feat: move sops config from yaml to nix

yaml is a quite terrible language.
soopyc · Mar 16, 2024 · 75d76f0 · 75d76f0
1 parent a44b6b5
commit 75d76f0
Show file tree

Hide file tree

Showing 6 changed files with 144 additions and 88 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,7 @@ result
 
 .direnv/
 *.qcow2
+
+# backup files
+*.bak
+*.old
diff --git a/.sops.nix b/.sops.nix
@@ -0,0 +1,38 @@
+let
+  # maintainers
+  age.soopyc_pxl7ag = "age1l3qxt6630dzesdclfm3eqgw3uuhwj09dh6typwlwr6clcv0qhfrqgtj2fk";
+  # age.soopyc_yub302 = "age1yubikey1qgmfcf0vddslyza7djdekjjk3t3u29d474c5xscmcdye8x3spvhlxxj23xz";
+  pgp.soopyc_yub302 = "8F3B277901484C6EA7E63F82D539637D518022C6";
+
+  # hosts
+  age.koumakan = "age18h7hya5terghrwawgpny28swlat2nqkdrfd4clk0svujqlz9xfusd3zeqt";
+
+  everything = [
+    {
+      age = builtins.attrValues age;
+      pgp = builtins.attrValues pgp;
+    }
+  ];
+in {
+  # remember to run `just utils update-sops-config` and `sops updatekeys` after editing.
+  creation_rules = [
+    {
+      path_regex = "creds/sops/global/.*";
+      key_groups = everything;
+    }
+
+    {
+      path_regex = "creds/sops/koumakan/.*";
+      key_groups = [
+        {
+          age = with age; [
+            soopyc_pxl7ag
+            # soopyc_yub302
+            koumakan
+          ];
+          pgp = [pgp.soopyc_yub302];
+        }
+      ];
+    }
+  ];
+}
diff --git a/.sops.yaml b/.sops.yaml
@@ -1,32 +1,17 @@
-keys:
-  # maintainers
-  - &soopyc_mpxl7a age10rkyshu0lswdqyvun4cs9cekm9zt4fw5c8ssa38tn3lukgcahcvsltnqx2
-  - &soopyc_pgp302 8F3B277901484C6EA7E63F82D539637D518022C6
-  # - &soopyc_age302 age1yubikey1qgmfcf0vddslyza7djdekjjk3t3u29d474c5xscmcdye8x3spvhlxxj23xz
-  # failed to parse input as Bech32-encoded age public key: malformed recipient "age1yubikey1qgmfcf0vddslyza7djdekjjk3t3u29d474c5xscmcdye8x3spvhlxxj23xz": invalid type "age1yubikey"
-
-  # Hosts
-  - &koumakan_ssh age18h7hya5terghrwawgpny28swlat2nqkdrfd4clk0svujqlz9xfusd3zeqt
-
-default_group: &default_group
-  pgp:
-    - *soopyc_pgp302
-  age:
-    # - *soopyc_age302
-    - *soopyc_mpxl7a
-
-
-every_key_group: &every_key_group
-  - <<: *default_group
-    age:
-      - *koumakan_ssh
-
+# WARNING: This is a generated file. DO NOT EDIT DIRECTLY!
+# See .sops.nix and utils/build-yaml.nix for more details.
 creation_rules:
-  - path_regex: creds/sops/global/.*
-    key_groups: *every_key_group
-
-  - path_regex: creds/sops/koumakan/.*
-    key_groups:
-      - <<: *default_group
-        age:
-          - *koumakan_ssh
+- key_groups:
+  - age:
+    - age18h7hya5terghrwawgpny28swlat2nqkdrfd4clk0svujqlz9xfusd3zeqt
+    - age1l3qxt6630dzesdclfm3eqgw3uuhwj09dh6typwlwr6clcv0qhfrqgtj2fk
+    pgp:
+    - 8F3B277901484C6EA7E63F82D539637D518022C6
+  path_regex: creds/sops/global/.*
+- key_groups:
+  - age:
+    - age1l3qxt6630dzesdclfm3eqgw3uuhwj09dh6typwlwr6clcv0qhfrqgtj2fk
+    - age18h7hya5terghrwawgpny28swlat2nqkdrfd4clk0svujqlz9xfusd3zeqt
+    pgp:
+    - 8F3B277901484C6EA7E63F82D539637D518022C6
+  path_regex: creds/sops/koumakan/.*
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,3 +3,7 @@ result @@
     .direnv/
     *.qcow2
+    # backup files
+    *.bak
+    *.old