finish nomad, add consul, sops

2026-01-25 14:42:55 +00:00 · 2023-11-19 23:54:43 +00:00
parent cfd6335ea1
commit 5ce7ffc29c
3 changed files with 51 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -14,3 +14,11 @@ creation_rules:
      - *StuPC-WSL_NIXOS
      - *go3_WSL_NIXOS
      - *ODROID8
+  - path_regex: secrets/.*$
+    key_groups:
+    - age:
+      - *adminkey
+      - *STU_ID
+      - *StuPC-WSL_NIXOS
+      - *go3_WSL_NIXOS
+      - *ODROID8
--- a/modules/consul.nix
+++ b/modules/consul.nix
@@ -20,18 +20,22 @@
  # myPkg = oldpkgs.consul;
 in {
  # virtualisation.docker.enable = true;
-  sops.secrets.consul_encrypt = {};
+sops.secrets.consul_encrypt_json = {
+    sopsFile = "${secretstore}/consul_encrypt.json";
+    device_json.format = "binary";
+ };
+
+
  services.consul = {
    # package = myPkg;
    enable = true;
    webUi = true;
    interface.bind = "end0";
-
+    extraConfigFiles = [ sops.secrets.consul_encrypt_json.path ]
    extraConfig = {
      bootstrap = false;
      server = true;
      bootstrap_expect = 3;
-      encrypt = config.sops.secrets.consul_encrypt;
      performance = {
        raft_multiplier = 5;
      };
--- a/secrets/consul_encrypt.json
+++ b/secrets/consul_encrypt.json
@@ -0,0 +1,36 @@
+{
+	"data": "ENC[AES256_GCM,data:6m0aFztZK6zR1XcY1Ok3vbTrsCNvtM0XLT7C+XxkJwyzZ4XWRmsbyYVrFI6UEoqZAkTbHT6yTqSnCYI74w==,iv:GfWMo4xtantgsNqhi88ZspcmkLwIYhNi0gcTDeMtVdM=,tag:X65OgsVdSZ+0zpLcwrAONw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1jvqe2j70h97844nkz34z9k4epx3uahx50cx75ss8mty2dnxlrf7qqv9a0g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVS1hzVFNLODFMNmk1b3dv\nVS9RU1hsYkNlcWJyd25XemlxVE82VU9rVkNNClVadWJsTDhycWtmbloyRHBueU0v\nZ3Nwb0Q1cHVBa2ZtMjMyNjVTaTgzbzgKLS0tIDJ5d1Z3OE10QTlGbEZPdE5vUG5U\nRTZGR1NNejRUWnMyTzZ0UGZTUVJTY28K7PxvVdrH7VzoG7ytwgFNNnluiDzY97FL\ndrfHEYRh0ydNgTxTbfrB8H8VXgM/PL2XYhQHF7USf56D/MNy+QmHMg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1r86w07gy3nm2ltkqx7wcv94wzneeqmqvcm88nzw4g902kdgwgvdqvjumrj",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYWhDMHp1NXRYYUZTU24w\nSmhGcjZzUXZscVlHZUNpdFUrZnV6MGU4cGdzCjFDUkpnR083V2k5bmdnNUN4VCth\nNEhYbFVkb2oyRWJiUDVCelp2SDA0S0kKLS0tIFM0SWt0cXdRNkZGTklpSDRYa3Bn\nd0lwZ2JvZTZHeTN4OTArUEFscGw4U1kK48+23AWynj4gfzzrJrFfGap5+b1MbB6t\nKbZ+sTQkt9wh8Sb+DzmPJfLxSZQCBXxkxJMu4+ueOu0sWK62f69uNw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1t6zzuxzzlfvqfhcvj3vyngfguxrw960c5u9hjwd05k5q9zp7l3gqyjatew",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTVZUdWlIemwwR0pKU1J6\nRU13ejVJRjRjRnhnaTZHVVZXSXZqRnhLdGhnCjJoOXJRblVHRjl0YUZMeTFzL3ZF\nTVRDWGxRKzlUNHZveTAzejhvV0R1cG8KLS0tIFB3cTFEeCt4dFpkV21RdG1zYzE3\nakE2VkdtWk5qY08wZjBJNS9seEFRNFEK80oL/CqaYcnpg2uI3fVXZuGfN7NCnrYz\n259Ng4UgHIamP/g0J13hpWE101s/wHAb14vvDHRX4WHo1KRADBLvfQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age187fdx6pc2559tjh03jrcwp6yj8whd70h666g8a0ptyr0z49tfcsssdx6au",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNVVKNlI3ZFF5WW5zcEdI\nSllMSlFvU2xITGVlcXU1OU9OTFVETmMyQ1JNCjlDbll5OXk4M0Zkb05TdnNrcVNS\nUG1IRXE5enhROE5BY0RkWHI2YkQveFUKLS0tIGRSazl2UTkzWlF2dmJkcCsxbmFy\nTnBZaDVaT0VXU21nK0ZLc1ZwcE95ZHcKKCAf3iGOu7sImnPWjssfg8hLbGZfDjf7\n98vn7sVDK+8WwtBaWUifAfcwnpNf9EvxGu7qkNAQTvzEN2awETok+w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1m3zny0wn4smrwhjrvw8qay8438l06v49h0fg4s3c6mpjyuq28vwsp5wvdk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRitUNVV5dGxXaURndCt4\ndmRZdnh5RkNmZVp6dzZUYjVXeUROblJNQjBrCitCbTNsUkVielBTTnhHc2txV0Mz\ncExwMy9WUndVNWxabVE3WUhDdHMrMG8KLS0tIGR1NHhKUGliQzg3bUhNM3NiME5N\nSmw2QlRZT3BCcW5uZTZnMlA3Um1sRUUKkFWOd5LgTCNjjvGTsSaadxD1Ixx3hb0Q\nOCHwpHplYpjxF9C4EFDqiRwoj+JwtKU1E4w0x0LV1/xhCZjLLGlskQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-11-19T23:52:37Z",
+		"mac": "ENC[AES256_GCM,data:mCPJ5NxiKqxwl5sNUXuSlEALOzhk+eam+gLSNUAUffkTUMQzI2hXvbZxuUPGPqGrYbtoY3WRbR3Lzk4LpBO7tPsNsrSOr3R1lScYQjzaahnNOzMec5bwAGQ8biE676yvjBL1slhZ1AEqqlZsxdenif/Zf3V5Ro4MzxZGI2RZ/zA=,iv:jHSUZFh/IzfPXpj8SUQJD0oBs6fElvR+XC2HozD9JeE=,tag:v+Pyhe1Ov7L09Qat/NJGsw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}