feat: add sops

We've previously used SOPS for our secrets management and liked it. We
did, however, find the configuration was a bit annoying to do. In aid of
this, we've made a SOPS module that we find makes it a little easier to
make the sort of configurations we want without creating so much mess.

We haven't set up scalpel/equivalent yet - we intend to avoid it if at
all possible. It isn't necessarily out-of-scope but it isn't included in
our current SOPS plans.

Change-Id: I35b9c7e94c12a4f1360833026efe06803d59626e
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/725
Reviewed-by: Samuel Shuert <coded@clicks.codes>
Tested-by: Samuel Shuert <coded@clicks.codes>
diff --git a/.sops.nix b/.sops.nix
new file mode 100644
index 0000000..78271c5
--- /dev/null
+++ b/.sops.nix
@@ -0,0 +1,63 @@
+# SPDX-FileCopyrightText: 2024 Clicks Codes
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+nixpkgs:
+let
+  keys = {
+    users = {
+      coded = "BC82DF237610AE9113EB075900E944BFBE99ADB5";
+      minion = "76E0B09A741C4089522111E5F27E3E5922772E7A";
+      pinea = "8F50789F12AC6E6206EA870CE5E1C2D43B0E4AB3";
+    };
+    hosts = {
+      # nix run github:Mic92/ssh-to-pgp -- -i /etc/ssh/ssh_host_rsa_key
+      a1d1 = "67c66d58ac73fd744c2b49720f026aad93752d6a";
+    };
+  };
+in
+{
+  creation_rules = [
+    {
+      path_regex = ''.*\/a1d1\/.*\.sops\.(yaml|json|env|ini|([^.]\.)*bin)$'';
+      pgp = nixpkgs.lib.concatStringsSep "," [
+        keys.users.coded
+        keys.users.minion
+        keys.users.pinea
+
+        keys.hosts.a1d1
+      ];
+    }
+  ];
+}
+
+/* A1D1
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=A4oI
+-----END PGP PUBLIC KEY BLOCK-----
+*/
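Review bot: In the `path_regex` of the single creation rule, the group `([^.]\.)*bin` only admits one-character segments before `bin`, so a name like `x.sops.a.bin` matches but `x.sops.key.bin` does not and would fall outside every creation rule. If multi-character intermediate extensions are meant to be covered, `([^.]+\.)*bin` expresses that. Two smaller points: the `hosts.a1d1` fingerprint is lowercase while the three user fingerprints are uppercase, and using one case throughout makes the list easier to audit by eye; and the trailing `A1D1` public key block would benefit from a one-line comment saying how it relates to the `hosts.a1d1` fingerprint and how it was produced, next to the `ssh-to-pgp` command already noted above the fingerprint.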