From 32bba888a932416c11359f15caf50ef7c7297ce8 Mon Sep 17 00:00:00 2001 From: sefidel Date: Tue, 23 Jan 2024 03:44:58 +0900 Subject: feat(nixos/kanata): use sops to unlock data pool --- nixos/kanata/configuration.nix | 2 ++ nixos/kanata/hardware-configuration.nix | 2 ++ nixos/kanata/secrets/secrets.yaml | 5 +++-- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix index b12dc46..aac02f5 100644 --- a/nixos/kanata/configuration.nix +++ b/nixos/kanata/configuration.nix @@ -93,6 +93,8 @@ in powerManagement.cpuFreqGovernor = "ondemand"; + sops.secrets.zfs-smol-key = { }; + # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # diff --git a/nixos/kanata/hardware-configuration.nix b/nixos/kanata/hardware-configuration.nix index ca125a0..262b0c6 100644 --- a/nixos/kanata/hardware-configuration.nix +++ b/nixos/kanata/hardware-configuration.nix @@ -38,6 +38,8 @@ fsType = "zfs"; }; + # ZFS pool `smol` is decrypted using a sops key named `zfs-smol-key`. + # In an event of emergency, manual unlocking is possible by typing the passphrase. fileSystems."/smol/core" = { device = "smol/ds1/core"; fsType = "zfs"; diff --git a/nixos/kanata/secrets/secrets.yaml b/nixos/kanata/secrets/secrets.yaml index b88ffd7..efe1b0f 100644 --- a/nixos/kanata/secrets/secrets.yaml +++ b/nixos/kanata/secrets/secrets.yaml 
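Review bot: Nothing visible in this commit connects the new secret to the pool. In the configuration.nix hunk, `sops.secrets.zfs-smol-key = { };` only makes sops-nix write out a decrypted file (with the module defaults, as far as I know a root-owned file under /run/secrets), so the `keylocation` that reads it is presumably a dataset property set outside the Nix config. I would record that dependency at the declaration, for example `# Read by ZFS as the key file for pool 'smol'; the pool's keylocation property must match config.sops.secrets.zfs-smol-key.path.` It is also worth confirming that the secret is decrypted before the pool's key is loaded at boot, since otherwise mounting /smol/core would fall back to a prompt or fail. The enclosing attribute set starts and ends outside the hunk.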
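Review bot: The comment added above `fileSystems."/smol/core"` in hardware-configuration.nix documents the mechanism but not the change in trust that comes with it. Once the passphrase is stored in secrets.yaml, any identity able to decrypt that file can unlock `smol`; that includes this host's own sops key, which presumably lives on the root filesystem, so the pool's at-rest protection is no stronger than that of the root disk. I would extend the comment with something like `# The pool is only as protected as the keys that can decrypt secrets.yaml; if one leaks, rotate the passphrase with zfs change-key, because the old ciphertext stays in git history.` A small wording fix for the same comment: "In the event of an emergency". The fileSystems entry continues past the end of the hunk.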
@@ -1,6 +1,7 @@ initrd-ssh-host-rsa-key: ENC[AES256_GCM,data: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,iv:lA2dygMQoZ3tja54IA6HcKOSZfTnC7VDytqP26CWRcM=,tag:KTa+qQx+s/q7j90ruRK+pg==,type:str] initrd-ssh-host-ed25519-key: ENC[AES256_GCM,data:eD8UZZ6FnqT5tP+y1xDrtjKjl/DQLXEQs/a4snHoHKHbyNmHXM8aO5o5QuPP6F9MMi0KvrnMHXJs+OqnA+/ZpXD3LJ/k13xIijktWPcpY97X6790ZmkIjE797LiV5YRuwuMQOQVsipISjVmlRWY1UpO4VO8n/TvMJV+SbJUgI3sfK1H5/xG0DlwdPJ1Wb8UVEK/3RPo75Z0tJ7OX7gNwPAh2pEz7XKHjIFdnNwjPgFOCO958ozSZPPMJElUjaffAMyiNBJPdPjV0TYxSD+G5/CVs3pWOEHD2FaF2Gx+BMHT8VRKIGW1cQOQjOBwePx5kQesPl9AkavpP6QOsbktY3+c9Dt4+G4XKsZ0ZpvlCRKf60u39z/K5DvM4CiNzu+nm+hfFcCXEHleFKq2BPB13tMJ3IaEtqA8TJ/8NqkP9zlnRuf/5sxSktUxAri9uIv8s++xNNSsIu+9BYK41t8Snso0uT3AN1emAsLGBMBQLpGzrC6l8WvfntAU7D9HTB0EA6xQCm7Pj+SIU6cxyVkUY,iv:GWEDQtmutLsL9RVQGoXv/uwg9gHKr/QA2/I9g52obqM=,tag:Rs6uaU9hwaoSP7oifJwkbA==,type:str] initrd-ts-state: ENC[AES256_GCM,data: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,iv:sGA4zACuGYJ3P/auaHXOttP8TGyVgf++Ppk6jiekUbw=,tag:/+XtiRJIjTA7MM5sYdPlSg==,type:str] +zfs-smol-key: ENC[AES256_GCM,data:M6JUsFoAvt2nqI/9bVq0slhrcQE8sGgC3s0x,iv:hZK99Veh+oMhxxA9BbBe7OBisjhF00baAb1JQ7yfMaA=,tag:30GjpPzIpgw5htoK1BcmUg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -25,8 +26,8 @@ sops: YkRGS2ZBbm1keWpUQUFOWDRtTWZVa0EKc+lKEP0L/yoFLx6p1zbWfifPWc7Y9Qqh qccODSyHqzwdriHLxXuw9SCnF+SeA721te6+pDVhJj8vqv2UqHiATw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-22T15:59:14Z" - mac: ENC[AES256_GCM,data:lvTdQhmlvLfycaE9a8c4Pw79yV7a7ic7z4BgTMSKuh95cC6/NdL4yqjhG5U5wX4PAl4v3Qx/GsfqtVcMUxyzT0ZWdWTpnLh6yBwYx413IwHziQg0di6YB9FOfcOMRfEqkc+tTV146A8aeTigxUI4biS3+NHOPjDPrUulAgr1s88=,iv:HguUOQhq3F+wnKkVKxeBCoBtxToGK1LWNG2ARYjKh+M=,tag:7On9A+A3LfGF+SQedEfOJg==,type:str] + lastmodified: "2024-01-22T18:40:17Z" + mac: ENC[AES256_GCM,data:Bja0XWa7S/PeA+61AYWLyDkJyY7RUOakJl4xhtvWp854Ku5wTRM5hsAbdpvAeKRvNN9EoJI1ljeUihRXY3e1jlD3yElH7p9Bfs1Gb6J4rQ+hODf/vvCwVyyVhXFCU6PHjUhFiTuAyQdY9VecOTZj4Jx603DzoGU0VYvpXp9k7EU=,iv:u6pdlF7Fkw1khrZVvi/bMa3HRAcyXkPWYc0RO0PCSaQ=,tag:c3KRwyZHoIoX8BwvCuGypw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 -- cgit 1.4.1