Add openweathermap key via sops

Cyryl Płotnicki 2022-06-04 12:51:36 +01:00
parent b0662675c8
commit c19e22736d
8 changed files with 69 additions and 11 deletions

13
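--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,13 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+- &skinnyv age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
+- &bolty age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
+creation_rules:
+- path_regex: /[^/]+\.yaml$
+key_groups:
+- age:
+- *skinnyv
+- *bolty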
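Review bot: The creation rule's `path_regex: /[^/]+\.yaml$` covers every `.yaml` file rather than only secret files, while the secret added in this commit is named `openweathermap.sops.yaml`. Anchoring the rule to that naming convention, e.g. `path_regex: \.sops\.yaml$`, keeps these recipients from being applied to unrelated YAML and makes it obvious which files are expected to be encrypted. The leading `/` also assumes the path sops matches against contains a directory separator; whether that holds for a file sitting next to `.sops.yaml` depends on the sops version, so it is worth confirming. The header comment still reads "This example", carried over from the upstream sample; a line saying what `skinnyv` and `bolty` are would help whoever rotates a key later.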


@ -145,6 +145,8 @@ reboot
cd ~/dev/dotfiles/ cd ~/dev/dotfiles/
nixos-install --flake '.#' nixos-install --flake '.#'
ssh-keygen -t ed25519 ssh-keygen -t ed25519
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
age-keygen -y ~/.config/sops/age/keys.txt #add result to .sops.yaml
# syncthing # syncthing
# vault # vault
# firefox sync # firefox sync
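Review bot: The added `ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt` step creates the age private key through a shell redirect, so the file gets whatever the current umask allows (commonly 0644) and the step fails if `~/.config/sops/age` does not exist yet. I would precede it with `mkdir -p ~/.config/sops/age && umask 077`, or follow it with `chmod 600 ~/.config/sops/age/keys.txt`. The surrounding steps continue outside the hunk, so this may already be handled elsewhere.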


@ -7,6 +7,7 @@
ext.pass-audit ext.pass-audit
ext.pass-update ext.pass-update
])) ]))
age
aria aria
bfg-repo-cleaner bfg-repo-cleaner
binutils binutils
@ -40,6 +41,8 @@
restic restic
ripgrep-all ripgrep-all
rustup rustup
sops
ssh-to-age
tmux tmux
topgrade topgrade
unzip unzip


@ -1,13 +1,11 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
download = pkgs.writeTextFile { download = pkgs.writeShellScriptBin "download" ''
name = "download";
executable = true;
destination = "/bin/download";
text = ''
${pkgs.aria}/bin/aria2c -x 16 -s 16 $@ ${pkgs.aria}/bin/aria2c -x 16 -s 16 $@
''; '';
};
in { home.packages = with pkgs; [ download ]; } in {
home.packages = with pkgs; [ download ];
}
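Review bot: The rewritten `download` wrapper still passes `$@` unquoted to aria2c, so any URL or output path containing spaces or glob characters is word-split and expanded by the shell before aria2c sees it. Quote it: `${pkgs.aria}/bin/aria2c -x 16 -s 16 "$@"`. Since `download` is a local `let` binding, the `with pkgs;` on the `home.packages` line does nothing here and could be dropped.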


@ -1,5 +1,5 @@
{ config, pkgs, ... }: { { config, pkgs, ... }: {
imports = [ ./autorandr.nix ]; imports = [ ./autorandr.nix ./openweathermap-secrets.nix ];
environment.systemPackages = with pkgs; [ dconf ]; environment.systemPackages = with pkgs; [ dconf ];
programs.dconf.enable = true; programs.dconf.enable = true;


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
source $HOME/.open-secrets.sh OPENWEATHERMAP_KEY=`cat /run/secrets/openweathermap-api-key`
KEY="$OPENWEATHERMAP_KEY" KEY="$OPENWEATHERMAP_KEY"
CITY="" CITY=""
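Review bot: The new assignment from `cat /run/secrets/openweathermap-api-key` has no failure path: if the secret is missing or unreadable for the invoking user, `cat` prints an error, `KEY` ends up empty, and the rest of the script (outside this hunk) presumably goes on to issue a request with an empty key. I would read it directly and stop on failure, e.g. `KEY="$(cat /run/secrets/openweathermap-api-key)" || exit 1`. The path is also hard-coded here while the Nix module owns it; a comment pointing at `sops.secrets.openweathermap-api-key` would keep the two in sync if the secret is renamed.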


@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
sops.age.keyFile = /home/cyryl/.config/sops/age/keys.txt;
sops.secrets.openweathermap-api-key = {
mode = "0440";
owner = config.users.users.cyryl.name;
group = config.users.users.cyryl.group;
sopsFile = ./openweathermap.sops.yaml;
};
home-manager.users.cyryl = { home.sessionVariables = { }; };
}
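Review bot: `sops.age.keyFile = /home/cyryl/.config/sops/age/keys.txt;` is a Nix path literal, not a string. Path literals are copied into the world-readable Nix store whenever they are coerced to a string or serialised, so depending on how sops-nix consumes this option the age private key could end up under `/nix/store` (and pure flake evaluation may reject the absolute path outright). Quote it so only the location is recorded: `sops.age.keyFile = "/home/cyryl/.config/sops/age/keys.txt";`. Separately, `mode = "0440"` grants group read on a secret that only one user needs; `"0400"` would be tighter, and the empty `home-manager.users.cyryl` stanza looks like a leftover.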


@ -0,0 +1,30 @@
openweathermap-api-key: ENC[AES256_GCM,data:NNeVpkLxM9xDxV0oskAoUPjH6b3V8K3MfnNOOAEtg0k=,iv:0uOxqjmUvslHH7yyKJuZ9h0tY20BUmqr7zsRSX2AjBc=,tag:1rJHeWtct6pph58U9Nalkw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMXQzL3JVaTBOL0U3MlFm
d0tjUE9abDVUR2dVbHlBQ1diSWRRWUVnalVvCnNQbWZUUmJ3TFFpL0x6c0lQV3hx
UW5IU28xdlp6Mi9OdU9UNmFuRWRKWmsKLS0tIG9GUFNLblphdHdmMXFQbzJmSjBN
TVZMTWJCd1lyZU1tNFZJQTBhT0lGZTgKKM0mC1k7YsEBaogB4Y7TEhGliU/lbETQ
DuZ59BaXpOy9wzQ62m3oAhubP/cQZVOp1rH094BVdQqfNnDB4+F9xg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3ekZTVjhnaUJkbS9tdm9w
cnJQYXpYbTVjOFhCMmFaQmdERCtzS1NBSlRzCnZpYUpGa01QRElhaDdaLzRtY0sy
UXQrU1hJRnlNNlJWME1NWWdPbG5rcjQKLS0tIHVmY2lHZ3NDR2FTZmRpSjhkM0FG
L0IzUmQvNS9PT2hXYUNYL1hoRVgyQTgKdJs/VaS7G076v2CPoGz71yjeQsu19GCZ
pIThhU9ppGJvgo1eD0kQFeNHwHB4Wg1jN38d/KoC5A0vWYWmk+Hhng==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-04T08:35:33Z"
mac: ENC[AES256_GCM,data:Rne0FsSpBMOPSdwDryFtB9ui7hSxvbJMz1+Qkq3Ih1HYBdVuIldyWsoJK7D8wvAl2E/z3MMk/vBoYQUmkhuzZorqiseuFix6sAZBps08R9ZG1t7uJbHuU9Bt2/ebX3n2ZQXgWkPX06eglmqbqzE+WS/yzUxu/KGYa3aqpv2COt4=,iv:+ginG0RSy8aacTHwKnjO17XKkBU4iY5YzAcIovBIaTU=,tag:yyTxDGqK2BI1QNv+vg2ZqQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3