From 491982aac383ca369c34375091d6326a4f3ce53f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Wed, 12 Oct 2022 17:51:29 +0100 Subject: [PATCH] sops: Improve secrets provisioning to split out staging --- .sops.yaml | 9 ++++- configuration/default.nix | 6 +-- configuration/services/starbound.nix | 2 +- configuration/sops.nix | 10 +++++ flake.nix | 3 ++ keys/hosts/staging.asc | 28 ++++++++++++++ keys/{internal.yaml => production.yaml} | 6 ++- keys/staging.yaml | 50 +++++++++++++++++++++++++ 8 files changed, 105 insertions(+), 9 deletions(-) create mode 100644 configuration/sops.nix create mode 100644 keys/hosts/staging.asc rename keys/{internal.yaml => production.yaml} (82%) create mode 100644 keys/staging.yaml diff --git a/.sops.yaml b/.sops.yaml index ad56f8b..4c17c75 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,9 +1,16 @@ keys: - &tlater 535B61015823443941C744DD12264F6BBDFABA89 - &server_tlaternet 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b + - &server_staging 7762ec55a5727cabada621d961e53f94caa314e4 creation_rules: - - key_groups: + - path_regex: keys/production.yaml + key_groups: - pgp: - *tlater - *server_tlaternet + - path_regex: keys/staging.yaml + key_groups: + - pgp: + - *tlater + - *server_staging diff --git a/configuration/default.nix b/configuration/default.nix index e722628..d957dba 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -10,6 +10,7 @@ ./services/webserver.nix ./services/starbound.nix ./ids.nix + ./sops.nix ]; nix = { @@ -26,11 +27,6 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["steam-runtime" "steamcmd"]; - sops = { - defaultSopsFile = ../keys/external.yaml; - secrets.steam = {}; - }; - boot.kernelParams = ["highres=off" "nohz=off"]; networking = { diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix index e8a0772..5dc0961 100644 --- a/configuration/services/starbound.nix +++ b/configuration/services/starbound.nix 
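Review bot: The two new `path_regex` values in `.sops.yaml` are unanchored regular expressions, so `keys/production.yaml` also matches any longer path containing that substring and its `.` matches any character; anchoring them as `path_regex: ^keys/production\.yaml$` and `path_regex: ^keys/staging\.yaml$` makes the production/staging key split exact. A secrets file under keys/ that matches no rule should fail to encrypt rather than fall through to some other key group, which is the safe direction, but it means every new secrets file has to be listed here explicitly; a one-line comment above `creation_rules` saying so would help the next person who adds one.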
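Review bot: The block removed from `configuration/default.nix` pointed `defaultSopsFile` at `../keys/external.yaml`, but the diffstat only renames `keys/internal.yaml` to `keys/production.yaml` and never touches an `external.yaml`; if that file still exists it is now an orphaned secrets file that no creation rule in `.sops.yaml` covers, and if it never existed the old reference was dead. Either the commit should delete the stale file alongside this move, or the commit message should state that the reference was already broken. Moving the sops settings into `./sops.nix` is otherwise straightforward; the second hunk's attribute set starts and ends outside the hunk.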
@@ -16,7 +16,7 @@ in { # Credential loading for steam auth (if necessary; prefer # anonymous login wherever possible). - LoadCredential = "steam:/run/secrets/steam"; + LoadCredential = "steam:/run/secrets/steam/tlater"; # Security settings DynamicUser = true; diff --git a/configuration/sops.nix b/configuration/sops.nix new file mode 100644 index 0000000..8efa3af --- /dev/null +++ b/configuration/sops.nix @@ -0,0 +1,10 @@ +{ + sops = { + defaultSopsFile = ../keys/production.yaml; + secrets."nextcloud/tlater" = { + owner = "nextcloud"; + group = "nextcloud"; + }; + secrets."steam/tlater" = {}; + }; +} diff --git a/flake.nix b/flake.nix index 852694f..5ff0a51 100644 --- a/flake.nix +++ b/flake.nix @@ -84,6 +84,9 @@ # can easily test locally with the VM. services.nginx.domain = lib.mkOverride 99 "localhost"; + # Use the staging secrets + sops.defaultSopsFile = lib.mkOverride 99 ./keys/staging.yaml; + # # Set up VM settings to match real VPS # virtualisation.memorySize = 3941; # virtualisation.cores = 2; diff --git a/keys/hosts/staging.asc b/keys/hosts/staging.asc new file mode 100644 index 0000000..fbabfe2 --- /dev/null +++ b/keys/hosts/staging.asc 
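Review bot: `LoadCredential = "steam:/run/secrets/steam/tlater";` hardcodes the secret's runtime path, so it silently breaks if the secret is renamed again or given a custom `path` in the sops configuration; `LoadCredential = "steam:${config.sops.secrets."steam/tlater".path}";` keeps the unit tied to the declaration, assuming `config` is bound at the top of this file, which is outside the hunk. The enclosing service definition starts and ends outside the hunk.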
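Review bot: In the new `configuration/sops.nix`, `secrets."steam/tlater" = {};` leaves the steam secret with sops-nix's default owner and mode while the nextcloud secret gets an explicit owner/group, and nothing explains the asymmetry; a comment such as `# Loaded by systemd via LoadCredential (runs as root), so no owner override is needed` above it, matching the starbound unit in this commit, would save the next reader a search. `defaultSopsFile = ../keys/production.yaml;` is also overridden for the VM in `flake.nix`, which someone reading this module alone cannot see; a one-line `# Overridden to keys/staging.yaml for the test VM in flake.nix` would make the split explicit.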
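Review bot: `sops.defaultSopsFile = lib.mkOverride 99 ./keys/staging.yaml;` only switches the default file, so any secret that later sets its own `sopsFile` in `configuration/sops.nix` would still be read from production inside the VM; the existing comment could say so, e.g. `# Use the staging secrets (only affects secrets that do not set sopsFile explicitly)`. Using priority 99 to match the nginx domain override above is consistent. The module this sits in starts before the hunk and continues after it.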
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEAC32/CXnt4LDPdPZppQ0GcJAxVFHFu8SCl5WnU/PVPEnwgRkV8V +ZeyQN4qgT5LPWgPYyDyAqUHBUwRxvVcguw0fOlDBZ3nECKQxZ53OVlay7xfhgXO1 +luNu657u5VYtxfLqx7lVHfY/TWp5DBOOEpOtoKfz031Zbg11+kdxW5eEg2ypCTvn ++MVQgRH9AQI+0+jegQ9On3X9UaVdc8etuY/F8BAEwLCCbYpLUEUXwOo4YLB36Kg3 +P27q15Nl6g5P/oFEdS3fhHbh9636lJnxJcTTjAfJaDoQJ5rGDASiT8HJnkNWfrf/ +yzLMOiy6fRRIz8HTXKeZNeRvCPu1uHaWYi0RprWMu1HZ0cLzr5N2lHKcWgL8En5b +fPyqldFfJBlY36L59F7hTk10QBgqFhibcXB44iK96jnYw6LgSuFkbfrJr7fx67JN +lM2Xi4WXvzkp3gboDxd2Xy3ChQrQXmXcVAl8XNs78f5AQh5MJP6iC7ayiIsHq4aH +rGVLhbncfKpw4OL9jVNTyRinwpvl5qibLAJbDA7arn8XqT6FT0KjeLa91jTFLHGn +9IkJol+L0/zYrpyiid5ZKNJMousxJoXymzRkeYllr+nLjKNLv0L3MCnsiPEZ23iL +y2/UZ6Vcjrs50L46VuiewCEaVbBp1H9Ps5eUa2YoJ65sfe7wnscXI8oOpQARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQYeU/lMqjFOQCGw8CGQEAAEKvEABZo9JRHnwrKr7UGmynctmF +aR+1KApeWrqahhobgfvMjJLfnUV7UDSeiuf3juoZC+L1d8LqEp0czcqU1YuGtjTT +Yk/4WDwc7G9MjHDgVXPZlQ/qxSYBFwowbUkfhj49UA4Np2PW3yLtoZnBHLz6tmaD +mTtdNjzEw+L0GQ9Wi2pQYSUV4I9URF/NH7NGmurNl8Y5SHb3rqFQ4CPGXk5UQYL5 +s0ZdArwgWNH+ceC1Kq0baKu5WJINFfCIJbJajATBqgPy6FPEmhUdgt8awOp01oEc +zs2930sc6YY5GJVEGnxR/qBLTA5lANS1mpqHd9s4YF7jj8h/q8SV4iegTeKHrLox +v1bP+QzHquCn7BpO9V6GD/eaqBKfx6k6+HDb5YmKnBvBV/c3yJ6wiv1H32nauWs1 +CgiJNYV+A/+YnWf0uPRqelAzT06JUtnSBZ0ppKLR68X3IKisXVNzW/3pM/ZWWfFM +uKHCoppH2iuStn2wPkdjJD4UHduAFyF1oj1jFwP9r+EuhhPH1qr40405jRdOR98P +RuPhrSkLBdWiUlNintDOyFzNbKXMZlreZeATeT5y/H+IF3CDvgAhBo7KqhfBfgUK +6P/1xk8DozTmlsKY/cOsK0aL47CJcg8LU6tHrxa8uP6qV2HbUD31WbCRr1eL8k2G +xszxEVPuKG8ckw58WpT4vA== +=kJ/7 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/internal.yaml b/keys/production.yaml similarity index 82% rename from keys/internal.yaml rename to keys/production.yaml index 316e6f5..bfc494f 100644 --- a/keys/internal.yaml +++ b/keys/production.yaml 
@@ -1,13 +1,15 @@ nextcloud: tlater: ENC[AES256_GCM,data:zNsPm4uFaIRe3LjcwmayRg==,iv:5wam6bP5zP708jC9UrLV0s8qspl3Pm4fPzbMFYBUyPQ=,tag:apnJUMeJwMn9q0NhO4ptmA==,type:str] +steam: + tlater: ENC[AES256_GCM,data:HNsve/Wid40ftclO9n09yXg=,iv:VQxAz4eR9lfxEvM0zl1FpJpbKrEFxjIYLyCqL9Aool0=,tag:LHcpHCXAHe8p2kOvOnKXyw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-10-12T00:50:02Z" - mac: ENC[AES256_GCM,data:6EIC9W7If1c2OnP6j3u4SOcG26v/aScfRWyZeofhtM6Wkw52sonaBp3IsOkp/Jn/WWYKdNgffpBwMYfxI6JumsiZzb9cdED6Tr/fxjminoz8dopZTMgIYHj3ocIyU2M35SlsYE3iPEb4eHrmP/dIhExEQp2Hkin3afLHbmDV1Rs=,iv:kQ+OGNg3p/3i9d0Xlr/vp1ac14GYvg4GZqeXOt+9jZE=,tag:NYqyLUn9pTjSlrTAC/ke8g==,type:str] + lastmodified: "2022-10-12T13:13:37Z" + mac: ENC[AES256_GCM,data:+EuA0rblxZYk+0tZs3vUFtr1cVKhdrLi4Ww0QjeITZn2k+SL8Y2gRl3gNVQOe00WHUgSKN53QKhxDj4q6Rd0LfwASxRRjz78Mk8yHDRDIfdDS960EasgKON4HPW/eMd2Fp4+flv57KYywQQWp3AlD8JqxIf5wNhyywn5LlW3PCQ=,iv:YFIk0LrRjV8417QJ5cp5EuIm7bezyG8ZulKcu1xhIF4=,tag:vtq5hCuLEXOvRjE2D/5cCQ==,type:str] pgp: - created_at: "2022-10-12T00:46:51Z" enc: | diff --git a/keys/staging.yaml b/keys/staging.yaml new file mode 100644 index 0000000..14a683a --- /dev/null +++ b/keys/staging.yaml 
@@ -0,0 +1,50 @@ +nextcloud: + tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str] +steam: + tlater: ENC[AES256_GCM,data:jcW4wacGzOQ=,iv:KstKGHflscSWDFXGbnAZUcsqGN4Ot+w7sRbsAUwZNHQ=,tag:n9sRWvaKSgagpIgV/NF/Og==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-10-12T13:14:20Z" + mac: ENC[AES256_GCM,data:IlU8Jr+HD/ZHHsd7eaaSGp3tRxGy8/yhbSejkWmHFeL1WsvdWsToHM7yah2WzX+uY7s/i7atHQdhbHITCi6gBIFociVVPwziK5YOmTXv1fHlcD60U4ClRbTtgMVMtvc5tXrxdLQGhaX+DJ5xXBhTlCSwwqgYP0I7vJmEUF9mz7g=,iv:IM1ebqQB1UO5EN92kipHL20iGtFTKJhUiN/XR6psWBM=,tag:WweauZ5pA7/YMuUuq8C/xQ==,type:str] + pgp: + - created_at: "2022-10-12T16:48:23Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA7x7stsXx45CAQf/QKXxlgFzUn5ZS02JDiOLds6wjsiTbwQeIy+den+qH9KF + CyfC/8WhxojyhliG0zUzQ7oHtYYkbknF2DyrR7J4+S3SyvMS6MDGTUUn5dIcGwBO + 2/Q2bt4ayOJFNTPePA0IfuMYNUiMl5B/0GCFRV9DE+gG/dcsOzM5q1Uya/yJ1966 + RndWwbnE4j5yP4Nj2o3OiZFhlNi6W6UffYB0hsTTPmmebIZltDRbmLSSpKcfNEYw + h3st3WaJ0BCuQC5i/kvYTfJyBCoYnvFrb3RmXm3h+MvW0JZwHzfbST3nJCBHh5XJ + fVquF17oDJzn5S7EdWMhUbWwHgZwz2J6sZMgGEQ6WdJeAf2IlCuRYGjQMcB1WhxH + GCgbzUGoOGrxT3euzz9R1J98d1HQqtpFgeg9JgWndUdhoF80+AU7Wpyy6qOg2n/4 + wCcb4pcqG1OqFezauEu8+sFdE07vfLoWzxJIark8WA== + =pc2z + -----END PGP MESSAGE----- + fp: 535B61015823443941C744DD12264F6BBDFABA89 + - created_at: "2022-10-12T16:48:23Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA2HlP5TKoxTkARAAl+2Y+pd5oraYLgiiJ0CbMFef0zCpFwBwUCyzykMOICGa + TWCYs8K6hChjepe0p8+oZnp0wi8U1qrmgRtFljQfHoXq5EXDYKydkz8XHHDI7/W7 + 1BmETajv9Mx7j4BFNB3z0XvLJTPeNhygemuHhox5pA8CUt5FkYahpzYR9AlLiAwx + NtU+csrcGUqYllT5WYIKFVIwFk07IvgK/7vj3filO5G2GMiH7lsV6p7W/MYqCFTV + grE383/bGCT18XmHpe3Uu0NcotexiqKSXpnFNntWOgd/KynBn8Oa/DMr8ci/4QSF + rEV4+IGJSmfAzQYaIfzNRGyTQJKBFiXWQv53GWT9Y5EbdEYEBhyqlIaV5fp/61X+ + 8zhLz3b6QMkNkI6mNVVLK96g2p0dhVoq+R3Wlj/RIVDw/BzH+vJIArQhc8T2NEOX + lmLFTMoTRXPrw/UZKMoO+JSDwt2p3WI0sb/ThS+bd7eymxt5lFW1Ikc4Jgd/iHHu + 
JtUZ78i8jAV/nBJPaAYXoRxfpcAMFqJCnxTwCoF7vYP6hHeYW9PPqsClPxQ97TrO + /Ei01e9YSfdtIzKcwkOThffRr+7hxwEGQ3EZ+2ShOW9ASfLkIo4MgoLtDAoHCK5E + vc2JGWP+vlylTVnZ46Hp8BMRlSjdkS/qGU0lSTPC3q+PllCF2gkN6ZcdLv5L2DDS + UAFD70TIN2QAiYEZW6jxg2UtO9ULLT5NgrvfHD9aGAk7jIxeY+nH3S7KqFgmA21c + IkNZJSX/J85d13+kJADms3vI7uMOcSUiInaQHy9Cqjrr + =fnOr + -----END PGP MESSAGE----- + fp: 7762ec55a5727cabada621d961e53f94caa314e4 + unencrypted_suffix: _unencrypted + version: 3.7.2