secrets: refactor and separate

All secrets are now separated per host, i.e. hermes and bebop only
deploy the secrets that they need.

- Code is duplicated across agenix.nix files in both hosts, but that is
a problem for another day
- outline secret is removed as well as allowing broken nginx package for
it
- onedrive upload secrets are also removed now, since I haven't used
them for nearly 2 years now.
Payas Relekar 2023-09-23 11:04:05 +05:30
parent 873741929c
commit 87f024f7ea
23 changed files with 65 additions and 65 deletions


@ -112,7 +112,7 @@
./hosts/bebop/gitea.nix
agenix.nixosModules.age
./hosts/hermes/secrets/agenix.nix
./hosts/bebop/secrets/agenix.nix
# User-specific config : Home-manager
home-manager.nixosModules.home-manager
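Review bot: The rendered hunk has lost its +/- markers, so it is not clear whether `./hosts/hermes/secrets/agenix.nix` is the line being replaced or a line that stays; if both the hermes and the bebop `secrets/agenix.nix` remain in this one module list, the host would decrypt both hosts' secret sets, which contradicts the per-host separation the commit describes. If the hermes line is the old one, a short comment on the new line such as `# per-host agenix secrets; the matching recipients live in hosts/<host>/secrets/secrets.nix` would make the intent explicit for the next reader. The enclosing modules list starts and ends outside the hunk.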


@ -26,14 +26,6 @@ in
};
};
# because stupid getoutline.com
nixpkgs.config = {
allowUnfree = true;
permittedInsecurePackages = [
"nodejs-16.20.0"
];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";


@ -0,0 +1,40 @@
{ lib, ... }:
# copied pretty much verbatim from hlissner's dotfiles repo:
# https://github.com/hlissner/dotfiles/blob/4539d607778820cd6fd97b6c81c1cfcd6cb7e226/modules/agenix.nix
#
# I get the idea and understand what the code does, but it will probably take a while to fully write
# something like this myself
with builtins;
with lib;
let
secretsDir = ./.;
secretsFile = "${secretsDir}/secrets.nix";
payas = "payas";
in
{
# imports = [ agenix.nixosModules.age ];
# TODO: Find a way to make agenix available in the runtime NixOS evaluation
# environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
age = {
secrets =
if pathExists secretsFile
then
mapAttrs'
(n: _: nameValuePair (removeSuffix ".age" n)
{
file = "${secretsDir}/${n}";
owner = payas;
})
(import secretsFile)
else
{ };
identityPaths = lib.mkForce
[
"/home/payas/.ssh/age"
];
};
}
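Review bot: Every decrypted secret is given `owner = payas` with no `group` or `mode`, regardless of which service consumes it; with agenix's default owner-only mode that means a service running under its own account (the sibling secrets.nix lists minio, vaultwarden, nginx, etebase, photoprism and freshrss entries) cannot read its file unless it runs as that user, and the interactive user ends up holding every service credential. Consider letting secrets.nix carry the metadata and deriving it here, binding the attribute value instead of discarding it with `_`, e.g. `owner = v.owner or payas; group = v.group or "users"; mode = v.mode or "0400";` — I believe the agenix CLI only reads `publicKeys` from that file, so extra attributes should be harmless, but confirm against the agenix version in the flake. Separately, `identityPaths = lib.mkForce [ "/home/payas/.ssh/age" ]` drops the host SSH keys and makes boot-time decryption depend on a file inside a user's home, which will be missing at activation if /home is a separate or later mount. The `else { }` branch also silently yields no secrets when secrets.nix is absent; wrapping the expression with `lib.warnIf (!pathExists secretsFile) "agenix: ${secretsFile} not found, no secrets defined"` would surface that instead of failing later in whichever service expected the secret.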


@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 dy7D9w 7No0DsdBZnT2q+pEyfZWs25tzwCG5pufTlfY7rHnbWk
p96mO5AcA5Heio2zXSxl0G2YmOuU3pzZtwcqJHc1QdE
--- jaEARnhHeBNOSUwjMYYQPyh5f18qRFmMCnW71H6itqU
Ãx³qH1Y©^œSZ: ~äÅk^ Á²˜»t6Oým^Í©ž<Úå€EÂÄDU‰/ϳqhÞ/×ÙE¶¶i/z^7£ªZÂT4ÿ…+Sãeƒ9ƒ¹¥ÃfÍ­
<EFBFBD>z®“{c\m&rͺZÿ©rϾþ¨O·Ð”»z{þn2КÖi<C396>u`


@ -0,0 +1,18 @@
let
ageKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPziuF0B4Vj/W434rpshcvQu2KieXjGc8HnwymLapyLu nixos@enterprise";
in
{
"enterprise-nix-cache-key-sec.age".publicKeys = [ ageKey ];
"minio.age".publicKeys = [ ageKey ];
"minio_secret_key.age".publicKeys = [ ageKey ];
"tunnel_bebop.json.age".publicKeys = [ ageKey ];
"vaultwarden.age".publicKeys = [ ageKey ];
"vaultwarden_smtp.age".publicKeys = [ ageKey ];
"gandalf_mail.age".publicKeys = [ ageKey ];
"nginx.age".publicKeys = [ ageKey ];
"etebase.age".publicKeys = [ ageKey ];
"photoprism.age".publicKeys = [ ageKey ];
"kavita_token_key.age".publicKeys = [ ageKey ];
"freshrss.age".publicKeys = [ ageKey ];
"tiddlywiki.csv.age".publicKeys = [ ageKey ];
}
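Review bot: Every entry is encrypted to the single recipient `ageKey`, whose comment reads `nixos@enterprise` although entries such as `tunnel_bebop.json.age` suggest this is a bebop host file; if that key is the identity expected at `/home/payas/.ssh/age` in the sibling agenix.nix, a compromise of that one user key exposes every service secret on the host, and any rotation means re-keying all thirteen files at once. Consider adding the host's own SSH host key as a second recipient, e.g. `hostKey = "ssh-ed25519 <public key from /etc/ssh/ssh_host_ed25519_key.pub, not shown on page>";` and `publicKeys = [ ageKey hostKey ];`, so activation can decrypt with the root-owned host key and the user key remains a fallback for editing. A one-line header comment stating which host this file belongs to and which private key matches `ageKey` would also help the next reader.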


@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 dy7D9w ccKo6iVUtF/88bxSy1B8xnRYBUkbnbi/heOcS0zYEDY
Rraz/mFj1fR95kJZRCSJ7SRAQUtgHjOZJi0VvzYGmvk
-> ZwkrMG-grease <?G)_dY N !KANB*" -hB+Su(
U5LEeJZOBtIWPWGBEQ
--- yE1a37Lu918LVJumhD9gYvxWb/6OweXzYrOeoC+tnp8
ã_× ñæ<C3B1>â¢6Ñép4äÕ·ÆÞ,«ïÆ}Zf?OZÞ£;Ä5§dCÖ×­_ÄkÂ"dcÓ@ÛC­¹Ê±@Bž<42>BlËižum)±P?¢Ç—²·yÍ0ð(!¢Ëô]â=3‰îæ!I‡{Cúö˜ªêž.kcÛ}»¾<C2BB>ò|í·hàá®


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 dy7D9w 5OnF9DkSjroG96Q88oo04Q1EINi3wcN/vfyzKALrMww
kBc2w/X+Od+ouik4AsH7YZlNoZGPfWGt1NXUip9yfwY
-> g(-grease A
zT177g
--- JFz13LrERcGNmpmtjp9IK92FDyAUpxK00Kal7CsYyZ8
ñþºÆÅn_1ÙH"žQ[2Àvh%ê¾E…AînÀԜͥIáÏE@Í¿s†,Ÿ4]\FÂ[”jöÈ`oÓ¼=}…~®g>•ÈPÎHÈÃ
e>'¶FÚø÷ÿÞ™·C¹¯'@ðVÞš¸ÖÛSc$Љ@˜`/E|Uàtì“


@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 dy7D9w xC37tag9WURP2fyg2vt/Tkvs+pkFOgBFU0HSwfQc6gc
6f+DHMOjT9aIaLLn+ukes2/085qbvXJgZ8REat47EKg
-> /1g%3-grease "qXX]O% QE<} 'Kp
ukubmfrVBsEDG4LiEZFOoDlkxFPRwUarOdwWY10S
--- S3VCXmTrn6hBiGhDZaTCUlcWixX/yqTis7s7v5zHFnE
ü']¼p y"`ob«\oÌN»&iƒÆçMhÜvîÝ¡7^<5E>¬Ñ<C2AC>ã@™O4#JÆ 


@ -3,23 +3,7 @@ let
in
{
"maildir_relekarpayas_onedrive.age".publicKeys = [ ageKey ];
"syncthing_relekarpayas_googledrive.age".publicKeys = [ ageKey ];
"syncthing_relekarpayas_onedrive.age".publicKeys = [ ageKey ];
"org_relekarpayas_googledrive.age".publicKeys = [ ageKey ];
"org_relekarpayas_onedrive.age".publicKeys = [ ageKey ];
"mu4e_gmail.age".publicKeys = [ ageKey ];
"enterprise-nix-cache-key-sec.age".publicKeys = [ ageKey ];
"chatgpt_api_key.age".publicKeys = [ ageKey ];
"minio.age".publicKeys = [ ageKey ];
"minio_secret_key.age".publicKeys = [ ageKey ];
"tunnel_bebop.json.age".publicKeys = [ ageKey ];
"vaultwarden.age".publicKeys = [ ageKey ];
"vaultwarden_smtp.age".publicKeys = [ ageKey ];
"gandalf_mail.age".publicKeys = [ ageKey ];
"nginx.age".publicKeys = [ ageKey ];
"etebase.age".publicKeys = [ ageKey ];
"photoprism.age".publicKeys = [ ageKey ];
"kavita_token_key.age".publicKeys = [ ageKey ];
"freshrss.age".publicKeys = [ ageKey ];
"tiddlywiki.csv.age".publicKeys = [ ageKey ];
}


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 dy7D9w O2oC8+mG4ddds/vWrEgoKcH/08Uf+Asb+5IMvHFaC04
zTptkB7UdU0BGm2tOUTjllYHsv3tEkt+k61VgyCnnZw
-> A$-grease 2MWD =a@~f
h1ff7UE4JFUCf2hRMDEBnOrsvbEztceDSaMVTyzzzsf+D9TYLeA7Liv8zJuOu1PV
pTCXhpWqO0Th9ol9fJc3eQ7MxuiGOSGm6H65HPIjgxWJNSLmNg
--- vbumS83Qmuc1aOt0o7Rut1P5kSVix/AKL7SLJBKVD6A
-:VÅøhN¡Õëüû41þž¨N<ÃY´­­ãirò­
€uÏß<EFBFBD>Â'q#P—xJLd‰ë9v:4äŽ7rpÝ&º\<5C>CÒ]=ê 9uWÙÍ÷…r£¹ñÆkdÇ>+ç@·!ÍÞy@W“o$ñ<>þ|(žD¨4G0&ýÔÝ¡


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 dy7D9w cC14jHh4xEnU4ytYVPvsHFItTP32ejCva6JIfyL7yCg
OynqzGM3787awMhBuUuSq3+LNiw8BQbQzPDH3fx08aU
-> 1}N-grease 63VK8 ' \ S=if
ZACSbwxOec//qcHEPOWoc9lTTcf6eIK2g2Bw4xXjqYD5/F08jXx5By4REgLsvg7h
jzGImN08q5msOunmJNlc5AV2lWvUVU7860sn/5ZLJQ5/F9G5Rl2fK7xs
--- 8m6Tz3ExeYuw/IiMYJu3jGbTqhQNaKXNc7Y6BIDQuxc
Fgî);ÐÍ­Cd<43><64>Ó=gA/"´¥:ë-à ]ºº@XñgOÌ2j…Ÿ=«Ø7,ð”WäãŠ?på d´Dæßÿ_ÙëI†Ÿ<07>qVóóÝ®°nzù¢휗<C593>è!y[ihC¨f³\Ãú@AL_©R+\ÅýNCK<43>?Q÷
íã