Setup example using SOPs.

README.md

@@ -14,6 +14,27 @@ configurations are grouped within a directory specific to each user. As of now,
 this is just `jrpotter`. The `flake.nix` file links the system and user
 configurations together.
 
+## Secrets
+
+Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix) containing
+keys generated by [age](https://github.com/FiloSottile/age) from a pre-existing
+ed25519 SSH key. If you do not have an ed25519 key already, generate one via:
+```bash
+$ ssh-keygen -t ed25519 -C "<email>"
+```
+You can generate an `age` secret key from this SSH key like so:
+```bash
+$ mkdir -p ~/.config/sops/age
+$ nix-shell -p ssh-to-age --run \
+    "ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
+```
+And find the corresponding public key (to be included in `.sops.yaml`) like so:
+```bash
+$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
+```
+and include in the root `.sop.yaml` file to be used when creating new secret
+files.
+
 ## Remotes
 
 Remote machines are hosted on [DigitalOcean](https://www.digitalocean.com/).
@@ -22,6 +43,8 @@ The custom image used by each droplet can be built using the top-level
 A droplet running this image will automatically pull in any enabled SSH keys
 from your DigitalOcean account at creation time.
 
+Each machine must be registered using
+
 Deployment is managed using [colmena](https://github.com/zhaofengli/colmena).
 To deploy, run the following:
 ```bash
@@ -29,10 +52,10 @@ $ cd infra
 $ nix flake update  # If any machine changes were made.
 $ colmena apply
 ```
-Note that colmena requires non-interactivity. If you haven't done so already,
-you'll likely need to add the private SSH key corresponding to the public one
-uploaded to DigitalOcean to your SSH agent. Do so by running:
+Note that `colmena` requires non-interactivity. If you haven't done so already,
+you'll likely need to add the private Ed25519 SSH key corresponding to the
+public one uploaded to DigitalOcean to your SSH agent. Do so by running:
 ```bash
 $ eval $(ssh-agent -s)
-$ ssh-add <ssh-file>
+$ ssh-add ~/.ssh/id_ed25519
 ```

desktop/flake.nix

@@ -3,7 +3,6 @@
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
-
     bootstrap = {
       url = "github:jrpotter/bootstrap/v0.1.2";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -12,13 +11,9 @@
       url = "github:nix-community/home-manager/release-23.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
 
-  outputs = { nixpkgs, bootstrap, home-manager, sops-nix, ... }:
+  outputs = { nixpkgs, bootstrap, home-manager, ... }:
     let
       system = "x86_64-linux";
     in
@@ -28,7 +23,6 @@
 
         modules = [
           ./configuration.nix
-          sops-nix.nixosModules.sops
           home-manager.nixosModules.home-manager
           {
             home-manager = {

infra/.sops.yaml

@@ -0,0 +1,13 @@
+keys:
+  - &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
+  - &server_phobos age1lmx6334s0y2ecfpve00vcjemyechycda2g8c5nnpzs5py2qay9pqx8m3vs
+creation_rules:
+  - path_regex: phobos/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *admin_jrpotter
+      - *server_phobos
+  - path_regex: .*
+    key_groups:
+    - age:
+      - *admin_jrpotter

infra/flake.lock

@@ -72,16 +72,49 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1701568804,
+        "narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
+      "locked": {
+        "lastModified": 1701568804,
+        "narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "phobos": {
       "inputs": {
         "boardwise": "boardwise",
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "sops-nix": "sops-nix"
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-BcLR2La75qG8EVXabtZ0KXq+OYXtBVY8opTxS2qHdrg=",
+        "narHash": "sha256-eJcRqFATORPXB3PXPLiR+5lAJDNiEK+SbpdBkBcS3G8=",
         "path": "./phobos",
         "type": "path"
       },
@@ -93,7 +126,51 @@
     "root": {
       "inputs": {
         "nixpkgs": "nixpkgs",
-        "phobos": "phobos"
+        "phobos": "phobos",
+        "sops-nix": "sops-nix_2"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "phobos",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1701728052,
+        "narHash": "sha256-7lOMc3PtW5a55vFReBJLLLOnopsoi1W7MkjJ93jPV4E=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "e91ece6d2cf5a0ae729796b8f0dedceab5107c3d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "sops-nix_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable_2"
+      },
+      "locked": {
+        "lastModified": 1701728052,
+        "narHash": "sha256-7lOMc3PtW5a55vFReBJLLLOnopsoi1W7MkjJ93jPV4E=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "e91ece6d2cf5a0ae729796b8f0dedceab5107c3d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     },
     "systems": {

infra/flake.nix

@@ -2,14 +2,18 @@
   description = "Configuration of all remote NixOS machines.";
 
   inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
     phobos = {
       url = "path:./phobos";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { nixpkgs, phobos, ... }:
+  outputs = { nixpkgs, phobos, sops-nix, ... }:
     let
       system = "x86_64-linux";
     in

infra/phobos/flake.nix

@@ -7,14 +7,23 @@
       url = "github:boardwise-gg/website/v0.1.0";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { boardwise, ... }: {
+  outputs = { boardwise, sops-nix, ... }: {
     nixosModules.default = { modulesPath, pkgs, lib, system, ... }: {
       imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
         (modulesPath + "/virtualisation/digital-ocean-config.nix")
+        sops-nix.nixosModules.sops
       ];
 
+      sops.defaultSopsFile = ./secrets.yaml;
+      sops.secrets.example-key = {};
+      sops.secrets."myservice/my_subdir/my_secret" = {};
+
       deployment = {
         targetHost = "146.190.127.180";
       };

infra/phobos/secrets.yaml

@@ -0,0 +1,36 @@
+#ENC[AES256_GCM,data:pkTmy1WX4sI6CHkuiMO/873FBuGKjtDyDuqGIY69b7LYXAyOeKU=,iv:CjqG2mlzIieeTJqrwAGklZQ1l7upH4dXTT0aoqKWQFY=,tag:25gMrm0gi21DhgnIdrki4A==,type:comment]
+example-key: ENC[AES256_GCM,data:1ywkHMSLq1aAiZl9JA==,iv:1ip/LHeptLnpYq3O29xjNeDIUZr77xiAdGFmPPKIy3c=,tag:Q5BeX1XS6ySIqKcLv86yrg==,type:str]
+#ENC[AES256_GCM,data:t4SrnsLqfNlxLqoEwuDtameoUYBZ4TpUDYQ2nQ133vEig6MuNgsKVQPs+3J3K3jXSqJHu8TvV9k=,iv:IDhuYa6LnPLREq3TFUBdkkdbFoxWxRuDw4rNYX+Q294=,tag:H+1n+P4NN4/4MHyXjDsOEg==,type:comment]
+#ENC[AES256_GCM,data:DHudM+N5MDuM/tRKFcUNHn1pkSdSzJRgg4ROkAxOlWQy03x6up3MtTCbuZ1gW2aLAA8sHxB3ki1WOLQ6jeU67Hk6DMsP+sOS,iv:p9ry0MmeUXXdtmZYKlqs4dJ9uopHD4Z9YVf25PVKjIc=,tag:3WmKGQyrIpL2Aw+b2ANIxA==,type:comment]
+myservice:
+    my_subdir:
+        my_secret: ENC[AES256_GCM,data:uZOzai2mhtkM,iv:Uo+RuNxwaaMPr56pcNfN7stZXterbvfbhbwr3gyH+PI=,tag:kzQav/0gDRELwdmOMJjn7g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyN0d4VDcvZ085Sm9SL2ZE
+            MW5rUlpNQWdLV3UrVHlkMDFQazRuaGZLUlVVClo4a0ZreVU3MGV4MUovZXZVWm10
+            dTZ3OEc4ZlJqQ21TYmJEc2FJNDAyazAKLS0tIEZxVzk4ZEo3MjFHMVZDV0JTWmRo
+            YzRDWjZ2ZFlQdEw5N2N5SG9oVDdPMFkKHPz6J4TL6lPSH1a806iVBrgJUnV297uh
+            1sacjMW5ncEktozngq7gqQnrKEfapYqq3rAVpxGLY3C6mxwPDTgT5g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lmx6334s0y2ecfpve00vcjemyechycda2g8c5nnpzs5py2qay9pqx8m3vs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYmtQcWF5Rm50MWxQYjRB
+            bHBYK25BMThvN3Ivd1JxSTJKOThxS0N6TEZFCnVvS2RKZEQ3WEpCN1V6ekd3Sjhv
+            N0UwbUJTck9PSXhDcGI3aDNUYmNPVVEKLS0tIDBuc2xmdEpYZVZpbGczQ2RlRS9U
+            YXV1UEl0Q3RTZSt0ak1sU3BkcFIwdWcKwfNMcaDdud0Ve+ibJq5bRc63hiDgaTp9
+            5GKaIaU4TOkB2K3/N8DIU3KW0scl+5foWTaQbrVSMy9x31H0jTdlgQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-08T18:51:48Z"
+    mac: ENC[AES256_GCM,data:/pnQDn4ADDkyYNRYAMzOnxc6HkyJ94izk8Em+v6oY3oKEw8m0I51ClS1glaXTL+FFocYnKAu/TuuX49QI8mnY3qhHrg1s2ruGtjRhDJGEvsCCgK6BcuclktTS7r046rRa7S0kahotI9C9ZHKilRoc5tTGNVKnGg+Xq+zG2ch6Cc=,iv:muBqr7RR0taT9VYwZoBMJn76kc5Zk0h6d8vcZJOxwT8=,tag:wF/6Q6fkDzyJ+XtEB9Vzog==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3