From 676da8dca31eaf3ecc2b13111635c98a9243a72f Mon Sep 17 00:00:00 2001 From: Joey Hafner Date: Wed, 14 Aug 2024 14:26:52 -0700 Subject: [PATCH] #2 Move age files to homelab/.sops/ Separate "authors" keys and "deploy" keys. Add features to setup, encrypt, and decrypt scripts: - Validate input arguments - Set age keyfile and recipients dynamically at runtime --- .age-aliases | 16 ---------- .age-decrypt.sh | 10 ------ .age-encrypt.sh | 10 ------ .age-pubkeys | 1 - .sops.md | 8 ----- homelab/.sops/.age-author-pubkeys | 1 + homelab/.sops/.age-decrypt.sh | 32 +++++++++++++++++++ homelab/.sops/.age-encrypt.sh | 26 +++++++++++++++ homelab/.sops/.age-setup.sh | 27 ++++++++++++++++ homelab/.sops/.sops.md | 5 +++ homelab/dungeon-master/.age-pubkey | 1 + homelab/fighter/.age-pubkey | 1 + .../fighter/config/keycloak/secrets.enc.env | 30 ++++++++--------- .../fighter/config/traefik/docker-compose.yml | 8 +---- .../fighter/config/traefik/secrets.enc.env | 9 ++++++ 15 files changed, 118 insertions(+), 67 deletions(-) delete mode 100644 .age-aliases delete mode 100755 .age-decrypt.sh delete mode 100755 .age-encrypt.sh delete mode 100644 .age-pubkeys delete mode 100644 .sops.md create mode 100644 homelab/.sops/.age-author-pubkeys create mode 100755 homelab/.sops/.age-decrypt.sh create mode 100755 homelab/.sops/.age-encrypt.sh create mode 100644 homelab/.sops/.age-setup.sh create mode 100644 homelab/.sops/.sops.md create mode 100644 homelab/dungeon-master/.age-pubkey create mode 100644 homelab/fighter/.age-pubkey create mode 100644 homelab/fighter/config/traefik/secrets.enc.env diff --git a/.age-aliases b/.age-aliases deleted file mode 100644 index 660ceb31..00000000 --- a/.age-aliases +++ /dev/null 
@@ -1,16 +0,0 @@
-export SOPS_AGE_RECIPIENTS=$(cat .age-pubkeys)
-export SOPS_AGE_KEY_FILE=$HOME/.age/key
-
-function enc () {
- input_file=$1
- file_extension=${input_file##*.}
- file_name=${input_file%%.*}
- output_file="$file_name.enc.$file_extension"
-
- sops --encrypt --age ${SOPS_AGE_RECIPIENTS} $input_file > $output_file
-}
-
-function dec () {
- sops --decrypt --age ${SOPS_AGE_RECIPIENTS} $1
-}
-
diff --git a/.age-decrypt.sh b/.age-decrypt.sh
deleted file mode 100755
index ed9219e7..00000000
--- a/.age-decrypt.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# Takes one file path as input
-# Outputs to a new file with `.enc` stripped from the end
-
-input_file=$1
-file_extension=${input_file##*.}
-file_name=${input_file%%.*}
-output_file="$file_name.enc.$file_extension"
-
-sops --decrypt --age ${SOPS_AGE_RECIPIENTS} $input_file
diff --git a/.age-encrypt.sh b/.age-encrypt.sh
deleted file mode 100755
index 839925c3..00000000
--- a/.age-encrypt.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# Takes one file path as input
-# Outputs to a new file named `$1.enc`
-
-input_file=$1
-file_extension=${input_file##*.}
-file_name=${input_file%%.*}
-output_file="$file_name.enc.$file_extension"
-
-sops --encrypt --age ${SOPS_AGE_RECIPIENTS} $input_file > $output_file
\ No newline at end of file
diff --git a/.age-pubkeys b/.age-pubkeys
deleted file mode 100644
index f38e011f..00000000
--- a/.age-pubkeys
+++ /dev/null
@@ -1 +0,0 @@
-age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00,age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855
\ No newline at end of file
diff --git a/.sops.md b/.sops.md
deleted file mode 100644
index aa7f5b72..00000000
--- a/.sops.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Set up SOPS and age to encrypt and decrypt secrets in this repo
-
-1. Install [sops](https://github.com/getsops/sops/releases)
-2. Install [age](https://github.com/FiloSottile/age)
-3. Generate a keypair with age. `mkdir ~/.age; age-keygen -o ~/.age/key`
-4. Append the publickey to [.age-pubkeys](.age-pubkeys).
-5. Add the encrypt and decrypt scripts to shell profile.
-
diff --git a/homelab/.sops/.age-author-pubkeys b/homelab/.sops/.age-author-pubkeys
new file mode 100644
index 00000000..7137f672
--- /dev/null
+++ b/homelab/.sops/.age-author-pubkeys
@@ -0,0 +1 @@
+age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00
\ No newline at end of file
diff --git a/homelab/.sops/.age-decrypt.sh b/homelab/.sops/.age-decrypt.sh
new file mode 100755
index 00000000..0b8c4f1f
--- /dev/null
+++ b/homelab/.sops/.age-decrypt.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Takes one file path as input
+# Outputs to a new file with `.enc` stripped from the end
+
+if [ "$#" -ne 1 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+SOPS_AGE_KEY_FILE=$HOME/.age/key
+if [[ -f $SOPS_AGE_KEY_FILE ]]; then
+ export SOPS_AGE_KEY_FILE=$HOME/.age/key
+fi
+
+# Set age directory and default recipients
+AGE_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
+SOPS_AGE_RECIPIENTS="$(<$AGE_DIR/.age-author-pubkeys)"
+
+# Get host to which input file belongs
+FILE_PATH=$1
+HOST_AGE_PUBKEY="$AGE_DIR/../$(realpath -m --relative-to=$AGE_DIR $FILE_PATH | cut -d'/' -f2)/.age-pubkey"
+
+if [[ -f $HOST_AGE_PUBKEY ]]; then
+ SOPS_AGE_RECIPIENTS="$SOPS_AGE_RECIPIENTS,$(<$HOST_AGE_PUBKEY)"
+fi
+
+input_file=$1
+file_extension=${input_file##*.}
+file_name=${input_file%%.*}
+output_file="$file_name.enc.$file_extension"
+
+sops --decrypt --age ${SOPS_AGE_RECIPIENTS} $input_file
diff --git a/homelab/.sops/.age-encrypt.sh b/homelab/.sops/.age-encrypt.sh
new file mode 100755
index 00000000..068b9c42
--- /dev/null
+++ b/homelab/.sops/.age-encrypt.sh
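Review bot: The header comment of homelab/.sops/.age-decrypt.sh promises a new file with `.enc` stripped, but the script prints the plaintext to stdout, and the unused `output_file` it computes would insert `.enc` rather than remove it; I would change the comment to `# Prints the decrypted content to stdout` and delete the four dead assignments so nobody expects secrets to land in a file. `SOPS_AGE_KEY_FILE=$HOME/.age/key` also overwrites a value the caller may already have exported, and a missing key file is skipped silently, so I would use `: "${SOPS_AGE_KEY_FILE:=$HOME/.age/key}"`, then `[[ -f "$SOPS_AGE_KEY_FILE" ]] || { echo "age key not found: $SOPS_AGE_KEY_FILE" >&2; exit 1; }`, then `export SOPS_AGE_KEY_FILE`. Decryption is driven by the private key, so the recipient lookup and the `--age` argument look unnecessary in this script. The unquoted `$AGE_DIR`, `$FILE_PATH` and `$input_file` expansions, repeated in .age-encrypt.sh and .age-setup.sh, word-split on paths containing spaces and should be double-quoted.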
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Takes one file path as input
+# Outputs to a new file named `$1.enc`
+
+if [ "$#" -ne 1 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+# Set age directory and default recipients
+AGE_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
+SOPS_AGE_RECIPIENTS="$(<$AGE_DIR/.age-author-pubkeys)"
+
+# Get host to which input file belongs
+FILE_PATH=$1
+HOST_AGE_PUBKEY="$AGE_DIR/../$(realpath -m --relative-to=$AGE_DIR $FILE_PATH | cut -d'/' -f2)/.age-pubkey"
+
+if [[ -f $HOST_AGE_PUBKEY ]]; then
+ SOPS_AGE_RECIPIENTS="$SOPS_AGE_RECIPIENTS,$(<$HOST_AGE_PUBKEY)"
+fi
+
+FILE_EXT=${FILE_PATH##*.}
+FILE_NAME=${FILE_PATH%%.*}
+OUTPUT_FILE="$FILE_NAME.enc.$FILE_EXT"
+
+sops --encrypt --age ${SOPS_AGE_RECIPIENTS} $FILE_PATH > $OUTPUT_FILE
\ No newline at end of file
diff --git a/homelab/.sops/.age-setup.sh b/homelab/.sops/.age-setup.sh
new file mode 100644
index 00000000..3905eedf
--- /dev/null
+++ b/homelab/.sops/.age-setup.sh
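Review bot: `FILE_NAME=${FILE_PATH%%.*}` in homelab/.sops/.age-encrypt.sh cuts at the first dot anywhere in the path, so an argument such as `./config/secrets.env` gives an empty stem and the ciphertext is written to `.enc.env` in the current directory; `${FILE_PATH%.*}` strips only the extension. The redirect on the last line creates or truncates `$OUTPUT_FILE` before sops runs, so a failed encryption leaves an empty `.enc` file that can be committed by mistake, which writing to a temporary file and renaming on success avoids. When no `.age-pubkey` exists for the derived host directory the script silently encrypts for the author keys only, and a path outside `homelab/<host>/` can make `cut -f2` pick an unrelated directory, so I would at least add `echo "warning: no host key at $HOST_AGE_PUBKEY, encrypting for authors only" >&2` in an `else` branch. The fence shows the tail of the script with the first two changes and quoted expansions.

```shell
# … unchanged: argument check, AGE_DIR, recipient and host pubkey lookup …
FILE_EXT=${FILE_PATH##*.}
FILE_NAME=${FILE_PATH%.*}
OUTPUT_FILE="$FILE_NAME.enc.$FILE_EXT"

# Encrypt into a temporary file next to the target; rename only on success.
TMP_FILE=$(mktemp "$OUTPUT_FILE.XXXXXX") || exit 1
trap 'rm -f -- "$TMP_FILE"' EXIT
sops --encrypt --age "$SOPS_AGE_RECIPIENTS" "$FILE_PATH" > "$TMP_FILE" || exit 1
mv -- "$TMP_FILE" "$OUTPUT_FILE"
```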
@@ -0,0 +1,27 @@
+AGE_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
+
+# Check for existing private key
+if ! [[ -f ~/.age/key ]]; then
+ mkdir -p $HOME/.age
+ age-keygen -o $HOME/.age/key > $AGE_DIR/../$HOSTNAME/.age-pubkey
+ echo "Pubkey added to $AGE_DIR/.age-pubkeys"
+ echo "Remember to add, commit, push, the new key, and then re-encrypt all secrets for the new pubkey list."
+fi
+
+# Configure private key path, and pubkey list env vars.
+export SOPS_AGE_KEY_FILE=$HOME/.age/key
+#echo 'export SOPS_AGE_RECIPIENTS=$(cat $AGE_DIR/.age-pubkeys)' >> $HOME/.bashrc
+#echo 'export SOPS_AGE_KEY_FILE=$HOME/.age/key' >> $HOME/.bashrc
+
+alias enc="$AGE_DIR/.age-encrypt.sh"
+alias dec="$AGE_DIR/.age-decrypt.sh"
+
+# Configure the git filters
+# git config --local filter.sops.smudge $AGE_DIR/.age-decrypt.sh
+# git config --local filter.sops.clean $AGE_DIR/.age-encrypt.sh
+# git config --local filter.sops.required true
+
+AGE_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
+
+HOST_AGE_PUBKEY="$(realpath -m --relative-to=$AGE_DIR $FILE_PATH | cut -d'/' -f2)/.age-pubkey"
+SOPS_AGE_RECIPIENTS="$(echo $HOST_AGE_PUBKEY)"
\ No newline at end of file
diff --git a/homelab/.sops/.sops.md b/homelab/.sops/.sops.md
new file mode 100644
index 00000000..03249e19
--- /dev/null
+++ b/homelab/.sops/.sops.md
@@ -0,0 +1,5 @@
+# Set up SOPS and age to encrypt and decrypt secrets in this repo
+
+1. Install [sops](https://github.com/getsops/sops/releases).
+2. Install [age](https://github.com/FiloSottile/age).
+3. Run the [setup script](.age-setup.sh).
diff --git a/homelab/dungeon-master/.age-pubkey b/homelab/dungeon-master/.age-pubkey
new file mode 100644
index 00000000..7137f672
--- /dev/null
+++ b/homelab/dungeon-master/.age-pubkey
@@ -0,0 +1 @@
+age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00
\ No newline at end of file
diff --git a/homelab/fighter/.age-pubkey b/homelab/fighter/.age-pubkey
new file mode 100644
index 00000000..62e4efca
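Review bot: `age-keygen -o $HOME/.age/key > $AGE_DIR/../$HOSTNAME/.age-pubkey` in homelab/.sops/.age-setup.sh most likely leaves `.age-pubkey` empty, because with `-o` age-keygen reports the public key on stderr rather than stdout, as far as I know; generating the key first and then running `age-keygen -y "$HOME/.age/key" > "$AGE_DIR/../$HOSTNAME/.age-pubkey"` derives the recipient reliably, and `mkdir -p -m 700 "$HOME/.age"` keeps the key directory private regardless of umask. The message on the following line names `$AGE_DIR/.age-pubkeys`, which is not the file that was written. The last two lines read `$FILE_PATH`, which this script never sets, and assign a path rather than a key to `SOPS_AGE_RECIPIENTS`; the file has no shebang and defines aliases, so it is presumably meant to be sourced, in which case those assignments leak into the caller's shell and look like leftovers to delete. .sops.md tells the reader to run the script, which would discard the `export` and both aliases, so the instruction should say `source`.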
--- /dev/null
+++ b/homelab/fighter/.age-pubkey
@@ -0,0 +1 @@
+age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855
\ No newline at end of file
diff --git a/homelab/fighter/config/keycloak/secrets.enc.env b/homelab/fighter/config/keycloak/secrets.enc.env
index 74afd83b..395f7a01 100644
--- a/homelab/fighter/config/keycloak/secrets.enc.env
+++ b/homelab/fighter/config/keycloak/secrets.enc.env
@@ -1,18 +1,18 @@ -keycloak_KC_DB_PASSWORD=ENC[AES256_GCM,data:Sa6/qn+gFQx+gthxrXpb9zpbSIqTyFh3lWy3uVdycR4xKw==,iv:hf/5wLeB6gYvN/GEKIlxSpQsYMovXobcEUkakhQP+eA=,tag:Sbz1jsEt9HvDvy+HcVw0Wg==,type:str] -keycloak_DB_PASS=ENC[AES256_GCM,data:Pq0TO3aRxHVTs/216Q3YaJWRLbcYpuATWcyOtmtY5/EOAQ==,iv:sTEr5DnfCHGSCCybqskTNtI0M3V5IO1faAOROuRWo20=,tag:cdBcRfCtO4NriGwe7Yn1Vg==,type:str] -keycloak_KEYCLOAK_ADMIN_PASSWORD=ENC[AES256_GCM,data:YZ4i8dpMwqJFOZKPBuQWw3YzthKVndIQvw5O4JmMocgkRMn2COAR6wTR32gN2tv+I8eO+Ke0U4mP3uxaNESx+86s,iv:7hLH9Qir1Q9c0xEvKEnKFx+mshku38iDaEsG227Fzps=,tag:RS7JNAw8FHiARmfwMrpT/Q==,type:str] -forwardauth_CLIENT_SECRET=ENC[AES256_GCM,data:URHSO4KgdcSEsCQL1fiBVm+89U1H3DHSnsaJQswuQfIpMw==,iv:+IdIadL82TIutr2ffqPRtkF2SwL2WShJxB1XGgvefsU=,tag:5lJMLwZJxK4ldYBAavw3Dg==,type:str] -forwardauth_SECRET=ENC[AES256_GCM,data:Kz5lvloDt45XBiwLTRGEtuz37vZu+3XmvhPuDtaDNjzmXbPrZt92x6HObcAzVvGmf95yOO+DXE1Z6FmENTVhywsW,iv:XRETk6CTv4EWtwqjfbbcvU1aflxPrZBViT55HY4hD10=,tag:dL5AsoXHa3+XZPa9Qf502Q==,type:str] -forwardauth_ENCRYPTION_KEY=ENC[AES256_GCM,data:Fri2u0iO/GyI8vuJbjUI75A1CF/b4jJ224W8ZdWblrPhLA==,iv:+zbc2KuRw32x/uxlkRdCXtPgaRcXX5CNFvlmB9Wifoc=,tag:1NxvfUk3hkSCiL2lAnxK4w==,type:str] -forwardauthprivileged_CLIENT_SECRET=ENC[AES256_GCM,data:E8CmrjhoAa+ByZW/GN2CR72YbRLMpPwtcrCuqkkPtQoaxg==,iv:a6gZ9lJuG+9QUt7cfp/EKQk8rIE9JivtGM5ryk5VLEo=,tag:r2Y/sDCbUmmRtMMrBi1KVA==,type:str] -forwardauthprivileged_SECRET=ENC[AES256_GCM,data:vd0HwADInp+HRVXc4v7x9aP3usN2Q5ZCU2ro5ucm3OPWQ1uNIHgIYgquhaSitLSEVmA=,iv:jO83wNiUXgtTPIcgsdFMynG8bVCUB+1Z/ignoaNnYe4=,tag:X1X6ERgYp1tImaIIfNhFyA==,type:str] -forwardauthprivileged_ENCRYPTION_KEY=ENC[AES256_GCM,data:mrkngv5W5PcB14tS3XqRcbqsNGuzKOaTqi8ZFu7kLL9m6A==,iv:w4E/MSq87im3EqMD//5/Bex6ktUQlnKZLC9NyMWQ48U=,tag:t/TTL4/CSPF7WhVGslAxgQ==,type:str] -postgres_POSTGRES_PASSWORD=ENC[AES256_GCM,data:2eMWJK8LR1yNed8vardojB2+Xbl0u53mbr3MWxEZRy3IdA==,iv:MpV3yFfv/GRjP4r0hSuBBsApLW0lznDA0Rbm1Bokeps=,tag:RhGhTkR+O3up8+Cr440LSA==,type:str] 
-sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1RGtUaUtlMVFORDBKU1JQ\nZUJSeXZ1aWhsZndwU2pDWktxY0lzb3lEQmpvCkV1Zk4rZVpFcXNITHNDemx4alIy\nQVJjZDE5Z0xhVU5hV05ydm1PR0Q1a0EKLS0tIDFnT3NpWGhPWW9MZ0xsbzZERmR2\nZjA2Zk92REhhUDlBTjk5VUw4Y1lKTnMKMNpzaYpazx0MeaDR931sPNG043OLHczz\nKB42qQe91dZ8xsxCR2j4Rv9R8iHljlexPEbdYdTXZB4qyoJcPfOzPw==\n-----END AGE ENCRYPTED FILE-----\n +keycloak_KC_DB_PASSWORD=ENC[AES256_GCM,data:TNkK8sncew8xH413tJM0Cgwz/gwx7iaF0Gz5j+WmLA+L5g==,iv:DxTn795Mj+bK1kJFIvVtrc2sgNSgpdlgD2EUkkEqhbo=,tag:HhbVITHiDCKCoMnBfyiykA==,type:str] +keycloak_DB_PASS=ENC[AES256_GCM,data:fnZzDKwci6PVHcJ40LPSBLhpxSp1A7lOsQ3XDwHCsk3NBw==,iv:AopariZfYuaADhiuRybTSpRdawIEGDcI9SlLmUTfnP0=,tag:Tk9hzbsvD2fb7G63JOT2gw==,type:str] +keycloak_KEYCLOAK_ADMIN_PASSWORD=ENC[AES256_GCM,data:HOUdm8NS89P+DKNf059ZQmJBtlOabqKephWWLYtItjOAiRmtn5hpSZETRfQecMwvwbfHp6xVweffYl70OS0nBIcf,iv:o4+zpBtUtIlyQFjnBfjTrJf43RDYmr2WgARvHrRMxpA=,tag:+YiHAz5AtAwbXstbfn842Q==,type:str] +forwardauth_CLIENT_SECRET=ENC[AES256_GCM,data:QgEBtdNL0xGi2ms52uERGEOlssudN+KyfjURCBePICv9DA==,iv:9DS2X8T0gjBSu/bwmHhnSx5EarHeIXC4aglrN7rKh/Y=,tag:8vyfeKNsbHpqAei65qv70w==,type:str] +forwardauth_SECRET=ENC[AES256_GCM,data:6f+V4UWT2zl7tNMFd+VR5PFWr2V1c81QDwvsGPwNWwiihmF3SyMOVDq+6l+z4nZVRbnmAi0ytsbBaNRQZSrp8Zlk,iv:0NPpZ+lOIsQXb7wdRgx+2N43nx539chNyik1YtpY8m8=,tag:0lJsf2JqUBEaaD/PxJWuUg==,type:str] +forwardauth_ENCRYPTION_KEY=ENC[AES256_GCM,data:d/lETqW1XEEH/m7yJnh1odq/j9ApJCNxg/MTs0bTh1WFuw==,iv:2h3HcHvs37YdAnjTktn8YhJEz6m1YK6FybrahnKMKsQ=,tag:MORJ/JK7zrEaPU0BXgGq2Q==,type:str] +forwardauthprivileged_CLIENT_SECRET=ENC[AES256_GCM,data:AVW0r+QNYfId7M7GUpl6+hLXkynjK5YGAIQaaDiklfayrQ==,iv:X5WlRiU9BHOALrXLovz4UZDdfcBZw+CEmG8ESKLcqs8=,tag:Z6IK/2fzz1d827JYB7uEyA==,type:str] +forwardauthprivileged_SECRET=ENC[AES256_GCM,data:zvxpyLKrQF//Hrl1dltGfmhvd40mLBsmWlmqi4fo+WRrocOIaCXSc3/gWqX3ZhWaaFw=,iv:M1T+eMtSqxbXo6A43pOljXw401dkWnsVbZKLoYK4IAc=,tag:K8WpbXTP3hzFo958dv0s6Q==,type:str] 
+forwardauthprivileged_ENCRYPTION_KEY=ENC[AES256_GCM,data:kqQAXMLyOdCwl/1gnaholcMMpX1ZrTjlQre/M14E8jv2eg==,iv:/yxGmhJFBT1dLi3445+b1WAeKpgIBZ1uZR0M4HXP2do=,tag:E3QcK1Ardkg7TUadaYmOGQ==,type:str] +postgres_POSTGRES_PASSWORD=ENC[AES256_GCM,data:tD21MCx1PuS2Q0zyqtHb8UljXLNRAW0kPfwwkn24jdmt2Q==,iv:4WFIL4kRs6/SHjC/ZlbynK3X2hMfuhLMBrall63u3CI=,tag:o5d5f8LaCiXWyO8PWReO4g==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaeVdQQjhyVks3SjY5bmNI\nUzE1RXg1UEpLWUk3VGlseXAwTTg2TXVZWlVzCjcyczdrM0JmRUVhWlRvVHJORHRR\nTGJRWGIzN2RPM2F1K0pjVTRhZmI4REEKLS0tIE93UzZ6QnVjaUVwUnhmUkRaRTdB\nT0FnTHo2eXZZcndVSno5K2hLelM5NGcKuhmmsrKXnyjtuvG982jzs1AxVGnLNMrV\nc8lChL6tqTPSV5R/AJqYzHFqP/ul0XTMNqGV+UMQepdPYR3keC+F+Q==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00 -sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieVlsTmZSdGxidmlYRTJv\nQnVxLzh5bkp4bnpibE5RdEx1WEFtRWYrVWswCnJSaDJuV1YxRGtoaFptVUZhOUY2\nY0cxZlpKRmhteXF3RUw4S0RRa1RHM2MKLS0tIDhQOG5sNkFDL3hpQWJ5dFRpdEhO\nRk8xa2wrV1ZBRnB1VVdYcUdoeXlmMDAKa3LSvmSIIYdPLuUwy/Z+a+piiY3C1+ot\n76gYAhe6fTPkwk2479dQ2PyD2m4zuIxprsAHdRFuBhG5BvkVnG2mpw==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNS3JwN0ZOV0hjSDBCL1Fx\nazlmdnhMSm1HNXliMFd1aWtSV280aTRtOWxvCm8yZVpya0toTHZONW0yZ0xSeHNX\nd0tvYTVTWTdGRzZvd2plaVVIMzZYRlEKLS0tIDYxbmVENnp3eW9qUnpycG5ROWNm\nNjZSRE9meElMZzFRcEhLNVd5c0c2aHcKxYQH9Pfm6n9dh0EtpfWrvtwBBndXjndS\nlmoZ4fwu+/PV5bz41lk/GJu9se3haRjpXoI6jfdApIhyIuyKNpOlaA==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_1__map_recipient=age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855 -sops_lastmodified=2024-08-14T07:04:27Z 
-sops_mac=ENC[AES256_GCM,data:CW8Jl6siqoaAkJaXW26x7LC7jqKW3yaLd9995F/pAJQCqJrpbrx+bJnFtukPFlH3LV9hvX5Hc2FASu9UXR6xbJ4Q8rzd6Yy1L0LhNy2cwl3m/qzvpYCrDViSX17V6AFp0cmbPN+qUsInsgqP4UhWNU8Qm7hfaBtzMyNGzSIva9k=,iv:PxOMsYbwQQ004e1ael6cqbicCpan6wZYfPQ8rRUx6us=,tag:VArxq+lteHYY7J8mRWgKHA==,type:str] +sops_lastmodified=2024-08-14T19:11:07Z +sops_mac=ENC[AES256_GCM,data:KSg9SbhFiHldI17UFK1mcOAeK6+nkE2lDphj4cBSE+ckc81KTP4nYSLRhnetcfbmOEBFY8YvxizPgoJxhh0Tpet2qBsxW3ZoHelFsqq138EYpFOKkY6wlf8tXDrHHLHxE1+ba3jBPYT9me3YtRBEPZukvAFZlKOb2hnytuzG5KI=,iv:E00Uc+BXR5HEoOaURBAKO5l0WU93TsipPCRUyZenSJ0=,tag:4TwB7qW09U98jw6Dn/iIsg==,type:str] sops_unencrypted_suffix=_unencrypted -sops_version=3.9.0 \ No newline at end of file +sops_version=3.9.0 diff --git a/homelab/fighter/config/traefik/docker-compose.yml b/homelab/fighter/config/traefik/docker-compose.yml index da939b6a..67b653f6 100644 --- a/homelab/fighter/config/traefik/docker-compose.yml +++ b/homelab/fighter/config/traefik/docker-compose.yml @@ -17,17 +17,11 @@ services: - ./config:/config - $DOCKER_DATA/acme.json:/acme.json - $DOCKER_DATA/acme-dns01.json:/acme-dns01.json - secrets: - - cloudflare_token environment: - - CF_DNS_API_TOKEN=/run/secrets/cloudflare_token + - CF_DNS_API_TOKEN=${traefik_CF_DNS_API_TOKEN} networks: web: external: true monitoring: external: true - -secrets: - cloudflare_token: - file: ./cloudflare_secret.txt \ No newline at end of file diff --git a/homelab/fighter/config/traefik/secrets.enc.env b/homelab/fighter/config/traefik/secrets.enc.env new file mode 100644 index 00000000..a71f41c1 --- /dev/null +++ b/homelab/fighter/config/traefik/secrets.enc.env 
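Review bot: `CF_DNS_API_TOKEN=${traefik_CF_DNS_API_TOKEN}` in docker-compose.yml is interpolated by Compose when the file is parsed, so an unset variable becomes an empty token with only a warning; `${traefik_CF_DNS_API_TOKEN:?traefik_CF_DNS_API_TOKEN is not set}` makes the deployment fail early instead. Passing the token as a plain environment variable also exposes it through `docker inspect` and to every process in the container, whereas the removed `secrets:` block kept it in a mounted file. If the file-based form is preferred, `CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_token` should work with the old mount (the removed line pointed `CF_DNS_API_TOKEN` itself at the path, which would have passed the path as the token). The service definition starts above this hunk, so how the decrypted env file reaches Compose is not visible here and is worth documenting next to this line.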
@@ -0,0 +1,9 @@ +traefik_CF_DNS_API_TOKEN=ENC[AES256_GCM,data:3kMrXC7zZwxpgPIYg3xTpC61EDkN/xO3R1Cc/b9bSoB4LMBOSUS+Kq/j,iv:uA/2dsEN6pLTRpG/IGKg2qd8TDWsXRAAZzW6i5ppG5s=,tag:CqjOOqrkhrB+9ALFRdJlkw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZFVudjZpUGZjSGovWVp3\nMUt1UGlhNXhPQitSMjBaTVBCL2gvbWNoN3h3CllMc2ZndURYbkdzdHhaMWxDMFJ2\nN2F3Y0JFSzNrN2hKeGZobURFYXpHTm8KLS0tIFloV0NsMGlaTlNWQ0lhUUZhNWJN\ndmVac1hzWTZFa3lBb2VhREtsRHA2WEkKiqWViJQ2+RpXgSYfvbrPlH1ir2GQnNkA\nsNCKMKzB6JRU6w1aNZXBeiDBMacXS2rT70awKUYKfzx3t6PCrV8ouA==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00 +sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMGtKaHdzdnE1NldoZ0x5\neUExZy9aYjUzQWxXWE90VWxQYzZsNXpZY1c0CnlXbXdybmhDeDV4MWJTaFZibmRi\nTmxZbGNrbWo5RHdkL2xoemxERFQ2NmMKLS0tIGd0ZVR6U0h3WUc3bHhxZmlWWC95\nZUtZWG9vV0pZVDVQUkpyenMxaXgzL1UKOQl6FtqQUOTmbl/u6zJ6cGe9a/wdgx1K\n6ajpK5SarfYYrfQRNnZvM8zbsNP/SxLBBLIWXRZq8wFL4u1sPWYKaw==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_1__map_recipient=age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855 +sops_lastmodified=2024-08-14T21:18:27Z +sops_mac=ENC[AES256_GCM,data:KA6D7PwVb/pA5b+yQRuGA1l8ohjFaI7cTOatoneRt6Z2+/B5wVZYiBb0gJxN2Kh4pfGlvwL477sceiGRkwn85E4Oz2oobzkt4By0qeo4uqRyfcse7ukSvQvGxAflg/pX8qahcEn5Z58OG2Vvfx0ocCBp6kcMLrKD7QLQ0ffk7Mg=,iv:Mg4ACF/IabibtULkPuQoLvAnH/Sbp2H6ayxYpddlxoY=,tag:gpq2bAgHojNzCR1718VsDg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.0