diff options
author | David Morgan <djm_uk@protonmail.com> | 2024-09-03 15:19:46 +0000 |
---|---|---|
committer | David Morgan <djm_uk@protonmail.com> | 2024-09-03 15:19:46 +0000 |
commit | ce9c53858fab4ef08ba3e683f6c29cd86a7be10d (patch) | |
tree | 3607287145fe3442058f08a06b0a8824abd4a215 /nix-conf | |
parent | 95ed21bec068982547dcedc4efc64d4e1fb56d69 (diff) | |
download | dotfiles-ce9c53858fab4ef08ba3e683f6c29cd86a7be10d.tar.gz |
Add openiscsi config
Diffstat (limited to 'nix-conf')
-rw-r--r-- | nix-conf/.sops.yaml | 5 | ||||
-rw-r--r-- | nix-conf/machines/djmuk2/configuration.nix | 7 | ||||
-rw-r--r-- | nix-conf/secrets/djmuk2.yaml | 21 |
3 files changed, 33 insertions, 0 deletions
diff --git a/nix-conf/.sops.yaml b/nix-conf/.sops.yaml index 8c4f2d6..24125e8 100644 --- a/nix-conf/.sops.yaml +++ b/nix-conf/.sops.yaml @@ -1,11 +1,16 @@ keys: - &admin_djm age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv - &server_edrahil age1tjfctwnwldmyxnu6qmeufgr9l79vyzmrs7fy58v3d0qj4x4nhqhq2gjmlp + - &server_djmuk2 age17j56andser5ddtlfunm35m25xueua4djh9glxlscfcet8865yv9s5aqvla creation_rules: - path_regex: secrets/edrahil\.(json|yaml)$ key_groups: - age: - *server_edrahil + - path_regex: secrets/djmuk2\.(json|yaml)$ + key_groups: + - age: + - *server_djmuk2 - path_regex: secrets/[^/]+\.(json|yaml)$ key_groups: - age: diff --git a/nix-conf/machines/djmuk2/configuration.nix b/nix-conf/machines/djmuk2/configuration.nix index 14b7562..f332103 100644 --- a/nix-conf/machines/djmuk2/configuration.nix +++ b/nix-conf/machines/djmuk2/configuration.nix @@ -35,6 +35,13 @@ localuser = null; }; + # Emulate nix-sops. Technically an anti-pattern, but this isn't a real secret, and this has to be embedded here, as we cannot set a file path to read it from. + # Populate/update with: + # SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) sops -d --extract '["openiscsi_name"]' secrets/djmuk2.yaml | doas tee /root/.config/secrets/openiscsi_name + services.openiscsi.enable = true; + services.openiscsi.name = builtins.readFile "/root/.config/secrets/openiscsi_name"; + #services.openiscsi.enableAutoLoginOut = true; + users.users.djm = { isNormalUser = true; home = "/home/djm"; diff --git a/nix-conf/secrets/djmuk2.yaml b/nix-conf/secrets/djmuk2.yaml new file mode 100644 index 0000000..3216fd3 --- /dev/null +++ b/nix-conf/secrets/djmuk2.yaml @@ -0,0 +1,21 @@ +openiscsi_name: ENC[AES256_GCM,data:RZtrRGCnYgiAwq1bVnyK8fiYCxCKbtNs5diV3nUmNWAhU8CYRxau6SIAhB9t3f7p1fKgVC1V0fxV0nko6tdK,iv:M7qSnfBdxdTaCIb2/QZfrTUOZGX19IJY69IncTEk68w=,tag:eIo0fSKZTMEakGHh2zi5oQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17j56andser5ddtlfunm35m25xueua4djh9glxlscfcet8865yv9s5aqvla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UFgxckhMa1RWL3hGQkZw + M25XN1JkT2dnQk9iVXdyaFJsa3hMM0pVam04CmZSWFdJbnl4RzFpUUpYK2JmRXFO + L3ZZbXZ3aHA4NjBuRCtnYlpsNG94ZVkKLS0tIFNIUTVjOUxhS00zZFlyODVuQ1lB + bC9sLzdObkpFNTJRcmk3N3Y0TG1xakkKvFbr1YlLFS7c0BfK1MYczTXgjwcaNjxH + tHCQWzVyx1VzLID1TCQDGXWApkaaQYxa2d/afTTRxk98w6xJIvLj2g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-03T15:08:24Z" + mac: ENC[AES256_GCM,data:CtMDdk/tY52HLDuTHIUWF8qV3wdyykWnEKJk0bGMT+feWd/+PAzJRzCOVDuL6AxT1FmtZGx2lFZz6A9vzFbGsn1fawXVo40q+6TWpdcv80tRaicfyh1FTppWGNOJn/bh7DILuX41HRTEP2ngpMHwSr3cbCUfhxrV+r7giguj1do=,iv:uGe15h57SyQr8yi19sqDRPwtC/4WmBAwqvsHI5g5pAc=,tag:2Lv+QZf0CsgusJMay9MyQQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 |