# Sops

## How to add admin keys
- GPG:
  - Generate a gpg key
  - Add the public key to `./machines/secrets/keys/users/`
  - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
- Age:
  - Generate an age key for sops:

    ```
    $ mkdir -p ~/.config/sops/age
    $ age-keygen -o ~/.config/sops/age/keys.txt
    ```

    or convert an existing ssh ed25519 key to an age key:

    ```
    $ mkdir -p ~/.config/sops/age
    $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
    ```

  - Get the public key using

    ```
    $ age-keygen -y ~/.config/sops/age/keys.txt
    ```

  - Write the public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
- Write `- *admin_$USER` under the appropriate `key_groups:` of the secrets the user should have access to
- `cd machines/` and reencrypt the existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
## How to add host keys

If a new host is created we have to add its age key to the sops config. Do the following:

```
# ssh into the host and run:
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# create a new host entry with the output of that command in /machines/.sops.yaml
```
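The two procedures above both end in edits to `.sops.yaml`. The following is an added example of how such a file fits together (it is not this repository's actual `.sops.yaml`): the `&admin_$USER` and `&host_$NAME` anchors under `keys:` are the values produced by the GPG, `age-keygen -y` and `ssh-to-age` steps, and the `*admin_$USER` / `*host_$NAME` references under `key_groups:` decide who can decrypt each secrets file. The user names, host name, fingerprint, age public keys and `path_regex` are placeholders, not real keys.

```yaml
# Added example .sops.yaml (not the project's own file). Every fingerprint,
# age public key, user name and path below is a placeholder.
keys:
  # Admin keys: one anchor per user, named &admin_$USER as the guide prescribes.
  # GPG users are listed by their 40-hex-character key fingerprint:
  - &admin_alice 0000000000000000000000000000000000000000
  # Age users are listed by the public key printed by `age-keygen -y`:
  - &admin_bob age1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
  # Host keys: the age recipient printed by `ssh-to-age` for the host's
  # /etc/ssh/ssh_host_ed25519_key.pub, so the machine can decrypt at boot.
  - &host_server1 age1zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

creation_rules:
  # Secrets for server1: only the host itself and the admins who need them.
  # Within one key group any single listed key can decrypt the file, so an
  # admin is granted access to a secret simply by being referenced here.
  - path_regex: secrets/server1/.*\.yaml$
    key_groups:
      - pgp:
          - *admin_alice
        age:
          - *admin_bob
          - *host_server1

  # Secrets shared by every host: reference every host anchor here as well.
  - path_regex: secrets/common/.*\.yaml$
    key_groups:
      - pgp:
          - *admin_alice
        age:
          - *admin_bob
          - *host_server1
```

Changing `keys:` or `key_groups:` does not touch already encrypted files by itself: sops re-encrypts each file's data key for the new recipient set only when `sops updatekeys path/to/secrets.yaml` is run, which is why the admin-key procedure ends with that step, and the same command is needed after adding a host. Keeping each host's secrets in a rule of their own, as above, means a compromised host key exposes only that host's files rather than everything in the repository.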