From 65e1d5ee28e07ef94462ca512dee97e1680fa3b4 Mon Sep 17 00:00:00 2001
From: mjallen18
Date: Tue, 27 May 2025 15:16:43 -0500
Subject: [PATCH] deck sops
---
 .sops.yaml | 4 ++
 hosts/deck/configuration.nix | 1 +
 hosts/deck/sops.nix | 44 ++++++++--------
 secrets/secrets.yaml | 98 +++++++++++++++++++++---------------
 4 files changed, 85 insertions(+), 62 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index a881e9b..2b43880 100755
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -8,6 +8,8 @@ keys:
 - &jallen-nas age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
 - &pi4 age1ykkjw57t3z3deup3gtp7dujyaslskn74e0d9hsmqaha2pj3rvazqgndw5a
 - &pi5 age1t2d5scrukk0guva5sr97a8tge5j8kd865adezrcru7p269pzwvpsamkgje
+ - &deck age1c8qw59ffcq9l77gfmtyc3djtvt3md0u6dwhrjcgsm98ntyf72ufqugj7cg
+ - &steamdeck age1er5qucsc2mugrzrr7n3xhzv7kemkrqrw4m84r544fkk7nkg5g5eswxkqj0
 creation_rules:
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
 key_groups:
@@ -20,3 +22,5 @@ creation_rules:
 - *jallen-nas
 - *pi4
 - *pi5
+ - *deck
+ - *steamdeck
diff --git a/hosts/deck/configuration.nix b/hosts/deck/configuration.nix
index 24196cd..9a36a2c 100755
--- a/hosts/deck/configuration.nix
+++ b/hosts/deck/configuration.nix
@@ -11,6 +11,7 @@
 ./boot.nix
 ./jovian.nix
 ./hardware-configuration.nix
+ ./sops.nix
 ];
 nixpkgs.config.allowUnfree = true;
diff --git a/hosts/deck/sops.nix b/hosts/deck/sops.nix
index 6e0574d..692c861 100755
--- a/hosts/deck/sops.nix
+++ b/hosts/deck/sops.nix
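Review bot: In `.sops.yaml`, `*deck` and `*steamdeck` are appended (second hunk) to the same recipient list as `jallen-nas`, `pi4` and `pi5`, which appears to belong to the `secrets/[^/]+\.(yaml|json|env|ini)$` rule, so a portable device's keys can decrypt every value in `secrets/secrets.yaml` rather than only what `hosts/deck` consumes. The start of that rule is outside the hunk, so confirm which rule the list belongs to. If the deck needs only a subset, a separate creation rule whose `path_regex` matches a deck-only file would keep the other hosts' secrets out of its reach. Two recipients are added for what looks like one host and nothing says which is which; a comment above the anchors such as `# deck / steamdeck: <which key each is, and where its private half is stored>` would help, and an unused key is best dropped before merging, because removing a recipient later is only meaningful after rotating the data key and the secrets themselves.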
@@ -36,28 +36,28 @@ in
 # ------------------------------
 # SSH keys
 # ------------------------------
- "ssh-keys-public/desktop-nixos" = {
- mode = "0644";
- owner = config.users.users."${user}".name;
- group = config.users.users."${user}".group;
- restartUnits = [ "sshd.service" ];
- };
- "ssh-keys-private/desktop-nixos" = {
- mode = "0600";
- owner = config.users.users."${user}".name;
- group = config.users.users."${user}".group;
- restartUnits = [ "sshd.service" ];
- };
- "ssh-keys-public/desktop-nixos-root" = {
- path = "/root/.ssh/id_ed25519.pub";
- mode = "0600";
- restartUnits = [ "sshd.service" ];
- };
- "ssh-keys-private/desktop-nixos-root" = {
- path = "/root/.ssh/id_ed25519";
- mode = "0600";
- restartUnits = [ "sshd.service" ];
- };
+ # "ssh-keys-public/desktop-nixos" = {
+ # mode = "0644";
+ # owner = config.users.users."${user}".name;
+ # group = config.users.users."${user}".group;
+ # restartUnits = [ "sshd.service" ];
+ # };
+ # "ssh-keys-private/desktop-nixos" = {
+ # mode = "0600";
+ # owner = config.users.users."${user}".name;
+ # group = config.users.users."${user}".group;
+ # restartUnits = [ "sshd.service" ];
+ # };
+ # "ssh-keys-public/desktop-nixos-root" = {
+ # path = "/root/.ssh/id_ed25519.pub";
+ # mode = "0600";
+ # restartUnits = [ "sshd.service" ];
+ # };
+ # "ssh-keys-private/desktop-nixos-root" = {
+ # path = "/root/.ssh/id_ed25519";
+ # mode = "0600";
+ # restartUnits = [ "sshd.service" ];
+ # };
 # ------------------------------
 # Secureboot keys
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index fa16413..6de0ea4 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
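Review bot: The four `ssh-keys-*/desktop-nixos*` declarations are commented out rather than deleted, which leaves 22 lines of dead configuration under the `# SSH keys` header and no record of why the deck does not deploy them. Deleting the block and leaving one line such as `# SSH keys: desktop-nixos keys are intentionally not deployed on deck` would read better, and git history keeps the old definitions. Commenting the entries out only stops sops-nix from writing the files on this host; if those keys are stored in the shared `secrets/secrets.yaml`, the deck recipients added in this commit can presumably still decrypt them, so this hunk is not an access restriction. The enclosing attribute set starts and ends outside the hunk.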
@@ -103,74 +103,92 @@ sops: - recipient: age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRFQyQWVDYnd6MlNHUU83 - SUlvQ05FZDBMNmxRdkZpMS9vN1E1S0w1TW1ZCnN2Mm16Vyt0ZzRTQmhGbUNZeDNW - eDcwa0FtQlQvYkc0UUVybnpyWHN6Tk0KLS0tIFR0SHByc3BoVzI3QmJKT1dINjBN - ZXRoeS9TUGZDSzIzYy9qdHRXUWN6TVkK/BWAbun7pwW9dqKQ7SuTyRlri6ttBlR4 - j6kovkyqLNPdcZCZ8Sgxqo7RGdCHFmkmjms06tsfjFNxrNMySIbdhQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHczFweU5Zb0g3a0JNY0E2 + ODU2TnYrZFl6UHZub0IrZ3ZDTmZzb2NtaFhFCmxCYUU0bnVNaFgzd0VYM1F0YWc1 + TnVVN2l0a3pydDdLR21mK0VrYURicTgKLS0tIC9BSnBRLzJQQVJweFRZYXdvQkRH + UU95ZDdIZ1kzN29oMmRDcFV2WmVnSU0KRb6msqKVymmbPomXb3nk91TE/cFz2Ghp + L75yiYHSmTjWkCN3XbTETxvCBUkPCVWq4Eeiac4XKbTCZfy8thzYmA== -----END AGE ENCRYPTED FILE----- - recipient: age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCcU5lbUMzU04wZUNaUkph - QjdtUHRsK0VqNU1WT3Zja1Avdlk4UTQrWHlRCkYwRXMySHBJRVhycGF3N2dzSTB0 - RVl5enpxZE1sSnBxTm5jR3dXRk8xNVEKLS0tIFdZOGNQZHJnTWM2VTJ3MjNkTi9m - eFFId1B4Q0FXWWxaM3lXcnF0ZWFLSzgKj1mt6ogp+c81mQPK+j0wvD+7YdHxxixB - uWOHd8zNTFIruRfOU9sYf7Ghwahbag2MWdRyH4ytRjgM5qxct2MPKg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWGhHdDhmc2x0TE5BN1VT + TVR2QWNnWEQ3ODI3eTdtN2doNmFvWDhGUUJBClkveWZYRFNJNTduUHpSSVR4eHVO + K2Nzam5QU0IxQi84cHVEM253MmlmTHMKLS0tIDQ2bnRlV2VWOVhRR1E1NW53VzFp + V0ZWN0ZPOGtKYjlpOGpSWU9aTmRjeWcKqa+D/8Y4X+40WryFSEUGcOe2w8Id+K94 + 2S4TsSpNpuFQoZ5VrF29J2VdAhbhoDNCZAMy3QiwMDiUoOa+CfRA2A== -----END AGE ENCRYPTED FILE----- - recipient: age1wpvfpv5n32lruk7c0da4uaeapsmhjxdvg8z4ljehn06l6g2y0e0sum404l enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQmo4aWU4SGlBZWZ4Ynpm - YVNydHRjNmJVR0R6SnNIK0szWXFGUmJTeEhRCjZIU1htVGQxTFp2bGZHeFpzSlJL - elhwVUhIZjEvT1Q0aUtjbU15ZGU5S2cKLS0tIHE4SmR4Mm9jM0ROcnF5Wnl6MWpP - 
azFoc0h3U1dNa3Z6ZU5FdXE3UVZYSzAK4Ge42ceCmP0PA8cSJRp7bRTb5iLA/TWN - Z4cD8Azdn1Xx9HYZJ+T7cLmqXzi5as2p4nf7O7y+UV5KI1+VV/oboQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSCtpT2t6VGcrYjRsbEJ3 + OXdUZzdzeWNFTGhWMUpjU1RMWjBpZ2R0U0RZCjJFWWJjdkpyNGVGZXA1Tmpka2VV + UGdEY1hlKzQ0YVRKUEdyeW1ZVkpOVzAKLS0tIHArWnR6c1ptaFlHZkUxaFRCVWsv + NzcyVkdqcHJ3L0lNSXVZSGtxdE5tL1EKSv+iig3l6ffZTnPR+SDaffQOJDOiF1Ss + E7MC7V5mAZxeMyzZ5A7boiKBLIJkpLAFUunLuzOeM0ifUy7B/Vrr1Q== -----END AGE ENCRYPTED FILE----- - recipient: age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1K2Y0QzFxdWg2N3lDNVYz - TzZ2WTRBMjRFWjUxOHhjTUZNQW4vQ29aZmdjCnhTb2J3RDlsbmNGWmRzYlFueFpB - NDJXMC9aRXVrcVAzeG56S0hEVGgrQVEKLS0tIHlMZ0NkdzNYNURYbGtrK0Ywb05W - b3dweDR6b3pHUGxNTUZJTnluVXkwTDgKbIUMRg2OuEhlJNLDHZHHnCydMWiUaDbG - noSFkVPlb51LKU1kge5Vo6xGAul3tH0CAww/5kG60LbHKeQS76onQQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkY2QvODdCTjF5UjMweTdO + RVpMUGs3dE0wZGVWN2FlYjJKRkF0WUhZekJjCklWOVJJaVduZmlYeHVYL1lJWXov + OURVenpDaHVtM3dmd3NjTmE2Smg4S3cKLS0tIG8yLzZrdXdqcmppUmRwdHlJOUFL + cVJxOG1ZN2VJWExRTjlzN3N5L1c5U0kKRz8+om//JIQ3+0bLvQfsdmb9wj0lxJdi + BCLcDrTyf/QKZtecXaU+eJV4OZb5JFYTt/5eEoqXxliYxXmgEpjSqQ== -----END AGE ENCRYPTED FILE----- - recipient: age1pm3fehmmk0vmnrscz9vm96rakn46aaldr5ydpscmde3v9x0k3faswwdzxs enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVHprYzlFVWc4RWhDdnlr - ampReXFFZGduOCtiV0FGT3YzVVFWaGhGMFZFCm85aXBWM0JvSnU0WEJmb0xkQ2Yx - Qm5NYUViMzhWVFJFcGhKYmoyWUJsV28KLS0tIEQyRFlhMGVLUGhZTi9rRUNCWExQ - T2MrTGVmTjhSVDVibHg1L084VFIydVUKibkSm36F2eXo3h7Naj7+h3rMVn8vfJns - 1j9B4eWi7nh/B0INK8Si6mgSTAx/3sOUw+OWHjG1y1GAA1xF+bEJ1A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0OUVCWENST3B2N2VadStC + UGtjR08xUmxiQThPTm9vSHk2MzNWLzFyOG1rClI3Y2doMGtSWWJvSVZ6aHB1UUdr + SVlYbWNSejEvR0k5czZBa1VNTDhmODAKLS0tIDB6NmhsbHdMTm1nYnJkTnA1OXdp + 
U2VwZVBrTmRDZ1UxNW90TFI5V3BYc0UKnQt1MC30gqSvXq3hrTxZDt83qm4ImSyF + lK0iJZnEMy7aU7HA9+TYLspxQeQDS9AR7KJipfpERg8q1VhQloIsCQ== -----END AGE ENCRYPTED FILE----- - recipient: age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWWkwTjdzZ2N1cEFHWmV6 - Ukk5dnBaalA2SkJ2SzVrcHlIdWFUQ3dtUEJJClIzandJcktkZ3VIZXRQblBja1p1 - TWtVbmtJSWl0dmpFa2RIQmdkclVuOE0KLS0tIElrc05tNGY1dndIUlJmZXlkbmZF - a1dnR1ZCTHEzbUljdVl3QXBaTThPVHMKi4rHbmK9mhmTuCvuM1HidnR9hU1ykncc - 5etozYpcyaPLELZr29zPlCIMnlPW12blz2kGA1qlKdoKm1PIIQ0Pdw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDaUhmSEtTTm5TeVFDcW10 + Ly9NekdXcjVxNmNYZVpBS2UvcEt0azRWNURFCmVDbExRMkVQRXNGTU5MZGdDNElM + THMwY3poaEhSN1MzaFdMRVF6N3dZYnMKLS0tIFdwdU9RVnZ0NTRZdzFtckI5c3NW + TXY1OFFBa1M3ODh2cHlpMzlFV2trU00KrS2Z7GeFJMz1DLtWdsBivkCN9lwePUxq + +d6HPbrOHL+djKWnmTY4Q2Q811WYFZSccZKdBM5nz4YvtFV1utewQQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ykkjw57t3z3deup3gtp7dujyaslskn74e0d9hsmqaha2pj3rvazqgndw5a enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFVhVHk1Q2ZFS3d5SFN4 - SWxRdUxXQTZQdWRnMDhVK2RqOW5Xd0dnZUFNCmNTdzF4clMrRitIZFRMOGZFaXdB - VXJDZTNKZ2tKOThveGRzYnY0UGFwZEEKLS0tIFlwdnNJa0gwYU9GWnBvYndhVTFD - bWRNcnVCMWJFa2VUbmxtMGFPcWpDVTQKwdJJA/5Ko5dXEbP2sUJbjOddIkYs6G4L - CURKzdVmfvXu1nvJ4C+jDXnZ9YZNv7iTQRrhOnK2a6j4HEd/lQUD9Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cnpaeFR2aGVUL0RrVzdZ + eENHQ0RMdE9RYkh4d2tlL1BzR2VEenRhVGtJCndXWG45VFVJYkN0TmducmxkUU8z + c3RNQTZYOTZDcTJ4ZkFoMk9RN1B4UEEKLS0tIEt4alAxbE1nOTJ4UGRHSzdSMFQy + V3hrQ2R3UEJNNStYMjV6Wjh4d0M5ZkkKwHBbJCSVh5wFeyNGEkeR0SWr8RSI0IL/ + GYlSgizXf7rnQa1lrepAw11EsP37OmBAw9ywt/YgI/GiIo0iKb+2ZA== -----END AGE ENCRYPTED FILE----- - recipient: age1t2d5scrukk0guva5sr97a8tge5j8kd865adezrcru7p269pzwvpsamkgje enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETkZVVGxHcUlaZnBoZGxH - 
YkNjQVEwZ3JxTEp3dG5lUlRJUFNGRitQRXo4CkR3NG83MlY5SGhQNkhFaFVjWWR1 - M0V0MkxOU0hod0luQ1B0YlEvWml4UTQKLS0tIHVyL09mWjE1MEcyczQ0OGp3WXYv - TkdNc25CSGVkSmJsZW0xc0hRK05SV1kK9kKvR2slhnKAUUQcQ/3mJ79PfrrTLyfL - IuEG3xwGQvwIISdSM5KOFEVYLe98N1+W3GYRPwqGTac8MG+vyXlirw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Z2tzaDNnNkVLSDc3RG91 + enpWMG13UDZmSlRJWUU5UzNYOEI3SXQ5SFNzClFZdWMwWXA5TWltMDZhRTlaeDRo + Vk4wcGc4RVZ1SnMrNExFQkhIRVlxRFUKLS0tIEI0Vy94QjU3bEg2dHdXNWZoWnJz + ZDZLMDNYOHJjMm9IWXExMnpvUFNPRmcKHjJbGTig7VCjtsgIwdBVNdxLCywWu297 + T3UP8w30Vv4P3FGo7FbiC0GYX1zVrY47bi0RgcJS0/7EcvRF63u7MA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1c8qw59ffcq9l77gfmtyc3djtvt3md0u6dwhrjcgsm98ntyf72ufqugj7cg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCdzBJVEtKclNqTHZ6bzN0 + RzRxN1ZuMGUvcnRDakIvalFMRGtUL0VSTGtnCnpQZERVZWF6RmVvTHlrTUNYU002 + ZjYyNmpOV0IwUHBpQ2lldHFULzhYR0UKLS0tIE16TGpNWGdMNU5jZTl1Zm80OWw3 + Z1VCTHcvbnIwTDhJNTNqUmVCdjlsRm8KReUkvf6QUcQ2v7c2P+4ArxghuSBwHzs8 + vx///NUPViautzBaMBiOyw318aG1I/ThnutYTBqBSqHWsb7A1sf+Yg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1er5qucsc2mugrzrr7n3xhzv7kemkrqrw4m84r544fkk7nkg5g5eswxkqj0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSWkyZzdwNDJuSmdHeERi + YXN2aXRyUE9UTFl3aWg0WHozTnBEeGNUZnp3CnpEUXUvbHJtajVXTDhqbFIxYVk5 + NG9LQ0Q2NG9HNVFBQklOaU9RdVNHamsKLS0tIEh1YnFrUXBVZGlNcDc5WkVndjk4 + THgvY1JGS3gwNUdhSXVEd25kcndFbEUKvTRzMYgIsYxK0Kmbq8JhpwAjqzX5AC87 + 5pnLllSogskDIHNmKga+WiL2FyZtkFXW7x4jGW+oOLdZ5mWxAt8yJg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-05-18T23:58:00Z" mac: ENC[AES256_GCM,data:nvQuAwSP2We341SLYBsMIVGwHFtog1Qd0Bpm5mCsiET9aMFV0xsXcdxJiHg+xo2dxdkW6l/H0eQRQnRk1RJ0XK7QsxpJebWy4ryRFXmdn8dCwybtROIQyHuB8ict97mlhDNigu9q6h+e97J0Uvo5E8qNbn76S9L54E5IPJOzlvI=,iv:L4uhNCeRZ7va6LrL/vDEvUDHfa2E6OFJnhE4+TyKw14=,tag:r3UXhMl1EWCaRRjI2q4gcA==,type:str]