authorMark Nipper <nipsy@bitgnome.net>2024-10-14 02:27:19 -0700
committerMark Nipper <nipsy@bitgnome.net>2024-10-14 02:27:19 -0700
commit7275edb740367c1e2ef3817817135af81621c775 (patch)
treeeabb8075a2fb67c9314f1f6a51269e1d5b9c5c51
parent5dcdd5452cd43c5ad3feb7f943d6265a84f80c55 (diff)
Add nix GitHub access token for root@arrakis
-rw-r--r--.sops.yaml5
-rw-r--r--home/root/arrakis.nix13
-rw-r--r--home/root/secrets/arrakis.yaml30
3 files changed, 48 insertions, 0 deletions
diff --git a/.sops.yaml b/.sops.yaml
index 99d2fb3..4e69c3b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -28,6 +28,11 @@ creation_rules:
key_groups:
- age:
- *nipsy
+ - path_regex: ^home/root/secrets/arrakis.yaml$
+ key_groups:
+ - age:
+ - *arrakis
+ - *nipsy
- path_regex: ^hosts/secrets/arrakis.yaml$
key_groups:
- age:
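Review bot: The `.` in the new `path_regex` on the first added line is unescaped, so it matches any character rather than a literal dot; `- path_regex: ^home/root/secrets/arrakis\.yaml$` pins the rule to the intended file. The neighbouring `^hosts/secrets/arrakis.yaml$` rule has the same form, so both could be tightened together. The impact is low because the pattern is anchored at both ends, but creation rules decide which recipients a new secrets file is encrypted to, so an exact match is the safer default. The `creation_rules` list starts and ends outside the hunk.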
diff --git a/home/root/arrakis.nix b/home/root/arrakis.nix
index c78c958..f7600df 100644
--- a/home/root/arrakis.nix
+++ b/home/root/arrakis.nix
@@ -72,4 +72,17 @@
'';
};
};
+
+ nix.extraOptions = ''
+ !include ${config.sops.secrets."nix-access-token-github".path}
+ '';
+
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets/arrakis.yaml;
+
+ secrets = {
+ "nix-access-token-github" = {};
+ };
+ };
}
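Review bot: The `!include` line added to `nix.extraOptions` carries no comment on what the decrypted file must contain or why the optional include form is used. Above the `nix.extraOptions` assignment I would add `# sops-decrypted file with one line: access-tokens = github.com=<token>` and `# !include (not include) so a missing secret does not break nix.conf parsing`. The flip side of that choice is that a secret which fails to decrypt is skipped silently and Nix falls back to unauthenticated GitHub access, so a broken token only surfaces as rate-limit or not-found errors. `age.sshKeyPaths` reuses `/etc/ssh/ssh_host_ed25519_key`, which ties the token's confidentiality and availability to the host key (presumably the `*arrakis` recipient); a comment noting that rotating the host key means re-keying `./secrets/arrakis.yaml` would help. The enclosing attribute set starts outside the hunk.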
diff --git a/home/root/secrets/arrakis.yaml b/home/root/secrets/arrakis.yaml
new file mode 100644
index 0000000..6b5b3b5
--- /dev/null
+++ b/home/root/secrets/arrakis.yaml
@@ -0,0 +1,30 @@
+nix-access-token-github: ENC[AES256_GCM,data:xZYk/BVSRuQKZpBXWotT2yHthhYE3ZmiLJfoVeSkiRlDuPhZEbPYhHmDqqSeb/1jsERmKqmMMVUyXnjsrZ3CJvvZDQU=,iv:0p7A3Ke6IgLzp259JPaGNJ5Kb8E41c1//s/2MBIoAYU=,tag:scowbHsFxjww5rmuHaB/4g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mkqxkwse7hrnxtcgqe0wdzhhrxk55syx2wpcngemecz0d7hugsnqupw3de
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSmR3ZDYzSGJYY3NYeVhJ
+ RUUwQU1nRWhxa0NPdU85V0RDZmc2NC9nRFcwCmE3TTlidWRFUENMd0NFWjJ1NldZ
+ REgyRnRsOFl4MHRRL0dibDkrN2psS0UKLS0tIG04MFlkTERzU284VUtnWHVYSzV4
+ ZjJCUDJZNFo2MHVEQ1F5K3J1cVpkQWcKNQOTCwMghAxEEPje8QkGzJ8Wnsng9iCO
+ e8K9kgDYnf78ZtM0JFVeLal7WjeKbq3dn1rjX00w8d5ByR3oQEDyFg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXelNsTGlhcXF5dERGdHB3
+ NmNhN0pkTWNmczBjVlRDT3NSYjAvendtbWk4CjRQWjNzTS9COXhOTW9tempjS2wy
+ c3hMTnFCdmlLd01ZbjdMcHkxa0xCK0kKLS0tIEF3NWh0RTJPZkNqb2J0cWlSaGxv
+ MUJsWEc0U3BjWW5RcGlQazBGbkM2MzQKs04xzaPXbgWARenoMmdMzy3MijR/Ln5r
+ wmwC6eaWU0TxKPHhyZDFdRXc8ec+5aUjfVeTOlOUBaoHPNCFeB9UHw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-14T09:18:10Z"
+ mac: ENC[AES256_GCM,data:/IWjv0OO4YCl4fjNfbW9MnlSM2fOoH9gvEOoyer1G1QSfLkNDd4/xgdCNif/kV3QkHzXom5eKUoSEOFS47l0xj+ZSlP1ZzA26a0MPxoC7wnTQuCbu9m268r7nUhVzPFhyLxtvKa+urSZGgRBWSFh1RrFccEZbgOV4Bhq3ljc6bI=,iv:81lOQWbx049bsGq8E+Q1P2YDjLAkxXxDhPJUqavfXPo=,tag:MP4RB7yvCQzB/W+tusqwOA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1