Update gluetun encryption

2025-01-24 20:20:45 +00:00
parent 02c355308d
commit d74533afb5
3 changed files with 37 additions and 32 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,8 +1,8 @@
 creation_rules:
-    - path_regex: secret.yaml$
-      encrypted_regex: ^(data|stringData)$
-      # tower
-      # k8s
-      age: >-
-        age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv,
-        age1gnxrrychharz0cyapjhu3nnzzzhc38slwfpq5h5rsq7pphuk4q6shhx3ll
+  - path_regex: secret.yaml$
+    encrypted_regex: ^(data|stringData)$
+    # server vscode
+    # kairos
+    age: >-
+      age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv,
+      age1uet38mkyg2uacft9tzdfuql6y5vf9d97h4dvfq2fm5gew7rz4usqm3a7tf
--- a/apps/gluetun/secret.yaml
+++ b/apps/gluetun/secret.yaml
@@ -3,13 +3,13 @@ kind: Secret
 metadata:
    name: gluetun-env
 stringData:
-    TZ: ENC[AES256_GCM,data:LJEpoJ4aVy5Qf8w7zg==,iv:IOxz/scZUCqEhasCje3X64MCddTzrtcnOp/6wg0SHEU=,tag:PTfTjdbClLj6fnXWJFedDw==,type:str]
-    VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:ttMPiwizhg==,iv:TmptqgLRaugwq3NiGxOvM9NdnkflNLQsYoRp8fIXq0c=,tag:fXeinqe8eUn/a+MNbiKrzw==,type:str]
-    VPN_TYPE: ENC[AES256_GCM,data:1GAuiUTCew==,iv:yZFHMMXt4Z4PR5tUJ0e7k8bJbjTFPY46X2AW6LB68xE=,tag:gtveZD34ZzXXHSekDPi93Q==,type:str]
-    SERVER_COUNTRIES: ENC[AES256_GCM,data:D6O0wIPGYMBzL28=,iv:p4RoFg0iSGrLRzkw5cbOj9F0Ty+soASiwgDbwHsn2rU=,tag:PeMGdEoYSJjKv5jkiaQn3w==,type:str]
-    FIREWALL_INPUT_PORTS: ENC[AES256_GCM,data:IDFDixwvkY4YG1A=,iv:FyDaKtjza6zC1g5soqhvi5MmjGV5Ap3tFBht3zx6emM=,tag:HyNwf1wRhBoRq1CaRAtH+Q==,type:str]
-    OPENVPN_CIPHERS: ENC[AES256_GCM,data:V/VGTVVTlCsz1dg=,iv:eK6noWENyRrR5lUd8XwuAOgKz3MX1kqY3VKwvBQy0h4=,tag:JOH3Eym5k6DiBoUgpvePoA==,type:str]
-    OPENVPN_USER: ENC[AES256_GCM,data:RnZRnVakr1tPraU7PF3J1Q==,iv:1cXVtF4VfYq8Y41HVndFraxoZtwM/r4EHsowfRucBko=,tag:UgkcS89V7QKOF7ZS5Qqi+g==,type:str]
+    TZ: ENC[AES256_GCM,data:1Qc++nXCtW8Cixy4uA==,iv:8DfkaFEa9w9quxnP7xOJoi7vS5JvK7rpDPEplJV4UGc=,tag:v3TMeVVltnS1wlz3HbXqig==,type:str]
+    VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:Cc/yqmVmNw==,iv:fWWJUUtgvcP/ILuhkkybWLrh4fLsyYjrb0bOHyTn0I0=,tag:wEqJ9VaYL/dWwQgYUDZeGg==,type:str]
+    VPN_TYPE: ENC[AES256_GCM,data:e3/Pr2DBFg==,iv:eQtcNh34rZMcgp8cCaUhqB/23JWGebEA7kOD76tM1iQ=,tag:m1xYFsi2ituPNnVvNWmQQw==,type:str]
+    SERVER_COUNTRIES: ENC[AES256_GCM,data:MC8z2bPK5yTGsOQ=,iv:dJfwfqxLdd/cedWuSlLwGZn14eW1+Im/2+MSC1ldhNM=,tag:pAKK06O8AGiG03TeRkdtWA==,type:str]
+    FIREWALL_INPUT_PORTS: ENC[AES256_GCM,data:lOtPRm9CDgA/soo=,iv:Prcfoqvu8OAMMIoAwC/UBzC5gyEP9J/K9e7ZcI/B4Yc=,tag:o7cltWh/RzUu2+ahL/nC3Q==,type:str]
+    OPENVPN_CIPHERS: ENC[AES256_GCM,data:37hTpNZms8BKA+c=,iv:6qp+Lo0GTz4DV+m2Jc2xd7R05pP4WAtpV7Xlv4swoRA=,tag:2X1frGnd9Xffmifu0uG48A==,type:str]
+    OPENVPN_USER: ENC[AES256_GCM,data:Ei4dvkwiBeTo4cpUB8wSzg==,iv:uDefNem9MvGBnQSxANEXc3C6iHnlxyi/CVNQvw9twN0=,tag:zaM8xIKRRp2kUiStNT+n+w==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -19,23 +19,23 @@ sops:
        - recipient: age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpc3pXZzMraGJONnVHRGta
-            Y0J6aDB0R0NMWmpMSFcyTTk5bkJaU3NPUldJCjgydmdOZGdoaUVCb2F2amVndnFZ
-            VUgxeW1IRlRUdWRydkg4TzdSTkY5b2sKLS0tIEdCcGFBMkJ2MldMMUlsaUpoeEhF
-            RUhxNlF4NTRROXVMWExuNi9hRmJBMWcKkSzzsaY7I46F15Y11c+9J4EcoT7lqG83
-            dSdTUHsbvNBsYYGYFUkHpRr7XEgnWWecV3lpzoVYLnmvJXCwFCK8Ug==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYeHdxWFFlOFZ2d0VwQnJR
+            dVB6Qk9WSm1ERXlsSFFRazRWVlpIRC8xU1RnCjMyVGpRMUZ4clBwazVLY0FZRDlV
+            OE8xQnVwQnVSSkkxcWt5RUFCUmtubFUKLS0tIHdxS242Yjg3SGoybU1jV0VxNzY3
+            c1ZHNk1RSTdNMUt4SjBqa2NZNmtLVzQKVXmBSA2HTwWLYU4/LAw4FLTacCS4IJKN
+            SWexKEcxg4bBuMP+GZauhZY5RSK+7IDdshJkXll3TP0iM6ztt6gvXA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1gnxrrychharz0cyapjhu3nnzzzhc38slwfpq5h5rsq7pphuk4q6shhx3ll
+        - recipient: age1uet38mkyg2uacft9tzdfuql6y5vf9d97h4dvfq2fm5gew7rz4usqm3a7tf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVEtQbTF1eVhmM0xsd2tU
-            b1R5ME1PRVkrbCtTRHdFM1BWSEcrMEhEUTE4Ck5aWkQvZThOMVJpN2x2Z053WTcz
-            bDVnQTFhYjV0QWZJbC9KaG9IVlY0T1UKLS0tIDkxaXJVWlQrK2VqODBHY3RDTzBR
-            QUFpRStodHhkTmxjNEpXQ2UxSjArN0EKnzsoVUTuiJIzTlhKNCSZpPHiRRs+KSAF
-            cyZPHvxn+xebB0jkMF6awXhruPdKHwNeijGKTzVm2RtKgjX+2YMaUg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByYzh1MzhidDJhVkx3R3dJ
+            LzJ3R1VGN1hsbjBkMmo0TGY5REFSQ0s4Vng0CmhGL3FsTm01eUttSUpORkdZT1c4
+            TitCNzNYcGxtdkM5SUFLcW5QQ0NxOGcKLS0tIG8zVWlMZEZRVHdtSExaUUFxdHdy
+            MjJseVM2R2FWM1ZKZjY4azNpaUZva3MKa6NxII3XcJVIhUyzn9aPWs2cLT/YBUR2
+            OjCmnosYznV+DxjKeTuXgMK+spvz7WbBzUkcCPTgB9I/NPnuDpDrJA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-13T19:04:15Z"
-    mac: ENC[AES256_GCM,data:gXXZVu6iVZ6wqlKe4WDpQABHoxirZ1suZnaiQ+ru4sOPEQSGr2k6qyTA4uXcxSbtiw9g3JX9N34ZB2I3jNPbS+I2sfOvEr1VWe639k9OUDcWNOMEWNjK+PIiF9x81SJab9og4Z/2mdFuRXDAG9CHX6Q/sLEbsP3vpZgXeL7Xs38=,iv:yJeJPq2InZN+ewWd4yvSPTjNNo9MSgzbbxBUHL2ZCjs=,tag:2qCHVAvsucnr8yA0dkMXkA==,type:str]
+    lastmodified: "2025-01-24T20:18:44Z"
+    mac: ENC[AES256_GCM,data:cqLdb0hR4KUyxZpkXoezREg5+pLxiD080+AIMKDe4uT8MxNRdBfj7d+e9reCbi4Ev9Z1Os3Ds2B/IaS5xIbiS5xm9b1FhIoOogJkIKY3YbkU2ifnvtrddQua9S3X0/JD/fJ6Dp4OFsS6cIWccahdR9plbMTXW5Ex/MZdiId6oUU=,iv:CDpY2i6QMyvvenGlxvdYYtf4p5RVd/ALndxlDnk/7cQ=,tag:IF7DmCc0tMsLTaIub+c2hQ==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.9.0
--- a/readme.md
+++ b/readme.md
@@ -31,12 +31,13 @@ Go to https://gitea.home.joemonk.co.uk/joe/kairos-custom and add the new package
 This image will be built when pushed  
 Follow the steps to upgrade/reinstall with the new image in the config - or just upgrade the image as per the docs (not tested yet)

-## Upgrading/reinstalling
+## Upgrading

- Update the `kairos-config.yaml` to update the image or other settings  
- SSH into the server (`ssh 192.168.1.101`)  
- Run `kairos-agent webui` to start the web ui  
- Go to http://192.168.1.101:8080 and drop in the new config
+SSH into the server and run `sudo kairos-agent upgrade --source oci:gitea.home.joemonk.co.uk/joe/kairos-custom:3`, restart and confirm all is good then run `sudo kairos-agent upgrade --recovery --source oci:gitea.home.joemonk.co.uk/joe/kairos-custom:3` to update the recovery image too.
+
+## Reset
+
+Reboot to the recovery image with `kairos-agent bootentry --select statereset` to clear all data.

 ## Kubectl

@@ -60,6 +61,10 @@ kubectl create secret generic sops-age \

 Update the encryption with `sops updatekeys`, then delete age.agekey.

+TODO - This doesn't appear to work as expected, need to do:
+  - `sops -d -i apps/gluetun/secret.yaml`
+  - `sops -e -i apps/gluetun/secret.yaml`
+
 ### Using sops

 #### Encrypting