From 9c7c9ab183a47bf23769f82148f3127bbfc580ab Mon Sep 17 00:00:00 2001 From: clerie Date: Fri, 10 May 2024 14:07:46 +0200 Subject: [PATCH 01/12] hosts/web-2: Fix mime types for gpg and ssh public keys served via clerie.de --- hosts/web-2/clerie.nix | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/hosts/web-2/clerie.nix b/hosts/web-2/clerie.nix index ed5af54..4802739 100644 --- a/hosts/web-2/clerie.nix +++ b/hosts/web-2/clerie.nix @@ -19,28 +19,41 @@ hash = "sha256-GBAclFkcIzCPi8P+UmATw01uzND3EoUYXiytjVnEjtc="; }; locations."/ssh" = { + extraConfig = '' + types { + text/plain pub; + } + ''; root = pkgs.clerie-keys; }; locations."= /ssh/known_hosts" = { alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix); extraConfig = '' - types { } default_type "text/plain; charset=utf-8"; + types { } + default_type "text/plain; charset=utf-8"; ''; }; locations."/gpg" = { + extraConfig = '' + types { + text/plain asc; + } + ''; root = pkgs.clerie-keys; }; locations."~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = { root = pkgs.clerie-keys; extraConfig = '' - types { } default_type application/octet-stream; + types { } + default_type application/octet-stream; add_header Access-Control-Allow-Origin * always; try_files /gpg/clerie@clerie.de =404; ''; }; locations."= /.well-known/openpgpkey/policy" = { extraConfig = '' - types { } default_type application/octet-stream; + types { } + default_type application/octet-stream; add_header Access-Control-Allow-Origin * always; ''; return = "200 ''"; From 28e1168c7eac00869677ac67836777113930541e Mon Sep 17 00:00:00 2001 From: clerie Date: Fri, 10 May 2024 14:20:23 +0200 Subject: [PATCH 02/12] hosts/web-2: Update clerie.de --- hosts/web-2/clerie.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/web-2/clerie.nix b/hosts/web-2/clerie.nix index 4802739..b6e3d72 100644 --- a/hosts/web-2/clerie.nix +++ b/hosts/web-2/clerie.nix 
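Review bot: The new `types { text/plain pub; }` and `types { text/plain asc; }` blocks in the `/ssh` and `/gpg` locations map the key files to bare `text/plain`, while the sibling `= /ssh/known_hosts` location in the same hunk serves `text/plain; charset=utf-8` — the charset should be consistent across the three locations. A `types` block inside a location also replaces the whole inherited MIME table, so any other file under `/ssh` or `/gpg` now falls back to whatever `default_type` is inherited from the enclosing server/http block, which these two locations do not set; I'd add `default_type "text/plain; charset=utf-8";` next to each `types` block (or `charset utf-8;`) so the behaviour is explicit rather than inherited. Since these locations serve key material that browsers may render, `add_header X-Content-Type-Options nosniff always;` on them would also stop content sniffing from overriding the declared type. The attribute set holding these `locations` entries starts and ends outside the hunk.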
@@ -15,8 +15,8 @@ forceSSL = true; root = pkgs.fetchgit { url = "https://git.clerie.de/clerie/clerie.de.git"; - rev = "6ae72f9c8616fe005474a1244dbdf8efd61a07a0"; - hash = "sha256-GBAclFkcIzCPi8P+UmATw01uzND3EoUYXiytjVnEjtc="; + rev = "785693e6826c6377c3f3200274c281d2ef3317b3"; + hash = "sha256-cyTHOOm7hpPUD8paKB7Wci3RYAo6Jr/MI/Xqx4iwXwY="; }; locations."/ssh" = { extraConfig = '' From 9fd359f14eb8daa6cfbd2ccfd17c357e7a3f44da Mon Sep 17 00:00:00 2001 From: clerie Date: Fri, 10 May 2024 14:31:16 +0200 Subject: [PATCH 03/12] hosts/web-2: Remove md.clerie.de --- hosts/web-2/configuration.nix | 1 - hosts/web-2/hedgedoc.nix | 42 ----------------------------------- 2 files changed, 43 deletions(-) delete mode 100644 hosts/web-2/hedgedoc.nix diff --git a/hosts/web-2/configuration.nix b/hosts/web-2/configuration.nix index cf63314..65a3e45 100644 --- a/hosts/web-2/configuration.nix +++ b/hosts/web-2/configuration.nix @@ -12,7 +12,6 @@ ./drop.nix ./fieldpoc.nix ./gitea.nix - ./hedgedoc.nix ./iot-data.nix ./ip.nix ./legal.nix diff --git a/hosts/web-2/hedgedoc.nix b/hosts/web-2/hedgedoc.nix deleted file mode 100644 index 6dc5625..0000000 --- a/hosts/web-2/hedgedoc.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ ... }: - -{ - services.hedgedoc = { - enable = true; - settings = { - domain = "md.clerie.de"; - protocolUseSSL = true; - db = { - dialect = "postgres"; - host = "/run/postgresql"; - }; - port = 3835; - host = "::1"; - - allowEmailRegister = false; - }; - }; - - services.postgresql = { - ensureDatabases = [ "hedgedoc" ]; - ensureUsers = [ - { - name = "hedgedoc"; - ensureDBOwnership = true; - } - ]; - }; - - services.nginx.virtualHosts = { - "md.clerie.de" = { - enableACME = true; - forceSSL = true; - locations = { - "/" = { - proxyPass = "http://[::1]:3835"; - proxyWebsockets = true; - }; - }; - }; - }; -} From 27fb1be845e8ed5cedf025d753114983f394a8df Mon Sep 17 00:00:00 2001 
From: clerie Date: Fri, 10 May 2024 14:38:13 +0200 Subject: [PATCH 04/12] users/clerie: Remove obsolete ssh keys --- secrets.nix | 2 +- users/clerie/clerie_id-2023.pub | 1 + users/clerie/clerie_id-2024.pub | 1 - users/clerie/default.nix | 2 -- users/clerie/ssh.pub | 2 +- 5 files changed, 3 insertions(+), 5 deletions(-) create mode 100644 users/clerie/clerie_id-2023.pub delete mode 100644 users/clerie/clerie_id-2024.pub diff --git a/secrets.nix b/secrets.nix index a9ee68d..a504883 100644 --- a/secrets.nix +++ b/secrets.nix @@ -72,7 +72,7 @@ let value = { publicKeys = [ # Hardcode clerie's public key here - users.clerie + (builtins.readFile (./users + "/clerie/ssh.pub")) # No other user should have access to any secrets # A host should only have access to their own secrets diff --git a/users/clerie/clerie_id-2023.pub b/users/clerie/clerie_id-2023.pub new file mode 100644 index 0000000..3355d9a --- /dev/null +++ b/users/clerie/clerie_id-2023.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzEQEWeunhkzP+invKjdsZe4rbUloixa374bYEhBSA5 clerie_id diff --git a/users/clerie/clerie_id-2024.pub b/users/clerie/clerie_id-2024.pub deleted file mode 100644 index a541ea0..0000000 --- a/users/clerie/clerie_id-2024.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 openpgp:0xDEC2998F diff --git a/users/clerie/default.nix b/users/clerie/default.nix index d9d939b..883a373 100644 --- a/users/clerie/default.nix +++ b/users/clerie/default.nix 
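Review bot: `builtins.readFile (./users + "/clerie/ssh.pub")` in the `publicKeys` list of `secrets.nix` returns the file contents including the trailing newline, so the age recipient string now ends in `\n`, which the previous `users.clerie` value presumably did not; whether agenix tolerates that depends on how it splits `publicKeys` into `-r` arguments, so I'd strip it, e.g. `(lib.removeSuffix "\n" (builtins.readFile ./users/clerie/ssh.pub))` or `lib.fileContents ./users/clerie/ssh.pub`, if `lib` is in scope in this file. The comment `# Hardcode clerie's public key here` no longer describes the line — the key is now read from the file rather than hardcoded — and I'd reword it to `# Read clerie's user key from users/clerie/ssh.pub so every secret is encrypted to the current key`. The `let` binding this list sits in starts before the hunk.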
@@ -11,8 +11,6 @@ ]; openssh.authorizedKeys.keys = [ (builtins.readFile ./ssh.pub) - (builtins.readFile ./clerie_id-2024.pub) - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUBblmmVoMMBftn4EnwnzqR12m9zill51LpO124hHb10K2rqxNoq8tYSc2pMkV/3briZovffpe5SzB+m2MnXbtOBstIEXkrPZQ78vaZ/nLh7+eWg30lCmMPwjf2wIjlTXkcbxbsi7FbPW7FsolGkU/0mqGhqK1Xft/g7SnCXIoGPSSrHMXEv5dPPofCa1Z0Un+98wQTVfOSKek6TnIsfLbG01UFQVkN7afE4dqSmMiWwEm2PK9l+OiBA2/QzDpbtu9wsfTol4c192vFEWR9crB2YZ1JlMbjVWHjYmB7NFsS0A6lUOikss0Y+LUWS2/QuM/kqybSo4rasZMAIazM6D clerie" ]; }; diff --git a/users/clerie/ssh.pub b/users/clerie/ssh.pub index 3355d9a..a541ea0 100644 --- a/users/clerie/ssh.pub +++ b/users/clerie/ssh.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzEQEWeunhkzP+invKjdsZe4rbUloixa374bYEhBSA5 clerie_id +ssh-rsa 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 openpgp:0xDEC2998F From a7b8569ed8386dd9444a775012c5c729b9205cbf Mon Sep 17 00:00:00 2001 From: clerie Date: Fri, 10 May 2024 14:53:54 +0200 Subject: [PATCH 05/12] hosts/zinc: Migrate secrets to sops --- hosts/zinc/secrets.json | 26 ++++++++++++++++++++++++++ hosts/zinc/secrets/wg-clerie.age | 10 ---------- 2 files changed, 26 insertions(+), 10 deletions(-) create mode 100644 hosts/zinc/secrets.json delete mode 100644 hosts/zinc/secrets/wg-clerie.age diff --git a/hosts/zinc/secrets.json b/hosts/zinc/secrets.json new file mode 100644 index 0000000..cf23944 --- /dev/null +++ b/hosts/zinc/secrets.json 
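Review bot: After this change `openssh.authorizedKeys.keys` in `users/clerie/default.nix` contains a single entry — the `ssh-rsa … openpgp:0xDEC2998F` key that `ssh.pub` now holds — so if that key is only usable through gpg-agent (the `openpgp:` comment suggests so) there is no break-glass login path when the agent or the token is unavailable; keeping `(builtins.readFile ./clerie_id-2023.pub)` in the list as a fallback is worth considering, especially since that file is created in this patch but referenced nowhere in it. The commit title says "remove obsolete keys", but swapping `ssh.pub` from ed25519 to RSA also changes the recipient that `secrets.nix` encrypts every `.age` secret to; the later patches in this series re-encrypt several hosts' secrets with sops, but any `.age` file not covered by them will still need re-keying before the old key is gone. If retaining `clerie_id-2023.pub` is intentional, a one-line comment in that file's consumer (or next to the `authorizedKeys` list) saying why would help the next reader. The `users.users.clerie` attribute set this list belongs to starts before the hunk.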
@@ -0,0 +1,26 @@ +{ + "wg-clerie": "ENC[AES256_GCM,data:ur9cCDLDzLinS3kDNjBjdB9LOqWqGeHsUsJyqEP0wCHcTAd2FkzAMNm7RpE=,iv:EsldkKZ+u7zE4Dw5CApoN61nqcCsuxt2tH4hJ844iuQ=,tag:EFJsNvOaM0nSS5WVoEMXpg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1kujyx47uakll5pnwwknll474wz9euswcxwhmkfq44r8jr9a9u3cqu62dlq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpU1UveW93VFdyKzkvKzVt\nWnZzTEl4M0NRSExydktBSnN5R05IaXdQRXpRCkM5Wm5uT08vNDl0WDdWa1loZnZQ\nVGk2alJqZGs4Wkt5eFh2bzlQRHFmSW8KLS0tIEtVOXE1QnNkdUYwZjYrY2NuMzhs\nMG9DdjR2T05ERnhFWWgyR2FCQmhDSzgKvhFmOk89P5SXSNr3A98XMT4658ek+0Z1\nfZBQGNHrepztC2X4bzxUd5sDbZYRJEljahbdvx8jiP5Kg2O6sskL5Q==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-10T12:43:13Z", + "mac": "ENC[AES256_GCM,data:7r5LBkFsB+KFFe5ULPNSOEoC8qGtN5/EhMRyOOGhTdTVdkUxdiLjSyfw1j8Aw5K+YTyYNdA0g0Wrl9VGgttYE39RinEpnCkk4xXaNM6QidADxoa4CJ3Wh9t3zngbu89CqrT4h3GBOLrMP5XIuabDzq2Jb03NOmIacbgEgl4+lgg=,iv:uvz9nyYZ0zhJnjVc+HOsaFqFkeftpX+7l5CvKCrWKB0=,tag:/eP1uLjFofjI+Av/LiOstQ==,type:str]", + "pgp": [ + { + "created_at": "2024-05-10T12:43:01Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+JY4laX1ouqePr/W36zHFOWyJOxj1Xc6mDqzijxbuOr/O\nEbF0WQCb2PiZLZ+rFJdOC/d9znS7Yb+LnSFk4bagYtb8WU6L+3mBQIdBmu60sjqe\nY36QgYiUJ8Gn0n+ZgfEWmBlJJHOF3jl7x94U4SjyOQRijhz6GRP9YuSuepXjd0i4\ngSbusLNslmO1O9hpjxzP4DuZBwpVlg6w2KFdjv0hcboYexp16Mhto+jnR1VavSLG\n4pWNPSpGiRbeDMP/0TKCk73G+Foc1qj3XEEN5ZMGGNv+q/rYtmzqkhn7+45dLZB4\n6/tykjbtemD5MRY57qzxE+S0HjDy/qGx9wJ+QXkKe/N0yiDsTlWv9/0EzTRnKpf1\nKIB5G2LIRLYoH+VnRUmWF6mMS4TVcIBZBuvUJWO46WcXFM624aL0+n+UPCkGxnAB\nKc6+YCCrR/9CQYVodz1BG1aILJj3iu+j2ce1Wz7NSu8vr98h1etcWclH6AksgNcj\nzQgtblO6LJB8Nb4FcNwx0+dEqxXyl2Wx7/d1DA3gcXclXEQOXnXDQGhUrR8/6Y9U\n///PgU1BLeTQh/1uAVe6cJBxj1uH2XF+8wjwBRUChSozcj9lSFIRd4uyBoEkbM/a\nQPWgD4WT0YaOlA4Df/x+iaslKoPTU3TQZjbfPSYmqOZaA/uux8Thmvnzub6QC+6F\nAgwDvZ9WSAhwutIBD/9bUeDrADkWVzrU2DAI3drGKPwxCPd59n46HsXchPqdUYTS\nKdYsIpGfV9W+ns6CpCVriwaSXRsuZQnBJA/t9B7nHwlFKlDsTAJ0ERni5lJMY7fz\nP5h+0q29Nh0Yys/FNFK/Q8WdSXwDo+19zYi/nBGve01ezThKNrXBQRov45D8rHHw\nOu8Df/G2q2TfXVBOLT3K12i2nyUov9ggIqNNpAsurOO5sL8sx84ff9vCoa896LjO\nQKFWZUh7xLRzC7NBbuYyEiaL8z/mU2XPt5pooOdUGDKlkwuCxeHOFiAf6MZobSHf\nDUeKAXhD3/RDf7NWQaAti0a99oCjm5sz1ldkjVg6j4Hi7nsrVitTBI7LN+mW4ESz\nM4VXIhIlbVRzci/efpPXFA0j35E3tPtVJUEhJBZGXb/kUlu/z9qE78ykGM9Fhc6k\n8A7Bu3xhCGSRpoEOa3LROFHP+OM4zAx6MrDVKE2IV3rp3T65v3X99aCkptEbTe+7\nOr3PdZ1xKXG1TM95iowmHRGDRGI8GEYiD5+cEYoNnC6QJGaEni7RIbNzsz+2ywyF\nmsR27oPpPmBJxTR1w87mSrvc9mv/q3oqLqch8Fhvn7olYpQIR9TunvXtMfhSZbQT\nIACDuWt2KIw2uKUZsKlrbU7j/myQ3/+6wRWzkA+pmDCEgq4dZQ5cXnj5uOHTLoUC\nDAM1GWv08EiACgEP/iLSnmPQRmFkiL0zjZ5tGmRFp1rhspv2gqGSHyaG6loYRu3P\nya/8CU+4JpANhshJMtVxMamMkYoiFAXNQB8sGHC9LoL71Hcu5L1/7cZbu8TX/5kw\nf53n3V8KmoGldLp7bIov7d3H7jaBPe9NeO5T77jTjmLVtC9lgBuF5fH9/211Db+/\nh2TJnzZNNA5HNdOHfyzy0y09/NVp43W8aKqxzz4wKBC1M2/ZUWSNh1o67xr9Y8hz\nYJ1E4Xj/g+0WEraaZZOH8OcvVapYqU/zTxR2aLy+VT/CD5iUOJmb8s38kPkbHoo6\nVR01XTxC9li97UG/16AMbtB66+ADh04MItQ5GEfPkf7tRHEyIEoo9ww0yRjTOK5O\nte7F+wPJagISmxe7NiI64NAaSZDPwmyBA843g0PjWxJBOuQiV3qYxXB7myGSd64P\nUatSQf9QO6viZ+6FZu1C8D/FGPuCw7OMSiKY/qB4EV99A85nYuHN0LGG/MUMOYRi\ng4bb
bqFnjj/Y/E48XrADsSVbh5/0RPdEIiuF4DVfa66Pru6SaA3Mynp6zSmwqLWA\n34cKFnQ6v8tjW3SKeXdAdfOYbeJ3DG/41hE2nAG0LRd4VUdeITvc6li7h8L4rPXM\nQpeCdSfLTKIzJ4VS3esOIgPAxxJPjzPP0zvbsjnuve+IgoGRocKhbpAhoesg1GgB\nCQIQupq2OyF0/r1n968M6FpEN1f6yJceIUSGKXUjxL4jVS5T5SPbRw/cbCvMv9xg\n61/VNHirgTre7CEo2zmJPRIY8g82PA+JkLyRFRwEKsAngYsYdZtMH5CVoXfu73U3\nbT/SWbcB4Q==\n=uw6j\n-----END PGP MESSAGE-----", + "fp": "0C982F87B7AFBA0F504F90A2629E741947C87928" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/hosts/zinc/secrets/wg-clerie.age b/hosts/zinc/secrets/wg-clerie.age deleted file mode 100644 index 6df5bd9..0000000 --- a/hosts/zinc/secrets/wg-clerie.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w RJr/aWAuz9pHJyeiT4VGl24oBL3PW/h2yhMlNKdeH3k -KsHqO3xKdVMgtgXFYFKD7sapwaQBDX70yUMwFqVSsc4 --> ssh-ed25519 h49YJA woMEtKliLp92iPq8OFK2okbFbZbqtsH2LIRYyBQEs1U -BJRYOXn4Yg5IzJxOukdzvlrZadralTdJg7FKcz4yV9c --> 5R?-grease @H*!dd.z qES\G 7JLNzC -AzZ7dZCu+BRUNqJ7Qikw8fbSxSlP7IOm1/9DmYNm6KJIQbNLqrdCfMI8i5G7hbEG -pGVLYCrnZudEPKmEI7WtgGsQ ---- DEhkE0BvIaahPO/+T8NzqSCNg2hmbdCwTSF2faMECgk -߃Cиgu1" Zc1 53)bf]QDF k:c;iQwnqTbmbcHoo \ No newline at end of file From ba30850a81f2e45e7f5e660ea872453747baaba9 Mon Sep 17 00:00:00 2001 From: clerie Date: Fri, 10 May 2024 15:05:16 +0200 Subject: [PATCH 06/12] hosts/aluminium: Migrate secrets to sops --- hosts/aluminium/fieldpoc.nix | 4 +-- hosts/aluminium/secrets.json | 27 +++++++++++++++++++ .../secrets/fieldpoc-ommpassword.age | 10 ------- .../aluminium/secrets/fieldpoc-sipsecret.age | 11 -------- 4 files changed, 29 insertions(+), 23 deletions(-) create mode 100644 hosts/aluminium/secrets.json delete mode 100644 hosts/aluminium/secrets/fieldpoc-ommpassword.age delete mode 100644 hosts/aluminium/secrets/fieldpoc-sipsecret.age diff --git a/hosts/aluminium/fieldpoc.nix b/hosts/aluminium/fieldpoc.nix index 3e93039..3df29cc 100644 --- a/hosts/aluminium/fieldpoc.nix 
+++ b/hosts/aluminium/fieldpoc.nix @@ -9,8 +9,8 @@ enable = true; ommIp = "10.42.132.2"; ommUser = "omm"; - ommPasswordPath = config.age.secrets.fieldpoc-ommpassword.path; - sipsecretPath = config.age.secrets.fieldpoc-sipsecret.path; + ommPasswordPath = config.sops.secrets.fieldpoc-ommpassword.path; + sipsecretPath = config.sops.secrets.fieldpoc-sipsecret.path; dhcp = { enable = true; interface = "enp3s0"; diff --git a/hosts/aluminium/secrets.json b/hosts/aluminium/secrets.json new file mode 100644 index 0000000..f44b62f --- /dev/null +++ b/hosts/aluminium/secrets.json 
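Review bot: The switch to `config.sops.secrets.fieldpoc-ommpassword.path` and `config.sops.secrets.fieldpoc-sipsecret.path` needs matching `sops.secrets.fieldpoc-ommpassword = {};` / `sops.secrets.fieldpoc-sipsecret = {};` declarations and a `sops.defaultSopsFile` (or per-secret `sopsFile`) pointing at the new `hosts/aluminium/secrets.json`; none appears in this patch, so unless a shared module derives them from `secrets.json`, evaluation will fail on the missing attribute (the same applies to the zinc, carbon, krypton and palladium patches in this series, which only swap the encrypted files). sops-nix installs secrets as `root:root` mode `0400` by default, whereas the removed `age.secrets` entries may have carried an owner — if the fieldpoc service runs as a dedicated user, set `owner`/`group` on both secrets (e.g. `sops.secrets.fieldpoc-ommpassword.owner = "<service user>";`) or the service will hit EACCES at runtime. The attribute set these two lines sit in (the one beginning with `enable = true;`) starts before the hunk and continues after it.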
@@ -0,0 +1,27 @@ +{ + "fieldpoc-ommpassword": "ENC[AES256_GCM,data:F856G4jZjbj7RQ==,iv:svnlwqEPMDHHlSSv5Anv7w7TlDjHUBmKqiBL+IBV+1w=,tag:fnySgzaHzf2paWEBwD4DYg==,type:str]", + "fieldpoc-sipsecret": "ENC[AES256_GCM,data:ysnHLFHPbOcgTfoAmZy+3Q==,iv:6G66WDGzuyfTzezVK0uwY5Ihv22dR7x7g/A1fvxUhjk=,tag:WUVNU6Bw5u0kyHpyFsKmaw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age12nr9jt7u04ef0uf3h3pmh5wsw0t5ax7flwtk0t57zhsqj7s0lvnqxdgtu4", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SVJHaWVpVFRtZ0tiTElr\ndk5jem4xbm1rTDdkNFdEanR3eGljak4ySUFrCkVSKzhOMzB6elR6WlFtaW5vTXZK\nVE1TZ0pLcmo5alJnL2thVWVvRmV5YjgKLS0tIFJUY3pVKzhoSDNpQ0Z4TC9vdmNL\nc0RlZ1pVUmhIMjRPd1ltZFBlMXZhZncKgtH6HYaK9GLPmwHpIRXwwyhWLqHVvhDV\nRCusRPXi7vpl9Codn/gKa1yhtS+Nbrftpfibcf4Zpp6tbICBJw6Chw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-10T12:55:36Z", + "mac": "ENC[AES256_GCM,data:rYVMHm97fym9o88cF6IjPsOl1ZgIafIlvw3BhS3y1tFKuiIAmsqL+DvD+yy8oLz2atvyxIdcKihDRNoriC6V80WZg2jqedSbkK0QQHng8z+9KE0SAfoacuJqb/SMULOPVvW81Zhox3Y0fbSVdO3WScx7Z0czNBZ0JGWVObRFbHY=,iv:97/B4g0JTHLlyR9yV8xqhhDnkDDfS9VhsXFb8v3pMVs=,tag:No47WYn/Uk6R2mq2j2gpzw==,type:str]", + "pgp": [ + { + "created_at": "2024-05-10T12:54:53Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA5OzEzXewpmPARAAqgQosLYib0E8DjzA2YFhXqSvsDhRQblHDMNgTuO2/LkB\nVFj674m60/04eFHkUzAo1Ix9W8ji3Q/vVLJ/bLcfx4mGS7atBNzCFHlRrXPcSS5v\nMyihaRqfusweNTwYF64aQ2iE/EWjEDRo4Ssl5aOoilnPHpIqaTyeIbejzHoZWqqi\n7GZttP33NiQP0iWVO4SXlwkF5yuZT6qaHjUIOQEGImz5q87eMUtTNm+Xf3Qx/jAw\nqSkxwN5ySMuMcMqGpShhztoXpe123YlvNr22fZzkBHU5AwakscC5nf8skaMc2Lrh\nJ/+qFL2tWdgEf/fPd7aYFEIuC2YdJRo+yGMZ9s2VjD9ZlBQUFd8KZhytxmzoO3rW\nNKPM7/4tMyhdomt+uKqQNrVDOFMdyR+xLowyGgVqn9MDDDcnQhEdGyqk+WEeQCWN\nXlrQEVshHvC0YTIIXoyFljmMo/z251FoVY8+PHZOQzAJB2RyUIzjEDTX3a7xDNff\n5j9THrSloPLXuW9lXQO8qX8h/50GbJ2Hjpapslx3jhYx7viOHp2h3ojXbNditrIE\nWHEw679IjgTuantfnTzy1NPtIVvH5twrncPRdRsOqVVL4UHI66O5SCATAuVFXM7O\n+ZlLZS3TnuHE9JDlmV1Ts065VB3iYxXA/3p78gCcVp9otQVeDSVq3PTmKzUCLbSF\nAgwDvZ9WSAhwutIBD/9xwPiMUY60fKMS5/BoFYxKB4Ml41MalHdSURmU5IMp5oax\ngykVOoWmOTw3pm90lsZg809SwO3rbJjejMzzUZZpN+vN2pJbZeqRaY7Av/y1K6Sq\nlWXY7Jzbw2bI3JDPVq0tetM4EixGyN+P5p4tVB07BxKzbaN7dCFWk8EkFZBS5Fg9\nQiqLBwk1EofEsZHEbw6BYPivYHi0Cy63ghQ8t66SfhMyh+s2t9jPFB7s24UACaOe\nQ2aC1CP+kDvEMIlS3StNcHGUvZ73/CAkbTmbb0gynFw3odNN7+8tWHmWL3J+0RaO\n0TfXABH8/A3zka97IoZvMt9SqO0FT9VrxE2xBp318rsTfQrkYN8UiiBfvGjI6Gc2\nlZ7qXgFa1tlzYmTjYYs6TCxyT0a8mCt7wOS5yFkph4pXEumJIhh7nmJlr3/gdapt\nwA/LhAq63+UNCGvAKum2XdfwycLDvxciyz40c0ZN25SDQ+2WQp51/GESvVQNDyIc\ngI+BTFSxVjW2Qs7WdN2dJeQ7bLmN0EpGNGszHYiz/T0zowvuUiOrfjVdoNigSPwR\nSeNDI7KQ+miLiqLCSSNTF6D3MlstHBXeEfGLbJ1qFvT4hX5ErI0xmn3lVeAeQIAu\nW9wMvtmMtt7XAef9hzyUUKvnkf3pQw+GBtvY4/pCJrFWKw8vADmLZ56t8UlNFIUC\nDAM1GWv08EiACgEP/icY5+u/9/LLXcnQ0gUsOwL1ChTAOnJxl2Dfu6Wdl/Xohe20\n6VsznYeAyOQ7pq0yweTRYejx96S5M1H+M6uZJPt4lMUaX4/WwM0zJeRH0nsaqbQT\nr6YUZX+jWKhVtuHZinmSLLo5Kj/DH2DPkDPH+ZZbPHjbsltPnYggx8x5NfseN1wO\nLe/dUCz3uH0LhgMpIxeQRWJSkstV64F907SyuU8fqaQJbq28YuEYZS99yE4VTUH/\nYion7EfHpAU54f9SfAahe4VL4hvDIKQ5qbC8JiiQnPYXElNwvQnDwOpysOAq9LQL\n0VXanXeQf/mXfjRc+NiiF+7sfavSRNmIkKOm8xEgdEASQ8lh4UDhoA8mcSnB1dFJ\nAt8YOmkPEC7kplF2wQNFI0RpI+xsJ4hxsCZ3QFoXNwHK1HbeEZ7/FxtSvzxFdXsx\nNyB7EagsIMq/G6R4J9rWCHAf9LKlnFNyVzMin2LoOUtp17yvODXOszKVEj38TMfr\nz9K3
1QTellrFzJCNTY1VwZyb1JJfiVsbGCqJTbILB3SYV36Lwb3neAvK1P4KsVFY\nDIqMHeY3oLoxLyHRajtjKxhYTwjB3c0ov2IAqOszAvwnO9YBClxeewMt2/Vv2Eok\nzgkEV3cTSZCtPPhF7+C/0bZ35A1MDNXaG1AyQS+4idN0a3LuIgROF3Ow8gB81GgB\nCQIQBdPtKSJqTekbsvXlb4HEHZmjdwjoinMUiuDjAsccGSAvuEqC85NLKjn3+KpK\n7nYnI6NAI6SJ4IUy6YJ4/nKPw6hKTEn442rhUDMmQ3dmCMQFBTLx+VSUpsHE2SSL\nyZ8fqDq6Dw==\n=LtRd\n-----END PGP MESSAGE-----", + "fp": "0C982F87B7AFBA0F504F90A2629E741947C87928" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/hosts/aluminium/secrets/fieldpoc-ommpassword.age b/hosts/aluminium/secrets/fieldpoc-ommpassword.age deleted file mode 100644 index aa6e00e..0000000 --- a/hosts/aluminium/secrets/fieldpoc-ommpassword.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w dvnkhXiz/AAZa3xT6RDx8OIQnBihgUiBddXtVB85JTA -NqFXVizLIgp08r41jP1myZ/sfOcHYRk7qvPrRjH0KUA --> ssh-ed25519 GUpvaA X5Nhz0ppW4smw1cVZ0xPwcgcCREpcF4OHIjgwelm6Eo -N3rA06TZIEOgXGROcTUHlGSN4jpisGbMXX3WnHoIKek --> }zICz2Kn-grease ;yh -NSFTNcxuAeDoIHy7HqGJn6FD7t3admS1EiIlVuPvcY0X8lqUKACMAym8GcCd2vrQ -VF1NK0BsKgW1j6uUFASqBn5/us2Nx6/mwxdaX4QBGINlkas+/zN53bM ---- e+nEDx4JO9clhnhTKZLeTuUdfRSHNJS+kY2UA46j8CM -H>9㱡(Plk?Cڏ,x}W?a* \ No newline at end of file diff --git a/hosts/aluminium/secrets/fieldpoc-sipsecret.age b/hosts/aluminium/secrets/fieldpoc-sipsecret.age deleted file mode 100644 index 317cfe9..0000000 --- a/hosts/aluminium/secrets/fieldpoc-sipsecret.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w IXd1561I7Ia8Vr1nlqcMCMN9xF0LXlpXPJUIW102UBI -KFpKJdE6ge2yE+kp1pYcHnmn3th0m0X2iETZ8rFze48 --> ssh-ed25519 GUpvaA VyC2gxp7m7uz9ba1qmjQ05Cbi1ZXpkCU9ydwpYMAlyw -LC3flGQhaBdl8LeJnG5HbEBXcmEbDarWqZ/XFGhUAoI --> _7e:/rX-grease ~R' V -KlOMxJRircN7onkmcF3Omw8Nseg0kgx9CsqdRsWV9jVV8+aY/4SFRC2cllIDOIQa -71hNmC6LqcOW ---- zr22gxWcsyuMcUg3gXiIUPvbsV/dE2hRvWD+e6i1B98 -1("Sb/Q<*nI$IgfX݆ - \ No newline at end of file 
From 1e45b643878764078e09c43ff4c4048332202bf7 Mon Sep 17 00:00:00 2001 From: clerie Date: Fri, 10 May 2024 15:07:58 +0200 Subject: [PATCH 07/12] hosts/carbon: Migrate secrets to sops --- hosts/carbon/secrets.json | 26 ++++++++++++++++++++++++++ hosts/carbon/secrets/wg-monitoring.age | 9 --------- 2 files changed, 26 insertions(+), 9 deletions(-) create mode 100644 hosts/carbon/secrets.json delete mode 100644 hosts/carbon/secrets/wg-monitoring.age diff --git a/hosts/carbon/secrets.json b/hosts/carbon/secrets.json new file mode 100644 index 0000000..b2ef8ab --- /dev/null +++ b/hosts/carbon/secrets.json 
@@ -0,0 +1,26 @@ +{ + "wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age16mln27e2p58gu6dpxfclttmuzfnq39mv62kthjpps33g3nl3scfq449857", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-10T13:06:06Z", + "mac": "ENC[AES256_GCM,data:Suz7S6XzlEMvVVRMb1YIkeiZWRcnadFeX6oswLiZSc4w35Xw/nn/XY1wsWTZEXj+TecEyhWJDzw27mKLRoqClA9BqPT0E1nzkXMjb2aTp72DjrI6VuBmbuUDBQgKDXToEfrv3/H5ovAT1s69nlxYDqUq185KR2eMqhsJPUwMRSw=,iv:0vj9ezTPxPyx751iEY++GMnzuQ/HM0tgLwAeJpk7CAk=,tag:7nYfqhy4R5JOYR0majlafg==,type:str]", + "pgp": [ + { + "created_at": "2024-05-10T13:05:56Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//ZkYls0F1NMJDUkJw7tOO+pgRm6R8u29qNLAbGMtMGGqB\nwc69WpYfO7hy2IQKGcGBp/Qrp5+gpmNBGjyq6AKEaox1TKCu2drKVRClH/Htzjhe\niAllegoS1Z0W8RGze3C9i5SiUHvVaK3c2iUJ8bCTitTgUZNvteCCgXECL42Jjb49\neGZSsTDkSUr89wECHs5thx8SV2hcYk+mZk7J/yZO54BVHxZXPfYdgyINwWnmU1vf\nqOnePaIBiRTz3+ICvb9pnndlO3KEXClnBq3N6q9IcNgfH/eCenQPc6Z2TRS/2aGl\nBvK+zygO9QJVJcprNx2WdTahf6fXGU8ZmvWj9R3wv62KmQNTWmLQzCEzpTxkfpnw\nMY2WTSFZ4EHm8xSzQMJK7QyXLyH8tOemqb/sRJpaFdvLIw66nmQtAHnY9xcKSOrC\nGdN0pyX7yEtFajgRfPU2kQb9wzyoj3hRU2lNlsvJC58R+rMLsNw5FT4+LFC2RBO4\n+E7th4fFEj6dyFfISRZfi/Rj4FWBtHLxLBm15xEYRoblciQDb0o3Qh0SIgbxnaCG\nM3Dp8zJ1EiWLPtxUo/G/8P0MkfbzuO9h07ypM/Y8r40Yrbxb4QFadXEeYcNMaRGz\n2UW84LNipLeirwQVajQv5FsCRiBCcU6hoJ9MCgDWKWDU45yFy5UBCZ88KH5PdUyF\nAgwDvZ9WSAhwutIBD/4iGSjtc9LI4OR6UXOWwm78lR685QvVy4zwdwaFzwXECWGn\niPKj8H8ku9DxxxSr316/8eC0IEs2mcyU62yVbrGP5fp9zsNnQKp1LQVPx+9tyzi3\nKrIL1nFQreMtqSKn7w/HDWG2HubbgazZAs97tN9hTVtMHCE5bu6nmRcBnnzNX248\nH+kFACSdP7Oya2TiJNqSs8JrB/BSZu2nk/yVwDd6y+mgkXKDjzIUK8B6NMP7cwf/\n4ukNkhgCaO4vGboKl6DIIMtkEkGlPcxqid3XRSai+KyB1hucDei+ZwCKWgR1W6PW\nYNTZdL6gwz/t5AMxoT1y8lnoNrtmvv6HzmlytKeuK64h1oOwwUdruJFnGGGVVfuC\nLoJPKF7CX4JGPW3hvofrXMfaJTBj5cyuUga02yiLfYbT4bUqb78dOt9AeKx4Hkej\nZvmFoaivMwWg5rkKjt9frI4b8ST/J0tmqwdLzYsrUUdBItviBEulv46jYlHw/qME\nP2hLgr2IeSEutaxyYxQl07rg8b43T8RvsRsQ/ySKn+Z8qC7sDxzXsRLeHuOoZnDD\nyf1UTSt9dfKY6oJ8SKd8Q0wSPMcVd5KgW/WIV8Wp3he63ONOdmiQgLhF++xFtK//\n0OXLvXVsT0qQBBCY7sPdfVQsSpjENl0ef2o4+5MirIzoFTQdRk3jINnoGzmQu4UC\nDAM1GWv08EiACgEP/0Q/h8MGGVjAvJGxloY/Ed4gvn2rVn7Uw6XPUktSoUQnwq9A\npmMsVDnrw2NWjWktjjgFC6HbMtkAlNH7UukxCzvTimwl5KOib8Yk+CKME6KGlFmh\nvEfx6YRmvDrE8qYVM4MYXccXUW4vbbzGJl9ReRH3ouvlxSIeZ8zH28EUE8ntVok9\njNcUHt05SFrM8O5LdjsCOEV1ltG8IWIPL4kVVDWDgy6WHzm7+lcWmGn0B9Astrpp\nxKnk/mjJoivoUpJoZcFpr5U8O4kcCrwmQJppn6/8xiJuoFWbSjbWw7M4BPWK3LOF\nRmgfv8OVgZ/DvR6uCkTXg+yc60s3DvbJ9KSLSjPguxcmUPNTZwZrH1fcsbgpSgfS\njGb0GouQDNY62DsfyGS1JEGiuG2SZPZajIbOVPkuxYvUbscPWjdJhwvRdhdF3/6t\n4tAM9b1Uf+xmFhbHBcqAeQIRxCSERYVeGuHxg5JOVmQkjFOJptFZgJEVCqP/0bPA\n+AoS
F/Wq9IpuKH+dirU9RVATc35F4GP4gc0mKjR03i84+DDYvB3l8oeDDlYUygga\nueK2+HX7BDeQmdh4nWxV/7An1owt3DATj2dve437cqUtXhgWprea9VOzzl0shZyw\niIRukJq7A0IJA70gPXNOhLhls4fv9VdecNlbuF8NROA7t9Fwx0G36uysfARe1GgB\nCQIQnwDSpF57ZfhaQjNGmGCGXW51ARrlC9gHevQ2M8gIt9TowIJvkUJRP+1rsDXq\nGekIV6a+rNpbr9Lbgh7EbEG+OoHRSLD1sk5aK5nNQRUqlQprNqfxJ+wr6qkqYdGQ\nYLcwaMzwBw==\n=CejJ\n-----END PGP MESSAGE-----", + "fp": "0C982F87B7AFBA0F504F90A2629E741947C87928" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/hosts/carbon/secrets/wg-monitoring.age b/hosts/carbon/secrets/wg-monitoring.age deleted file mode 100644 index 5299c29..0000000 --- a/hosts/carbon/secrets/wg-monitoring.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w IkxlO8D2o7SoBGyg9/edvw97sAqj9e1nUtQk9ci8tws -t3mju7vCMEQcOs21Q56U53hTYyplMlj8L89oVVcgifQ --> ssh-ed25519 5EcjHQ W1oWURPqGGfSwDZbIfqKVBBL+fMdLh1KnW3mMqALWmA -RbuAx/Sgj4wmuzijnjtS2Mai3n0T+89qSv2v5pxDfVw --> w)}-grease $do -nc2bWeMeBxc3hd4XkX/k+isQudb0VZBD ---- 3Smsch2WrfWCMaeQffV+52LBY11YTtUa9K40DWrsAzY -כuInm)nO' q̨r R{T=+ïjc? Hw]dBa \ No newline at end of file From 1da102386dbe77ba0cfa26c35a7cc523daea1344 Mon Sep 17 00:00:00 2001 From: clerie Date: Fri, 10 May 2024 15:23:34 +0200 Subject: [PATCH 08/12] hosts/krypton: Migrate secrets to sops --- hosts/krypton/secrets.json | 29 ++++++++++++++++++ .../secrets/clerie-backup-job-main.age | Bin 419 -> 0 bytes .../secrets/clerie-backup-target-cyan.age | Bin 463 -> 0 bytes .../secrets/clerie-backup-target-magenta.age | 11 ------- hosts/krypton/secrets/wg-clerie.age | 9 ------ 5 files changed, 29 insertions(+), 20 deletions(-) create mode 100644 hosts/krypton/secrets.json delete mode 100644 hosts/krypton/secrets/clerie-backup-job-main.age delete mode 100644 hosts/krypton/secrets/clerie-backup-target-cyan.age delete mode 100644 hosts/krypton/secrets/clerie-backup-target-magenta.age delete mode 100644 hosts/krypton/secrets/wg-clerie.age 
diff --git a/hosts/krypton/secrets.json b/hosts/krypton/secrets.json new file mode 100644 index 0000000..cb703e0 --- /dev/null +++ b/hosts/krypton/secrets.json 
@@ -0,0 +1,29 @@ +{ + "clerie-backup-job-main": "ENC[AES256_GCM,data:cAjyW2/vT9XRdfLVfzAboPgxORi/ji6Vznw5SifgIX07Y1IipfMy5axCzh9HmfdaSlasrn/r4GAeW4zV1ROolw==,iv:TwE1Vovs9Lec079lf3F/0lO5VmCstUoI9PxSec31O3k=,tag:fuy/Kg1ZQAEZdEk6OMpoZg==,type:str]", + "clerie-backup-target-cyan": "ENC[AES256_GCM,data:IWIeEQk/apNO/m2eC+4EANkXriGptG9S3H3IWY1lWHJ0UTDZbBLYizRbP5EwS38vGgsymUzvJv5mdIKEzGyBKQ==,iv:3nuh0A8pDoeCtMj8HBhuv/5uRawXJsd+LfXb4VRPd/o=,tag:TJPxg+9CQ7l7ENwKzhqkeA==,type:str]", + "clerie-backup-target-magenta": "ENC[AES256_GCM,data:Ql3mqe3GVsS8yF2pvZj4MItCUG1/tPnMhAsvN21iWSNEiRS48Pt6/+sx2n7Xo8gOvMXJuxSUZnBvgLWCUQhysw==,iv:2+lmmNt0mgqFvd6JUcSo/6MZmJvD/wnkF/IOvTIMmVU=,tag:k8D1U+bS1T07HRqnlI0Ybg==,type:str]", + "wg-clerie": "ENC[AES256_GCM,data:m3zjtNxBCrfJ/ESesHGEPTLrYq0mfLDl/ZlIxpNyX2ONNe5swiktBURLdHQ=,iv:yK8eHemA5VPH4BM/5fKbz0bmWfrMRU1d/rQNUWUAar8=,tag:p4kTdpmnuCZKX8vTO3ndZA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1mg72cmpk494cpfcxqm4a8jjfje7hkx5jm63rvqnctz5xexxf5udq86nt5g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Y25VWS83OU5GckN3Ry9n\nbDcra1liZm5GNU1pK1FqRjlWb2ZsR3Axdmk0CkVhVmxrbGh5VVAwbnBaSGRHY1dm\nMVBzWWlEdGc4bm1pZlA5TFRmVXkvRHMKLS0tIFU0UXBmMDczWU1VM2NaanZnSDZT\nSVRmRlBGVHpOeTh6a21LUjFQMlQ4YlEKwtXhnq72eSDxlJtffZORc8k6F+z90O6w\nJcIMQVkVYGXk+AdGQH/FC1R/0Y11Bl/1mI/T3jIxfRXYgXiribTLOA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-10T13:21:18Z", + "mac": "ENC[AES256_GCM,data:UFJv7bRwWYac+ZrDBBDzWiAy600/Q6qLR67uSr3FMBok/M1i9Krby+bf5YR1raRsTMeIPI8X4yqOs4852P1CRIWKCeDuhr9NSA7WJsIJ0HoWRjhMHvr+TYQcCw42cMQ6tHtkA6+kjI+uGYXR/KliEWz6CCGuIxpx1dRv/kqf+ac=,iv:CWcOA0IoN3gb/grUaRR+ETL3RSp95/6AtRbUEhH3D+U=,tag:Kc4l+oDYSpfPxZprkzE+dA==,type:str]", + "pgp": [ + { + "created_at": "2024-05-10T13:20:01Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+M3IkbIxRCm3arVo7nLrOF9tgtVytEHtxFyTc7Gfp5o1C\nz3u45WmI8mXG3UqCczHFmihaY6XQrLJkSQefnKkw5PPGKTOX3QiI92wdF2tkj6ib\nZTpNRsRutGUZtu3xSvq74uBt3p7a5PJQtl4GS7zqrMKdeZbseQK1Mf3Ezncwn9xb\npcu7bYeQhwIc8zpoOvPQr6Y/8dHakWHuOGIk5LAXKAHT0CKwM+PEJQu7Delna3HE\n7l5EEmiklmfVDoM49AjgA2LN2av7naCsEfwfN1k2oy9EXKuuUb3jlCpa9DpFTbLu\njY69ITOyePx2vMww+HFVSyLMZ8NaA80aV/2tbJiJRPruDFU6QjJRDYA2jcKnHXIW\nDTTC+ZqIxbizgRcjJC8M+0qafd0RdwcL2nBO795bBtVzMncXWyH/NAFqehqvb3c4\n1VjBemqrPZBNTFMuJx8sEQVv1ZUbjybMSA++1iNA8eWJR44rbmNe+1Ie7aTecjAo\nbR8CnpREPPJ2DAQ1QQzG3JDWdrI7yiEXLSpzme2Qju4Vsc4heuerPBCJJYTZCqsk\nOgZnUpzKX8bPT1GoqaLuyK7CNL7XRsoHRbItYQ7Cd/PLsLt7cO8kJ/ox9CYSVeN/\nefKY4YVE0HQP7sewzAArHQcapZjeG1Q1+yxfzuL8Dwi4smsXarOaHO6Kg6LrnU2F\nAgwDvZ9WSAhwutIBD/41WAEJg6UPkwyHT8Ng7YbtCGwOgHaz0oF0uk/RnUTrFg/l\nu5mHtnR7gL8fHPewSi6nIAWbXMyDjVhhMaPiyXxYkUYA0VJcpnaStUWKNZoEgSkH\nR95IgyEB7ZeehQ91X2oYc+fdLvklaCTH7VYRe1CaCQRufKSI6Hgm8BucPFV0Go/y\nUwGtDjB1VXeXU0S403L/QY7GlW1jXXl13Te/21/Xl2B/gZbitnex8FQBXDZAKCRF\nIU/KcD9IE6Acb6e8zQyAPDPL9AO/mAFz2ukGJQ443Nn14jXRNDtusiAoS2Uy7D2B\ner9ZflX+tMLpeGnm/hJPQemLeqiMwU/bcxqeZSwWFPCeks83InbvAao55PxmwT87\nT9EaGIuTFGWdI9BfKxt6qWI+W9ofsKd6wVEjj+yHqCIHUXeUcyi/rX0Y/hLpgcSf\n8MxxKVOHNGcCd7LDAYvxdKEEzSehs8fBIDwq+lJ417VfrxssUJnGMmxWYisPmvYD\nM6fOT8N7nB1pEsyqy5DnjDRtWWfeYvOCTqKdiVkbMzf2xzX2v49LmOghoHekPIfX\nmsU5jClQEBpWd6OsGz+5ofZv/qI1E8sBfbDmC7w6ZV4j2fAIpiLWRofeAKxuH6CV\nliAUr4yfDKJcMl51Jc47LjmucRWdIJvzWTI1T9B92FcgX4QR+cPo+JiE16fwpIUC\nDAM1GWv08EiACgEP/AtQE2phftv+vC+hyDkeCvAYoghJ5AAbmf19Zhkbx5IOKGcd\nuIATwpdu+zXT50QxIWhpCTy3O5ydWfnIIecLB+pA/m5H32j0NkawPdsuz800gndt\n8LUoT98ALm6bMv4xfOFbI9BvGSUUm37oLvK/xVIM+1L+4UfsJ8yTZPUTzbqSOTTP\nvJuDSnRScDRhUsmQUUa7icoH/tjYfbNEdSaUN+PzyvQsHBfedsThGjm41IxhTbT4\n+axNCpPwBH6H36mvqPmXqg3ty6696EwPXAspBJBT3Z0Y9y6f/mrF4bCDliLtqtf+\nFlKnjqSxZv1C6d0I1ExjkxB3FAiXnrH3Efpbd/AIgtaEqHDgCdVYZU+oIVI7q3s2\nxUqSnUF8oBcOnH97Hv8B/cUZ3susfFv+wji0c+T4whmnQultiNOrHqPtu2ZbNA+n\nXiU/qla8TCy1wQlBmPcCZSqXYlYBF+wUP+oO0wqztNbfQ2E6mxot+J+UBpVpI+VW\ntESa
bVHLtpT3pcDfUv3yIrXcGkrBwt5gwYCkMvbyWKnJ2fmBBuhFpKYos47QlAnb\nf92frPEZm92QUJwNWm/bZ7O/YfrGef8Ckkv+gPKYlqG1zwJ+si0KLp2W7WLwwHSv\nCeeyaTADB5IKd0PTehdizGmI6TACaO0VcE8SmfI3fDiGA6uJ25pseEpy3j5B1GgB\nCQIQjUqiPSc+z4VvCYaH3fKH3if9WWbk32tRgTA/ANmYmCO8Em8P2Dfi2MToIAqi\ngZLdx2kQHf+TnnbFly2QrRdoA/pAbuc2/4/wNcBTPaN1Aq8RDkalG+Hpd20jHuRJ\nHOZBWaG2ww==\n=k+uJ\n-----END PGP MESSAGE-----", + "fp": "0C982F87B7AFBA0F504F90A2629E741947C87928" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file 
diff --git a/hosts/krypton/secrets/clerie-backup-job-main.age b/hosts/krypton/secrets/clerie-backup-job-main.age deleted file mode 100644 index a902b38b15dfd3646b5c0ae1f367d5a979c2ae34..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 419 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlC=W6=E?3BKb@XvG zbc#&3sEG2`FEt4;%`Zvx$V$(0Da~**^vKUMG|GyK@GtSm4CP96%*l*2%qn(uw8)S0 zFUU$WEsTmX(KaXxC<;t8)%P<_FK|n9F31lJ@5I&003ZbO4twZn4MHcY?3B@6GWkHzPhYkn&eHJ;9*Vku1QIouQo|%PoBK( zq8Hgg#e=fb5QgAoe?XXcstVGx!e9qcP!O*^f8ZI65P_z{bP>;jXnH$JN0pqyhhh=1UVQ22l+>iuhU-1K^Iy~Z7FjS&cN}|kiCPQq{8CR=r zWHVe-o|<_`!-(`4w>zj<=`QFmCQ%1@@xBF}(f?bS`z$@e-BNECNyyJg5AFcTHAKe~ z%5BD&F<=M9>H$3sVvPb;7-7StY%ql*xFjiR(0BT3knve7fh``kl%g@`cHOLPcy0{; zZF1*Ej~JzBkRhDU%?HAPfstE9dodP8mhDM4E7)iP9GRY^cHf!+HYh7xQEgatQ)T?^ zEx9XmutXR^5V!{7q+725Lr>;rldVxgG2mzk)%&^`D$QQlqsE#T)*#o$PHwGEH2&z> zIVZhY3H9cqL-*Gc_Rf0w_V~R%{d)Bb|MKbg ssh-ed25519 HwR33w VDZ3mtQaW1MsXQ6gan2Xcfv4/8IHHdMsPqCZDuauPEE -WSUmbw8NXcgkJf06iNFGsx7tNiVt7VAnynqroRymbkU --> ssh-ed25519 xvh52g ie1NcuCJIJrPX4oklSLXEoxd6YmapsbOr4wf6TrJYEM -lx5xuRHZXXG1YuYoDUlvPZxxtfDE1Sv/aStz53mJ4nI --> ,TT@-grease 6JH, x4O9 $E$9`?` & -pd1+tQGZkVIl7xbEsdJw9zQiNjy2/83PF+uAaekiLTolgHXmPWIp70ZsL6oHA/G6 -y1JOCL9l03GSgbpx ---- Lv/Xf3QnA523yOR63Gugq9mvfen5+YR2OYwGEim59B4 -JM~@g&V<|f ssh-ed25519 HwR33w 0Y7NesE81LYY2VHbm19hKWEo8p9S8T5aMnQku3wxQBw -zwmczl908y+wPZ2p9F+zqNxZ5i71lp3HztvBAVCWmcg --> ssh-ed25519 xvh52g UKiSotdLrKTXzD2NI55W/os6CSeZNbq95aC+ThyVRAs -k539/K+GeDXttvFpAaNPEB73lXlnWuRmFU7p5D1xT2U --> E29ePW!@-grease -Og ---- RTfeDZoUpF9cpXKRKKlQmnoooxVj7nRB+ef1G4bgvDI -^pͧù|l`mibh5֒4l%np + ]i Date: Fri, 10 May 2024 15:27:40 +0200 Subject: [PATCH 09/12] hosts/palladium: Migrate secrets to sops --- hosts/palladium/secrets.json | 26 +++++++++++++++++++++++ hosts/palladium/secrets/wg-monitoring.age | 10 --------- 2 files changed, 26 insertions(+), 10 deletions(-) create mode 100644 hosts/palladium/secrets.json delete mode 100644 
hosts/palladium/secrets/wg-monitoring.age diff --git a/hosts/palladium/secrets.json b/hosts/palladium/secrets.json new file mode 100644 index 0000000..beb004f --- /dev/null +++ b/hosts/palladium/secrets.json 
@@ -0,0 +1,26 @@ +{ + "wg-monitoring": "ENC[AES256_GCM,data:ip6L61RXAVxaPqizhNTr6zVvKgd40CAsgeNFoAXMARM1nl146ayHK2q7mhc=,iv:G4WLmcPpJOxTcW0bHuEwWmth6u8fYoH7GmpkMo8Z3TQ=,tag:xJ+wCVEUMdqfXPcwgr9WSw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1tl2cd730ctn6jcgg0vf8c5gg9722umk30zwvcwxhejh26p3gt3ds92msyx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNHllOHpoYkNyQXMwL002\nRDR4eFVRemc4bW8vYS9GWHFkcmpRbWFFc2tzCmFjV1ZNTzhOYjM4VWltRGhaQ0RP\naC9vN2hrM3NSTDlSd1ZJTldXamJ4NUUKLS0tIDFuUzRKWWQrUFU1SXNqdEV2R1lM\nWXU1by9rYTBINTVralo0TTJmSEZHMm8KYEggCHnOyMcQSdJ9+Ujf61OANuja0ZIf\n+wa9ugc2OZrOYepkjN5X/bETdKfU33pIAL208N9HcOttfhcZq70yUQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-10T13:25:28Z", + "mac": "ENC[AES256_GCM,data:fLw0q9h+rlAAiXjtCJeGPi0COEt/UvApRiOpE+ydSrD/jXy+vh2OVW57UZPRBCP1mWtqfUJLiT1BZyOWor7dsPfTvaxCQmYhGcKBLucFEaiUovGgVjxJloD8hDJvSG9SJnlIiDobMsG87MsEWpi70oAbQu3/d4JT1BPSaRpvsjI=,iv:iS7tFqZMa0OzA5ASKPS6CSNTJYYJ0zhjLmBcipjLapg=,tag:Lspazw8Pi5Dxqcrk35A6tA==,type:str]", + "pgp": [ + { + "created_at": "2024-05-10T13:25:16Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+KsEUiNCgfajBMEEFsqHqNG3utLNQSLOd6VX/Rk56CjT9\nUtfiCdZCSzrtyT3Anu72auTJ+PHNAVhhHPcDiUcwY9JYXEXNETzEn0U/byS+kvOD\nNTpcpR1gSxJCj1aDqDDpfQQ02hSpKO4iw0B71gKcekUXcD2AQeeW0Djq60CusWVk\nRgC3odnyTr1CN1+JRtKVZKIa78rfOkyhmFP2G2gvsSHhUBd5RtMhJdfYVUTMIKXO\nQFB2IGCoIzE0zDitCcAZ8q6Dc8lBuAvNSiVkFanJn7e7etU3JwDhYsZKRO7jvNX3\nmjHnQ9vf0idCWAi0oabZQ1OGdwPbtjssxmQkzzR8R/paw+iRB50i1UG3/5ehXTV4\nTp/2rEwrsF8jO1bahTcrJirR7RPLEy2BvJ4ALzmEYrIoEwWuCIexrY+e2C2rXpy5\nK2+9Ch0YCaz8sc700bgO5ZkyvnmnbVJxGCaMGQtT9LXiEWvc36sUXhbEGJ0K782Z\n7uVFRs4xWsrUQHo8lFTfW/vLZDq7FvkGnDf5xnoEJp4BNYvYmMmsFiaygkbbqEdH\n2aHRCam9q5zcuBq+aA40KI1P4adIFgij+fijwQ+019JrfaMEXcmwgtOfkb2OZNOF\nXQ3tRgYLaxSae7BYJA4uTaFq60kpp1c8qgxw3WKPEiHywtl/SaPcx1XD9VJoVTGF\nAgwDvZ9WSAhwutIBD/9O0inQ/HmpwtD1AnE89SuZNuGQty71LVhX2PQQWsUdQOuz\ndKZN1wy6UxIImFGisBodUH+48k1DjbkDjL5cLSAUOt9OhAxW2Ubp6HA6wDJPqWj1\nYQMHKmHlf2zh5G1qTUXV3NNw6hSaWejVDS73WNODv1WfUFXrPN9DVLaPsS/RJo2Q\nAoDG/iedeQhIIBwrLIcQ8ttjv9MTI1GzsNRC/CjxQpDnHabqQzFzenjnVRLDXcmr\nwfw0HeTPeNh+pLYb+sBqzGUP0j1GWui99/6NUeo/TloBWJbIung4wq23gYZbHn+K\nbWJSxSy980mvjCXiRukzXlNJMwLZDVoBlPQSbe/pOApHM9HTScZ+3VcLlYOPjgZk\nhnCvFNm+4/00ZgF+tcvLOugIfqwxvOuqW4gGGhNAycHinJZuSfDHYe6zCfEiqc7t\nnHlbhNvlhC8zDu+fOurC2ju5eGv8LqFiobfsBFVdKpl9Gj7yg00S+QmjBcz0lkE9\n1BftwEQaj+r4EDa4cJHSgP+K76utv4Xzt9hHZZJo7hvii+lGxFI7rBm0xbV5bSuY\ntOhN6d98HH2++AoXufIW5vmnydGk2NXu7O8vi6sQWzoqed84ZHbJDWLQawQ8YQlR\nkbht2PzH4+rq1oOVHbLslxWkYF9WMsQRUef6ALNpys/Dj8N54gEN4RTV+SxIVoUC\nDAM1GWv08EiACgEP/1eiG0aASQogSByxl8ZbRjRg768YVR1fwTa8GG5tE7wfcGiI\njZF2TI+yQWt7gRS4AKNm1gfWEEjCH1tBOj53/Wfwn9ZuGoNqboA2jgsh2rnVVSXR\nOdXK3is/FMh9JREr669be83nnQ8fNP8nIz3snEvKVYVGcdsdkDXBz4GKmJx52NNb\nauL+4w14/0PydCVH/njsFY8FyWqP9lUFgpJU8jHjX28oTB3khwWrDs0THwqilTFn\nhFjgeCy555zeh5rDpBDPdPbLUNd094RB15zaKzn2dC15F8DMCLoA9ASNET7S/+u3\n1SjvI4XnOpxK9hyETcwjzbWJc2gV7U38VqxhQW9Vch3AvXOufMMTm6cobLjiwxjF\nl3XTMJ5GvHDZXCwrGEapy9GbHQjbd9yi0iFgfSGV4nkNmCj1jtAMUngdCqELDVU2\nZe3a8IeJswlTteGlXAM5mwnDaegMsiD/vwsq5Rtl0gs3iI3uIN4RFXuvxP+UeJ/c\ndJWq
pF8vcQI4qGN3kxgB30I7mUiz1aggv5uw6nDWRJHTQKLeOkV8ssTq4FLs4XYL\n4z4qmMT5i+8bGu575py/LRDjvXBldeitnQj1jAN2y/uPNVWsZqU3S+OkEosYIgSQ\njAe3N0EyH5k3j7j43x91toYOCAkulAuPkox6GyUKKq4dCPWxg9fqQ8u4PaSN1GYB\nCQIQ3+GP0DNWupTIkTS4Bk1LwbT99lyr2DyExqb2pgXmzn05Qs6CE4+jcIxXnmUQ\nzCl6PLiw+DJ1nq5gKtTrkO96HtHGyfPiUunDZXty1/zNltYjedk7ebkWF3LNXBhE\nK38c6yE=\n=w0Nn\n-----END PGP MESSAGE-----", + "fp": "0C982F87B7AFBA0F504F90A2629E741947C87928" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/hosts/palladium/secrets/wg-monitoring.age b/hosts/palladium/secrets/wg-monitoring.age deleted file mode 100644 index 0427982..0000000 --- a/hosts/palladium/secrets/wg-monitoring.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w ctm6hruSuzSBwGGcW9x7qIIFe7z+AGhlO8ICU8cwO3U -9fhK5PdJJn7BpM9Vplrpi1Gcofpzafv30z+O2SuEVR0 --> ssh-ed25519 RfitmQ fnVZmd42HVD6iBkEzEGn57D4LNMcYfWXeRpnRutjNyY -s1+OrASe6ONf9kVgfBiAuoSd8314h4ek6yoz+mL04Cw --> nTx'S6-grease 1Dt%/ -mr9/gUTNOMrFAQVmUgVVfXpkKk+aXes6CulorL24APwN9dL1GPEOWdP3v1NEFcR1 -db6L78xilCtNf/jszgpMFYh5ctehauTa ---- EkgK0s3mBI1KvlZIWl5iB+p9xu6of0oL3NEVV+Jcjfc -+0xE~T:֟Tj~cL@wDXDNJ4s׳DSK/V!oU_x: \ No newline at end of file From e094afc4a0531b0e481ac5e003dd3b1fe96afb7d Mon Sep 17 00:00:00 2001 
From: clerie Date: Fri, 10 May 2024 15:36:09 +0200 Subject: [PATCH 10/12] hosts/web-2: Migrate secrets to sops --- hosts/web-2/radicale.nix | 4 +-- hosts/web-2/secrets.json | 30 ++++++++++++++++++ .../web-2/secrets/clerie-backup-job-main.age | Bin 508 -> 0 bytes .../secrets/clerie-backup-target-cyan.age | Bin 531 -> 0 bytes .../secrets/clerie-backup-target-magenta.age | 10 ------ hosts/web-2/secrets/radicale-htpasswd.age | 11 ------- hosts/web-2/secrets/wg-monitoring.age | 9 ------ 7 files changed, 32 insertions(+), 32 deletions(-) create mode 100644 hosts/web-2/secrets.json delete mode 100644 hosts/web-2/secrets/clerie-backup-job-main.age delete mode 100644 hosts/web-2/secrets/clerie-backup-target-cyan.age delete mode 100644 hosts/web-2/secrets/clerie-backup-target-magenta.age delete mode 100644 hosts/web-2/secrets/radicale-htpasswd.age delete mode 100644 hosts/web-2/secrets/wg-monitoring.age diff --git a/hosts/web-2/radicale.nix b/hosts/web-2/radicale.nix index d2936fd..3ad1ede 100644 --- a/hosts/web-2/radicale.nix +++ b/hosts/web-2/radicale.nix @@ -1,7 +1,7 @@ { config, ... }: { - age.secrets.radicale-htpasswd = { + sops.secrets.radicale-htpasswd = { owner = "radicale"; group = "radicale"; }; @@ -14,7 +14,7 @@ }; auth = { type = "htpasswd"; - htpasswd_filename = config.age.secrets.radicale-htpasswd.path; + htpasswd_filename = config.sops.secrets.radicale-htpasswd.path; htpasswd_encryption = "bcrypt"; }; storage = { diff --git a/hosts/web-2/secrets.json b/hosts/web-2/secrets.json new file mode 100644 index 0000000..b9048bd --- /dev/null +++ b/hosts/web-2/secrets.json 
@@ -0,0 +1,30 @@ +{ + "clerie-backup-job-main": "ENC[AES256_GCM,data:AoreXT9N9blmaSsIVF+fWuGPVc8Fi1J4uQDrjtY6fzQFCFM9Yk0JQT/+POGiltOUkJSd+Ua1yKAxQ6zoR33WvQ==,iv:He82CVLKZ0dMBpkNzzrnUZhZcuFJXcWDmBKCJhBPrBA=,tag:EDDBVAcceURYV2SL2qEuyQ==,type:str]", + "clerie-backup-target-cyan": "ENC[AES256_GCM,data:G6ILFo1w1SVs7b5pIk/JdFvcIXdIaKFL5qKxrchxLedlovltnnRuufxfKivgjWgjTeVV78WNJMRVQVwXIcBhLg==,iv:gUjvjG04ClAxyFqhhj60XTWX6gbJELRRbUT/EbXxa+o=,tag:hsfmuQh0GRCRVm7NUnBInw==,type:str]", + "clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]", + "wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]", + "radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-10T13:32:34Z", + "mac": 
"ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]", + "pgp": [ + { + "created_at": "2024-05-10T13:29:58Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/9EWbkWn0T2rknNHaAwSKis43wQe9ItWzi1KNaGtE2yJt6\nvFWN43+Uop58NQqRsQiBD+wXrrkZCceIsiwT11FiOr1xwxm+j5Dt9ItfYG4SLPQy\ndRCgABRHXkJTlizFLBqhNH+m28rVeP2rjv/VISnX9dsaN3wBe1SQdCWahirbdoUZ\n3pQAJKDqptEp8MwW9OYhQf0A+etUKGyY1UZBdizgGI+FQH3NASDq/TbfzytE2h7f\nk4ptT0Wn3CqIeqSRwQ89x2ma/pmN/7sHvC0wmmyCuL8m59EGwX4pMu5jk249n8S9\nfi0PFsaPa150wCcsF3G9K9RpxzKJOQ5ysWbKKzKTvc9KIzeGzC4BjEwaSu1mtqmb\n7JVjbwXPUD1QbbB8Vymd0LUcUg20rMHqExMvOJfYwVb+eUMUdYJQHNpmOpRAlgkr\n8cd5bPWmFiWyCZ6DaEUA+cdtLHkrz1nWkrlG2n3K+7aSCVRZayheraIP53uMG9Ng\n3Co1mTrHy6bLAT+keRWseOEkCnAFGns+Il6v4dign4Q7hQ9Ovp2d3kMj4uWOHrd7\nyWUKIUT2ejTF3iM6UoNF8POvtgMD0ZmwMI0wZlc1FE6pkSAVC/1lEUqE4eT+l/Mv\nLCDF5ktd7MBdsMzdEbsVV55D9/vRb4AP8cccof5/akeZbbj9A5spWcBzApLv5MuF\nAgwDvZ9WSAhwutIBD/4o7j58zECSLtSHa3E8hDt1zy4u5Bbddtldzk6ItW78nJWK\nPHU0+IoTWAybSkqD8NBVMyo4ijHs5ipmvmeJ+DIdpR7219VFfBAr36suP0F0f2dg\nVQOsbZdeDar1sqacmcHcdqaBgkVW+M8A216moCld582Yy8JvGVvRSW647mBnhgW9\npkcuT+zKQJUwczXSUw/y23w+9qiuby3CmiJuAWFMVRT4E36cl9xAaezafDfp8doC\nZ4AcATAvZtLIOHKg3XjYzJyzuN0pyocTZu4x4PiJsHLtx34WOivwU3i0Iu9J/2VE\nDvXsWRql/P/r5O5U7np4cDGHR/siaJvHx9nbZOottisETAWGI+V/QnVTqzUEcK8C\nu4PGrgaPyFHtW/rDAcINU/tmLB78FM+BgNXJNxBDeJgoRQ9VB0nHlDT4pOZ5Bdo6\nkmxi/bCWpasThNE0EEQRMhNr1zXMwxaD5/enm4wIY6oXDmIxAf5Cj+rHPrCSiBpV\npge6xBhXGQSZMJT+QAQPwAu3l0g52DKIb8zJaLMCRnpra48W7dFRpIRb8LV3G4PQ\n7xxiSTO0NE1GbYMmqC/LU7RgRRqt2P0y5VaHqHSFwjdJpHk/zdoZ2QCh36Wtc3nw\nvTP7crZVZj0oYKenMBIIYOR74GY0L92Owxd1yNi+YdKtnFzXzvPtqrldx/Ps7IUC\nDAM1GWv08EiACgEP/1Red5Qltvhdb7UN06EYmZtbqf/ERExu8Zom4C1887HHOz/d\nkq/uOfXo4PHfEI/8mkcV5FDZ0kI1sGYXv9czLiImAwwPRD2klo4irfvBSWZglRE2\nO5sa2xPkeiXyaWkOeV48fm7c1TxUSzA5olFZa
d4z+3LzkEv2qyVJJZ6MW3We1wu6\nYXyGesF1oJQZb4GxQr6feknlG9WP35spMk/9s3zR6ZQCdgm1VZx50vfzpgbvVo8D\nySnVCWUqG6/3PTToMxm+LndE5ejbFOvubh7ppgsceOZyDsPNGPA3tVwJDZU/T2DC\n0D9M3F0DHUe1aNzQAA+CUgRiC1F95IgHtXUcCfF4aDtDmvHOMjDwKlxpeE00Qthp\nxms00wT+I0Wt0ieTErmHJHmpkGtGdr3aQXi4LFS6EZhleWdZkJXko/UBIsxfLKji\naEdz3sooHTVBUxQ6qmieVwZQBS5dFbqxoRId/y71QjW6whVi7JpAzUZ9J9Av503b\nxYrJrrfiUM/qmH7/EcBaYWZUDwzh6E71G/luyiGrJYlXV7mp7I2yw1EDYpDCz084\ngUQTdKtav6YNUFE8IWvK5mmXCnnWTmiOhxmomGcJC8s9CXoBYaC7ItxqkeeLcMaD\nYl2RcCSsynJpicJx5oDKr/J1EX92e9RzGYrgdmvVhlSGDBqpXL2+6n0wm1qG1GYB\nCQIQf4J+4HW3sHrDVXEDvuxA4sebLViuSm9+YkwCEIp5TvqVH9O3y1TMS0/MK15N\n6KomgzU9q8N7MsR07NoOMWYGF99RB/4/7lIIlN79g6jwqPuXbqZPFMf51woXb8Mo\nUn5pu94=\n=binq\n-----END PGP MESSAGE-----", + "fp": "0C982F87B7AFBA0F504F90A2629E741947C87928" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/hosts/web-2/secrets/clerie-backup-job-main.age b/hosts/web-2/secrets/clerie-backup-job-main.age deleted file mode 100644 index 45c9fde0fd9735e0dc6725d9a93c01ea86300963..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 508 zcmZ9_O>dK6003a)Nzr5`ix*G0?V^Z)w3K;RQlL=2N`cX?s8J{s$|%tC@pgDHGucc` zws`PvJn2Cb6R(>17rf1wT|F4R8E+=WtIr>JoWMu@WW3nRifNkMOcw!G5fHis=Xr?w z-mPYn*o3>lAV~lhge~@FeZ&)GjGVZ>J_s$uHcFor8F63`sn}BH!CVm76!MHJT=x!{QZZ$y$HxDHDozLzR(+V3PCPi88l*V?2NO9LfvJB#9({9SpB?uRN4g*%P9Lu;4p(qMtOa;`e%ZRRL z^7B+h)LGV`IvN4kk+3vLRd8&(Q3MJzhVDIcy@!JS_~2yi%Ejj0cSma*E6TZz{qK=h z{y4sR*8fnhzI9JOKL7RT&dW2c!Z;uOx%BPD1&sOnbmiJ;)!*lpFQ><^q``0c=K*zi W^5k~%`Tpx0myh0b_YU8SpZ)@O>a5xT 
diff --git a/hosts/web-2/secrets/clerie-backup-target-cyan.age b/hosts/web-2/secrets/clerie-backup-target-cyan.age deleted file mode 100644 index 914b016b1ffaab9f1af9012026430a9ca1cfc1f3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 531 zcmZ9_J&%)M003Z3V~qR)6QeeI)4g(Sfqpp{=>ercEA(0l3`QsvO5ue9<)f3MiHnQ5 zTXfZb;NWtJlhMTJbjeK@qlq~uxNw;F_?DwRFI2_YUPOuji}k)YZx44V?$b6zr9LYocTW?%YfAZ@fd~|Zn`Ey8JJl;Qe_VMh!bF}&XiG25M*Drn|o9)f@VCVSj+wCuJ1`5sH nei@Wr^zT1(Pwu{oOIJ_-Ub*nwxN!#Vd_L?yeZJmGFTMT;;99)a diff --git a/hosts/web-2/secrets/clerie-backup-target-magenta.age b/hosts/web-2/secrets/clerie-backup-target-magenta.age deleted file mode 100644 index 50b8b6c..0000000 --- a/hosts/web-2/secrets/clerie-backup-target-magenta.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w xLbOv/c4pjyh513O2LPkoKcprKZbM+217yy1a8Z7AFo -83NxTqotYXOM+w+gCR3zHdar9kNabgar0/eJBewO3DY --> ssh-ed25519 1nn+0Q Oc01U+rgGAizyKzhgvmqThlXAEMuhlRAqsQL+/ozQFs -xHxOl3ESipcMZdnulTxC7W628patS2eO6681oNZa/6g --> e[x'-grease 6N W+gfF\l \ x}~ -yqY9BH/fmjHn2QizHe1/DRDfTJmSAVPuJlIOmeuXWfhhfiauy6ia/DjbgVjcyqha -XarEaYsvkI4JqKODHRRaiJ1i3TOs2Cdk ---- 5wtIT/mhGMy8kQHbzO1h9Wj7OgX1ax8bk6k05tfLhsQ -0I԰Ȭ5H,oqeH}r2,Ъ\4U#] Z"+jy&W O~(өg ~A? \ No newline at end of file diff --git a/hosts/web-2/secrets/radicale-htpasswd.age b/hosts/web-2/secrets/radicale-htpasswd.age deleted file mode 100644 index 181070b..0000000 --- a/hosts/web-2/secrets/radicale-htpasswd.age +++ /dev/null 
@@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w +w13fgMLBeHKig0VX67/mlhQb0EPSJAFTu//velYNRY -irMedsePNfFFOYhKksrqLcLdNdYHMxFy4iTPneIOtWU --> ssh-ed25519 1nn+0Q KpFGP/y4zZ8E8Jut8Gpea1DLH6rXGKODLE3IPTbzOUo -p28M4shr97sqqTBAxB1fQRNCj2E+xio3TboKZ/6smb8 --> rXRB4)-grease -t3CdM1EbN2yfSeKURCJRMTZ4w9FtXu6+Y8PWxo2RTV0fyv6XJdrq1jn1n4IflQLP -CV3H9FlQp4Lg/bdqVZDqDoMJ6dprVWK4rACnF6/tRRkZR4Ndfk4JRRWtWBOfR/ax -GWNb ---- yNRoOEai4ypvo0uGZYI1q/qwzS4wIZFXQEGYcW+H/wc - Ze0_D@Ε>[KOQBuP9TGg(9pZ@1&RZOCp$krlg!\=W׃(Vq \ No newline at end of file diff --git a/hosts/web-2/secrets/wg-monitoring.age b/hosts/web-2/secrets/wg-monitoring.age deleted file mode 100644 index ae28b6a..0000000 --- a/hosts/web-2/secrets/wg-monitoring.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w ZWn7K/SI1OWS0FslI6Vz+KooVyWXuww4dNa5y0O1+Xo -P723ghoGExFpcMYjdvcZrvT1eOG/pmccI3IO0/UnaAw --> ssh-ed25519 1nn+0Q IL+SAfWJvd1KPV1z1kAyoLu3o/t6qdCx4cHjplqkaAo -5io07rjFwtbvmgvA2sYn0VsjdtHi0AA1JRwhH5yijpI --> m2cEFebO-grease )(5.!z\ - ---- 4ILHmhv4fz6NZaWVYAKmFGY4ojpt4WQu3ulxz0R5FCA -(Եnl*Ujˮî:U51rڠ‡A ޴cCN|_X.s[K& \ No newline at end of file From d0bd09896a07c8c45ff27d0f5d983399f2025781 Mon Sep 17 00:00:00 2001 From: clerie Date: Fri, 10 May 2024 16:23:41 +0200 Subject: [PATCH 11/12] secrets.nix: Remove age secrets management --- configuration/common/programs.nix | 1 - flake.lock | 44 ------------ flake.nix | 10 +-- lib/flake-helper.nix | 13 +--- modules/backup/default.nix | 12 ++-- modules/monitoring/default.nix | 3 +- modules/wg-clerie/default.nix | 3 +- modules/wireguard-initrd/default.nix | 2 +- pkgs/nixfiles/nixfiles-add-secret.nix | 11 --- pkgs/nixfiles/nixfiles-add-secret.sh | 15 ----- pkgs/overlay.nix | 2 - secrets.nix | 96 --------------------------- 12 files changed, 9 insertions(+), 203 deletions(-) delete mode 100644 pkgs/nixfiles/nixfiles-add-secret.nix delete mode 100755 pkgs/nixfiles/nixfiles-add-secret.sh delete mode 100644 secrets.nix 
diff --git a/configuration/common/programs.nix b/configuration/common/programs.nix
index f68ac3c..61e70be 100644
--- a/configuration/common/programs.nix
+++ b/configuration/common/programs.nix
@@ -14,7 +14,6 @@
 # Deployment
 bij
 colmena
- agenix
 clerie-sops
 clerie-sops-edit
 sops
diff --git a/flake.lock b/flake.lock
index 2e2f32e..226df0c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,26 +1,5 @@
 {
 "nodes": {
- "agenix": {
- "inputs": {
- "darwin": "darwin",
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1682101079,
- "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
- "owner": "ryantm",
- "repo": "agenix",
- "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
- "type": "github"
- },
- "original": {
- "owner": "ryantm",
- "repo": "agenix",
- "type": "github"
- }
- },
 "bij": {
 "inputs": {
 "nixpkgs": [
@@ -59,28 +38,6 @@
 "url": "https://git.clerie.de/clerie/chaosevents.git"
 }
 },
- "darwin": {
- "inputs": {
- "nixpkgs": [
- "agenix",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1673295039,
- "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
- "owner": "lnl7",
- "repo": "nix-darwin",
- "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
- "type": "github"
- },
- "original": {
- "owner": "lnl7",
- "ref": "master",
- "repo": "nix-darwin",
- "type": "github"
- }
- },
 "fernglas": {
 "inputs": {
 "flake-utils": "flake-utils",
@@ -299,7 +256,6 @@
 },
 "root": {
 "inputs": {
- "agenix": "agenix",
 "bij": "bij",
 "chaosevents": "chaosevents",
 "fernglas": "fernglas",
diff --git a/flake.nix b/flake.nix
index 08b3f9b..06f22f9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,10 +3,6 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 nixpkgs-krypton.url = "github:NixOS/nixpkgs/nixos-unstable";
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
- agenix = {
- url = "github:ryantm/agenix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
 bij = {
 url = "git+https://git.clerie.de/clerie/bij.git";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -37,7 +33,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let + outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let lib = import ./lib inputs; helper = lib.flake-helper; in { @@ -115,8 +111,6 @@ overlays = [ self.overlays.clerie (_: _: { - inherit (agenix.packages.${system}) - agenix; inherit (chaosevents.packages.${system}) chaosevents; inherit (ssh-to-age.packages.${system}) @@ -136,9 +130,7 @@ chromium-incognito iot-data nix-remove-result-links - nixfiles-add-secret nixfiles-auto-install - nixfiles-generate-backup-secrets nixfiles-generate-config nixfiles-update-ssh-host-keys print-afra diff --git a/lib/flake-helper.nix b/lib/flake-helper.nix index e852414..1778c7b 100644 --- a/lib/flake-helper.nix +++ b/lib/flake-helper.nix @@ -1,4 +1,4 @@ -{ self, nixpkgs, agenix, bij, chaosevents, fernglas, fieldpoc, nixos-exporter, solid-xmpp-alarm, sops-nix, ... }@inputs: +{ self, nixpkgs, bij, chaosevents, fernglas, fieldpoc, nixos-exporter, solid-xmpp-alarm, sops-nix, ... }@inputs: rec { generateNixosSystem = { @@ -28,8 +28,6 @@ rec { nixpkgs.overlays = [ self.overlays.clerie (_: _: { - inherit (agenix.packages."x86_64-linux") - agenix; inherit (bij.packages."${system}") bij; inherit (chaosevents.packages."x86_64-linux") 
@@ -38,21 +36,12 @@ rec { ]; clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; }; }) - agenix.nixosModules.default fernglas.nixosModules.default fieldpoc.nixosModules.default nixos-exporter.nixosModules.default solid-xmpp-alarm.nixosModules.solid-xmpp-alarm sops-nix.nixosModules.sops (../hosts + "/${name}/configuration.nix") - # Automatically load secrets from the hosts secrets directory - ({ lib, ... }: let - secretsPath = ../hosts + "/${name}/secrets"; - in { - age.secrets = lib.mapAttrs' (filename: _: lib.nameValuePair (lib.removeSuffix ".age" filename) { - file = secretsPath + "/$(unknown)"; - }) (lib.filterAttrs (name: type: (type == "regular") && (lib.hasSuffix ".age" name) ) (if builtins.pathExists secretsPath then builtins.readDir secretsPath else {})); - }) # Automatically load secrets from sops file for host ({ config, lib, ... }: { sops.defaultSopsFile = ../hosts + "/${name}/secrets.json"; diff --git a/modules/backup/default.nix b/modules/backup/default.nix index 6db5467..e63198a 100644 --- a/modules/backup/default.nix +++ b/modules/backup/default.nix 
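Review bot: The removed auto-loader registered every `hosts/<name>/secrets/*.age` as a secret, but the sops side only sets `sops.defaultSopsFile`; nothing in this hunk declares the keys of `secrets.json` as `sops.secrets`, so every consumer must now declare its own entry (the radicale hunk does, while the backup, monitoring and wg-clerie hunks only read `.path`). If those declarations do not live elsewhere, evaluation fails with an attribute-missing error on the first host that uses the backup or monitoring module, since sops-nix only provisions secrets that are declared. A comment next to the new line would make the contract explicit: `# Secrets are NOT auto-registered: each module must declare sops.secrets.<name> = { ... }, and <name> must be a key in this host's secrets.json.` The module list this hunk edits starts outside the hunk.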
@@ -23,12 +23,10 @@ let backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}: let jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else - if builtins.elem "clerie-backup-job-${jobName}" (attrNames config.sops.secrets) then config.sops.secrets."clerie-backup-job-${jobName}".path else - config.age.secrets."clerie-backup-job-${jobName}".path; + config.sops.secrets."clerie-backup-job-${jobName}".path; repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath; targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else - if builtins.elem "clerie-backup-target-${targetName}" (attrNames config.sops.secrets) then config.sops.secrets."clerie-backup-target-${targetName}".path else - config.age.secrets."clerie-backup-target-${targetName}".path; + config.sops.secrets."clerie-backup-target-${targetName}".path; targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username; in nameValuePair "clerie-backup-${jobName}-${targetName}" { 
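Review bot: `config.sops.secrets."clerie-backup-job-${jobName}".path` is now dereferenced unconditionally, so a job without `passwordFile` on a host whose secrets.json lacks that key fails with a bare `attribute 'clerie-backup-job-<name>' missing` from inside `listToAttrs`; the dropped `builtins.elem … (attrNames config.sops.secrets)` check shows this case was anticipated. An assertion with a message keeps the behaviour but names the cause: `else assert lib.assertMsg (config.sops.secrets ? "clerie-backup-job-${jobName}") "clerie.backup: job ${jobName} has no passwordFile and no sops secret clerie-backup-job-${jobName}";` placed before the existing `.path` line, and likewise for `clerie-backup-target-${targetName}`. Whether `lib` is in scope under that name depends on the module header, which is outside the hunk, as is the rest of this `let`.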
@@ -73,12 +71,10 @@ let backupCommands = map ({jobName, jobOptions, targetName, targetOptions}: let jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else - if builtins.elem "clerie-backup-job-${jobName}" (attrNames config.sops.secrets) then config.sops.secrets."clerie-backup-job-${jobName}".path else - config.age.secrets."clerie-backup-job-${jobName}".path; + config.sops.secrets."clerie-backup-job-${jobName}".path; repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath; targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else - if builtins.elem "clerie-backup-target-${targetName}" (attrNames config.sops.secrets) then config.sops.secrets."clerie-backup-target-${targetName}".path else - config.age.secrets."clerie-backup-target-${targetName}".path; + config.sops.secrets."clerie-backup-target-${targetName}".path; targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username; in pkgs.writeShellApplication { name = "clerie-backup-${jobName}-${targetName}"; diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix index 831560f..e543a5a 100644 --- a/modules/monitoring/default.nix +++ b/modules/monitoring/default.nix @@ -55,8 +55,7 @@ in } ]; privateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else - if builtins.elem "wg-monitoring" (attrNames config.sops.secrets) then config.sops.secrets.wg-monitoring.path else - config.age.secrets.wg-monitoring.path; + config.sops.secrets.wg-monitoring.path; }; }; diff --git a/modules/wg-clerie/default.nix b/modules/wg-clerie/default.nix index aa690ad..234bddc 100644 --- a/modules/wg-clerie/default.nix +++ b/modules/wg-clerie/default.nix 
@@ -66,8 +66,7 @@ in networking.wireguard.interfaces = { wg-clerie = { privateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else - if builtins.elem "wg-clerie" (attrNames config.sops.secrets) then config.sops.secrets.wg-clerie.path else - config.age.secrets.wg-clerie.path; + config.sops.secrets.wg-clerie.path; ips = cfg.ipv6s ++ cfg.ipv4s; table = "wg-clerie"; peers = [ diff --git a/modules/wireguard-initrd/default.nix b/modules/wireguard-initrd/default.nix index 628b640..24acd5a 100644 --- a/modules/wireguard-initrd/default.nix +++ b/modules/wireguard-initrd/default.nix @@ -98,7 +98,7 @@ in ''; boot.initrd.secrets = { - "/var/src/secrets/wireguard/wg-initrd" = if cfg.privateKeyFile == null then config.age.secrets.wg-clerie.path else cfg.privateKeyFile; + "/var/src/secrets/wireguard/wg-initrd" = cfg.privateKeyFile; }; }; } diff --git a/pkgs/nixfiles/nixfiles-add-secret.nix b/pkgs/nixfiles/nixfiles-add-secret.nix deleted file mode 100644 index 05cc0e5..0000000 --- a/pkgs/nixfiles/nixfiles-add-secret.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ pkgs, ... }: - -pkgs.writeShellApplication { - name = "nixfiles-add-secret"; - text = builtins.readFile ./nixfiles-add-secret.sh; - runtimeInputs = with pkgs; [ - agenix - git - ]; -} - diff --git a/pkgs/nixfiles/nixfiles-add-secret.sh b/pkgs/nixfiles/nixfiles-add-secret.sh deleted file mode 100755 index e6345e0..0000000 --- a/pkgs/nixfiles/nixfiles-add-secret.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -cd "$(git rev-parse --show-toplevel)" - -host="$1" -secret="$2" - -mkdir -p "hosts/${host}/secrets" - -agenix -e "hosts/${host}/secrets/new" - -mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/${secret}.age" - diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix index d0e44da..4f53201 100644 --- a/pkgs/overlay.nix +++ b/pkgs/overlay.nix 
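Review bot: With the age fallback gone, `"/var/src/secrets/wireguard/wg-initrd" = cfg.privateKeyFile;` passes `null` through whenever the option is left unset, and for `boot.initrd.secrets` a null value is documented to mean "copy the file from the same path on the running system" (from the NixOS option description, not visible here — confirm), so instead of a clear evaluation error the initrd build quietly looks for `/var/src/secrets/wireguard/wg-initrd` on the host. The sibling wg-clerie hunk keeps a sops fallback; either mirror it, `= if cfg.privateKeyFile != null then cfg.privateKeyFile else config.sops.secrets.wg-clerie.path;`, or add an assertion that `cfg.privateKeyFile != null` whenever this module is enabled. A sops path under `/run/secrets` only exists after activation, while initrd secrets are appended when the bootloader is installed, so the assertion is the safer choice unless that ordering is already handled elsewhere. The enclosing `config` attribute set starts outside the hunk.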
@@ -9,9 +9,7 @@ final: prev: {
 chromium-incognito = final.callPackage ./chromium-incognito {};
 iot-data = final.python3.pkgs.callPackage ./iot-data {};
 nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
- nixfiles-add-secret = final.callPackage ./nixfiles/nixfiles-add-secret.nix {};
 nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
- nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
 nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
 nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
 print-afra = final.callPackage ./print-afra {};
diff --git a/secrets.nix b/secrets.nix
deleted file mode 100644
index a504883..0000000
--- a/secrets.nix
+++ /dev/null
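Review bot: `nixfiles-generate-backup-secrets` is dropped from the overlay here (and from the flake's package list), but the commit's diffstat deletes only `nixfiles-add-secret.nix`, `nixfiles-add-secret.sh` and `secrets.nix`, so `pkgs/nixfiles/nixfiles-generate-backup-secrets.nix` and its script appear to remain in the tree unreferenced. If that package wraps `agenix` the way the deleted `nixfiles-add-secret.nix` did, it now points at a package that no longer exists in this overlay; either delete those files in the same commit or port the script to `sops`/`clerie-sops-edit` and keep the overlay entry. Its contents are not visible here, so this is inferred from the diffstat alone.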
@@ -1,96 +0,0 @@ -/* - Because I'm way too lazy I'm automatically generating the secret files config. - Secrets can be found below - hosts/${hostname}/secrets/*.age - - Pubkeys can be found for the specific host below - hosts/${hostname}/ssh.pub - The users have their keys below - users/${username}/ssh.pub - - Secrets get encrypted for the host they are in and the users specified. - - Every host with a secrets directory has an entry for a secret called "new". - This exist to overcome the chicken and egg problem. - Create a secret with them name new in the specific secrets directory and rename it afterwards with the suffix .age. -*/ - -let - /* - Returns an attrset for a given directory, - having the name of a subdirectory as its attribute names - and the contents of the containing ssh.pub file as their value - - { - clerie = "ssh-ed25519 AAAA..."; - } - */ - pubkeysFor = directory: let - instances = builtins.attrNames (builtins.readDir directory); - instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances; - in - builtins.listToAttrs (map (i: { name = i; value = builtins.readFile (directory + "/${i}/ssh.pub"); }) instancesWithPubkey); - - users = pubkeysFor ./users; - hosts = pubkeysFor ./hosts; - - /* - Returns secret configuration for a given hostname - */ - secretsForHost = hostname: let - /* - Returns a list of all file names in the secrets directory of the specified host - */ - secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets")); - - /* - Returns all file names that end with .age - */ - listOfSecrets = builtins.filter (i: - # Make sure the file name is longer than the file extension - (builtins.stringLength i) > 4 - # Take the last four letters of the file name and check if it is .age - && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age" - ) secretsFiles; - - in - if - # Make sure the host has a secrets directory - builtins.pathExists 
(./hosts + "/${hostname}/secrets") - # Make sure the host has a public ssh key provided - && builtins.pathExists (./hosts + "/${hostname}/ssh.pub") - then - /* - This map specifies all public keys for which a given secret file should be encrypted - It returns a list of name value pairs - The name is the path to the secret file - The value is an attribute set containing a list of public keys as a string - */ - map - (secret: { - name = "hosts/${hostname}/secrets/${secret}"; - value = { - publicKeys = [ - # Hardcode clerie's public key here - (builtins.readFile (./users + "/clerie/ssh.pub")) - # No other user should have access to any secrets - - # A host should only have access to their own secrets - hosts."${hostname}" - ]; - }; - }) - # All file names of already existing secrets plus the magic "new" secret - (listOfSecrets ++ [ "new" ]) - else - # Answer with an empty list, if no secrets are provided for a host - []; -in - # We just have a list of name value pairs that need to get transformed into an attribute set - builtins.listToAttrs ( - builtins.concatMap - # Provide a list of secrets for a given hostname - (hostname: secretsForHost hostname) - # Names of all hosts - (builtins.attrNames (builtins.readDir ./hosts)) - ) From cc0e575c58b92df6ae0f922837ce5e23fb365af1 Mon Sep 17 00:00:00 2001 From: Flake Update Bot Date: Sat, 11 May 2024 03:05:05 +0200 Subject: [PATCH 12/12] Update nixpkgs 2024-05-11-01-03 --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 226df0c..4e683c3 100644 --- a/flake.lock +++ b/flake.lock 
@@ -240,11 +240,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1712963716,
- "narHash": "sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM=",
+ "lastModified": 1715266358,
+ "narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "cfd6b5fc90b15709b780a5a1619695a88505a176",
+ "rev": "f1010e0469db743d14519a1efd37e23f8513d714",
 "type": "github"
 },
 "original": {