From cbebc799bd18109f1c9b5c66b6f5ebd3b94192a8 Mon Sep 17 00:00:00 2001 From: Nat Allan <19149206+Truxnell@users.noreply.github.com> Date: Thu, 14 Mar 2024 22:04:40 +1100 Subject: [PATCH] feat: add temp vm for nixos dev
---
.sops.yaml | 9 + .vscode/extensions.json | 3 + docs/vm/secrets.md | 9 + flake.lock | 154 +++++++++++++++ flake.nix | 3 +- nixos/hosts/common/nixos/packages.nix | 5 +- .../hosts/common/optional/cloudflare-ddns.nix | 6 + .../common/optional/cloudflare.ddns.sops.yaml | 1 + .../optional/editors/vscode/default.nix | 138 ++++++++++++++ .../optional/editors/vscode/extensions.nix | 177 ++++++++++++++++++ nixos/hosts/common/optional/firefox.nix | 8 + nixos/hosts/common/optional/gnome.nix | 34 ++++ nixos/hosts/nixosvm/default.nix | 3 + taskfile/sops/Taskfile copy.yaml | 18 ++ taskfile/sops/Taskfile.yaml | 0 15 files changed, 566 insertions(+), 2 deletions(-) create mode 100644 .sops.yaml create mode 100644 .vscode/extensions.json create mode 100644 docs/vm/secrets.md create mode 100644 flake.lock create mode 100644 nixos/hosts/common/optional/cloudflare-ddns.nix create mode 100644 nixos/hosts/common/optional/cloudflare.ddns.sops.yaml create mode 100644 nixos/hosts/common/optional/editors/vscode/default.nix create mode 100644 nixos/hosts/common/optional/editors/vscode/extensions.nix create mode 100644 nixos/hosts/common/optional/firefox.nix create mode 100644 nixos/hosts/common/optional/gnome.nix create mode 100644 taskfile/sops/Taskfile copy.yaml create mode 100644 taskfile/sops/Taskfile.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..0f48904
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+---
+keys:
+ - &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
+
+creation_rules:
+ - path_regex: .*\.sops\.yaml$
+ key_groups:
+ - age:
+ - *nixosvm
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
new file mode 100644
index 0000000..0b04a3b
--- /dev/null
+++ b/.vscode/extensions.json
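Review bot: The single `&nixosvm` recipient under `keys:` leaves every file matched by `.*\.sops\.yaml$` decryptable by one key only, and going by docs/vm/secrets.md in this commit that key is derived from the VM's SSH host key. If this temporary VM is rebuilt and its host key regenerated, the secrets cannot be recovered, and editing them from any other machine would mean copying the host private key off the VM. Adding an operator recipient avoids both: a second anchor such as `- &admin <AGE_PUBLIC_KEY_PLACEHOLDER>` under `keys:` and `- *admin` next to `- *nixosvm` in the `age:` list.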
@@ -0,0 +1,3 @@
+{
+ "recommendations": ["jnoortheen.nix-ide"]
+}
diff --git a/docs/vm/secrets.md b/docs/vm/secrets.md
new file mode 100644
index 0000000..08b3cc1
--- /dev/null
+++ b/docs/vm/secrets.md
@@ -0,0 +1,9 @@
+# Generate age key per machine
+
+On new machine, run below to transfer its shiny new ed25519 to age
+
+```sh
+nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+```
+
+Copy this into `./.sops.yaml` in base repo, then re-run taskfile `task sops:re-encrypt` to loop through all sops keys, decrypt then re-encrypt
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..fbf453e
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,154 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nix-vscode-extensions": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1710379006, + "narHash": "sha256-n4C2wIUCi+aDDEejrRBERfhwvXsZbS5BDxfDvVc54Nk=", + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "rev": "dae307e517aba2d464ad09072d5b96c6e20f3a1f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1710283656, + "narHash": "sha256-nI+AOy4uK6jLGBi9nsbHjL1EdSIzoo8oa+9oeVhbyFc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "51063ed4f2343a59fdeebb279bb81d87d453942b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1710033658, + "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": 
"github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1710272261, + "narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "0ad13a6833440b8e238947e47bea7f11071dc2b2", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nix-vscode-extensions": "nix-vscode-extensions", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1710195194, + "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 7bf6b84..36ad97b 100644 --- a/flake.nix +++ b/flake.nix @@ -20,7 +20,7 @@ }; - outputs = { self, nixpkgs, ... }@inputs: + outputs = { self, nixpkgs, sops-nix, ... }@inputs: with inputs; { @@ -45,6 +45,7 @@ modules = [ (./nixos/hosts + "/${x}/default.nix") + sops-nix.nixosModules.sops ]; }; }) diff --git a/nixos/hosts/common/nixos/packages.nix b/nixos/hosts/common/nixos/packages.nix index d4d0385..44e649a 100644 --- a/nixos/hosts/common/nixos/packages.nix +++ b/nixos/hosts/common/nixos/packages.nix 
@@ -9,7 +9,10 @@ vim git dnsutils + # TODO Move + nixpkgs-fmt + nil ]; - + programs.mtr.enable = true; } diff --git a/nixos/hosts/common/optional/cloudflare-ddns.nix b/nixos/hosts/common/optional/cloudflare-ddns.nix new file mode 100644 index 0000000..15646d4 --- /dev/null +++ b/nixos/hosts/common/optional/cloudflare-ddns.nix @@ -0,0 +1,6 @@ +{ inputs, outputs, config, ... }: { + + # Cloudflare dynamic dns to keep my DNS records pointed at home + services.cloudflare-dyndns.enable = true; + +} \ No newline at end of file diff --git a/nixos/hosts/common/optional/cloudflare.ddns.sops.yaml b/nixos/hosts/common/optional/cloudflare.ddns.sops.yaml new file mode 100644 index 0000000..61c78a8 --- /dev/null +++ b/nixos/hosts/common/optional/cloudflare.ddns.sops.yaml @@ -0,0 +1 @@ +forward-address: hi diff --git a/nixos/hosts/common/optional/editors/vscode/default.nix b/nixos/hosts/common/optional/editors/vscode/default.nix new file mode 100644 index 0000000..84840d9 --- /dev/null +++ b/nixos/hosts/common/optional/editors/vscode/default.nix 
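Review bot: `services.cloudflare-dyndns.enable = true;` in cloudflare-ddns.nix is set with no `apiTokenFile` and no `domains`, so as written the service has no credential and nothing to update. When the token is wired in, it should be read from a sops-nix secret path rather than written as a literal, since anything in the Nix store is world-readable: `services.cloudflare-dyndns.apiTokenFile = config.sops.secrets."<SECRET_NAME_PLACEHOLDER>".path;`. The module is also not among the imports visible in the nixosvm hunk of this commit, so it appears to be inert for now; a one-line comment saying so would save the next reader the search.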
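Review bot: `forward-address: hi` in cloudflare.ddns.sops.yaml is committed as plaintext: the file matches the `.*\.sops\.yaml$` creation rule but carries no `sops:` metadata block and no `ENC[...]` values. The value looks like a placeholder, but it sets the precedent of an unencrypted `*.sops.yaml` in git, and the `sops --decrypt --in-place` step of the `re-encrypt` task added in this commit will presumably fail on a file without sops metadata. Run `sops --encrypt --in-place` on it before committing, and consider a pre-commit check that rejects any `*.sops.yaml` lacking a top-level `sops:` key.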
@@ -0,0 +1,138 @@ +{ config, pkgs, lib, ... }: + +{ + + # Enable vscode & addons + environment.systemPackages = with pkgs; [ + (vscode-with-extensions.override { + vscode = vscodium; + vscodeExtensions = with vscode-extensions; [ + bbenoist.nix + + ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ + + { + name = "prettier-vscode"; + publisher = "esbenp"; + version = "10.1.0"; + sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9"; + } + + { + name = "vscode-docker"; + publisher = "ms-azuretools"; + version = "1.28.0"; + sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0"; + } + + { + name = "gitlens"; + publisher = "eamodio"; + version = "14.7.0"; + sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy"; + } + + { + name = "remote-containers"; + publisher = "ms-vscode-remote"; + version = "0.327.0"; + sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz"; + } + + { + name = "remote-ssh"; + publisher = "ms-vscode-remote"; + version = "0.107.1"; + sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf"; + } + + { + name = "vscode-yaml"; + publisher = "redhat"; + version = "1.14.0"; + sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944"; + } + + + + { + name = "todo-tree"; + publisher = "gruntfuggly"; + version = "0.0.226"; + sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn"; + } + + { + name = "path-autocomplete"; + publisher = "ionutvmi"; + version = "1.25.0"; + sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb"; + } + + { + name = "even-better-toml"; + publisher = "tamasfe"; + version = "0.19.2"; + sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14"; + } + + { + name = "linter"; + publisher = "fnando"; + version = "0.0.19"; + sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g"; + } + + { + name = "catppuccin-vsc"; + publisher = "catppuccin"; + version = "3.11.0"; + sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d"; + } + + { + name = 
"catppuccin-vsc-icons"; + publisher = "catppuccin"; + version = "1.8.0"; + sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z"; + } + + { + name = "nix-ide"; + publisher = "jnoortheen"; + version = "0.2.2"; + sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg"; + } + + { + name = "vscode-swissknife"; + publisher = "luisfontes19"; + version = "1.8.1"; + sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c"; + } + + { + name = "pre-commit-helper"; + publisher = "elagil"; + version = "0.5.0"; + sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj"; + } + + { + name = "sops-edit"; + publisher = "shipitsmarter"; + version = "1.0.0"; + sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4"; + } + + { + name = "json5-for-vscode"; + publisher = "tudoudou"; + version = "0.0.3"; + sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w"; + } + + ]; + }) + ]; +} diff --git a/nixos/hosts/common/optional/editors/vscode/extensions.nix b/nixos/hosts/common/optional/editors/vscode/extensions.nix new file mode 100644 index 0000000..e2c78a9 --- /dev/null +++ b/nixos/hosts/common/optional/editors/vscode/extensions.nix 
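Review bot: The `extensionsFromVscodeMarketplace` list in default.nix appears to repeat the same name/version/sha256 pins that extensions.nix holds (that file is added in this commit and marked as autogenerated by nix4vscode), and nothing visible imports the generated file. Two copies of hash pins drift, and an update reviewed in one place can leave a stale or unreviewed pin in the other. Either build this list from `import ./extensions.nix { inherit pkgs; }` or drop the generated file, so each extension hash has one source of truth. Since this editor is where decrypted sops files will be opened, a short comment above the list stating that every entry is pinned by hash and must be bumped deliberately would also be worth adding.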
@@ -0,0 +1,177 @@ +# Warning, this file is autogenerated by nix4vscode. Don't modify this manually. + +{ pkgs }: + +let + vscode-utils = pkgs.vscode-utils; +in +{ + + "ms-python"."python" = vscode-utils.extensionFromVscodeMarketplace { + name = "python"; + publisher = "ms-python"; + version = "2024.0.0"; + sha256 = "0sy1z2r6b0m1lkivjyrcf41dbgj9m5zkjy6yncpji1hisjcbgq6n"; + }; + + "ms-python"."vscode-pylance" = vscode-utils.extensionFromVscodeMarketplace { + name = "vscode-pylance"; + publisher = "ms-python"; + version = "2023.12.1"; + sha256 = "03fr9zanhdsf3wirv65vb41swvdnxxaz8lviyjdbmzcw9yihf8dv"; + }; + + "esbenp"."prettier-vscode" = vscode-utils.extensionFromVscodeMarketplace { + name = "prettier-vscode"; + publisher = "esbenp"; + version = "10.1.0"; + sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9"; + }; + + "ms-azuretools"."vscode-docker" = vscode-utils.extensionFromVscodeMarketplace { + name = "vscode-docker"; + publisher = "ms-azuretools"; + version = "1.28.0"; + sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0"; + }; + + "eamodio"."gitlens" = vscode-utils.extensionFromVscodeMarketplace { + name = "gitlens"; + publisher = "eamodio"; + version = "14.7.0"; + sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy"; + }; + + "ms-vscode-remote"."remote-containers" = vscode-utils.extensionFromVscodeMarketplace { + name = "remote-containers"; + publisher = "ms-vscode-remote"; + version = "0.327.0"; + sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz"; + }; + + "ms-vscode-remote"."remote-ssh" = vscode-utils.extensionFromVscodeMarketplace { + name = "remote-ssh"; + publisher = "ms-vscode-remote"; + version = "0.107.1"; + sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf"; + }; + + "redhat"."vscode-yaml" = vscode-utils.extensionFromVscodeMarketplace { + name = "vscode-yaml"; + publisher = "redhat"; + version = "1.14.0"; + sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944"; + }; + + 
"github"."copilot" = vscode-utils.extensionFromVscodeMarketplace { + name = "copilot"; + publisher = "github"; + version = "1.156.0"; + sha256 = "16nzwazfbh895kmc2887b17zzbbcjyk8fhiphk5xmy1nm9qxszk0"; + }; + + "golang"."go" = vscode-utils.extensionFromVscodeMarketplace { + name = "go"; + publisher = "golang"; + version = "0.40.3"; + sha256 = "15kicpv9xpn7l3w9mbmsjdzjmavh88p3skkim0a9prg9p40bsq0m"; + }; + + "gruntfuggly"."todo-tree" = vscode-utils.extensionFromVscodeMarketplace { + name = "todo-tree"; + publisher = "gruntfuggly"; + version = "0.0.226"; + sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn"; + }; + + "ms-kubernetes-tools"."vscode-kubernetes-tools" = vscode-utils.extensionFromVscodeMarketplace { + name = "vscode-kubernetes-tools"; + publisher = "ms-kubernetes-tools"; + version = "1.3.15"; + sha256 = "1x6npc90p6b1wx5sd1hd0x0djahmffr6lw9cxh2zg10rbpq48w8i"; + }; + + "hashicorp"."terraform" = vscode-utils.extensionFromVscodeMarketplace { + name = "terraform"; + publisher = "hashicorp"; + version = "2.29.3"; + sha256 = "sha256-cYYtBZaWgtT6vS6In+tbpLfp/GdyWodBXyHsxn8ZZrU="; + }; + + "ionutvmi"."path-autocomplete" = vscode-utils.extensionFromVscodeMarketplace { + name = "path-autocomplete"; + publisher = "ionutvmi"; + version = "1.25.0"; + sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb"; + }; + + "tamasfe"."even-better-toml" = vscode-utils.extensionFromVscodeMarketplace { + name = "even-better-toml"; + publisher = "tamasfe"; + version = "0.19.2"; + sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14"; + }; + + "redhat"."ansible" = vscode-utils.extensionFromVscodeMarketplace { + name = "ansible"; + publisher = "redhat"; + version = "2.9.118"; + sha256 = "0yndj2r0w2zxc5firxgfrykkc5ajy9gsmrfmkz80kfhwk33n9y1p"; + }; + + "fnando"."linter" = vscode-utils.extensionFromVscodeMarketplace { + name = "linter"; + publisher = "fnando"; + version = "0.0.19"; + sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g"; + }; + + 
"catppuccin"."catppuccin-vsc" = vscode-utils.extensionFromVscodeMarketplace { + name = "catppuccin-vsc"; + publisher = "catppuccin"; + version = "3.11.0"; + sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d"; + }; + + "catppuccin"."catppuccin-vsc-icons" = vscode-utils.extensionFromVscodeMarketplace { + name = "catppuccin-vsc-icons"; + publisher = "catppuccin"; + version = "1.8.0"; + sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z"; + }; + + "jnoortheen"."nix-ide" = vscode-utils.extensionFromVscodeMarketplace { + name = "nix-ide"; + publisher = "jnoortheen"; + version = "0.2.2"; + sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg"; + }; + + "luisfontes19"."vscode-swissknife" = vscode-utils.extensionFromVscodeMarketplace { + name = "vscode-swissknife"; + publisher = "luisfontes19"; + version = "1.8.1"; + sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c"; + }; + + "elagil"."pre-commit-helper" = vscode-utils.extensionFromVscodeMarketplace { + name = "pre-commit-helper"; + publisher = "elagil"; + version = "0.5.0"; + sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj"; + }; + + "shipitsmarter"."sops-edit" = vscode-utils.extensionFromVscodeMarketplace { + name = "sops-edit"; + publisher = "shipitsmarter"; + version = "1.0.0"; + sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4"; + }; + + "tudoudou"."json5-for-vscode" = vscode-utils.extensionFromVscodeMarketplace { + name = "json5-for-vscode"; + publisher = "tudoudou"; + version = "0.0.3"; + sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w"; + }; +} diff --git a/nixos/hosts/common/optional/firefox.nix b/nixos/hosts/common/optional/firefox.nix new file mode 100644 index 0000000..69dac8a --- /dev/null +++ b/nixos/hosts/common/optional/firefox.nix @@ -0,0 +1,8 @@ +{ config, pkgs, lib, ... }: +{ + + programs.firefox = { + enable = true; + }; + +} \ No newline at end of file 
diff --git a/nixos/hosts/common/optional/gnome.nix b/nixos/hosts/common/optional/gnome.nix new file mode 100644 index 0000000..9eaf16f --- /dev/null +++ b/nixos/hosts/common/optional/gnome.nix @@ -0,0 +1,34 @@ +{ config, pkgs, lib, ... }: + +{ + # Ref: https://nixos.wiki/wiki/GNOME + + # Enable GNOME with this 3 wierd tricks + services.xserver.enable = true; + services.xserver.displayManager.gdm.enable = true; + services.xserver.desktopManager.gnome.enable = true; + + # And dconf + programs.dconf.enable = true; + + # Exclude default GNOME packages that dont interest me. + environment.gnome.excludePackages = (with pkgs; [ + gnome-photos + gnome-tour + ]) ++ (with pkgs.gnome; [ + cheese # webcam tool + gnome-music + gnome-terminal + gedit # text editor + epiphany # web browser + geary # email reader + evince # document viewer + gnome-characters + totem # video player + tali # poker game + iagno # go game + hitori # sudoku game + atomix # puzzle game + ]); + +} \ No newline at end of file diff --git a/nixos/hosts/nixosvm/default.nix b/nixos/hosts/nixosvm/default.nix index 2eb1f61..da60414 100644 --- a/nixos/hosts/nixosvm/default.nix +++ b/nixos/hosts/nixosvm/default.nix @@ -17,6 +17,9 @@ ../common/optional/monitoring.nix ../common/optional/reboot-required.nix ../common/optional/dnscrypt-proxy2.nix + ../common/optional/gnome.nix + ../common/optional/editors/vscode + ../common/optional/firefox.nix ]; diff --git a/taskfile/sops/Taskfile copy.yaml b/taskfile/sops/Taskfile copy.yaml new file mode 100644 index 0000000..ccec51a --- /dev/null +++ b/taskfile/sops/Taskfile copy.yaml 
@@ -0,0 +1,18 @@
+---
+version: "3"
+
+tasks:
+ # shamelessly stolen from szinn/nix-config :)
+ re-encrypt:
+ desc: Decrypt and re-encrypt all sops secrets
+ silent: true
+ dir: "{{.USER_WORKING_DIR}}"
+ vars:
+ SECRET_FILES:
+ sh: find . -type f -name '*.sops.yaml' ! -name ".sops.yaml"
+ cmds:
+ - for: { var: SECRET_FILES }
+ cmd: |
+ echo "Re-encrypting {{ .ITEM }}"
+ sops --decrypt --in-place "{{ .ITEM }}"
+ sops --encrypt --in-place "{{ .ITEM }}"
diff --git a/taskfile/sops/Taskfile.yaml b/taskfile/sops/Taskfile.yaml
new file mode 100644
index 0000000..e69de29
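Review bot: The `re-encrypt` loop leaves each secret on disk in plaintext between `sops --decrypt --in-place` and `sops --encrypt --in-place`; if the second command fails or the task is interrupted, the decrypted file stays in the working tree where it can be committed. For a recipient change, `sops updatekeys --yes "{{ .ITEM }}"` re-wraps the data key for the recipients listed in `.sops.yaml` without writing plaintext at all. Separately, the task is defined in `Taskfile copy.yaml` while `Taskfile.yaml` is added empty, so the `task sops:re-encrypt` command named in docs/vm/secrets.md will probably not resolve until the content is moved.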