
make letsencrypt use sops for secret

This commit is contained in:
ibizaman 2023-04-08 22:05:10 -07:00
parent b44da6f303
commit 5db376a330
5 changed files with 73 additions and 10 deletions


@ -0,0 +1,18 @@
# This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example.
keys:
- &me age1nj0ulq6863y9tdk0pkwjx4ltuyjpx6gftwy27mk3gkwja6k325esgaerlr
- &machine1 age16yraj9xdpjqazwakcy4fs9gcxu75el3yefpzudhv7zu9pn6jsvtqeee23r
creation_rules:
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *me
- path_regex: secrets/machine1/[^/]+\.yaml$
key_groups:
- age:
- *me
- *machine1
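Review bot: The rule `path_regex: secrets/[^/]+\.yaml$` lists `*me` as its only age recipient, so `secrets/linode.yaml` added in this commit (its `sops.age` block carries the single recipient `age1nj0ulq6…`) cannot be decrypted by the machine's own key; that is presumably why the deployer's private key is handed to the VM through `sopsKeyFile` in dev/nixops.nix. If the target is meant to decrypt this secret with its SSH host key (`sops.age.sshKeyPaths` in the same commit), its age recipient should be added to that rule as well, e.g. `- *me` followed by `- *machine1` under the first rule's `key_groups`, then `sops updatekeys secrets/linode.yaml`, so no private key has to leave the deploy host. The `&machine1` anchor is otherwise unused by the secret this commit introduces; confirm it holds the recipient derived from the target's host key (`ssh-to-age`) rather than a second administrator key.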


@ -11,7 +11,13 @@ When that's done, explore the files in this folder.
To try it out locally, follow [deploy to staging](/docs/tutorials/deploystaging.md). To try it out locally, follow [deploy to staging](/docs/tutorials/deploystaging.md).
```bash ```bash
nixops set-args --arg domain '"dev.mydomain.com"' --network dev nixops set-args --network dev \
--arg domain '"dev.mydomain.com"' \
--arg sopsKeyFile '"$HOME/.config/sops/age/keys.txt"'
```
You can use the `info` subcommand to print the values of the arguments:
```bash
nixops info --network dev nixops info --network dev
``` ```
@ -26,5 +32,5 @@ nixops create ./network-virtualbox.nix -d vaultwarden-staging
nixops deploy --network dev nixops deploy --network dev
nixops reboot nixops reboot
disnixos-env -s services.nix -n network-virtualbox.nix -d distribution.nix disnixos-env -s services.nix -n dev/nixops.nix -d distribution.nix
``` ```


@ -1,5 +1,6 @@
{ {
domain ? "dev.mydomain.com", domain ? "dev.mydomain.com",
sopsKeyFile ? "",
}: }:
{ {
@ -24,6 +25,9 @@
["--natpf1" "${name},${protocol},,${toString host},,${toString guest}"]; ["--natpf1" "${name},${protocol},,${toString host},,${toString guest}"];
in in
recursiveUpdate base { recursiveUpdate base {
imports = [
<sops-nix/modules/sops>
];
deployment.targetEnv = "virtualbox"; deployment.targetEnv = "virtualbox";
deployment.virtualbox = { deployment.virtualbox = {
memorySize = 1024; memorySize = 1024;
@ -31,5 +35,18 @@
headless = true; headless = true;
vmFlags = concatMap mkPortMapping vbox.portMappings; vmFlags = concatMap mkPortMapping vbox.portMappings;
}; };
# This will add secrets.yml to the nix store
# You can avoid this by adding a string to the full path instead, i.e.
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
sops.defaultSopsFile = ../secrets/linode.yaml;
# This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# This is using an age key that is expected to already be in the filesystem
sops.age.keyFile = /. + sopsKeyFile;
# This will generate a new key if the key specified above does not exist
sops.age.generateKey = true;
# This is the actual specification of the secrets.
sops.secrets.linode = {};
}; };
} }
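Review bot: `sops.age.keyFile = /. + sopsKeyFile;` converts the string argument into a Nix path value, and the comment four lines above spells out what that means for `defaultSopsFile`: a path value referenced from the configuration is copied into the world-readable Nix store. Here the file is the deployer's private age key, so if sops-nix serialises this option the way the comment describes, the key would land in `/nix/store` on both the deploy and the target host; keeping it a string avoids that, e.g. `sops.age.keyFile = if sopsKeyFile == "" then null else sopsKeyFile;`, which also restores the module's `null` default instead of `/. + ""` when the argument is left at its default `sopsKeyFile ? "",`. The invocation documented in the README hunk (`--arg sopsKeyFile '"$HOME/.config/sops/age/keys.txt"'`) is single-quoted, so `$HOME` reaches Nix unexpanded and the resulting path starts with `/$HOME/`; with `generateKey = true` a missing file would presumably produce a fresh key that cannot decrypt `secrets/linode.yaml` rather than a clear error. The enclosing `recursiveUpdate base { … }` expression starts outside this hunk.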


@ -83,13 +83,6 @@ rec {
}; };
# deployment.keys = { # deployment.keys = {
# linode.text = ''
# LINODE_HTTP_TIMEOUT=10
# LINODE_POLLING_INTERVAL=10
# LINODE_PROPAGATION_TIMEOUT=240
# LINODE_TOKEN=383525f4d58919d43506e6ab43a549a6eda6491eccb8e384d43013f0bcf45d47
# '';
# keycloakdbpassword.text = '' # keycloakdbpassword.text = ''
# KC_DB_PASSWORD="${secret "${domain}/keycloakdbpassword"}" # KC_DB_PASSWORD="${secret "${domain}/keycloakdbpassword"}"
# ''; # '';
@ -129,7 +122,15 @@ rec {
email = "ibizapeanut@gmail.com"; email = "ibizapeanut@gmail.com";
dnsProvider = "linode"; dnsProvider = "linode";
dnsResolver = "8.8.8.8"; dnsResolver = "8.8.8.8";
credentialsFile = "/run/keys/linode";
# For example, to use Linode to prove the dns challenge,
# the content of the file should be the following, with
# XXX replaced by your Linode API token.
# LINODE_HTTP_TIMEOUT=10
# LINODE_POLLING_INTERVAL=10
# LINODE_PROPAGATION_TIMEOUT=240
# LINODE_TOKEN=XXX
credentialsFile = "/run/secrets/linode";
enableDebugLogs = true; enableDebugLogs = true;
}; };
}; };
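Review bot: `credentialsFile = "/run/secrets/linode";` hard-codes sops-nix's default secret location; if `config` is reachable from this expression (the file opens with `rec {`, so it may be a plain attribute set rather than a module, which I cannot tell from here), `credentialsFile = config.sops.secrets.linode.path;` keeps this file and dev/nixops.nix in agreement should the secret be renamed or given a custom `path`. The secret is declared as `sops.secrets.linode = {};`, i.e. with the default root-only owner and mode; confirm the ACME renewal unit reads this file through a root-side mechanism (systemd `EnvironmentFile`) or set `sops.secrets.linode.owner` to the ACME service user. Separately, the comment block removed in the first hunk of this file contained what looks like a real 64-character `LINODE_TOKEN` value; deleting it from the tree does not remove it from repository history, so that token should be treated as exposed and rotated, with `/run/secrets/linode` re-encrypted from the new value. The enclosing `rec { … }` attribute set starts and ends outside this hunk.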


@ -0,0 +1,21 @@
linode: ENC[AES256_GCM,data:Rg/k/gmBJ8iBP9KW8Zom7gGecNG404v9oQ85MuXPB+fjKowmm36YJ61tiVhUADPsFMWezulJG3RpvpoqZLPU+8cCX1KPsfJgUN77MlQRjjdraqVMq/opcEXfwIs3g76y9hDvbTMVIGpKCVE8hl7N5XTRPkQPSpracj+papL0bdFLhmsDgGi/vmaH7zs9K6gwYQv/mzz2oy6oZh8NoAlF,iv:2Z4NLAQmf/m5oemdM7Z+MAAyVUBVZoA4Zia/bqcW8u0=,tag:WeVnU4swvvQdA7QU9Ax4Xg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nj0ulq6863y9tdk0pkwjx4ltuyjpx6gftwy27mk3gkwja6k325esgaerlr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweERHTXJWU1BWNXJJUVNM
WUZObm82a0JHSWM2cWdBQTI2ckRvMnRGMDIwCm9TZWtTTUlaTTRuYVcvd1J3TnVF
dUN0NFdtaTZWL2IraE5BcE43WWdXcmMKLS0tIDFyQ3FGT1F4dkVtU0U5R2FNNlRa
dXB5OEx1clZiMktxdkFVUVpWOUtleU0Kb4E+x2cxcOayFigQDo9dv3e/si9a19YJ
mw2PUTb1Tm3PQ/ZXW6R6y5CfzFf7FhBTpRas84sPDg9MrOrWLygUgw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-09T05:03:49Z"
mac: ENC[AES256_GCM,data:t03zcu+puxqs6bqb+7MJDY67UXJVN4RP48VSY2aBYtzRp4tcZ0zKpqGDJ2y9sFkLkUu5Mvha68g5Bd6uylQFwVyks2HQyyT0UFsQWJfpk9WGXElmJ+BeU4m51QFLK17rAFGSqvlHjbo3U47IgySlr4vViIyikOxY/UAUI0r2jsQ=,iv:Q5QgjDszLKbcqN415YLdqMGLa0b3Cy4WbXOtkT4HKBs=,tag:Cgpox1V73/UU4kg+dLgyWA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3