refactor: separate sops-nix configuration for each device

2025-04-22 13:55:40 +08:00 · 2025-04-22 13:55:40 +08:00 · 41db8f919a
commit 41db8f919a
parent 97e6508ab9
9 changed files with 53 additions and 7 deletions
--- a/system/dev/dn-lap/default.nix
+++ b/system/dev/dn-lap/default.nix
@ -6,6 +6,7 @@
  imports = [
    ./hardware-configuration.nix
    ./boot.nix
+    ./sops-conf.nix
    ../../modules/presets/basic.nix
    ../../modules/gaming.nix
    ../../modules/virtualization.nix
--- a/system/dev/dn-lap/secret.yaml
+++ b/system/dev/dn-lap/secret.yaml
@ -0,0 +1,22 @@
+wireguard:
+    conf: ENC[AES256_GCM,data:GKUlc2K+pJCZHrasZtC/ql8ojYOyIqquOa6gTD3BycvCIU62OO0X0Zi1XW858AzQokHNd3vE+m18XPk1/am5I9FBc0+vGlVctNZgcPLKYObsxF40aZU+NU+Ip1wjNP/V6t0zyt6ur7R7Si9HePhZZqDEpdyBzR2Jjl8DrfC9NiRTVQaHw1D72yjwOGZCkeY7n8PRW9wW9UkzuJNmFHDxF4nUaeP3k3fpfLFEOVyyjvy8Ba995tVWOfJgkMng57VgIr36jzMXWlkpSTB06wWEIfgVpbQpzkFyxWwA4sxhMJfp4JvO3IvzUvkGn3W14Z/SVcg5km7q5aXff9m1/Srn,iv:Oxa377J9Wufm036iFcm+RvitNiWWNPXmUrm9BwrUfBo=,tag:kM4PR/u+j1RkET2Z7FTIPA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ankwMFc5R3lRK2svRzBL
+            VVRUMjNRYisyRTNxM1hHeDNsbGVGT2hFUkEwCkpoVWR4MXVuWlJpZEt3eGJiYm5t
+            SUZubUJqSUEwNnk1K1RsWFVucmFoVEkKLS0tIFd1TitJMHNxc2xwWCtwWnJSWWhN
+            SnFxQ2Z0MVZ6Nm5oRy96TjFKR0Y3dEkKsT9FjBvrjUZCAx0XKb5Vj5I7VsJixdtf
+            LTNIAxt20mkyuddr6AaFFN8xsjz0TlwEQRgSGAmm3As2KGKohduMsQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-22T05:44:47Z"
+    mac: ENC[AES256_GCM,data:DODaAnKe5ExNhXxfOq874bXGy44A3aw+KWnpeDr3OAbocVMvM0uE55r0x9JEbMakVWiDZq0SCP2K6XiTT74hX90tmwvl8jr9HYqAqscOZ75mRfc2NmZJRWuxJj6nA0U+4/A6dm2ftSXP09rH/WjKGpLObLbpOKQledM+U5Ggzjo=,iv:WEhgMOX+L471+ZrBicoBsJAlTxLl9Nc608SPJ3p6XpY=,tag:e/eKKmy4Z8+mC9Ixg0X6+A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
--- a/system/dev/dn-lap/sops-conf.nix
+++ b/system/dev/dn-lap/sops-conf.nix
@ -0,0 +1,7 @@
+{
+  sops = {
+    secrets = {
+      "wireguard/conf" = { };
+    };
+  };
+}
--- a/system/dev/dn-pre7780/default.nix
+++ b/system/dev/dn-pre7780/default.nix
@ -12,6 +12,7 @@
    })
    ./hardware-configuration.nix
    ./boot.nix
+    ./sops-conf.nix
    ../../modules/presets/basic.nix
    ../../modules/cuda.nix
    ../../modules/gaming.nix
--- a/system/dev/dn-pre7780/sops-conf.nix
+++ b/system/dev/dn-pre7780/sops-conf.nix
@ -0,0 +1,7 @@
+{
+  sops = {
+    secrets = {
+      "wireguard/conf" = { };
+    };
+  };
+}
--- a/system/dev/dn-server/default.nix
+++ b/system/dev/dn-server/default.nix
@ -11,6 +11,7 @@
      intel-bus-id = settings.nvidia.intel-bus-id;
      nvidia-bus-id = settings.nvidia.nvidia-bus-id;
    })
+    ./sops-conf.nix
    ./boot.nix
    ./hardware-configuration.nix
    ./networking.nix
--- a/system/dev/dn-server/sops-conf.nix
+++ b/system/dev/dn-server/sops-conf.nix
@ -0,0 +1,9 @@
+{
+  sops = {
+    secrets = {
+      "wireguard/privateKey" = { };
+      "nextcloud/adminPassword" = { };
+      "step_ca/password" = { };
+    };
+  };
+}