move to sops for managing credentials

This must be done outside of a Makefile environment due to how it
affects the programs that run inside `make`. `sops exec-env` will
decrypt a file and export the values as environment variables for the
program specified, which in this case is the user's shell.

This commit also includes a `.sops.yaml` file with the three PGP keys
from the Makefile and regenerates the DigitalOcean PAT.
RyanSquared 2023-05-05 00:53:31 -04:00
parent b75b1f1138
commit 6ed53333da
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
5 changed files with 24 additions and 59 deletions

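--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,5 @@
+creation_rules:
+- pgp: >-
+6B61ECD76088748C70590D55E90A401336C8AAA9,
+88823A75ECAA786B0FF38B148E401478A3FBEF72,
+3D7C8D39E8C4DF771583D3F0A8A091FD346001CA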
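Review bot: The `pgp` list here duplicates the `KEYS` fingerprints the Makefile still declares (they appear as context at the top of its first hunk), so a key rotation now has to be done in two files with nothing pointing from one to the other. Either drop `KEYS` if nothing else in the Makefile reads it, or tie the two together with a comment on the rule, `# keep in sync with KEYS in the Makefile`. The rule also has no `path_regex`, so it governs every file sops is asked to encrypt anywhere in the repository; adding `path_regex: ^secrets/` would confine it to the secrets directory, and if the wider scope is intended a comment saying so would make that explicit.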


@ -11,16 +11,6 @@ KEYS := \
88823A75ECAA786B0FF38B148E401478A3FBEF72 \ 88823A75ECAA786B0FF38B148E401478A3FBEF72 \
3D7C8D39E8C4DF771583D3F0A8A091FD346001CA 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
SKIP_SECRETS=
ifeq ("$(wildcard $(CACHE_DIR)/secrets/$(ENVIRONMENT).env)$(SKIP_SECRETS)","")
noop=$(shell \
$(MAKE) SKIP_SECRETS=1 $(CACHE_DIR)/secrets/$(ENVIRONMENT).env \
)
endif
include $(CACHE_DIR)/secrets/$(ENVIRONMENT).env
export $(shell sed 's/=.*//' $(CACHE_DIR)/secrets/$(ENVIRONMENT).env 2>/dev/null)
.DEFAULT_GOAL := .DEFAULT_GOAL :=
.PHONY: default .PHONY: default
default: \ default: \
@ -96,10 +86,6 @@ apply: \
$(CACHE_DIR)/secrets: $(CACHE_DIR)/secrets:
mkdir -p $@ mkdir -p $@
$(CACHE_DIR)/secrets/%.env: secrets/%.env.gpg $(CACHE_DIR)/secrets
@echo "Decrypting $@"
gpg --decrypt $< 2>/dev/null > $@
$(FETCH_DIR)/terraform: $(FETCH_DIR)/terraform:
$(call git_clone,$@,$(TERRAFORM_REPO),$(TERRAFORM_REF)) $(call git_clone,$@,$(TERRAFORM_REPO),$(TERRAFORM_REF))
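Review bot: With the `include` and `export` of the decrypted env file removed, the Makefile no longer fails when the credentials are absent, so a plain `make` run outside `sops exec-env` only errors later inside whichever tool first needs `DIGITALOCEAN_TOKEN` (presumably terraform; its use is outside the hunk). A parse-time guard near the top of the file, `ifeq ($(strip $(DIGITALOCEAN_TOKEN)),)` / `$(error DIGITALOCEAN_TOKEN is unset; run make under sops exec-env, see README)` / `endif`, would fail fast with a pointer to the documented invocation. Two leftovers also look worth tidying: `KEYS` (context at the top of the first hunk) now repeats the fingerprints in `.sops.yaml`, and the `$(CACHE_DIR)/secrets:` rule kept in the second hunk has lost its only visible consumer, the removed `%.env` decrypt rule, unless something outside the hunk still depends on it. Plaintext files the old rule wrote to `$(CACHE_DIR)/secrets/*.env` are not removed by this commit either; if `clean` does not already cover that directory, a `$(RM) -r $(CACHE_DIR)/secrets` there would retire them.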


@ -10,5 +10,6 @@ For the purpose of transparency, we include our infrastructure configuration rig
## Usage ## Usage
```shell ```shell
$ sops exec-env secrets/production.enc.env $(getent passwd $UID | cut -d: -f7)
$ make $ make
``` ```


@ -0,0 +1,18 @@
DIGITALOCEAN_TOKEN=ENC[AES256_GCM,data:WB696UuIGYsH49/vf50qnr0Jc9BlyyOwI2Ro366uTnk+PV2zSoJ5/5dwK7rx5eV+KtEFSRlI77YNSGQQu7Vi2o8/oww0ZKo=,iv:6ajnqWcjni8t2pdgHIu4geakmCWZbJQXI4pTsNcDPPE=,tag:rPMz0mdYDoEfAHHFOIutDw==,type:str]
SPACES_ACCESS_KEY_ID=ENC[AES256_GCM,data:XWbMVgfsw53lrt8n7xVV7N21JrM=,iv:ixIFlfbuf9TnXpq3gb1KT2rSFRhA1Dw6WeMkC7MA6BE=,tag:71WVRoEsoWhmYJDNWQR8bg==,type:str]
SPACES_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:ZlaVEP1aLPwExen8oNGopPvDMEAEH4dRAlXfc4X+UjB9nHbK9GLmByjkYA==,iv:KXvkAliD7fpdlqRPAiVlugFZiOnjs5EcHhSMGJ/EWLI=,tag:uxU9aejIFjzX4d7mAQP7tA==,type:str]
AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:ybxNIT8vIOnmMuWA1OXUKsQO+AA=,iv:ccKucwel6s3Kttmw/c/3n5adWZV7+KOoRq/3w5IQUQU=,tag:wgK/+O9PcngtasX4UNi0tA==,type:str]
AWS_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:DSLjIaOMvNTh4MhBylu2aBtdBz4r8t7jRhUAgq5tjDJdJaW9bqy72FhXLA==,iv:3c69ee8EjPjcFBTW17zPzO5qFosn925W2BMe97d0wxU=,tag:43vbnMuvCakc79CXgc+yiw==,type:str]
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nwcFMA82rPM2mSf/aARAApVrdXQTlzUPWxFcFLcI3jy2mrgcw4hrSdCH4FsVlDUQz\ngUQUoZUU83CFdczUEcVjotS33XBuQhaS5eKa6E6BXZv89FqxphHbpCuhrwhGrV0A\n1zJbwZGvnwJl71Pj6wjgE+zCzyVw29zAxVPD3xe9OowJk1/eHmxfOqZWaJpYxcJt\nOn8V+oP8wTPlQnskpGlJqZngfWyCVH9dL+kxPFRR+dHOUgsRI4NSsIIvjIbCMfNy\nuzXZseJk7gMcwBUyRotX6teDILcOBOWHRlDqdfzy14jklB0nv9vFIEaWBrs1Gl9/\n447JQuZuMcMSZ1V65ty9OkVQj0ypcmbk+xrei/rtQYRAI3qrwEHdnbASBkLAS4MD\nxt1BnQDmCTT+gqd2CkVWg+PL7zghGjM9MjAop0eSi9C1ynlDLxJFjMtQtwHlOOGc\nb3Utt3laECLKK0nzrFIOHR3lGPwcUXynfrCOD8PVd6wnU+HkEawtVoe0toz9EJrA\nkm4eO073p1bBRa2aq4/2/zd2r4ku/qYn34FGikoMrrfkJ4twtVj6fvMuXRHLsAch\ntS2MnZ2ovWBPRqKbpJTjTQQlYpERk9aSbnt4oo1vSCC+H17kVNEDgSt5+AWy/PN8\n/5pzIzTMZPan/8dBHqCIvCjw0FBlAUhQZbPm8qnbBa091CIwguttKGz/8NWc8fHS\n5gGHypqmuYRvGNOgFYAx2mR61sMUpAe8NXZGiSirToJpOfVCOFXqBwqJzk6AOoZJ\nbXBziIr+uTumfRter7jB+hrkJwUII8L8edT1Oc6pmX+KROJg60AfAA==\n=Epd+\n-----END PGP MESSAGE-----
sops_pgp__list_0__map_created_at=2023-05-05T04:43:42Z
sops_pgp__list_2__map_created_at=2023-05-05T04:43:42Z
sops_pgp__list_0__map_fp=6B61ECD76088748C70590D55E90A401336C8AAA9
sops_pgp__list_1__map_enc=-----BEGIN PGP MESSAGE-----\n\nwcFMAw95Vf08z8oUARAApEd+PAv0sLz4jXqsK8chDqEYN2A2d+Bf8ZZcmqDnDrNR\nyKASwn8CftinXbafOLa2MJGUXMvKwNsYs+WYTUOcuVC38xWfURImJ4FCe/gATGg3\nZraGKfWltYBf4ifs+WE25w23w1sBjPXm3u5Qi8kdBkRFqygkHDcl5NG4zSftfOpF\nfQfxttsvqo1DadqOT6TcLfKIr1thPiasabXIAVHaavQTmcJC0t6cNSKIzCXcR4om\nM5Ujxyns0XyYcqLvoMEdrYDOG2X2jugsyPTfuN7rQQarqqNI6EMqBtq9YF+WUWnS\nnJuFX5Pw6aGrx9huZxcJMZcEGO0fevwI55Xrbj1H4JwEOP7cTT6siW3SEpkNyOTH\n+NrCHA/AWqTGeffejpdC3mDg+Nyks++aTJBolDZZsb/PZEz6+fUvlnmrQYckW0yY\nw/rLFafY2/6tO5OS3N6CJQUKCgeFRN7jbizLT6i5jHv7dvRulCPq5NpEDhJSAiqN\npfWKvhb7ZHWK4tvH519Z6gfOzyHK6PH8YFgssO0yrjO9XP+GIfLupVFZ+Y7VEyFx\nUnYNrecBEMg+tdJlnoJJ28QQWuGeKDlaNlwkmm5ALKodjcduoYp0IeYh68rpVLDV\nUBRKBSHg2yenkzlAsuotZH65N6ekWCERzEDDRF2elhPtEPaAQpn7MIU7OHN1vALS\n5gHzveOkQo09D32bkepp97kGGhPcUKT+CKjC89Rd9FIPPkZ/0t3RWbOhFsc3+bky\n+NZBC4pXzYlJ6nOjvGVKOqjkVRZAw7HjiDlZZiAU+j5lwuJeXgbnAA==\n=ic+S\n-----END PGP MESSAGE-----
sops_pgp__list_1__map_created_at=2023-05-05T04:43:42Z
sops_pgp__list_2__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4Dr/MjkOzuuRESAQdAIJZ5kKqyllezD+VwLZyUpNcv0jw1aEYLWkJWY7xroT0w\nA7WZiUwYwve5UEoRfMGpAPwFo9qwz0NvteO4UtkzRwz0mrqfjHu8cxaOMyhqyWpF\n0lwBeWjEcHvIPsJzCuS2v7dCcxaIHYOistpQn5Xyd699cX/qD4vmulDkrBOSYRZ1\nxiEKMyBd0mSSm/l/jxeGoHzse2FXPLGTyOSR4AUnkvr7iGKFLgCmsdwAS42xoQ==\n=bNSh\n-----END PGP MESSAGE-----\n
sops_pgp__list_2__map_fp=3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
sops_unencrypted_suffix=_unencrypted
sops_mac=ENC[AES256_GCM,data:2pvRhmNz7F/Ge/rPHz9WjHxmpx83TNT4ohBJiRVmjex27E1WEj+GGoAi+ESyGq/J+snQOE5GeVaq6osrGGkYHpX5WvuNBEzfBsVv8q7dy+i+OmDXtZTQ8AFqM/UjdKiSg63YvGqz3f6X4jqCp1N6TyDThLWNJR2OSghgcWwV1kg=,iv:XubIj6mwdpgTHCdabroQo7vatgW3KmK1woQMK6cjiG4=,tag:wlyEzJ6TbZfl8DDb7njQsg==,type:str]
sops_version=3.7.2
sops_lastmodified=2023-05-05T04:52:38Z
sops_pgp__list_1__map_fp=88823A75ECAA786B0FF38B148E401478A3FBEF72


@ -1,45 +0,0 @@
-----BEGIN PGP MESSAGE-----
hQIMAw95Vf08z8oUARAAzjif6oh8WTK7rZTojErFvexZUTdA8ur+n5+jOASFaDi2
404gYSFJlT2FN/72kWCLlggaDjG71vrth/alLjhLgnpGj5R3S7GANyu9exrqp4In
oS8hzFfqsYe7L+tBvdc2XxPgUvSxIKPC1/vrBKpCEiDaJwgGAINnvfbrUQHZktdF
jAFgc46FgZb86uUXsjvrzJ84+yd8ycD0laHgiPTYtt537/qcbFUUThE6olPl5pdr
T5Hf2Z6D+1JnDw659sBoge6rUK7eHIsEttGJgZvOEJo+yk54qzMf2IPEZASFDzF8
1r8PwQmPtrljfgYC1PhgQjCp2NBu3gPxQtihB+UNZbgUZBQHwBUSC4yH3HovzLvZ
NG8fj+E/RqsBwh+I1dDe94u1dmniFIAmYv+lnH2R+nn7c/iNy9FvmVR7mVWTqmlk
WRzS7ktGICZs4Xw/evDalbGvj2ibR9chGlmOZQpRx/TtQWSh4wbX8LQOInKEAQx/
T4IfyLtlspXEaSH0rMs9+0bCXXCgZs0vzdKgM3I2oap1e3/xH58P5cGQtUeOLJqg
xDbRH1cigMCYXxGyszcTzD45YofSQrBHtupA7xrejmswxaqifpnxCmsXvp1uNMOU
thnPtEEiOv2KdQmD+0pq2dVB4TBJ+00vutfMSiSkNxhzmmWm6RskNf69pXQqptOF
AgwDzas8zaZJ/9oBEACcqi1jzsYbQcqX2I1lTl14gwE7WGUTxOHpnHUrsV613JZr
bZKFnrGmTAl+TQAOpg2ypmomwm2e6iYY9zaHiz5PtvYJQGz7RUyBfi3PBUJnOZZg
6xDI4/9X1Yp7FNowI3NrCxickmUhAPz6cgKFxMFukebkeE78o9mvmWOU9QU2UrXm
X+AKwSCbntpsEJWIUJhIPnl/SZlg4tFUdrVo9sPHiTTp8B3hKZautQr7byzF5HAu
lDSsPZJErf0HKftkymiPkd+jTEUjj6X5UU9UND2mzkOdQXMn/bBEhbNgZ6VHBkfj
pKTcdCwulsIMt3dxV+yz+yuSLG+2qe0dDGJhf85smd2TqsBNep6DJgTv8eqt5WaK
3MsqbRAC84XOWm3aEpETzWT0bmYeMkSssDHkbQIcI/mJ7uVpjNOzkxa+aUaQfxq9
jUwwcbYOfdiB2vifUHwJ/H1KcYESQsYW+ELXM+rGn3ROk+RYc4lxlAUNtjclOHj9
og0XCKsv1XVgGKg97FnxrWuEiar0OTgXkpG4pLZfJn6JuNBmEwCG7GPy/cSJg0GJ
jDjiO3E1ZBzWFcXEn65llg4qlYtGAg1lrA6HHG+gBzXpancBv97DWkjZSQbJ6VPF
i81L+K0BjehGcUOA6iZKOWu1rpXjMGADpD90tNknAj8pgU8QGJaj6yC3AHpxvYRe
A6/zI5Ds7rkREgEHQPldmYvPi0+AODArJA3/yxWVLVbIQgZAxMsUHlDiuzhxMNks
Pt/nKodBy7b6T3Qv+hll2RADjwts2BX2rCPvTBE2zpc3tr6tg+h8e+Vz4wHzfIUC
DAOVn/hcifsxSQEP/0ME8yhCf7aV/KNH9kkrreA+7xJc9RDIspyZ7PFESxfZmVvL
o+gi3NhkfgOwzROR6VDLIUrBFdEhtHSeoFf5N0UvoGApSa/FZdf/LpfKnUbOgAER
zkgTyfC8pRCVAzwzfy+LeoinEV9OH22ZyedrG50pxrYbS1OkvRUK2Fe6uKI6Kz2O
bEcHx5fen5GPo3m11xcGAu4JHRV0E6zkiscfoZ5C+oplLtk9hho8LGs+KSR1HS3X
Ay/LdnQtiQSSiUPZebHKo2dC0gmWr9RvDI9mz2jzSsJgbEVqDq6XZkGQRna44kC8
EFl7mzp08X9QINh8XdnNcwUSMkibq32NqwqW3d7CkIA+BrSPFlmWidohyVtglCZX
fFfSVLi8gcgP1EQ23aGBkFuhNtMovwqhNYTmMNRknNmZkZcsfzAg4vWXRcum5zZR
gDQGyAQiPbeMRm7hNjpu0oVlGp6eT3cjqmwRCxXj7EmxokCMiQ86OXtMRMU7efrl
tc64xnbknDe/hP0mKXhglWR4wwF6iLRRtOEqk2uPPa3xJSB7wrax7ekSJlwOfnjY
CRWMMNCTPJrgoTDuGIGGoTPxOGkER583ruYzcl/TtNluxD6KUeacBLL7DRy4wUBi
yRMWVykGWJY30ySaBYLvrpgqpSCVly62m45/dR/AEvM9Pk8UJGlhs3lFqVrx0sA0
AQVImQi9nkGi9R6zuruVY2eM3ag+jwGsEMky1nSLjwJz6hcJNcotRtbAJYStXvta
QS4b+l0vJX65BIc45/BhpfSl4qpswweOstV9FPAbUiPVsCme2rYX6KaFGHzpz4eM
qSPmF270XsXTHO8QPL/W87q98Ve8iLJd2BCjsPqTru8RtjT5zWkDazdwfCHbnoG0
rkvI9TdWuZj5+XDVBPyW7KiMGtUp4BJFFMOcRiJPx+oipW3knJbhz9dmD5xN+J08
kc0K3uTgEalfkDtdoHtQKFeYcaq0PUUilCZr3NDYCeF34JAImXfcckdvHihi9Q0l
hiECWQ==
=2Gks
-----END PGP MESSAGE-----