From d0ddc3f8be978ddf65cf7ae636e16b0c816df012 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Fri, 10 Nov 2023 19:27:52 +0100
Subject: [PATCH] add wrwks secret to fw

---
 .sops.yaml                                   |  7 ++++-
 README.md                                    |  5 ++++
 hosts/fw.cloonar.com/modules/openconnect.nix |  4 ++-
 hosts/fw.cloonar.com/secrets.yaml            | 30 ++++++++++++++++++++
 4 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 hosts/fw.cloonar.com/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index af138fa..18e5f32 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,8 +11,8 @@ keys:
   - &ldap-server-test age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t
   - &testmodules age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3
   - &ldap-server-arm age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
+  - &fw age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
   - &netboot age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
-  - &phone age12zmq67s0cykfxw9st9j4qqsus4saye96lsv3dpkmhfwsw325rvgst56hj3
 creation_rules:
   - path_regex: ^[^/]+\.yaml$
     key_groups:
@@ -91,6 +91,11 @@ creation_rules:
     - age:
       - *dominik
       - *web-01-server
+  - path_regex: hosts/fw.cloonar.com/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *dominik
+      - *fw
   - path_regex: utils/modules/promtail/[^/]+\.yaml$
     key_groups:
     - age:
diff --git a/README.md b/README.md
index 383e614..f0b8e75 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,11 @@ nix-shell -p sops --run "sops updatekeys -y secrets.yaml"
 ./install.sh example.com
 ```
 
+# 2. Sops command
+```console
+nix-shell -p sops --run 'sops hosts/cloonar.com/secrets.yaml'
+```
+
 # 2. Web Server specific
 - change the permissions for /var/www
 ```console
diff --git a/hosts/fw.cloonar.com/modules/openconnect.nix b/hosts/fw.cloonar.com/modules/openconnect.nix
index 6e7c943..5bc4038 100644
--- a/hosts/fw.cloonar.com/modules/openconnect.nix
+++ b/hosts/fw.cloonar.com/modules/openconnect.nix
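Review bot: The new `&fw` anchor in the first .sops.yaml hunk carries exactly the same age public key as the existing `&ldap-server-arm` anchor, so the new `hosts/fw.cloonar.com/secrets.yaml` (whose second recipient in the last hunk is that same key) is decryptable by whichever host holds the ldap-server-arm private key, not by a key specific to fw. If fw has its own host key this looks like a copy-paste slip and the anchor should be replaced with fw's key followed by `sops updatekeys` on the new file; if the sharing is deliberate, say so next to the anchor, e.g. `- &fw age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 # same host key as ldap-server-arm (intentional)`. The same hunk also drops the `&phone` anchor, so any `*phone` alias still referenced in creation_rules outside these hunks would now fail to resolve when sops parses the file; worth a grep before merging. Minor: the new rule's `path_regex` is neither anchored nor dot-escaped, so `^hosts/fw\.cloonar\.com/[^/]+\.yaml$` would match only the intended directory.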
@@ -1,8 +1,10 @@
 { ... }: {
+  sops.secrets.wrwks_vpn_key = {};
+
   networking.openconnect.interfaces = {
     wrwks = {
       gateway = "vpn.wrwks.at";
-      passwordFile = "/var/lib/secrets/openconnect-passwd";
+      passwordFile = config.sops.secrets.wrwks_vpn_key.path;
       protocol = "anyconnect";
       user = "exdpolakovics@wrwks.local";
     };
diff --git a/hosts/fw.cloonar.com/secrets.yaml b/hosts/fw.cloonar.com/secrets.yaml
new file mode 100644
index 0000000..da7020b
--- /dev/null
+++ b/hosts/fw.cloonar.com/secrets.yaml
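Review bot: The new `passwordFile = config.sops.secrets.wrwks_vpn_key.path;` line references `config`, but the module's argument set on the context line above is `{ ... }:`, which binds nothing, so evaluation will fail with an undefined-variable error for `config`; the first line should become `{ config, ... }: {`. Declaring the secret as `sops.secrets.wrwks_vpn_key = {};` leaves it with sops-nix's defaults (root-owned, not world-readable), which presumably is fine if the openconnect service runs as root — confirm that, and that this host's `sops.defaultSopsFile` points at the new `hosts/fw.cloonar.com/secrets.yaml`, since neither is visible in this hunk. The module's closing lines lie outside the hunk.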
@@ -0,0 +1,30 @@ +wrwks_vpn_key: ENC[AES256_GCM,data:gGipXC8JJO59b4KWMSo0+r761raQl7RzgBuUbXmPEKlZR21bs5XRAQalzDCFNtjcpNkXiGqAHCLkDTtjPagMsw==,iv:MH1EBJEOdQDEgm9E0F884fynhsH8KiS5QSc605XbASQ=,tag:FUM1eptHS0rpt6ILyQjGOg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaExBbWFIRlRFMFBCQUdt + MElGZkpqWDcyNkY0dnd6QkVRenJNUWFGWDJzCnNYZWdtMkhLemlVbzh6TXREMG5p + SE5Bc1RaZ3ZlQnVVc0pmOFNTYkZ1alkKLS0tIGxGSiswRkxOdlR1ZkdUY1JHV1Ux + TGphL2Q3eFVRZUllRUtrd0s2eHUwc0UKz/PVi6nnhO3+Y5wnvsfu80vpdgvIZKEc + XGI21VBqDS6qetrlPoU2L0Ta729rs6PAeoAhiY+z7cXxgzaDvWONCA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjU2RWbDZoemRUTjlpTklI + R1JyMTQ5OE50bHBHR25LSVdXdHBoSys2MXdjCnRNN2RhRis1dmdwcEJ5anp3eEEv + U2VQcXBkQXRNaE1Na2ozV1VuRzVJdkEKLS0tIGxRa2pDS2VGUGNjblM1Smt6dy85 + dTNvbDlqMmYyQXJsTlFWWHpVZlZzWEUK18tC5iPbbcr9pNvPy67XzQttnizp8huI + faFSGZLKdc7F32F39yw9hAu8QpYBQ+Sb6ucYxZ4pIAKNX+9ICGcnTA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-10T18:21:41Z" + mac: ENC[AES256_GCM,data:ejqFUPuyQC5YC5zcB/T8MwpUnb9JE9kCaWelzKf5qceXjD2XbcYHVbFAV2mNb+VwFTRCWAazNzIXGB3KiS9FBts2LfGbuzmjxN3WzcnW9n5oWSME9DMdnYzpI6Rkz35coIFZglaEx+m/DCXzVWTzah/I+zxtK3EiXFNhkCHxlCs=,iv:XK0iRQ/l4eHemzbMHFJ2Y6yW9Ar1GGYBkoYUzxO7k8w=,tag:lfxNcfuktoioXDa0SmDFXw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3