diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..76cda7e
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+ - &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
+creation_rules:
+ - path_regex: config/hosts/ikiwiki/.*
+ key_groups:
+ - age:
+ - *admin_age_fi
+ - *host_age_ikiwiki
+stores:
+ yaml:
+ indent: 2
diff --git a/config/hosts/ikiwiki/default.nix b/config/hosts/ikiwiki/default.nix
index bc9766c..32d16c7 100644
--- a/config/hosts/ikiwiki/default.nix
+++ b/config/hosts/ikiwiki/default.nix
@@ -4,5 +4,6 @@
 ./configuration.nix
 ./ikiwiki.nix
 ./nginx.nix
+ ./sops.nix
 ];
 }
diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix
index 9f6462e..6b09cb0 100644
--- a/config/hosts/ikiwiki/nginx.nix
+++ b/config/hosts/ikiwiki/nginx.nix
@@ -26,7 +26,7 @@ in
 tryFiles = "$uri $uri/ =404";
 };
 "~ .cgi" = {
- basicAuthFile = "/secrets/ikiwiki-auth-file.secret";
+ basicAuthFile = "/run/secrets/auth_file";
 extraConfig = ''
 gzip off;
 fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
@@ -45,4 +45,11 @@ in
 '';
 };
 };
+
+ sops.secrets."auth_file" = {
+ mode = "0440";
+ owner = "nginx";
+ group = "nginx";
+ restartUnits = [ "nginx.service" ];
+ };
 }
diff --git a/config/hosts/ikiwiki/secrets.nix b/config/hosts/ikiwiki/secrets.nix
deleted file mode 100644
index d366c75..0000000
--- a/config/hosts/ikiwiki/secrets.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys."ikiwiki-auth-file.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ];
- destDir = "/secrets";
- user = "nginx";
- group = "nginx";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
-}
diff --git a/config/hosts/ikiwiki/secrets.yaml b/config/hosts/ikiwiki/secrets.yaml
new file mode 100644
index 0000000..a707f57
--- /dev/null
+++ b/config/hosts/ikiwiki/secrets.yaml
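Review bot: `path_regex: config/hosts/ikiwiki/.*` is unanchored; sops applies the regex as a search over the file path rather than a full match, so this rule also fires for any path that merely contains that substring and would encrypt such a file to these two recipients. Anchoring it, `path_regex: ^config/hosts/ikiwiki/.*`, restricts the rule to the intended host directory. A one-line comment above each key naming whose identity it is, e.g. `# operator key; the private half is kept outside this repo` above `admin_age_fi`, would help whoever has to rotate or re-key later.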
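Review bot: The new `basicAuthFile` hard-codes `/run/secrets/auth_file`, which duplicates the path sops-nix derives for the secret declared later in this file; if the secret is renamed or given an explicit `path`, nothing ties the two together and nginx would fail to authenticate against a missing user file. `config` is already in scope here (the `fastcgi_pass` line uses it), so `basicAuthFile = config.sops.secrets."auth_file".path;` keeps the reference bound to the declaration. The enclosing virtual-host definition starts before this hunk.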
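Review bot: `restartUnits = [ "nginx.service" ];` turns every change of the auth file into a full nginx restart, dropping in-flight connections, while nginx (as far as I recall) reopens `auth_basic_user_file` per request, subject to `open_file_cache`; `reloadUnits = [ "nginx.service" ];` is the gentler option if any trigger is wanted at all. The `0440` mode with owner and group `nginx` is tighter than the `0640` the removed secrets.nix used, which fits a file only nginx workers read. A one-line comment above the block, `# htpasswd file for the "~ .cgi" location above`, would tell the reader what the secret is without decrypting it.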
@@ -0,0 +1,25 @@
+auth_file: ENC[AES256_GCM,data:5/uT1sIOI95LNA9YFWh3I9J2PCZmz/J38YxVsKVWFHfJdZUOQpSW6ekjX7StP/svtv6Tp0AonnvcKfRcyPYn,iv:NKdWae+EihasTMV24Hk+dKJG8032mWu+RWItWs0b6RE=,tag:WBM6pXlKaDXOMnBWGBLJWg==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNDZLcEFGRHczMHg3S0w3
+ eTNvNGI5TXBWTTc1eXAzZStlSmZTQ3NkdTA4CmlYVEF1NWhldVZuZmwzTUU0NG5j
+ UFhvU3Q3Q1BvVHhrODJWc296UUo0TmMKLS0tIFFlUGRYVDNNYm40cXhlZ004eFk5
+ b3BnLzBjZFpjVDN2clZaTGlWV29NVUEKsdK4V5Og+bK26Gl6HTkOBtFrHfr1RFYu
+ zWNGQ3skkvATO/ypa0zFf3+qnupCTTO5emwscoRK8ZZFVgSswdnbIA==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUJXWW95OXlEZFFwbHlp
+ RzJJMDFJU2pUTjltZ1JaWjE5c0xPY0hvNUdZCk5uWk9kdlRWNTNVUUVmT3VVeE9j
+ ajNNeVlZcEw4WFdqZ2QwTXl2MlhVZ2cKLS0tIFVVUXJtWkhtREFsdXp5ODZkOTA1
+ b1h3THFYSU1yblM0WmdxTUVtZG1OYVUK5tmcOX+jOdbSD1YCPqcAeoGF8ny61lWY
+ xwguejMeVZ/pCjO/qf3tb+MUlInPMXva59FelGd3nz6cbVqbeWtxSQ==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
+ lastmodified: "2026-05-16T22:13:21Z"
+ mac: ENC[AES256_GCM,data:McAN1DueAhDBAY8kloB5l8M0pLIeswtnCxBtMYFyzBaY2Z43gNetBwdpzs5sL4nEmAZGPJ9AjXJVSmjb1tOn3BF8X5n6/9F7DzvHT7ukpIjumGC0KeB0QfaIGgKJyo7koISIVlGFZAwgcf1fQwaKZsYzfOGelj7UNrzFCjArK+Y=,iv:oZUmzcEr08jROw24J2fXQ4EjEJH3vzYysdy51vEtUNM=,tag:QJjNb/YvuZrZtQD9QE1Z3g==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.0
diff --git a/config/hosts/ikiwiki/sops.nix b/config/hosts/ikiwiki/sops.nix
new file mode 100644
index 0000000..78dc2c8
--- /dev/null
+++ b/config/hosts/ikiwiki/sops.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
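Review bot: The file does not say which private key is expected to decrypt `secrets.yaml` on the host; with neither `sops.age.keyFile` nor `sops.age.sshKeyPaths` set, sops-nix falls back (as far as I recall) to an age identity derived from the host's ed25519 SSH host key, so the `host_age_ikiwiki` recipient in `.sops.yaml` has to match that key for activation to succeed. Making the dependency explicit, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, or a comment stating it, `# decrypted with the age identity derived from this host's ed25519 SSH key; keep host_age_ikiwiki in .sops.yaml in sync`, avoids a confusing failure after a host key rotation or reinstall.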