hosts/storage-2: Migrate secrets to sops

2024-05-02 13:10:17 +02:00
parent b8e666c075
commit c8c9526241
6 changed files with 33 additions and 34 deletions
--- a/hosts/storage-2/firmware.nix
+++ b/hosts/storage-2/firmware.nix
@@ -3,7 +3,7 @@
 with lib;

 {
-  age.secrets.firmware-htpasswd = {
+  sops.secrets.firmware-htpasswd = {
    owner = "nginx";
    group = "nginx";
  };
@@ -14,7 +14,7 @@ with lib;
      forceSSL = true;
      locations."/" = {
        alias = "/data/firmware/";
-        basicAuthFile = config.age.secrets.firmware-htpasswd.path;
+        basicAuthFile = config.sops.secrets.firmware-htpasswd.path;
        extraConfig = ''
          autoindex on;
          autoindex_exact_size off;
--- a/hosts/storage-2/mixcloud.nix
+++ b/hosts/storage-2/mixcloud.nix
@@ -46,7 +46,7 @@ let
  );

 in {
-  age.secrets.mixcloud-htpasswd = {
+  sops.secrets.mixcloud-htpasswd = {
    owner = "nginx";
    group = "nginx";
  };
@@ -57,7 +57,7 @@ in {
      forceSSL = true;
      locations."/" = {
        alias = "/data/mixcloud/";
-        basicAuthFile = config.age.secrets.mixcloud-htpasswd.path;
+        basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
        extraConfig = ''
          autoindex on;
          autoindex_exact_size off;
@@ -65,7 +65,7 @@ in {
      };
      locations."/media/" = {
        alias = "/data/media/";
-        basicAuthFile = config.age.secrets.mixcloud-htpasswd.path;
+        basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
        extraConfig = ''
          autoindex on;
          autoindex_exact_size off;
--- a/hosts/storage-2/secrets.json
+++ b/hosts/storage-2/secrets.json
@@ -0,0 +1,28 @@
+{
+	"firmware-htpasswd": "ENC[AES256_GCM,data:ylMqgwtpUNRBatpPqbUI+NB3l5mOHr1SVT5uQg0nP0LRG2oLIFnyYh9eYYVGu5iAA6pxL/7gtRwQNVCvA1JSuGcJ,iv:zO6xNv8MxnslYTCwd3GtWFa+ps1iOF1za9QnpJpOGvc=,tag:CNsFnwvjkWqHc4Bsn1Rynw==,type:str]",
+	"mixcloud-htpasswd": "ENC[AES256_GCM,data:RblDvL92Vm0jsKInl9oKiX5z4VTnAy4tSpmecWp0bNOX338NCDlu297k5Bqw,iv:+d84h4Spmin2w8kHONG3qlIRbaWXSjRlS444FwRXby0=,tag:IbixitLWxScQA+fsnmXWgA==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:toOPf8RottCJag7I5x59/0ggbORyq1SdcZJfVQw96NbZZ8gaaeYnaSsxq7Q=,iv:clPx1xB04W0RTkudwNXYRLjxCSAB7CCTRRBoNwYQVVc=,tag:2iROztOF91tt3WuZssgr4w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age13grrd0zhs6r56ge7jqht6q3ptsr5cmw7nhuyqqjjl708e6zycakstrrrl9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwb2JreUo3VGFkMkZJa3Jv\nVUlNOUsxZElzaGV5bnNHZ0gycnZnTW5WUGtRClR6Tmk4cEg0clA3SUJnQjVCVzdP\nTi9BZUttWmxHYkNPeWtCZkhTd1lEMUEKLS0tIHVpOVc1YXR1VkJCa3pBcWJxdmdB\nR2Q1T0VXMHljb3d3R3lkUEJaT3ErRzAKximuwssNcIW5QAsygUEpUGNtHV9/UeuN\n6CD8OeyTg7QkNhP/lZZctN7cPMXIHaPCnj7tuzH8sRJtZZHM5vBKhg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-02T10:49:41Z",
+		"mac": "ENC[AES256_GCM,data:9Ru61GXs1b4aOlqDGWjc8yKaLh02zZlld1udCLgtCfBnEQFHsBuR4uZIOIoS4YBpBB6KsX5ocIcJ7581AL0+2wjQ4LfopDO3kVTjxGGtxcbfOahluACH6TLdUIXFLDR+v7dTAA+/rqt6ogtIo2c1Wbu88OR/aSVe9akx8jUhabw=,iv:yNFmyHPq/c83ILDa2igJpu2d0gd8Oyieyjc3k3TTr9Y=,tag:66CHYLcNif1aCzkSs4M/Vg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-05-02T10:48:16Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/9GpO3+kXtPL7TNX8upozCD/fnrtqy7GNpzYu69NEG5YKg\nm/gXla8KZGYcsZJJsbyBnBrU4MxLhHb0Pc7voMlEEng8x2nOa/kD8yrr3DUExV+M\n+tOvipiy5qdrkS4/sVt3EAyvnzEJUBs/H/ynTvjG962V/21PsCFz7uBbMUoHGY/a\n4nwO1ElG5AoM2Q5HIqC13mijnXtTbMvd9XAweqZhtvhyrZ3opX1GRxEZrFLiGZG1\ncG23H/IxHDBNlHgwIlT0SKbT1z4WgKLRsRPxuDpIAV5CUYJAzlqj37q8MCP89OQQ\n5XAN1y/i0g+1O19fcKmfNTH8yz55kFuaPFH8Y3OOEftr1v/5bmMz14ot+UXai6gb\nCpGjDmQzcxDm8izUIqSniD7rgrFsw8UACBt1QM7IzsXFKsWwRYQ+nwOBhr5mNJVu\n8halA+ZYfW/a4wvJMnZpH2Jlbv/sf+2yKWYqBwnefalPQ91ZLnse8Keg0FHliqYi\n0BZK+DSUSIMwz1ZPm56bRPUrwrILpu51SuL/UuPKO8hI+GqSN2aQD9HJ7firHcy+\nCVm1pbIeJ/mSq3370R/C/pxzvvn6MJ8y3fOiTdNFAOYYlzqlu8gHLjZOCdU6RVCC\nYE6LWfh2d2WyaeY4VCUYNll+g3lokTx6eT1+Nc4ayP/uqudjPmbjY3etEystxnmF\nAgwDvZ9WSAhwutIBD/sGKzl6LhYaL4Mu0/GIE9dIOBvblGQn6Sf9fkCIZ84PnfS+\n7H3aMI25giGSqcouFQap3/swduTqEMn2QgsDQEstpToGT8Si847087s++LbmbEz4\nGmMAR2Dml3pXRDUxOOqyvxpyQnyyfTQE29x7kQvfqFdlFYVeyPT8jYN4yW4Wrz+N\neV0oOVwcrtyYCLzR2k5IkwWOUWnPhBMrUNnnw5kLEU7r6ECgA64qPqrReL7T9Hic\nM4Z8wt7F1nQvuwHISCRUd282PGyyhkj0Rcib+KuHRhUFGpbKnWOKBrTrq3DaQQAw\ngoP7Y6SXcvyaAHE8Abf2XDYSkztYlpZHb0DWP+Ckjhwcn2qS9nhA6Cje9UAMP289\nrsLjN+pg+5urhlZBUswCesf23eS3vaCVeLbDxbiYbDunz/ksD523LFkDvw8t/DaE\nGz+iib2UGld42gBM/NJNpA8mN8R9iUZMGoMDC51/fFqAcC4d3kAdczh0W9V0/cUb\nsfkDFKFxPZmC3nC/KIC1L5vm2xhcR+tzS64jh4HU3PYW9Dfsxi7QWjoC7TTCrHzt\nqgMdYyAFZQqGb/g5r1/OyhPOIJTRFRPBlO6wpi04ksIb9oGmllDMa0ebpDpsxo8J\n0b913T+t1ivwPzJTDvDcQR7xn4S5QmLsQIZxaa+7rQO6sfkgzSLAuFHRG2La14UC\nDAM1GWv08EiACgEP/iZXnM72tWzU2w3LTa2DdfaVRXUiGokXAs4owZBesdrMIIqs\ncD1WTCitCnZf9z2alKncaHI7sI4lKydF+nNIqBjh0vBU+9PlkAGWqWA3WDhJygGn\nge7y9JoxTqskGEarSn8eL0neuBRfwwueP//xIZkfTTmevoM8hktnYJHHl0A09Bow\n25B9Ur558x7RdZhoz5m9YZWeAIy4HEWPaSPxc9afepPktmdqmbwg3kpr5rWHLb5e\n30/aU+bocKdRcAksB+kgkHfEckE11tafo/r/C2nsHdz8WKVko9lXQDAvML8eJsoO\n8T8YR3SNQPPl+uTGIeKYnK94P1o+Ro6mOJOi0Whia2TJE5qOTnbjjNB2Wo5nc2r7\nGpX8PnkAazJzjBwgI0iFZildlGcKM4clgcblU9v+2r/exNXYXM57Yf59+5W8tplZ\nF6Lq2TPRofa8ej2vkWL6esQmUlM4BSE1WvbQXYXDFVQjuVQGX0FA67dUoNP7jjqU\nN12qOjCUIJ2qX3o4+0wKGnsCL+xb47P7JPhtiyyYx3oVsxXSFwhvow6iCgCa3P71\nN+rvUmZNA5tfMDEaZQTHe381viO/nhumT4lrgDRS22DX1gIFe3tRs79NQQXlLvsV\nL0EyfhUDO6mnkDoKOZw43w8n0qvkhhZ89/lBWWp4kWuwWoW9/AKa1ZzINHX61GgB\nCQIQHpIHxtY5bjVgWuvo/RkjcILqOFEit6MH3SsLdM1RciDZfZxAj5YxvzLIw36c\nx1RtrKqxKveIZfuxh6bZwKgjkxTNaZTgqs7fz9JrGqiC+ghRWVDyQX/psRyb6fBp\n9/FTV7l6mQ==\n=61m1\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
--- a/hosts/storage-2/secrets/firmware-htpasswd.age
+++ b/hosts/storage-2/secrets/firmware-htpasswd.age
@@ -1,10 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 HwR33w AtsznTAUQumy3G6fSBwIiezL2Zdzl33t9TU3hDotcRs
-eG+bBDB+MOQk7cHx+3Ha/n83t2QEbZunRYi0idRF9RQ
-> ssh-ed25519 pI7EWw egjmvw3f6zrl0XmxI7xWhKsPl8PXTkZDSY84VbtJTG4
-MFsjDhp5UrprE3w7q9W3ZmGlkNnOFbsJNVjfeO11trw
-> 0=-grease Fi`a + >zPFov* a
-nx2zvPHhzkSNi/8oxnL07qefB248BCwJMjpVTc8i5j5aedELas87iI/WppKoa/tq
-/jYLHztLjqKy412YvA0xuzR6yZ7G
--- 7M+CSupk4WV36DU/c8ZtODB6N8kuhttk4aLMULp8/Zc
-<1B>!U<><55><EFBFBD><EFBFBD>թ<EFBFBD>ұm<D2B1><6D>L<EFBFBD><0C>s<EFBFBD>aYh?<3F>Uaq<71>a<EFBFBD>}<7D><16> <20><EFBFBD><C28E><EFBFBD><EFBFBD><EFBFBD><EFBFBD>l@Eqǘ<12><><EFBFBD><EFBFBD>w<EFBFBD>䍯<EFBFBD><E48DAF><EFBFBD>*.<2E><>L<EFBFBD>ѓJeFy@=	J<><4A><EFBFBD><EFBFBD><EFBFBD>
--- a/hosts/storage-2/secrets/mixcloud-htpasswd.age
+++ b/hosts/storage-2/secrets/mixcloud-htpasswd.age
@@ -1,10 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 HwR33w Q6P3HFyTE3FEsrjnBx3TWIdv16GYLdAmnTZE2W5uex4
-A30r0PifK1ioVSgCTQen0gOlwKtbsAiD5YJPkQ98dIA
-> ssh-ed25519 pI7EWw pFiBE+L4RrpIdOZH7EFHtQ+pVXSDMCtGbewbGAKDlkk
-5jicuCBcbH2Ob1jtoZrrm+jNNgw94Co3/A2tRrrNgxY
-> :7)u]4Em-grease Xe>q ~'eWf Vx;#t
-fJtUbOaM0w5wrhpUl3dvjZ9BXimgrjK5eYs3g358AIEs/+BbuuR4ogCZsLyv9bXd
-smyFqW2xoxiANWGWWGY
--- ba8304R6wM3M05dDRmIwZkwgrLUzwlrSGU3cGTpi00w
-~H<10><>a<EFBFBD>Hg<1D><>cެ|<05>v<1B><>|Js-β}<7D><><06><><EFBFBD>VF<56><46><EFBFBD>L<01><><1E>tme%<25>rqxC<78><43><10><>;Ғ<><D292><EFBFBD>֋7<1B>
--- a/hosts/storage-2/secrets/wg-monitoring.age
+++ b/hosts/storage-2/secrets/wg-monitoring.age
@@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 HwR33w 3DdeLEaXCmEsm5U5idLUPb2t25cbd66Cppf0xcF3GEs
-V7g2WywINm7qB7WcV/zL490I/7vCqudlnzNXY1Ckzrg
-> ssh-ed25519 pI7EWw HNBoCvxcX9qEJHzjO/8RxPgsy7J1RmqROFKTf/bIcgs
-9JSsE7iqZ+1h5YfPPI6v4fth9wdFP8qfU/mNkaTQr6s
-> 9Kh.qZ]-grease
-gx3ohTVB+gSV
--- OzhRO0ke2wUPWxBayTpVLE2leygx0pT60PTpcTlVgis
-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>a<EFBFBD>lP<EFBFBD>$c8<63>G<EFBFBD>j<EFBFBD><6A><EFBFBD><EFBFBD>T<EFBFBD><54><EFBFBD><EFBFBD><1D><18>G<EFBFBD><47>P͉{"<22>R<>c0Y=<3D><>><1C>>퉆f<ED8986><66>߸i<0E>