From 06e52eed74eff22659c8b972e0d4bbc4b9eeb9de Mon Sep 17 00:00:00 2001 From: June Date: Sun, 9 Jun 2024 21:08:52 +0200 Subject: [PATCH] Document how to use sops and sops-nix --- README.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/README.md b/README.md index fff8bbf..c89b549 100644 --- a/README.md +++ b/README.md 
@@ -18,3 +18,46 @@ infra-rebuild switch git matrix By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used. This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration. + +## Setting up secrets with sops-nix for a host + +1. Convert the hosts SSH host public key to an age public key. + This can be done by connecting to the host and running: + ``` + cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age + ``` +2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys. + It should be named something like: `host_age_hostname` +3. Add a new creation rule for the hosts config directory. + It should probably have all admin keys and the hosts age key. \ + You can use existing creation rules as a reference. +4. Create a file containing the relevant secrets in the hosts config directory. + This can be accomplished with a command similar to this: + ``` + sops config/hosts/hostname/secrets.yaml + ``` + Note: Nested keys don't seem to be compatible with sops-nix. +5. Add the following entry to the modules of the hosts `nixosConfiguration`: + ``` + sops-nix.nixosModules.sops + ``` +6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`: + ``` + { ... }: + + { + sops = { + defaultSopsFile = ./secrets.yaml; + }; + } + ``` +7. Make sure the `sops.nix` gets imported. For example in the `default.nix`. +8. To use a secret stored under e.g. 
`forgejo_git_smtp_password`, you can then do something like the following: + ``` + sops.secrets."forgejo_git_smtp_password" = { + mode = "0440"; + owner = "forgejo"; + group = "forgejo"; + restartUnits = [ "forgejo.service" ]; + }; + ```
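Review bot: step 8 is titled "To use a secret" but only shows the declaration `sops.secrets."forgejo_git_smtp_password" = { ... };` and never says where the decrypted value ends up or how a service consumes it. Add one sentence after the block pointing at `config.sops.secrets."forgejo_git_smtp_password".path` (sops-nix decrypts the file at activation to a path outside the Nix store) and stating that services must read that path rather than interpolating the value into a Nix string, since anything interpolated lands world-readable in `/nix/store`. The `mode = "0440"` / `owner` / `group` lines are the right least-privilege default and deserve a short comment explaining that they restrict the decrypted file to the service user. Two further gaps: step 3 adds the host's age key to a creation rule but does not mention that any secrets file already covered by that rule must be re-encrypted with `sops updatekeys <file>` before the new host can decrypt it (a file newly created in step 4 picks the rule up automatically); and the note in step 4, "Nested keys don't seem to be compatible with sops-nix", reads as unverified, so either confirm the behaviour and state it plainly or drop it. Style: "hosts" should be "host's" in steps 1, 3, 4, 5 and 6; the trailing `\` after "hosts age key." in step 3 is a stray markdown hard break; `cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age` can simply be `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`; and the fences would read better with language tags (`bash`, `nix`).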