diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..66469cf
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
+ - &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - pgp:
+ age:
+ - *admin_gaspard
+ - *server_ovh
diff --git a/hosts/OVHCloud/default.nix b/hosts/OVHCloud/default.nix
index 7906b15..e3269eb 100644
--- a/hosts/OVHCloud/default.nix
+++ b/hosts/OVHCloud/default.nix
@@ -9,6 +9,7 @@
 imports = [
 ./hardware-configuration.nix
+ ./sops.nix
 ];
 # Nix
diff --git a/hosts/OVHCloud/sops.nix b/hosts/OVHCloud/sops.nix
new file mode 100644
index 0000000..edbc448
--- /dev/null
+++ b/hosts/OVHCloud/sops.nix
@@ -0,0 +1,23 @@
+{config, ...}: {
+ # This will add secrets.yml to the nix store
+ # You can avoid this by adding a string to the full path instead, i.e.
+ # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+ sops.defaultSopsFile = ../../secrets/OVHCloud.yaml;
+ # This will automatically import SSH keys as age keys
+ sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+
+ sops.secrets."caddy/ovh_endpoint".owner = "caddy";
+ sops.secrets."caddy/ovh_application_key".owner = "caddy";
+ sops.secrets."caddy/ovh_application_secret".owner = "caddy";
+ sops.secrets."caddy/ovh_consumer_key".owner = "caddy";
+
+ sops.templates."caddy.env" = {
+ content = ''
+ OVH_ENDPOINT=${config.sops.placeholder."caddy/ovh_endpoint"}
+ OVH_APPLICATION_KEY=${config.sops.placeholder."caddy/ovh_application_key"}
+ OVH_APPLICATION_SECRET=${config.sops.placeholder."caddy/ovh_application_secret"}
+ OVH_CONSUMER_KEY=${config.sops.placeholder."caddy/ovh_consumer_key"}
+ '';
+ owner = "caddy";
+ };
+}
diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml
new file mode 100644
index 0000000..b498669
--- /dev/null
+++ b/secrets/OVHCloud.yaml
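Review bot: The key group under `creation_rules` carries an empty `pgp:` entry next to `age:`, which reads as a leftover from a generated template rather than a deliberate choice; drop the line or, if PGP recipients are planned, add them so the group states its intent. As written both age keys sit in one group, so either key alone decrypts every file the rule matches — the usual arrangement for an admin key plus a host key, but worth a one-line comment such as `# one group: admin OR host key decrypts; separate groups would require both (shamir)`. The `path_regex` is not anchored at the start, so it also matches any nested `.../secrets/*.yaml` path; prefix it with `^` if only the top-level `secrets/` directory is meant.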
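Review bot: Nothing in this hunk consumes `sops.templates."caddy.env"`, so the rendered env file will exist but caddy will not see it unless the service is pointed at `config.sops.templates."caddy.env".path` (for example through the unit's `EnvironmentFile`); if that wiring lives in another file, a comment naming it here would help the next reader. The four `sops.secrets."caddy/*".owner = "caddy"` lines additionally expose each raw value as a separate caddy-readable file; if caddy only reads the template, the per-secret entries can keep the root-owned default and exist just to back the placeholders, e.g. `sops.secrets."caddy/ovh_endpoint" = {};`. The header comment mentions `secrets.yml` while the file actually referenced is `../../secrets/OVHCloud.yaml`; aligning the comment with the path avoids confusion about which (encrypted) file lands in the store.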
@@ -0,0 +1,34 @@
+caddy:
+ ovh_endpoint: ENC[AES256_GCM,data:VkchYxz0QK8=,iv:NufvzW2DCt2HE9rr3knzEP5urUtY+lhjNbVgy+NXSz4=,tag:EWwNRkx5VSuB4pgJ+JmBXQ==,type:str]
+ ovh_application_key: ENC[AES256_GCM,data:jq4=,iv:0Q+ZWrimJdbjqFeOD7cLjB6QeCAcfbp0FU/xC06uSto=,tag:n7jhp8xAQ73bmdNXPXx+jA==,type:str]
+ ovh_application_secret: ENC[AES256_GCM,data:9YAF6xVN,iv:Rb/Bv33N4Gyxu4XNrDz5VuLT+aTojT3WoVJf+gyxDBk=,tag:nXWQRjfORJV6/CqFQpGmxQ==,type:str]
+ ovh_consumer_key: ENC[AES256_GCM,data:lwP6/kHp,iv:oNs4QuCqOSrawXGdEG5QO2ATTKqjg1x6C1SzRbgWm2E=,tag:piTViTsKIsp+SJ+P7a8znA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqckxiTmx3Rm12ZFJ2ZXBn
+ VVdOeCtWeE5xZGExOE4wTFliOGlqWWpWSFNBCmFSWS9MQmt1TWg4VFJzZmNpdStv
+ dThvSFlPSjk0dHZGTlEraldHSklDUkkKLS0tIFVjbFliTFZjUlkrejR2RnAwVTRU
+ U0NEaEpLREVNMUlxUFNIbTVKaUpoc1EKRC6skQPEMA4odk3yD66bqPa/2rvLGztx
+ FTwwdJuE1CXaErwtt7wOfMsb3c9HhpT2R+c76woP20+VsMJdrwdeHg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSLy8yZlBuUU5QRXptZmZQ
+ UzlLUmxSblpFVCtFdE4vWmUreThhT090aEFrCkV6b2FaVy83QnBTZTVrcWE2RGNE
+ VldUZVkveUl5bnFLZzRBR0JCWGhseEUKLS0tIDNZeGczT1BxV21VcnFmSkN0V09P
+ MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
+ y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-26T13:50:20Z"
+ mac: ENC[AES256_GCM,data:swF5s4D2zyO1sRxoZnYQ5oNx9psl5YjW0afuozdqODObUvkVfHo5IClRZ3EOMsly5Hvr5If04TBVf2/qTQv7SVVr1jUpyVnirgY6l8SH/Fvp2JWYdgUYRUR9wdzTDfqmYwf+vIxP2o7kPKpVg4Ek0ipewIf/3XHfiFfKmDCea5c=,iv:VKsbK9gfdj68Xr44v2oL4YoljRfyyF+53s2bdyedPwA=,tag:8hQ8pHctHJa0Jbgk0ZChGg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
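Review bot: The ciphertext lengths under `caddy:` suggest these are placeholder values rather than real credentials — AES-GCM preserves plaintext length, and `data:jq4=` for `ovh_application_key` decodes to two bytes, `ovh_application_secret` and `ovh_consumer_key` to six bytes each, `ovh_endpoint` to eight, whereas OVH application keys and secrets are typically much longer. If they are stand-ins, saying so in the commit message (or a short comment next to `sops.defaultSopsFile` on the nix side) keeps a later reader from assuming the host is already provisioned, and is a reminder that an encrypted file still reveals value lengths. The two `age` recipients match the anchors in `.sops.yaml` and the path matches its `path_regex`, so `sops updatekeys` should keep this file in sync. This hunk's file header sits on the previous line; the hunk itself is complete here.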