secrets: refactor and separate
All secrets are now separated per host, i.e. hermes and bebop only deploy the secrets that they need. - Code is duplicated across the agenix.nix files of both hosts, but that is a problem for another day - the outline secret is removed, as well as the allowance for the broken nginx package it needed - the onedrive upload secrets are also removed, since I haven't used them for nearly 2 years.
This commit is contained in:
parent
873741929c
commit
87f024f7ea
23 changed files with 65 additions and 65 deletions
|
@ -112,7 +112,7 @@
|
|||
./hosts/bebop/gitea.nix
|
||||
|
||||
agenix.nixosModules.age
|
||||
./hosts/hermes/secrets/agenix.nix
|
||||
./hosts/bebop/secrets/agenix.nix
|
||||
|
||||
# User-specific config : Home-manager
|
||||
home-manager.nixosModules.home-manager
|
||||
|
|
|
@ -26,14 +26,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
# because stupid getoutline.com
|
||||
nixpkgs.config = {
|
||||
allowUnfree = true;
|
||||
permittedInsecurePackages = [
|
||||
"nodejs-16.20.0"
|
||||
];
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/disk/by-label/NIXOS_SD";
|
||||
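Review bot: The whole `nixpkgs.config` block appears to go with the getoutline workaround, so `allowUnfree = true;` is dropped together with `permittedInsecurePackages`; if any unfree package is still used on this host, evaluation will now fail, and if dropping it is intended the commit message should say so. Removing the `"nodejs-16.20.0"` entry from `permittedInsecurePackages` is the right direction, although the commit message attributes the allowance to an nginx package rather than to nodejs. The file this hunk belongs to is not named on the page, and the enclosing attribute set starts and ends outside the hunk.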
|
|
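--- /dev/null
+++ b/hosts/bebop/secrets/agenix.nix
@@ -0,0 +1,40 @@
+{ lib, ... }:
+
+# copied pretty much verbatim from hlissner's dotfiles repo:
+# https://github.com/hlissner/dotfiles/blob/4539d607778820cd6fd97b6c81c1cfcd6cb7e226/modules/agenix.nix
+#
+# I get the idea and understand what the code does, but it will probably take a while to fully write
+# something like this myself
+
+with builtins;
+with lib;
+let
+secretsDir = ./.;
+secretsFile = "${secretsDir}/secrets.nix";
+payas = "payas";
+in
+{
+# imports = [ agenix.nixosModules.age ];
+
+# TODO: Find a way to make agenix available in the runtime NixOS evaluation
+# environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
+
+age = {
+secrets =
+if pathExists secretsFile
+then
+mapAttrs'
+(n: _: nameValuePair (removeSuffix ".age" n)
+{
+file = "${secretsDir}/${n}";
+owner = payas;
+})
+(import secretsFile)
+else
+{ };
+identityPaths = lib.mkForce
+[
+"/home/payas/.ssh/age"
+];
+};
+}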
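Review bot: Every decrypted secret gets `owner = payas;` regardless of which service consumes it, so service credentials such as the vaultwarden, nginx, minio and etebase entries listed in the adjacent secrets.nix become readable by the interactive user rather than by the service account, and a service running as its own user cannot read them without a later mode change. Passing the per-secret attributes through from secrets.nix keeps the current default while letting each entry override it, e.g. `(n: v: nameValuePair (removeSuffix ".age" n)` and `({ file = "${secretsDir}/${n}"; owner = payas; } // removeAttrs v [ "publicKeys" ]))` — this assumes the agenix CLI ignores extra attributes next to `publicKeys`, which should be confirmed before relying on it. `identityPaths = lib.mkForce [ "/home/payas/.ssh/age" ]` also discards the default host SSH key identities and makes every decryption depend on a key that lives inside a user-writable home directory, which deserves at least a comment on that line explaining why the host keys are not used. Since the file already opens with `with lib;`, the `lib.` prefix on `lib.mkForce` is redundant.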
6
hosts/bebop/secrets/enterprise-nix-cache-key-sec.age
Normal file
6
hosts/bebop/secrets/enterprise-nix-cache-key-sec.age
Normal file
|
@ -0,0 +1,6 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w 7No0DsdBZnT2q+pEyfZWs25tzwCG5pufTlfY7rHnbWk
|
||||
p96mO5AcA5Heio2zXSxl0G2YmOuU3pzZtwcqJHc1QdE
|
||||
--- jaEARnhHeBNOSUwjMYYQPyh5f18qRFmMCnW71H6itqU
|
||||
Ãx³qH1Y©^œSZ: ~äÅk^Á²˜‘»t6Oým^Í©ž<Úå€EÂÄDU‰/ϳqhÞ/×ÙE¶¶i/z^7£ª–ZÂT4ÿ…+Sãe‰‚ƒ9ƒ¹¥ÃfÍ
|
||||
<EFBFBD>z®“{c\m&rͺZÿ©rϾþ¨O·Ð”»z{þn2КÖi<C396>u`
|
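--- /dev/null
+++ b/hosts/bebop/secrets/secrets.nix
@@ -0,0 +1,18 @@
+let
+ageKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPziuF0B4Vj/W434rpshcvQu2KieXjGc8HnwymLapyLu nixos@enterprise";
+in
+{
+"enterprise-nix-cache-key-sec.age".publicKeys = [ ageKey ];
+"minio.age".publicKeys = [ ageKey ];
+"minio_secret_key.age".publicKeys = [ ageKey ];
+"tunnel_bebop.json.age".publicKeys = [ ageKey ];
+"vaultwarden.age".publicKeys = [ ageKey ];
+"vaultwarden_smtp.age".publicKeys = [ ageKey ];
+"gandalf_mail.age".publicKeys = [ ageKey ];
+"nginx.age".publicKeys = [ ageKey ];
+"etebase.age".publicKeys = [ ageKey ];
+"photoprism.age".publicKeys = [ ageKey ];
+"kavita_token_key.age".publicKeys = [ ageKey ];
+"freshrss.age".publicKeys = [ ageKey ];
+"tiddlywiki.csv.age".publicKeys = [ ageKey ];
+}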
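Review bot: Every entry has exactly one recipient, the `nixos@enterprise` SSH key bound to `ageKey`, so all thirteen ciphertexts can only be opened by the holder of that single private key; if it is lost or rotated they are unrecoverable from the repository, and re-keying needs the old private key present. Adding an operator key as a second recipient is cheap and keeps a recovery path, e.g. `adminKey = "<ADMIN_SSH_PUBLIC_KEY>";` in the `let` block (placeholder, constructed) and `"minio.age".publicKeys = [ ageKey adminKey ];` on each entry. This file deploys to bebop while the recipient is named for `enterprise` and the adjacent agenix.nix reads its identity from `/home/payas/.ssh/age`; presumably these are the same key pair, and a one-line comment above `ageKey` stating which private key it corresponds to would save the next reader that inference. The name `ageKey` is also slightly misleading for an ssh-ed25519 recipient; `hostKey` or `enterpriseKey` would read better.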
|
@ -1,7 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w ccKo6iVUtF/88bxSy1B8xnRYBUkbnbi/heOcS0zYEDY
|
||||
Rraz/mFj1fR95kJZRCSJ7SRAQUtgHjOZJi0VvzYGmvk
|
||||
-> ZwkrMG-grease <?G)_dY N !KANB*" -hB+Su(
|
||||
U5LEeJZOBtIWPWGBEQ
|
||||
--- yE1a37Lu918LVJumhD9gYvxWb/6OweXzYrOeoC+tnp8
|
||||
ã_×ñæ<C3B1>â¢6Ñép4äÕ·Æ‹Þ,«ïÆ}Zf‘?OZÞ£;Ä5§›dCÖ×_ÄkÂ"dcÓ@ÛC¹Ê±@Bž<42>B›lËižum)±P?¢Ç—²·yÍ0ð(!¢Ëô]â=3‰îæ!I‡{Cúö˜ªêž.kcÛ}»¾<C2BB>ò|í·hàá®
|
|
@ -1,8 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w 5OnF9DkSjroG96Q88oo04Q1EINi3wcN/vfyzKALrMww
|
||||
kBc2w/X+Od+ouik4AsH7YZlNoZGPfWGt1NXUip9yfwY
|
||||
-> g(-grease A
|
||||
zT177g
|
||||
--- JFz13LrERcGNmpmtjp9IK92FDyAUpxK00Kal7CsYyZ8
|
||||
ñþºÆÅn_1ÙH"ž›Q[2Àvh%ê¾E…AînÀԜͥIáÏE@Í¿s†,Ÿ4]\FÂ[”jöÈ`oÓ¼=}…~®g>•ÈPÎHÈÃ
|
||||
e>'¶FÚø÷ÿÞ™·C¹¯'@ðV;ŒÞš¸ÖÛSc$Љ@˜`/›E|Uà’aƒtì“
|
|
@ -1,7 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w xC37tag9WURP2fyg2vt/Tkvs+pkFOgBFU0HSwfQc6gc
|
||||
6f+DHMOjT9aIaLLn+ukes2/085qbvXJgZ8REat47EKg
|
||||
-> /1g%3-grease "qXX]O% QE<} 'Kp
|
||||
ukubmfrVBsEDG4LiEZFOoDlkxFPRwUarOdwWY10S
|
||||
--- S3VCXmTrn6hBiGhDZaTCUlcWixX/yqTis7s7v5zHFnE
|
||||
ü']¼p
y"`ob«\oÌN»&iƒÆçMh‚ÜvîÝ¡7^<5E>¬Ñ<C2AC>ã@™O’4#JÆ
|
|
@ -3,23 +3,7 @@ let
|
|||
in
|
||||
{
|
||||
"maildir_relekarpayas_onedrive.age".publicKeys = [ ageKey ];
|
||||
"syncthing_relekarpayas_googledrive.age".publicKeys = [ ageKey ];
|
||||
"syncthing_relekarpayas_onedrive.age".publicKeys = [ ageKey ];
|
||||
"org_relekarpayas_googledrive.age".publicKeys = [ ageKey ];
|
||||
"org_relekarpayas_onedrive.age".publicKeys = [ ageKey ];
|
||||
"mu4e_gmail.age".publicKeys = [ ageKey ];
|
||||
"enterprise-nix-cache-key-sec.age".publicKeys = [ ageKey ];
|
||||
"chatgpt_api_key.age".publicKeys = [ ageKey ];
|
||||
"minio.age".publicKeys = [ ageKey ];
|
||||
"minio_secret_key.age".publicKeys = [ ageKey ];
|
||||
"tunnel_bebop.json.age".publicKeys = [ ageKey ];
|
||||
"vaultwarden.age".publicKeys = [ ageKey ];
|
||||
"vaultwarden_smtp.age".publicKeys = [ ageKey ];
|
||||
"gandalf_mail.age".publicKeys = [ ageKey ];
|
||||
"nginx.age".publicKeys = [ ageKey ];
|
||||
"etebase.age".publicKeys = [ ageKey ];
|
||||
"photoprism.age".publicKeys = [ ageKey ];
|
||||
"kavita_token_key.age".publicKeys = [ ageKey ];
|
||||
"freshrss.age".publicKeys = [ ageKey ];
|
||||
"tiddlywiki.csv.age".publicKeys = [ ageKey ];
|
||||
}
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w O2oC8+mG4ddds/vWrEgoKcH/08Uf+Asb+5IMvHFaC04
|
||||
zTptkB7UdU0BGm2tOUTjllYHsv3tEkt+k61VgyCnnZw
|
||||
-> A$-grease 2MWD =a@~f
|
||||
h1ff7UE4JFUCf2hRMDEBnOrsvbEztceDSaMVTyzzzsf+D9TYLeA7Liv8zJuOu1PV
|
||||
pTCXhpWqO0Th9ol9fJc3eQ7MxuiGOSGm6H65HPIjgxWJNSLmNg
|
||||
--- vbumS83Qmuc1aOt0o7Rut1P5kSVix/AKL7SLJBKVD6A
|
||||
-›:VÅøhN¡Õëüû41þž¨N<ÃY´ãirò
|
||||
€uÏß<EFBFBD>Â'q#P—xJLd‰ë9v:4äŽ7rpÝ&º\<5C>CÒ]=ê
9uWÙÍ÷…r£¹ñÆkdÇ>+ç@·!ÍÞy@W“o$ñ<>þ|(žD¨4G0&ýÔÝ¡
|
|
@ -1,9 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w cC14jHh4xEnU4ytYVPvsHFItTP32ejCva6JIfyL7yCg
|
||||
OynqzGM3787awMhBuUuSq3+LNiw8BQbQzPDH3fx08aU
|
||||
-> 1}N-grease 63VK8 ' \ S=if
|
||||
ZACSbwxOec//qcHEPOWoc9lTTcf6eIK2g2Bw4xXjqYD5/F08jXx5By4REgLsvg7h
|
||||
jzGImN08q5msOunmJNlc5AV2lWvUVU7860sn/5ZLJQ5/F9G5Rl2fK7xs
|
||||
--- 8m6Tz3ExeYuw/IiMYJu3jGbTqhQNaKXNc7Y6BIDQuxc
|
||||
Fgî);ÐÍCd<43><64>Ó=gA/"´¥:ë-Ã
]ºº@XñgOÌ2j…Ÿ=«Ø7,ð”WäãŠ?påd´Dæßÿ_ÙëI†Ÿ<07>qVóóÝ®°‹‘nzù¢í‹œ—<C593>è!y[i’hC¨f³\Ãú@AL_©R+\ÅýNCK<43>?Q÷
|
||||
íã
|