Seperate secrets better

2025-07-30 11:37:44 +00:00 · 2024-01-15 10:26:09 +03:00 · 2024-01-15 10:26:09 +03:00 · 3da95ae0bc
commit 3da95ae0bc
parent 52e80f9f0e
14 changed files with 23 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@ -13,6 +13,8 @@
 !lib/

 !secrets/
+!secrets/cube/
+!secrets/enka/

 !.gitignore
 !flake.lock
--- a/hosts/cube/default.nix
+++ b/hosts/cube/default.nix
@ -8,13 +8,13 @@

  time.timeZone = "Europe/Amsterdam";

-  users.users.root.passwordFile = config.age.secrets."cube.rgb.password.hash".path;
+  users.users.root.passwordFile = config.age.secrets."cube/password.hash.rgb".path;

  users.users.rgb = normalUser {
    description                 = "RGB";
    extraGroups                 = [ "wheel" ];
    openssh.authorizedKeys.keys = [ keys.rgbcube ];
-    hashedPasswordFile          = config.age.secrets."cube.rgb.password.hash".path;
+    hashedPasswordFile          = config.age.secrets."cube/password.hash.rgb".path;
  };
 })

--- a/hosts/cube/grafana.nix
+++ b/hosts/cube/grafana.nix
@ -5,7 +5,7 @@ let

  fqdn = "metrics.${domain}";
 in serverSystemConfiguration {
-  age.secrets."cube.grafana.password" = {
+  age.secrets."cube/password.grafana" = {
    owner = "grafana";
    group = "grafana";
  };
@ -29,7 +29,7 @@ in serverSystemConfiguration {

    settings.security = {
      admin_email    = "metrics@${domain}";
-      admin_password = "$__file{${config.age.secrets."cube.grafana.password".path}}";
+      admin_password = "$__file{${config.age.secrets."cube/passowrd.grafana".path}}";
    };
  };

--- a/hosts/cube/mail.nix
+++ b/hosts/cube/mail.nix
@ -42,7 +42,7 @@ in serverSystemConfiguration {
    loginAccounts."contact@${domain}" = {
      aliases = [ "@${domain}" ];

-      hashedPasswordFile = config.age.secrets."cube.mail.password.hash".path;
+      hashedPasswordFile = config.age.secrets."cube/password.hash.mail".path;
    };
  };
 }
--- a/hosts/cube/nextcloud.nix
+++ b/hosts/cube/nextcloud.nix
@ -5,7 +5,7 @@ let

  fqdn = "cloud.${domain}";
 in serverSystemConfiguration {
-  age.secrets."cube.nextcloud.password" = {
+  age.secrets."cube/password.nextcloud" = {
    owner = "nextcloud";
    group = "nextcloud";
  };
@ -19,7 +19,7 @@ in serverSystemConfiguration {
    configureRedis = true;

    config.adminuser     = "admin";
-    config.adminpassFile = config.age.secrets."cube.nextcloud.password".path;
+    config.adminpassFile = config.age.secrets."cube/password.nextcloud".path;

    config.dbtype          = "pgsql";
    database.createLocally = true;
--- a/hosts/enka/default.nix
+++ b/hosts/enka/default.nix
@ -7,18 +7,18 @@

  time.timeZone = "Europe/Istanbul";

-  users.users.root.hashedPasswordFile = config.age.secrets."enka.said.password.hash".path;
+  users.users.root.hashedPasswordFile = config.age.secrets."enka/password.hash.said".path;

  users.users.said = graphicalUser {
    description        = "Said";
    extraGroups        = [ "wheel" ];
-    hashedPasswordFile = config.age.secrets."enka.said.password.hash".path;
+    hashedPasswordFile = config.age.secrets."enka/password.hash.said".path;
    uid                = 1000;
  };

  users.users.orhan = graphicalUser {
    description        = "Orhan";
-    hashedPasswordFile = config.age.secrets."enka.orhan.password.hash".path;
+    hashedPasswordFile = config.age.secrets."enka/password.hash.orhan".path;
    uid                = 1001;
  };

--- a/secrets/cube/grafana.password.age
+++ b/secrets/cube/grafana.password.age
--- a/secrets/cube/id.age
+++ b/secrets/cube/id.age
--- a/secrets/cube/mail.password.hash.age
+++ b/secrets/cube/mail.password.hash.age
--- a/secrets/cube/nextcloud.password.age
+++ b/secrets/cube/nextcloud.password.age
--- a/secrets/cube/rgb.password.hash.age
+++ b/secrets/cube/rgb.password.hash.age
--- a/secrets/enka/orhan.password.hash.age
+++ b/secrets/enka/orhan.password.hash.age
--- a/secrets/enka/said.password.hash.age
+++ b/secrets/enka/said.password.hash.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -4,12 +4,15 @@ rec {
    cube     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkCJeHcD0SIOZ4HkyF6rqUmbvlKhSha3HWMZ0hbIjp rgb@cube";
  };

-  "acme.age".publicKeys                       = [ keys.cube ];
-  "cube.id.age".publicKeys                    = [ keys.rgbcube ];
-  "cube.grafana.password.age".publicKeys      = [ keys.cube ];
-  "cube.mail.password.hash.age".publicKeys    = [ keys.cube ];
-  "cube.nextcloud.password.age".publicKeys    = [ keys.cube ];
-  "cube.rgb.password.hash.age".publicKeys     = [ keys.cube ];
-  "enka.orhan.password.hash.age".publicKeys   = [ keys.rgbcube ];
-  "enka.said.password.hash.age".publicKeys    = [ keys.rgbcube ];
+  "cube/id.age".publicKeys                    = [ keys.rgbcube ];
+
+  "cube/password.hash.mail.age".publicKeys    = [ keys.cube ];
+  "cube/password.hash.rgb.age".publicKeys     = [ keys.cube ];
+
+  "cube/password.acme.age".publicKeys         = [ keys.cube ];
+  "cube/password.grafana.age".publicKeys      = [ keys.cube ];
+  "cube/password.nextcloud.age".publicKeys    = [ keys.cube ];
+
+  "enka/password.hash.orhan.age".publicKeys   = [ keys.rgbcube ];
+  "enka/password.hash.said.age".publicKeys    = [ keys.rgbcube ];
 }