chore: give all encrypted secrets the .age suffix
This commit is contained in:
parent
8662a3e311
commit
f638f8c597
|
@ -27,7 +27,7 @@ in {
|
|||
|
||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
|
||||
age.secrets."droppie-ssh-root.key" = {
|
||||
file = "${flake.self}/secrets/droppie-ssh-root.key";
|
||||
file = "${flake.self}/secrets/droppie-ssh-root.key.age";
|
||||
path = "/home/${psCfg.user.name}/.ssh/id_ed25519";
|
||||
mode = "400";
|
||||
owner = psCfg.user.name;
|
||||
|
|
|
@ -9,12 +9,12 @@
|
|||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in {
|
||||
age.secrets."rclone-pie.conf" = {
|
||||
file = "${flake.self}/secrets/rclone-pie.conf";
|
||||
file = "${flake.self}/secrets/rclone-pie.conf.age";
|
||||
path = "/root/.config/rclone/rclone.conf";
|
||||
mode = "600";
|
||||
};
|
||||
|
||||
age.secrets."restic-password.age" = {
|
||||
age.secrets."restic-password" = {
|
||||
file = "${flake.self}/secrets/restic-password.age";
|
||||
mode = "600";
|
||||
};
|
||||
|
|
|
@ -37,7 +37,7 @@ in {
|
|||
};
|
||||
|
||||
age.secrets."dyndns.key" = {
|
||||
file = "${flake.self}/secrets/dyndns.key";
|
||||
file = "${flake.self}/secrets/dyndns.key.age";
|
||||
mode = "400";
|
||||
owner = "root";
|
||||
};
|
||||
|
|
|
@ -10,17 +10,22 @@
|
|||
backupDir = "/var/lib/firefly/backup";
|
||||
in {
|
||||
age.secrets."firefly-secrets.env" = {
|
||||
file = "${flake.self}/secrets/firefly-secrets.env";
|
||||
file = "${flake.self}/secrets/firefly-secrets.env.age";
|
||||
mode = "600";
|
||||
};
|
||||
|
||||
age.secrets."firefly-db-secrets.env" = {
|
||||
file = "${flake.self}/secrets/firefly-db-secrets.env";
|
||||
file = "${flake.self}/secrets/firefly-db-secrets.env.age";
|
||||
mode = "600";
|
||||
};
|
||||
|
||||
age.secrets."firefly-importer-secrets.env" = {
|
||||
file = "${flake.self}/secrets/firefly-importer-secrets.env";
|
||||
file = "${flake.self}/secrets/firefly-importer-secrets.env.age";
|
||||
mode = "600";
|
||||
};
|
||||
|
||||
age.secrets."firefly-cron-secrets.env" = {
|
||||
file = "${flake.self}/secrets/firefly-cron-secrets.env.age";
|
||||
mode = "600";
|
||||
};
|
||||
|
||||
|
@ -61,6 +66,7 @@ in {
|
|||
environmentFiles = [
|
||||
./.env.firefly
|
||||
config.age.secrets."firefly-secrets.env".path
|
||||
config.age.secrets."firefly-cron-secrets.env".path
|
||||
];
|
||||
ports = [ "127.0.0.1:8080:8080" ];
|
||||
dependsOn = [ "firefly-db" ];
|
||||
|
@ -93,12 +99,19 @@ in {
|
|||
dependsOn = [ "firefly" ];
|
||||
};
|
||||
|
||||
# containers."cron" = {
|
||||
# image = "alpine";
|
||||
# autoStart = true;
|
||||
# command = ''sh -c "echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/REPLACEME\" | crontab - && crond -f -L /dev/stdout"'';
|
||||
# extraOptions = [ "--network=firefly" ];
|
||||
# };
|
||||
containers."firefly-cron" = {
|
||||
image = "alpine";
|
||||
autoStart = true;
|
||||
cmd = [
|
||||
"sh"
|
||||
"-c"
|
||||
"echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/$STATIC_CRON_TOKEN\" | crontab - && crond -f -L /dev/stdout"
|
||||
];
|
||||
environmentFiles = [
|
||||
config.age.secrets."firefly-cron-secrets.env".path
|
||||
];
|
||||
extraOptions = [ "--network=firefly" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -113,7 +126,7 @@ in {
|
|||
"/var/lib/firefly/upload"
|
||||
];
|
||||
initialize = true;
|
||||
passwordFile = config.age.secrets."restic-password.age".path;
|
||||
passwordFile = config.age.secrets."restic-password".path;
|
||||
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
|
||||
repository = "rclone:cloud.pub.solar:/backups/FireflyIII";
|
||||
backupPrepareCommand = ''
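Review bot: The commented-out `containers."cron"` block with its `REPLACEME` placeholder is left in place directly above the new `containers."firefly-cron"` that replaces it; drop the dead block rather than keeping it as archaeology next to the live definition. In the new container, `crond -f -L /dev/stdout` will, if BusyBox crond logs executed commands at its default level, write the crontab line including the expanded `$STATIC_CRON_TOKEN` into the container log, which is then collected by the journal; worth confirming, and if so lowering the log level with `-l` or moving the wget call into a small script so the token is not part of the logged command text. The `backupPrepareCommand` string in the last hunk continues outside the section.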
|
||||
|
|
|
@ -9,14 +9,14 @@
|
|||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
backupDir = "/var/lib/invoiceplane/backup";
|
||||
in {
|
||||
age.secrets."invoiceplane-db-password.age" = {
|
||||
age.secrets."invoiceplane-db-password" = {
|
||||
file = "${flake.self}/secrets/invoiceplane-db-password.age";
|
||||
mode = "600";
|
||||
owner = "invoiceplane";
|
||||
};
|
||||
|
||||
age.secrets."invoiceplane-db-secrets.env" = {
|
||||
file = "${flake.self}/secrets/invoiceplane-db-secrets.env";
|
||||
file = "${flake.self}/secrets/invoiceplane-db-secrets.env.age";
|
||||
mode = "600";
|
||||
};
|
||||
|
||||
|
@ -26,7 +26,7 @@ in {
|
|||
database = {
|
||||
user = "invoiceplane";
|
||||
name = "invoiceplane";
|
||||
passwordFile = config.age.secrets."invoiceplane-db-password.age".path;
|
||||
passwordFile = config.age.secrets."invoiceplane-db-password".path;
|
||||
host = "127.0.0.1";
|
||||
port = 3306;
|
||||
createLocally = false;
|
||||
|
@ -74,11 +74,11 @@ in {
|
|||
"/var/lib/invoiceplane/invoicing.b12f.io"
|
||||
];
|
||||
initialize = true;
|
||||
passwordFile = config.age.secrets."restic-password.age".path;
|
||||
passwordFile = config.age.secrets."restic-password".path;
|
||||
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
|
||||
repository = "rclone:cloud.pub.solar:/backups/InvoicePlane";
|
||||
backupPrepareCommand = ''
|
||||
PW=$(cat ${config.age.secrets."invoiceplane-db-password.age".path})
|
||||
PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})
|
||||
${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql"
|
||||
'';
|
||||
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
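Review bot: In `backupPrepareCommand`, the database password read on the renamed line `PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})` is then passed as `--password=$PW` on the `docker exec` command line, where it is visible in the process list on the host and inside the container for the duration of the dump. Pass it through the environment instead, e.g. `${pkgs.docker-client}/bin/docker exec -t -e MYSQL_PWD="$PW" invoiceplane-db mariadb-dump --all-databases --user=invoiceplane > "${backupDir}/postgres.sql"`, and quote `$PW` wherever it remains. The MariaDB dump is also written to a file named `postgres.sql`, which is misleading; `mariadb.sql` would describe it. The enclosing restic backup definition starts outside the hunk.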
|
||||
|
|
|
@ -62,12 +62,12 @@ in {
|
|||
];
|
||||
|
||||
age.secrets."rclone-pie.conf" = {
|
||||
file = "${flake.self}/secrets/rclone-pie.conf";
|
||||
file = "${flake.self}/secrets/rclone-pie.conf.age";
|
||||
path = "/root/.config/rclone/rclone.conf";
|
||||
mode = "600";
|
||||
};
|
||||
|
||||
age.secrets."restic-password.age" = {
|
||||
age.secrets."restic-password" = {
|
||||
file = "${flake.self}/secrets/restic-password.age";
|
||||
mode = "600";
|
||||
};
|
||||
|
@ -76,7 +76,7 @@ in {
|
|||
paperless = {
|
||||
paths = [ backupDir ];
|
||||
initialize = true;
|
||||
passwordFile = config.age.secrets."restic-password.age".path;
|
||||
passwordFile = config.age.secrets."restic-password".path;
|
||||
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
|
||||
repository = "rclone:cloud.pub.solar:/backups/Paperless";
|
||||
backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
psCfg,
|
||||
pkgs,
|
||||
}: "
|
||||
address=0.0.0.0
|
||||
enable_auth=true
|
||||
username=${psCfg.user.name}
|
||||
password=testtest
|
||||
private_key_file=/run/agenix/vnc-key.pem
|
||||
certificate_file=/run/agenix/vnc-cert.pem
|
||||
"
|
19
secrets/firefly-cron-secrets.env.age
Normal file
19
secrets/firefly-cron-secrets.env.age
Normal file
|
@ -0,0 +1,19 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 8bHz7g gXgsQ6NkoJOl/wCYabj/qGDDA0YMzH8Zrt6GDCztHUc
|
||||
1NdpzPbw1TVr37OfZtqRN+PQkID7+T5QKBzE44k0oOs
|
||||
-> ssh-rsa kFDS0A
|
||||
XW10XZsiDkvaWMLi4G5ZXQRN9iyAJjY9C11H5FadmEalm5KVfXBznEB4B21riU0E
|
||||
RlRM8tBSJWSMztUIEElt+X4C7W4NMn67ZhxnP8Aeqkfx8u88YRGdw0cHW12I81nv
|
||||
FRd3TOpcNAGDMEzX6o+SfvQyFiATmz2AQ5X3prURsQAB8v78rVZ9cF+AY02ceO0y
|
||||
1ZN2EQs2hL+SOdgmW4qCsVp8Q+/92T11DdlE4qvWe8dl1GMYsbpJTjhJl1nsvQBh
|
||||
obYMHgUiY2edrsStgK3ihi+Et3ibtUib5XYrPw6VzphO4P6afrmlUBzPUN9p9fYE
|
||||
ySlG6rTkp4jDj1zcmtiAiKpQD2SwZ/dJCZL6b1sWsHzOktYa16aNB2OLsWtOlSYm
|
||||
GknAFi814HA4QrbWfWOgZlfCerZHBZnWh8gC6M86x7DR9VDN5tF+HQCWM/IhwgKj
|
||||
j055t9PK4POhZzrD0ZjbRJZwmGtIq8/S6bsgIyGAAhH3Ie76zL4e0e9gI99YwMXn
|
||||
EftgbTOYQ8zBSoASxMPl3PYCtg8Q7bTqcDuLzVQ3JhIq8K6p7T+797mRw2uNSisi
|
||||
vUiLnxvOxT2dyAeaDaRUEsPnxx33SHoTTuoZHz8gdSGU1Y+tDeOps/QprVfy+0mG
|
||||
V2PWGjci30iN3NpZbv/EuOMMjwwl0iFzji8N50plfuo
|
||||
-> o#R-grease .V $]$5c3( JcnS v@X
|
||||
xrpywd9RbU3pbX+ZNUmp8+FASc8RQjaewO9pnQNaCZc4hujhllw
|
||||
--- JcL1P3WGCeePUgXoEdtlaTakrSkh7zs2zRM8G9f1bUY
|
||||
śZśŁmsÝ{+T}» Ţr‹™·É#ÍĘR[™ăU˘K拇ř“Gýc¸Ć q&k.+Vd€^~©’Ž8¤Żb4±úz:f<><17>ä`Ď
|
Binary file not shown.
|
@ -41,27 +41,23 @@ let
|
|||
frikandel-host
|
||||
];
|
||||
in {
|
||||
"vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
|
||||
"vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
|
||||
"dyndns.key.age".publicKeys = pieKeys ++ baseKeys;
|
||||
"hosting.de-api.key.age".publicKeys = baseKeys;
|
||||
|
||||
"dyndns.key".publicKeys = pieKeys ++ baseKeys;
|
||||
"hosting.de-api.key".publicKeys = baseKeys;
|
||||
"droppie-ssh-root.key.age".publicKeys = droppieKeys ++ baseKeys;
|
||||
|
||||
"droppie-ssh-root.key".publicKeys = droppieKeys ++ baseKeys;
|
||||
"b12f-env-secrets.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
|
||||
|
||||
"mopidy.conf".publicKeys = chocolatebarKeys ++ biolimoKeys ++ baseKeys;
|
||||
".fwknoprc.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
|
||||
|
||||
"b12f-env-secrets".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
|
||||
"cat-test.ovpn.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
|
||||
|
||||
".fwknoprc".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
|
||||
"firefly-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
|
||||
"firefly-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
|
||||
"firefly-importer-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
|
||||
"firefly-cron-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
|
||||
|
||||
"cat-test.ovpn".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
|
||||
|
||||
"firefly-secrets.env".publicKeys = pieKeys ++ baseKeys;
|
||||
"firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
|
||||
"firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys;
|
||||
|
||||
"rclone-pie.conf".publicKeys = pieKeys ++ baseKeys;
|
||||
"rclone-pie.conf.age".publicKeys = pieKeys ++ baseKeys;
|
||||
"restic-password.age".publicKeys = pieKeys ++ baseKeys;
|
||||
|
||||
"wg-private-chocolatebar.age".publicKeys = chocolatebarKeys ++ baseKeys;
|
||||
|
@ -71,5 +67,5 @@ in {
|
|||
"wg-private-frikandel-server.age".publicKeys = frikandelKeys ++ baseKeys;
|
||||
|
||||
"invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
|
||||
"invoiceplane-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
|
||||
"invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
|
||||
}
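Review bot: Three entries on the new side keep names without the `.age` suffix — `"vnc-cert-chocolatebar.pem"`, `"vnc-key-chocolatebar.pem"` and `"mopidy.conf"` — although the commit title says all encrypted secrets get it. If that is deliberate (the deleted VNC config in this commit still referenced `/run/agenix/vnc-key.pem`, so these may be consumed by a path that was not renamed), a one-line comment above them such as `# not renamed: consumed by fixed /run/agenix paths` would stop the next rename from half-applying; otherwise they should follow the same rename together with their `age.secrets` definitions. They appear here only as context lines, so they may already be handled elsewhere. The `let` bindings defining the key lists start outside the section.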
|
||||
|
|
|
@ -10,13 +10,13 @@ with lib; let
|
|||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in {
|
||||
age.secrets."cat-test.ovpn" = {
|
||||
file = "${flake.self}/secrets/cat-test.ovpn";
|
||||
file = "${flake.self}/secrets/cat-test.ovpn.age";
|
||||
mode = "700";
|
||||
owner = psCfg.user.name;
|
||||
};
|
||||
|
||||
age.secrets.".fwknoprc" = {
|
||||
file = "${flake.self}/secrets/.fwknoprc";
|
||||
file = "${flake.self}/secrets/.fwknoprc.age";
|
||||
mode = "600";
|
||||
};
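Review bot: `mode = "700"` on the `cat-test.ovpn` secret sets the execute bit on an OpenVPN profile that is only read, while every other secret in this commit uses `400` or `600`; `mode = "600";` (or `400` to match the read-only intent) is the least-privilege choice and keeps the file consistent with the rest. The mode is carried over from before the rename, so this is pre-existing rather than introduced by the commit.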
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ in {
|
|||
|
||||
config = {
|
||||
age.secrets.b12f-env-secrets = {
|
||||
file = "${flake.self}/secrets/b12f-env-secrets";
|
||||
file = "${flake.self}/secrets/b12f-env-secrets.age";
|
||||
mode = "400";
|
||||
owner = psCfg.user.name;
|
||||
};
|
||||
|
|