staging: fix secrets

flake.lock

@@ -1,30 +1,5 @@
 {
   "nodes": {
-    "agenix": {
-      "inputs": {
-        "darwin": "darwin",
-        "home-manager": [
-          "home-manager"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1736955230,
-        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
-        "type": "github"
-      }
-    },
     "blobs": {
       "flake": false,
       "locked": {
@@ -41,70 +16,6 @@
         "type": "gitlab"
       }
     },
-    "darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "ref": "master",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
-    "deploy-rs": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "utils": "utils"
-      },
-      "locked": {
-        "lastModified": 1727447169,
-        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
-        "owner": "serokell",
-        "repo": "deploy-rs",
-        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
-        "type": "github"
-      },
-      "original": {
-        "owner": "serokell",
-        "repo": "deploy-rs",
-        "type": "github"
-      }
-    },
-    "disko": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1744145203,
-        "narHash": "sha256-I2oILRiJ6G+BOSjY+0dGrTPe080L3pbKpc+gCV3Nmyk=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "76c0a6dba345490508f36c1aa3c7ba5b6b460989",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "disko",
-        "type": "github"
-      }
-    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -121,22 +32,6 @@
         "type": "github"
       }
     },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
@@ -280,9 +175,6 @@
     },
     "root": {
       "inputs": {
-        "agenix": "agenix",
-        "deploy-rs": "deploy-rs",
-        "disko": "disko",
         "flake-parts": "flake-parts",
         "home-manager": "home-manager",
         "invoiceplane-template": "invoiceplane-template",
@@ -296,7 +188,7 @@
     "simple-nixos-mailserver": {
       "inputs": {
         "blobs": "blobs",
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
         "nixpkgs": [
           "nixpkgs-unstable"
         ],
@@ -318,54 +210,6 @@
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "utils": {
-      "inputs": {
-        "systems": "systems_2"
-      },
-      "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
     }
   },
   "root": "root",

staging/flake.lock

@@ -252,7 +252,7 @@
       },
       "locked": {
         "lastModified": 0,
-        "narHash": "sha256-1OUOVLSC8NMqoKi29oMPfdK1Zw+vuEjE1xehfgBbs54=",
+        "narHash": "sha256-5HBdgwzMiOVThrpkmaJ8GrJ3S+Qn74AhQ4Xf1gIL1CE=",
         "path": "../",
         "type": "path"
       },

staging/hosts/cassiopeia/acme.nix

@@ -7,7 +7,7 @@
 }:
 {
   age.secrets."hostingde-acme-secrets" = {
-    file = "${flake.self}/secrets/momo/hostingde-acme-secrets.age";
+    file = "${flake.self}/secrets/hostingde-acme-secrets.age";
     mode = "400";
     owner = "acme";
   };

staging/hosts/cassiopeia/kanidm.nix

@@ -7,12 +7,12 @@
 }:
 {
   age.secrets."kanidm-admin-password" = {
-    file = "${flake.self}/secrets/staging/kanidm-admin-password.age";
+    file = "${flake.self}/secrets/kanidm-admin-password.age";
     mode = "400";
     owner = "kanidm";
   };
   age.secrets."kanidm-idm-admin-password" = {
-    file = "${flake.self}/secrets/staging/kanidm-idm-admin-password.age";
+    file = "${flake.self}/secrets/kanidm-idm-admin-password.age";
     mode = "400";
     owner = "kanidm";
   };

staging/hosts/cassiopeia/monitoring.nix

@@ -5,7 +5,7 @@
 }:
 {
   age.secrets.alloy-basic-auth-password = {
-    file = "${flake.self}/secrets/staging/alloy-basic-auth-password.age";
+    file = "${flake.self}/secrets/alloy-basic-auth-password.age";
     path = "/etc/alloy/secrets.alloy";
     symlink = false;
     mode = "400";
@@ -17,14 +17,14 @@
   };
 
   age.secrets.grafana-oidc-secret = {
-    file = "${flake.self}/secrets/staging/grafana-oidc-secret.age";
+    file = "${flake.self}/secrets/grafana-oidc-secret.age";
     owner = "grafana";
     group = "kanidm";
     mode = "440";
   };
 
   age.secrets.grafana-admin-password = {
-    file = "${flake.self}/secrets/staging/grafana-admin-password.age";
+    file = "${flake.self}/secrets/grafana-admin-password.age";
     owner = "grafana";
     mode = "400";
   };

staging/hosts/cassiopeia/nextcloud-signaling.nix

@@ -2,39 +2,39 @@
 
 {
   age.secrets."signaling-nextcloud-secret" = {
-    file = "${flake.self}/secrets/staging/signaling-nextcloud-secret.age";
+    file = "${flake.self}/secrets/signaling-nextcloud-secret.age";
     mode = "400";
     owner = "turnserver";
     group = "nextcloud";
   };
 
   age.secrets."signaling-internal-secret" = {
-    file = "${flake.self}/secrets/staging/signaling-internal-secret.age";
+    file = "${flake.self}/secrets/signaling-internal-secret.age";
     mode = "400";
     owner = "turnserver";
   };
 
   age.secrets."janus-api-key" = {
-    file = "${flake.self}/secrets/staging/janus-api-key.age";
+    file = "${flake.self}/secrets/janus-api-key.age";
     mode = "400";
     owner = "janus";
     group = "turnserver";
   };
 
   age.secrets."signaling-block-key" = {
-    file = "${flake.self}/secrets/staging/signaling-block-key.age";
+    file = "${flake.self}/secrets/signaling-block-key.age";
     mode = "400";
     owner = "turnserver";
   };
 
   age.secrets."signaling-hash-key" = {
-    file = "${flake.self}/secrets/staging/signaling-hash-key.age";
+    file = "${flake.self}/secrets/signaling-hash-key.age";
     mode = "400";
     owner = "turnserver";
   };
 
   age.secrets."coturn-static-auth-secret" = {
-    file = "${flake.self}/secrets/staging/coturn_static_auth_secret.age";
+    file = "${flake.self}/secrets/coturn_static_auth_secret.age";
     mode = "400";
     owner = "turnserver";
     group = "nextcloud";

staging/hosts/cassiopeia/nextcloud.nix

@@ -7,19 +7,19 @@
 }:
 {
   age.secrets."nextcloud-secrets" = {
-    file = "${flake.self}/secrets/staging/nextcloud-secrets.age";
+    file = "${flake.self}/secrets/nextcloud-secrets.age";
     mode = "400";
     owner = "nextcloud";
   };
 
   age.secrets."nextcloud-admin-pass" = {
-    file = "${flake.self}/secrets/staging/nextcloud-admin-pass.age";
+    file = "${flake.self}/secrets/nextcloud-admin-pass.age";
     mode = "400";
     owner = "nextcloud";
   };
 
   age.secrets."nextcloud-oidc-secret" = {
-    file = "${flake.self}/secrets/staging/nextcloud-oidc-secret.age";
+    file = "${flake.self}/secrets/nextcloud-oidc-secret.age";
     mode = "440";
     owner = "nextcloud";
     group = "kanidm";

staging/hosts/cassiopeia/paperless.nix

@@ -7,19 +7,19 @@
 }:
 {
   age.secrets."paperless.env" = {
-    file = "${flake.self}/secrets/staging/paperless.env.age";
+    file = "${flake.self}/secrets/paperless.env.age";
     mode = "400";
     owner = "paperless";
   };
 
   age.secrets."kanidm-paperless-secret" = {
-    file = "${flake.self}/secrets/staging/kanidm-paperless-secret.age";
+    file = "${flake.self}/secrets/kanidm-paperless-secret.age";
     mode = "400";
     owner = "kanidm";
   };
 
   age.secrets."paperless-superuser-password" = {
-    file = "${flake.self}/secrets/staging/paperless-superuser-password.age";
+    file = "${flake.self}/secrets/paperless-superuser-password.age";
     mode = "400";
     owner = "kanidm";
   };

staging/hosts/cassiopeia/smtp-settings.nix

@@ -2,7 +2,7 @@
 
 {
   age.secrets."email-smtp-password" = {
-    file = "${flake.self}/secrets/staging/email-smtp-password.age";
+    file = "${flake.self}/secrets/email-smtp-password.age";
     owner = "grafana";
   };
 

staging/hosts/cassiopeia/wireguard.nix

@@ -8,7 +8,7 @@ let
   wireguardIPv6 = "fd00:3031:3031:3031:3031:1::";
 in
 {
-  age.secrets.wg-private-key.file = "${flake.self}/secrets/staging/cassiopeia-wg-private-key.age";
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/cassiopeia-wg-private-key.age";
 
   momo-cloud.wireguard = {
     enable = true;

staging/secrets/hostingde-acme-secrets.age

@@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 FuRdVg +GfsNE+29LaaqZt+jmxD1t4GQS+Pxy9FzLctarZKPwg
+69+gRW3XcOlk8xZfIOaYKBueNKKz12TY7YCFR0l1K6E
+-> ssh-ed25519 SUhILQ Zs5shlXGvWPAyEVJaB1UR5Abje8dcT2+k7umfPzduQw
+Wp9t/m6P+rwJ8judormWBSkVdXiOGLs49NMcGrgm0uY
+-> ssh-rsa f5THog
+t0VcnDQuocJwYo0ogFGZj5yKGB4235Z/aznzwnAjHDtvr/Gzv4bcLCM3jmWl9ePX
+sPQW6M0kS7WTGYDAm1ualAEtEPKISFAeeLOS6rXI+yfX3sr1T+0Ygwy160N/EiCA
+NrKLakm0tjohSO4h3mzrfb9hY9E3IB30n+oM3Ti9EPawjIm9w+QAFyFEKkv8opDr
+MZ4FekcKl/xwJ2/NcwsD3rafDHF9ryhzeUvvckPdNDq6qwYOdTO41wwueb8B180+
+aGL1HSzI/TJ20sLFZ9mW5XOR7yLQ4zHLY+XRPhLNikOkhgCd3rcZS6oMvpawSNza
+AEqlxVxQ5BxJsLTaBiRSmVSZxrzM4nzFfLV6xZ1aNy4LNiUpWtFSyaCFzn+vw/6C
+w2Knk5OLtw3KudNcfLHR05fvlW/vImadsxmMO1Oo7aFXLjGrnYJjrUj2NRT0i2tQ
+exmUJlnK3Cb8pxVOTCk4dFm/p7MuhyOaaPNKA1tRp4va40r5f65T+uPTPud8VqOJ
+ugKIYSZ6HsRxU3XvIx+9W+9bDGTdHPrY+V4a0urzLLuFby1/ShJHE6/X91tW1eKR
+hyv9UBKLacZx0vBxi6JtQ+ei+DMqQvCHmisz7XrIxdTo5bUBfro1Aav3I6jSfS8z
+SW1P1R83o1xjXejLKoreuM7GQZRXEK3bbEjhAJeY/sw
+-> ssh-rsa kFDS0A
+g39E538YXbjmjapcSHC3Tf4uwofUyb+4JV/4v2AjD7IxD2cE3eyM6Zim5V6T1hnT
+HH4yGOY47ju9Dy7jlyNdTGx2//P84o4IWzM80nQb8d/oQvYXUYFQ+Aj8GEjMuUnc
+xXZYx8VYnEOTWgNmHTZsavfV3PQ+nXCxnmqaiZd2YwizCZvkeu6aCWV2oUpt9vI3
+LfJxoJwiyLczVsjEDjG4bIQftz0ZEMv8ythm1nGoLE+jS3HJ6SB7zLi16YOuHmWP
+l4LEiEyqOs+ZLAn4DF9iwthQNbG+Vrv34Ulvj3pLSyDyWvxtNjKqdtChuFIERRA6
+8cYsAsVWfvub+AC+iaVyWKncLF4c6Lo2SesIHvgH2jEU9bl2IxM9A5aE+/FkB0vA
+hSFKFL6hsior8Ce33Ecyk2K1HnbukkX/hMINJFA1AdtMbmKka03ne3xFnXJKfPAf
+iWKUT9if95rdeSV/zm9h0V7Y/9e7EVceVGyaPhAh3eKOPdyLUKfayC0Br9UZ3EM1
+2ycr7qJq3xWicrMIN8LEqbvCgfvgnlrDiU3zyiq7oLObCaZx0tqFi2Vc/8+lORwp
+YjxUY7U4MjLRLVIYo2CBJMCKHKiDXWpDPmeIogX/bLLVGDloadpxpAcTdwFbMCAu
+o74BfXiA3GLFaGcI+HSmMeGjWTs/p8YF/V827MPUPF4
+-> piv-p256 vRzPNw AkzWteQ1FyneTlqT/V8GASrsZ85hu/V6FaLkA/D3VruY
+3mYmrK1nhDVRPivi3myAatIvwmLaTiR6VH4SGRCEJ4M
+-> piv-p256 zqq/iw A/gYlm4uEB2K4pTZ7kSGcW/mlSko5fzzIHHxr6iyvJKX
+PJMfU6G4Iuol3mEPKCZFB4Gm1sxDzUCUMV23y/atySQ
+-> ssh-ed25519 YFSOsg QmZyYwfvcZ+e0fyaN+N8u/ghhJqQmsAjFS4wbO37K0Q
+Xqj+zMT7c4eIGG+V1V51ygB5kLcM4iCmvXUXi21zSpU
+-> ssh-ed25519 iHV63A 9ts4Qy9POpHwwPA8xYz9+PSYPfwixsQMGJINMERVbRE
+F3ulq5/9aQX3TZzjIOn9r3WWd5h9f54d5R+GZ8+fNVw
+-> ssh-ed25519 BVsyTA SaUWG5PfOGmpp94TnoDIlA4nRbxvrZngXZTg9z6lEzo
+MIOFO9SDDERuB0d/3zodHiwVyk+Y1tcrUaosMCscJ50
+-> ssh-ed25519 +3V2lQ 1f/SJwQhAd5dJfyVWWrBdiywEncr8yBrf8XAyGkjfiI
+n+JHrY4uI+U1jG/khQ2oI4BH3eP1hGB6s8IPmxD8eMY
+--- CtPxNW5OAk+zvW3jb9VYIhNzVZk6h4HnjxgAHuC92BQ
+t¨˜4É•Í
<0E>"¸Ãö:Ð^dŸ¡P*Ô™&NâU=óï³ ¯³¬8Wí¨5ÝêZCÊ3-¨CüùKBX
ú<>ÒúfŠ<66>¶ÛfÞ‘‹áŠ¯£YXÖƒÀ
D®§ª†Ú$¼w

staging/secrets/secrets.nix

@@ -10,26 +10,27 @@ let
   cassiopeiaKeys = [ cassiopeia-host ];
 in
 {
-  "staging/cassiopeia-wg-private-key.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/kanidm-admin-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/kanidm-idm-admin-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "hostingde-acme-secrets.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "cassiopeia-wg-private-key.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "kanidm-admin-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "kanidm-idm-admin-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
 
-  "staging/nextcloud-oidc-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/nextcloud-admin-pass.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/nextcloud-secrets.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "nextcloud-oidc-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "nextcloud-admin-pass.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "nextcloud-secrets.age".publicKeys = cassiopeiaKeys ++ adminKeys;
 
-  "staging/signaling-block-key.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/signaling-hash-key.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/signaling-internal-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/signaling-nextcloud-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "signaling-block-key.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "signaling-hash-key.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "signaling-internal-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "signaling-nextcloud-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
 
-  "staging/alloy-basic-auth-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/coturn_static_auth_secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/email-smtp-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/grafana-admin-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/grafana-oidc-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/janus-api-key.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/kanidm-paperless-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/paperless.env.age".publicKeys = cassiopeiaKeys ++ adminKeys;
-  "staging/paperless-superuser-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "alloy-basic-auth-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "coturn_static_auth_secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "email-smtp-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "grafana-admin-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "grafana-oidc-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "janus-api-key.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "kanidm-paperless-secret.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "paperless.env.age".publicKeys = cassiopeiaKeys ++ adminKeys;
+  "paperless-superuser-password.age".publicKeys = cassiopeiaKeys ++ adminKeys;
 }