From 374f2f364a3a5de5438dd310f6cb50490eae6f1e Mon Sep 17 00:00:00 2001
From: sefidel
Date: Mon, 6 Feb 2023 18:16:38 +0900
Subject: feat: use sops for secret management
---
 nixos/cobalt/configuration.nix | 2 ++
 nixos/cobalt/secrets/secrets.yaml | 43 +++++++++++++++++++++++++++++++++++++++
 nixos/cobalt/services/acme.nix | 13 ++++++------
 3 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 nixos/cobalt/secrets/secrets.yaml
(limited to 'nixos/cobalt')
diff --git a/nixos/cobalt/configuration.nix b/nixos/cobalt/configuration.nix
index c596536..b4baf47 100644
--- a/nixos/cobalt/configuration.nix
+++ b/nixos/cobalt/configuration.nix
@@ -134,6 +134,8 @@ in
   # impermanence requirement
   fileSystems."/persist".neededForBoot = true;
 
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/nixos/cobalt/secrets/secrets.yaml b/nixos/cobalt/secrets/secrets.yaml
new file mode 100644
index 0000000..8d2e9f2
--- /dev/null
+++ b/nixos/cobalt/secrets/secrets.yaml
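Review bot: `sops.defaultSopsFile` points at a file whose only recipients are the two PGP fingerprints listed in `secrets.yaml` (`age: []`), and nothing in this hunk configures how the host obtains a matching private key, so decryption at activation presumably relies on the sops-nix default of deriving a GPG identity from the host SSH key — the lowercase fingerprint `9794c486…` looks like such a host-derived key; confirm against `sops.gnupg.sshKeyPaths`. On an impermanence setup like this one (`fileSystems."/persist".neededForBoot` two lines above), that host key has to be in the persisted set, otherwise a reboot regenerates it and every secret in the file becomes undecryptable. A pointer next to the new line would save the next reader that hunt, e.g. `# recipients: see secrets/secrets.yaml; the host decrypts with its (persisted) SSH host key via the sops-nix default`. The `sops.secrets.*` declaration that consumes this file is in services/acme.nix in the same commit.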
@@ -0,0 +1,43 @@
+hetzner-dns-key: ENC[AES256_GCM,data:Ir3gRLc8XXIOC8Vjm43gLAmuhyDw5wysOsTCXlJfBQTcpingEbCENc4+eziStyF6,iv:5R4k9Yb8AJjavSivhs19RWrNh7r3rtkrbB6HdZZudqc=,tag:2tFXwQOXKZKYt/qwfsRr7A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-06T09:15:44Z"
+    mac: ENC[AES256_GCM,data:kLl+dIZe6aFaE3VEL7pF597Akn/W9j+klLvGHI8E8o4hcyiF/jlidMp3/oEAX209okuOrERO4w0KZ+sXwuaYymx4XWMhnS7VmMKQqgJ8uOq9xzwAl3rNyH3IWx/4fQk/cyWj/aa6cRLuTQkv+pANZ8n+tSop9FCnX3M5SgCL6F4=,iv:mjNBo7hzpoLlPuxyu6Qlpf9DuXTATkZ6DBNdJMux8eM=,tag:jczhijwEr+iMYrKJ3/wOjQ==,type:str]
+    pgp:
+        - created_at: "2023-02-05T09:56:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dr9flwPWa1q8SAQdAtFIasB4kQZqTb7d1+2X6i3W7xHM/BnU87nUBzjgARwAw
+            cDezIZDi9L0IKZt/pui44uCJHBQKLZ9rGHuVKqY3R0Hsv06D2Lmgm6z9agano1JZ
+            0l4BUstc9knAl/dqAoNcLs+0Ehb84EYUxPfJowAnZaDbH5oaB0ke24Ug6gpHnejc
+            2eilh+Gnu4hEtrob//BQ0FSEn/PlLHjedqKJuJG0+w19sTZD5BPPj2ydbWLU6DYL
+            =3baE
+            -----END PGP MESSAGE-----
+          fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+        - created_at: "2023-02-05T09:56:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA3dNSJXrkRcDAQ/8DD0yVDj+CfykNQ6GupMBfKpNrEByupAijeMQKrPGSLAi
+            TKI0vi7Bh5UwxbhS9DZWnZqDnApba0/0S4t7oeRNTGjDusZJ4C1pglQY022hRvzh
+            AGvWwVnilg57ccqWW42eScqGL9ohtRTc2nFjWEXr2rc9w4CyjxzT46ZmYUo1zV7B
+            XXTn5TdpcRiFx81rvriW+L2BLE4Bd0nUeNxnL7FWG9mO+yaJtuv0lXtO5A3cGTn1
+            0hERax7VyCxzV78PHHtYVzkSY5ZVfpLH8su/Wg3dgMa6goMFmufnXPFr1l3HCQMH
+            oF2qEaWu3mP8efpSgstCDFMlH+i8wAbhPMFVwcN8kxPox9JACGmlqIvbCgOOwfKQ
+            eoQKkZPRpNuuK3e/+NddFqf+Eex5lh7v+iFk6PXZWqxzdOAjenWR53Gww5gFBJj+
+            bt6qvS/8Z7Hq8zNWD1eHhUj+ywazxuUrtUz7TOMRbfcGqaeFTAJntTc1pIu4GNcA
+            ut0fSyQr/xoTxv4J1Zyz4GnAzuJKE4fB4LCeonXLwIEU/MsV0sNKwUcgRL4oimYO
+            xDJ44rbKzHNX1cmmh3bVrdezJSqTNiG/5DCdYi8iqGcUzvUfkhhzT44VcUI7MIgI
+            VhLLk21M3eITbXKNPbOvkbXm/y1EeDeVNLg1JeqcXA43V5RBOKw3qKFheD+Se3bS
+            WAHZQxWslmuEvXVgWiewK+sh0x3uY7dCHN3Tcs1dggonAZBD1MIaKNutmPT1h8Nx
+            NtXsIaXB23oTv5xZ7R6b5B0NnVUFFok4VzYwSZBxPDBX9RQp9ErYX/o=
+            =uD2V
+            -----END PGP MESSAGE-----
+          fp: 9794c486d5673ff6613f6cde774d4895eb911703
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
index d28bfc7..58a5c77 100644
--- a/nixos/cobalt/services/acme.nix
+++ b/nixos/cobalt/services/acme.nix
@@ -1,7 +1,13 @@
+{ config, ... }:
+
 let
   poorObfuscation = y: x: "${x}@${y}";
 in
 {
+  sops.secrets.hetzner-dns-key = {
+    owner = "acme";
+  };
+
   security.acme = {
     acceptTerms = true;
     defaults.email = poorObfuscation "sefidel.com" "postmaster";
@@ -14,7 +20,7 @@ in
       ];
       dnsProvider = "hetzner";
       dnsPropagationCheck = true;
-      credentialsFile = "/persist/secrets/hetzner.key";
+      credentialsFile = config.sops.secrets.hetzner-dns-key.path;
     };
   };
 };
@@ -22,9 +28,4 @@ in
   environment.persistence."/persist".directories = [
     "/var/lib/acme"
   ];
-
-  deployment.keys."hetzner.key" = {
-    keyCommand = [ "pass" "show" "server/hetzner-dns" ];
-    destDir = "/persist/secrets";
-  };
 }
-- 
cgit 1.4.1
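Review bot: `credentialsFile` in the second hunk now points at the sops-managed path, but `security.acme` hands that file to lego as an environment file, so the decrypted content of `hetzner-dns-key` must be in `HETZNER_API_KEY=…` form rather than a bare token; the old `pass show server/hetzner-dns` source presumably already had that shape, but it cannot be verified from the encrypted value here. A comment on the `sops.secrets.hetzner-dns-key` declaration in the first hunk would pin that contract: `# env-file format (HETZNER_API_KEY=...), consumed by lego via security.acme credentialsFile`. The third hunk removes the `deployment.keys` entry, but nothing removes the plaintext `/persist/secrets/hetzner.key` already present on deployed hosts, so that file should be deleted out of band and, since the token sat unencrypted on persistent storage, rotating it before relying on the sops copy is the safer sequence. The `certs` attribute set enclosing the second hunk starts outside the hunk.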