Reorganize secrets

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-15 09:58:03 +03:00
parent 2da836953b
commit 0665ded197
40 changed files with 88 additions and 81 deletions


@@ -95,13 +95,13 @@ copy_secure_boot_keys() {
SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
export SOPS_AGE_KEY_FILE
sops --decrypt --extract "['guid']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
sops --decrypt --extract "['guid']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*
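Review bot: The private keys written by the `>` redirects on the `KEK.key`, `PK.key` and `db.key` lines are created with the shell's current umask (commonly 022, i.e. mode 0644) and are only tightened by the trailing `chmod 400`, so the Secure Boot signing keys sit world-readable under `$root/persist` for the window between creation and the chmod, and stay that way if the function aborts between the two (e.g. a failing `sops` call under `set -e`). Creating them restrictively closes both gaps: add `umask 077` before the first redirect (restoring the caller's mask afterwards, or running the seven `sops` lines in a `( umask 077; … )` subshell), or write each key with `sops … | install -m 0400 /dev/stdin "$dest"`. The `.pem` certificates and `GUID` are public material, so a tighter umask costs nothing there, and the existing `chmod 400` glob can stay as a final belt-and-braces step. `copy_secure_boot_keys` starts before this hunk, so whether a umask is already set earlier in the function cannot be seen from here; if it is, a comment on the redirect lines saying so would save the next reviewer the same question.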


@@ -2,8 +2,10 @@
{
sops = {
secrets = {
"git/credentials/github.com/public/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"git/credentials/github.com/public/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"git/credentials/github.com/public/username".sopsFile =
"${inputs.secrets}/domains/personal/secrets.yaml";
"git/credentials/github.com/public/password".sopsFile =
"${inputs.secrets}/domains/personal/secrets.yaml";
};
templates.nix-access-tokens = {