author | Mark Nipper <nipsy@bitgnome.net> | 2024-10-14 02:27:19 -0700 |
---|---|---|
committer | Mark Nipper <nipsy@bitgnome.net> | 2024-10-14 02:27:19 -0700 |
commit | 7275edb740367c1e2ef3817817135af81621c775 (patch) | |
tree | eabb8075a2fb67c9314f1f6a51269e1d5b9c5c51 | |
parent | 5dcdd5452cd43c5ad3feb7f943d6265a84f80c55 (diff) | |
Add nix GitHub access token for root@arrakis
-rw-r--r-- | .sops.yaml | 5 | ||||
-rw-r--r-- | home/root/arrakis.nix | 13 | ||||
-rw-r--r-- | home/root/secrets/arrakis.yaml | 30 |
3 files changed, 48 insertions, 0 deletions
@@ -28,6 +28,11 @@ creation_rules:
 key_groups:
 - age:
 - *nipsy
+ - path_regex: ^home/root/secrets/arrakis.yaml$
+ key_groups:
+ - age:
+ - *arrakis
+ - *nipsy
 - path_regex: ^hosts/secrets/arrakis.yaml$
 key_groups:
 - age:
diff --git a/home/root/arrakis.nix b/home/root/arrakis.nix
index c78c958..f7600df 100644
--- a/home/root/arrakis.nix
+++ b/home/root/arrakis.nix
@@ -72,4 +72,17 @@
 '';
 };
 };
+
+ nix.extraOptions = ''
+ !include ${config.sops.secrets."nix-access-token-github".path}
+ '';
+
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets/arrakis.yaml;
+
+ secrets = {
+ "nix-access-token-github" = {};
+ };
+ };
 }
diff --git a/home/root/secrets/arrakis.yaml b/home/root/secrets/arrakis.yaml
new file mode 100644
index 0000000..6b5b3b5
--- /dev/null
+++ b/home/root/secrets/arrakis.yaml
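Review bot: The new `path_regex` leaves the dot unescaped, so `^home/root/secrets/arrakis.yaml$` accepts any character in that position; `- path_regex: ^home/root/secrets/arrakis\.yaml$` ties the rule to this one file. The neighbouring `^hosts/secrets/arrakis.yaml$` rule is written the same way, so both could be tightened together. A short comment above the rule noting why `*arrakis` is a recipient (presumably so the host itself can decrypt the file, judging by the second file in this commit) would help the next reader.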
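Review bot: Nothing in the added `nix.extraOptions` block records what the decrypted secret must contain: because it is pulled in with `!include`, the file has to be a nix.conf fragment rather than a bare token, and `!include` skips a missing file silently, so a failed decryption would only surface later as unauthenticated GitHub fetches. A comment above the option such as `# secret must hold a full nix.conf line: access-tokens = github.com=<token>; "!include" ignores a missing file` would capture both. `age.sshKeyPaths` makes the SSH host key the decryption identity, so replacing that key means re-encrypting `secrets/arrakis.yaml`, and since the ciphertext stays in history the token itself should be rotated if the key is ever exposed. The enclosing attribute set begins outside the hunk.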
@@ -0,0 +1,30 @@ +nix-access-token-github: ENC[AES256_GCM,data:xZYk/BVSRuQKZpBXWotT2yHthhYE3ZmiLJfoVeSkiRlDuPhZEbPYhHmDqqSeb/1jsERmKqmMMVUyXnjsrZ3CJvvZDQU=,iv:0p7A3Ke6IgLzp259JPaGNJ5Kb8E41c1//s/2MBIoAYU=,tag:scowbHsFxjww5rmuHaB/4g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mkqxkwse7hrnxtcgqe0wdzhhrxk55syx2wpcngemecz0d7hugsnqupw3de + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSmR3ZDYzSGJYY3NYeVhJ + RUUwQU1nRWhxa0NPdU85V0RDZmc2NC9nRFcwCmE3TTlidWRFUENMd0NFWjJ1NldZ + REgyRnRsOFl4MHRRL0dibDkrN2psS0UKLS0tIG04MFlkTERzU284VUtnWHVYSzV4 + ZjJCUDJZNFo2MHVEQ1F5K3J1cVpkQWcKNQOTCwMghAxEEPje8QkGzJ8Wnsng9iCO + e8K9kgDYnf78ZtM0JFVeLal7WjeKbq3dn1rjX00w8d5ByR3oQEDyFg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXelNsTGlhcXF5dERGdHB3 + NmNhN0pkTWNmczBjVlRDT3NSYjAvendtbWk4CjRQWjNzTS9COXhOTW9tempjS2wy + c3hMTnFCdmlLd01ZbjdMcHkxa0xCK0kKLS0tIEF3NWh0RTJPZkNqb2J0cWlSaGxv + MUJsWEc0U3BjWW5RcGlQazBGbkM2MzQKs04xzaPXbgWARenoMmdMzy3MijR/Ln5r + wmwC6eaWU0TxKPHhyZDFdRXc8ec+5aUjfVeTOlOUBaoHPNCFeB9UHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-14T09:18:10Z" + mac: ENC[AES256_GCM,data:/IWjv0OO4YCl4fjNfbW9MnlSM2fOoH9gvEOoyer1G1QSfLkNDd4/xgdCNif/kV3QkHzXom5eKUoSEOFS47l0xj+ZSlP1ZzA26a0MPxoC7wnTQuCbu9m268r7nUhVzPFhyLxtvKa+urSZGgRBWSFh1RrFccEZbgOV4Bhq3ljc6bI=,iv:81lOQWbx049bsGq8E+Q1P2YDjLAkxXxDhPJUqavfXPo=,tag:MP4RB7yvCQzB/W+tusqwOA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 |