add wrwks secret to fw

2023-11-10 19:27:52 +01:00
parent 3d7c7e41b3
commit d0ddc3f8be
4 changed files with 44 additions and 2 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,8 +11,8 @@ keys:
  - &ldap-server-test age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t
  - &testmodules age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3
  - &ldap-server-arm age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
+  - &fw age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
  - &netboot age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
-  - &phone age12zmq67s0cykfxw9st9j4qqsus4saye96lsv3dpkmhfwsw325rvgst56hj3
 creation_rules:
  - path_regex: ^[^/]+\.yaml$
    key_groups:
@@ -91,6 +91,11 @@ creation_rules:
    - age:
      - *dominik
      - *web-01-server
+  - path_regex: hosts/fw.cloonar.com/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *dominik
+      - *fw
  - path_regex: utils/modules/promtail/[^/]+\.yaml$
    key_groups:
    - age:
--- a/README.md
+++ b/README.md
@@ -13,6 +13,11 @@ nix-shell -p sops --run "sops updatekeys -y secrets.yaml"
 ./install.sh example.com
 ```

+# 2. Sops command
+```console
+nix-shell -p sops --run 'sops hosts/cloonar.com/secrets.yaml'
+```
+
 # 2. Web Server specific
 - change the permissions for /var/www
 ```console
--- a/hosts/fw.cloonar.com/modules/openconnect.nix
+++ b/hosts/fw.cloonar.com/modules/openconnect.nix
@@ -1,8 +1,10 @@
 { ... }: {
+  sops.secrets.wrwks_vpn_key = {};
+
  networking.openconnect.interfaces = {
    wrwks = {
      gateway = "vpn.wrwks.at";
-      passwordFile = "/var/lib/secrets/openconnect-passwd";
+      passwordFile = config.sops.secrets.wrwks_vpn_key.path;
      protocol = "anyconnect";
      user = "exdpolakovics@wrwks.local";
    };
--- a/hosts/fw.cloonar.com/secrets.yaml
+++ b/hosts/fw.cloonar.com/secrets.yaml
@@ -0,0 +1,30 @@
+wrwks_vpn_key: ENC[AES256_GCM,data:gGipXC8JJO59b4KWMSo0+r761raQl7RzgBuUbXmPEKlZR21bs5XRAQalzDCFNtjcpNkXiGqAHCLkDTtjPagMsw==,iv:MH1EBJEOdQDEgm9E0F884fynhsH8KiS5QSc605XbASQ=,tag:FUM1eptHS0rpt6ILyQjGOg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaExBbWFIRlRFMFBCQUdt
+            MElGZkpqWDcyNkY0dnd6QkVRenJNUWFGWDJzCnNYZWdtMkhLemlVbzh6TXREMG5p
+            SE5Bc1RaZ3ZlQnVVc0pmOFNTYkZ1alkKLS0tIGxGSiswRkxOdlR1ZkdUY1JHV1Ux
+            TGphL2Q3eFVRZUllRUtrd0s2eHUwc0UKz/PVi6nnhO3+Y5wnvsfu80vpdgvIZKEc
+            XGI21VBqDS6qetrlPoU2L0Ta729rs6PAeoAhiY+z7cXxgzaDvWONCA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjU2RWbDZoemRUTjlpTklI
+            R1JyMTQ5OE50bHBHR25LSVdXdHBoSys2MXdjCnRNN2RhRis1dmdwcEJ5anp3eEEv
+            U2VQcXBkQXRNaE1Na2ozV1VuRzVJdkEKLS0tIGxRa2pDS2VGUGNjblM1Smt6dy85
+            dTNvbDlqMmYyQXJsTlFWWHpVZlZzWEUK18tC5iPbbcr9pNvPy67XzQttnizp8huI
+            faFSGZLKdc7F32F39yw9hAu8QpYBQ+Sb6ucYxZ4pIAKNX+9ICGcnTA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-10T18:21:41Z"
+    mac: ENC[AES256_GCM,data:ejqFUPuyQC5YC5zcB/T8MwpUnb9JE9kCaWelzKf5qceXjD2XbcYHVbFAV2mNb+VwFTRCWAazNzIXGB3KiS9FBts2LfGbuzmjxN3WzcnW9n5oWSME9DMdnYzpI6Rkz35coIFZglaEx+m/DCXzVWTzah/I+zxtK3EiXFNhkCHxlCs=,iv:XK0iRQ/l4eHemzbMHFJ2Y6yW9Ar1GGYBkoYUzxO7k8w=,tag:lfxNcfuktoioXDa0SmDFXw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3