test
This commit is contained in:
parent
db2ea0f564
commit
5862f43f63
5 changed files with 18 additions and 18 deletions
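--- a/<path not shown on page: file 1>
+++ b/<path not shown on page: file 1>
@@ -6,7 +6,7 @@ keys:
 - &host_nixos-rpi4-03 769021d2a24bf6e4d1c72791fc302f9a3cfb5171
 
 creation_rules:
-- path_regex: secrets/secrets.yaml
+- path: secrets/secrets.yaml
 key_groups:
 - pgp:
 - *user_albert
@@ -15,7 +15,7 @@ creation_rules:
 - *host_nixos-rpi4-03
 - *host_nixos-vm-01
 
-- path_regex: secrets/tailscale.yaml
+- path: secrets/tailscale.yaml
 key_groups:
 - pgp:
 - *user_albert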
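Review bot: Both hunks replace `path_regex` with `path`, but as far as I know sops creation rules only recognise `path_regex` as the file selector, so an unrecognised `path` key would be ignored and each rule would be left with an empty regex that matches every file; the first rule (`secrets/secrets.yaml`) would then also be applied to `secrets/tailscale.yaml`, and its key groups would govern both. Unless the sops build in use documents a `path` key, keep `path_regex` and anchor it so `.` does not match arbitrary characters: `- path_regex: ^secrets/secrets\.yaml$` in the first hunk and `- path_regex: ^secrets/tailscale\.yaml$` in the second. The `keys:` section that the first hunk is attached to starts before the hunk.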
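--- a/<path not shown on page: file 2>
+++ b/<path not shown on page: file 2>
@@ -11,10 +11,12 @@ gpg --import $gpgKey
 echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key 64F6C4EB46C4543A trust
 
 # Setup SOPS
-ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o /etc/nixos/git/keys/hosts/$(hostname).asc
-# Update your .sops.yaml with this key
-sops-update secrets/secrets.yaml
-for i in $(ls secrets/):
+echo "Copy this key to .sops.yaml: "
+sudo ssh-to-pgp \
+-comment "Generated `ddate`" \
+-email "root@`hostname`" \
+-i /etc/ssh/ssh_host_rsa_key \
+-o /etc/nixos/git/keys/hosts/$(hostname).asc
 
 # Set up ssh keys
 ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa -N ""
@@ -30,4 +32,10 @@ git push
 popd
 echo
 echo
-echo "Complete."
+echo "Complete. Once '.sops.yaml' is updated, "
+echo "you may run 'sops updateKeys secrets/*.yaml'"
+echo "and reboot."
+
+# Update your .sops.yaml with this key
+# sops updateKeys secrets/secrets.yaml
+# sops updateKeys secrets/tailscale.yaml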
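Review bot: The completion message in the second hunk tells the user to run `sops updateKeys secrets/*.yaml`, while the shell helper this same commit removes elsewhere invoked `sops updatekeys $1`; if the sops CLI matches subcommand names case-sensitively, the printed instruction will not run as written, so `echo "you may run 'sops updatekeys secrets/*.yaml'"` looks like the intended text (the two commented lines added below it have the same casing issue). In the first hunk the new `sudo ssh-to-pgp` invocation builds its `-comment` from `ddate` inside backticks; if that binary is absent the comment is silently empty and the script carries on, since no `set -e` or exit-status check is visible in this hunk. The enclosing script starts before and continues after both hunks.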
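--- a/<path not shown on page: file 3>
+++ b/<path not shown on page: file 3>
@@ -43,14 +43,6 @@
 SSH_ASKPASS = "";
 };
 bashrcExtra = ''
-sops-edit() {
-nix-shell -p sops --run "sops $1"
-}
-
-sops-update() {
-nix-shell -p sops --run "sops updatekeys $1"
-}
-
 nix-clean-all() {
 sudo nix-env -u --always
 sudo nix-collect-garbage -d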
@ -1,5 +1,5 @@
# Useful to avoid using channels when using legacy nix commands
# Useful to avoid using channels when using legacy nix commands
let sops-nix-lock = (builtins.fromJSON (builtins.readFile ../flake.lock)).nodes.sops-nix.locked;
let sops-nix-lock = (builtins.fromJSON (builtins.readFile ../flake.lock)).nodes.sops-nix.locked;
in import (fetchTarball {
in import (fetchTarball {
url = "https://github.com/Mic92/sops-nix/archive/${sops-nix-lock.rev}.tar.gz";
url = "https://github.com/Mic92/sops-nix/archive/${sops-nix-lock.rev}.tar.gz";
sha256 = sops-nix-lock.narHash;
sha256 = sops-nix-lock.narHash;
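--- a/<path not shown on page: file 5>
+++ b/<path not shown on page: file 5>
@@ -9,8 +9,8 @@
 NIX_CONFIG = "experimental-features = nix-command flakes";
 # imports all files ending in .asc/.gpg
 sopsPGPKeyDirs = [
-"${toString ./.}/keys/hosts"
-"${toString ./.}/keys/users"
+"keys/hosts"
+"keys/users"
 ];
 
 nativeBuildInputs = [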
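Review bot: `"keys/hosts"` and `"keys/users"` are now resolved relative to whatever directory `nix-shell` is started from, whereas the removed `${toString ./.}` form anchored them to this file's own directory; started from anywhere else, the key import that the comment above describes would presumably find no `.asc`/`.gpg` files, or pick up a different tree, without any visible error. If the relative form is deliberate (for instance because `toString ./.` yielded a store path in this setup), a comment stating the expectation would help, e.g. `# relative to the directory nix-shell is started from; run it from the directory containing this file`. The enclosing attribute set starts before and continues after this hunk.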