From 4f901d4367b499a68b67380910eebf7a90049c4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Mon, 30 Mar 2026 01:25:43 +0200
Subject: [PATCH] feat: wire up sops for cube and reencrypt secrets
---
 .sops.yaml | 8 ++++++-
 secrets/common.yaml | 51 ++++++++++++++++++++++++++------------------
 2 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index c2c129b..c5abf03 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,6 +5,7 @@ keys:
 - &tower age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
 - &fw16 age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
 - &floo age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
+ - &cube age15cktenavt5v7zm84se36jtly740syca5nw8em8edx404n5x2ddws8jn29g

 creation_rules:
 # per-host secrets
@@ -23,8 +24,13 @@ creation_rules:
 - pgp: [*matej]
 age: [*floo]

+ - path_regex: ^secrets/cube\.yaml$
+ key_groups:
+ - pgp: [*matej]
+ age: [*cube]
+
 # shared secrets (all hosts)
 - path_regex: ^secrets/common\.yaml$
 key_groups:
 - pgp: [*matej]
- age: [*tower, *fw16, *floo]
+ age: [*tower, *fw16, *floo, *cube]
diff --git a/secrets/common.yaml b/secrets/common.yaml
index 4ba007e..04a2051 100644
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
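Review bot: The `&cube` recipient added under `keys:` and appended to the `^secrets/common\.yaml$` rule carries no record of where the public key came from, yet that one entry lets whoever holds the matching private key decrypt every shared secret. A comment above the anchor, for example `# cube: age recipient for host cube, source: <where the key was generated>`, would let a later reviewer check the value against the host instead of trusting the diff. Whether the neighbouring anchors already carry such comments cannot be seen, because the `keys:` block starts above the first hunk. The new `^secrets/cube\.yaml$` rule matches the existing per-host pattern (anchored regex, escaped dot, `pgp` plus one `age` recipient in a single key group), so no change is suggested there.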
@@ -4,42 +4,51 @@ sops: - recipient: age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVzB0YkFIM3Y3KzVQMHZE - K3gzd2M3K0tKa2E3YmJKVVlSeG5hUkY0dnlFCkQrbDV6N0pMaWF3NHorTXRLdnAw - NEgydG9SMllSdnR4Vm1qSkR1Y2dKNVEKLS0tIE5TbllNTjQrWkFMQmIrODBWWjVF - ZmlCSzJvZ1p4eTR3OHNlcktaOE12T3MKUkhzkVqQ5P2+jD4BBHN/dFmoeK9oyAy/ - 9qO7miin10kHTGAOBWXybkt8jXdbY8+gvqjAIYqE/u0ESUW0z+UvKA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOU9BTksxbXdjTkExRDJV + aFhVbUFGd1ZSeHFBL0lJRjdSRDRjcjl6ZEQ0Cjg2TFlNZENUWTh5aWNGck52TWFx + SC9LS0FrelFCWUI3RUZjdCs3cXF6aDQKLS0tIEwwTWkzOXgxUC9iTFgrQ0szRW8v + cGFMa2Rqd1VvWjU3Z2pUdExsdnJUT1EK9iQiW5qZszu65b0wEeq+9JnzzhiAS7fo + BmR9OWbDA4GZJBEPBJFD8KxIcO/BYFOjfW2A9PZaTsTpa50Z6+zWxw== -----END AGE ENCRYPTED FILE----- - recipient: age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaXNCMEh1NUNsS2VacDI1 - NFVsK1B6cjE0Y2gwbFA3NGN6aGdoSnBNcVM4Cnhzamx5bFY3UlV0VGRqdk1jN3A5 - K3RFV2dGTi85cTZialB2THBuTEg5a2cKLS0tIFBWWW1waFdCWEFFNUhQa25nSDFE - VnhJa1lhakxVQ3RWZi94K0IvUnN3QmsK/3FYCP5Py3G8NYsCAsKuHx2u4w5O/xBE - +PJD9Zan7CDurKVkGz/7QoCgD6OPQ7h+Mw1Px2iVKZ9RsfxCU7CF6g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPczdWeTRxalA1M3R0S0Qr + eGdtZnJxaHllZ2lKMXJUZTN3VWhhTnU1TFRnCjM5OHoxMnEzKzdQelZEQ3ZZRFpt + aWRzaTg4dUc5OXpQUngrVmtSRkk1Q3MKLS0tIEZOd0FyMFRlRElWbjlHOVVkZlZP + eEhwRVRrcVgvQUx6bi85YWxDYjJZa28K7Hrk4fAqbjeYJfPJODvsth1p8JYbsfMf + a6gTckyeQWTNlE+1Tw6g18lvMP1dzIAYRPHtyzmxeCaETVMmSn7XxQ== -----END AGE ENCRYPTED FILE----- - recipient: age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QXRBdWNod3RvUmV5SUt2 - TnVWbjVpODBwaHF5SDlqTFNqdFlKRlFvWEdRCnowbW1DSEViSXNoMlpQQ0tDZjhH - QVcwZytEYUhYZkw1R2N6QUk2Y3NkbGMKLS0tIDYwSU9SQzJEcm5abGR3TUtUTEpw - 
eVltZlM1c2d0OVZMWnRRL29ZWGZqRTAKujJHoH+wAB9NtzTF0i4nMIv6dHUXQ4mN - HJXXEAGRb7hAYRm2hn8ABtoqs61qvIqiOATcHSnE/NucOrQ68CidQA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbUh0U1ZDc0ZOKzhxZ3Yv + ZHRwbzBIdVNsbEJmU0h4ZnpuTlNHSFdwRlQ0Ck1BREhlVFQ3bnVKajVlTGUzRjhN + cWpna25Ya1hoZG1ybFZ0REpCNTFTZmcKLS0tIG5ZQzNIWmd4a3J6YWxDQjYyY2px + Y085TkhubS9MSjJtMmZDakdZd2RhR3cKlGH906WAhXNDKwaWqHRoYO9bgiZau0ay + 8ph3OLOVmrENPW3Othf17NDRet/nATFYZghBU/CI5CvZjr9n9SDYMg== + -----END AGE ENCRYPTED FILE----- + - recipient: age15cktenavt5v7zm84se36jtly740syca5nw8em8edx404n5x2ddws8jn29g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRG5zRkxOT0RyeXVpTDJu + TSt2SFFtSlFrSTk1YUZBMnAxTEM3dnFnQkFrClA0cnVpMkdsQWxCakNEZm16OEVG + dHFIUDA3TDJLdytySEJJMSsrMGZHcTgKLS0tIHhvdWNXaUthbDJqMWVYeWxuOGpL + L0lEZ3FVbmlOcndGUXUybXA4RDA2alUKQo5ctVmARPNY0POf2Ft6AxjwIN1N06C7 + ft4YX+B4D61tUZ+uvFqHzmKsNpvDdoV81zxvGnnCnv0nSXwNghPFxw== -----END AGE ENCRYPTED FILE----- lastmodified: "2026-03-29T23:11:10Z" mac: ENC[AES256_GCM,data:XY5wElDn+YD4UHSIGd9Ru8ob39gJVE8VE5gqJJkmzF/xERXp7re/d/6RXxoYDgYS0qUnn8c2VFzJxCvakmV/lPLA8YulFk/ZDysEVn+U3CbfTIkjXcJzewJNz0N+hQKeVaCzPfWeB5oaGtB8bjxOg+GYz2TmSvEAT+kO1U/4Klg=,iv:QOlZ4O+eqvOS9/guc+RmWgVDgPzskb4WIlzyT/14MVM=,tag:ziJE9Yytlr680EpSnBGmdQ==,type:str] pgp: - - created_at: "2026-03-29T23:09:25Z" + - created_at: "2026-03-29T23:25:01Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DPaEEpDtHdk8SAQdAeOAy5jmbFTr4UInI64Dwvb8hMTULgVAhqPPLZFOGTl4w - h0B0BzvOW52J67eWcvctbM1PFCmKX17JspnW/x1tEORFB9A9mR91DrgiMuLHVv5g - 0l4BhWxhsMqsKkeCaNYLz7NfIG5FlolLJbZABKdRZs6xX6pAzkWxj3cLWkc4iuRF - rE8W2lGN5Yd+luFn7Uxjc8TbQ/dbQ2y5ln0lmxFhFc1+Ka8aQ7S6liNvEvKvK2t8 - =gtNK + hF4DPaEEpDtHdk8SAQdAPlvxgVq9o2boPPXWWwV6X3TjHZEl3lm9OcOj7lbsQxsw + 5PTrX1rIV73XbRQUdFlnoYpUAwxh3UPULyA4+19fvCooC3L0FxA8e4wTiAdw6SKE + 0l4BImy4sTiM8hNHXqB6u4rj3LbykCjesQve5C3fut62RV8x4cqUJHAB/aumQINT + QRXErylKmqo3h7ReRrCm2oOELauv4JFKNPi/cTE0MNh1+w9JxjoASoBufozDOxe4 + =vIK+ -----END PGP MESSAGE----- fp: 
AF349EECC849D87B790E88FF6318FFB7DB374B7D unencrypted_suffix: _unencrypted