From eb1d4559a094ce24093f12135848a400d57097b0 Mon Sep 17 00:00:00 2001 From: Lander Van den Bulcke Date: Thu, 18 Sep 2025 10:30:22 +0200 Subject: [PATCH] feat: rekey to include heimdall Signed-off-by: Lander Van den Bulcke --- .sops.yaml | 4 ++++ home/lander/global/secrets.yaml | 35 +++++++++++++++++------------- hosts/common/global/secrets.yaml | 35 +++++++++++++++++------------- hosts/common/optional/secrets.yaml | 35 +++++++++++++++++------------- 4 files changed, 64 insertions(+), 45 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index cfb8166..b602e71 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,6 +1,7 @@ keys: - &lander 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh + - &heimdall age1qjl8ql869njgtrytle66ylnnvesxje4nt6jayfwru3ghh002nuzs683n3g - &db-01 age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn - &hosting-01 age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv - &hosting-02 age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt @@ -11,12 +12,14 @@ creation_rules: key_groups: - age: - *wodan + - *heimdall pgp: - *lander - path_regex: hosts/common/optional/secrets.yam?l$ key_groups: - age: - *wodan + - *heimdall pgp: - *lander - path_regex: hosts/common/servers/secrets.yam?l$ @@ -50,5 +53,6 @@ creation_rules: key_groups: - age: - *wodan + - *heimdall pgp: - *lander diff --git a/home/lander/global/secrets.yaml b/home/lander/global/secrets.yaml index 8e312aa..4fb0a0a 100644 --- a/home/lander/global/secrets.yaml +++ b/home/lander/global/secrets.yaml 
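Review bot: The new `&heimdall` recipient in the `keys:` list carries no comment saying what holds its private key or how the public key was obtained, so a later reader cannot tell a host key from a personal one or re-verify it. A comment above the entry would record that, for example `# heimdall: age key for host heimdall, taken from <where the public key came from>, added 2025-09-18`. The existing entries have the same gap, so documenting the whole list once would keep it consistent.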
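Review bot: `- *heimdall` is added to three creation rules with the same reach as `*wodan`, including the `hosts/common/optional/secrets.yam?l$` rule, whose file holds the restic repository, password and environment values. If heimdall is a host that does not use those optional modules, leave it out of that rule, or state the need next to the entry with something like `# heimdall runs restic backups`; the `path_regex` lines of the first and third rules are outside the hunks, so their scope cannot be confirmed here. The rekey re-wraps the existing data key rather than rotating it (the `ENC[...]` values, `mac` and `lastmodified` are unchanged context in the secrets files), which is fine for adding a recipient, but removing one later needs a data-key rotation and fresh secret values. Separately, on the context line, `yam?l` makes the `m` optional, so it matches `.yaml` and `.yal` but not `.yml`; `ya?ml` is probably what was meant.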
@@ -1,31 +1,36 @@ inuits-mail-pass: ENC[AES256_GCM,data:0MqpjT2mmKs9UiY=,iv:yFo08gU4jfocr8yOQKQPBl49lOeE1QZrdsdjjOxp0dE=,tag:o2mOPnNJM0EXvkRep5w92w==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNjFaMmY0cE5QSWZyUmRh - VnB1cWJub1lZcWZhQjdJMlJCM0tjV1Eya1RVCjlHODZGQVF6R3N4WDd2dlk5WGRU - YlB5eEFDMFcyU1pvM2ZOZjB6dW5uaFkKLS0tIGRvaU1kS2RZc3E0YVUyNy9CSTA0 - Zm84S0dCNmtUeVJwd3JsZFZTZ0NJUjAKS4z1n4Tns76En2Hj+bzxKK9O/8xKvMIW - 7frvaBMIIXN2hZkaGbDladav4Z4h858Pr9QG9pSTvIDlVYnapWYyiw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNlo3aFU5cnVUQVNxUDZ5 + SjY4VndITCtsOSsydkJrWjVJOWQ3aWR6OEZZClNwblVWemdQZTJmclcwSzBZV2xX + SXg4dTc1Wkh6NWtpWFhpdnAzZWw5YTgKLS0tIGFUdGtNT09oUlk4MVRNZEtFWVRW + K3BWWUdMcG9RVDBROS9sNmJJNkJUQWcK7bQPtL1Bbzm3DPclbxebByXRPlNNIh3f + xeH+tVOhPEW6BqjwH3s7GYKtmny+ZpF9ppP+KQjzDQKh7sdZtA9nDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qjl8ql869njgtrytle66ylnnvesxje4nt6jayfwru3ghh002nuzs683n3g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYWV5aE92eER3ZzZjOWE5 + M0FMazBmbzRkZ001TitsV3VCWDVRZldIckFNClQ1cm16bVg0QWVKc2RXdmNseTNW + d3lvbytHcGFLZFZzYjlkcDdYamlhbW8KLS0tIHZHK1c4cXg1S3Z2aTR4RjN5ZU5Z + SVJPeW1XM0RPWWI5L0wzSmFmNWRnZ3MKKbpkILPQB7dpzZQcU45g/4SfCdo8+UJK + 7hrCYeiae9zHu2CfrZqVMkCnAOpda8lL0INLNnrS9hDRNdk3LBLapQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-09-05T06:11:39Z" mac: ENC[AES256_GCM,data:SVdNtwrN7MEtXMdWKLQXR9BRlRaYvOBRDLmoDZMkX3t3dlUMR5m5m/btpal1+nPkYjUk58q0hSGA94BREdDTpMYHmvr0V+tWnKsmE8j7r51plN1Dp/4sfgtZBgaqHD2IRDGLI4pW9GCg2fXIxB+BGC6GNU/ZAVbhB4bmzNfFqOY=,iv:ElCt+fJFSjsykoiIS9XO9ViaBJ02Oi169YnUeHiATPk=,tag:vR/KXyuRMnWtW9uXIHNwUw==,type:str] pgp: - - created_at: "2024-09-05T06:11:29Z" + - created_at: "2025-09-18T08:29:55Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hF4DARdpY4woM6wSAQdAGSK2AVRQnRUm4xQfA3XsO+PMCN9Gss9+jJOKD+npryYw - DcwFC5udj+M+XPa3Ggk5WK+vC5hkvUrvwsPqILqzJSv7aiSRqmDyoxTVcsVsIXEP - 0l4BXgG9tcQMTu5SjVkeVi5YrS+4GPjmSGXUm83BcJ27CHHv9coGu7wb53KotC2N - xBNBWLrhn37jXovF2EFAMI/CBXU6svqDKYoFHXZpW06LLw/F7EgKd2zHReRVHuwj - =ETqP + hF4DARdpY4woM6wSAQdAFEieEviKo3vWoXlyXVCr1dAzMVuVpTlNA1gOflXjz0Yw + utn0sKwCWxYVRjzUFNW07c2qsNJcttqXk8+/1NzvnXQDF6NxSm5JO7QKjsx/BTL7 + 0l4B4B1tHqBuNZluTQzKk8sffiqbumUlS5gAWtmxK5DhQ4edgz4aS1ZR2XDTPxBl + NddOSjNdUCUGy4+H/GOZgEdbAdhNdyy7Qj9ZiBxIDDjUDTJ0hhIOG+aEv5APrzXm + =J41I -----END PGP MESSAGE----- fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 unencrypted_suffix: _unencrypted diff --git a/hosts/common/global/secrets.yaml b/hosts/common/global/secrets.yaml index edd1931..bf8b724 100644 --- a/hosts/common/global/secrets.yaml +++ b/hosts/common/global/secrets.yaml 
@@ -1,31 +1,36 @@ inuits-mail-pass: ENC[AES256_GCM,data:FgZZfDIPcJc4Vn4=,iv:e5yq7bi6peOrf7eehi0860eEY9dFYFjuVOmGOyxSAKY=,tag:V/hY/9zW5Z7NqhW2fzdt2A==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3amZHakdya085QjRCVWN5 - OWM0OWh2OVBpYmxYTWVXdXkyck9iVFVJd2dVCk1zU2x0eFNPRmpUcUFTMWpBaHQz - a0ZzTEF0TUlkTmpXV1VEN1JaTHQyY3cKLS0tIEttMmE4UGlIU05oNFR3RnZiNkNU - Q3UyUzRBZW9YNjlVdDF4akRjcEd5K2MK2c3KfLBgnorRQGvW0AcnJmZTc0rJ9BKi - fFuBpIU5GWyd4BvNMF30ChEfJr/CQ3Zh3YEowquVajtBlUGt32nePw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0L0tNblo0dFNPVitHZ09p + ZisrQ0ZEbDh3dUZNd3lZYUg5eXNiQytnbVE0CmhJb2tDTUFEeW1jRnhrbnFuaGtm + SE1SMzRKY2JFZ05wMUdyclk1dVJvdzAKLS0tIExsbTFBSmc0L0RXVlhEc2xzKzdW + eEpDL2IvdlVSRWljZGFIMDVWdXdiUjgKsGY7+Qc2baHCuTeqDokf0rxBOWaFdzbL + aDXMGXRMeBWGMMOkKzMNl6+PZOSv4SpwuGYYRoArWpp5AAN0oqeqXw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qjl8ql869njgtrytle66ylnnvesxje4nt6jayfwru3ghh002nuzs683n3g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WkZvT1BCV2tsU2JLN2xV + SW1vOU5tdUVzbjFzYXJ5VElyZnhtd0VyV2tnCjJqNEhmanRQUFliQlJWR1Uvc2R6 + TjBMcFhpZm5qU0dETVNJV2I1K09URE0KLS0tIG0wRXN0ek9TUk8wdWJxMUdkOEcx + dXBrM2JSUmlsTk42Rkg4UnRZejNBVUkK7M3m6+h+bcVufwNYTV6aXGiv7CxpR/KZ + xPtQXAUX+pGff3Vu6oAT0aYHJbaGbeapNVGtvPSXfl6T5JVUFW74tg== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-08-29T14:26:20Z" mac: ENC[AES256_GCM,data:4yvj8696SpXsEucOShKjMKIiFcq7L0B6KpH6CFw3aIFslMKa1Wa8aQp64F9pF9grWi9LcXG6btL/iOhPvDXeW1VRwtckzuzhFnI+PMuxJmYVNZHvDkUNBpshCI3BvRzEixpqtwXq36AXtrPoHC39ieQy8EIxpJjMksCODyZyBms=,iv:JcbMRmJwEoRgSx1n9Gb6RzMzZvb/3UiEyk3lBvhYF8I=,tag:BKPx2ZTRkNWRNljkrVyoCA==,type:str] pgp: - - created_at: "2024-08-29T13:58:05Z" + - created_at: "2025-09-18T08:29:31Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hF4DARdpY4woM6wSAQdAwnsdN5NJNjxX8y4uZsQ7KCSSSjsUpN7uCuo634KQPyMw - uVb6m7wa3SfMy6ex6QZqvVDr8hIbFhmB7SwQ0EpcnK+axnMn8ni1fsfRY007+H0e - 0lwBZRErE5y+N+9P16FNnEJfnO2KxtrOIYgIPAeds1mFF6OmbUe5bnWBtl/U74nP - XfuG9segRf/1Alma43FlflacJ5koaxwItj8MSVwsG0YX//78O++h5Wy8JnC1QQ== - =wZyC + hF4DARdpY4woM6wSAQdA+SKggTeVF9E89UzFdgRopXtmDcaVuc9oKKzDlWDpBAsw + qbMTw5nN9TejyZtA6Vs0p48xpSARhtOWiMo/MPfTjtqtYk8/2M7ZCnbqQKLYR23e + 0l4B1PkPKPd3zA49sWSDM4QdDLK7GUxTrTorR/7NWKtmp7o5VtC9YMv0Nq1s6rn0 + q1+CoieqEDGBmcvOk5K9eRaqWCd5Gt4bsSOdrzAi2mWE+e0+VkNTzpsUKLZq1fFP + =7Bvu -----END PGP MESSAGE----- fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 unencrypted_suffix: _unencrypted diff --git a/hosts/common/optional/secrets.yaml b/hosts/common/optional/secrets.yaml index 198807b..5362372 100644 --- a/hosts/common/optional/secrets.yaml +++ b/hosts/common/optional/secrets.yaml 
@@ -2,32 +2,37 @@ restic-environment: ENC[AES256_GCM,data:CkgRnXNGAsVlWWPj4pvADpNTPyufafaO745vySUB restic-password: ENC[AES256_GCM,data:BsJ7fkoeZHxGbKP7YGuD13s1feYWeVj+hg==,iv:vmpWp/vWBt2bw61p43HTp7fuTKOX4k7io/HGt4yPPo4=,tag:f3pfbcWqccKJ1fI00AyKLA==,type:str] restic-repository: ENC[AES256_GCM,data:GAm8+hE96byqeyIb9qQ7QCstBYd0j+WIXp69quZ/f8joH2fUst/Kxb18mOKQozlu6Q==,iv:VQYZmGv+fyyYWUeAQTNiwxhAwR6o0LRw2s6G4lYkkDQ=,tag:P0bAsB3Wp9Vw7YH73XspIg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Q1BObXBYUFhXdStEbWFa - Z29mZXp6NkJZbitZcjhibkl4UGlBazV2MGc4CklZSG82bU9oMUt1WUpUamt2QmpS - VDBqWHBQZGl0YUtXOTFSOThOeGk1YmMKLS0tIFJkSlhibVFwVnl0WHl4aUd4ajRm - RWRuU0tKTzNQb0hwZHZJYlhjZ2lJYkUK6T9iTfsfgajho1UUgcYTQa3ppT0CaoT7 - rVLOyhLGHZLoBkmAm0gTJ1SOFHOyYZMbRMvN2saSLgMIiCuvXm4eEg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWlLQXNWQnV5T1pJbGcy + R0lBY1M2WHVwU3BZeDk3QU4vckJhTUVhK1g4Cml0Mk50cDQwZlIwc2lxb0JwTGRK + YWRZWHZITGxsZFltbDBtb3AzVEx6S0EKLS0tIERvaUVheXl4NUlPS1pZNFlxQnVm + MlM1Ynord1JlWU1WYVJldDNXODdyTGMKyODudvM+gyGRaJgAcG+Fz1M5Ru7RfpPx + rIseYmLvyFjTqGQmXkV5oGwqq5jEZlJwBbxEjl9mHKRiYMjC//8Jtg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qjl8ql869njgtrytle66ylnnvesxje4nt6jayfwru3ghh002nuzs683n3g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZERqL2Y0M0Nvdk1RbU5Q + VEJYRGFBR29mQ01pZjd3UE0xUjRUZEU2cGlBClhVc0xNSm1PME80eVJoc0FObk5T + djlWUis5MHRCbDRKMkFpRHA1TldUWmMKLS0tIGNRL0JwVW9DSXR4czhHYjlSZHJJ + Sm0wclJuU2pZTnVKM1pPMFdkQ3QycHcKTrZzAZsH1fuwUyS7eWBDhuYX42puSRvX + WD+tDdWWSBjUWOxgnA9x9c+eHvKvydK2Ztuo5yFX61b2uP9aMkrVTg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-13T17:47:53Z" mac: 
ENC[AES256_GCM,data:qKEbUu0/kt4eM7JXCOl73hJ3IuHr6kr3A7Y0xdXKZ0A/5Ex2F2dgLRTtmFeEMdmm77dYr6PLm8u+eQ+FmpuMb59+q1Y3k/IUpaQXfBJ6qtQCX5lOxJrE9VpR84OIDVQZ7pKclXuNfc6H+MKlGEbmVRnpdJrd6lWxIkpgwmBLBRc=,iv:xh6ywlS7sn/BVpYpej7mmxV/Be33wvQYn/8glbMLnrA=,tag:iIixjf9VZ6OuP5Pgw0w/WA==,type:str] pgp: - - created_at: "2025-01-13T15:15:34Z" + - created_at: "2025-09-18T08:29:44Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DARdpY4woM6wSAQdAwVc6Y2JuSKZ+CfVXGcZwXGLPxd4qzYEYCXeVw6fUMn0w - 8nCY3GAdJR2doPeQFtakqulb6sNH+sA2eGSUS1B+MQ7HpxkungLAbWI0wpFYwnfw - 0lwB5Zz4+rRkhPTqQNudTSBHX018kR5/A6/jLslox6vaKesyPIFSMejJqFp3hmHu - 3QoK0HNLTCgmUw4OZsYtgPLw00KxDYNbUN6JY9H/MOuBT3Uwe4y8HXlffPXr1w== - =Csbt + hF4DARdpY4woM6wSAQdAhtZLnsE71OX18DaQHEW/BMpS/HtQyKCToYUxKgfmV1cw + Cq2OA4I2a/QN/uZeJVAkHjTrasTAK+g2AV5dKjQY2gnD0UXJFDgX9EtpjCPXnMWH + 0l4BNn+Alhf6CBs4k8WOVDV5+rtJRBrmfmMTutQ48279G0JNGEO1MrH8oC6uHzfF + 8SO4niqVL+jE6faaLlEktcVJUTs0HOHlmR7wmF5RHowgVbmYb6OJocv7cqgodhBR + =Dh78 -----END PGP MESSAGE----- fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 unencrypted_suffix: _unencrypted