From 17d6a03bd5b4bd5b8d1dde2d4991ac3a0afb1a56 Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Sun, 23 Feb 2025 11:31:06 +0100
Subject: [PATCH 1/2] add public sops key for ccchh pass

---
 .sops.yaml             |  2 ++
 secrets/passwords.yaml | 19 ++++++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 1fe1a0c..03121b3 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,9 @@
 keys:
+  - &ccchh_pass "age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92"
   - &user_lilly "age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d"
 creation_rules:
   - path_regex: secrets/passwords.yaml
     key_groups:
       - age:
+          - *ccchh_pass
           - *user_lilly
diff --git a/secrets/passwords.yaml b/secrets/passwords.yaml
index 8806649..bcd90ab 100644
--- a/secrets/passwords.yaml
+++ b/secrets/passwords.yaml
@@ -18,14 +18,23 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
+        - recipient: age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNlR6c1djamw2ZmpYb3pE
+            TDZBSlI1emJRWlZGRmJJbElXRlp4V0lUVWhzCm9EeWxqKy8xaVpNUXRIcUNNZGRj
+            R2dzN3IwZEJ4ajRMUmZnY2hwVWRNNlkKLS0tIE9TcE1NWUdaQ2x0My9QNDYwQjZO
+            K2pYWmV3WjkyRmdPYlRqakRndlJ4V0UKERTgFxUlywU3zZZ1VFeBjPrMG1kbWM9u
+            yz37P+dEj5c7djQFymyQInaAN9HgxoKZg+ouqaaUHIpp/pCGThFo3Q==
+            -----END AGE ENCRYPTED FILE-----
         - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dkVFRnd5MjQ1S3Q3aTlq
-            UWJZZC9mUGZFQXpyczBFQWpVcUlJQXZjY0NzCnhQd3Q3QUhjbDZvdlMzeTRtQWtt
-            SCsyUVhvRFBzL01XaWduK2YvNkhrZzAKLS0tIDFzeHFrb2dZU3JmMmgzZVVHN3VR
-            Q0ZGUFBmUWpUYjR5OUwxOUplblZ0SmcKtMl1KoYwPb776zz8FfFnf0s7XlnOLnuU
-            nXkPxRaDel/3EsLnfhcONRAKTGdleRHAXQVIGHrs/jjnZ2OJgXIzYA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bU1Gd09tQ1FHYlJ2WWRZ
+            Ni9RdVhMaUI0bEEyd0pZaWNqQVlOZGRUMGtRClFRV0todlpDYmkxVjE3OFRZa3VQ
+            aXpLUGhlNFFGcjJHTzRlNk5qSEttSG8KLS0tIGJ5cFNhREw1KzZ5bjlBUFlLSzRs
+            YW1BSERaOURtVGpMSnRiTkJyaDR3OTQK3pXGQU1SoUKdmLKUe88e8/BjqPjmdhke
+            bP7DHbpvk4xG2Z3fnacihDCwiBASn2Wu350hl1WoM5pzMiqmS84X9Q==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-02-21T18:34:34Z"
     mac: ENC[AES256_GCM,data:yeMXclT2ZdxHy2CqWQkXVay4EHHq2o8dXF2yXa7q1FKyteRzf0Gve/IQVxH3VXYsGQf3lSdL5EAe3BXmNesWnA5QfTELt2hzgd5nQ6+NTzLDXmi/AW3L4BhzpOoK7UIJ+mG42N4mkYlBe1dUyDBikxevWB3AAzGl7mAF/2io4TQ=,iv:d4g5dWUhFBauR8+4aPGU1hYkhyGsmdGBjgwBMs0HbtA=,tag:oOYKKCwOw/gjqeB/SCdkuQ==,type:str]

From 05fbd7183c115099680b69bae327d81fdcedb036 Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Sun, 23 Feb 2025 11:42:19 +0100
Subject: [PATCH 2/2] update documentation regarding ccchh-pass age key

---
 README.md | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index e059629..db00a4d 100644
--- a/README.md
+++ b/README.md
@@ -24,11 +24,23 @@ Please also keep our [Service & Responsibility Page](https://eh22.easterhegg.eu/
 
 This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines.
 
+### Using CCCHH Password-Store Key
+
+For convenience, a sops key has been added to the [CCCHH Password-Store](https://git.hamburg.ccc.de/CCCHH/password-store) which is able to encrypt all secrets of this repository.
+Sops can be told to use it like this:
+
+```bash
+export SOPS_AGE_KEY=$(pass noc/events/eh22/nox-sops-key)
+```
+
+If you don't have access to that, ask someone (@lilly for example) to authorize your personal key.
+
 ### Passwords
 
 All relevant passwords should be stored in `secrets/passwords.yaml` which is a plain yaml document with no strict schema but which is sops encrypted.
 It should contain all relevant passwords, a NOC admin needs.
 
+
 #### Accessing Passwords
 
 ```bash
@@ -48,10 +60,12 @@ I (Lilly) personally prefer age since it skips all the openpgp cli weirdness and
 
 Adding a new age key works like this:
 
-1. `vim .sops.yaml` and enter the new key (preferably as a yaml anchor) under `keys` as well as the `creation_rule` for the passwords file.
+1. Run `age-keygen -o ~/.config/sops/age/keys.txt` and copy the public key from the generated file.
+2. Edit [.sops.yaml](./.sops.yaml) and enter the new key (preferably as a yaml anchor) under `keys` as well as the `creation_rule` for the passwords file.
    Look at the existing file content and you'll figure it out.
-2. `sops updatekeys secrets/passwords.yaml` to reencrypt the password file with the newly added key.
 3. Commit and push changes.
+4. Ask someone with existing access to run `sops updatekeys secrets/passwords.yaml` to reencrypt the password file with the newly added key.
+   They should, of course, also commit and push the changes.
 
 ### Machine-Secrets