sops: new way of decrypting secrets

2024-11-12 16:12:32 +01:00 · 2024-11-12 16:12:32 +01:00 · cc9c283e12
commit cc9c283e12
parent cfbdeed038
8 changed files with 56 additions and 38 deletions
--- a/modules/nixos/security/acme/default.nix
+++ b/modules/nixos/security/acme/default.nix
@ -26,15 +26,15 @@ in
  config = mkIf cfg.enable {
    sops = {
      secrets = {
-        netcup_customer_number = {
+        "netcup/customer_number" = {
          inherit (cfg) sopsFile;
        };

-        netcup_api_key = {
+        "netcup/api/key" = {
          inherit (cfg) sopsFile;
        };

-        netcup_api_password = {
+        "netcup/api/password" = {
          inherit (cfg) sopsFile;
        };
      };
@ -42,9 +42,9 @@ in
      templates = {
        "netcup.env" = {
          content = ''
-            NETCUP_CUSTOMER_NUMBER=${config.sops.placeholder.netcup_customer_number}
-            NETCUP_API_KEY=${config.sops.placeholder.netcup_api_key}
-            NETCUP_API_PASSWORD=${config.sops.placeholder.netcup_api_password}
+            NETCUP_CUSTOMER_NUMBER=${config.sops.placeholder."netcup/customer_number"}
+            NETCUP_API_KEY=${config.sops.placeholder."netcup/api/key"}
+            NETCUP_API_PASSWORD=${config.sops.placeholder."netcup/api/password"}
            NETCUP_PROPAGATION_TIMEOUT=1200
          '';
        };
--- a/modules/nixos/security/sops/default.nix
+++ b/modules/nixos/security/sops/default.nix
@ -19,13 +19,15 @@ in
    environment.systemPackages = with pkgs; [
      sops
      age
+      ssh-to-age
    ];

    sops = {
      defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
      defaultSopsFormat = "yaml";

-      age.keyFile = "/home/cholli/.config/sops/age/keys.txt";
+      # age.keyFile = "/home/cholli/.config/sops/age/keys.txt";
+      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    };
  };
 }