authorsefidel <contact@sefidel.net>2023-02-06 18:16:38 +0900
committersefidel <contact@sefidel.net>2023-02-06 18:26:16 +0900
commit374f2f364a3a5de5438dd310f6cb50490eae6f1e (patch)
treec4a2f0dd33b61285606d894cc61353331c71f009 /nixos/cobalt
parent9d2566b5958943643d138186ebc57def41f68e51 (diff)
feat: use sops for secret management
Diffstat (limited to 'nixos/cobalt')
-rw-r--r--nixos/cobalt/configuration.nix2
-rw-r--r--nixos/cobalt/secrets/secrets.yaml43
-rw-r--r--nixos/cobalt/services/acme.nix13
3 files changed, 52 insertions, 6 deletions
diff --git a/nixos/cobalt/configuration.nix b/nixos/cobalt/configuration.nix
index c596536..b4baf47 100644
--- a/nixos/cobalt/configuration.nix
+++ b/nixos/cobalt/configuration.nix
@@ -134,6 +134,8 @@ in
   # impermanence requirement
   fileSystems."/persist".neededForBoot = true;
 
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
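Review bot: The new `sops.defaultSopsFile` line names the encrypted file but nothing in this diff says how cobalt decrypts it at activation: no `sops.age.keyFile` or `sops.gnupg` setting appears, and secrets.yaml in this commit lists only PGP recipients with `age: []`. Unless it is configured elsewhere in the repo, sops-nix will fall back to its default of importing the host's SSH RSA key via `sops.gnupg.sshKeyPaths`, so the host key must be one of the two PGP recipients for activation to succeed. A one-line comment would save the next reader the search: `# decrypted at activation with the host key; recipients are the pgp entries in secrets.yaml`.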
diff --git a/nixos/cobalt/secrets/secrets.yaml b/nixos/cobalt/secrets/secrets.yaml
new file mode 100644
index 0000000..8d2e9f2
--- /dev/null
+++ b/nixos/cobalt/secrets/secrets.yaml
@@ -0,0 +1,43 @@
+hetzner-dns-key: ENC[AES256_GCM,data:Ir3gRLc8XXIOC8Vjm43gLAmuhyDw5wysOsTCXlJfBQTcpingEbCENc4+eziStyF6,iv:5R4k9Yb8AJjavSivhs19RWrNh7r3rtkrbB6HdZZudqc=,tag:2tFXwQOXKZKYt/qwfsRr7A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-06T09:15:44Z"
+    mac: ENC[AES256_GCM,data:kLl+dIZe6aFaE3VEL7pF597Akn/W9j+klLvGHI8E8o4hcyiF/jlidMp3/oEAX209okuOrERO4w0KZ+sXwuaYymx4XWMhnS7VmMKQqgJ8uOq9xzwAl3rNyH3IWx/4fQk/cyWj/aa6cRLuTQkv+pANZ8n+tSop9FCnX3M5SgCL6F4=,iv:mjNBo7hzpoLlPuxyu6Qlpf9DuXTATkZ6DBNdJMux8eM=,tag:jczhijwEr+iMYrKJ3/wOjQ==,type:str]
+    pgp:
+        - created_at: "2023-02-05T09:56:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dr9flwPWa1q8SAQdAtFIasB4kQZqTb7d1+2X6i3W7xHM/BnU87nUBzjgARwAw
+            cDezIZDi9L0IKZt/pui44uCJHBQKLZ9rGHuVKqY3R0Hsv06D2Lmgm6z9agano1JZ
+            0l4BUstc9knAl/dqAoNcLs+0Ehb84EYUxPfJowAnZaDbH5oaB0ke24Ug6gpHnejc
+            2eilh+Gnu4hEtrob//BQ0FSEn/PlLHjedqKJuJG0+w19sTZD5BPPj2ydbWLU6DYL
+            =3baE
+            -----END PGP MESSAGE-----
+          fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+        - created_at: "2023-02-05T09:56:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA3dNSJXrkRcDAQ/8DD0yVDj+CfykNQ6GupMBfKpNrEByupAijeMQKrPGSLAi
+            TKI0vi7Bh5UwxbhS9DZWnZqDnApba0/0S4t7oeRNTGjDusZJ4C1pglQY022hRvzh
+            AGvWwVnilg57ccqWW42eScqGL9ohtRTc2nFjWEXr2rc9w4CyjxzT46ZmYUo1zV7B
+            XXTn5TdpcRiFx81rvriW+L2BLE4Bd0nUeNxnL7FWG9mO+yaJtuv0lXtO5A3cGTn1
+            0hERax7VyCxzV78PHHtYVzkSY5ZVfpLH8su/Wg3dgMa6goMFmufnXPFr1l3HCQMH
+            oF2qEaWu3mP8efpSgstCDFMlH+i8wAbhPMFVwcN8kxPox9JACGmlqIvbCgOOwfKQ
+            eoQKkZPRpNuuK3e/+NddFqf+Eex5lh7v+iFk6PXZWqxzdOAjenWR53Gww5gFBJj+
+            bt6qvS/8Z7Hq8zNWD1eHhUj+ywazxuUrtUz7TOMRbfcGqaeFTAJntTc1pIu4GNcA
+            ut0fSyQr/xoTxv4J1Zyz4GnAzuJKE4fB4LCeonXLwIEU/MsV0sNKwUcgRL4oimYO
+            xDJ44rbKzHNX1cmmh3bVrdezJSqTNiG/5DCdYi8iqGcUzvUfkhhzT44VcUI7MIgI
+            VhLLk21M3eITbXKNPbOvkbXm/y1EeDeVNLg1JeqcXA43V5RBOKw3qKFheD+Se3bS
+            WAHZQxWslmuEvXVgWiewK+sh0x3uY7dCHN3Tcs1dggonAZBD1MIaKNutmPT1h8Nx
+            NtXsIaXB23oTv5xZ7R6b5B0NnVUFFok4VzYwSZBxPDBX9RQp9ErYX/o=
+            =uD2V
+            -----END PGP MESSAGE-----
+          fp: 9794c486d5673ff6613f6cde774d4895eb911703
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
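Review bot: The file is encrypted to exactly two PGP recipients (the `fp:` entries above) with every other key-group list empty, and nothing in the commit records which of the two is the host's unattended key and which is the operator's. Without a `.sops.yaml` creation rule naming both fingerprints for this path (not part of this diff), a later `sops` edit or `updatekeys` can silently drop a recipient and break activation on cobalt. If that rule does not exist yet, adding it alongside this file is the smallest fix; it is plain YAML outside the encrypted document, so it can carry a comment per fingerprint saying whose key it is.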
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
index d28bfc7..58a5c77 100644
--- a/nixos/cobalt/services/acme.nix
+++ b/nixos/cobalt/services/acme.nix
@@ -1,7 +1,13 @@
+{ config, ... }:
+
 let
   poorObfuscation = y: x: "${x}@${y}";
 in
 {
+  sops.secrets.hetzner-dns-key = {
+    owner = "acme";
+  };
+
   security.acme = {
     acceptTerms = true;
     defaults.email = poorObfuscation "sefidel.com" "postmaster";
@@ -14,7 +20,7 @@ in
         ];
         dnsProvider = "hetzner";
         dnsPropagationCheck = true;
-        credentialsFile = "/persist/secrets/hetzner.key";
+        credentialsFile = config.sops.secrets.hetzner-dns-key.path;
       };
     };
   };
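Review bot: `credentialsFile` is passed to lego as a systemd EnvironmentFile, so the decrypted secret must contain `HETZNER_API_KEY=<token>` (plus trailing newline), not a bare token; the sops entry is `type:str` and cannot enforce that format. It presumably holds the same content as the old `/persist/secrets/hetzner.key`, so the migration likely works as-is, but that assumption is invisible from here. A comment on the line would document the contract: `# env-file format (HETZNER_API_KEY=...), consumed by lego as EnvironmentFile`.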
@@ -22,9 +28,4 @@ in
   environment.persistence."/persist".directories = [
     "/var/lib/acme"
   ];
-
-  deployment.keys."hetzner.key" = {
-    keyCommand = [ "pass" "show" "server/hetzner-dns" ];
-    destDir = "/persist/secrets";
-  };
 }
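Review bot: Dropping the `deployment.keys."hetzner.key"` block stops provisioning the plaintext, but the copy it already placed at `/persist/secrets/hetzner.key` lives on a persistent volume and nothing in this commit removes it, so the API token now exists both there and (encrypted) in git. Worth deleting that file on the host when this is deployed, e.g. with a one-off `systemd.tmpfiles.rules = [ "r /persist/secrets/hetzner.key" ];` or a manual removal, and rotating the Hetzner token once the sops path is verified, since any former copy pulled through `pass` is outside the new access model. The enclosing attribute set begins before this hunk.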