A Demo of Mozilla SOPS
```sh
# Resolve the latest sops release tag from the GitHub API
SOPS_LATEST_VERSION=$(curl -s "https://api.github.com/repos/mozilla/sops/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+')

# Debian / Ubuntu (.deb package)
curl -Lo sops.deb "https://github.com/mozilla/sops/releases/latest/download/sops_${SOPS_LATEST_VERSION}_amd64.deb"
sudo apt --fix-broken install ./sops.deb
rm -rf sops.deb

# Fedora / RHEL (.rpm package)
curl -Lo sops.rpm "https://github.com/mozilla/sops/releases/latest/download/sops_${SOPS_LATEST_VERSION}_x86_64.rpm"
sudo dnf localinstall ./sops.rpm
rm -rf sops.rpm

# Confirm the install
sops -v
```
```sh
# Resolve the latest age release tag the same way SOPS_LATEST_VERSION is resolved above
AGE_LATEST_VERSION=$(curl -s "https://api.github.com/repos/FiloSottile/age/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+')
curl -Lo age.tar.gz "https://github.com/FiloSottile/age/releases/latest/download/age-v${AGE_LATEST_VERSION}-linux-amd64.tar.gz"
tar xf age.tar.gz
sudo mv age/age /usr/local/bin
sudo mv age/age-keygen /usr/local/bin

# Confirm the install
age -version
age-keygen -version
```

```sh
# Generate an age key pair; the key file also carries the public key in a "# public key:" comment line
mkdir ~/.sops && cd ~/.sops && age-keygen -o key

# Point sops at the private key: bash ...
echo "export SOPS_AGE_KEY_FILE=$HOME/.sops/key" >> ~/.bashrc && . "$HOME"/.bashrc
# ... or zsh (-x exports the variable so that child processes such as sops can see it)
echo "typeset -gx SOPS_AGE_KEY_FILE=$HOME/.sops/key" >> ~/.zshrc && . "$HOME"/.zshrc
```
```yaml
# ./secret.yaml
version: '3'
services:
  auth:
    container_name: auth
    image: authelia/authelia:latest
    expose:
      - 9091
    volumes:
      - /opt/appdata/authelia:/config:Z
    labels:
      traefik.enable: true
      traefik.http.routers.auth.entryPoints: https
    networks:
      - traefik-socket-proxy
    restart: unless-stopped
    depends_on:
      - redis
      - mariadb
  redis:
    container_name: redis
    image: bitnami/redis:latest
    expose:
      - 6379
    volumes:
      - /opt/appdata/redis:/bitnami/
    environment:
      REDIS_PASSWORD: "${REDIS_PASS}"
    networks:
      - traefik-socket-proxy
    restart: unless-stopped
  mariadb:
    container_name: mariadb
    image: linuxserver/mariadb:latest
    expose:
      - 3306
    volumes:
      - /opt/appdata/mariadb:/config
    environment:
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT}"
      MYSQL_ROOT_USER: root
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: "${MYSQL_DB}"
    networks:
      - traefik-socket-proxy
    restart: unless-stopped
networks:
  traefik-socket-proxy:
    driver: bridge
    external: true
```
```sh
# sops tests --encrypted-regex against key names, so the pattern ends in PASSWORD without the YAML colon
sops --encrypt --age $(cat "$SOPS_AGE_KEY_FILE" | grep -oP "public key: \K(.*)") --encrypted-regex '^(.*PASSWORD)$' --in-place ./secret.yaml
```

This command uses the `sops` tool to encrypt the YAML file `./secret.yaml` in place. The options used in this command are:

- `--encrypt`: tells `sops` to encrypt the secrets in the file.
- `--age $(cat "$SOPS_AGE_KEY_FILE" | grep -oP "public key: \K(.*)")`: specifies the key type to encrypt with, in this case `age`, together with the age public key to encrypt to. The `cat` command reads the file named by the `$SOPS_AGE_KEY_FILE` environment variable, and `grep` extracts the public key from that file. The extracted key is passed to `sops` as the argument of the `--age` option.
- `--encrypted-regex '^(.*PASSWORD)$'`: a regular expression that `sops` matches against key names to identify the secrets in the file. Here it matches any key name that starts with any number of characters (`.*`) and ends with the string `PASSWORD`. sops applies the pattern to key names, not to the `key: value` text of the file, so the `:` that follows a key in YAML must not be part of the pattern.
- `--in-place`: tells `sops` to modify the file in place, rather than writing the encrypted secrets to a new file.
In the case of the above example, sops will encrypt the values of the `REDIS_PASSWORD`, `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` entries, which hold the `REDIS_PASS`, `MYSQL_ROOT` and `MYSQL_DB` environment variable references in the YAML file. These values are assigned in the `redis` and `mariadb` services and can be seen in the following lines:

```yaml
environment:
  REDIS_PASSWORD: "${REDIS_PASS}"
```

```yaml
environment:
  MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT}"
  MYSQL_PASSWORD: "${MYSQL_DB}"
```

The encrypted values are written back to the same file, replacing the original clear-text values.
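Because `--encrypted-regex` is tested against the key names on the path to each value (never against the `key:` text of the file), it is worth listing which keys a pattern selects before encrypting, so that no password is silently left in clear text. The script below is an added check, not part of the original post or of sops itself; it mirrors sops's selection rule on a constructed nested dict that reproduces the structure of the compose file above (list items contribute no key to the path), and also shows that a pattern with a trailing colon, such as `^(.*PASSWORD:)$`, selects nothing.

```python
import re

# Constructed sample: the key structure of the compose file above (services and their
# environment blocks), as the parsed YAML tree that sops walks.
COMPOSE_TREE = {
    "services": {
        "auth": {"image": "authelia/authelia:latest", "expose": [9091]},
        "redis": {
            "image": "bitnami/redis:latest",
            "environment": {"REDIS_PASSWORD": "${REDIS_PASS}"},
        },
        "mariadb": {
            "image": "linuxserver/mariadb:latest",
            "environment": {
                "MYSQL_ROOT_PASSWORD": "${MYSQL_ROOT}",
                "MYSQL_ROOT_USER": "root",
                "MYSQL_DATABASE": "authelia",
                "MYSQL_USER": "authelia",
                "MYSQL_PASSWORD": "${MYSQL_DB}",
            },
        },
    },
}

def leaf_paths(tree, path=()):
    """Yield (key path, value) for every scalar; list items add no key to the path."""
    if isinstance(tree, dict):
        for key, value in tree.items():
            yield from leaf_paths(value, path + (key,))
    elif isinstance(tree, list):
        for item in tree:
            yield from leaf_paths(item, path)
    else:
        yield path, tree

def selected_for_encryption(tree, encrypted_regex):
    """Key paths whose values sops would encrypt: the pattern is searched in each key
    name on the path to the value, never in the 'key: value' text of the file."""
    pattern = re.compile(encrypted_regex)
    return ["/".join(path) for path, _ in leaf_paths(tree)
            if any(pattern.search(key) for key in path)]

def unprotected_keys(tree, encrypted_regex, secret_keys):
    """Secret key names the pattern would leave in clear text (empty means all covered)."""
    covered = {p.rsplit("/", 1)[-1] for p in selected_for_encryption(tree, encrypted_regex)}
    return [key for key in secret_keys if key not in covered]

if __name__ == "__main__":
    for regex in (r"^(.*PASSWORD)$", r"^(.*PASSWORD:)$"):
        print(regex, "->", selected_for_encryption(COMPOSE_TREE, regex))
```

A pattern that matches a parent key, such as `^environment$`, selects every value beneath it, which is the same rule sops uses for nested keys.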
```sh
sops --decrypt --age $(cat "$SOPS_AGE_KEY_FILE" | grep -oP "public key: \K(.*)") --encrypted-regex '^(.*PASSWORD)$' --in-place ./secret.yaml
```

The above `sops` command decrypts the values that were encrypted in the YAML file. The regular expression `'^(.*PASSWORD)$'` matches key names that end with the string `PASSWORD`, so the values of those keys are decrypted by `sops`. The decrypted values are written back to the same file, replacing the encrypted values.

The `--age` option names the age public key; the private key needed for decryption is read from the file that `$SOPS_AGE_KEY_FILE` points to. The public key is obtained from that same file and extracted using `grep` with the `-oP` options, which print only the matched part of the line using Perl-compatible regex syntax. The regular expression `"public key: \K(.*)"` matches the string `"public key: "` followed by any characters; `\K` discards the matched prefix, so only the captured key is printed by `grep`.