change encypt key from gnupg to age. And encrypt dae url

2025-01-12 17:18:01 +08:00 · 2025-01-12 17:18:01 +08:00 · 991a8b4bbc
commit 991a8b4bbc
parent 7d52c44603
9 changed files with 73 additions and 44 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,7 +1,7 @@
 keys:
-  - &admin C6FCBD7F49E1CBBABD6661F7FC02063F04331A95
+  - &master age1smmqun9h3cszaza85ty33yenyaqtat572u9r3we4l5gh85njgvws6q680g
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
-    - pgp:
-      - *admin
+    - age:
+      - *master
--- a/home/david/configurations/Tytonidae/default.nix
+++ b/home/david/configurations/Tytonidae/default.nix
@ -124,8 +124,9 @@
    sopsFile = rootPath + "/secrets/ssh-config.yaml";
  };

-  sops.gnupg = {
-    home = "${config.home.homeDirectory}/.gnupg";
+  sops.age = {
+    keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+    generateKey = false;
  };
  sops.defaultSopsFile = rootPath + "/secrets/general.yaml";
 }
--- a/nixos/configurations/Tytonidae/dae/default.nix
+++ b/nixos/configurations/Tytonidae/dae/default.nix
@ -1,4 +1,9 @@
-{ pkgs, config, ... }:
+{
+  pkgs,
+  config,
+  rootPath,
+  ...
+}:
 {
  services.dae = {
    enable = true;
@ -9,7 +14,10 @@
    disableTxChecksumIpGeneric = false;
    config = builtins.readFile ./config.dae;
  };
-  environment.etc."dae/urls.txt".source = ./urls.txt;
+  sops.secrets.url = {
+    mode = "0444";
+    sopsFile = rootPath + "/secrets/general.yaml";
+  };
  systemd.services =
    let
      new_proxy = "/etc/dae/proxy.d.new";
@ -17,7 +25,7 @@
      update = ''
        num=0
        check=1
-        urls="$(${pkgs.coreutils}/bin/cat /etc/dae/urls.txt)"
+        urls="$(${pkgs.coreutils}/bin/cat ${config.sops.secrets.url.path})"
        mkdir -p ${new_proxy}
        for url in "''${urls}"; do
          txt=${new_proxy}/''${num}.txt
@ -49,6 +57,7 @@
        before = [ "dae.service" ];
        serviceConfig = {
          Type = "oneshot";
+          User = "root";
          ExecStart =
            let
              script = pkgs.writeTextFile {
--- a/nixos/configurations/Tytonidae/dae/urls.txt
+++ b/nixos/configurations/Tytonidae/dae/urls.txt
@ -1 +0,0 @@
-https://bava8u2znaj6bdzzjnfb.wgetcloud.online/link/df057715-3fa5-38c8-b550-316aa84c22c1?target=v2rayn&list=1&simple=1
--- a/nixos/configurations/Tytonidae/default.nix
+++ b/nixos/configurations/Tytonidae/default.nix
@ -25,6 +25,10 @@
    hostName = "Tytonidae";
  };

+  programs.gnupg.agent = {
+    enable = true;
+  };
+
  networking.hostName = "Tytonidae";

  time.timeZone = "Asia/Shanghai";
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -16,6 +16,7 @@
    ++ [
      ./nix.nix
      ./home.nix
+      ./sops.nix
    ];

  config = {
--- a/nixos/modules/sops.nix
+++ b/nixos/modules/sops.nix
@ -0,0 +1,20 @@
+{
+  rootPath,
+  config,
+  ...
+}:
+{
+  config = {
+    sops.defaultSopsFile = rootPath + "/secrets/general.yaml";
+    sops.age =
+      let
+        unixName = config.youthlic.home-manager.unixName;
+        cfg = config.users.users."${unixName}";
+      in
+      {
+        keyFile = "${cfg.home}/.config/sops/age/keys.txt";
+        sshKeyPaths = [ ];
+        generateKey = false;
+      };
+  };
+}
--- a/secrets/general.yaml
+++ b/secrets/general.yaml
@ -1,25 +1,23 @@
-ssh-private-key: ENC[AES256_GCM,data:TzcvWxAsQTmoGTR4xMsDIWTKIjr6InWUoqSz3zPnX6cIDyAMHQLN7cNRQcNJ9VAX1IxjlF6+WsTWZahKIZmQ0kfjWr9bsEcx6r4VZp73AGudP7UQ4ntmCYO5cw2iHTiGxbrdIPYYcPf4y7aRjusWxGDeqaPtRB20xGCMigKqazGBN3vsgnQXPj46wcwy7ibsCAtg1DBP1q9c8nspvVOL4bhByxjcLi2p3E54C79fTGOlKRx2HRZh6tFRxH56C6mnuFnDg+TF7I/5t3vw7+EBo7roVJJPypW0tRq+lnbmU4TFFEqf4v+2BaEVKtSBQZd4gb4PRyEgcmmrh2wJjx2JvBi4ansZZWB6d7GRHB1e1Yh16ONJ3Y1XuTjzVNPLbWtPAhPffcg6TDZzWrWxHqES7eI9p+0k8gZZv7vRZM5XpbXlcZpNm1XA2YktJL36asoE1ZjXLzDHNxLAGaq/l1tsxHzx/vZXhIw/dNFEF9xzXH7Jt9oY9I68VbLw/4F4C7epiRJK55Fj/3+ninrsTyMswDlNLfnO6skgpFFcWftTJOAIKhsA2v6a5Wh6jqa9JaxupdYD/ZC+Emp+mivT,iv:3j79GakhiOvvqYUiCc0RaWsD60xl1aRCKnJ0WuEFqt8=,tag:SsUiEzMs/aOwPrv2ZisklQ==,type:str]
-git-credential: ENC[AES256_GCM,data:WTuAE/627ke6Jt2ctTteS9v2Lrtkr2n0NYUHZvfGn8lro/eplTtF8/3SkCmftbT3XsKA9Os=,iv:hpgeqy6NVvxe+5Tsvom/k1qTj0VvRtdwXqmXkROPm2s=,tag:HTwL//8RUgeqod9B97OnIw==,type:str]
+ssh-private-key: ENC[AES256_GCM,data:hT2/OaZBAXK8eQe0qAxHw8nO6Z9ErzUdGWUgN/0c04NKUz6dyynKXsSEE7sC/P/WfUCOTXVgf7u/SY2/hMBG2tpceEwx2FDVJnUDF6Wi/2U8C1z3TjBitjYY1apku3lMTNYF7GwflUA+lB3xcKJ9dKnJlU/5moPqCf58G5w9DFXM1YJcUfVQ1Cl5MKguJkxpSw4MMm7QxGhruX5C/a84TYIZC/IHll3f1e6qvM+5TEibXIa9LBMcT7pxw4SQ/vhPmAJO54/GHbktTHxkjPbo2keGr3J1Im+TlX9OB81cbNZMxIn++Igw9iffF0LZmudmndLhWFPUK0itpkP8pjMY3rIrI6KsPG/7w4zQMO0p6rNfeGjkLvKp3mj5mYRlBdMaqtiqngAxzelsKaVhXlO+JXR+qdpONico8mRP+f3KSJU6gmGCIw0RNFcBlV/NN2VNUTxBS7/cwYGKF1kkb4Or9h5l5N7Ta1U5m2PEYclrneuclx6fdKXfChLG65E0l86EgpMyC6hHSL1x51e8QJSnHBkbjAMI59Kj9sy4QE8J4/a3q1D/sr/bn2t2Y7W0CckK7iPqyeiA0RSXiIVZ,iv:QVQCQJyc2ZgSzBpJ2MIrjgxBKghpr48k9yGzBUIoffg=,tag:3zo3vzwqWhQkAWB4N4R0NQ==,type:str]
+git-credential: ENC[AES256_GCM,data:Rt6ccMJ+D/Jv1U7Ex51j4zIKp5KIyPFJdWZwJyW6liU5CHxBfrFWeNOJobhT5tFPrhzHRUI=,iv:f2SYFKpAcHoKG3dMsniKRi02EFDzwgzzli5Qzw8CWqo=,tag:hUi0FAZ7+2+mcqUsz5HtbQ==,type:str]
+url: ENC[AES256_GCM,data:n152X334cpUJXgm/0D+mbF2xDOSq/xT4xO3rBLjxEkcAexkn7lIm2mHKLaumBO0M7YC6gP/AVZlhOrpC7EtwwyzvxFgZIYBT0u3pKRpp2ifedMXd/7iKq45vu3xltX8blFF5TcMslO4UsXJEc+NxnCMS/PvO,iv:RWFUzHi2t06CqY1fHPTFUJevyW0bXc1xuhsjfZd3UAw=,tag:BWGxxAtfoJ8tbbbKbkzQRw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age: []
-    lastmodified: "2025-01-11T14:58:31Z"
-    mac: ENC[AES256_GCM,data:exP8VRjXNq0mCDDcS0qvuUXrmJ86IMU6GIXINud9n2T6143B3y/uNPH44UtDsVQ2z7DhJqhvRNQgWTrUz0b/QFqmF74MA28JAbzz8bKEHRKzKlATT/nPesTX87FONf/vmmDpAWMh0kolU+Rj10q8VIRLKhxto9WwoKO4j8HPRhE=,iv:cWhuEHCFngGAfUh6UqiFi4uUKPogE5oYoNJPodtIgxU=,tag:XUlPPLTCiw/kSdHyM8/28w==,type:str]
-    pgp:
-        - created_at: "2025-01-10T12:20:32Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DNZgse+e4B/gSAQdAeJeXZE+thM6aaFDfs13nnljAvJWXlpBWvGACRVKzUEkw
-            IzAT4aLTVpRhaKLZ+neZX1Ky3uQJZrosGgbjj4OoJY0yTjPdo3FoEGZ8VXKexxoy
-            1GgBCQIQeyJY0eJh38MIpxxLu2/xSpwOXRzdugPLhvMX0ZYRefntC0NXyjTjCN1H
-            +/YUlb+K4qNeZNDpKS2JyvZl5u8N2w/pZ98+HDgMpieJrdbv4gkiXmmnUaw8y3Ct
-            EgBuPA8pkBt+DQ==
-            =h3Bi
-            -----END PGP MESSAGE-----
-          fp: C6FCBD7F49E1CBBABD6661F7FC02063F04331A95
+    age:
+        - recipient: age1smmqun9h3cszaza85ty33yenyaqtat572u9r3we4l5gh85njgvws6q680g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ2IrRG90eUJUT1grZEtV
+            N25XNDI0Z0JlZ2RJWU5LN05jbDQwL0hMMkU4Cm5sVHpiVHV5UVdIY24xNFZYTmpm
+            TUlyZmQ1TTZuaHB3aFpzV2hPZnNNZGcKLS0tIGJrN1lqWUFOU09XcFJ5Mys0WjV6
+            dTkwcThVQTNYZ0RKWnIwMEgzQ2lYMVEKWs0OsGlPCRfsjZwntyVa6RGhZLye35kX
+            3PDxZ66jP63OGi5Hai17fp5IvT3/mIRWh6UMq44TFz9OQoUWCymakg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-12T08:58:47Z"
+    mac: ENC[AES256_GCM,data:XXdGGA/S6tg3xlsLwEtRjLHIVRRQHR2MBIeZv+9VtGYG1cBJD64RGZBCAJ5Jaw7WctcqZqj0Q1C9rIgNyv8ZYJTum3ok469WNFfcoDkPCr12nAO7vujvZp5xA5KfOdiP3wrHmorD4hl8qfv2oURm2RDcfzMIL2LWgNiwWndXs+I=,iv:RVHpsunJlOzN3QxxPfQdkUiC+Tf71j4L7SGEeTfDzYM=,tag:BgMqfCz1RG5Kl5PCIf/HdQ==,type:str]
+    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.2
--- a/secrets/ssh-config.yaml
+++ b/secrets/ssh-config.yaml
@ -1,24 +1,21 @@
-ssh-config: ENC[AES256_GCM,data:NIYcwDJ9ycS2C/BZA0GFETURDUPcuPlP9Cn1Ku0AZNiWtqI3w+kIhu2G37j9F6k04gSS+BviQ2C5LRJbJb9+blHHeL7+pACgWVJGLBw=,iv:gpE8RdvX4ZWgBrgYKOXbV6aIwFHbLT6mb+plVkRISdU=,tag:GPGn0B0ibPA6ddt/ae68Lg==,type:str]
+ssh-config: ENC[AES256_GCM,data:kQe12czlvgScrtOae32PpKNrXREh1XP5n7WrFvBb4NcGLRj0j61T490D5v6vgTzppyQnU84tTNVtMBUfdLN6jjdli8cEM71qcKy4eLw=,iv:FaUEI9dYamBt7kI9quCNBXZwDzTosR4ad1JQq6IatBE=,tag:R4TTA6iMrRQPt1ApYBGfEg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
-    age: []
-    lastmodified: "2025-01-11T15:33:47Z"
-    mac: ENC[AES256_GCM,data:nGi6Z8XV67/VssmOFlAGy9F+nwgO0OwtMl1VSHvHEM8zeOIvdftcCh7jTdLUpRXi/bNY/3eidSLr9HWdNprPed98E8qA37OdFYwb7nousqVjWMWLZlMNCBfGeCbUQxu1+fiJnMzrYKJGQHPfYhWr0rOizOCUT707uOT+6Rs+CJE=,iv:1p9q2m4HQrouf6vymlA1PG2fCZNnRTZruhEqRna+1UY=,tag:uD0a/NwXKsaH5DhPbJ8aWg==,type:str]
-    pgp:
-        - created_at: "2025-01-11T14:58:53Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DNZgse+e4B/gSAQdAHHLJHSheWR76VPjKuHzcELWfkfWecafPv29r5TnXGFgw
-            QfAypb7nQT5v01tKI4V6VCtsevDL868voABCwu7Izg6onDOxH26zsRg+m0GvfFwK
-            1GYBCQIQH8VmTueJ7KN6CS6vqdEFEVrpuwrmQAa6aS94ir0U5qE3xDXfsgb61ETq
-            6ybtGXmNpmd2Gy842DxngHnxgL+v8YG61bJ2L0tB1S/MxOxVGueIkxNs2C5Bg6e/
-            wCz2U/E31Q4=
-            =cnit
-            -----END PGP MESSAGE-----
-          fp: C6FCBD7F49E1CBBABD6661F7FC02063F04331A95
+    age:
+        - recipient: age1smmqun9h3cszaza85ty33yenyaqtat572u9r3we4l5gh85njgvws6q680g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWklncVlZbTFXdndXUmJ4
+            bTlyOEkvZE5aUnJHQzRJVjRBK2dja2RmaGpZCnNQRTdJeXJHSTFLaGx3SUpBUUI5
+            R1p5Y0w3OG1KYmZScDczelVkdFBReDAKLS0tIHZSM2Y5NExYVzArVWppK01vQUtF
+            K1A5bnBxMjJPV2NyRzNuOXVSY2tkZFUKinl6fL9caEM/bzTfQYk8ZCYLsMdgwmJE
+            LhNSWMFL9zqxSFFZ5GrrT/hATR+5AckKydD+3uYxQbGKO8TO39HVKQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-12T08:59:41Z"
+    mac: ENC[AES256_GCM,data:uJ7GrffSlgKCxxmCVrrs1gNTpEEs/B8F9aEHHTdwlSFCTxcueNbIP2RaQVRQmyZO5CDTD/srmCT1dwPwAaxQE49OFUwUDgpn2JMjQdTyLmbK5+JDfvvMNnv/OVNaQUvVPsPoA1CqCqrpKOLh6kfp1FpYkPpZFOoQWByKw/FmSL8=,iv:CX4RJvRJce7wLUxyM1Fi89G1PINte9gxXoBfYMHn4NQ=,tag:12eZ1TZLsdlDpUZa/1HPWA==,type:str]
+    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.2
				`@ -1 +0,0 @@`
				`https://bava8u2znaj6bdzzjnfb.wgetcloud.online/link/df057715-3fa5-38c8-b550-316aa84c22c1?target=v2rayn&list=1&simple=1`