integrate sops-nix for secret management
This commit is contained in:
parent
d3f11dd890
commit
99ad3058a3
10 changed files with 141 additions and 16 deletions
25
.sops.yaml
Normal file
25
.sops.yaml
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
# To set up sops-nix:
|
||||
# 1. Generate an age key on each host:
|
||||
# mkdir -p ~/.config/sops/age
|
||||
# age-keygen -o ~/.config/sops/age/keys.txt
|
||||
# Or derive from the host SSH key:
|
||||
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
|
||||
#
|
||||
# 2. Replace the placeholder age keys below with the actual public keys.
|
||||
#
|
||||
# 3. Encrypt secret files:
|
||||
# sops secrets/homelab.yaml
|
||||
#
|
||||
# 4. To re-key after changing keys:
|
||||
# sops updatekeys secrets/homelab.yaml
|
||||
|
||||
keys:
|
||||
- &homelab age1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # replace with: ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
|
||||
- &admin age1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # replace with: age-keygen output from your admin machine
|
||||
|
||||
creation_rules:
|
||||
- path_regex: secrets/homelab\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *homelab
|
||||
- *admin
|
||||
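Review bot: The step-4 comment on the `sops updatekeys secrets/homelab.yaml` line calls this "re-keying", but `updatekeys` only re-wraps the existing data key for the recipients currently listed under `keys:`; a recipient that is removed from the list and still holds an old copy of `secrets/homelab.yaml` (e.g. from git history) can still decrypt it. When a key is being retired because it may have leaked, the file needs a fresh data key and the secret values themselves should be changed, so I would split the comment into `# 4. To add/remove recipients: sops updatekeys secrets/homelab.yaml` and `#    If a key was compromised, also rotate the data key: sops --rotate -i secrets/homelab.yaml`. Separately, step 1 tells the reader to run `age-keygen` "on each host" while the `&homelab` placeholder says to derive the host recipient from `/etc/ssh/ssh_host_ed25519_key.pub`; presumably the NixOS side of this commit points sops-nix at that SSH host key, in which case the `age-keygen` step applies only to the admin machine and the comment should say so rather than suggest a second per-host key.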