use nix to generate .sops.yaml
This commit is contained in:
parent
01137d599d
commit
7478e0268a
6 changed files with 86 additions and 53 deletions
82
.sops.yaml
82
.sops.yaml
|
@ -1,56 +1,36 @@
|
||||||
keys:
|
# AUTOMATICALLY GENERATED WITH: $ inv update-sops-files
|
||||||
- &build01 age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc
|
|
||||||
- &build02 age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
|
|
||||||
- &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
|
|
||||||
- &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
|
|
||||||
- &web02 age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
|
|
||||||
- &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
|
|
||||||
- &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
|
|
||||||
- &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
|
|
||||||
- &zowoq age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
|
|
||||||
- &adisbladis age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
|
|
||||||
# scan new hosts with `scan-age-keys` task
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: ^secrets.yaml$
|
- key_groups:
|
||||||
key_groups:
|
|
||||||
- age:
|
- age:
|
||||||
- *mic92
|
- age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
|
||||||
- *ryantm
|
- age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
|
||||||
- *zimbatm
|
- age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
|
||||||
- *zowoq
|
- age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
|
||||||
- *adisbladis
|
- age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
|
||||||
- path_regex: terraform/secrets.yaml$
|
- age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
|
||||||
key_groups:
|
path_regex: ^hosts/build02/secrets.yaml$
|
||||||
|
- key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *mic92
|
- age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
|
||||||
- *ryantm
|
- age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
|
||||||
- *zimbatm
|
- age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
|
||||||
- *zowoq
|
- age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
|
||||||
- *adisbladis
|
- age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
|
||||||
- path_regex: hosts/build02/[^/]+\.yaml$
|
- age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
|
||||||
key_groups:
|
path_regex: ^hosts/build03/secrets.yaml$
|
||||||
|
- key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *build02
|
- age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
|
||||||
- *mic92
|
- age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
|
||||||
- *ryantm
|
- age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
|
||||||
- *zimbatm
|
- age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
|
||||||
- *zowoq
|
- age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
|
||||||
- *adisbladis
|
path_regex: ^secrets.yaml$
|
||||||
- path_regex: hosts/build03/[^/]+\.yaml$
|
- key_groups:
|
||||||
key_groups:
|
|
||||||
- age:
|
- age:
|
||||||
- *build03
|
- age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
|
||||||
- *mic92
|
- age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
|
||||||
- *ryantm
|
- age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
|
||||||
- *zimbatm
|
- age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
|
||||||
- *zowoq
|
- age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
|
||||||
- *adisbladis
|
path_regex: ^terraform/secrets.yaml$
|
||||||
- path_regex: hosts/web02/[^/]+\.yaml$
|
|
||||||
key_groups:
|
|
||||||
- age:
|
|
||||||
- *web02
|
|
||||||
- *mic92
|
|
||||||
- *ryantm
|
|
||||||
- *zimbatm
|
|
||||||
- *zowoq
|
|
||||||
- *adisbladis
|
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
python3.pkgs.invoke
|
python3.pkgs.invoke
|
||||||
sops
|
sops
|
||||||
ssh-to-age
|
ssh-to-age
|
||||||
|
yq-go
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
sotp =
|
sotp =
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
|
|
||||||
- Add their user to [secrets/secrets.nix](../secrets/secrets.nix) and run `inv update-agenix-files`.
|
- Add their user to [secrets/secrets.nix](../secrets/secrets.nix) and run `inv update-agenix-files`.
|
||||||
|
|
||||||
- Add their age key to [.sops.yaml](../.sops.yaml), update the `creation_rules` and run `inv update-sops-files`.
|
- Add their age key to [sops.json](../sops.json) and run `inv update-sops-files`.
|
||||||
|
|
||||||
- Add their email in [terraform/locals.tf](../terraform/locals.tf), this will give them access to:
|
- Add their email in [terraform/locals.tf](../terraform/locals.tf), this will give them access to:
|
||||||
|
|
||||||
|
|
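--- /dev/null
+++ b/sops.json
@@ -0,0 +1,13 @@
+{
+"admins": {
+"adisbladis": "age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy",
+"mic92": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+"ryantm": "age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay",
+"zimbatm": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h",
+"zowoq": "age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n"
+},
+"hosts": {
+"build02": "age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d",
+"build03": "age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq"
+}
+}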
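Review bot: The `hosts` map lists only build02 and build03, while the `.sops.yaml` replaced in this same commit also carried a rule for web02 (`hosts/web02/[^/]+\.yaml$` with `&web02`) and the build01 and build04 keys, so after regeneration no creation rule matches `hosts/web02/secrets.yaml` and the web02 key stops being a recipient. If that file still exists, the `sops updatekeys --yes **/secrets.yaml` step in tasks.py will presumably fail on it or silently drop web02's access; if those hosts were decommissioned, say so in the commit message or keep them listed until their secrets are deleted. The generated rules also match only `hosts/<name>/secrets.yaml`, a narrowing from the previous `[^/]+\.yaml` pattern, which is fine only if no other per-host yaml is sops-encrypted. Since JSON allows no comments, the meaning of the two maps (admins are added to every file, each host is added only to its own `secrets.yaml`) belongs in sops.nix or the docs rather than here.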
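--- /dev/null
+++ b/sops.nix
@@ -0,0 +1,35 @@
+# https://github.com/TUM-DSE/doctor-cluster-config/blob/8c11c117e66af1cc205eb2094ab94e8a3317ff2e/sops.yaml.nix
+let
+keys = builtins.fromJSON (builtins.readFile ./sops.json);
+admins = builtins.attrValues keys.admins;
+
+mapAttrsToList = f: attrs: map (name: f name attrs.${name}) (builtins.attrNames attrs);
+
+renderPermissions =
+attrs:
+mapAttrsToList (path: keys: {
+path_regex = "^${path}$";
+key_groups = [
+{
+age = keys ++ admins;
+}
+];
+}) attrs;
+
+# This is the list of permissions per file. The admins have permissions for all files.
+sopsPermissions =
+{
+"secrets.yaml" = [ ];
+"terraform/secrets.yaml" = [ ];
+}
+// builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) { }
+// builtins.listToAttrs (
+mapAttrsToList (hostname: key: {
+name = "hosts/${hostname}/secrets.yaml";
+value = [ key ];
+}) keys.hosts
+);
+in
+{
+creation_rules = renderPermissions sopsPermissions;
+}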
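Review bot: `path_regex = "^${path}$"` in renderPermissions interpolates the file path into a regex unescaped, so the `.` in `secrets.yaml` matches any character and `^secrets.yaml$` also matches e.g. `secretsXyaml`; escape it with `path_regex = "^${builtins.replaceStrings [ "." ] [ "\\." ] path}$";` so each generated rule matches exactly one path. The `// builtins.mapAttrs (_: value: (map (x: keys.hosts.${x}) value)) { }` term maps over an empty set and contributes nothing; either give that set a name and a comment (it looks like a slot for files shared by a list of hosts) or drop it. The lambda parameter `keys` in `mapAttrsToList (path: keys: ...)` shadows the outer `keys` read from sops.json, which is harmless only because `admins` is computed first, so renaming it to `hostKeys` removes the trap. A header comment should also record that `nix eval --json` emits attributes in sorted name order, so rule order in the generated file is alphabetical and only the `^...$` anchors keep rules from overlapping, which matters because sops applies the first matching rule.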
6
tasks.py
6
tasks.py
|
@ -65,8 +65,12 @@ def update_agenix_files(c: Any) -> None:
|
||||||
@task
|
@task
|
||||||
def update_sops_files(c: Any) -> None:
|
def update_sops_files(c: Any) -> None:
|
||||||
"""
|
"""
|
||||||
Update all sops yaml files according to .sops.yaml rules
|
Update all sops yaml files according to sops.nix rules
|
||||||
"""
|
"""
|
||||||
|
with open(f"{ROOT}/.sops.yaml", "w") as f:
|
||||||
|
print("# AUTOMATICALLY GENERATED WITH: $ inv update-sops-files", file=f)
|
||||||
|
|
||||||
|
c.run(f"nix eval --json -f {ROOT}/sops.nix | yq e -P - >> {ROOT}/.sops.yaml")
|
||||||
c.run("shopt -s globstar && sops updatekeys --yes **/secrets.yaml")
|
c.run("shopt -s globstar && sops updatekeys --yes **/secrets.yaml")
|
||||||
|
|
||||||
|
|
||||||
|
|
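Review bot: The added `c.run(f"nix eval --json -f {ROOT}/sops.nix | yq e -P - >> {ROOT}/.sops.yaml")` reports only yq's exit status, because the pipeline runs in a shell without pipefail (the existing `shopt -s globstar` call shows bash is assumed): if `nix eval` fails, for example on malformed sops.json, yq presumably consumes empty input and exits 0, the header-only `.sops.yaml` written by the preceding `with open(..., "w")` stays in place, and the following `sops updatekeys --yes` runs non-interactively against a config with no creation rules. Prefix the command with `set -o pipefail && `, or capture `c.run(f"nix eval --json -f {ROOT}/sops.nix", hide=True).stdout` and feed it through yq in a second step, so a failed eval aborts before any re-encryption happens. Rendering to a temporary path and renaming it over `.sops.yaml` only on success would additionally avoid leaving a truncated config behind. The docstring could add a line such as `Regenerates .sops.yaml from sops.nix/sops.json, then re-encrypts every secrets.yaml to the resulting key set.`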