From 374f2f364a3a5de5438dd310f6cb50490eae6f1e Mon Sep 17 00:00:00 2001 From: sefidel Date: Mon, 6 Feb 2023 18:16:38 +0900 Subject: feat: use sops for secret management --- nixos/.sops.yaml | 17 +++++++++------ nixos/alpha/configuration.nix | 8 +++++-- nixos/alpha/secrets/secrets.yaml | 44 +++++++++++++++++++++++++++++++++++++++ nixos/cobalt/configuration.nix | 2 ++ nixos/cobalt/secrets/secrets.yaml | 43 ++++++++++++++++++++++++++++++++++++++ nixos/cobalt/services/acme.nix | 13 ++++++------ nixos/default.nix | 1 + 7 files changed, 114 insertions(+), 14 deletions(-) create mode 100644 nixos/alpha/secrets/secrets.yaml create mode 100644 nixos/cobalt/secrets/secrets.yaml (limited to 'nixos') diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml index 0d15882..030fefe 100644 --- a/nixos/.sops.yaml +++ b/nixos/.sops.yaml @@ -1,10 +1,15 @@ keys: - - &user_zach 346833414516C852FFB238E19F734565641C2F14 - - &host_alpha age1ndc6vascfywmk5d3ptyeps92dyc9d9qsxmezn6t4wv56jjzysucqu8ldfn + - &sefidel 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2 + - &host_alpha c62b0336ff6e444e5f2041e8074ca855641a5b7f + - &host_cobalt 9794c486d5673ff6613f6cde774d4895eb911703 creation_rules: - path_regex: alpha/secrets/[^/]+\.yaml$ key_groups: - - pgp: - - *user_zach - - age: - - *host_alpha + - pgp: + - *sefidel + - *host_alpha + - path_regex: cobalt/secrets/[^/]+\.yaml$ + key_groups: + - pgp: + - *sefidel + - *host_cobalt diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix index 67f56a2..d9dd00d 100644 --- a/nixos/alpha/configuration.nix +++ b/nixos/alpha/configuration.nix 
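Review bot: The `keys:` block now lists `*host_alpha` and `*host_cobalt` under `pgp:` next to the personal key, but nothing records what these fingerprints are or how they were produced; they look like PGP keys derived from each host's SSH host key (the new secrets files carry matching `fp:` entries and `age: []`, which is the sops-nix gnupg path), but that is an inference from the hunk. A one-line comment per anchor would remove the guesswork, e.g. `# personal GPG key` on the `&sefidel` line and `# host key: PGP fingerprint derived from the host's SSH host key; re-run sops updatekeys after rotating it` on the two host lines. Note also that the alpha rule previously encrypted to an age recipient and now only to PGP recipients, so any age-based key setup on alpha no longer grants access, and the former `user_zach` recipient is dropped entirely — both presumably intended, but worth stating in the commit message.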
@@ -236,16 +236,20 @@ ]; }; + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.secrets.root-password.neededForUsers = true; + sops.secrets.zach-password.neededForUsers = true; + users.mutableUsers = false; fileSystems."/persist".neededForBoot = true; users.users = { - root.passwordFile = "/persist/passwords/root"; + root.passwordFile = config.sops.secrets.root-password.path; zach = { isNormalUser = true; shell = pkgs.zsh; - passwordFile = "/persist/passwords/zach"; + passwordFile = config.sops.secrets.zach-password.path; extraGroups = [ "wheel" diff --git a/nixos/alpha/secrets/secrets.yaml b/nixos/alpha/secrets/secrets.yaml new file mode 100644 index 0000000..185220f --- /dev/null +++ b/nixos/alpha/secrets/secrets.yaml 
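Review bot: With `users.mutableUsers = false` and both `passwordFile` entries now pointing at sops-managed paths, a failed decryption at activation leaves root and zach with no usable password and no fallback, and the hunk does not show how the host's decryption key is provided (sops-nix by default derives it from the SSH host keys); on an impermanence setup those host keys must live under the persisted tree or the host cannot decrypt after a reboot — the same applies to the cobalt configuration.nix hunk. `passwordFile` expects a password hash, so the plaintext of `root-password` and `zach-password` must be the hashed form rather than the raw password; that cannot be checked from the encrypted blob, so a comment such as `# both values are password hashes (mkpasswd output); passwordFile reads a hash, not a plaintext password` beside the two `neededForUsers` lines would document the contract. The previously referenced `/persist/passwords/root` and `/persist/passwords/zach` are only unreferenced by this change, not removed, so the old copies remain on the persisted volume until cleaned up. The enclosing attribute set starts and ends outside the hunk.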
@@ -0,0 +1,44 @@ +root-password: ENC[AES256_GCM,data:KVPWUhy2dqSz8djBQRogBYUxZXmnJ1m7w+d6osLQXiVyrMf/ZKdJIn3jWUNkTTFRIdiHeZT4WZbffHtZO1GhjQG4jeRIfS6oBmPzhFJKG8d3R2JwbL4gCXQT9mvmX4cgPIs7BJxCo3GnWg==,iv:D9uva5kvuiPtYWGDcStbD+f+K2+xpE3Ogdq4idCnUsQ=,tag:OcwGkm541OPSHMEqU4odgw==,type:str] +zach-password: ENC[AES256_GCM,data:hjCi2Pu0KtmaJ+RVU1SyLHKMgG/WP/AcTBYce+IV/ftfA9e7z294yZ6EizvtwwTDqJbI0ADSekdiomYIP5u6g1gz9pvexDEw3KR3nhVSQSKnhOwZ6wBm9ycNhRJhPmCM27uh6dM/SPuIgg==,iv:qJuPimIzJP053V1GnUTe5GKC8s/sFfQ7Wr3Wb0meGGM=,tag:SR4jecEt2P6u+PzqEl2ZNQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-02-05T11:33:33Z" + mac: ENC[AES256_GCM,data:bgEgm7Wu53ttYIygSCMZP9F2FMcqjc941cmERolnwFQhbjYMh5viRIsBm5t+bRDRRgIpOZsrieCGzRHll4Ub3718geLx8mkEOA57bRSgl4BBVx2qg7HHhK9yHMhO1VsazVQg/W5QW+m0EGtc/skfnM9rprywbPIGiPQW0RuP0LY=,iv:s8zHX5z9iGzijvn4fb5vZRuyDMsdZKWYRMZ3z/I1c4s=,tag:3WwXUfhmg5rsBxtq/PbOvQ==,type:str] + pgp: + - created_at: "2023-02-05T09:49:30Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4Dr9flwPWa1q8SAQdA+fosTjcmurKUcSFNK/FF5LNqpajbdcBxjm/ZBKMOLFEw + ITClO3QJMtQjG8knzV5Pk8EekGFWYcdhQETvuVHZpEpaPmZDcYUsFa/N/7S7dtUl + 0l4BFfTjxrZTNqO43pnhS+TYOIMuutNKfknE7kaFCw5TpLHkpf+QZz4Ted0B4Wbh + JMaiaMGmCGi2z1AjLpHTiRPFd3kkoljhm4geITMqL0AlmumrxosGWkdqejXtIbBr + =mxAB + -----END PGP MESSAGE----- + fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2 + - created_at: "2023-02-05T09:49:30Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAwdMqFVkGlt/AQ/9Gh0eEPgRGO/n3fihcpy7Ec5n1BTZ6IYcIFayFrLoqztP + LzRNwT5gt3T/D7rRCwgYEULXWGC1+9JLoLw6QgjiK4ArO8Wkb+7V2FEHF+jdpqth + +XrwGEozwsmOi0Oh1BBUIF5mpPjrQjf3SyF9Rr6hhauhg0WWMAeuDu1uP9xMaZet + lZVv73G3WvHwphRzaSoA70yby+o5EzT1DuOSjH5/6X6GP0U5LmnsZx1o7HHJ9tN6 + 9uD5TnUVzE7Ib0Bh/+3Hxb1csWI7HW9nH5A687foX5zuPklvFjtkaR3fH2gzo7l3 + pL+PXhlpO7BPoNHKghAUhKNrk1TUHZZUyqplVPcLTXt14wK5sWWMvn7h4OMqt7h/ + rGXNhEzNR66urJBCykBJ+3bdD7t324M+KWK5gcwbJgN9VVs1UVGYNcbqwGP94eNs + 
A3vUUBrMRbSXHi2FMRMQTPCO3CH5X+xpTn3yYSZLDvPrLRpLKffGph/usEwmnXub + TYXNMRa+Kt8zjLIF9R+eemjSYQ5Z+jg5GDUGmMw8xEk8nY9TsqOxKQ1keh1BIScF + 7xY9rzDI2CDmSH88Gs+cifAW3MwOLGjPSmzuNpMqm6JPrOPNWtVIMe5cd5dNNbcu + 2Qgvxr3KtXzO/fX/DjbdOWSpS6yWpKnoTwkM6ATuAS6OodTvenqj8GO5yiXRDO7S + WAFf9iqF0/ajPpbjeRS17NA/eC5CmRJ7aw66TbD4mndGUusTqVNvL98OtadLmSuF + T1UkSAJeyGSb2THMLLFcTvpYu1q83l+mBbMDaIkLd/VO2dQG/AfwKuE= + =QIC+ + -----END PGP MESSAGE----- + fp: c62b0336ff6e444e5f2041e8074ca855641a5b7f + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/cobalt/configuration.nix b/nixos/cobalt/configuration.nix index c596536..b4baf47 100644 --- a/nixos/cobalt/configuration.nix +++ b/nixos/cobalt/configuration.nix @@ -134,6 +134,8 @@ in # impermanence requirement fileSystems."/persist".neededForBoot = true; + sops.defaultSopsFile = ./secrets/secrets.yaml; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/cobalt/secrets/secrets.yaml b/nixos/cobalt/secrets/secrets.yaml new file mode 100644 index 0000000..8d2e9f2 --- /dev/null +++ b/nixos/cobalt/secrets/secrets.yaml 
@@ -0,0 +1,43 @@ +hetzner-dns-key: ENC[AES256_GCM,data:Ir3gRLc8XXIOC8Vjm43gLAmuhyDw5wysOsTCXlJfBQTcpingEbCENc4+eziStyF6,iv:5R4k9Yb8AJjavSivhs19RWrNh7r3rtkrbB6HdZZudqc=,tag:2tFXwQOXKZKYt/qwfsRr7A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-02-06T09:15:44Z" + mac: ENC[AES256_GCM,data:kLl+dIZe6aFaE3VEL7pF597Akn/W9j+klLvGHI8E8o4hcyiF/jlidMp3/oEAX209okuOrERO4w0KZ+sXwuaYymx4XWMhnS7VmMKQqgJ8uOq9xzwAl3rNyH3IWx/4fQk/cyWj/aa6cRLuTQkv+pANZ8n+tSop9FCnX3M5SgCL6F4=,iv:mjNBo7hzpoLlPuxyu6Qlpf9DuXTATkZ6DBNdJMux8eM=,tag:jczhijwEr+iMYrKJ3/wOjQ==,type:str] + pgp: + - created_at: "2023-02-05T09:56:11Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4Dr9flwPWa1q8SAQdAtFIasB4kQZqTb7d1+2X6i3W7xHM/BnU87nUBzjgARwAw + cDezIZDi9L0IKZt/pui44uCJHBQKLZ9rGHuVKqY3R0Hsv06D2Lmgm6z9agano1JZ + 0l4BUstc9knAl/dqAoNcLs+0Ehb84EYUxPfJowAnZaDbH5oaB0ke24Ug6gpHnejc + 2eilh+Gnu4hEtrob//BQ0FSEn/PlLHjedqKJuJG0+w19sTZD5BPPj2ydbWLU6DYL + =3baE + -----END PGP MESSAGE----- + fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2 + - created_at: "2023-02-05T09:56:11Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA3dNSJXrkRcDAQ/8DD0yVDj+CfykNQ6GupMBfKpNrEByupAijeMQKrPGSLAi + TKI0vi7Bh5UwxbhS9DZWnZqDnApba0/0S4t7oeRNTGjDusZJ4C1pglQY022hRvzh + AGvWwVnilg57ccqWW42eScqGL9ohtRTc2nFjWEXr2rc9w4CyjxzT46ZmYUo1zV7B + XXTn5TdpcRiFx81rvriW+L2BLE4Bd0nUeNxnL7FWG9mO+yaJtuv0lXtO5A3cGTn1 + 0hERax7VyCxzV78PHHtYVzkSY5ZVfpLH8su/Wg3dgMa6goMFmufnXPFr1l3HCQMH + oF2qEaWu3mP8efpSgstCDFMlH+i8wAbhPMFVwcN8kxPox9JACGmlqIvbCgOOwfKQ + eoQKkZPRpNuuK3e/+NddFqf+Eex5lh7v+iFk6PXZWqxzdOAjenWR53Gww5gFBJj+ + bt6qvS/8Z7Hq8zNWD1eHhUj+ywazxuUrtUz7TOMRbfcGqaeFTAJntTc1pIu4GNcA + ut0fSyQr/xoTxv4J1Zyz4GnAzuJKE4fB4LCeonXLwIEU/MsV0sNKwUcgRL4oimYO + xDJ44rbKzHNX1cmmh3bVrdezJSqTNiG/5DCdYi8iqGcUzvUfkhhzT44VcUI7MIgI + VhLLk21M3eITbXKNPbOvkbXm/y1EeDeVNLg1JeqcXA43V5RBOKw3qKFheD+Se3bS + WAHZQxWslmuEvXVgWiewK+sh0x3uY7dCHN3Tcs1dggonAZBD1MIaKNutmPT1h8Nx + NtXsIaXB23oTv5xZ7R6b5B0NnVUFFok4VzYwSZBxPDBX9RQp9ErYX/o= + =uD2V + 
-----END PGP MESSAGE----- + fp: 9794c486d5673ff6613f6cde774d4895eb911703 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix index d28bfc7..58a5c77 100644 --- a/nixos/cobalt/services/acme.nix +++ b/nixos/cobalt/services/acme.nix @@ -1,7 +1,13 @@ +{ config, ... }: + let poorObfuscation = y: x: "${x}@${y}"; in { + sops.secrets.hetzner-dns-key = { + owner = "acme"; + }; + security.acme = { acceptTerms = true; defaults.email = poorObfuscation "sefidel.com" "postmaster"; @@ -14,7 +20,7 @@ in ]; dnsProvider = "hetzner"; dnsPropagationCheck = true; - credentialsFile = "/persist/secrets/hetzner.key"; + credentialsFile = config.sops.secrets.hetzner-dns-key.path; }; }; }; @@ -22,9 +28,4 @@ in environment.persistence."/persist".directories = [ "/var/lib/acme" ]; - - deployment.keys."hetzner.key" = { - keyCommand = [ "pass" "show" "server/hetzner-dns" ]; - destDir = "/persist/secrets"; - }; } diff --git a/nixos/default.nix b/nixos/default.nix index 31d1a61..c113d42 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -8,6 +8,7 @@ extraModules = [ ./modules/security.nix ./modules/cachix + inputs.sops-nix.nixosModules.sops ]; }; -- cgit 1.4.1
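Review bot: `security.acme` reads `credentialsFile` as an environment file, so the plaintext of `hetzner-dns-key` must have the form `HETZNER_API_KEY=<token>` rather than the bare token; the encrypted value cannot be checked here, so a comment on the new `sops.secrets.hetzner-dns-key` block such as `# plaintext is an env file: HETZNER_API_KEY=<token>, consumed via credentialsFile below` would make the contract explicit (the second acme.nix hunk, which switches `credentialsFile` to the sops path, is the consumer). The secret is declared with `owner = "acme"` and otherwise relies on sops-nix's default file mode, which is owner-readable only if the module defaults have not been changed elsewhere — appropriate for a file only the renewal service reads. The previous copy at `/persist/secrets/hetzner.key` that the removed `deployment.keys` entry used to drop there is only unreferenced by this change, so it stays on the persisted disk until removed by hand; treat it as a live credential until the key is rotated or the file is deleted.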