From 6a81ce4c1d2605127a707286852d07cb48bb6384 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Wed, 12 Oct 2022 02:03:22 +0100
Subject: [PATCH] sops: Improve secrets provisioning to split out staging

---
 .sops.yaml | 9 ++++-
 configuration/default.nix | 6 +---
 configuration/services/starbound.nix | 2 +-
 configuration/sops.nix | 10 ++++++
 flake.nix | 3 ++
 keys/hosts/staging.asc | 28 ++++++++++++++++
 keys/production.yaml | 50 ++++++++++++++++++++++++++++
 keys/staging.yaml | 50 ++++++++++++++++++++++++++++
 8 files changed, 151 insertions(+), 7 deletions(-)
 create mode 100644 configuration/sops.nix
 create mode 100644 keys/hosts/staging.asc
 create mode 100644 keys/production.yaml
 create mode 100644 keys/staging.yaml

diff --git a/.sops.yaml b/.sops.yaml
index ad56f8b..4c17c75 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,9 +1,16 @@
 keys:
 - &tlater 535B61015823443941C744DD12264F6BBDFABA89
 - &server_tlaternet 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
+ - &server_staging 7762ec55a5727cabada621d961e53f94caa314e4
 creation_rules:
- - key_groups:
+ - path_regex: keys/production.yaml
+ key_groups:
 - pgp:
 - *tlater
 - *server_tlaternet
+ - path_regex: keys/staging.yaml
+ key_groups:
+ - pgp:
+ - *tlater
+ - *server_staging
diff --git a/configuration/default.nix b/configuration/default.nix
index 4b9bfa1..d84302a 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -10,6 +10,7 @@
 ./services/webserver.nix
 ./services/starbound.nix
 ./ids.nix
+ ./sops.nix
 ];
 nix = {
@@ -25,11 +26,6 @@
 nixpkgs.config.allowUnfreePredicate = pkg:
 builtins.elem (lib.getName pkg) ["steam-runtime" "steamcmd"];
- sops = {
- defaultSopsFile = ../keys/external.yaml;
- secrets.steam = {};
- };
-
 # Optimization for minecraft servers, see:
 # https://bugs.mojang.com/browse/MC-183518
 boot.kernelParams = ["highres=off" "nohz=off"];
diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix
index e8a0772..5dc0961 100644
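Review bot: `path_regex: keys/production.yaml` and `path_regex: keys/staging.yaml` are unanchored regular expressions, so `.` matches any character and each pattern also matches longer paths such as `keys/production.yaml.bak` or `old/keys/staging.yaml`; since the two rules select different recipient sets, anchor them: `path_regex: ^keys/production\.yaml$` and `path_regex: ^keys/staging\.yaml$`. The fingerprints are bare hex with nothing saying which machine each anchor belongs to; a comment such as `# &server_staging: public key exported in keys/hosts/staging.asc` (presumably that is the matching key, but the file does not say so) would make the trust anchors auditable.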
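Review bot: The removed `defaultSopsFile = ../keys/external.yaml;` looks like the only reference to that file, yet the diffstat shows no deletion of `keys/external.yaml`, so the old encrypted secrets file stays in the tree and no longer matches any creation rule in `.sops.yaml`. Either remove it in this commit (`git rm keys/external.yaml`) or state why it is kept, and bear in mind that its ciphertext and the previous `secrets.steam` value stay in git history regardless; if the steam credential was carried over unchanged into `keys/production.yaml`, rotating it at some point is safer than relying on the move alone. The hunk sits inside a module attrset whose start and end are outside the hunk.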
--- a/configuration/services/starbound.nix
+++ b/configuration/services/starbound.nix
@@ -16,7 +16,7 @@ in {
 # Credential loading for steam auth (if necessary; prefer
 # anonymous login wherever possible).
- LoadCredential = "steam:/run/secrets/steam";
+ LoadCredential = "steam:/run/secrets/steam/tlater";
 # Security settings
 DynamicUser = true;
diff --git a/configuration/sops.nix b/configuration/sops.nix
new file mode 100644
index 0000000..8efa3af
--- /dev/null
+++ b/configuration/sops.nix
@@ -0,0 +1,10 @@
+{
+ sops = {
+ defaultSopsFile = ../keys/production.yaml;
+ secrets."nextcloud/tlater" = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ secrets."steam/tlater" = {};
+ };
+}
diff --git a/flake.nix b/flake.nix
index 852694f..5ff0a51 100644
--- a/flake.nix
+++ b/flake.nix
@@ -84,6 +84,9 @@
 # can easily test locally with the VM.
 services.nginx.domain = lib.mkOverride 99 "localhost";
+ # Use the staging secrets
+ sops.defaultSopsFile = lib.mkOverride 99 ./keys/staging.yaml;
+
 # # Set up VM settings to match real VPS
 # virtualisation.memorySize = 3941;
 # virtualisation.cores = 2;
diff --git a/keys/hosts/staging.asc b/keys/hosts/staging.asc
new file mode 100644
index 0000000..fbabfe2
--- /dev/null
+++ b/keys/hosts/staging.asc
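Review bot: The new `LoadCredential = "steam:/run/secrets/steam/tlater";` hard-codes the path that sops-nix derives from the secret name, so renaming the secret or changing `sops.defaultSymlinkPath` would silently break credential loading with no evaluation error. Referencing the option keeps the two in sync: `LoadCredential = "steam:${config.sops.secrets."steam/tlater".path}";` (assuming `config` is among this module's arguments; the `let … in` and the enclosing attrset start outside the hunk). Delivering the secret through LoadCredential is the right choice next to `DynamicUser = true`, since systemd reads the root-owned file and hands the unprivileged service its own copy, and a short comment saying so would stop someone from "fixing" it into an `owner =` on the secret later.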
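Review bot: Neither secret sets sops-nix's `restartUnits`/`reloadUnits`, so after a value is changed and the system is switched, the files under /run/secrets are rewritten but the consuming services keep running with the old credential until something else restarts them. Add e.g. `secrets."steam/tlater".restartUnits = [ "starbound.service" ];` (using whatever unit services/starbound.nix actually defines) and the equivalent for the nextcloud unit. `secrets."nextcloud/tlater"` has no consumer anywhere in this diff; a one-line comment naming where it is read (presumably the nextcloud configuration elsewhere in the tree) would save the next reader a search.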
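Review bot: `lib.mkOverride 99` only works because a plain assignment carries priority 100, and this VM override must beat the plain `defaultSopsFile = ../keys/production.yaml` in configuration/sops.nix; that is subtle enough to spell out, e.g. `# Priority 99 beats the plain (100) assignment in configuration/sops.nix without resorting to mkForce`. The override also redirects only `defaultSopsFile`: any secret later declared with an explicit `sopsFile` would still decrypt from production even in the VM, which is fine today but worth a caveat in the same comment. The enclosing module attrset starts and ends outside the hunk.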
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEAC32/CXnt4LDPdPZppQ0GcJAxVFHFu8SCl5WnU/PVPEnwgRkV8V +ZeyQN4qgT5LPWgPYyDyAqUHBUwRxvVcguw0fOlDBZ3nECKQxZ53OVlay7xfhgXO1 +luNu657u5VYtxfLqx7lVHfY/TWp5DBOOEpOtoKfz031Zbg11+kdxW5eEg2ypCTvn ++MVQgRH9AQI+0+jegQ9On3X9UaVdc8etuY/F8BAEwLCCbYpLUEUXwOo4YLB36Kg3 +P27q15Nl6g5P/oFEdS3fhHbh9636lJnxJcTTjAfJaDoQJ5rGDASiT8HJnkNWfrf/ +yzLMOiy6fRRIz8HTXKeZNeRvCPu1uHaWYi0RprWMu1HZ0cLzr5N2lHKcWgL8En5b +fPyqldFfJBlY36L59F7hTk10QBgqFhibcXB44iK96jnYw6LgSuFkbfrJr7fx67JN +lM2Xi4WXvzkp3gboDxd2Xy3ChQrQXmXcVAl8XNs78f5AQh5MJP6iC7ayiIsHq4aH +rGVLhbncfKpw4OL9jVNTyRinwpvl5qibLAJbDA7arn8XqT6FT0KjeLa91jTFLHGn +9IkJol+L0/zYrpyiid5ZKNJMousxJoXymzRkeYllr+nLjKNLv0L3MCnsiPEZ23iL +y2/UZ6Vcjrs50L46VuiewCEaVbBp1H9Ps5eUa2YoJ65sfe7wnscXI8oOpQARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQYeU/lMqjFOQCGw8CGQEAAEKvEABZo9JRHnwrKr7UGmynctmF +aR+1KApeWrqahhobgfvMjJLfnUV7UDSeiuf3juoZC+L1d8LqEp0czcqU1YuGtjTT +Yk/4WDwc7G9MjHDgVXPZlQ/qxSYBFwowbUkfhj49UA4Np2PW3yLtoZnBHLz6tmaD +mTtdNjzEw+L0GQ9Wi2pQYSUV4I9URF/NH7NGmurNl8Y5SHb3rqFQ4CPGXk5UQYL5 +s0ZdArwgWNH+ceC1Kq0baKu5WJINFfCIJbJajATBqgPy6FPEmhUdgt8awOp01oEc +zs2930sc6YY5GJVEGnxR/qBLTA5lANS1mpqHd9s4YF7jj8h/q8SV4iegTeKHrLox +v1bP+QzHquCn7BpO9V6GD/eaqBKfx6k6+HDb5YmKnBvBV/c3yJ6wiv1H32nauWs1 +CgiJNYV+A/+YnWf0uPRqelAzT06JUtnSBZ0ppKLR68X3IKisXVNzW/3pM/ZWWfFM +uKHCoppH2iuStn2wPkdjJD4UHduAFyF1oj1jFwP9r+EuhhPH1qr40405jRdOR98P +RuPhrSkLBdWiUlNintDOyFzNbKXMZlreZeATeT5y/H+IF3CDvgAhBo7KqhfBfgUK +6P/1xk8DozTmlsKY/cOsK0aL47CJcg8LU6tHrxa8uP6qV2HbUD31WbCRr1eL8k2G +xszxEVPuKG8ckw58WpT4vA== +=kJ/7 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/production.yaml b/keys/production.yaml new file mode 100644 index 0000000..bfc494f --- /dev/null +++ b/keys/production.yaml 
@@ -0,0 +1,50 @@ +nextcloud: + tlater: ENC[AES256_GCM,data:zNsPm4uFaIRe3LjcwmayRg==,iv:5wam6bP5zP708jC9UrLV0s8qspl3Pm4fPzbMFYBUyPQ=,tag:apnJUMeJwMn9q0NhO4ptmA==,type:str] +steam: + tlater: ENC[AES256_GCM,data:HNsve/Wid40ftclO9n09yXg=,iv:VQxAz4eR9lfxEvM0zl1FpJpbKrEFxjIYLyCqL9Aool0=,tag:LHcpHCXAHe8p2kOvOnKXyw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-10-12T13:13:37Z" + mac: ENC[AES256_GCM,data:+EuA0rblxZYk+0tZs3vUFtr1cVKhdrLi4Ww0QjeITZn2k+SL8Y2gRl3gNVQOe00WHUgSKN53QKhxDj4q6Rd0LfwASxRRjz78Mk8yHDRDIfdDS960EasgKON4HPW/eMd2Fp4+flv57KYywQQWp3AlD8JqxIf5wNhyywn5LlW3PCQ=,iv:YFIk0LrRjV8417QJ5cp5EuIm7bezyG8ZulKcu1xhIF4=,tag:vtq5hCuLEXOvRjE2D/5cCQ==,type:str] + pgp: + - created_at: "2022-10-12T00:46:51Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA7x7stsXx45CAQf9Hivg5x2NEKp3icdAIXKoBVTp5jnqJ2S5xDpK4cbCUwRd + Z2VyNjxAXdTgKsviXseWbtsEbqo41oqjtpZwXK36gT/miKSPYyBSLb689L70RpWR + aC4QzOHbYr1Trr1whkTVaQG1vd2u9ZEyxsi13ItiYVylu7tgMqaDqzE4Y47RPZtz + FWFY4chO5Tq/DL0blP8oCTLFx4LSL82JbZswCfqrSHX44HGZ/OELHqNhYNF6hkCr + DgYYh7l7s08farE+PnTbWt808Kd3kP8fCRaLm9nt1X1c5QQElaWBjGIscK9fOsV4 + iVFQfPBdwBi8aawCmwvXOcg6sX050Ow3NeYQBJVICtJeAeHyetxxEYip6CrADsiq + UG1Np+p6Pcbq/k6E1vT6bsRrhUWPYC4yuh6Edg5p/jxa4DAlsq/OgDI9pquE9aIt + F8cQMHfIkNP8/HiM/KwmdHoTJiy8YCwqP/UalSJdVw== + =lnlW + -----END PGP MESSAGE----- + fp: 535B61015823443941C744DD12264F6BBDFABA89 + - created_at: "2022-10-12T00:46:51Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA9ahl2ynTH87AQ/+ID/6Dcbat+YRvT8VpfKpZf2O6EFbI3dlPDkZ+f4yFW0R + uGKkLR69utM8FoEn1XUkPG3klDk5t/gQikS/d1lPZ6cPOsVzY4P2Te6LizP25vCE + cHkztZG/IuBCBfLp8xsEjF1OXEDnb7Klqd3aJuYrvJNm3SreNydRAGyM1E94+iQL + zLrHF0WbD+dVdVG+ZoHKouGHVVmcxTkfi8Ce63pHKxOiMgqJLnImC357mle4DlJV + 1My0CPV9Y1ElY+W5s+a7sRgursR0AVOkuvWYT39VW+RmFpUZyRCgyW+L6ilCEcOV + VXJHf0IFylkqevh11BssIetHAtT8anqZ+wo3ON4gEHjcahufc1h8rOxEEsWe/qUC + XZzfwilOsY/vKJ+GTz5Cp8XAviozQL5o2O5H9PiHxQl019QHZgprJclGMlukCBkR + 
Uo3h1Rl2na8JqcolAlFGQ1/QxsOnJ/KAmOpUZ7fZqG2qnsXnFjXcuqo+0e58odaT + sZLIspvsEHBHKzsvUa6BT8bTc+GlsB3hFolBVdX4y9kTWuzxy0K6bKA9HMTf4FPW + w2hIlvYhlgEx9MVqKLbemN3ye2rC3GRUBXxVXmlXBmb7nXPZCOGqL6nrvtsQ1E4h + D9+sN+cvYh5lYPByjXYinT8TqFVpqX++qnpgHC+5c6WtDHlhRAyfIQK51wCyiZbS + UAG6iDEbCWwD7uHZjDmVycC2R/0HnO+o9xMBI6teKYziFhvn8m7R9gzr7zn/0x3t + dVMXtojhfbMPzYK0gT6xOn8SbYGH0MV7ddOm7+Kl3Z8Y + =zDer + -----END PGP MESSAGE----- + fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b + unencrypted_suffix: _unencrypted + version: 3.7.2 diff --git a/keys/staging.yaml b/keys/staging.yaml new file mode 100644 index 0000000..14a683a --- /dev/null +++ b/keys/staging.yaml 
@@ -0,0 +1,50 @@ +nextcloud: + tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str] +steam: + tlater: ENC[AES256_GCM,data:jcW4wacGzOQ=,iv:KstKGHflscSWDFXGbnAZUcsqGN4Ot+w7sRbsAUwZNHQ=,tag:n9sRWvaKSgagpIgV/NF/Og==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-10-12T13:14:20Z" + mac: ENC[AES256_GCM,data:IlU8Jr+HD/ZHHsd7eaaSGp3tRxGy8/yhbSejkWmHFeL1WsvdWsToHM7yah2WzX+uY7s/i7atHQdhbHITCi6gBIFociVVPwziK5YOmTXv1fHlcD60U4ClRbTtgMVMtvc5tXrxdLQGhaX+DJ5xXBhTlCSwwqgYP0I7vJmEUF9mz7g=,iv:IM1ebqQB1UO5EN92kipHL20iGtFTKJhUiN/XR6psWBM=,tag:WweauZ5pA7/YMuUuq8C/xQ==,type:str] + pgp: + - created_at: "2022-10-12T16:48:23Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA7x7stsXx45CAQf/QKXxlgFzUn5ZS02JDiOLds6wjsiTbwQeIy+den+qH9KF + CyfC/8WhxojyhliG0zUzQ7oHtYYkbknF2DyrR7J4+S3SyvMS6MDGTUUn5dIcGwBO + 2/Q2bt4ayOJFNTPePA0IfuMYNUiMl5B/0GCFRV9DE+gG/dcsOzM5q1Uya/yJ1966 + RndWwbnE4j5yP4Nj2o3OiZFhlNi6W6UffYB0hsTTPmmebIZltDRbmLSSpKcfNEYw + h3st3WaJ0BCuQC5i/kvYTfJyBCoYnvFrb3RmXm3h+MvW0JZwHzfbST3nJCBHh5XJ + fVquF17oDJzn5S7EdWMhUbWwHgZwz2J6sZMgGEQ6WdJeAf2IlCuRYGjQMcB1WhxH + GCgbzUGoOGrxT3euzz9R1J98d1HQqtpFgeg9JgWndUdhoF80+AU7Wpyy6qOg2n/4 + wCcb4pcqG1OqFezauEu8+sFdE07vfLoWzxJIark8WA== + =pc2z + -----END PGP MESSAGE----- + fp: 535B61015823443941C744DD12264F6BBDFABA89 + - created_at: "2022-10-12T16:48:23Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA2HlP5TKoxTkARAAl+2Y+pd5oraYLgiiJ0CbMFef0zCpFwBwUCyzykMOICGa + TWCYs8K6hChjepe0p8+oZnp0wi8U1qrmgRtFljQfHoXq5EXDYKydkz8XHHDI7/W7 + 1BmETajv9Mx7j4BFNB3z0XvLJTPeNhygemuHhox5pA8CUt5FkYahpzYR9AlLiAwx + NtU+csrcGUqYllT5WYIKFVIwFk07IvgK/7vj3filO5G2GMiH7lsV6p7W/MYqCFTV + grE383/bGCT18XmHpe3Uu0NcotexiqKSXpnFNntWOgd/KynBn8Oa/DMr8ci/4QSF + rEV4+IGJSmfAzQYaIfzNRGyTQJKBFiXWQv53GWT9Y5EbdEYEBhyqlIaV5fp/61X+ + 8zhLz3b6QMkNkI6mNVVLK96g2p0dhVoq+R3Wlj/RIVDw/BzH+vJIArQhc8T2NEOX + lmLFTMoTRXPrw/UZKMoO+JSDwt2p3WI0sb/ThS+bd7eymxt5lFW1Ikc4Jgd/iHHu + 
JtUZ78i8jAV/nBJPaAYXoRxfpcAMFqJCnxTwCoF7vYP6hHeYW9PPqsClPxQ97TrO + /Ei01e9YSfdtIzKcwkOThffRr+7hxwEGQ3EZ+2ShOW9ASfLkIo4MgoLtDAoHCK5E + vc2JGWP+vlylTVnZ46Hp8BMRlSjdkS/qGU0lSTPC3q+PllCF2gkN6ZcdLv5L2DDS + UAFD70TIN2QAiYEZW6jxg2UtO9ULLT5NgrvfHD9aGAk7jIxeY+nH3S7KqFgmA21c + IkNZJSX/J85d13+kJADms3vI7uMOcSUiInaQHy9Cqjrr + =fnOr + -----END PGP MESSAGE----- + fp: 7762ec55a5727cabada621d961e53f94caa314e4 + unencrypted_suffix: _unencrypted + version: 3.7.2