EH22/nox
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: EH22:d31677b549307770cc21231a44ab2125f85da79d
Branches Tags
EH22:main
...
compare: EH22:05fbd7183c115099680b69bae327d81fdcedb036
Branches Tags
EH22:main

2 commits
d31677b549 ... 05fbd7183c

Author SHA1 Message Date
lilly
05fbd7183c
 		update documentation regarding ccchh-pass age key 2025-02-23 11:42:19 +01:00
lilly
17d6a03bd5
 		add public sops key for ccchh pass 2025-02-23 11:31:06 +01:00
3 changed files with 32 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -1,7 +1,9 @@
keys: keys:
- &ccchh_pass "age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92"
- &user_lilly "age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d" - &user_lilly "age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d"
creation_rules: creation_rules:
- path_regex: secrets/passwords.yaml - path_regex: secrets/passwords.yaml
key_groups: key_groups:
- age: - age:
- *ccchh_pass
- *user_lilly - *user_lilly

18
README.md
View file

@ -24,11 +24,23 @@ Please also keep our [Service & Responsibility Page](https://eh22.easterhegg.eu/
This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines. This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines.
### Using CCCHH Password-Store Key
For convenience, a sops key has been added to the [CCCHH Password-Store](https://git.hamburg.ccc.de/CCCHH/password-store) which is able to encrypt all secrets of this repository.
Sops can be told to use it like this:
```bash
export SOPS_AGE_KEY=$(pass noc/events/eh22/nox-sops-key)
```
If you don't have access to that, ask someone (@lilly for example) to authorize your personal key.
### Passwords ### Passwords
All relevant passwords should be stored in `secrets/passwords.yaml` which is a plain yaml document with no strict schema but which is sops encrypted. All relevant passwords should be stored in `secrets/passwords.yaml` which is a plain yaml document with no strict schema but which is sops encrypted.
It should contain all relevant passwords, a NOC admin needs. It should contain all relevant passwords, a NOC admin needs.
#### Accessing Passwords #### Accessing Passwords
```bash ```bash
@ -48,10 +60,12 @@ I (Lilly) personally prefer age since it skips all the openpgp cli weirdness and
Adding a new age key works like this: Adding a new age key works like this:
1. `vim .sops.yaml` and enter the new key (preferably as a yaml anchor) under `keys` as well as the `creation_rule` for the passwords file. 1. Run `age-keygen -o ~/.config/sops/age/keys.txt` and copy the public key from the generated file.
2. Edit [.sops.yaml](./.sops.yaml) and enter the new key (preferably as a yaml anchor) under `keys` as well as the `creation_rule` for the passwords file.
Look at the existing file content and you'll figure it out. Look at the existing file content and you'll figure it out.
2. `sops updatekeys secrets/passwords.yaml` to reencrypt the password file with the newly added key.
3. Commit and push changes. 3. Commit and push changes.
4. Ask someone with existing access to run `sops updatekeys secrets/passwords.yaml` to reencrypt the password file with the newly added key.
They should, of course, also commit and push the changes.
### Machine-Secrets ### Machine-Secrets

19
secrets/passwords.yaml
View file

@ -18,14 +18,23 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNlR6c1djamw2ZmpYb3pE
TDZBSlI1emJRWlZGRmJJbElXRlp4V0lUVWhzCm9EeWxqKy8xaVpNUXRIcUNNZGRj
R2dzN3IwZEJ4ajRMUmZnY2hwVWRNNlkKLS0tIE9TcE1NWUdaQ2x0My9QNDYwQjZO
K2pYWmV3WjkyRmdPYlRqakRndlJ4V0UKERTgFxUlywU3zZZ1VFeBjPrMG1kbWM9u
yz37P+dEj5c7djQFymyQInaAN9HgxoKZg+ouqaaUHIpp/pCGThFo3Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dkVFRnd5MjQ1S3Q3aTlq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bU1Gd09tQ1FHYlJ2WWRZ
UWJZZC9mUGZFQXpyczBFQWpVcUlJQXZjY0NzCnhQd3Q3QUhjbDZvdlMzeTRtQWtt Ni9RdVhMaUI0bEEyd0pZaWNqQVlOZGRUMGtRClFRV0todlpDYmkxVjE3OFRZa3VQ
SCsyUVhvRFBzL01XaWduK2YvNkhrZzAKLS0tIDFzeHFrb2dZU3JmMmgzZVVHN3VR aXpLUGhlNFFGcjJHTzRlNk5qSEttSG8KLS0tIGJ5cFNhREw1KzZ5bjlBUFlLSzRs
Q0ZGUFBmUWpUYjR5OUwxOUplblZ0SmcKtMl1KoYwPb776zz8FfFnf0s7XlnOLnuU YW1BSERaOURtVGpMSnRiTkJyaDR3OTQK3pXGQU1SoUKdmLKUe88e8/BjqPjmdhke
nXkPxRaDel/3EsLnfhcONRAKTGdleRHAXQVIGHrs/jjnZ2OJgXIzYA== bP7DHbpvk4xG2Z3fnacihDCwiBASn2Wu350hl1WoM5pzMiqmS84X9Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-21T18:34:34Z" lastmodified: "2025-02-21T18:34:34Z"
mac: ENC[AES256_GCM,data:yeMXclT2ZdxHy2CqWQkXVay4EHHq2o8dXF2yXa7q1FKyteRzf0Gve/IQVxH3VXYsGQf3lSdL5EAe3BXmNesWnA5QfTELt2hzgd5nQ6+NTzLDXmi/AW3L4BhzpOoK7UIJ+mG42N4mkYlBe1dUyDBikxevWB3AAzGl7mAF/2io4TQ=,iv:d4g5dWUhFBauR8+4aPGU1hYkhyGsmdGBjgwBMs0HbtA=,tag:oOYKKCwOw/gjqeB/SCdkuQ==,type:str] mac: ENC[AES256_GCM,data:yeMXclT2ZdxHy2CqWQkXVay4EHHq2o8dXF2yXa7q1FKyteRzf0Gve/IQVxH3VXYsGQf3lSdL5EAe3BXmNesWnA5QfTELt2hzgd5nQ6+NTzLDXmi/AW3L4BhzpOoK7UIJ+mG42N4mkYlBe1dUyDBikxevWB3AAzGl7mAF/2io4TQ=,iv:d4g5dWUhFBauR8+4aPGU1hYkhyGsmdGBjgwBMs0HbtA=,tag:oOYKKCwOw/gjqeB/SCdkuQ==,type:str]