sops: new way of decrypting secrets

2024-11-12 16:12:32 +01:00 · 2024-11-12 16:12:32 +01:00 · f5b2bf580c
commit f5b2bf580c
parent a8e9949d9c
8 changed files with 56 additions and 38 deletions
--- a/modules/nixos/security/acme/default.nix
+++ b/modules/nixos/security/acme/default.nix
@ -26,15 +26,15 @@ in
  config = mkIf cfg.enable {
    sops = {
      secrets = {
-        netcup_customer_number = {
+        "netcup/customer_number" = {
          inherit (cfg) sopsFile;
        };

-        netcup_api_key = {
+        "netcup/api/key" = {
          inherit (cfg) sopsFile;
        };

-        netcup_api_password = {
+        "netcup/api/password" = {
          inherit (cfg) sopsFile;
        };
      };
@ -42,9 +42,9 @@ in
      templates = {
        "netcup.env" = {
          content = ''
-            NETCUP_CUSTOMER_NUMBER=${config.sops.placeholder.netcup_customer_number}
-            NETCUP_API_KEY=${config.sops.placeholder.netcup_api_key}
-            NETCUP_API_PASSWORD=${config.sops.placeholder.netcup_api_password}
+            NETCUP_CUSTOMER_NUMBER=${config.sops.placeholder."netcup/customer_number"}
+            NETCUP_API_KEY=${config.sops.placeholder."netcup/api/key"}
+            NETCUP_API_PASSWORD=${config.sops.placeholder."netcup/api/password"}
            NETCUP_PROPAGATION_TIMEOUT=1200
          '';
        };
--- a/modules/nixos/security/sops/default.nix
+++ b/modules/nixos/security/sops/default.nix
@ -19,13 +19,15 @@ in
    environment.systemPackages = with pkgs; [
      sops
      age
+      ssh-to-age
    ];

    sops = {
      defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
      defaultSopsFormat = "yaml";

-      age.keyFile = "/home/cholli/.config/sops/age/keys.txt";
+      # age.keyFile = "/home/cholli/.config/sops/age/keys.txt";
+      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    };
  };
 }
--- a/modules/nixos/services/factorio-server/default.nix
+++ b/modules/nixos/services/factorio-server/default.nix
@ -24,15 +24,15 @@ in
    environment.systemPackages = [ pkgs.factorio-headless ];
    sops = {
      secrets = {
-        factorio_token = {
+        "factorio/token" = {
          restartUnits = [ "factorio.service" ];
          inherit (cfg) sopsFile;
        };
-        factorio_username = {
+        "factorio/username" = {
          restartUnits = [ "factorio.service" ];
          inherit (cfg) sopsFile;
        };
-        factorio_game_password = {
+        "factorio/game_password" = {
          restartUnits = [ "factorio.service" ];
          inherit (cfg) sopsFile;
        };
@ -43,12 +43,12 @@ in
          "description": "Trying to run a factorio-headless-server on my nix system",
          "tags": ["vanilla"],
          "max_players": 10,
-          "game_password": "${config.sops.placeholder.factorio_game_password}",
+          "game_password": "${config.sops.placeholder."factorio/game_password"}",
          "allow_commands": "admins-only",
          "autosave_slots": 5,
          "ignore_player_limit_for_returning_players": true,
-          "username" : "${config.sops.placeholder.factorio_username}",
-          "token": "${config.sops.placeholder.factorio_token}"
+          "username" : "${config.sops.placeholder."factorio/username"}",
+          "token": "${config.sops.placeholder."factorio/token"}"
        }
      '';
      templates."extraSettingsFile.json".mode = "0444";