chore: give all encrypted secrets the .age suffix

This commit is contained in:
Benjamin Bädorf 2023-11-05 18:56:11 +01:00
parent 8662a3e311
commit f638f8c597
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
25 changed files with 69 additions and 52 deletions


@ -27,7 +27,7 @@ in {
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
age.secrets."droppie-ssh-root.key" = { age.secrets."droppie-ssh-root.key" = {
file = "${flake.self}/secrets/droppie-ssh-root.key"; file = "${flake.self}/secrets/droppie-ssh-root.key.age";
path = "/home/${psCfg.user.name}/.ssh/id_ed25519"; path = "/home/${psCfg.user.name}/.ssh/id_ed25519";
mode = "400"; mode = "400";
owner = psCfg.user.name; owner = psCfg.user.name;


@ -9,12 +9,12 @@
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in { in {
age.secrets."rclone-pie.conf" = { age.secrets."rclone-pie.conf" = {
file = "${flake.self}/secrets/rclone-pie.conf"; file = "${flake.self}/secrets/rclone-pie.conf.age";
path = "/root/.config/rclone/rclone.conf"; path = "/root/.config/rclone/rclone.conf";
mode = "600"; mode = "600";
}; };
age.secrets."restic-password.age" = { age.secrets."restic-password" = {
file = "${flake.self}/secrets/restic-password.age"; file = "${flake.self}/secrets/restic-password.age";
mode = "600"; mode = "600";
}; };


@ -37,7 +37,7 @@ in {
}; };
age.secrets."dyndns.key" = { age.secrets."dyndns.key" = {
file = "${flake.self}/secrets/dyndns.key"; file = "${flake.self}/secrets/dyndns.key.age";
mode = "400"; mode = "400";
owner = "root"; owner = "root";
}; };


@ -10,17 +10,22 @@
backupDir = "/var/lib/firefly/backup"; backupDir = "/var/lib/firefly/backup";
in { in {
age.secrets."firefly-secrets.env" = { age.secrets."firefly-secrets.env" = {
file = "${flake.self}/secrets/firefly-secrets.env"; file = "${flake.self}/secrets/firefly-secrets.env.age";
mode = "600"; mode = "600";
}; };
age.secrets."firefly-db-secrets.env" = { age.secrets."firefly-db-secrets.env" = {
file = "${flake.self}/secrets/firefly-db-secrets.env"; file = "${flake.self}/secrets/firefly-db-secrets.env.age";
mode = "600"; mode = "600";
}; };
age.secrets."firefly-importer-secrets.env" = { age.secrets."firefly-importer-secrets.env" = {
file = "${flake.self}/secrets/firefly-importer-secrets.env"; file = "${flake.self}/secrets/firefly-importer-secrets.env.age";
mode = "600";
};
age.secrets."firefly-cron-secrets.env" = {
file = "${flake.self}/secrets/firefly-cron-secrets.env.age";
mode = "600"; mode = "600";
}; };
@ -61,6 +66,7 @@ in {
environmentFiles = [ environmentFiles = [
./.env.firefly ./.env.firefly
config.age.secrets."firefly-secrets.env".path config.age.secrets."firefly-secrets.env".path
config.age.secrets."firefly-cron-secrets.env".path
]; ];
ports = [ "127.0.0.1:8080:8080" ]; ports = [ "127.0.0.1:8080:8080" ];
dependsOn = [ "firefly-db" ]; dependsOn = [ "firefly-db" ];
@ -93,12 +99,19 @@ in {
dependsOn = [ "firefly" ]; dependsOn = [ "firefly" ];
}; };
# containers."cron" = { containers."firefly-cron" = {
# image = "alpine"; image = "alpine";
# autoStart = true; autoStart = true;
# command = ''sh -c "echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/REPLACEME\" | crontab - && crond -f -L /dev/stdout"''; cmd = [
# extraOptions = [ "--network=firefly" ]; "sh"
# }; "-c"
"echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/$STATIC_CRON_TOKEN\" | crontab - && crond -f -L /dev/stdout"
];
environmentFiles = [
config.age.secrets."firefly-cron-secrets.env".path
];
extraOptions = [ "--network=firefly" ];
};
}; };
}; };
@ -113,7 +126,7 @@ in {
"/var/lib/firefly/upload" "/var/lib/firefly/upload"
]; ];
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-password.age".path; passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/FireflyIII"; repository = "rclone:cloud.pub.solar:/backups/FireflyIII";
backupPrepareCommand = '' backupPrepareCommand = ''
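Review bot: The new `firefly-cron` container that replaces the commented-out block declares no `dependsOn`, unlike `firefly-importer` directly above it (`dependsOn = [ "firefly" ];`), so crond may be started before the `firefly` container is up on the shared `firefly` network; the job only fires at 03:00, so this is mostly a consistency point, but adding `dependsOn = [ "firefly" ];` next to `extraOptions` keeps the three containers parallel. The same `firefly-cron-secrets.env` secret is added to both the `firefly` container's `environmentFiles` in the earlier hunk and to the cron container here, and `sh -c` expands `$STATIC_CRON_TOKEN` into the crontab line and into wget's argv inside the cron container, so the token is readable by anything that can inspect that container's process list or crontab — presumably acceptable for a single-purpose container, but worth stating. A short comment above `cmd`, e.g. `# STATIC_CRON_TOKEN comes from firefly-cron-secrets.env, which both containers load`, would make that coupling visible to the next maintainer.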


@ -9,14 +9,14 @@
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
backupDir = "/var/lib/invoiceplane/backup"; backupDir = "/var/lib/invoiceplane/backup";
in { in {
age.secrets."invoiceplane-db-password.age" = { age.secrets."invoiceplane-db-password" = {
file = "${flake.self}/secrets/invoiceplane-db-password.age"; file = "${flake.self}/secrets/invoiceplane-db-password.age";
mode = "600"; mode = "600";
owner = "invoiceplane"; owner = "invoiceplane";
}; };
age.secrets."invoiceplane-db-secrets.env" = { age.secrets."invoiceplane-db-secrets.env" = {
file = "${flake.self}/secrets/invoiceplane-db-secrets.env"; file = "${flake.self}/secrets/invoiceplane-db-secrets.env.age";
mode = "600"; mode = "600";
}; };
@ -26,7 +26,7 @@ in {
database = { database = {
user = "invoiceplane"; user = "invoiceplane";
name = "invoiceplane"; name = "invoiceplane";
passwordFile = config.age.secrets."invoiceplane-db-password.age".path; passwordFile = config.age.secrets."invoiceplane-db-password".path;
host = "127.0.0.1"; host = "127.0.0.1";
port = 3306; port = 3306;
createLocally = false; createLocally = false;
@ -74,11 +74,11 @@ in {
"/var/lib/invoiceplane/invoicing.b12f.io" "/var/lib/invoiceplane/invoicing.b12f.io"
]; ];
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-password.age".path; passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/InvoicePlane"; repository = "rclone:cloud.pub.solar:/backups/InvoicePlane";
backupPrepareCommand = '' backupPrepareCommand = ''
PW=$(cat ${config.age.secrets."invoiceplane-db-password.age".path}) PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})
${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql" ${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql"
''; '';
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path; rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
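Review bot: `backupPrepareCommand` still hands the database password to the dump on the command line (`--password=$PW`), so it is visible in the host's process list for the duration of `docker exec`; since this line is being edited for the secret rename anyway, it is a good moment to stop that. Exporting it and letting docker pass the variable through by name avoids putting the value in argv: `export MYSQL_PWD=$(cat ${config.age.secrets."invoiceplane-db-password".path})` followed by `${pkgs.docker-client}/bin/docker exec -e MYSQL_PWD -t invoiceplane-db mariadb-dump --all-databases --user=invoiceplane > "${backupDir}/postgres.sql"` — the bare `-e MYSQL_PWD` form forwards the host variable without spelling out its value, and MariaDB clients read `MYSQL_PWD` when no `--password` is given; confirm both against the docker and mariadb versions in use. The output name `postgres.sql` for a MariaDB dump is pre-existing but misleading and could be renamed in a follow-up.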


@ -62,12 +62,12 @@ in {
]; ];
age.secrets."rclone-pie.conf" = { age.secrets."rclone-pie.conf" = {
file = "${flake.self}/secrets/rclone-pie.conf"; file = "${flake.self}/secrets/rclone-pie.conf.age";
path = "/root/.config/rclone/rclone.conf"; path = "/root/.config/rclone/rclone.conf";
mode = "600"; mode = "600";
}; };
age.secrets."restic-password.age" = { age.secrets."restic-password" = {
file = "${flake.self}/secrets/restic-password.age"; file = "${flake.self}/secrets/restic-password.age";
mode = "600"; mode = "600";
}; };
@ -76,7 +76,7 @@ in {
paperless = { paperless = {
paths = [ backupDir ]; paths = [ backupDir ];
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-password.age".path; passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/Paperless"; repository = "rclone:cloud.pub.solar:/backups/Paperless";
backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p"; backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";


@ -1,11 +0,0 @@
{
psCfg,
pkgs,
}: "
address=0.0.0.0
enable_auth=true
username=${psCfg.user.name}
password=testtest
private_key_file=/run/agenix/vnc-key.pem
certificate_file=/run/agenix/vnc-cert.pem
"


@ -0,0 +1,19 @@
age-encryption.org/v1
-> ssh-ed25519 8bHz7g gXgsQ6NkoJOl/wCYabj/qGDDA0YMzH8Zrt6GDCztHUc
1NdpzPbw1TVr37OfZtqRN+PQkID7+T5QKBzE44k0oOs
-> ssh-rsa kFDS0A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-> o#R-grease .V $]$5c3( JcnS v@X
xrpywd9RbU3pbX+ZNUmp8+FASc8RQjaewO9pnQNaCZc4hujhllw
--- JcL1P3WGCeePUgXoEdtlaTakrSkh7zs2zRM8G9f1bUY
śZśŁmsÝ{+T}» Ţr™·É#ÍĘR[™ăU˘Kć‡ř“Gýc¸Ć q&k.+Vd€^~©Ž8¤Żb4±úz:f<><17>ä`Ď

Binary file not shown.


@ -41,27 +41,23 @@ let
frikandel-host frikandel-host
]; ];
in { in {
"vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys; "dyndns.key.age".publicKeys = pieKeys ++ baseKeys;
"vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys; "hosting.de-api.key.age".publicKeys = baseKeys;
"dyndns.key".publicKeys = pieKeys ++ baseKeys; "droppie-ssh-root.key.age".publicKeys = droppieKeys ++ baseKeys;
"hosting.de-api.key".publicKeys = baseKeys;
"droppie-ssh-root.key".publicKeys = droppieKeys ++ baseKeys; "b12f-env-secrets.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
"mopidy.conf".publicKeys = chocolatebarKeys ++ biolimoKeys ++ baseKeys; ".fwknoprc.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
"b12f-env-secrets".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; "cat-test.ovpn.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
".fwknoprc".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; "firefly-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
"firefly-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
"firefly-importer-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
"firefly-cron-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
"cat-test.ovpn".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys; "rclone-pie.conf.age".publicKeys = pieKeys ++ baseKeys;
"firefly-secrets.env".publicKeys = pieKeys ++ baseKeys;
"firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
"firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys;
"rclone-pie.conf".publicKeys = pieKeys ++ baseKeys;
"restic-password.age".publicKeys = pieKeys ++ baseKeys; "restic-password.age".publicKeys = pieKeys ++ baseKeys;
"wg-private-chocolatebar.age".publicKeys = chocolatebarKeys ++ baseKeys; "wg-private-chocolatebar.age".publicKeys = chocolatebarKeys ++ baseKeys;
@ -71,5 +67,5 @@ in {
"wg-private-frikandel-server.age".publicKeys = frikandelKeys ++ baseKeys; "wg-private-frikandel-server.age".publicKeys = frikandelKeys ++ baseKeys;
"invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys; "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
"invoiceplane-db-secrets.env".publicKeys = pieKeys ++ baseKeys; "invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
} }
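Review bot: Besides the `.age` rename, the first hunk of this recipients file drops the `vnc-cert-chocolatebar.pem`, `vnc-key-chocolatebar.pem` and `mopidy.conf` entries entirely rather than renaming them, which the commit title ("give all encrypted secrets the .age suffix") does not mention. If the corresponding encrypted files still exist under `secrets/`, they are no longer covered by any recipient list and will be skipped when secrets are rekeyed; if the removal is intentional (the VNC config generator is deleted elsewhere in this commit), it should be stated in the commit message or split into its own commit so the history explains why those recipients vanished. Whether a module still references `mopidy.conf` cannot be told from the visible diff.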


@ -10,13 +10,13 @@ with lib; let
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in { in {
age.secrets."cat-test.ovpn" = { age.secrets."cat-test.ovpn" = {
file = "${flake.self}/secrets/cat-test.ovpn"; file = "${flake.self}/secrets/cat-test.ovpn.age";
mode = "700"; mode = "700";
owner = psCfg.user.name; owner = psCfg.user.name;
}; };
age.secrets.".fwknoprc" = { age.secrets.".fwknoprc" = {
file = "${flake.self}/secrets/.fwknoprc"; file = "${flake.self}/secrets/.fwknoprc.age";
mode = "600"; mode = "600";
}; };


@ -14,7 +14,7 @@ in {
config = { config = {
age.secrets.b12f-env-secrets = { age.secrets.b12f-env-secrets = {
file = "${flake.self}/secrets/b12f-env-secrets"; file = "${flake.self}/secrets/b12f-env-secrets.age";
mode = "400"; mode = "400";
owner = psCfg.user.name; owner = psCfg.user.name;
}; };