This commit is contained in:
iFargle 2023-09-23 09:05:32 +09:00
parent db2ea0f564
commit 5862f43f63
5 changed files with 18 additions and 18 deletions


@ -6,7 +6,7 @@ keys:
- &host_nixos-rpi4-03 769021d2a24bf6e4d1c72791fc302f9a3cfb5171 - &host_nixos-rpi4-03 769021d2a24bf6e4d1c72791fc302f9a3cfb5171
creation_rules: creation_rules:
- path_regex: secrets/secrets.yaml - path: secrets/secrets.yaml
key_groups: key_groups:
- pgp: - pgp:
- *user_albert - *user_albert
@ -15,7 +15,7 @@ creation_rules:
- *host_nixos-rpi4-03 - *host_nixos-rpi4-03
- *host_nixos-vm-01 - *host_nixos-vm-01
- path_regex: secrets/tailscale.yaml - path: secrets/tailscale.yaml
key_groups: key_groups:
- pgp: - pgp:
- *user_albert - *user_albert
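Review bot: `path` is not a creation_rules key I know sops to accept; the documented selector is `path_regex`, which the right-hand column (apparently the new side) drops in both rules of this section. If sops ignores the unknown key, each rule is left with an empty `path_regex`, and an empty pattern acts as a catch-all in sops, so the first rule's key group would be applied to every file, including secrets/tailscale.yaml, and the second rule would never be reached. Unless this was verified against the sops version in use, restore `path_regex: secrets/secrets.yaml` and `path_regex: secrets/tailscale.yaml`; anchoring them (`^secrets/secrets\.yaml$`) would also stop the unanchored pattern matching similarly named paths.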


@ -11,10 +11,12 @@ gpg --import $gpgKey
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key 64F6C4EB46C4543A trust echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key 64F6C4EB46C4543A trust
# Setup SOPS # Setup SOPS
ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o /etc/nixos/git/keys/hosts/$(hostname).asc echo "Copy this key to .sops.yaml: "
# Update your .sops.yaml with this key sudo ssh-to-pgp \
sops-update secrets/secrets.yaml -comment "Generated `ddate`" \
for i in $(ls secrets/): -email "root@`hostname`" \
-i /etc/ssh/ssh_host_rsa_key \
-o /etc/nixos/git/keys/hosts/$(hostname).asc
# Set up ssh keys # Set up ssh keys
ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa -N "" ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa -N ""
@ -30,4 +32,10 @@ git push
popd popd
echo echo
echo echo
echo "Complete." echo "Complete. Once '.sops.yaml' is updated, "
echo "you may run 'sops updateKeys secrets/*.yaml'"
echo "and reboot."
# Update your .sops.yaml with this key
# sops updateKeys secrets/secrets.yaml
# sops updateKeys secrets/tailscale.yaml
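Review bot: The new `sudo ssh-to-pgp` invocation mixes backtick substitution (`` `ddate` ``, `` `hostname` ``) with `$(hostname)` two lines later; use one form, preferably `-comment "Generated $(ddate)"` and `-email "root@$(hostname)"`, since backticks do not nest and are easy to misread inside double quotes. Because the command now runs under sudo, the generated `.asc` under /etc/nixos/git/keys/hosts is presumably root-owned inside the git working tree, which is worth confirming against the later `git push` step in the second hunk. The second hunk keeps a commented-out `# sops updateKeys secrets/secrets.yaml` pair that duplicates the printed instruction; either drop it or turn it into a single comment stating why the step is left to the user (the `.sops.yaml` key must be added by hand first).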


@ -43,14 +43,6 @@
SSH_ASKPASS = ""; SSH_ASKPASS = "";
}; };
bashrcExtra = '' bashrcExtra = ''
sops-edit() {
nix-shell -p sops --run "sops $1"
}
sops-update() {
nix-shell -p sops --run "sops updatekeys $1"
}
nix-clean-all() { nix-clean-all() {
sudo nix-env -u --always sudo nix-env -u --always
sudo nix-collect-garbage -d sudo nix-collect-garbage -d


@ -1,5 +1,5 @@
# Useful to avoid using channels when using legacy nix commands # Useful to avoid using channels when using legacy nix commands
let sops-nix-lock = (builtins.fromJSON (builtins.readFile ../flake.lock)).nodes.sops-nix.locked; let sops-nix-lock = (builtins.fromJSON (builtins.readFile ../flake.lock)).nodes.sops-nix.locked;
in import (fetchTarball { in import (fetchTarball {
url = "https://github.com/Mic92/sops-nix/archive/${sops-nix-lock.rev}.tar.gz"; url = "https://github.com/Mic92/sops-nix/archive/${sops-nix-lock.rev}.tar.gz";
sha256 = sops-nix-lock.narHash; sha256 = sops-nix-lock.narHash;


@ -9,8 +9,8 @@
NIX_CONFIG = "experimental-features = nix-command flakes"; NIX_CONFIG = "experimental-features = nix-command flakes";
# imports all files ending in .asc/.gpg # imports all files ending in .asc/.gpg
sopsPGPKeyDirs = [ sopsPGPKeyDirs = [
"${toString ./.}/keys/hosts" "keys/hosts"
"${toString ./.}/keys/users" "keys/users"
]; ];
nativeBuildInputs = [ nativeBuildInputs = [