init sops for mail and auth
This commit is contained in:
parent
43cfebcec6
commit
2fa576a302
6 changed files with 79 additions and 34 deletions
47
.sops.yaml
47
.sops.yaml
|
|
@ -1,38 +1,17 @@
|
||||||
# SOPS configuration for StuRa HTW Dresden infrastructure
|
|
||||||
#
|
|
||||||
# This file defines which keys can decrypt which secrets.
|
|
||||||
# Add GPG public keys (.asc files) or age keys to keys/hosts/ and keys/users/
|
|
||||||
# to grant decryption access to hosts and users respectively.
|
|
||||||
|
|
||||||
keys:
|
keys:
|
||||||
# Admin/user keys - add GPG public keys here
|
- &goeranh age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
|
||||||
# Example:
|
- &mail age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr
|
||||||
# - &user_admin_key age1... or pgp fingerprint
|
- &auth age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5
|
||||||
|
|
||||||
# Host keys - add host-specific keys here
|
|
||||||
# Example:
|
|
||||||
# - &host_proxy_key age1... or pgp fingerprint
|
|
||||||
# - &host_git_key age1... or pgp fingerprint
|
|
||||||
|
|
||||||
# Define which keys can access which files
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# Default rule: all secrets can be decrypted by admin keys
|
- path_regex: hosts/mail/secrets.sops.yml$
|
||||||
- path_regex: secrets/.*\.yaml$
|
key_groups:
|
||||||
# key_groups:
|
- age:
|
||||||
# - pgp:
|
- *mail
|
||||||
# - *user_admin_key
|
- *goeranh
|
||||||
# - age:
|
- path_regex: hosts/auth/secrets.sops.yml$
|
||||||
# - *user_admin_key
|
key_groups:
|
||||||
|
- age:
|
||||||
# Host-specific secrets (example)
|
- *auth
|
||||||
# - path_regex: secrets/proxy/.*\.yaml$
|
- *goeranh
|
||||||
# key_groups:
|
|
||||||
# - pgp:
|
|
||||||
# - *user_admin_key
|
|
||||||
# - *host_proxy_key
|
|
||||||
|
|
||||||
# - path_regex: secrets/git/.*\.yaml$
|
|
||||||
# key_groups:
|
|
||||||
# - pgp:
|
|
||||||
# - *user_admin_key
|
|
||||||
# - *host_git_key
|
|
||||||
|
|
|
||||||
|
|
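Review bot: The rewrite drops every explanatory comment, so the new `keys:` list no longer records which anchors are host keys and which one is a person, or where each private key is expected to live; I would annotate each entry, e.g. `- &goeranh age1qp7w…  # admin (user) key — the only non-host recipient on every secret` and `- &mail age156a…  # host key for hosts/mail (private half lives only on that host)`. Because `*goeranh` is the sole non-host recipient in both `creation_rules`, it is also the only way to re-encrypt a host's secrets if that host key is lost or rotated — consider a second admin or an offline backup recipient, and note in the file that any change to these recipients must be followed by `sops updatekeys` on both `secrets.sops.yml` files. The per-host scoping itself is right: each host can decrypt only its own file. Minor: the unescaped `.` in `hosts/mail/secrets.sops.yml$` is harmless, but `secrets\.sops\.yml$` states the intent.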
@ -196,6 +196,7 @@
|
||||||
disko.nixosModules.disko
|
disko.nixosModules.disko
|
||||||
authentik.nixosModules.default
|
authentik.nixosModules.default
|
||||||
mailserver.nixosModules.mailserver
|
mailserver.nixosModules.mailserver
|
||||||
|
sops.nixosModules.default
|
||||||
{
|
{
|
||||||
_module.args = { inherit self modulesPath; };
|
_module.args = { inherit self modulesPath; };
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,13 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = ./secrets.sops.yml;
|
||||||
|
secrets = {
|
||||||
|
"auth/env-file".owner = "authentik";
|
||||||
|
"auth/ldap-env-file".owner = "authentik";
|
||||||
|
};
|
||||||
|
};
|
||||||
imports = [
|
imports = [
|
||||||
"${modulesPath}/virtualisation/proxmox-lxc.nix"
|
"${modulesPath}/virtualisation/proxmox-lxc.nix"
|
||||||
./authentik.nix
|
./authentik.nix
|
||||||
|
|
|
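Review bot: The new `sops` block declares `auth/env-file` and `auth/ldap-env-file` for user `authentik` but nothing in this commit sets `sops.age.keyFile` or `sops.age.sshKeyPaths`, so decryption on this LXC relies on sops-nix's default of deriving the age identity from the host's ed25519 SSH key — that key must be the `age1njn…` recipient in `.sops.yaml`, and the diff gives no hint of how it was provisioned. A comment above `defaultSopsFile`, e.g. `# host identity: sops-nix default (age key derived from the SSH host key); public half is &auth in .sops.yaml`, would make that dependency visible to whoever rebuilds the container. Nothing visible references `config.sops.secrets."auth/env-file".path` either; the consumer is presumably in `./authentik.nix`, which is worth confirming, otherwise the decrypted files just sit in `/run/secrets/auth/`. The default `mode = "0400"` with `owner = "authentik"` is appropriate for an env file holding credentials. The enclosing attribute set continues outside the hunk.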
||||||
27
hosts/auth/secrets.sops.yml
Normal file
27
hosts/auth/secrets.sops.yml
Normal file
|
|
@ -0,0 +1,27 @@
|
||||||
|
auth:
|
||||||
|
env-file: ENC[AES256_GCM,data:WDJ3daYCxybublm8VWO8W5HHmYYWKOcw81f+fQ0Vz78EOvbYI+SgEwnuAd/0/eeGkTPEJPSCfbymArs+YRTdibgO5y/34jdN0DOVQetZLPXrDbcZ/Sg=,iv:bykKdvkgmxwgptkGHKH4rnFknPA0PTrW+mEqIzIYERk=,tag:8UKhLz/VoPiXckcIEBfrLg==,type:str]
|
||||||
|
ldap-env-file: ENC[AES256_GCM,data:CpgiiUin3hj8+aykcSU2rasaCFt/CAC5lK3Ek7zxzw6hYCkhwxIc9a4Xfy9SxSQtASJ5dOOrOaa8gA1ahf4Z1g/1981fhxlQPeJd9PlJFgdL4CP5P6ZrPBKZKgygnreUo6HC7Rfc9x2CRmnDhQvMVUmQL9akZRNYasX+9IlRyKmLSFmi35IuryFhVLwfjfECmq51/Xo2WYzjWrayfFuOpS0jHWicQxXvXq6QcLvqmbk5euXiHDkFXOXcwMRr6mAompDAKa9BKXqcRDbxOWqzJ1gflEJvOJi249PeYFo+poTK1CUtBCTejFo=,iv:P1xN6wq5oeba1LSEn6UiArOka37alV/PhI5kOmpfDG0=,tag:Xisd5elHQ8mhvE6YEbCuLg==,type:str]
|
||||||
|
sops:
|
||||||
|
age:
|
||||||
|
- recipient: age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRmV2dGt1UXZ3M2RKd24y
|
||||||
|
V0x4MzZyYUh0aDVwQ1NmOCtyOHR6Z1c0R1ZNCi80Nk9PZFVTcVFIQjlZVXJNeXBN
|
||||||
|
TC9td05ZeWVVTCtFSWhqazN6bFF3akkKLS0tIEV3YzdRUDA5Q2dBd2JWUWNqOTU4
|
||||||
|
SnZtdVd4Q3lCaStJTnV4U2cvZUZEMlkK85XYSh6VbDFPKPIhKBKtkErGtgsHjXxy
|
||||||
|
kq14EXwfZnnBlR76JMQgPvSLrDLdj+4tDIVcuE4JplCoSvbGKckGww==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQm5nUHkzZExKOXNzNjk4
|
||||||
|
Y1JURVJwNXhFUGZJak8vbEtCNnE2dHFuNVVNClJHQ3E2RGJkbUtlMDNwcy9Ib01Q
|
||||||
|
dG9nRTVJejkySTdlb2IrbHF4Z3ZMTmcKLS0tIHUwNndGdW9EaWwyNmRUb2NQU2Vs
|
||||||
|
MC9VSmVqVlVHRlJ4NXozUkQ4ZDVEVlkKbfVoBNsral3n7rG7ujUgdQXF68EVB+4G
|
||||||
|
MKMuOiY05QGBViLYyKh1jioHv6nds1hCuc2vpLNB3J0KT3I2q/a0VQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2026-03-21T16:42:34Z"
|
||||||
|
mac: ENC[AES256_GCM,data:i9hTUqbrmc2mD8PAbCe2gWern4ArMIkTQWN7eaJcsjZ9m6LZjOQFpnrpgPg6fj3hazgnFn86veNvQGe/J50NLnwj2FCyF3jKG3xkc7rKa9fyD0Yz0XnpbNKtDb2YGxwyBmLsnnyl6sdpyvPipZYCfwM+bhB8OERIXVXKwbZOn1A=,iv:dKI/NsMcVBNBOw0kYEQqrgfdvLKDg4NM/yRBYDqXIxU=,tag:xkg0z7IUy2m4ivosB925vQ==,type:str]
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.12.1
|
||||||
|
|
@ -25,6 +25,12 @@ let
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = ./secrets.sops.yml;
|
||||||
|
secrets = {
|
||||||
|
"ldap_passwd".owner = "dovecot2";
|
||||||
|
};
|
||||||
|
};
|
||||||
imports = [
|
imports = [
|
||||||
"${modulesPath}/virtualisation/proxmox-lxc.nix"
|
"${modulesPath}/virtualisation/proxmox-lxc.nix"
|
||||||
];
|
];
|
||||||
|
|
|
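Review bot: `ldap_passwd` is declared with `owner = "dovecot2"`, which with the sops-nix default mode yields a `0400` file only Dovecot can read; if the mailserver module also hands this bind password to Postfix LDAP lookups without going through a root-run start script, Postfix will be unable to open it — confirm against the module, and record the answer in a comment such as `# LDAP bind password; read by dovecot2 (postfix path: confirm)`. As with the auth host, no `sops.age.*` option is set here, so the `&mail` recipient in `.sops.yaml` must match the identity sops-nix derives from this host's SSH key by default. Nothing in the visible hunk consumes `config.sops.secrets.ldap_passwd.path`; if the wiring lives in the `let … in` block above the hunk, a comment pointing at it would help. The surrounding attribute set starts and ends outside the hunk.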
||||||
25
hosts/mail/secrets.sops.yml
Normal file
25
hosts/mail/secrets.sops.yml
Normal file
|
|
@ -0,0 +1,25 @@
|
||||||
|
ldap_passwd: ENC[AES256_GCM,data:wAtRF+7QNgkHAKoQVYZeepshAo/dHuGBC3L15svZ5NVpqaTAtWKIVz/tT/SkjxjC2OXTkzUxin4JMGS6,iv:RELJtuCRLPyqzxUqN2KYTI5/P4fiQALRVtr+xZmKUOY=,tag:2ZS1jmAxw3dohAC6zJLUCQ==,type:str]
|
||||||
|
sops:
|
||||||
|
age:
|
||||||
|
- recipient: age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsenVrS0tkTWZRY2xDZklO
|
||||||
|
WTcwaENIY2I1bTFGMEZZVzBoeUNrT2RESmhFCnZXU2M1SjlGQWo0OEp0TzI0c21u
|
||||||
|
UkNuNEdQQldQdy9uSzhveEM2eFZrRUkKLS0tIGV4S3lreHJPVS96VUZ6SXRaSklW
|
||||||
|
MUE4eXN0bkNkU0dCckppdldvV2V4dHcKdKh6ekq6hB5pCUAEPdASqsxqAKZDwzCv
|
||||||
|
NyS2jitHo9XBtMQVJg4PmNcoRs5XLdqy2tP8upnGelj0B/Q9D+dhag==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVlVrdXhGMDRxMjhPb3Nv
|
||||||
|
c3lBS25OKzJIaWhHWHpKQXo0N1dFTnZLaHdnClVFVTFPVE1rNFVEclFVc3VjQVhu
|
||||||
|
SjF6Nnp6dE9oRUJYUVVnOWVpVE11WVkKLS0tIEJ0aVJzejROMHFPK1JQbkJjbUdi
|
||||||
|
bGU3WWhVMGJ2LzI4N2E1Zy9RNnJ2V2MK4UQPwE5GUVTGvnuZ9knQ+BHmzmRLA1V5
|
||||||
|
SinlJfHcs+9B7haHzAekDdNqZgEUh2tblabHqq/vNWzd0rWpK31Dww==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2026-03-21T16:02:33Z"
|
||||||
|
mac: ENC[AES256_GCM,data:FCxkzhMTplghsBfPMSR1LeIKcVRZ4o6sfmZjTQFvgJyecHM81zytxisUCGLqJb4/80Im+eUhHw8Pq+UrF3N7R/YtPsVWTaVzCguS4A0WVpEiOPmikTAekV0/6pyYJcYlnuIi9xQ55+ud1lE9Iq0u+S58MvcpdsRhh/SH+jbTFlc=,iv:HrC5aEwJZka9uYFhfS7MPnqlwHzI9CMpUipXbOlenDY=,tag:tNzURnfJ9+9+UJsn92YUXg==,type:str]
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.12.1
|
||||||