
Seperate secrets better

This commit is contained in:
RGBCube 2024-01-15 10:26:09 +03:00
parent 52e80f9f0e
commit 3da95ae0bc
No known key found for this signature in database
14 changed files with 23 additions and 18 deletions

.gitignore vendored

@ -13,6 +13,8 @@
!lib/ !lib/
!secrets/ !secrets/
!secrets/cube/
!secrets/enka/
!.gitignore !.gitignore
!flake.lock !flake.lock


@ -8,13 +8,13 @@
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
users.users.root.passwordFile = config.age.secrets."cube.rgb.password.hash".path; users.users.root.passwordFile = config.age.secrets."cube/password.hash.rgb".path;
users.users.rgb = normalUser { users.users.rgb = normalUser {
description = "RGB"; description = "RGB";
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ keys.rgbcube ]; openssh.authorizedKeys.keys = [ keys.rgbcube ];
hashedPasswordFile = config.age.secrets."cube.rgb.password.hash".path; hashedPasswordFile = config.age.secrets."cube/password.hash.rgb".path;
}; };
}) })


@ -5,7 +5,7 @@ let
fqdn = "metrics.${domain}"; fqdn = "metrics.${domain}";
in serverSystemConfiguration { in serverSystemConfiguration {
age.secrets."cube.grafana.password" = { age.secrets."cube/password.grafana" = {
owner = "grafana"; owner = "grafana";
group = "grafana"; group = "grafana";
}; };
@ -29,7 +29,7 @@ in serverSystemConfiguration {
settings.security = { settings.security = {
admin_email = "metrics@${domain}"; admin_email = "metrics@${domain}";
admin_password = "$__file{${config.age.secrets."cube.grafana.password".path}}"; admin_password = "$__file{${config.age.secrets."cube/passowrd.grafana".path}}";
}; };
}; };
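Review bot: The new reference on the admin_password line, `config.age.secrets."cube/passowrd.grafana".path`, misspells the secret name; the secret is declared as `"cube/password.grafana"` in the first hunk of this section, so evaluating this module will fail with a missing-attribute error instead of resolving to the renamed file. The line should read `admin_password = "$__file{${config.age.secrets."cube/password.grafana".path}}";`. Because every consumer in this commit was renamed by hand, evaluating the affected host configurations before merging would catch any other mismatch between the names declared in secrets.nix and the ones referenced in the modules. The enclosing serverSystemConfiguration expression starts and ends outside the hunk.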


@ -42,7 +42,7 @@ in serverSystemConfiguration {
loginAccounts."contact@${domain}" = { loginAccounts."contact@${domain}" = {
aliases = [ "@${domain}" ]; aliases = [ "@${domain}" ];
hashedPasswordFile = config.age.secrets."cube.mail.password.hash".path; hashedPasswordFile = config.age.secrets."cube/password.hash.mail".path;
}; };
}; };
} }


@ -5,7 +5,7 @@ let
fqdn = "cloud.${domain}"; fqdn = "cloud.${domain}";
in serverSystemConfiguration { in serverSystemConfiguration {
age.secrets."cube.nextcloud.password" = { age.secrets."cube/password.nextcloud" = {
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud"; group = "nextcloud";
}; };
@ -19,7 +19,7 @@ in serverSystemConfiguration {
configureRedis = true; configureRedis = true;
config.adminuser = "admin"; config.adminuser = "admin";
config.adminpassFile = config.age.secrets."cube.nextcloud.password".path; config.adminpassFile = config.age.secrets."cube/password.nextcloud".path;
config.dbtype = "pgsql"; config.dbtype = "pgsql";
database.createLocally = true; database.createLocally = true;


@ -7,18 +7,18 @@
time.timeZone = "Europe/Istanbul"; time.timeZone = "Europe/Istanbul";
users.users.root.hashedPasswordFile = config.age.secrets."enka.said.password.hash".path; users.users.root.hashedPasswordFile = config.age.secrets."enka/password.hash.said".path;
users.users.said = graphicalUser { users.users.said = graphicalUser {
description = "Said"; description = "Said";
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
hashedPasswordFile = config.age.secrets."enka.said.password.hash".path; hashedPasswordFile = config.age.secrets."enka/password.hash.said".path;
uid = 1000; uid = 1000;
}; };
users.users.orhan = graphicalUser { users.users.orhan = graphicalUser {
description = "Orhan"; description = "Orhan";
hashedPasswordFile = config.age.secrets."enka.orhan.password.hash".path; hashedPasswordFile = config.age.secrets."enka/password.hash.orhan".path;
uid = 1001; uid = 1001;
}; };


@ -4,12 +4,15 @@ rec {
cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkCJeHcD0SIOZ4HkyF6rqUmbvlKhSha3HWMZ0hbIjp rgb@cube"; cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkCJeHcD0SIOZ4HkyF6rqUmbvlKhSha3HWMZ0hbIjp rgb@cube";
}; };
"acme.age".publicKeys = [ keys.cube ]; "cube/id.age".publicKeys = [ keys.rgbcube ];
"cube.id.age".publicKeys = [ keys.rgbcube ];
"cube.grafana.password.age".publicKeys = [ keys.cube ]; "cube/password.hash.mail.age".publicKeys = [ keys.cube ];
"cube.mail.password.hash.age".publicKeys = [ keys.cube ]; "cube/password.hash.rgb.age".publicKeys = [ keys.cube ];
"cube.nextcloud.password.age".publicKeys = [ keys.cube ];
"cube.rgb.password.hash.age".publicKeys = [ keys.cube ]; "cube/password.acme.age".publicKeys = [ keys.cube ];
"enka.orhan.password.hash.age".publicKeys = [ keys.rgbcube ]; "cube/password.grafana.age".publicKeys = [ keys.cube ];
"enka.said.password.hash.age".publicKeys = [ keys.rgbcube ]; "cube/password.nextcloud.age".publicKeys = [ keys.cube ];
"enka/password.hash.orhan.age".publicKeys = [ keys.rgbcube ];
"enka/password.hash.said.age".publicKeys = [ keys.rgbcube ];
} }