diff --git a/.sops.yaml b/.sops.yaml index a21a8f7..6d61d0b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,17 +1,15 @@ keys: - - &min 78795D9EBD425CBB3E850BC45DF91852CB14CEFF + - &min age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj - &eidola age1uqxzduupzes3tgfrrlret0n6thyldmlef60nqfzk689lmg6yayvsqpwxj6 - &silver age19yhycdgqczrvttszq97ccljh684x3r7f5dj4p0wdwqsrusqlcayse0vsh3 creation_rules: - path_regex: secrets/eidola\.yaml$ key_groups: - - pgp: + - age: - *min - age: - *eidola - path_regex: secrets/silver\.yaml$ key_groups: - - pgp: + - age: - *min - age: - *silver diff --git a/flake.lock b/flake.lock index d804b99..94d7a1d 100644 --- a/flake.lock +++ b/flake.lock @@ -81,11 +81,11 @@ ] }, "locked": { - "lastModified": 1740485968, - "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=", + "lastModified": 1745502102, + "narHash": "sha256-LqhRwzvIVPEjH0TaPgwzqpyhW6DtCrvz7FnUJDoUZh8=", "owner": "nix-community", "repo": "disko", - "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940", + "rev": "ca27b88c88948d96feeee9ed814cbd34f53d0d70", "type": "github" }, "original": { @@ -115,11 +115,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", "type": "github" }, "original": { @@ -181,11 +181,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1740603184, - "narHash": "sha256-t+VaahjQAWyA+Ctn2idyo1yxRIYpaDxMgHkgCNiMJa4=", + "lastModified": 1745487689, + "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f44bd8ca21e026135061a0a57dcf3d0775b67a49", + "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3", "type": "github" }, "original": { 
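Review bot: Replacing the `&min` PGP fingerprint with the `age1yubikey1…` recipient under `keys:` does not by itself cut off the old key. In the `secrets/eidola.yaml` and `secrets/silver.yaml` hunks the `ENC[...]` values, `mac` and `lastmodified` are unchanged context, which suggests only the recipient stanzas were re-wrapped and the data key is the one the removed `pgp:` stanza protected. If the PGP key is being retired for cause, follow up with `sops rotate` (`sops -r` on older releases) and change the secret values themselves, since earlier revisions in history stay decryptable with that key. `&min` is also now the only non-host recipient in both `key_groups`, so consider adding a second hardware or offline age recipient so that losing one token does not leave the host keys as the only way to decrypt.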
@@ -197,14 +197,33 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1738452942, - "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "lastModified": 1743296961, + "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1745526057, + "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f771eb401a46846c1aebd20552521b233dd7e18b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "root": { @@ -215,6 +234,7 @@ "flake-parts": "flake-parts", "impermanence": "impermanence", "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", "sim-breeze": "sim-breeze", "sops-nix": "sops-nix" } @@ -248,11 +268,11 @@ ] }, "locked": { - "lastModified": 1739262228, - "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", + "lastModified": 1745310711, + "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", + "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 7c84579..245cbc2 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; flake-parts.url = "github:hercules-ci/flake-parts"; 
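Review bot: The new `nixpkgs-unstable` input in `inputs` has no comment saying why a second, rolling nixpkgs is needed. From the other flake.nix hunk it appears to be used only for `sops` in the dev shell, yet it adds a whole extra package set to what `flake.lock` has to pin and to what every lock update has to be reviewed against. I would add a line above it such as `# nixpkgs-unstable: only for a newer sops in the devShell; drop once nixos-24.11's successor ships it`, so the input gets removed when it is no longer needed. The `inputs` block continues outside the hunk.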
@@ -37,14 +38,15 @@ perSystem = { system, pkgs, + inputs', ... }: { devShells.default = pkgs.mkShell { packages = with pkgs; [ - sops + inputs'.nixpkgs-unstable.legacyPackages.sops ssh-to-age openssl - # not included: age, gpg, pcscd, scdaemon, etc. + # not included: age, age-plugin-yubikey, pcscd deploy-rs nixos-anywhere diff --git a/secrets/eidola.yaml b/secrets/eidola.yaml index b81255b..d4186ac 100644 --- a/secrets/eidola.yaml +++ b/secrets/eidola.yaml 
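Review bot: The updated comment `# not included: age, age-plugin-yubikey, pcscd` says what the shell leaves out but not why, nor what a contributor must install to decrypt. age plugins are looked up as `age-plugin-<name>` on PATH, so, assuming sops follows that, the binary that unwraps the data key comes from the ambient environment and not from `flake.lock`. Consider adding `age-plugin-yubikey` to `packages` so it is pinned with the rest of the shell (pcscd still has to run as a host service). Otherwise expand the comment to something like `# host must provide: pcscd (service) and age-plugin-yubikey on PATH; sops comes from nixpkgs-unstable`. The `perSystem` body starts and ends outside this hunk.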
@@ -3,42 +3,27 @@ user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRA nebula-key: ENC[AES256_GCM,data:YnGtqqWXbwkMYFJAKcBXmbRE+lsW9DwRnsseocTAVVIAqw84o3Qny2LO1vzoErtP7Fx9vPaI2bzvJTICNSTBw2jH4thzLR71XpHZI7mo+FSXzpZx8pxv6pfVcCW4tNK7KXx/PyvzCU21npsPDoVlM1rE/LKPxu2PLoGBd6u+,iv:g5BIpHXXrHZovSWnLURhJzTCaZC6fjVNS1QXwnSlxVs=,tag:9D/wTzaJOd5Vls/l33jZSg==,type:str] terra-key: ENC[AES256_GCM,data:pQRlvltiRr83ndfSjX/I8n1WekS9jY2K1QyLTTcYn14TRupRVgvX47rsus1QA9QAbpT/9f0ZYld3aCrR5J0rxg==,iv:mkiu/+uLKOHG9gDjv72T7JGz6/3oaimDawAOqGs3Koo=,tag:c9Ubj3i5rDj5vaLBRpAUkQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: + - recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IGpBdE54USBBb2FySEVQ + MlJXcHhrRGdaUWdqMVlhOVU2TFZDWVFaYURNK2JFMTI3eFZRRgo5ZmltTHRDSStB + MjhvSFM1bnViUllYQXcxT2ZUc3hUWnFhRmtDUFNxbWhJCi0tLSBXRlBOQ0FjWTFF + SHcvWFlHdnczbzlZeFdLaWFtaURzSENHZWJ6eGdUVEtJChc+IZb49DXtLhh+xutX + va765WabBmojoMKI6tIZGUqwwBCMZXd9tWAmyNOu3vxQ43KCpWXP/NkYxGgd0+Ot + 7eY= + -----END AGE ENCRYPTED FILE----- - recipient: age1uqxzduupzes3tgfrrlret0n6thyldmlef60nqfzk689lmg6yayvsqpwxj6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWZC9lQXJhZUVtTzFSZVM3 - UkpCUXhzUURaWEhMaVNTTDExNmZjY2Y0UjFvCnk5a1RPd0lMMXRGK1o3ZEQrMjBv - RGN3cjJLeGY2T2txakQ0NWFaOGF3KzQKLS0tIDMzVUMybGxra2NjRjdzeExtb0cx - SDF1ZjBHRzBjdW1CUWFHL0pkdWpTZEkKNhQcpKiy0Wr5luzhYW3ObHg2cX7T/iKU - WLEk2G8QKb52FFH/rNE3cfE64EOx97T7B2YB8nX5CEC7rDuoDN8rKg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdkJmdTJ2ZXl6ZEtjbVh1 + amVVREtNQURUVUpDdHp6OFV4eFpaaTVVaGs4CmZ3d3pCVlFpOUR0aFN6dlpPbjJs + eE5VRFBGOCtHbDZhbzgxYyt3anNGOTQKLS0tIGpoWkNHNTNoUTFUYWRTMFl1Mzh3 + VTJvaGtSZGpQMSs5N05pblQ4aEIzbkkKQiM+335AZC2+UmotonvM1nsyA/l9F5gr + da9+ltLr5U88pXfcdpiXTmxrSnMzDgLuZLRKZ0S/ZllGDhlnwxsuOQ== -----END AGE ENCRYPTED FILE----- lastmodified: 
"2024-12-14T07:48:40Z" mac: ENC[AES256_GCM,data:1PUbru5HQynz5oC6AFcwreJdT7HupCZUuISsSTQkIY4fQHCeYDp5SqdNhGxjfjl9g7DeoNDCK3jCSY3HPnoz+34RfiC1Cf8lLjV139+jROHakG0gv05wrKqH2b8d52deX/OwDP5SV3mg3OFkiiDEroGF/1apAPs+FXeehnt4jQg=,iv:7E1i9ENR4ZEBYl2aSoNLBOmV7Xx3F7Fr8Ldr8SkWrlE=,tag:L0sCmeD8lCcxA/qtrHr7xg==,type:str] - pgp: - - created_at: "2024-11-04T02:36:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwAAAAAAAAAAAQ/+OC1WDGVhxo/e3Oe412FgEKDI11knja2j8cdYMSGhdZmc - kIGkM8R3DUsnzd1U3ZOrDtqctVlyN0nDryZL0U5E2idYvkUdOyWROEvhqZhtjG5j - 2RGjDeyVE3viXOmykVKKhs6xa5QXmsTLWq/tNVhdv/MDuC/JW99hnTZ9YtkVRXIz - 3DZbc5NdDEPmHsqwVWbjy/k4jU5iqe3SsEYHlN5Sjl81L9YBeqISjE3EVONb7bHj - 45IhAq2Ngk4j8sBJ9nvX0MyvnRfqw52BApfI3KYNhH1Wv67s1K9dQ3S81Z7bj0K3 - xAVKurRoYdphXzcp2H0L5Kp72457s8ntzsTZFlQt3eD8QWNze2EyIDkOj75I6VYB - qgE6ZmVfClDegnqiG9y/Jdir95RNchwNduAno2zAbReK34gku8CzCmO77jnqnqrf - kVfrAsKD/ura7xKB0gGkCT4LfWSOdJcL2+VlN9JlLHvSOz9CCCfwIvDaTNiUrEGF - 7lIvKpNk8161JE2L/8L+N4950zLxPSlz8Z6wiLKGfqP145I7NXWswssqJcU+8fE/ - F78GMd3wOXZ93rjPzEpYWlpFheMuXzBsnlnnvlr4qP0/OCF6oeBHfERuQW/ZXW35 - cjPqzlKfoaztMYltVarkgqB9HKRLm0bvBVdfH0rLlGVdqk0Co+yvauCK4I/joAnS - XgFvPKOSrylP/awO3cz3Q0QhjmJZ1Y/FhhK/1MOIv176WIJg1NfrF1lycxOI05hy - YuRo6zs5UNetcPul3bOYvCHDowhxndyJSMllE1M7Kpo/pn0vcK9Tkoj7e6Vwm5E= - =hGwT - -----END PGP MESSAGE----- - fp: 78795D9EBD425CBB3E850BC45DF91852CB14CEFF unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/secrets/silver.yaml b/secrets/silver.yaml index 2ca6a7c..b2a397f 100644 --- a/secrets/silver.yaml +++ b/secrets/silver.yaml 
@@ -8,42 +8,27 @@ svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNN svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str] svc-nebula-key: ENC[AES256_GCM,data:kqVqnsEgEsMGz2Ud0CS4DnVDd7claVoFyB3grV8TWK/mGdtJwysIYsQRmpbwXcOTTfgdX6vLKxJvleLLHFQGTjf/7QwBrmhfUKryd7CEukaZUsmkJAx3fH5y0mMd84nJucyQk5NqXZhyXQNwg9zmyH20XdaLqrdr0dtkQzIf,iv:OHoIHRKJt4kqbQye6SHLD9wVbLl7wTvs5CheIeOObeg=,tag:4AG0sSlOdTrqtXj3UqzaHQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: + - recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IGpBdE54USBBaksyYUQy + UlhXUDJlRE9SY2NUUE9OSWJjcFVPRkNJaUdWUktMT3NVU3pveApRU2NGSWVlZXAz + ODB0b1Y4Ry9iWVoxMFpxOU9HR0ppZ1A0MUFCSFEzRWJvCi0tLSBRVHdMUU5SR2d4 + ZlMzTkhDUDZJYXRlWTJ0NkpMaXZaUFprVzZKdElyZ3RjCo6/6NJZpJxTW8I4WsN+ + aGOyPa0xeiGs9kCkkYykoD6tQsf4FVovT+YOvvAlRrch4yKDo7oAVNF+hfw4vLeP + 24s= + -----END AGE ENCRYPTED FILE----- - recipient: age19yhycdgqczrvttszq97ccljh684x3r7f5dj4p0wdwqsrusqlcayse0vsh3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuM3BNazcvRmtuZjlEeGN0 - S3l3alF0eno5YmFVN3lTK3hJdUJiM1JnRTJBCmhBRktrZ0N1b2hKTzhPUURoRzRs - L2FDcU5BYmdDUVlwWVBEUGtQQ0FnMjQKLS0tIGNBNEh5eEhTQm96TVV0QTlYS0ll - SFhuV0prbkJUSC9uZjJsV1VCTHVPSjAKfH148Hh3CDFCE1BOgMlA5ROVVoiO4x6+ - fpkAQO4rfvcdpi+1NJjAOp0tkxOV4gApo/B/Vd3xPCtR6rVky5/0XQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3a0Z3TVBYSkV5YU0zeERa + T3NXUGxlMGp6UEFrdXJ2YmdjRE5YQ0t4eEVnClZ5eEgza3UzaGhIY3ExTjdZRVpO + eXFRMFU2NEFZRXZlRUlGUlF4V2tzUXMKLS0tIGF0RjR6aFFDMVZ0SWhJNDNTdkNp + MXdERWkyRitkbWtHMnpQaGxhbTRma2cK75S4x9TdquXAV00m9EQ1vJno14YTmPD4 + K8ne37brRWWi3gW6JsaOQOshNE19u4uwkAXZ2IQ+NdAq7Kt/qrcU8w== -----END AGE ENCRYPTED FILE----- 
lastmodified: "2025-03-01T04:01:15Z" mac: ENC[AES256_GCM,data:1eMZuUzXH1fPIWh32J6RUntb/ki7OTovX/dtQ5uaf6J6r+B6nLR+TvpAdw4P+XLnxtTeVGIZEHb0sXSA9WXcEE90MHIYOPxG/rb/zf0IOGtg/iwfgLFTacaDJsqX4+WwQJgACJ98SbtznyXr0NnP2d4SudIOjkj05subfrOcPYo=,iv:Fzp1iLEtfxhvy14SG1l06mSDplD2KQoOV+t4rUMX9Qw=,tag:6JRywlTUw6V7yajm6lar8g==,type:str] - pgp: - - created_at: "2024-11-04T02:36:46Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwAAAAAAAAAAARAAqv5kOfnA/e8jeXdTj3mYZMGmfhlew/MYmxZmHlov2RRm - VhExfdF/A4uDh8vlJAMBKEDUTWEThfQYS9KfTWRu1JFSSENOx1IONxBIVW5LTTlP - EkmmNpD6z+xnNgL8xEOXEwn9CMd23CHchej4Sg40MbDGV2U5riYyw091As33uSea - Fai55Aw4/Bd+NA46x9+wgy94I2yp6zSltfjWfORmC7sk9gkzj5pt6OuCq0RPbti+ - 7i95TA8MMqDP/igi2NpiG8CCfh+W5G7gvfPxmePsg5fw05I2tr+n/7ByTsSNqaKO - CMB8BwNeVSLguUKnTJrv6B+cQugYEN+hwvS/xTUVBgjKVuJxhoLq8cYbS9EjMrwQ - 8rJDacCKsgB1m04DEZXotPsEaD5RBb4mDJKWNqeYAe2kNVDT8W93t838ha8Q3XMQ - WGQZdAmEtha0Lg5MNSq3AK92rWWSiMpQPzab7hJOzLPpBbedy8MIY6i5VkoN+fpR - 0dqjyZjiIq7LTMd5R50lpLefuj3PvbHhKOwrEGjOiVH5cAhy2O/NonLgbdqFLUHo - 7Sg7uz/zlsw7I0KUnO2qkl8Vl5wVNfUzDgY22WuLFmWmNr3UDozpjbbJxeAG+1Cm - 3nnRUfbQ/LIGiIyZ+i+r5tRFOp+LvLtZZAJMHcWkaC7Q/fLGMJDxvyZ9Ox18jRLS - XgHm+Pdhd8eLU3+qbb7VpvGI7sM3YAN1rfVUmdx22v/pdjoZLPxzErxGCGE/UJmb - xbiyvwjBVdzpZ52JBreLoY+mes75uc3MAWAKJfAJEPA0CyXLHUtKXEvMqNLsjww= - =hsHI - -----END PGP MESSAGE----- - fp: 78795D9EBD425CBB3E850BC45DF91852CB14CEFF unencrypted_suffix: _unencrypted version: 3.9.4