
Introduce agenix secrets management

This commit is contained in:
clerie 2023-05-01 11:37:33 +02:00
parent ce766a8f90
commit 09b043c26c
8 changed files with 86 additions and 1 deletions


@ -1,5 +1,48 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1682101079,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
"owner": "ryantm",
"repo": "agenix",
"rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"nixos-exporter": {
"inputs": {
"nixpkgs": [
@ -54,6 +97,7 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"nixos-exporter": "nixos-exporter",
"nixpkgs": "nixpkgs",
"nixpkgs-schule": "nixpkgs-schule",


@ -2,6 +2,10 @@
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-schule.url = "github:NixOS/nixpkgs/nixos-unstable";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-exporter = {
url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
inputs.nixpkgs.follows = "nixpkgs";
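Review bot: The new `agenix` input pins its nixpkgs to the flake's own, but agenix's other input, `darwin` (locked to lnl7/nix-darwin in the flake.lock hunk above), is left in the closure of what appears to be a NixOS-only flake. Adding `inputs.darwin.follows = "";` beside the existing `inputs.nixpkgs.follows = "nixpkgs";` removes that dependency from the lock so there is one fewer upstream to track and audit. The `inputs` attribute set continues outside the hunk.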


@ -6,6 +6,8 @@
./hardware-configuration.nix
../../configuration/proxmox-vm
./secrets
./restic-server.nix
];


@ -8,6 +8,15 @@
listenAddress = "[::1]:43242";
};
# restic rest server does not support --htpasswd-file in the current version of nixpkgs
# until then we copy the secrets to the common location
age.secrets.restic-server-cyan-htpasswd = {
path = "/mnt/clerie-backup/cyan/.htpasswd";
symlink = false;
owner = "restic";
group = "restic";
};
services.nginx.virtualHosts."cyan.backup.clerie.de" = {
enableACME = true;
forceSSL = true;
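Review bot: The decrypted htpasswd is written with `symlink = false` to `/mnt/clerie-backup/cyan/.htpasswd`, i.e. the plaintext credential lives on the backup data volume and persists across reboots rather than in agenix's default runtime location; whether that mount is guaranteed to be active when agenix activates cannot be seen from this hunk, so a missing mount would leave the file on the root filesystem instead. The comment above the block explains the workaround but not what it accepts, so extend it to `# NOTE: plaintext credential is stored on the backup volume, not tmpfs; drop this block and use --htpasswd-file once nixpkgs' restic rest-server supports it`. `mode` is not set, so the agenix default applies; stating `mode = "0400";` explicitly alongside `owner`/`group` documents the intended permissions on a file that sits inside a served data directory.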


@ -0,0 +1,5 @@
{ ... }:
{
age.secrets.restic-server-cyan-htpasswd.file = ./restic-server-cyan-htpasswd.age;
}


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 HwR33w zPP2GxmlabgLkMMW9DqpdAiMUXTPTwZ8Y1aHAKoOUU4
oqGSUZMztWoercL/DD/Qagn8VE4U8KPzPrjmLXHGb5I
-> ssh-ed25519 ILP4Ew cLYC1UCOo1XSvnViQZfXKUClDkO9SZZZsHR2yxGm2Dc
1cyw/j8XQk/ztE6fEtZtjQ8cX4mkF5FrAWgZfyENV4c
-> P-grease uB// Mn0<WD U%HyAy#v
X5sX6sC2qXAKtRCcLA0TMmpSoVCoCYlcz+efVNPfala+Yh+z3kXjZIoVohtBc8Bi
Jy8fizfJEv6u7bPhdoytSEoQtMiTMw
--- /ymN2GqfIuI/2cqu7PFU0oO6RYfp3ZX1b9AX/YA2xJs
fhù7ØèÚf`Ÿý:È—UJ¨JXZ©ÌÙ(‰å§êº¯AÅ_˜aÂkiSÈïgKŽesO¼í)¬§6ncQFH¸ r•åPš<29‘ÿÉ{ƒ:ñ9 l&»mß°!ÕAæV¬ì¦ i


@ -1,4 +1,4 @@
{ self, nixpkgs, nixos-exporter, solid-xmpp-alarm, ... }@inputs:
{ self, nixpkgs, agenix, nixos-exporter, solid-xmpp-alarm, ... }@inputs:
rec {
generateNixosSystem = {
@ -28,6 +28,7 @@ rec {
];
clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };
})
agenix.nixosModules.default
solid-xmpp-alarm.nixosModules.solid-xmpp-alarm
(../hosts + "/${name}/configuration.nix")
];

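--- a/secrets.nix
+++ b/secrets.nix
@@ -0,0 +1,10 @@
+let
+users = {
+clerie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzEQEWeunhkzP+invKjdsZe4rbUloixa374bYEhBSA5 clerie_id";
+};
+hosts = {
+clerie-backup = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ";
+};
+in {
+"hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age".publicKeys = [ users.clerie hosts.clerie-backup ];
+}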
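Review bot: The `hosts.clerie-backup` public key carries no comment recording where it came from or what to do when the host is reinstalled, so the recipient list cannot be verified against the host from this file alone. Presumably it is the host's SSH ed25519 host key (agenix's default identity), in which case a comment such as `# clerie-backup: /etc/ssh/ssh_host_ed25519_key.pub; on reinstall replace and run agenix --rekey` next to the key would make rotation traceable. The user key already has a `clerie_id` comment in the key string; giving the host key the same treatment keeps the two entries consistent.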