From 71b20209b212fa17cd733656b013475567dbf640 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Wed, 19 Apr 2023 14:16:39 +0800
Subject: [PATCH] try to add secrets

---
 .sops.yaml | 5 +++++
 machines/laptop/configuration.nix | 11 ++++++++++-
 .../default.yaml => machines/laptop/secrets.yaml | 4 ++--
 machines/sops.nix | 2 ++
 4 files changed, 19 insertions(+), 3 deletions(-)
 rename secrets/laptop/default.yaml => machines/laptop/secrets.yaml (81%)
 create mode 100644 machines/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
index 56ad9bb..e989cd5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,11 @@ creation_rules:
 - age:
 - *xin
 - *host-laptop
+ - path_regex: machines/laptop/secrets.yaml
+ key_groups:
+ - age:
+ - *xin
+ - *host-laptop
 - path_regex: secrets/common/[^/]+\.yaml$
 kay_groups:
 - age:
diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix
index 6eb7607..e3df24b 100644
--- a/machines/laptop/configuration.nix
+++ b/machines/laptop/configuration.nix
@@ -13,6 +13,7 @@
 ../vscode.nix
 # ../dnscrypt.nix
 ./secret.nix
+ ../sops.nix
 ];

 # Bootloader.
@@ -33,6 +34,14 @@
 resolvconf.useLocalResolver = true;
 };

+ sops = { defaultSopsFile = ./secrets.yaml; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.keyFile = "/var/lib/sops-nix/keys.txt"; age.generateKey = true; };
+
 # Setup wireguard
 # Set your time zone.
 time.timeZone = "Asia/Shanghai";
@@ -270,7 +279,7 @@
 # Open ports in the firewall.
 # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
+ networking.firewall.allowedUDPPorts = [ 41641 ];
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
diff --git a/secrets/laptop/default.yaml b/machines/laptop/secrets.yaml
similarity index 81%
rename from secrets/laptop/default.yaml
rename to machines/laptop/secrets.yaml
index a590e66..26181d2 100644
--- a/secrets/laptop/default.yaml
+++ b/machines/laptop/secrets.yaml
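Review bot: The new rule's `path_regex: machines/laptop/secrets.yaml` is an unanchored pattern with an unescaped dot, so it also matches any longer path that merely contains that text; anchor and escape it the way the neighbouring common rule does, `- path_regex: ^machines/laptop/secrets\.yaml$`. The context line `kay_groups:` directly below the insertion is a typo for `key_groups`, which leaves the `secrets/common/` rule with no recipients at all; it predates this commit but is worth correcting in the same pass since the new block above it spells the key correctly. Because `secrets/laptop/default.yaml` is renamed in this commit, the earlier rule for that path (outside the hunk) is presumably now dead and could be retargeted instead of duplicating its recipient list here.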
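Review bot: The added `sops = { … }` block in the second configuration.nix hunk has no comment explaining which key is expected to decrypt `./secrets.yaml`, and the combination of `age.sshKeyPaths` with `age.generateKey = true` makes that worth stating: the file's recipients in `.sops.yaml` are `*xin` and `*host-laptop`, so presumably the converted host SSH key is the one that decrypts and any key generated at `age.keyFile` would only become useful after being added as a recipient — confirm and record that in a comment above the block. The block also lands between the networking settings and the time-zone option, right above a dangling `# Setup wireguard` comment; a one-line comment such as `# sops-nix: secrets for this host, decrypted with the host SSH key` would keep the two from reading as one section.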
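Review bot: `networking.firewall.allowedUDPPorts = [ 41641 ];` in the third configuration.nix hunk opens an inbound port with no comment saying what listens on it, and the commit title "try to add secrets" does not explain the firewall change either. 41641 is the default UDP port used by Tailscale, so if that is the intent say so on the line, `networking.firewall.allowedUDPPorts = [ 41641 ]; # tailscale default UDP port`; if it is instead for the WireGuard setup hinted at by the `# Setup wireguard` comment in the previous hunk, name that. Either way the option is better placed next to the service that needs it than inside the generated firewall boilerplate, and an unrelated network exposure change deserves its own commit.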
@@ -23,8 +23,8 @@ sops:
 eXNvMElBbnkxaEVJZ1hRZnZDUmp0WE0KmjdpdtWkxNgwcm3GuGAhO2p8rH/UyGSW
 iJMXAD/FIbbB9e50oSVixg5PFZuqL6ryxFDrj8UgUZozBVXFrlZfBw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-12T14:46:17Z"
- mac: ENC[AES256_GCM,data:2OxHuP8xjwuS999XylcyAXEOhJJY2OGcPbYzE5/9GJZVOv/C5FWV1zRhdauByTcODjUeUYx3n0N4VsT7PlPBLTnKGuW7K9n2Dou0PsPxTOy/NgtUpB4cmpIr/Kflf7uTHTahzRMT5lRmZOA0Z7HggiAYq1fSAo+uRfldkQtk5R0=,iv:t8Oyqrl3XWtgh8IbZzjEyXWRmudLgOeZQgIsFjQBODI=,tag:n0yZMiR1htdYwld3LarK3Q==,type:str]
+ lastmodified: "2023-04-16T05:37:57Z"
+ mac: ENC[AES256_GCM,data:XX17bbc+hGPcsfg7t3S93X22fpydT0N+P8DTpLB4SkVi9anRbNTrldJkIxKNuN3LXKZmdON/BO6x4TMe+wh45yAW1Ds8OD6VTr6IdXYIvvYC5IKt27qd30Cqbed0Q4LSq9mZ97YiRCyxVsNSf+n4rJV+Ufc24LS35Kb3qR5Pia8=,iv:T5BPf9fCLroreDqHGBrWyI1fFYNTWtYx557AnMReQnU=,tag:8qC/yN/erx4mDDO949oppA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
diff --git a/machines/sops.nix b/machines/sops.nix
new file mode 100644
index 0000000..7a73a41
--- /dev/null
+++ b/machines/sops.nix
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
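Review bot: `machines/sops.nix` is an empty module (`{` `}`) that configuration.nix now imports as `../sops.nix`, while the actual `sops = { … }` options were added to configuration.nix itself, so the import does nothing. Either move the sops options into this module so the import carries the shared settings, or drop the import until the file has content. The file also ends without a trailing newline (`\ No newline at end of file`), which most Nix formatters will churn on the next edit.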