feat(sops): finally somewhat properly set up with sops

2025-10-23 14:47:53 +02:00 · 2025-10-23 14:47:53 +02:00 · e9fef516ec
commit e9fef516ec
parent 40da937ee0
6 changed files with 58 additions and 43 deletions
--- a/.just/machine.just
+++ b/.just/machine.just
@ -0,0 +1,9 @@
+@_default: list
+
+[doc('List machines')]
+@list:
+  ls -1 ../systems/x86_64-linux/
+
+[doc('Update the target machine')]
+update machine:
+  nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}
--- a/.just/vars.just
+++ b/.just/vars.just
@ -0,0 +1,28 @@
+base_path := invocation_directory() / "systems/x86_64-linux"
+sops := "nix shell nixpkgs#sops --command sops"
+
+@_default:
+  just --list
+
+[doc('list all vars of the target machine')]
+list machine:
+  {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml
+  
+@edit machine:
+  {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml
+  
+@set machine key value:
+  {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" \"{{ value }}\"
+
+  git add {{ base_path }}/{{ machine }}/secrets.yml
+  git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml
+
+  echo "Done"
+  
+@remove machine key:
+  {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
+
+  git add {{ base_path }}/{{ machine }}/secrets.yml
+  git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml
+
+  echo "Done"
--- a/.justfile
+++ b/.justfile
@ -1,7 +1,12 @@
+@_default:
+  just --list --list-submodules

-try-again:
-    nix flake update amarth-customer-portal
-    nix flake check --all-systems --show-trace
+[doc('Manage vars')]
+mod vars '.just/vars.just'

-update machine:
-    nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}
+[doc('Manage machines')]
+mod machine '.just/machine.just'
+
+[doc('Show information about project')]
+@show:
+  echo "show"
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,11 @@
+keys:
+  - &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
+  - &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+
+creation_rules:
+  # All Machine secrets
+  - path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$
+    key_groups:
+      - age:
+          - *ulmo_1
+          - *ulmo_2
--- a/.sops.yml
+++ b/.sops.yml
@ -1,8 +0,0 @@
-keys:
-  - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-
-creation_rules:
-  - path_regex: secrets/secrets.yml$
-    key_groups:
-      - age:
-          - *primary
--- a/_secrets/secrets.yaml
+++ b/_secrets/secrets.yaml
@ -1,30 +0,0 @@
-#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
-example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
-#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
-#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
-example:
-    my_subdir:
-        my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
-            ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
-            YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
-            dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
-            Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-09T11:37:49Z"
-    mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.4
-
-zitadel:
-  masterKey: thisWillBeAnEncryptedValueInTheFuture