Finished secret tooling iteration

- Completed move backwards to yaml secrets
REF; Mic92/sops-nix#604

.sops.yaml

@@ -15,10 +15,10 @@ keys:
   # ERROR; Age's extension for Yubikey derived age-keys is not yet merged into sops!
   # REF; https://github.com/getsops/sops/pull/1465
   #- &yubikey_bert_proesmans age1yubikey1...
-  - &development age13s286le0puqz79e96zkpxw9pwuv9jqvgptd4k2j0n257jvgpp5qs75nejw
+  - &development_key age13s286le0puqz79e96zkpxw9pwuv9jqvgptd4k2j0n257jvgpp5qs75nejw
   # HOST KEYS
-  - &host_buddy age14an6m226h8vu06nv5q83s7vl59ytq8j9dkaujvrwgsdj98kr0ukq0a5k0g
-  - &decryptor_development age1rwl0helkcqtlx6fevquwzlw354tu87fg3tmv4gzlwsraz2ttpu0q0h2dqt
+  - &buddy_decryptor age1c27gckzuezcu4cqf7ksakksnxm4k694kjslysysas80jctjuwevsgd0ew3
+  - &development_decryptor age1rwl0helkcqtlx6fevquwzlw354tu87fg3tmv4gzlwsraz2ttpu0q0h2dqt
 
 # NOTE; These rules are in effect when using the SOPS CLI.
 # Both creation of- and running the command updatekeys will modify the key material of files with sensitive content.
@@ -29,19 +29,19 @@ creation_rules:
   - path_regex: hosts/buddy/[^/]+\.encrypted\.yaml$
     key_groups:
       - age:
-          - *host_buddy
-          - *development
+          - *buddy_decryptor
+          - *development_key
 
   - path_regex: hosts/development/[^/]+\.encrypted\.yaml$
     key_groups:
       - age:
-          - *decryptor_development
-          - *development
+          - *development_decryptor
+          - *development_key
 
   # NOTE; No path_regex as fallback option
   #
   # WARN; Use `invoke update-sops-files` after updating key assignment to secret files!
   - key_groups:
       - age:
         #- *yubikey_bert_proesmans
-          - *development
+          - *development_key

nixosModules/hosts/buddy/keys.encrypted.yaml

@@ -0,0 +1,21 @@
+buddy_decrypter: ENC[AES256_GCM,data:mrtScK491/dADqn2QE9pzh87Fw5Ck9BSjKQHpaWObZ9UNG00UviuqiRvAU88uekciN0rtb+SOMY7Iyp3e6Gu6GGwhzxVcA+igQHG5vUL7Jgkz9mDvUkmh869x+hoyH41GkZqjHBDu3d1P7HkMGGj/8uZx1MW8atZJopU8MnlYWQ6jNmeL5M7aH6FWKMXtXmAxdtEi8mrip2e/PtGDnIL9mM813Rw6e0dE44chpfSrMogy4nRW1jt,iv:zcPIrJeRTXooyaKceZzGUi7/NK93zxOs7x7ihEXksfY=,tag:i54ZhU0Of5L+5K0ha+ICTw==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age13s286le0puqz79e96zkpxw9pwuv9jqvgptd4k2j0n257jvgpp5qs75nejw
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSk9Cc3BQZXMyNkJVZ1lO
+        aUJhcSsvWkl0eGN5QWFpRlppS3RTWmlIeEFJCkxUNlhPTGFyQm0rRDdvdncxWlZx
+        WGIvcDc5K3NFOWEwNFNla3QvSVd6dTgKLS0tIGpKM3d1RnVXdjZQbFRtV2tyc2h4
+        OUpOV0V6U2FtckNoS0JHSlNDTEYzTTgKu3CB3muX8XNefBzI+Ydn1Da5kERepERp
+        1pJDoNwMqGyoilmlDtNEIu7W3gTnRCpPoddSqr/xhaueXqW89qj9cg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-08-04T12:32:10Z"
+  mac: ENC[AES256_GCM,data:zruU4w37DOsArIPpx5BOXH6pzRFEl07+UUe75GdEEXuE9b6qvcKaGzC0DOMCQvYzssK05Ikxj9LU34Sc/W96hhgw+772s9ZSe5XaSBlykN70Q64k7b5IVqKXa+/6qJp2nUgCQE1f9bxKqq0ITsHJMRkU35rZWojRlCFA6ao9eDE=,iv:eM5fdRxd6ZwejUzeft66C+Ln7bTvy28FhWLrm5VARYc=,tag:mDMOnzFwJrD9Eo242sjnbA==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0

nixosModules/hosts/buddy/secrets.encrypted.yaml

@@ -0,0 +1,21 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data:0S1p/xEAJeUgrbpmVF1VC08TlRI+qlTJdZYf4jkvK63gov8+DFqs92mh1WTsyuZWu04PQw2Nz8SLXEg2VvJooXwFlblqc6vuBl/UwVZuDCwMgAl6BIP3Ja1ljCBzCdP5IOjpPsHrpH2cVxZ4HmznZNEkJkhdX2AnSnd2NV/kiCopmmUdRlLrmSL1uP1xEUmkMUWhKO0W4NbMHGl6njmQLhQNPodzhQwrTcEK5JZFQCn1DkPQAyKPA28TuaI+XM7gAX8Wer4IIcW3fWc0uxMZB1snzD+HH1/kEI32xHZmIbKprsV0tXJhkxPtk/P5ZN8X331PB2ycivULOTnMMoVZ04dmPip0yFhvV2lO+oJjDJIc0zp0CwOwgNRipwkT24Lwx/5XnNBo/QolIFFWA2Xe7ue8VG296PGDamUfcsDBMDwN5UknF77wfg/AXQBxZtU5IhhK/UzaoB/kniec8xOh5urmb4ISTqsOTyvKkjF6NE73llXIuy1K77zCMar1/YvunnK+ZzoczAFRK211uRutEhIO6ruUMBiTTcTwlie7PWJKMBo=,iv:bjqm6HIohTysvLYJQofHkQ/yRHwkc0qucAbH7wheO6c=,tag:2/pGxwUKGIsq8pixurY3Sw==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age13s286le0puqz79e96zkpxw9pwuv9jqvgptd4k2j0n257jvgpp5qs75nejw
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM2tDRjM5eldtVmYzYnl0
+        ZytkemxDZmw5Tkl6QXN1OEVvRFVvcXdsdlNNCmRkb0QxcVpYS2RPOThrRmZha21R
+        cklpTStndlpOSWdjQ2JRbjNjWWVrZlEKLS0tIDVYOHJ6ckI1aDI4aWsxSWNLMDFO
+        aktOMVBTVDlrU3VEZk1hY0ZxcVl6ekEKU3Qax3MPVGyzFF0hJNTpl0YIw8XJmhai
+        R33YySG56117l+x8bT63IlcJAx76bPRiVXWAGB4a2RPug1RQ5USxUw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-08-04T12:37:45Z"
+  mac: ENC[AES256_GCM,data:fi/5VJPlzRP7FFPWbio/SC97yYSMypats9a/Ko+WBYfgl0Az/zAQFDu+Q9zaAp7C2izog6N77cCy27GTL9VUQeMNYbRaUyPywfcR16w/fn2MzTn32QAIaLS/mfxoBELs6cDLPos767N7ebi7OlqT+qBigAdSk3zNKYAjPnVEQOg=,iv:+tSjMMeGGlc5cvF2j15CC63oCrWJKghVU0FAlEcJ1Uo=,tag:XOlSyy2edtM1e//3EBf9cw==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0

nixosModules/hosts/development/default.nix

@@ -201,8 +201,16 @@
     owner = config.users.users.root.name;
     group = config.users.users.root.group;
     mode = "0400";
+    restartUnits = [ systemd.services.sshd.name ];
   };
 
+  services.openssh.hostKeys = [
+    {
+      path = "/etc/ssh/ssh_host_ed25519_key";
+      type = "ed25519";
+    }
+  ];
+
   microvm.host.enable = lib.mkForce true;
   microvm.vms = {
     test = {

tasks.py

@@ -32,6 +32,21 @@ def default_decryptor_name(hostname: str) -> str:
     return f"{hostname}_decrypter"
 
 
+def find_string_in_file(file_path, needle):
+    try:
+        with open(file_path, "r") as file:
+            for line in file:
+                if needle in line:
+                    return True
+        return False
+    except FileNotFoundError:
+        print(f"find_string_in_file: The file at {file_path} was not found.")
+        raise
+    except Exception as e:
+        print(f"find_string_in_file: An error occurred: {e}")
+        raise
+
+
 @task
 # USAGE: invoke check
 def check(c: Any) -> None:
@@ -43,22 +58,13 @@ def check(c: Any) -> None:
 
 
 @task
-# USAGE: invoke check
-def format(c: Any) -> None:
-    """
-    Format the source code of this repository.
-    """
-    c.run("nix fmt")
-
-
-@task
-def update_sops_files(c: Any) -> None:
+def sops_files_update(c: Any) -> None:
     """
     Update all sops files according to .sops.yaml rules
     """
     environment = os.environ.copy()
     environment.pop("SOPS_AGE_KEY_FILE", None)
-    environment["SOPS_AGE_KEY"] = decrypt_dev_key()
+    environment["SOPS_AGE_KEY"] = dev_key_decrypt()
 
     subprocess.run(
         """
@@ -75,7 +81,7 @@ def private_opener(path: str, flags: int) -> Union[str, int]:
     return os.open(path, flags, 0o400)
 
 
-def decrypt_dev_key() -> str:
+def dev_key_decrypt() -> str:
     assert DEV_KEY.exists(), """
         The encrypted development key is not found next to the tasks.py file!
     """
@@ -134,7 +140,7 @@ def deploy(
 
     environment = os.environ.copy()
     environment.pop("SOPS_AGE_KEY_FILE", None)
-    environment["SOPS_AGE_KEY"] = decrypt_dev_key()
+    environment["SOPS_AGE_KEY"] = dev_key_decrypt()
 
     print(f"Decrypting AGE identity from {encrypted_file}:{secret_name}..")
     age_key = subprocess.run(
@@ -219,7 +225,7 @@ def secret_edit(
 
     environment = os.environ.copy()
     environment.pop("SOPS_AGE_KEY_FILE", None)
-    environment["SOPS_AGE_KEY"] = decrypt_dev_key()
+    environment["SOPS_AGE_KEY"] = dev_key_decrypt()
 
     result = subprocess.run(
         ["sops", encrypted_file.as_posix()],
@@ -237,7 +243,7 @@ def secret_edit(
 
 @task
 # USAGE; invoke create-ssh-key development ["secrets.encrypted.yaml"] ["ssh_host_ed25519_key"]
-def create_ssh_key(
+def ssh_key_create(
     c: Any,
     hostname: str,
     secrets_file: str = "secrets.encrypted.yaml",
@@ -320,9 +326,18 @@ def create_ssh_key(
             check=True,
         )
     else:
+        if find_string_in_file(encrypted_file, f"{secret_name}:"):
+            warnings.warn(
+                "The secret name is found in the encrypted file, it's very likely we're gonna overwrite existing data"
+            )
+            if not ask_user_input(
+                "Do you want to keep going and possibly overwrite your encrypted data?"
+            ):
+                raise ValueError("Process canceled as to not overwrite data")
+
         environment = os.environ.copy()
         environment.pop("SOPS_AGE_KEY_FILE", None)
-        environment["SOPS_AGE_KEY"] = decrypt_dev_key()
+        environment["SOPS_AGE_KEY"] = dev_key_decrypt()
 
         subprocess.run(
             [
@@ -342,7 +357,7 @@ def create_ssh_key(
 
 
 @task
-def create_development_key(c: Any, name: str = "development") -> None:
+def development_key_create(c: Any, name: str = "development") -> None:
     """
     Creates a new development key, password protect it, and store it at path {FLAKE}/<name>.age
 
@@ -354,7 +369,7 @@ def create_development_key(c: Any, name: str = "development") -> None:
 
 @task
 # USAGE; invoke create-decrypter-key development
-def create_decrypter_key(c: Any, hostname: str, secret_name: str = None) -> None:
+def decrypter_key_create(c: Any, hostname: str, secret_name: str = None) -> None:
     """
     Create a new AGE key for encrypting/decrypting all secrets provided to a host.
     """
@@ -412,9 +427,18 @@ def create_decrypter_key(c: Any, hostname: str, secret_name: str = None) -> None
         )
         return
 
+    if find_string_in_file(encrypted_file, f"{secret_name}:"):
+        warnings.warn(
+            "The secret name is found in the encrypted file, it's very likely we're gonna overwrite existing data"
+        )
+        if not ask_user_input(
+            "Do you want to keep going and possibly overwrite your encrypted data?"
+        ):
+            raise ValueError("Process canceled as to not overwrite data")
+
     environment = os.environ.copy()
     environment.pop("SOPS_AGE_KEY_FILE", None)
-    environment["SOPS_AGE_KEY"] = decrypt_dev_key()
+    environment["SOPS_AGE_KEY"] = dev_key_decrypt()
 
     subprocess.run(
         [