Add sops for secret management

This commit is contained in:
Daniel Olsen 2022-12-07 10:09:17 +01:00 committed by System administrator
parent f418516013
commit 3ed65c6cfa
2 changed files with 26 additions and 0 deletions

17
.sops.yaml Normal file
View File

@ -0,0 +1,17 @@
keys:
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
- &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
creation_rules:
# Global secrets
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *user_danio
- *host_jokum
# Host specific secrets
## Jokum
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
- *user_danio
- *host_jokum

View File

@ -4,6 +4,8 @@ let
in in
{ {
imports = [ imports = [
<sops-nix/modules/sops>
# Include the results of the hardware scan. # Include the results of the hardware scan.
../../hardware-configuration.nix ../../hardware-configuration.nix
@ -23,6 +25,13 @@ in
inherit unstable; inherit unstable;
}; };
sops.defaultSopsFile = ../../secrets/jokum/jokum.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
# Use the GRUB 2 boot loader. # Use the GRUB 2 boot loader.
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2; boot.loader.grub.version = 2;