yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

automatically import secrets into nixos

Browse Source
This commit is contained in:
Jörg Thalheim
2023-08-23 11:58:12 +02:00
parent ed1d28f20b
commit 63bb9395fd
17 changed files with 196 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
checks/secrets/.clan-flake Normal file
View File

6
checks/secrets/clan-secrets Executable file
View File

@@ -0,0 +1,6 @@
#!/usr/bin/env bash
set -eux -o pipefail
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
export SOPS_AGE_KEY_FILE="${SCRIPT_DIR}/key.age"
nix run .# -- secrets "$@"

16
checks/secrets/default.nix Normal file
View File

@@ -0,0 +1,16 @@
(import ../lib/test-base.nix) {
name = "secrets";
nodes.machine = { self, config, ... }: {
imports = [
self.nixosModules.secrets
];
environment.etc."secret".source = config.sops.secrets.foo.path;
sops.age.keyFile = ./key.age;
clan.sops.sopsDirectory = ./sops;
networking.hostName = "machine";
};
testScript = ''
machine.succeed("cat /etc/secret >&2")
'';
}

1
checks/secrets/key.age Normal file
View File

@@ -0,0 +1 @@
AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX

4
checks/secrets/sops/machines/machine/key.json Executable file
View File

@@ -0,0 +1,4 @@
{
"publickey": "age15x8u838dwqflr3t6csf4tlghxm4tx77y379ncqxav7y2n8qp7yzqgrwt00",
"type": "age"
}

1
checks/secrets/sops/secrets/foo/machines/machine Symbolic link
View File

@@ -0,0 +1 @@
../../../machines/machine

20
checks/secrets/sops/secrets/foo/secret Normal file
View File

@@ -0,0 +1,20 @@
{
"data": "ENC[AES256_GCM,data:bhxF,iv:iNs+IfSU/7EwssZ0GVTF2raxJkVlddfQEPGIBeUYAy8=,tag:JMOKTMW3/ic3UTj9eT9YFQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age15x8u838dwqflr3t6csf4tlghxm4tx77y379ncqxav7y2n8qp7yzqgrwt00",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxS0g4TEt4S09LQnFKdCtk\nZTlUQWhNUHZmcmZqdGtuZkhhTkMzZDVaWWdNCi9vNnZQeklNaFBBU2x0ditlUDR0\nNGJlRmFFb09WSUFGdEh5TGViTWtacFEKLS0tIE1OMWdQMHhGeFBwSlVEamtHUkcy\ndzI1VHRkZ1o4SStpekVNZmpQSnRkeUkKYmPS9sR6U0NHxd55DjRk29LNFINysOl6\nEM2MTrntLxOHFWZ1QgNx34l4rYIIXx97ONvR0SRpxN0ECL9VonQeZg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-08-23T09:11:08Z",
"mac": "ENC[AES256_GCM,data:8z819mP4FJXE/ExWM1+/dhaXIXzCglhBuZwE6ikl/jNLUAnv3jYL9c9vPrPFl2by3wXSNzqB4AOiTKDQoxDx2SBQKxeWaUnOajD6hbzskoLqCCBfVx7qOHrk/BULcBvMSxBca4RnzXXoMFTwKs2A1fXqAPvSQd1X4gX6Xm9VXWM=,iv:3YxZX+gaEcRKDN0Kuf9y1oWL+sT/J5B/5CtCf4iur9Y=,tag:0dwyjpvjCqbm9vIrz6WSWQ==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

1
checks/secrets/sops/secrets/foo/users/admin Symbolic link
View File

@@ -0,0 +1 @@
../../../users/admin

4
checks/secrets/sops/users/admin/key.json Executable file
View File

@@ -0,0 +1,4 @@
{
"publickey": "age15x8u838dwqflr3t6csf4tlghxm4tx77y379ncqxav7y2n8qp7yzqgrwt00",
"type": "age"
}