infra/.sops.yaml

# This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example.

# use `ssh-keyscan <IP> | ssh-to-age` to get the age key for a remote machine
# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating
keys:
  - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
  - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
  - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
  - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
  - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8

  - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
  - &router0-dmz0 age1vr69hfmjgkqu47g5hjacet6n2tq4rhwnvdrmfa6n6l7fkqvvafnsaccf8u
  - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
  - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
  - &hstk0  age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0

creation_rules:
  - path_regex: ^(.+/|)secrets/[^/]+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-t14
      - *steveej-x13s
      - *elias-e525
      - *justyna-p300

      - *srv0-dmz0
      - *router0-dmz0

      - *sj-vps-htz0
      - *sj-srv1
      - *hstk0
      - *router0-ifog
      - *router0-hosthatch
  - path_regex: ^secrets/steveej-t14/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-t14
  - path_regex: ^secrets/desktop/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-t14
      - *steveej-x13s
  - path_regex: ^secrets/servers/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-vps-htz0
      - *sj-srv1
  - path_regex: ^nix/os/containers/.+_secrets.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-vps-htz0
      - *sj-srv1
  - path_regex: ^secrets/holochain-infra/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *srv0-dmz0
  - path_regex: ^secrets/router0-dmz0/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *router0-dmz0
  - path_regex: ^secrets/router0-ifog/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *router0-ifog
  - path_regex: ^secrets/router0-hosthatch/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *router0-hosthatch
  - path_regex: ^secrets/sj-vps-htz0/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-vps-htz0
  - path_regex: ^secrets/sj-srv1/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-srv1
  - path_regex: ^secrets/hstk0/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *hstk0
  - path_regex: ^secrets/steveej-x13s/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-x13s
  - path_regex: ^secrets/work-holo/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-x13s
feat(router0-dmz0): AP with dynamic vlan filtering on central bridge 2023-12-28 10:38:38 +00:00			`# This example uses YAML anchors which allows reuse of multiple keys`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`# without having to repeat yourself.`
			`# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml`
			`# for a more complex example.`

add sj-bm-hostkey0, bump steveej-t14, rework NIX_PATH and zsh 2023-11-23 17:14:15 +01:00			# use `ssh-keyscan <IP> \| ssh-to-age` to get the age key for a remote machine
work on remote dev set up on sj-bm-hostkey0 2023-11-24 11:34:17 +01:00			# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`keys:`
			`- &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B`
			`- &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl`
secrets: rename steveej-x13s{-rmvbl} and update key 2024-01-23 09:40:21 +00:00			`- &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6`
feat: migrate all containers and hosts to sops nix/os/devices/sj-vps-htz0: bump versions nix/os/devices/elias-e525: bump versions nix/os/devices/steveej-t14: bump versions nix/os/devices/justyna-p300: bump versions 2023-07-09 20:15:06 +02:00			`- &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm`
			`- &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00
feat: init srv0-dmz0 2023-07-06 22:42:24 +02:00			`- &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv`
sj-srv1: init with restic backup 2024-01-18 21:06:45 +00:00			`- &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv`
feat: init srv0-dmz0 2023-07-06 22:42:24 +02:00			`- &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3`
router0-dmz0: update and tweak wifi 2024-07-26 14:01:59 +02:00			`- &router0-dmz0 age1vr69hfmjgkqu47g5hjacet6n2tq4rhwnvdrmfa6n6l7fkqvvafnsaccf8u`
feat: migrate nfmnk to ifog, add hosthatch 2024-06-08 21:04:38 +02:00			`- &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00`
			`- &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4`
rename sj-bm-hostkey0 -> hstk0 2024-07-26 13:47:57 +02:00			`- &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0`
feat: migrate nfmnk to ifog, add hosthatch 2024-06-08 21:04:38 +02:00
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`creation_rules:`
			`- path_regex: ^(.+/\|)secrets/[^/]+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
			`- *steveej-t14`
secrets: rename steveej-x13s{-rmvbl} and update key 2024-01-23 09:40:21 +00:00			`- *steveej-x13s`
feat: migrate all containers and hosts to sops nix/os/devices/sj-vps-htz0: bump versions nix/os/devices/elias-e525: bump versions nix/os/devices/steveej-t14: bump versions nix/os/devices/justyna-p300: bump versions 2023-07-09 20:15:06 +02:00			`- *elias-e525`
			`- *justyna-p300`
feat(router0-dmz0): init bpir3 based router 2023-08-10 21:45:49 +02:00
			`- *srv0-dmz0`
			`- *router0-dmz0`

			`- *sj-vps-htz0`
sj-srv1: init with restic backup 2024-01-18 21:06:45 +00:00			`- *sj-srv1`
rename sj-bm-hostkey0 -> hstk0 2024-07-26 13:47:57 +02:00			`- *hstk0`
feat: migrate nfmnk to ifog, add hosthatch 2024-06-08 21:04:38 +02:00			`- *router0-ifog`
			`- *router0-hosthatch`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`- path_regex: ^secrets/steveej-t14/.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
			`- *steveej-t14`
WIP: x13s: install to nvme, refactor into module 2024-01-22 22:50:51 +01:00			`- path_regex: ^secrets/desktop/.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
			`- *steveej-t14`
secrets: rename steveej-x13s{-rmvbl} and update key 2024-01-23 09:40:21 +00:00			`- *steveej-x13s`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`- path_regex: ^secrets/servers/.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
			`- *sj-vps-htz0`
sj-srv1: init with restic backup 2024-01-18 21:06:45 +00:00			`- *sj-srv1`
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`- path_regex: ^nix/os/containers/.+_secrets.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
feat(webserver): switch to caddy, add authelia, lldap, switch hedgedoc to LDAP auth 2023-07-15 21:20:45 +02:00			`- *sj-vps-htz0`
sj-srv1: init with restic backup 2024-01-18 21:06:45 +00:00			`- *sj-srv1`
feat(webserver): switch to caddy, add authelia, lldap, switch hedgedoc to LDAP auth 2023-07-15 21:20:45 +02:00			`- path_regex: ^secrets/holochain-infra/.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
feat(router0-dmz0): init bpir3 based router 2023-08-10 21:45:49 +02:00			`- *srv0-dmz0`
			`- path_regex: ^secrets/router0-dmz0/.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
feat(sj-vps-htz0): separate secrets 2023-08-11 18:49:31 +02:00			`- *router0-dmz0`
feat: migrate nfmnk to ifog, add hosthatch 2024-06-08 21:04:38 +02:00			`- path_regex: ^secrets/router0-ifog/.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
			`- *router0-ifog`
			`- path_regex: ^secrets/router0-hosthatch/.+$`
WIP: add router0-nfmnk and connect router0-dmz0 via wg 2024-05-25 21:23:43 +02:00			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
feat: migrate nfmnk to ifog, add hosthatch 2024-06-08 21:04:38 +02:00			`- *router0-hosthatch`
feat(sj-vps-htz0): separate secrets 2023-08-11 18:49:31 +02:00			`- path_regex: ^secrets/sj-vps-htz0/.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
add sj-bm-hostkey0, bump steveej-t14, rework NIX_PATH and zsh 2023-11-23 17:14:15 +01:00			`- *sj-vps-htz0`
sj-srv1: init with restic backup 2024-01-18 21:06:45 +00:00			`- path_regex: ^secrets/sj-srv1/.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
			`- *sj-srv1`
rename sj-bm-hostkey0 -> hstk0 2024-07-26 13:47:57 +02:00			`- path_regex: ^secrets/hstk0/.+$`
add sj-bm-hostkey0, bump steveej-t14, rework NIX_PATH and zsh 2023-11-23 17:14:15 +01:00			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
rename sj-bm-hostkey0 -> hstk0 2024-07-26 13:47:57 +02:00			`- *hstk0`
secrets: rename steveej-x13s{-rmvbl} and update key 2024-01-23 09:40:21 +00:00			`- path_regex: ^secrets/steveej-x13s/.+$`
steveej-x13s-rmvbl: init with minimal setup this configures a standalone USB device that doesn't need configuration of the firmware's EFI variables. 2024-01-21 21:08:01 +01:00			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
secrets: rename steveej-x13s{-rmvbl} and update key 2024-01-23 09:40:21 +00:00			`- *steveej-x13s`
feat(zerotier): make os snippet and add custom options a way to disable autostart for zerotier is beneficial to not accidentally connect on each boot while still being able to connect on demand 2024-03-01 11:21:37 +01:00			`- path_regex: ^secrets/work-holo/.+$`
			`key_groups:`
			`- pgp:`
			`- *steveej`
			`age:`
			`- *steveej-x13s`