move more secrets to sops and closer to terraform
This commit is contained in:
parent
ecc1c1d34c
commit
b88933d38d
7 changed files with 59 additions and 9 deletions
|
@ -9,6 +9,13 @@ keys:
|
||||||
# scan new hosts like this:
|
# scan new hosts like this:
|
||||||
# $ nix-shell -p ssh-to-age --run 'ssh-keyscan buildXX.nix-community.org | ssh-to-age'
|
# $ nix-shell -p ssh-to-age --run 'ssh-keyscan buildXX.nix-community.org | ssh-to-age'
|
||||||
creation_rules:
|
creation_rules:
|
||||||
|
- path_regex: terraform/secrets.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *mic92
|
||||||
|
- *ryantm
|
||||||
|
pgp:
|
||||||
|
- *zimbatm
|
||||||
- path_regex: build01/[^/]+\.yaml$
|
- path_regex: build01/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
|
|
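Review bot: The new rule `- path_regex: terraform/secrets.yaml$` leaves the `.` unescaped, so it matches any character at that position, whereas the existing rule further down (`build01/[^/]+\.yaml$`) escapes it; for consistency and precision write `- path_regex: terraform/secrets\.yaml$`. sops applies the first rule whose regex matches, so the loose pattern is harmless for the one file committed here, but it is the kind of thing that silently picks up a differently named file later, and it is cheapest to tighten while the rule is new. The `keys:` anchors this rule aliases (`*mic92`, `*ryantm`, `*zimbatm`) are defined above the hunk and are not visible here.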
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -25,13 +25,4 @@ mkShell {
|
||||||
|
|
||||||
sops-import-keys-hook
|
sops-import-keys-hook
|
||||||
];
|
];
|
||||||
|
|
||||||
# terraform cloud without the remote execution part
|
|
||||||
TF_FORCE_LOCAL_BACKEND = "1";
|
|
||||||
TF_CLI_CONFIG_FILE = toString ./secrets/terraformrc;
|
|
||||||
|
|
||||||
shellHook = ''
|
|
||||||
export CLOUDFLARE_API_TOKEN=$(< ./secrets/cloudflare-api-token)
|
|
||||||
export HYDRA_PASSWORD=$(< ./secrets/hydra-password)
|
|
||||||
'';
|
|
||||||
}
|
}
|
||||||
|
|
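--- /dev/null
+++ b/terraform/.envrc
@@ -0,0 +1,5 @@
+source_up
+
+# terraform cloud without the remote execution part
+export TF_FORCE_LOCAL_BACKEND="1";
+eval "$("$direnv" dotenv bash <(sops -d --output-type dotenv secrets.yaml))"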
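Review bot: A failed decryption in the last line goes unnoticed: the exit status of `sops -d` inside the process substitution is never checked, `dotenv bash` on empty input emits nothing, and the `eval` succeeds with the three variables simply unset, so the first symptom is an unrelated authentication error from terraform or the cloudflare provider rather than a message about the missing age/pgp key. Decrypt into a variable first and fail loudly: `secrets=$(sops -d --output-type dotenv secrets.yaml) || { log_error "cannot decrypt secrets.yaml"; exit 1; }` followed by `eval "$("$direnv" dotenv bash <(printf '%s\n' "$secrets"))"`, which keeps the existing path-argument shape of the `dotenv` call. Whether direnv evaluates `.envrc` with errexit enabled is not visible here, so the explicit `|| { ...; }` is the safer form either way. The trailing `;` on the `export` line is unnecessary in shell and can be dropped.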
47
terraform/secrets.yaml
Normal file
47
terraform/secrets.yaml
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
CLOUDFLARE_API_TOKEN: ENC[AES256_GCM,data:YDe1kQGBXn1DxIAInQkZociCuZhfVMQq7KaUeI4bkZDQhXlc38E67A==,iv:z/7VchAdz6zFMOmf67801V+yAU7vk4MyITVpvzIH4U8=,tag:krlU7ogI3E7UYxKdBuLO9w==,type:str]
|
||||||
|
HYDRA_PASSWORD: ENC[AES256_GCM,data:7o8RuTWxYY7HNbMDgl9ur0j+ehI1bf0JSA==,iv:oZ6iHGGL4xbCC54kQ+mjpYYrm3Kn2PAlhDOyX8K6VCY=,tag:hXSlJSgjQymbsriHBiMy4w==,type:str]
|
||||||
|
TF_TOKEN_app_terraform_io: ENC[AES256_GCM,data:htOyHZEIKxwPHzgpao+m3YIhLBM6ihZdq54YVlIw9bNHup7qrwgjJbT4nX6SIrFQvGQmqbVvhoFN6+UYyfcPlOWfdiIMUgZfa2F4zMceIsArNAcXMtv7Efzy,iv:RmDIHFfPJ5hHNDwvjdb7vxTnpE6JIlbLmbFzfGo+YAc=,tag:gzFY4HOGmuT5BrrFhzBtxw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5blVRbEU4YXNtaWRZM0ll
|
||||||
|
YWNacFNCZ0xUdGRzY05LaTllTnd1WWN3YVVNCmw0L09uclI3QUxiNmFBZnlEUnZs
|
||||||
|
VnRFWnFNRmd4UTNlWnh4QmtDWU1LZG8KLS0tIG8zQ0lFK2dHTHBhRVBibloxKzZS
|
||||||
|
OHZHaWY2WnZrU3Z2eUVlOVZWWTRqclUKvCRIA85XJ72u6Q+yc8mcloBPj1lIbri0
|
||||||
|
kXQH/X1rvwaKNhSzNzoUH64PlNQdjelgcl2eUrlDiqfvnXcVLTyfQg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU3hNODVQMnJ4d0JDeEpQ
|
||||||
|
Qk1nMHd2M2IvQmplNDRnZy84VHZSb1hFV2hFCm8xRTlBRUlhMEllWUhZNHh3aVVH
|
||||||
|
d1BpZFFSN3BDWEVSeDE1Rk01cnVtZTgKLS0tIEF4ajVVbG1xalBqRmt2cTVRZVhJ
|
||||||
|
cDhJajhSUWNHcXhqMW1Gcnp5c2tlS2sKsoavYL6DTdjGHg74uPow54PdY/F2rROc
|
||||||
|
aEtMsirY3CgbsroyjWfaHd+LszUOrY2jaN7UcNiqE1cJo6pJLyXa9g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2022-05-15T15:01:13Z"
|
||||||
|
mac: ENC[AES256_GCM,data:R0A/XaigE7nSDfthabJ6TCUTxI28qeopF4GiAuwA21bgIFcEVWfR76w02alMYIp0gjWjL87KlNk+XiijeM054pDESMGGtbdVaYiQL0nqB8jH6Z8rreVt8pqnzC7I90EP0bWjQUPflCsDgMKrSOGdaLJRHGAOHnMLy8pvwaE+OXc=,iv:5Nr1OAHoTrbrQgXNg+4rVGQDdIsyGxc74TlYjsVPEBw=,tag:3LIWD8IGPY9dCdIk9BLZQg==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2022-05-15T14:38:07Z"
|
||||||
|
enc: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQEMA3tEuTsG48KkAQf/eIw45c+1Y0hRehsO/irm0zHcEtN+VFb1/n7yORw/cgl6
|
||||||
|
PByxkbHLtrKxOeMwAWS80DW+xPdigqDdZz7v+VPivDZJfBnvH9BVEgtljPd3JtR4
|
||||||
|
3b/IKgKvFQ9rSDpwAcfJJYP8zlWR7wIcpw/Eu+nt08/94guvsDzda7OUUo+5G2Fj
|
||||||
|
IyaLejv0bXJm4Kz48zk9dsLIGLJwOok/eyHsisTSmfKBuLC/axVEgIJqyRxte3LI
|
||||||
|
OqKo3HMqUqdVZ1Fcarr2A8WtCtHT5hEoxDh00uGULa7OQuAYerYoKFvet1C7BrLq
|
||||||
|
ioPAgI2F5Ggt3c60femP0eIENzPXQLarYh0ZPmwOudJeAQiLRC4xvCvVGnH/KO/k
|
||||||
|
cViuRUDKHrn3vyDzumAcdFHw8civlceSuln4LI/TCM7LkfQ4JFXLl6SpznUpUDC8
|
||||||
|
6iHtN1hg7DVefCJT4qj64o2qwtXIZ1JB7Y+ch4l7IA==
|
||||||
|
=kUzQ
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|