Set password for all hosts, made sops look at the same folder for the key file for all hosts (move in queen)

2024-02-22 13:01:31 +01:00 · 2024-02-22 13:01:31 +01:00 · b21150f431
commit b21150f431
parent a8a5cdec7b
9 changed files with 31 additions and 10 deletions
--- a/nixos/hosts/EDI/configuration.nix
+++ b/nixos/hosts/EDI/configuration.nix
@ -31,7 +31,6 @@
  ];

  sops.defaultSopsFile = ./secrets/sops.yaml;
-  sops.age.keyFile = ../../../../../../var/secrets/keys.txt;

  home-manager = {
    extraSpecialArgs = {inherit inputs outputs;};
--- a/nixos/hosts/GLaDOS/configuration.nix
+++ b/nixos/hosts/GLaDOS/configuration.nix
@ -31,7 +31,6 @@
  ];

  sops.defaultSopsFile = ./secrets/sops.yaml;
-  sops.age.keyFile = ../../../../../../var/secrets/keys.txt;

  environment.systemPackages = with pkgs; [
  ];
--- a/nixos/hosts/GLaDOS/secrets/sops.yaml
+++ b/nixos/hosts/GLaDOS/secrets/sops.yaml
@ -0,0 +1,21 @@
+lillian-password: ENC[AES256_GCM,data:aHJCYmnpGIWJMsNZ8aw51Rquuv4F7kgGvfIxHMELuDlEqgjkg+SAhh+UQEpv16F0WVxrYZ/EwxKFMBpfPv9M2NLZC98bav0D9g==,iv:uzYLfmxG46ubmgeFsfW7aqXZbcL+TQw0VdDcklV0/ZI=,tag:Ozcf5qXC7xh0VcsBzhyo2g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUHlSTzhndDRHOUd1WG41
+            Wk9haEVmS3FlcFl5VUxRZUVDaENHcUpsYm04ClBJS3doOXRHUjhsMmIvck5ldy8y
+            VW9yb2NCRWZhNGNlZWlyRlk4NFJiTTgKLS0tIElLMFdiUU95ejNoUFl4US9DSWU5
+            MUZWTVh0dVdMZlRzelJ4WlROUlIyNmcKphNuMN9Wh8h/gvmtUxQWjPKtgjWriLRD
+            +DpEEVGrmu0RJ8/wUqjxGoL4GzLAlZm4EnKlyUyA0tw8sbLZ2Lnl/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-22T11:58:42Z"
+    mac: ENC[AES256_GCM,data:TuNvE51hpHvOjB3G2y7UCT8BvlI1ulc8aeeBihtnGiGDjwU1Eze1bdA47hZYCZsCYdo3Tow1gY0gCkJACKeWqUXMLT8jxcUfiUWqQicQhBm/TT9m+oqLQiAqJCkh1Ez8XuaftqIg+oJstyy4wZyvMK8Bg+9EsSYiBnMrKfrgLBs=,iv:GXy93l1BBkkeKXJ1ntFI6Rw6QZmSbzDlWClJ16/Csv4=,tag:jBYynl6tLL/xN61ypMwvrw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/nixos/hosts/queen/configuration.nix
+++ b/nixos/hosts/queen/configuration.nix
@ -52,7 +52,6 @@

  #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
  sops.defaultSopsFile = ./secrets/sops.yaml;
-  sops.age.keyFile = ../../../../../var/secrets/keys.txt;

  nix = {
    gc = {
--- a/nixos/hosts/queen/secrets/sops.yaml
+++ b/nixos/hosts/queen/secrets/sops.yaml
@ -7,6 +7,7 @@ mssqlpass: ENC[AES256_GCM,data:XEu4bQC5qM5Cm8UDVX3qAzTuL/t3xbx+qcEbZM4h3Hg=,iv:j
 mailpassunhash: ENC[AES256_GCM,data:q/P3nrNLy3hCISDmalw94nzWIFhoCdCTyflj27D2Ltr8,iv:oAFna87l3sL/42ljUF1QsRL0xBrP82uYdKLxK/8HcQE=,tag:liFFGHbNPOpOHyMsjnvMOQ==,type:str]
 rpcSecret: ENC[AES256_GCM,data:gOuQSY2RI6rnSnG1,iv:xz1ueq4/UOKYBs5r9Tk4jL0+GyX8uo8I8ZymVgIMKLI=,tag:Fr8rWIttLz7X8Pri6FBJBQ==,type:str]
 wg-private: ENC[AES256_GCM,data:6BEuNqqG//p5UhRmQ4RPEze6jZdvzK4PEXxlbX2ANYIhFpacj0aZnCr9o/A=,iv:tPlwYdV4I5oA8qG+bfVi1Dpbf7xedByantqsmylZXKQ=,tag:k1BqKqlayOWz5QW1XiAjqQ==,type:str]
+lillian-password: ENC[AES256_GCM,data:tc+Romv2fL+tdqLLmbwqaF4IHrNZ0VEpnECmW/66FW7IUpjHMyS7YP+pmmvDCzM9afIXMxyPFHGNRwiCmxqstiiNeSeLdo6rDw==,iv:sGeu9aNTgdpThv+0Z/nZKIrat1xNgM0t/KTGPaFbsdI=,tag:kZBHF4X0KO9znog61NwU+Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -22,8 +23,8 @@ sops:
            KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
            NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-04T21:18:00Z"
-    mac: ENC[AES256_GCM,data:ZHXg541BI94kwvLJ/CFHS7UauQN6LimqNK9rU60dil1RIArDy5xHtRki/p5uajKeGhM+Bv1t9SWAehk1n3U0PiynLGLm3npraIxItBPiRf7hyqDXmc8kG4U7BBcbIf3qvkvxVVd5auWfnPobKsRhKA+gC1Z11ylPqK37yIgK5Sw=,iv:EKacOHhgwjFDw2ioraxlyfXt89VpT+B4D/a/rC+ulNM=,tag:YvgctOLxmojg2uOAlKihkQ==,type:str]
+    lastmodified: "2024-02-22T11:53:17Z"
+    mac: ENC[AES256_GCM,data:bOrEW/yQIgJy7Jqfj/95jtXoIeEX2JNTvsnodkrtmtUQoY8Lczb47rTLpS0CM9Gh1Do38dvoNgWY08jXj3PVPO6s7Yy995ZbtgaR8n/G190PZ+p+i7EInv/OAJe/Xw4WcZlLs1XeKPashJmoX7qZi2fVPmu5UpYD1YiCMzZsWkQ=,iv:vjEJCDX8D4relmBJs569d+sklY1bUptWBjJVS7pKB70=,tag:xsQM3cDBkHymS9t9Qyyitg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/nixos/hosts/shodan/secrets/sops.yaml
+++ b/nixos/hosts/shodan/secrets/sops.yaml
@ -1,4 +1,5 @@
 pass: ENC[AES256_GCM,data:M7V75Q7I,iv:d59fWvFsEOOu8A+BSK0f2ZskX1SXHN1wA3EfGGsHp70=,tag:FLTogvUgI3HdKYWCJc/M1Q==,type:int]
+lillian-password: ENC[AES256_GCM,data:w/1/aAcP0MXe7EUhZshMcksvyzewlvO2/0PncrSnCkHHrPl8RHWvyBqxIZDC/FHlpZOO77lIsdcQzK9ahjEc/crUmit5LZeYThP4pPyXTol3uh3RqtH1HXbeOEmBufw4Ln+yJwWXo2eK4w==,iv:jEuB/+U2xe3sP6UIK9OZZKd0RBr5W8f5y55h64pMME4=,tag:2ZzNt7Sn2LXfUMVMoaOxkw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,8 +15,8 @@ sops:
            KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
            NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-28T21:33:20Z"
-    mac: ENC[AES256_GCM,data:4tFAJCqCAfqlIGj7kDQ9uoUg7TgXYgogkm/h0nP6fuedKiV/CRmD8CbdWInesaDP276pggZbtUY9I92pV8bpJ2h+U07qihTo79ZTPTsObUHQrrc002ZiYwCtI+14t1+2KuTQNpEJsZxoECjG1R0mjg3Zv8MQ0wj6YpnEaGmXkC0=,iv:roPZJXFjB7lLK4RQcmQaNOq5RRCvguNO4O2iasgolEU=,tag:j7G0HvAx6XqrijyZcqntXQ==,type:str]
+    lastmodified: "2024-02-22T11:57:17Z"
+    mac: ENC[AES256_GCM,data:IpF786I/i4U0oQqY1sRQAGZkK0uxHZYpZ2Hse2dzenedbwVZEOmhA1foc0fffVMd26AOrSg323vnndIEl1WTuzmZBhFlUM3fwX38wbhDrAuUJfGiyLLBVsZshW2EjkGzkdpQo2otyLNjah5qLUTsss5dUKMIUbTKpwAdkiujiqE=,iv:sA6ROO538N+XcezZUSQxwer5dLd+lmlavTVeDxiVVJA=,tag:GZZLUp3ZiUW25Tdji0tZGg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/nixos/hosts/wheatley/configuration.nix
+++ b/nixos/hosts/wheatley/configuration.nix
@ -53,7 +53,6 @@
  };

  sops.defaultSopsFile = ./secrets/sops.yaml;
-  sops.age.keyFile = ../../../../../var/secrets/keys.txt;

  sops.secrets."wireless.env".mode = "0440";
  sops.secrets."wireless.env".owner = config.users.users.root.name;
--- a/nixos/hosts/wheatley/secrets/sops.yaml
+++ b/nixos/hosts/wheatley/secrets/sops.yaml
@ -1,4 +1,5 @@
 wireless.env: ENC[AES256_GCM,data:a5sUW0Lc4GRd9aUJwHbmQvzvRB8WaRjMSQ==,iv:+3ncL38E3aqbejoCzzeBtMukLk4n/AQBJELlqhXDqSA=,tag:buY9Mp10DAEEEKqSyHwB3g==,type:str]
+lillian-password: ENC[AES256_GCM,data:GY7WyfLRc/q4fecnazWzfoZsruN/F0ar7mJ9RaqTHSb9K6xhEmifmJeqpR5xGIJYW6MYciCsZ9YmRsJbuSHTIlo9PrCTYBGvXg==,iv:bzml3abPox3RdvtKBQiBAcVXHUdGAn0ETMsDpBtT8T0=,tag:2iaBJ4hFFBUbonslTvQH5Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,8 +15,8 @@ sops:
            Vm9mWk5JRGtZNVVhN1JQWTBlb2kySkEKoLI1MzS3uGNUbyn7kI5DylKZiPtc1div
            bKIboWoobTfDt0EURfmZ5+JrX6DlZxRyNQyl9dsKmZT6pLdaIppStA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-12T16:14:03Z"
-    mac: ENC[AES256_GCM,data:J/0+e7w8tcfsQ9xtWJifKYpWQLpLssjSgxMl/PdIyYuWKDKkF/dDr+joP7Evlk5Hg3dXL7ijGFgYVwUjhFzbgk9pUiHt0cvXj0hthgwUIUpQh42M6qKtxRaxP/Mp9Shb2CSwZfZ2GyXP4lJuMS76SDKo46xGdbejwlLPZ11oArA=,iv:rWrrB9VUxX3N2OSSep9SPfyl9Ke7hQVGkheazOrbis4=,tag:9fBYgtCoNm9Unv7ADJTb0Q==,type:str]
+    lastmodified: "2024-02-22T11:57:45Z"
+    mac: ENC[AES256_GCM,data:V9vscu55woZjJGFV3aDgdHKqmIopYw6cajdOHG1/45Qel6l5YJkt8VyLMzYlUOlFGatXBlfTB7VC9zhhaY4lduww2XLrARcTk61BT+GSHp5sawND+RIDghY6CJBuoPUbtsfmmlmg+J2DljBlSbrcVmvfjMV12Ql6Zb8PEPM9K68=,iv:TFrDt1XpuIFLUyDN6+8n+0OypBkr1OrZOmXWvnY9ApI=,tag:EfsFhToEGFCZJSXh0WBrIw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/nixos/shared/default.nix
+++ b/nixos/shared/default.nix
@ -10,6 +10,7 @@
    ./locale
    ./packages
  ];
+  sops.age.keyFile = ../../../../../../var/secrets/keys.txt;
  sops.secrets."lillian-password".neededForUsers = true;

  users.users.lillian = {