Add sops-nix secrets + dev defaults so local stack runs with zero setup
check / flake-check (pull_request) Has been cancelled
check / flake-check (pull_request) Has been cancelled
- sops-nix flake input, age + ssh-to-age in devShell, .sops.yaml with per-host recipients (real pubkeys still TODO until lars bootstraps). - nix/modules/gebos-secrets.nix centralises per-host secret subsets and renders /run/secrets/gebos-env via sops.templates. Service modules now read EnvironmentFile= from services.gebos.secrets.envFile instead of the placeholder /etc/gebos/secrets.env. - Falls back to a writeText env file when nix/secrets/secrets.yaml is absent, so `nix flake check` and first-boot eval work pre-bootstrap. - nix/secrets/README.md walks through age key + sops bootstrap. - Dev defaults: ingester binary falls back to local tcp/postgres URLs, process-compose adds mosquitto and wires GEBOS_MQTT_BROKER / GEBOS_POSTGRES_URL / GEBOS_POSTGRES_PASSWORD + VITE_SUPABASE_URL / VITE_SUPABASE_ANON_KEY, frontend defaults to 127.0.0.1:8000 in DEV. Refs #23 (comment #110).
This commit is contained in:
+33
@@ -0,0 +1,33 @@
|
||||
# sops creation/decryption rules.
|
||||
#
|
||||
# Recipients listed here decide who can decrypt each key in
|
||||
# nix/secrets/secrets.yaml. Each host gets only the keys it actually needs;
|
||||
# every developer who edits secrets is also a recipient on the matching key.
|
||||
#
|
||||
# Hosts derive their age identity from /etc/ssh/ssh_host_ed25519_key via
|
||||
# ssh-to-age. Run `nix run nixpkgs#ssh-to-age -- < /etc/ssh/ssh_host_ed25519_key.pub`
|
||||
# on each host to get its age pubkey, then paste it below.
|
||||
|
||||
keys:
|
||||
# ---- developers (laptops, hardware keys) ----
|
||||
- &dev_lars age1TODO_lars_personal_age_pubkey_replace_me_before_first_real_secret
|
||||
|
||||
# ---- hosts (derived from each host's ssh_host_ed25519_key.pub via ssh-to-age) ----
|
||||
- &host_db age1TODO_db_host_age_pubkey_replace_me
|
||||
- &host_app age1TODO_app_host_age_pubkey_replace_me
|
||||
- &host_ingest age1TODO_mqtt_ingest_host_age_pubkey_replace_me
|
||||
|
||||
creation_rules:
|
||||
# Supabase compose stack → app-host only.
|
||||
- path_regex: nix/secrets/secrets\.yaml$
|
||||
encrypted_regex: ^(supabase_|ingester_|postgres_admin_)
|
||||
key_groups:
|
||||
- age:
|
||||
- *dev_lars
|
||||
- *host_db
|
||||
- *host_app
|
||||
- *host_ingest
|
||||
|
||||
# NOTE: a single key_group above lets every recipient decrypt every key.
|
||||
# Per-host filtering will be tightened to one rule per prefix once real age
|
||||
# pubkeys land — see nix/secrets/README.md for the rotation/bootstrap flow.
|
||||
Reference in New Issue
Block a user