try to add secrets

2023-04-19 14:16:39 +08:00 · 2023-04-19 14:16:39 +08:00 · 71b20209b2
commit 71b20209b2
parent 9dd2c42726
4 changed files with 19 additions and 3 deletions
--- a/machines/laptop/configuration.nix
+++ b/machines/laptop/configuration.nix
@ -13,6 +13,7 @@
      ../vscode.nix
      # ../dnscrypt.nix
      ./secret.nix
+      ../sops.nix
    ];

  # Bootloader.
@ -33,6 +34,14 @@
    resolvconf.useLocalResolver = true;
  };

+  
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    age.keyFile = "/var/lib/sops-nix/keys.txt";
+    age.generateKey = true;
+  };
+
  # Setup wireguard
  # Set your time zone.
  time.timeZone = "Asia/Shanghai";
@ -270,7 +279,7 @@

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
+  networking.firewall.allowedUDPPorts = [ 41641 ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

--- a/machines/laptop/secrets.yaml
+++ b/machines/laptop/secrets.yaml
@ -0,0 +1,30 @@
+gmail: ENC[AES256_GCM,data:CajGtLth9OWLc4OHvRB2WIf9h8Fz4A==,iv:8VpGHDn06sDsTwsIVSHf9teRLNWx3hmQJ7Qml5ovjoo=,tag:dVIgRQ9LjSWSe/6QdCVUyA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1n359y6qkgzypu0lkcy66pfpneskul35xyhrzz3qumjsmeyp2wsuqq0df49
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNmR1LzJkZUxHcnRsV0Nj
+            RVRJZ3lZWmhzWFkyM3M5ZHZyZGo5OG0xZmpJCkVEd0VmNVNDejlDY0pYcmNHMjB0
+            a1d0UDVQRFFCUUxFMXh2UlBGc0RRZk0KLS0tIFpJRVIvM1Q3NG02ZEk2MEdsYmkz
+            YU9zMzJCcDVtRGdOWXNSMGpCcUNneDgKUDVNx2OjyOSRzMqhmFkBx3do4VrNO/fw
+            tFk4EzayyNoRAd5Ch/XfAccGwLceNhvMPZYxcB0hZljZM5u3g3JPtQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age179ldmg92wqsspgujc70hujfgttw0ljxkh7g86w8rqzywx0f7psysrk0cfn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVFg0OEFSMHJYTjZxNUM0
+            ZmY0NUU0c3pNK1d4ak0wcmYrRTN1TEcyakZRCnBLNzNxNm5YWk9kNzZqL0dHMkhG
+            UXA1bDY4QVg2K3d6eVBpWG1ybHN2VDAKLS0tIFJpSTk4cFZKeTVkd09sN3NmQzc1
+            eXNvMElBbnkxaEVJZ1hRZnZDUmp0WE0KmjdpdtWkxNgwcm3GuGAhO2p8rH/UyGSW
+            iJMXAD/FIbbB9e50oSVixg5PFZuqL6ryxFDrj8UgUZozBVXFrlZfBw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-16T05:37:57Z"
+    mac: ENC[AES256_GCM,data:XX17bbc+hGPcsfg7t3S93X22fpydT0N+P8DTpLB4SkVi9anRbNTrldJkIxKNuN3LXKZmdON/BO6x4TMe+wh45yAW1Ds8OD6VTr6IdXYIvvYC5IKt27qd30Cqbed0Q4LSq9mZ97YiRCyxVsNSf+n4rJV+Ufc24LS35Kb3qR5Pia8=,iv:T5BPf9fCLroreDqHGBrWyI1fFYNTWtYx557AnMReQnU=,tag:8qC/yN/erx4mDDO949oppA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/machines/sops.nix
+++ b/machines/sops.nix
@ -0,0 +1,2 @@
+{
+}