diff --git a/docs/examples/vaultwarden/.sops.yaml b/docs/examples/vaultwarden/.sops.yaml
new file mode 100644
index 0000000..a67ab0f
--- /dev/null
+++ b/docs/examples/vaultwarden/.sops.yaml
@@ -0,0 +1,18 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+ - &me age1nj0ulq6863y9tdk0pkwjx4ltuyjpx6gftwy27mk3gkwja6k325esgaerlr
+ - &machine1 age16yraj9xdpjqazwakcy4fs9gcxu75el3yefpzudhv7zu9pn6jsvtqeee23r
+
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *me
+ - path_regex: secrets/machine1/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *me
+ - *machine1
diff --git a/docs/examples/vaultwarden/README.md b/docs/examples/vaultwarden/README.md
index dbe2d4c..475e9c7 100644
--- a/docs/examples/vaultwarden/README.md
+++ b/docs/examples/vaultwarden/README.md
@@ -11,7 +11,13 @@ When that's done, explore the files in this folder.
 To try it out locally, follow [deploy to staging](/docs/tutorials/deploystaging.md).
 ```bash
-nixops set-args --arg domain '"dev.mydomain.com"' --network dev
+nixops set-args --network dev \
+ --arg domain '"dev.mydomain.com"' \
+ --arg sopsKeyFile '"$HOME/.config/sops/age/keys.txt"'
+```
+
+You can use the `info` subcommand to print the values of the arguments:
+```bash
 nixops info --network dev
 ```
@@ -26,5 +32,5 @@ nixops create ./network-virtualbox.nix -d vaultwarden-staging
 nixops deploy --network dev
 nixops reboot
-disnixos-env -s services.nix -n network-virtualbox.nix -d distribution.nix
+disnixos-env -s services.nix -n dev/nixops.nix -d distribution.nix
 ```
diff --git a/docs/examples/vaultwarden/dev/nixops.nix b/docs/examples/vaultwarden/dev/nixops.nix
index 6f1516d..dc1fe49 100644
--- a/docs/examples/vaultwarden/dev/nixops.nix
+++ b/docs/examples/vaultwarden/dev/nixops.nix
@@ -1,5 +1,6 @@
 {
 domain ? "dev.mydomain.com",
+ sopsKeyFile ? "",
 }: {
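Review bot: The `secrets/[^/]+\.yaml$` rule encrypts only to `&me`, so `secrets/linode.yaml` (the one secret this example ships) can be decrypted only with that personal age key, while dev/nixops.nix configures the VM to decrypt with its SSH host key via `sops.age.sshKeyPaths`; the `&machine1` recipient is applied only under `secrets/machine1/`, which nothing in this change uses. Unless the intent is to copy the personal key onto the VM, the target host's recipient (obtained on the host with `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`) should be added to the first rule, followed by `sops updatekeys secrets/linode.yaml`. A comment on the `&machine1` line saying which host that key belongs to would also help, since the example does not otherwise explain it.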
@@ -24,6 +25,9 @@
 ["--natpf1" "${name},${protocol},,${toString host},,${toString guest}"];
 in recursiveUpdate base {
+ imports = [
+
+ ];
 deployment.targetEnv = "virtualbox";
 deployment.virtualbox = {
 memorySize = 1024;
@@ -31,5 +35,18 @@
 headless = true;
 vmFlags = concatMap mkPortMapping vbox.portMappings;
 };
+
+ # This will add secrets.yml to the nix store
+ # You can avoid this by adding a string to the full path instead, i.e.
+ # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+ sops.defaultSopsFile = ../secrets/linode.yaml;
+ # This will automatically import SSH keys as age keys
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ # This is using an age key that is expected to already be in the filesystem
+ sops.age.keyFile = /. + sopsKeyFile;
+ # This will generate a new key if the key specified above does not exist
+ sops.age.generateKey = true;
+ # This is the actual specification of the secrets.
+ sops.secrets.linode = {};
 };
 }
diff --git a/docs/examples/vaultwarden/network.nix b/docs/examples/vaultwarden/network.nix
index 9e59014..91446c1 100644
--- a/docs/examples/vaultwarden/network.nix
+++ b/docs/examples/vaultwarden/network.nix
@@ -83,13 +83,6 @@ rec {
 };
 # deployment.keys = {
- # linode.text = ''
- # LINODE_HTTP_TIMEOUT=10
- # LINODE_POLLING_INTERVAL=10
- # LINODE_PROPAGATION_TIMEOUT=240
- # LINODE_TOKEN=383525f4d58919d43506e6ab43a549a6eda6491eccb8e384d43013f0bcf45d47
- # '';
- # keycloakdbpassword.text = ''
 # KC_DB_PASSWORD="${secret "${domain}/keycloakdbpassword"}"
 # '';
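Review bot: The added `imports = [ ];` is empty, so it changes nothing; if it was meant to pull in sops-nix's NixOS module, the `sops.*` options set further down in this file are undefined without it and evaluation will fail, unless the module is imported somewhere not visible in this diff. Either fill it in (for example `imports = [ <sops-nix/modules/sops> ];`, or the equivalent for however sops-nix is fetched in this repo) or drop the empty list. The enclosing `recursiveUpdate base { … }` set continues outside the hunk.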
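Review bot: `sops.age.keyFile = /. + sopsKeyFile` is evaluated on the deployed VM, but the README passes the path in single quotes (`'"$HOME/.config/sops/age/keys.txt"'`), so the literal text `$HOME` reaches Nix and the VM looks for `/$HOME/.config/sops/age/keys.txt`; with the default `sopsKeyFile = ""` the value degenerates to the root directory. Because `sops.age.generateKey = true`, a missing key file is then silently replaced by a freshly generated identity that is not a recipient of secrets/linode.yaml, so decryption will fail at activation with an error that points away from the real cause. Since `sops.age.sshKeyPaths` already derives an age identity from the host's ed25519 key, the simplest fix is to encrypt the secret to that host's recipient and drop `keyFile`/`generateKey`; if the personal key is instead meant to be copied onto the VM, document that step and set `sops.age.generateKey = false;` so a missing key is a hard error. The comment above `defaultSopsFile` could also state that what lands in the store is still ciphertext, so the only exposure is the recipient list becoming world-readable.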
@@ -129,7 +122,15 @@ rec {
 email = "ibizapeanut@gmail.com";
 dnsProvider = "linode";
 dnsResolver = "8.8.8.8";
- credentialsFile = "/run/keys/linode";
+
+ # For example, to use Linode to prove the dns challenge,
+ # the content of the file should be the following, with
+ # XXX replaced by your Linode API token.
+ # LINODE_HTTP_TIMEOUT=10
+ # LINODE_POLLING_INTERVAL=10
+ # LINODE_PROPAGATION_TIMEOUT=240
+ # LINODE_TOKEN=XXX
+ credentialsFile = "/run/secrets/linode";
 enableDebugLogs = true;
 };
 };
diff --git a/docs/examples/vaultwarden/secrets/linode.yaml b/docs/examples/vaultwarden/secrets/linode.yaml
new file mode 100644
index 0000000..944292c
--- /dev/null
+++ b/docs/examples/vaultwarden/secrets/linode.yaml
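Review bot: `/run/secrets/linode` will be created by sops-nix with its defaults (root-owned, mode 0400) because `sops.secrets.linode = {}` in dev/nixops.nix sets no owner, while the NixOS ACME service that reads `credentialsFile` runs as the unprivileged `acme` user as far as I recall, so the DNS challenge would fail with a permission error; `sops.secrets.linode = { owner = "acme"; };` (or `group = "acme"; mode = "0440";`) should fix that, please confirm against the service's actual user. Separately, the 64-hex `LINODE_TOKEN` value that this commit deletes from the commented-out `deployment.keys` block earlier in the file remains in git history; if it was ever a live token it should be revoked regardless of this change, and the new comment could warn readers: `# Never commit a real token here; keep it in the sops-encrypted file.` The surrounding `rec { … }` set continues outside the hunk.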
@@ -0,0 +1,21 @@ +linode: ENC[AES256_GCM,data:Rg/k/gmBJ8iBP9KW8Zom7gGecNG404v9oQ85MuXPB+fjKowmm36YJ61tiVhUADPsFMWezulJG3RpvpoqZLPU+8cCX1KPsfJgUN77MlQRjjdraqVMq/opcEXfwIs3g76y9hDvbTMVIGpKCVE8hl7N5XTRPkQPSpracj+papL0bdFLhmsDgGi/vmaH7zs9K6gwYQv/mzz2oy6oZh8NoAlF,iv:2Z4NLAQmf/m5oemdM7Z+MAAyVUBVZoA4Zia/bqcW8u0=,tag:WeVnU4swvvQdA7QU9Ax4Xg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nj0ulq6863y9tdk0pkwjx4ltuyjpx6gftwy27mk3gkwja6k325esgaerlr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweERHTXJWU1BWNXJJUVNM + WUZObm82a0JHSWM2cWdBQTI2ckRvMnRGMDIwCm9TZWtTTUlaTTRuYVcvd1J3TnVF + dUN0NFdtaTZWL2IraE5BcE43WWdXcmMKLS0tIDFyQ3FGT1F4dkVtU0U5R2FNNlRa + dXB5OEx1clZiMktxdkFVUVpWOUtleU0Kb4E+x2cxcOayFigQDo9dv3e/si9a19YJ + mw2PUTb1Tm3PQ/ZXW6R6y5CfzFf7FhBTpRas84sPDg9MrOrWLygUgw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-09T05:03:49Z" + mac: ENC[AES256_GCM,data:t03zcu+puxqs6bqb+7MJDY67UXJVN4RP48VSY2aBYtzRp4tcZ0zKpqGDJ2y9sFkLkUu5Mvha68g5Bd6uylQFwVyks2HQyyT0UFsQWJfpk9WGXElmJ+BeU4m51QFLK17rAFGSqvlHjbo3U47IgySlr4vViIyikOxY/UAUI0r2jsQ=,iv:Q5QgjDszLKbcqN415YLdqMGLa0b3Cy4WbXOtkT4HKBs=,tag:Cgpox1V73/UU4kg+dLgyWA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3
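Review bot: This file has a single age recipient (`age1nj0…`, the `&me` key from .sops.yaml), so only the holder of that private key can decrypt it; the VM that dev/nixops.nix configures to decrypt with its SSH host key is not a recipient, which will make activation fail unless the personal key is copied onto it. For a documentation example it is also worth confirming that the plaintext is a placeholder and not a real Linode token: a secret committed to a public repo is only as safe as that one private key, and a real token should be rotated if it was ever encrypted here. Re-encrypting with a dummy value such as `LINODE_TOKEN=XXX` (matching the comment in network.nix) and adding the host recipient via `sops updatekeys` would address both.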