Compare commits
2 commits
86a896c688
...
84225a9a71
Author | SHA1 | Date | |
---|---|---|---|
|
84225a9a71 | ||
|
a9e075ed8c |
6 changed files with 114 additions and 1 deletions
10
.sops.yaml
Normal file
10
.sops.yaml
Normal file
|
@ -0,0 +1,10 @@
|
|||
keys:
|
||||
- &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
|
||||
- &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
|
||||
creation_rules:
|
||||
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
|
||||
key_groups:
|
||||
- pgp:
|
||||
age:
|
||||
- *admin_gaspard
|
||||
- *server_ovh
|
40
flake.lock
40
flake.lock
|
@ -364,6 +364,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1725762081,
|
||||
"narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-24.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1726243404,
|
||||
|
@ -392,7 +408,29 @@
|
|||
"hy3",
|
||||
"hyprland"
|
||||
],
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1726524647,
|
||||
"narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
|
|
|
@ -23,6 +23,11 @@
|
|||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
# Hyprland
|
||||
hyprland = {
|
||||
url = "git+https://github.com/hyprwm/Hyprland?submodules=1";
|
||||
|
@ -43,6 +48,7 @@
|
|||
nixpkgs,
|
||||
disko,
|
||||
deploy-rs,
|
||||
sops-nix,
|
||||
home-manager,
|
||||
...
|
||||
} @ inputs: let
|
||||
|
@ -64,6 +70,7 @@
|
|||
modules = [
|
||||
./hosts/OVHCloud
|
||||
disko.nixosModules.disko
|
||||
sops-nix.nixosModules.sops
|
||||
home-manager.nixosModules.home-manager
|
||||
];
|
||||
};
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./sops.nix
|
||||
];
|
||||
|
||||
# Nix
|
||||
|
|
23
hosts/OVHCloud/sops.nix
Normal file
23
hosts/OVHCloud/sops.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
{config, ...}: {
|
||||
# This will add secrets.yml to the nix store
|
||||
# You can avoid this by adding a string to the full path instead, i.e.
|
||||
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
||||
sops.defaultSopsFile = ../../secrets/OVHCloud.yaml;
|
||||
# This will automatically import SSH keys as age keys
|
||||
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||
|
||||
sops.secrets."caddy/ovh_endpoint".owner = "caddy";
|
||||
sops.secrets."caddy/ovh_application_key".owner = "caddy";
|
||||
sops.secrets."caddy/ovh_application_secret".owner = "caddy";
|
||||
sops.secrets."caddy/ovh_consumer_key".owner = "caddy";
|
||||
|
||||
sops.templates."caddy.env" = {
|
||||
content = ''
|
||||
OVH_ENDPOINT=${config.sops.placeholder."caddy/ovh_endpoint"}
|
||||
OVH_APPLICATION_KEY=${config.sops.placeholder."caddy/ovh_application_key"}
|
||||
OVH_APPLICATION_SECRET=${config.sops.placeholder."caddy/ovh_application_secret"}
|
||||
OVH_CONSUMER_KEY=${config.sops.placeholder."caddy/ovh_consumer_key"}
|
||||
'';
|
||||
owner = "caddy";
|
||||
};
|
||||
}
|
34
secrets/OVHCloud.yaml
Normal file
34
secrets/OVHCloud.yaml
Normal file
|
@ -0,0 +1,34 @@
|
|||
caddy:
|
||||
ovh_endpoint: ENC[AES256_GCM,data:VkchYxz0QK8=,iv:NufvzW2DCt2HE9rr3knzEP5urUtY+lhjNbVgy+NXSz4=,tag:EWwNRkx5VSuB4pgJ+JmBXQ==,type:str]
|
||||
ovh_application_key: ENC[AES256_GCM,data:jq4=,iv:0Q+ZWrimJdbjqFeOD7cLjB6QeCAcfbp0FU/xC06uSto=,tag:n7jhp8xAQ73bmdNXPXx+jA==,type:str]
|
||||
ovh_application_secret: ENC[AES256_GCM,data:9YAF6xVN,iv:Rb/Bv33N4Gyxu4XNrDz5VuLT+aTojT3WoVJf+gyxDBk=,tag:nXWQRjfORJV6/CqFQpGmxQ==,type:str]
|
||||
ovh_consumer_key: ENC[AES256_GCM,data:lwP6/kHp,iv:oNs4QuCqOSrawXGdEG5QO2ATTKqjg1x6C1SzRbgWm2E=,tag:piTViTsKIsp+SJ+P7a8znA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqckxiTmx3Rm12ZFJ2ZXBn
|
||||
VVdOeCtWeE5xZGExOE4wTFliOGlqWWpWSFNBCmFSWS9MQmt1TWg4VFJzZmNpdStv
|
||||
dThvSFlPSjk0dHZGTlEraldHSklDUkkKLS0tIFVjbFliTFZjUlkrejR2RnAwVTRU
|
||||
U0NEaEpLREVNMUlxUFNIbTVKaUpoc1EKRC6skQPEMA4odk3yD66bqPa/2rvLGztx
|
||||
FTwwdJuE1CXaErwtt7wOfMsb3c9HhpT2R+c76woP20+VsMJdrwdeHg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSLy8yZlBuUU5QRXptZmZQ
|
||||
UzlLUmxSblpFVCtFdE4vWmUreThhT090aEFrCkV6b2FaVy83QnBTZTVrcWE2RGNE
|
||||
VldUZVkveUl5bnFLZzRBR0JCWGhseEUKLS0tIDNZeGczT1BxV21VcnFmSkN0V09P
|
||||
MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
|
||||
y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-26T13:50:20Z"
|
||||
mac: ENC[AES256_GCM,data:swF5s4D2zyO1sRxoZnYQ5oNx9psl5YjW0afuozdqODObUvkVfHo5IClRZ3EOMsly5Hvr5If04TBVf2/qTQv7SVVr1jUpyVnirgY6l8SH/Fvp2JWYdgUYRUR9wdzTDfqmYwf+vIxP2o7kPKpVg4Ek0ipewIf/3XHfiFfKmDCea5c=,iv:VKsbK9gfdj68Xr44v2oL4YoljRfyyF+53s2bdyedPwA=,tag:8hQ8pHctHJa0Jbgk0ZChGg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
Loading…
Reference in a new issue