From f638f8c597da792127e1f0d67a7bec75bd3140fa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 5 Nov 2023 18:56:11 +0100 Subject: [PATCH] chore: give all encrypted secrets the .age suffix --- hosts/droppie/configuration.nix | 2 +- hosts/pie/backup.nix | 4 +-- hosts/pie/ddclient.nix | 2 +- hosts/pie/firefly.nix | 33 ++++++++++++------ hosts/pie/invoiceplane.nix | 10 +++--- hosts/pie/paperless.nix | 6 ++-- .../graphical/sway/config/wayvnc/config.nix | 11 ------ secrets/{.fwknoprc => .fwknoprc.age} | Bin ...{b12f-env-secrets => b12f-env-secrets.age} | Bin secrets/{cat-test.ovpn => cat-test.ovpn.age} | Bin ...-ssh-root.key => droppie-ssh-root.key.age} | 0 secrets/{dyndns.key => dyndns.key.age} | 0 secrets/firefly-cron-secrets.env.age | 19 ++++++++++ ...secrets.env => firefly-db-secrets.env.age} | 0 ...s.env => firefly-importer-secrets.env.age} | Bin ...ly-secrets.env => firefly-secrets.env.age} | Bin ...ting.de-api.key => hosting.de-api.key.age} | Bin ...ts.env => invoiceplane-db-secrets.env.age} | 0 secrets/mopidy.conf | Bin 2753 -> 0 bytes .../{rclone-pie.conf => rclone-pie.conf.age} | Bin secrets/secrets.nix | 28 +++++++-------- ...ebar.pem => vnc-cert-chocolatebar.pem.age} | Bin ...tebar.pem => vnc-key-chocolatebar.pem.age} | Bin users/b12f/concepts-and-training.nix | 4 +-- users/b12f/default.nix | 2 +- 25 files changed, 69 insertions(+), 52 deletions(-) delete mode 100644 modules/graphical/sway/config/wayvnc/config.nix rename secrets/{.fwknoprc => .fwknoprc.age} (100%) rename secrets/{b12f-env-secrets => b12f-env-secrets.age} (100%) rename secrets/{cat-test.ovpn => cat-test.ovpn.age} (100%) rename secrets/{droppie-ssh-root.key => droppie-ssh-root.key.age} (100%) rename secrets/{dyndns.key => dyndns.key.age} (100%) create mode 100644 secrets/firefly-cron-secrets.env.age rename secrets/{firefly-db-secrets.env => firefly-db-secrets.env.age} (100%) rename secrets/{firefly-importer-secrets.env => firefly-importer-secrets.env.age} (100%) rename secrets/{firefly-secrets.env => firefly-secrets.env.age} (100%) 
rename secrets/{hosting.de-api.key => hosting.de-api.key.age} (100%) rename secrets/{invoiceplane-db-secrets.env => invoiceplane-db-secrets.env.age} (100%) delete mode 100644 secrets/mopidy.conf rename secrets/{rclone-pie.conf => rclone-pie.conf.age} (100%) rename secrets/{vnc-cert-chocolatebar.pem => vnc-cert-chocolatebar.pem.age} (100%) rename secrets/{vnc-key-chocolatebar.pem => vnc-key-chocolatebar.pem.age} (100%) diff --git a/hosts/droppie/configuration.nix b/hosts/droppie/configuration.nix index 20ba04d..703ba39 100644 --- a/hosts/droppie/configuration.nix +++ b/hosts/droppie/configuration.nix @@ -27,7 +27,7 @@ in { # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie age.secrets."droppie-ssh-root.key" = { - file = "${flake.self}/secrets/droppie-ssh-root.key"; + file = "${flake.self}/secrets/droppie-ssh-root.key.age"; path = "/home/${psCfg.user.name}/.ssh/id_ed25519"; mode = "400"; owner = psCfg.user.name; diff --git a/hosts/pie/backup.nix b/hosts/pie/backup.nix index a02d6ab..cc600e6 100644 --- a/hosts/pie/backup.nix +++ b/hosts/pie/backup.nix @@ -9,12 +9,12 @@ xdg = config.home-manager.users."${psCfg.user.name}".xdg; in { age.secrets."rclone-pie.conf" = { - file = "${flake.self}/secrets/rclone-pie.conf"; + file = "${flake.self}/secrets/rclone-pie.conf.age"; path = "/root/.config/rclone/rclone.conf"; mode = "600"; }; - age.secrets."restic-password.age" = { + age.secrets."restic-password" = { file = "${flake.self}/secrets/restic-password.age"; mode = "600"; }; diff --git a/hosts/pie/ddclient.nix b/hosts/pie/ddclient.nix index 100b572..60f3146 100644 --- a/hosts/pie/ddclient.nix +++ b/hosts/pie/ddclient.nix @@ -37,7 +37,7 @@ in { }; age.secrets."dyndns.key" = { - file = "${flake.self}/secrets/dyndns.key"; + file = "${flake.self}/secrets/dyndns.key.age"; mode = "400"; owner = "root"; }; diff --git a/hosts/pie/firefly.nix b/hosts/pie/firefly.nix index 0500dcd..9f9af64 100644 --- a/hosts/pie/firefly.nix 
+++ b/hosts/pie/firefly.nix @@ -10,17 +10,22 @@ backupDir = "/var/lib/firefly/backup"; in { age.secrets."firefly-secrets.env" = { - file = "${flake.self}/secrets/firefly-secrets.env"; + file = "${flake.self}/secrets/firefly-secrets.env.age"; mode = "600"; }; age.secrets."firefly-db-secrets.env" = { - file = "${flake.self}/secrets/firefly-db-secrets.env"; + file = "${flake.self}/secrets/firefly-db-secrets.env.age"; mode = "600"; }; age.secrets."firefly-importer-secrets.env" = { - file = "${flake.self}/secrets/firefly-importer-secrets.env"; + file = "${flake.self}/secrets/firefly-importer-secrets.env.age"; + mode = "600"; + }; + + age.secrets."firefly-cron-secrets.env" = { + file = "${flake.self}/secrets/firefly-cron-secrets.env.age"; mode = "600"; }; @@ -61,6 +66,7 @@ in { environmentFiles = [ ./.env.firefly config.age.secrets."firefly-secrets.env".path + config.age.secrets."firefly-cron-secrets.env".path ]; ports = [ "127.0.0.1:8080:8080" ]; dependsOn = [ "firefly-db" ]; @@ -93,12 +99,19 @@ in { dependsOn = [ "firefly" ]; }; - # containers."cron" = { - # image = "alpine"; - # autoStart = true; - # command = ''sh -c "echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/REPLACEME\" | crontab - && crond -f -L /dev/stdout"''; - # extraOptions = [ "--network=firefly" ]; - # }; + containers."firefly-cron" = { + image = "alpine"; + autoStart = true; + cmd = [ + "sh" + "-c" + "echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/$STATIC_CRON_TOKEN\" | crontab - && crond -f -L /dev/stdout" + ]; + environmentFiles = [ + config.age.secrets."firefly-cron-secrets.env".path + ]; + extraOptions = [ "--network=firefly" ]; + }; }; }; 
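Review bot: The new `containers."firefly-cron"` block in the third firefly.nix hunk pulls `image = "alpine"` with no tag or digest, so whatever the registry serves at pull time runs with the cron token in its environment; pinning it, e.g. `image = "alpine:<pinned-version>";` (placeholder), makes the container reproducible. The `sh -c` line also expands `$STATIC_CRON_TOKEN` once at start-up and writes the full URL into the crontab, and because `crond -f -L /dev/stdout` sends the cron log to the container's stdout, the token will probably end up in the container log each time the job runs. That is worth checking and, if confirmed, fixing by lowering the cron log level or keeping the token out of the crontab entry. A short comment above `environmentFiles`, such as `# STATIC_CRON_TOKEN must match the value the firefly container reads from the same env file`, would document the coupling with the hunk before it.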
@@ -113,7 +126,7 @@ in { "/var/lib/firefly/upload" ]; initialize = true; - passwordFile = config.age.secrets."restic-password.age".path; + passwordFile = config.age.secrets."restic-password".path; # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ repository = "rclone:cloud.pub.solar:/backups/FireflyIII"; backupPrepareCommand = '' diff --git a/hosts/pie/invoiceplane.nix b/hosts/pie/invoiceplane.nix index 9b8a23b..4755df6 100644 --- a/hosts/pie/invoiceplane.nix +++ b/hosts/pie/invoiceplane.nix @@ -9,14 +9,14 @@ xdg = config.home-manager.users."${psCfg.user.name}".xdg; backupDir = "/var/lib/invoiceplane/backup"; in { - age.secrets."invoiceplane-db-password.age" = { + age.secrets."invoiceplane-db-password" = { file = "${flake.self}/secrets/invoiceplane-db-password.age"; mode = "600"; owner = "invoiceplane"; }; age.secrets."invoiceplane-db-secrets.env" = { - file = "${flake.self}/secrets/invoiceplane-db-secrets.env"; + file = "${flake.self}/secrets/invoiceplane-db-secrets.env.age"; mode = "600"; }; @@ -26,7 +26,7 @@ in { database = { user = "invoiceplane"; name = "invoiceplane"; - passwordFile = config.age.secrets."invoiceplane-db-password.age".path; + passwordFile = config.age.secrets."invoiceplane-db-password".path; host = "127.0.0.1"; port = 3306; createLocally = false; 
@@ -74,11 +74,11 @@ in { "/var/lib/invoiceplane/invoicing.b12f.io" ]; initialize = true; - passwordFile = config.age.secrets."restic-password.age".path; + passwordFile = config.age.secrets."restic-password".path; # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ repository = "rclone:cloud.pub.solar:/backups/InvoicePlane"; backupPrepareCommand = '' - PW=$(cat ${config.age.secrets."invoiceplane-db-password.age".path}) + PW=$(cat ${config.age.secrets."invoiceplane-db-password".path}) ${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql" ''; rcloneConfigFile = config.age.secrets."rclone-pie.conf".path; diff --git a/hosts/pie/paperless.nix b/hosts/pie/paperless.nix index 320c419..60bb61e 100644 --- a/hosts/pie/paperless.nix +++ b/hosts/pie/paperless.nix @@ -62,12 +62,12 @@ in { ]; age.secrets."rclone-pie.conf" = { - file = "${flake.self}/secrets/rclone-pie.conf"; + file = "${flake.self}/secrets/rclone-pie.conf.age"; path = "/root/.config/rclone/rclone.conf"; mode = "600"; }; - age.secrets."restic-password.age" = { + age.secrets."restic-password" = { file = "${flake.self}/secrets/restic-password.age"; mode = "600"; }; @@ -76,7 +76,7 @@ in { paperless = { paths = [ backupDir ]; initialize = true; - passwordFile = config.age.secrets."restic-password.age".path; + passwordFile = config.age.secrets."restic-password".path; # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ repository = "rclone:cloud.pub.solar:/backups/Paperless"; backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p"; diff --git a/modules/graphical/sway/config/wayvnc/config.nix b/modules/graphical/sway/config/wayvnc/config.nix deleted file mode 100644 index 23a885d..0000000 --- a/modules/graphical/sway/config/wayvnc/config.nix +++ /dev/null 
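Review bot: In the invoiceplane restic hunk, `backupPrepareCommand` still passes the database password as `--password=$PW` on the `docker exec … mariadb-dump` command line, where it is readable in the process list for the duration of the dump, and the unquoted `$PW` breaks on passwords containing whitespace or glob characters. Passing it through the environment should keep it off argv: `export MYSQL_PWD="$(cat ${config.age.secrets."invoiceplane-db-password".path})"` followed by `docker exec -e MYSQL_PWD invoiceplane-db mariadb-dump --all-databases --user=invoiceplane > …`. The `-t` flag is also best dropped, since an allocated TTY can alter line endings in redirected output, and the dump is written to `postgres.sql` although it comes from MariaDB. The enclosing restic backup attribute set starts and ends outside the hunk.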
@@ -1,11 +0,0 @@ -{ - psCfg, - pkgs, -}: " -address=0.0.0.0 -enable_auth=true -username=${psCfg.user.name} -password=testtest -private_key_file=/run/agenix/vnc-key.pem -certificate_file=/run/agenix/vnc-cert.pem -" diff --git a/secrets/.fwknoprc b/secrets/.fwknoprc.age similarity index 100% rename from secrets/.fwknoprc rename to secrets/.fwknoprc.age diff --git a/secrets/b12f-env-secrets b/secrets/b12f-env-secrets.age similarity index 100% rename from secrets/b12f-env-secrets rename to secrets/b12f-env-secrets.age diff --git a/secrets/cat-test.ovpn b/secrets/cat-test.ovpn.age similarity index 100% rename from secrets/cat-test.ovpn rename to secrets/cat-test.ovpn.age diff --git a/secrets/droppie-ssh-root.key b/secrets/droppie-ssh-root.key.age similarity index 100% rename from secrets/droppie-ssh-root.key rename to secrets/droppie-ssh-root.key.age diff --git a/secrets/dyndns.key b/secrets/dyndns.key.age similarity index 100% rename from secrets/dyndns.key rename to secrets/dyndns.key.age diff --git a/secrets/firefly-cron-secrets.env.age b/secrets/firefly-cron-secrets.env.age new file mode 100644 index 0000000..851a4d6 --- /dev/null +++ b/secrets/firefly-cron-secrets.env.age 
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-ed25519 8bHz7g gXgsQ6NkoJOl/wCYabj/qGDDA0YMzH8Zrt6GDCztHUc +1NdpzPbw1TVr37OfZtqRN+PQkID7+T5QKBzE44k0oOs +-> ssh-rsa kFDS0A +XW10XZsiDkvaWMLi4G5ZXQRN9iyAJjY9C11H5FadmEalm5KVfXBznEB4B21riU0E +RlRM8tBSJWSMztUIEElt+X4C7W4NMn67ZhxnP8Aeqkfx8u88YRGdw0cHW12I81nv +FRd3TOpcNAGDMEzX6o+SfvQyFiATmz2AQ5X3prURsQAB8v78rVZ9cF+AY02ceO0y +1ZN2EQs2hL+SOdgmW4qCsVp8Q+/92T11DdlE4qvWe8dl1GMYsbpJTjhJl1nsvQBh +obYMHgUiY2edrsStgK3ihi+Et3ibtUib5XYrPw6VzphO4P6afrmlUBzPUN9p9fYE +ySlG6rTkp4jDj1zcmtiAiKpQD2SwZ/dJCZL6b1sWsHzOktYa16aNB2OLsWtOlSYm +GknAFi814HA4QrbWfWOgZlfCerZHBZnWh8gC6M86x7DR9VDN5tF+HQCWM/IhwgKj +j055t9PK4POhZzrD0ZjbRJZwmGtIq8/S6bsgIyGAAhH3Ie76zL4e0e9gI99YwMXn +EftgbTOYQ8zBSoASxMPl3PYCtg8Q7bTqcDuLzVQ3JhIq8K6p7T+797mRw2uNSisi +vUiLnxvOxT2dyAeaDaRUEsPnxx33SHoTTuoZHz8gdSGU1Y+tDeOps/QprVfy+0mG +V2PWGjci30iN3NpZbv/EuOMMjwwl0iFzji8N50plfuo +-> o#R-grease .V $]$5c3( JcnS v@X +xrpywd9RbU3pbX+ZNUmp8+FASc8RQjaewO9pnQNaCZc4hujhllw +--- JcL1P3WGCeePUgXoEdtlaTakrSkh7zs2zRM8G9f1bUY +Zms{+T} r#R[UKGcq&k.+Vd^~8b4z:f` \ No newline at end of file diff --git a/secrets/firefly-db-secrets.env b/secrets/firefly-db-secrets.env.age similarity index 100% rename from secrets/firefly-db-secrets.env rename to secrets/firefly-db-secrets.env.age diff --git a/secrets/firefly-importer-secrets.env b/secrets/firefly-importer-secrets.env.age similarity index 100% rename from secrets/firefly-importer-secrets.env rename to secrets/firefly-importer-secrets.env.age diff --git a/secrets/firefly-secrets.env b/secrets/firefly-secrets.env.age similarity index 100% rename from secrets/firefly-secrets.env rename to secrets/firefly-secrets.env.age diff --git a/secrets/hosting.de-api.key b/secrets/hosting.de-api.key.age similarity index 100% rename from secrets/hosting.de-api.key rename to secrets/hosting.de-api.key.age 
diff --git a/secrets/invoiceplane-db-secrets.env b/secrets/invoiceplane-db-secrets.env.age
similarity index 100%
rename from secrets/invoiceplane-db-secrets.env
rename to secrets/invoiceplane-db-secrets.env.age
diff --git a/secrets/mopidy.conf b/secrets/mopidy.conf deleted file mode 100644 index ddb16289ecbc0c901c8b7c4cdb49565cbe3a6a35..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2753 zcmYk6{qNia9mfrZ2sJ#Y8wwaQaN=f}*IutrG8XT8ZLinIYp>Vqp+c{Z*N5xf_1e1@ zTtIL#qEb%XRzd!lBUT@2H zceqn~QO=f=bo#Ay;nxZn*s*I%mIXUpr;eg9xus571n+O*CnhsYRyrOf*_ukavezr_Ck@Oz zp0>!WEp^}T8Y`f~5;!I-%h5QX9JDE6olZN;&4Fm{|{`h+H~cjdO9YKItw| zoMyp(O;a+S0fB{3q{~s8>hNurl^kB8bwp$8J$lhtj7vzL>l87pt++13L7l)b9Hve5 zN|-a4p=BY_0N}`B2?`x1U&0Fn=G+ROiHO$Eq*|emLu}rqIj@2zt+?J#bFsnI<`K2h znX*dFn$r(MKsMHTt2r-KE$(FPG-umVS201G$%dR8Be<3%HPX$OVVLlJjm*2UW3OZr zM(5*H?1&0b%lnoVcMT9hv%#DLd7F@IHw?(cAfa-}peZG*avwx%nukCb=BW_nVQH~m zfi8*-bYKm3sg6vQ^HQ)ZdeDJm4;_hcD7N5?@Z_-RS2Dbsng%j$z+lSEgnmgZshI)t zT@o`AAOuN1=EvQIg2=j%#2wKQeRd5O6+g$u6K0*DGSOZLu0%xZ*`gf#d4U#+2etWT zgpCb=QQe}?lCOK_6(^hAUL!_TgwN%VIF`$+ z^no4Noo)pMyj+v1KFpN$*i&$@F&uPzL~Ow@*~yNleF`GsSd+02=%XT=l~@(es#XxI zw&$-V#2W7t1ARzg_=qr|5kE_`yuqn?UYEqgFv$gE)6BrZdngW=D-Gmfo*VYO%vcSn z(w6kN9c212^j4|NEo6DTo+1TV$5?CHj8%R!A zv_||maO-Ysl(%%tuT?q2k@Y13Bdc{apCJ8UfYdp`Zm7UImqc+Ecbs0y83Qj6{8@vA zaK6;YiMncueNCeCr0g5SOt;fThnmcKETxSE0Wyl-0s_32nCNgM&IU$fmKa2z^G73w zZ#os6wK930+H(h;kmYdEv1#9)bcI;mu+*Z48*(SA0u-KCqo`y)6*4(h)zVnFJfTJ; zA9@knB#}H4=L8lsnsn~iy=9#xtZ1$DbjfG1$eQwiz!{zP7%oPxoy;X6CI$m5XmnhJ z&KcPCF^ELk@;Z|vNQByE6pUNrl1goc!fOtn>Qf*Zt|_%PH0fM%7iGJw#x2rQS5Twi zcrVHo*yLwQj60Fm>BlWwhXql9x~1&ONSBO26lgW+rd68-qq;*j`DsNPVl6O5sT^p; zEXoSgOOZlWvhhs+e~u%jtwBw|2BnbomVqvKbE7CKk7A~CL+hhd2VOBYrX))=8BH=S z^1PhvV)LZJSa%R4A>S{%nG1}0WU*0)QVpho2inZi%XrqzPVOmnBfzag|1Cpx8C?L96J6%q(Y%xIFXwx_AQ^Ij39coROO|@;w7_Zh8 zK^aVDRi1!4Jd}e);Zj)))IBA|blS_<5|7Z@h{MxnigPTba9NPDYn*3WEuLl2CLC1_ zQ_l)jUss^Q^#`D5*#!Wntj8uBno8<&NuqOF9{3#<2Vr*7?RFz`(8JmY*I2o1zc%C= z#R78Gw$V@_wKk~-g$1nYvxQM5O24jP-jsEx8!ZSytE`b&3EH&Ob*cwx@+j@%j?B(G ztUrYtI86n-JL=)%5m3b-i$Fy!bYYt=mujVNe8qu!Ed%RL?XCb>UQy~3X_9kQX)#b} z^?Fh@l`JlR3@VfW!!>j&VRVR4Nl2Akykq5cvfb<#u0*qqx#bPlDPJ=cBAs?t6)BDF 
zJl;4e+;9@50vu@gp%I|+yj_lh$XB(xUtf7B%HT*|U+06i-?Rw~QQV}N(U@ChrdLQ) za$$~^Y{9cN0w}$HgP#zS$uL#t-ncVWMwa6C>1CV2hmr4;wNaSaMTsH=Ux|%anXOv5 z)WcWvC2t8}9S~e`#LXE(@z6og!uu6T^=csQu7*D8prW_t+#FGoWXy`6a(q!8VR!fo z*VXW!v&^;g}r1`PsO&ncM$|H?>E; zxW40U=fuffmtOnQ^@p!0KOgV^{VRKZxJP{{`uH*Drv6`#y!Fn7FJHOui7Sp2@qHh> zw}rpv%FDL2Z$5-Sc=dr3pZmsx_noy3Y5(K;Z$=N?_SP%AejW?k^Mm~l#<#rpo5Oz^ zZ##1HS>(M((U*Vp=*}aTKV-f=*#G*rbMD!l-1$lEjvt%5Uu#zT9(m)*=hx5u>&f)S z_dncs_6^5=_1kB|bDKAvJUHXj2mZ^APrv8-H>KabQ~%r>uV+6=>rU44A`>sQ_S!U^}AZ=SzDA^yGd)??eZ{pbAV-u+vj{PMP^4n99Q zhE1RF+`%~|+8<^)_`@x<= z%8t8_UG{}PA9z-Np}TMEANRsHK7QKX`E6$(`-G}rSABKUN5AwhNAA)OZ8}7K?Xtdg Od-URWuHMbQxcVOo@zIC? diff --git a/secrets/rclone-pie.conf b/secrets/rclone-pie.conf.age similarity index 100% rename from secrets/rclone-pie.conf rename to secrets/rclone-pie.conf.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e1f9529..ee0d18a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -41,27 +41,23 @@ let frikandel-host ]; in { - "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys; - "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys; + "dyndns.key.age".publicKeys = pieKeys ++ baseKeys; + "hosting.de-api.key.age".publicKeys = baseKeys; - "dyndns.key".publicKeys = pieKeys ++ baseKeys; - "hosting.de-api.key".publicKeys = baseKeys; + "droppie-ssh-root.key.age".publicKeys = droppieKeys ++ baseKeys; - "droppie-ssh-root.key".publicKeys = droppieKeys ++ baseKeys; + "b12f-env-secrets.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; - "mopidy.conf".publicKeys = chocolatebarKeys ++ biolimoKeys ++ baseKeys; + ".fwknoprc.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; - "b12f-env-secrets".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; + "cat-test.ovpn.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; - ".fwknoprc".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; + "firefly-secrets.env.age".publicKeys = pieKeys ++ baseKeys; + "firefly-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys; + "firefly-importer-secrets.env.age".publicKeys = pieKeys ++ baseKeys; + "firefly-cron-secrets.env.age".publicKeys = pieKeys ++ baseKeys; - "cat-test.ovpn".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; - - "firefly-secrets.env".publicKeys = pieKeys ++ baseKeys; - "firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys; - "firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys; - - "rclone-pie.conf".publicKeys = pieKeys ++ baseKeys; + "rclone-pie.conf.age".publicKeys = pieKeys ++ baseKeys; "restic-password.age".publicKeys = pieKeys ++ baseKeys; "wg-private-chocolatebar.age".publicKeys = chocolatebarKeys ++ baseKeys; 
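Review bot: This hunk removes the `"vnc-cert-chocolatebar.pem"` and `"vnc-key-chocolatebar.pem"` rules without adding `.age` counterparts, while the commit's rename list keeps both files as `secrets/vnc-cert-chocolatebar.pem.age` and `secrets/vnc-key-chocolatebar.pem.age`. With no entry in secrets.nix, agenix has no recipient list for them, so they would presumably be skipped on rekey and stay decryptable by whatever keys they were last encrypted to, including keys later rotated out. Either add `"vnc-cert-chocolatebar.pem.age".publicKeys = chocolatebarKeys ++ baseKeys;` and `"vnc-key-chocolatebar.pem.age".publicKeys = chocolatebarKeys ++ baseKeys;`, or delete the two files as was done for `mopidy.conf`. The attribute set continues in the next hunk.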
@@ -71,5 +67,5 @@ in { "wg-private-frikandel-server.age".publicKeys = frikandelKeys ++ baseKeys; "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys; - "invoiceplane-db-secrets.env".publicKeys = pieKeys ++ baseKeys; + "invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys; } diff --git a/secrets/vnc-cert-chocolatebar.pem b/secrets/vnc-cert-chocolatebar.pem.age similarity index 100% rename from secrets/vnc-cert-chocolatebar.pem rename to secrets/vnc-cert-chocolatebar.pem.age diff --git a/secrets/vnc-key-chocolatebar.pem b/secrets/vnc-key-chocolatebar.pem.age similarity index 100% rename from secrets/vnc-key-chocolatebar.pem rename to secrets/vnc-key-chocolatebar.pem.age diff --git a/users/b12f/concepts-and-training.nix b/users/b12f/concepts-and-training.nix index 2cb9abd..f0e245a 100644 --- a/users/b12f/concepts-and-training.nix +++ b/users/b12f/concepts-and-training.nix @@ -10,13 +10,13 @@ with lib; let xdg = config.home-manager.users."${psCfg.user.name}".xdg; in { age.secrets."cat-test.ovpn" = { - file = "${flake.self}/secrets/cat-test.ovpn"; + file = "${flake.self}/secrets/cat-test.ovpn.age"; mode = "700"; owner = psCfg.user.name; }; age.secrets.".fwknoprc" = { - file = "${flake.self}/secrets/.fwknoprc"; + file = "${flake.self}/secrets/.fwknoprc.age"; mode = "600"; }; diff --git a/users/b12f/default.nix b/users/b12f/default.nix index bbd0a59..9980a83 100644 --- a/users/b12f/default.nix +++ b/users/b12f/default.nix @@ -14,7 +14,7 @@ in { config = { age.secrets.b12f-env-secrets = { - file = "${flake.self}/secrets/b12f-env-secrets"; + file = "${flake.self}/secrets/b12f-env-secrets.age"; mode = "400"; owner = psCfg.user.name; };
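Review bot: In the concepts-and-training.nix hunk, `age.secrets."cat-test.ovpn"` is deployed with `mode = "700"`, which sets the execute bit on a VPN profile that only needs to be read. `mode = "400";` (or `"600"`, as used for `.fwknoprc` just below it) would match the other secrets touched by this commit. The enclosing `in { … }` block continues past the hunk.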