зеркало из
https://github.com/iharh/notes.git
synced 2025-11-01 06:06:08 +02:00
m
Этот коммит содержится в:
Ihar Hancharenka
родитель
d3a25fe569
Коммит
a3ce20a3a3
@ -1,7 +1,7 @@
|
|||||||
https://github.com/Mic92/sops-nix
|
https://github.com/Mic92/sops-nix
|
||||||
|
|
||||||
2023
|
2023
|
||||||
vimjoyer - NixOS Secrets Management | SOPS-NIX 2:00 of 6:34
|
vimjoyer - NixOS Secrets Management | SOPS-NIX 4:00 of 6:34
|
||||||
https://www.youtube.com/watch?v=G5f6GC7SnhU
|
https://www.youtube.com/watch?v=G5f6GC7SnhU
|
||||||
https://github.com/vimjoyer/sops-nix-video
|
https://github.com/vimjoyer/sops-nix-video
|
||||||
mkdir -p ~/.config/sops/age/
|
mkdir -p ~/.config/sops/age/
|
||||||
@ -42,6 +42,89 @@ vimjoyer - NixOS Secrets Management | SOPS-NIX 2:00 of 6:34
|
|||||||
mkdir secrets
|
mkdir secrets
|
||||||
sops secrets/secrets.yaml
|
sops secrets/secrets.yaml
|
||||||
|
|
||||||
|
example_key: example_value
|
||||||
|
# Nesting the key results in the creation of directories
|
||||||
|
# These directories will be owned by root:keys and have permissions 0751
|
||||||
|
myservice:
|
||||||
|
my_subdir:
|
||||||
|
my_secret: password1
|
||||||
|
|
||||||
|
cat secrets/secrets.yaml
|
||||||
|
# all the values are encrypted !!!
|
||||||
|
|
||||||
|
5. flake.nix
|
||||||
|
|
||||||
|
{
|
||||||
|
description = "nixos config";
|
||||||
|
|
||||||
|
inputs = {
|
||||||
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
|
inputs.sops-nix.url = "github:Mic92/sops-nix";
|
||||||
|
# optional, not necessary for the module
|
||||||
|
#inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
|
||||||
|
outputs = { self, nixpkgs, ... }@inputs:
|
||||||
|
let
|
||||||
|
system = "x86_64-linux";
|
||||||
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
nixosConfigurations = {
|
||||||
|
your-hostname = nixpkgs.lib.nixosSystem {
|
||||||
|
specialArgs = { inherit inputs; };
|
||||||
|
modules = [ ./configuration.nix ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
6. configuration.nix
|
||||||
|
|
||||||
|
{ pkgs, inputs, config, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [ inputs.sops-nix.nixosModules.sops ];
|
||||||
|
|
||||||
|
sops.defaultSopsFile = ./secrets/secrets.yaml;
|
||||||
|
sops.defaultSopsFormat = "yaml";
|
||||||
|
|
||||||
|
sops.age.keyFile = "/home/user/.config/sops/age/keys.txt";
|
||||||
|
|
||||||
|
sops.secrets.example-key = { };
|
||||||
|
sops.secrets."myservice/my_subdir/my_secret" = {
|
||||||
|
owner = "sometestservice";
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services."sometestservice" = {
|
||||||
|
script = ''
|
||||||
|
echo "
|
||||||
|
Hey bro! I'm a service, and imma send this secure password:
|
||||||
|
$(cat ${config.sops.secrets."myservice/my_subdir/my_secret".path})
|
||||||
|
located in:
|
||||||
|
${config.sops.secrets."myservice/my_subdir/my_secret".path}
|
||||||
|
to database and hack the mainframe
|
||||||
|
" > /var/lib/sometestservice/testfile
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
User = "sometestservice";
|
||||||
|
WorkingDirectory = "/var/lib/sometestservice";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.sometestservice = {
|
||||||
|
home = "/var/lib/sometestservice";
|
||||||
|
createHome = true;
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "sometestservice";
|
||||||
|
};
|
||||||
|
users.groups.sometestservice = { };
|
||||||
|
}
|
||||||
|
|
||||||
|
7. after nixos-rebuild
|
||||||
|
|
||||||
|
$ sudo cat /run/secrets/example-key
|
||||||
|
|
||||||
2022
|
2022
|
||||||
https://bmcgee.ie/posts/2022/11/getting-nixos-to-keep-a-secret/
|
https://bmcgee.ie/posts/2022/11/getting-nixos-to-keep-a-secret/
|
||||||
|
|
||||||
|
|||||||
Загрузка…
x
Ссылка в новой задаче
Block a user