From bf3eee793188e2969fd64cd3dc174118ca8e286c Mon Sep 17 00:00:00 2001
From: chn
Date: Wed, 27 Mar 2024 18:41:52 +0800
Subject: [PATCH] system.sops: move default secret file

---
 .sops.yaml | 16 ++++++++--------
 .../nas/{secrets/default.yaml => secrets.yaml} | 0
 .../pi3b/{secrets/default.yaml => secrets.yaml} | 0
 .../{secrets/default.yaml => secrets.yaml} | 0
 .../vps6/{secrets/default.yaml => secrets.yaml} | 0
 .../vps7/{secrets/default.yaml => secrets.yaml} | 0
 modules/system/sops.nix | 5 ++++-
 7 files changed, 12 insertions(+), 9 deletions(-)
 rename devices/nas/{secrets/default.yaml => secrets.yaml} (100%)
 rename devices/pi3b/{secrets/default.yaml => secrets.yaml} (100%)
 rename devices/surface/{secrets/default.yaml => secrets.yaml} (100%)
 rename devices/vps6/{secrets/default.yaml => secrets.yaml} (100%)
 rename devices/vps7/{secrets/default.yaml => secrets.yaml} (100%)

diff --git a/.sops.yaml b/.sops.yaml
index 5dd120e9..f38e9edf 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,42 +9,42 @@ keys:
 # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
 - &xmupc2 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
 - &pi3b age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
 creation_rules:
- - path_regex: devices/pc/secrets/.*$
+ - path_regex: devices/pc/.*$
 key_groups:
 - age:
 - *chn
 - *pc
- - path_regex: devices/vps6/secrets/.*$
+ - path_regex: devices/vps6/.*$
 key_groups:
 - age:
 - *chn
 - *vps6
- - path_regex: devices/vps7/secrets/.*$
+ - path_regex: devices/vps7/.*$
 key_groups:
 - age:
 - *chn
 - *vps7
- - path_regex: devices/nas/secrets/.*$
+ - path_regex: devices/nas/.*$
 key_groups:
 - age:
 - *chn
 - *nas
- - path_regex: devices/surface/secrets/.*$
+ - path_regex: devices/surface/.*$
 key_groups:
 - age:
 - *chn
 - *surface
- - path_regex: devices/xmupc1/secrets/.*$
+ - path_regex: devices/xmupc1/.*$
 key_groups:
 - age:
 - *chn
 - *xmupc1
- - path_regex: devices/xmupc2/secrets/.*$
+ - path_regex: devices/xmupc2/.*$
 key_groups:
 - age:
 - *chn
 - *xmupc2
- - path_regex: devices/pi3b/secrets/.*$
+ - path_regex: devices/pi3b/.*$
 key_groups:
 - age:
 - *chn
diff --git a/devices/nas/secrets/default.yaml b/devices/nas/secrets.yaml
similarity index 100%
rename from devices/nas/secrets/default.yaml
rename to devices/nas/secrets.yaml
diff --git a/devices/pi3b/secrets/default.yaml b/devices/pi3b/secrets.yaml
similarity index 100%
rename from devices/pi3b/secrets/default.yaml
rename to devices/pi3b/secrets.yaml
diff --git a/devices/surface/secrets/default.yaml b/devices/surface/secrets.yaml
similarity index 100%
rename from devices/surface/secrets/default.yaml
rename to devices/surface/secrets.yaml
diff --git a/devices/vps6/secrets/default.yaml b/devices/vps6/secrets.yaml
similarity index 100%
rename from devices/vps6/secrets/default.yaml
rename to devices/vps6/secrets.yaml
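Review bot: The `&pi3b` anchor in the leading context of this hunk carries exactly the same age recipient as `&xmupc2` (`age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw`), so once the widened `devices/pi3b/.*$` rule is applied with `sops updatekeys`, whichever host actually owns that SSH host key can decrypt pi3b's secrets, and if this is a value copied while adding pi3b, the real pi3b host cannot. That line is pre-existing context rather than part of the rename, but this commit is the moment the creation rules get re-applied, so it is the right time to confirm pi3b's own `ssh-to-age` output was pasted. Separately, dropping `secrets/` from every `path_regex` means any future file under `devices/<host>/` is encrypted to that host's key group, and because none of the eight patterns is anchored with `^`, a path such as `foo/devices/pc/x.yaml` also matches; `- path_regex: ^devices/pc/.*$` (and likewise for the other rules) is the tighter form. The `creation_rules:` list continues past the end of the hunk.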
diff --git a/devices/vps7/secrets/default.yaml b/devices/vps7/secrets.yaml
similarity index 100%
rename from devices/vps7/secrets/default.yaml
rename to devices/vps7/secrets.yaml
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 40a9fcb8..41976109 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@@ -14,7 +14,10 @@ inputs:
 sops =
 {
 defaultSopsFile =
- "${inputs.topInputs.self}/devices/${inputs.config.nixos.system.networking.hostname}/secrets/default.yaml";
+ let deviceDir = "${inputs.topInputs.self}/devices/${inputs.config.nixos.system.networking.hostname}";
+ in
+ if builtins.pathExists "${deviceDir}/secrets.yaml" then "${deviceDir}/secrets.yaml"
+ else "${deviceDir}/secrets/default.yaml";
 # sops start before impermanence, so we need to use the absolute path
 age.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_ed25519_key" ];
 gnupg.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_rsa_key" ];
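Review bot: The `if builtins.pathExists ... else` fallback on the added `defaultSopsFile` lines silently selects the legacy `secrets/default.yaml`, so a host whose `secrets.yaml` is absent (a typo in a future rename, or a device nobody migrated) evaluates cleanly and only fails later at activation, or keeps using a stale `secrets/default.yaml` if one is left behind next to a new file. The fallback is clearly intentional right now, since this commit renames only nas, pi3b, surface, vps6 and vps7 and leaves pc, xmupc1 and xmupc2 on the old path, but nothing in the code says so. I would add, above the `let`, `# transitional: pc/xmupc1/xmupc2 still use secrets/default.yaml; drop the else-branch once every device has secrets.yaml` so the fallback does not outlive the migration. The enclosing `sops = { ... }` attribute set continues outside the hunk.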