-nix/archive/${sops-nix-lock.rev}.tar.gz";
 sha256 = sops-nix-lock.narHash;
diff --git a/shell.nix b/shell.nix
index 1a9042b5..0dd8d1c2 100644
--- a/shell.nix
+++ b/shell.nix
@@ -9,8 +9,8 @@
 NIX_CONFIG = "experimental-features = nix-command flakes";
 # imports all files ending in .asc/.gpg
 sopsPGPKeyDirs = [
- "${toString ./.}/keys/hosts"
- "${toString ./.}/keys/users"
+ "keys/hosts"
+ "keys/users"
 ];
 nativeBuildInputs = [
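Review bot: `keys/hosts` and `keys/users` are now relative paths, so the sops-nix shell hook that imports from sopsPGPKeyDirs resolves them against whatever directory `nix-shell` is started from; entered from a subdirectory of the repo the import finds no keys (silently or with an error, depending on the hook), whereas the removed `${toString ./.}` form did not depend on the working directory. If the relative form is intentional, for instance to avoid pointing at a /nix/store copy of the tree, the comment above the list should say so: `# imports all files ending in .asc/.gpg; paths are relative to the directory nix-shell is entered from`. Otherwise `"${toString ./keys/hosts}"` and `"${toString ./keys/users}"` keep the directories anchored to this file's location.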