43 lines
1.4 KiB
Nix
43 lines
1.4 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: {
|
|
imports = let
|
|
# replace this with an actual commit id or tag
|
|
commit = "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c";
|
|
in [
|
|
"${builtins.fetchTarball {
|
|
url = "https://github.com/Mic92/sops-nix/archive/${commit}.tar.gz";
|
|
# replace this with an actual hash
|
|
sha256 = "ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=";
|
|
}}/modules/sops"
|
|
];
|
|
|
|
# This will add secrets.yml to the nix store
|
|
# You can avoid this by adding a string to the full path instead, i.e.
|
|
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
|
sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml;
|
|
# This will automatically import SSH keys as age keys
|
|
sops.age.sshKeyPaths = ["/home/database/.ssh/id_ed25519.pub"];
|
|
# This is using an age key that is expected to already be in the filesystem
|
|
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
|
# This will generate a new key if the key specified above does not exist
|
|
sops.age.generateKey = true;
|
|
# Secrets key stuff
|
|
sops.secrets."backup_gpg_key" = {
|
|
format = "yaml";
|
|
sopsFile = ../../secrets/database/secrets.yaml;
|
|
owner = "root";
|
|
mode = "0400";
|
|
};
|
|
|
|
# Declare the GCS service account secret
|
|
sops.secrets."gcloud_bucket" = {
|
|
format = "binary"; # Apparently this can make it behave as is.
|
|
sopsFile = ../../secrets/database/gcloud_bucket.json;
|
|
owner = "root";
|
|
mode = "0400";
|
|
};
|
|
}
|