flake.lock

@@ -240,11 +240,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1715447595,
+        "lastModified": 1715266358,
-        "narHash": "sha256-VsVAUQOj/cS1LCOmMjAGeRksXIAdPnFIjCQ0XLkCsT0=",
+        "narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "062ca2a9370a27a35c524dc82d540e6e9824b652",
+        "rev": "f1010e0469db743d14519a1efd37e23f8513d714",
         "type": "github"
       },
       "original": {

flake.nix

@@ -132,7 +132,6 @@
         nix-remove-result-links
         nixfiles-auto-install
         nixfiles-generate-config
-        nixfiles-generate-backup-secrets
         nixfiles-update-ssh-host-keys
         print-afra
         ssh-gpg

hosts/hydra-1/cache.nix.clerie.de/index.txt

@@ -1,24 +0,0 @@
-Nix Cache by clerie
-
-Public key:
-
-  cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=
-
-NixOS Configuration:
-
-  nix.settings = {
-    substituters = [
-      "https://cache.nix.clerie.de"
-    ];
-    trusted-public-keys = [
-      "cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
-    ];
-  }
-
-Try:
-
-  nix build --substituters "https://cache.nix.clerie.de" \
-  --trusted-public-keys "cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \
-  "git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc"
-
-.-*..*-.

hosts/hydra-1/nix-cache.nix

@@ -13,40 +13,9 @@
       enableACME = true;
       forceSSL = true;
       locations."= /" = {
-        index = "/index.txt";
+        return = ''200 'Nix Cache by clerie\n\nPublic key:\n\n  nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=\n\nNixOS Configuration:\n\n  nix.settings = {\n    substituters = [\n      "https://nix-cache.clerie.de"\n    ];\n    trusted-public-keys = [\n      "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="\n    ];\n  }\n\nTry:\n\n  nix build --substituters "https://nix-cache.clerie.de" \\\n  --trusted-public-keys "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \\\n  "git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc"\n\n.-*..*-.' '';
-      };
-      locations."= /index.txt" = {
-        root = ./cache.nix.clerie.de;
-      };
-      locations."/" = {
-        proxyPass = "http://[::1]:5005";
         extraConfig = ''
-          proxy_redirect http:// https://;
+          types { } default_type "text/plain; charset=utf-8";
-          proxy_http_version 1.1;
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection $connection_upgrade;
-        '';
-      };
-    };
-    "cache.nix.clerie.de" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."= /" = {
-        index = "/index.txt";
-      };
-      locations."= /index.txt" = {
-        root = ./cache.nix.clerie.de;
-      };
-      locations."= /nix/store/" = {
-        extraConfig = ''
-          return 404;
-        '';
-      };
-      locations."/nix/store/" = {
-        root = "/";
-        extraConfig = ''
-          autoindex on;
-          autoindex_exact_size off;
         '';
       };
       locations."/" = {

pkgs/clerie-sops/clerie-sops-edit.sh

@@ -5,42 +5,8 @@
 
 set -euo pipefail
 
-print_help() {
-	cat << EOF
-clerie-sops-edit <secrets_file> <action> <key>
-
-  This script allows editing single secrets in a secrets file by key.
-
-  <secrets_file> is a sops secrets file
-  <action> is one of "edit", "read", "set" and "append"
-  <key> is the key of the secret in the secrets file to modify
-EOF
-}
-
-if [[ $# != 3 ]]; then
-	print_help
-	exit 1
-fi
-
 SECRETS_FILE="$1"
-
+KEY="$2"
-if [[ ! -f "${SECRETS_FILE}" ]]; then
-	echo "File \"${SECRETS_FILE}\" does not exist"
-	echo
-	print_help
-	exit 1
-fi
-
-ACTION="$2"
-
-if ! echo "edit read set append" | grep -wq "${ACTION}"; then
-	echo "Action \"${ACTION}\" not supported"
-	echo
-	print_help
-	exit 1
-fi
-
-KEY="$3"
 KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))"
 
 if [[ -n $EDITOR ]]; then
@@ -48,36 +14,12 @@ if [[ -n $EDITOR ]]; then
 fi
 
 TMP_FILE="$(mktemp)"
-DECRYPT_ERROR_FILE="$(mktemp)"
 
-if ! clerie-sops --decrypt --extract "${KEY_SELECTOR}" "${SECRETS_FILE}" > "${TMP_FILE}" 2> "${DECRYPT_ERROR_FILE}"; then
+clerie-sops --decrypt --extract "${KEY_SELECTOR}" "${SECRETS_FILE}" > "${TMP_FILE}"
-	# Ignore that the key does not exist, but fail for all other errors
-	if ! grep -q "component .* not found" "${DECRYPT_ERROR_FILE}"; then
-		cat "${DECRYPT_ERROR_FILE}"
-		exit 1
-	fi
-fi
 
 TMP_FILE_HASH_BEFORE="$(sha256sum "${TMP_FILE}")"
 
-case "${ACTION}" in
+vim "${TMP_FILE}"
-	edit)
-		"${EDITOR}" "${TMP_FILE}"
-		;;
-	read)
-		cat "${TMP_FILE}"
-		;;
-	set)
-		cat > "${TMP_FILE}"
-		;;
-	append)
-		cat >> "${TMP_FILE}"
-		;;
-	*)
-		echo "Unsupported action"
-		exit 1
-		;;
-esac
 
 TMP_FILE_HASH_AFTER="$(sha256sum "${TMP_FILE}")"
 

pkgs/nixfiles/nixfiles-generate-backup-secrets.nix

@@ -4,7 +4,7 @@ pkgs.writeShellApplication {
   name = "nixfiles-generate-backup-secrets";
   text = builtins.readFile ./nixfiles-generate-backup-secrets.sh;
   runtimeInputs = with pkgs; [
-    clerie-sops-edit
+    agenix
     apacheHttpd
     git
     pwgen

pkgs/nixfiles/nixfiles-generate-backup-secrets.sh

@@ -12,9 +12,21 @@ target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
 target_magenta="$(pwgen -1 64 1)"
 target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
 
-echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
+mkdir -p "hosts/${host}/secrets"
-echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
-echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
 
-echo "${target_cyan_htpasswd}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" append "restic-server-cyan-htpasswd"
+echo "$job_main" | agenix -e "hosts/${host}/secrets/new"
-echo "$target_magenta_htpasswd" | clerie-sops-edit "hosts/backup-4/secrets.json" append "restic-server-magenta-htpasswd"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-job-main.age"
+
+echo "$target_cyan" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-cyan.age"
+
+echo "$target_magenta" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-magenta.age"
+
+prev_htpasswd_cyan="$(agenix -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)"
+cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e "hosts/clerie-backup/secrets/new"
+mv "hosts/clerie-backup/secrets/new" "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age"
+
+prev_htpasswd_magenta="$(agenix -d "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age")"
+cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | agenix -e "hosts/backup-4/secrets/new"
+mv "hosts/backup-4/secrets/new" "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age"

pkgs/overlay.nix

@@ -11,7 +11,6 @@ final: prev: {
   nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
   nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
   nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
-  nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
   nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
   print-afra = final.callPackage ./print-afra {};
   ssh-gpg = final.callPackage ./ssh-gpg {};

users/clerie/clerie_id-2023.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzEQEWeunhkzP+invKjdsZe4rbUloixa374bYEhBSA5 clerie_id