From f145bdaa4af8b4b68a7d8270eb685d4168bbde10 Mon Sep 17 00:00:00 2001 
From: RGBCube Date: Wed, 27 Mar 2024 09:37:43 +0300 Subject: [PATCH] Sanify agenix situation --- .gitignore | 13 +++++--- flake.nix | 9 ++--- hosts/cube/{acme.nix => acme/default.nix} | 4 ++- hosts/cube/acme/password.age | Bin 0 -> 385 bytes hosts/cube/default.nix | 6 ++-- .../cube/{forgejo.nix => forgejo/default.nix} | 14 +++++--- .../cube/forgejo/password.mail.age | 0 .../cube/forgejo/password.runner.age | 0 .../cube/{grafana.nix => grafana/default.nix} | 14 +++++--- hosts/cube/grafana/password.age | Bin 0 -> 223 bytes hosts/cube/grafana/password.mail.age | 5 +++ hosts/cube/{mail.nix => mail/default.nix} | 4 ++- hosts/cube/mail/password.age | Bin 0 -> 273 bytes .../default.nix} | 14 +++++--- hosts/cube/matrix-synapse/password.secret.age | Bin 0 -> 307 bytes hosts/cube/matrix-synapse/password.sync.age | 6 ++++ hosts/cube/nextcloud/default.nix | 7 ++-- hosts/cube/nextcloud/password.age | 5 +++ hosts/cube/password.rgb.age | 5 +++ hosts/enka/default.nix | 9 +++-- hosts/enka/password.orhan.age | 13 ++++++++ hosts/enka/password.said.age | 13 ++++++++ keys.nix | 4 +++ secrets.nix | 18 ++++++++++ secrets/cube/id.age | Bin 611 -> 0 bytes secrets/cube/password.acme.age | 5 --- secrets/cube/password.grafana.age | 5 --- secrets/cube/password.hash.mail.age | 5 --- secrets/cube/password.hash.rgb.age | 7 ---- secrets/cube/password.mail.grafana.age | 6 ---- secrets/cube/password.nextcloud.age | 5 --- .../cube/password.secret.matrix-synapse.age | Bin 307 -> 0 bytes secrets/cube/password.sync.matrix-synapse.age | Bin 293 -> 0 bytes secrets/default.nix | 10 ------ secrets/enka/password.hash.orhan.age | 13 -------- secrets/enka/password.hash.said.age | Bin 702 -> 0 bytes secrets/secrets.nix | 31 ------------------ 37 files changed, 134 insertions(+), 116 deletions(-) rename hosts/cube/{acme.nix => acme/default.nix} (74%) create mode 100644 hosts/cube/acme/password.age rename hosts/cube/{forgejo.nix => forgejo/default.nix} (88%) rename secrets/cube/password.mail.forgejo.age => 
hosts/cube/forgejo/password.mail.age (100%) rename secrets/cube/password.runner.forgejo.age => hosts/cube/forgejo/password.runner.age (100%) rename hosts/cube/{grafana.nix => grafana/default.nix} (80%) create mode 100644 hosts/cube/grafana/password.age create mode 100644 hosts/cube/grafana/password.mail.age rename hosts/cube/{mail.nix => mail/default.nix} (91%) create mode 100644 hosts/cube/mail/password.age rename hosts/cube/{matrix-synapse.nix => matrix-synapse/default.nix} (88%) create mode 100644 hosts/cube/matrix-synapse/password.secret.age create mode 100644 hosts/cube/matrix-synapse/password.sync.age create mode 100644 hosts/cube/nextcloud/password.age create mode 100644 hosts/cube/password.rgb.age create mode 100644 hosts/enka/password.orhan.age create mode 100644 hosts/enka/password.said.age create mode 100644 keys.nix create mode 100644 secrets.nix delete mode 100644 secrets/cube/id.age delete mode 100644 secrets/cube/password.acme.age delete mode 100644 secrets/cube/password.grafana.age delete mode 100644 secrets/cube/password.hash.mail.age delete mode 100644 secrets/cube/password.hash.rgb.age delete mode 100644 secrets/cube/password.mail.grafana.age delete mode 100644 secrets/cube/password.nextcloud.age delete mode 100644 secrets/cube/password.secret.matrix-synapse.age delete mode 100644 secrets/cube/password.sync.matrix-synapse.age delete mode 100644 secrets/default.nix delete mode 100644 secrets/enka/password.hash.orhan.age delete mode 100644 secrets/enka/password.hash.said.age delete mode 100644 secrets/secrets.nix diff --git a/.gitignore b/.gitignore index 9d392ca..b4f8486 100644 --- a/.gitignore +++ b/.gitignore @@ -2,9 +2,18 @@ !derivations/ +!docs/ + !hosts/ + !hosts/enka/ + !hosts/cube/ +!hosts/cube/acme/ +!hosts/cube/forgejo/ +!hosts/cube/grafana/ +!hosts/cube/mail/ +!hosts/cube/matrix-synapse/ !hosts/cube/nextcloud/ !modules/ @@ -14,10 +23,6 @@ !lib/ -!secrets/ -!secrets/cube/ -!secrets/enka/ - !.gitignore !flake.lock 
diff --git a/flake.nix b/flake.nix index 576586c..fa9efe4 100644 --- a/flake.nix +++ b/flake.nix @@ -161,7 +161,7 @@ }; in defaults // other; - keys = (import ./secrets/secrets.nix).keys; + keys = import ./keys.nix; theme = themes.custom (themes.raw.gruvbox-dark-hard // { cornerRadius = 8; @@ -202,7 +202,9 @@ mapDirectory = function: directory: with builtins; attrValues (mapAttrs function (readDir directory)); - nullIfUnderscore = name: if (builtins.substring 0 1 name) == "_" then + nullIfUnderscoreOrNotNix = name: if (builtins.substring 0 1 name) == "_" then + null + else if lib.hasSuffix ".age" name then null else name; @@ -210,12 +212,11 @@ filterNull = builtins.filter (x: x != null); importDirectory = directory: - filterNull (mapDirectory (name: _: lib.mapNullable (name: /${directory}/${name}) (nullIfUnderscore name)) directory); + filterNull (mapDirectory (name: _: lib.mapNullable (name: /${directory}/${name}) (nullIfUnderscoreOrNotNix name)) directory); in [ homeManager.nixosModules.default ageNix.nixosModules.default - ./secrets simpleMail.nixosModules.default diff --git a/hosts/cube/acme.nix b/hosts/cube/acme/default.nix similarity index 74% rename from hosts/cube/acme.nix rename to hosts/cube/acme/default.nix index afe2190..9aa3416 100644 --- a/hosts/cube/acme.nix +++ b/hosts/cube/acme/default.nix @@ -3,11 +3,13 @@ let inherit (config.networking) domain; in serverSystemConfiguration { + age.secrets."hosts/cube/acme/password".file = ./password.age; + security.acme = { acceptTerms = true; defaults = { - environmentFile = config.age.secrets."cube/password.acme".path; + environmentFile = config.age.secrets."hosts/cube/acme/password".path; dnsProvider = "cloudflare"; dnsResolver = "1.1.1.1"; email = "security@${domain}"; 
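Review bot: `nullIfUnderscoreOrNotNix` in the second flake.nix hunk does not match its name: it rejects only names ending in `.age`. Any other non-module file that ends up in a host directory (a README, a public key, an editor backup) is still passed to the module system as an import. An allowlist is safer than a denylist next to secret material, and `mapDirectory` already passes the `readDir` entry type, which the lambda discards as `_`. Something like `keep = name: type: !(lib.hasPrefix "_" name) && (type == "directory" || lib.hasSuffix ".nix" name);` would keep the new `acme/`, `forgejo/` etc. directories and `.nix` files and nothing else. The enclosing `let` block starts and ends outside the hunk, so this is based on the visible helper definitions only.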
diff --git a/hosts/cube/acme/password.age b/hosts/cube/acme/password.age new file mode 100644 index 0000000000000000000000000000000000000000..ccb115a6ca164f64db654033be2c389e739f22a3 GIT binary patch literal 385 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUFE{ZY;DOV^j4K~k7 zHq$P4OAPS}aW67+OH500tO%>}3rh6O3ev9hsWb`;$+M_*jO2234h&99D)vkY3Uv!l zN(pz1@XjqY$jovLFLVshuX0NDcM9{$tMJWFapcm~)m1Qe&I*b2Ps}f~C`ok556bc` z4hhdp3$=8~ED8wn(+?@}D9v^*HxBem4dp89{WGJ4ZHbcNIYZru6^zGPt$EX%?^tQi zINYQ=@0r>5Rtt#*Uv&<=UE^QWnc(2~y-2vd`S-)sO-e!^u10@55|#LMWypz$9HY5U z^Jm>m{dahKg7)s5lB{_)JQLO%Y@K-L4fCW~jW@+JHwPEr%~skNY9%5&KT~MG(L>&{ zD;5n5cMcwj@KSqSo4LfKB`(1{lQ(%7UE8>S;v;tew!5IZ literal 0 HcmV?d00001 diff --git a/hosts/cube/default.nix b/hosts/cube/default.nix index eea5140..87318aa 100644 --- a/hosts/cube/default.nix +++ b/hosts/cube/default.nix @@ -8,13 +8,15 @@ time.timeZone = "Europe/Amsterdam"; - users.users.root.hashedPasswordFile = config.age.secrets."cube/password.hash.rgb".path; + age.secrets."hosts/cube/password.rgb".file = ./password.rgb.age; + + users.users.root.hashedPasswordFile = config.age.secrets."hosts/cube/password.rgb".path; users.users.rgb = normalUser { description = "RGB"; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ keys.enka ]; - hashedPasswordFile = config.age.secrets."cube/password.hash.rgb".path; + hashedPasswordFile = config.age.secrets."hosts/cube/password.rgb".path; }; }) diff --git a/hosts/cube/forgejo.nix b/hosts/cube/forgejo/default.nix similarity index 88% rename from hosts/cube/forgejo.nix rename to hosts/cube/forgejo/default.nix index 37d184e..ceca47e 100644 --- a/hosts/cube/forgejo.nix +++ b/hosts/cube/forgejo/default.nix 
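Review bot: In the hosts/cube/default.nix hunk, `users.users.root.hashedPasswordFile` and the `rgb` user's `hashedPasswordFile` both resolve to `hosts/cube/password.rgb`, so root and a `wheel` account share one password hash. A single guessed or leaked password then gives root directly (console or `su`) as well as through sudo, and the two cannot be rotated independently. The hosts/enka/default.nix hunk has the same pattern, with root reusing `hosts/enka/password.said`. Since both hosts already have a wheel user, consider a separate root secret or a locked root password, e.g. `users.users.root.hashedPassword = "!";`, assuming nothing outside this diff depends on root password login.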
@@ -5,8 +5,14 @@ let fqdn = "git.${domain}"; in serverSystemConfiguration { - age.secrets."cube/password.mail.forgejo".owner = "forgejo"; - age.secrets."cube/password.runner.forgejo".owner = "forgejo"; + age.secrets."hosts/cube/forgejo/password.mail" = { + file = ./password.mail.age; + owner = "forgejo"; + }; + age.secrets."hosts/cube/forgejo/password.runner" = { + file = ./password.runner.age; + owner = "forgejo"; + }; services.postgresql = { ensureDatabases = [ "forgejo" ]; @@ -36,7 +42,7 @@ in serverSystemConfiguration { "act:docker://ghcr.io/catthehacker/ubuntu:act-latest" ]; - tokenFile = config.age.secrets."cube/password.runner.forgejo".path; + tokenFile = config.age.secrets."hosts/cube/forgejo/password.runner".path; settings = { cache.enabled = true; @@ -59,7 +65,7 @@ in serverSystemConfiguration { services.forgejo = enabled { lfs = enabled {}; - mailerPasswordFile = config.age.secrets."cube/password.mail.forgejo".path; + mailerPasswordFile = config.age.secrets."hosts/cube/forgejo/password.mail".path; database = { socket = "/run/postgresql"; diff --git a/secrets/cube/password.mail.forgejo.age b/hosts/cube/forgejo/password.mail.age similarity index 100% rename from secrets/cube/password.mail.forgejo.age rename to hosts/cube/forgejo/password.mail.age diff --git a/secrets/cube/password.runner.forgejo.age b/hosts/cube/forgejo/password.runner.age similarity index 100% rename from secrets/cube/password.runner.forgejo.age rename to hosts/cube/forgejo/password.runner.age diff --git a/hosts/cube/grafana.nix b/hosts/cube/grafana/default.nix similarity index 80% rename from hosts/cube/grafana.nix rename to hosts/cube/grafana/default.nix index c4b49d1..1031e34 100644 --- a/hosts/cube/grafana.nix +++ b/hosts/cube/grafana/default.nix 
@@ -5,8 +5,14 @@ let fqdn = "metrics.${domain}"; in serverSystemConfiguration { - age.secrets."cube/password.grafana".owner = "grafana"; - age.secrets."cube/password.mail.grafana".owner = "grafana"; + age.secrets."hosts/cube/grafana/password" = { + file = ./password.age; + owner = "grafana"; + }; + age.secrets."hosts/cube/grafana/password.mail" = { + file = ./password.mail.age; + owner = "grafana"; + }; services.fail2ban.jails.grafana.settings = { filter = "grafana"; @@ -46,7 +52,7 @@ in serverSystemConfiguration { settings.security = { admin_email = "metrics@${domain}"; - admin_password = "$__file{${config.age.secrets."cube/password.grafana".path}}"; + admin_password = "$__file{${config.age.secrets."hosts/cube/grafana/password".path}}"; admin_user = "admin"; cookie_secure = true; @@ -58,7 +64,7 @@ in serverSystemConfiguration { settings.smtp = { enabled = true; - password = "$__file{${config.age.secrets."cube/password.mail.grafana".path}}"; + password = "$__file{${config.age.secrets."hosts/cube/grafana/password.mail".path}}"; startTLS_policy = "MandatoryStartTLS"; ehlo_identity = "contact@${domain}"; diff --git a/hosts/cube/grafana/password.age b/hosts/cube/grafana/password.age new file mode 100644 index 0000000000000000000000000000000000000000..a9816e2a2bd5bce43798b8a2a61b538bfa3ad545 GIT binary patch literal 223 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUFE{ZY;DOWJe3`}-% zNpo}$j|y}4Hup0LFE=a+PP1_G_lU44cQj3OObzr*EzQo!HsG?b$PZ4=&DKuTPWP^` zC=PcG$O=pI2y`>IEGaV5E^ul3%6W1OXRir)0Hba0E3H8%>V!Z literal 0 HcmV?d00001 diff --git a/hosts/cube/grafana/password.mail.age b/hosts/cube/grafana/password.mail.age new file mode 100644 index 0000000..01e8aee --- /dev/null +++ b/hosts/cube/grafana/password.mail.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 +rZ0Tw xkWa1fXAqQk5S+VNegGJpwGGDK0S3U+/QqPqSJgDUzI +xQRrNt48YL6ueLKKN4VXZuwzP0wu7AykvShOTv06YVQ +--- pEof9mZkQfWKgX5jrFGissq6m8/CvS7O2G52d/XbS8w +,5Kh#s( z_IipY/=ܯRwS \ No newline at end of file 
diff --git a/hosts/cube/mail.nix b/hosts/cube/mail/default.nix similarity index 91% rename from hosts/cube/mail.nix rename to hosts/cube/mail/default.nix index 6b2fae5..fef217c 100644 --- a/hosts/cube/mail.nix +++ b/hosts/cube/mail/default.nix @@ -5,6 +5,8 @@ let fqdn = "mail.${domain}"; in serverSystemConfiguration { + age.secrets."hosts/cube/mail/password".file = ./password.age; + services.prometheus = { exporters.postfix = enabled { port = 9040; @@ -72,7 +74,7 @@ in serverSystemConfiguration { loginAccounts."contact@${domain}" = { aliases = [ "@${domain}" ]; - hashedPasswordFile = config.age.secrets."cube/password.hash.mail".path; + hashedPasswordFile = config.age.secrets."hosts/cube/mail/password".path; }; }; } diff --git a/hosts/cube/mail/password.age b/hosts/cube/mail/password.age new file mode 100644 index 0000000000000000000000000000000000000000..54765f939364ab09ba72f5e52bd8d28533a77308 GIT binary patch literal 273 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUFE{ZY;DOX7G2rJ1e zj0*75HjW6&OmVI9Pc|#a$jb`MatV)cG7ZT0@(wX{PYH6%FyP8AD)-j6j4TW^bSXFT zP4hC#@J@3nOf5GH@bHQ#w(tr~3=b@_$SF$=aplt0)m2FH$uSMiE_NyiGtRSc@vw++ zt8jBmOD)n5EOJisH1=>z%d|9h3JwaZ4CH#~R?q)4eq-2N-VZkpnzrsJt&Zpl{QKbf zOg*ls$(&&Y!NKeM>TL>^ta|f$qh(eR!)7;wPZQmz-}K9PpuM+3S1!*fYlVnPvDf^r YsbQP`9JD^s{qJD6-H+&vRzVR90TtkA2><{9 literal 0 HcmV?d00001 diff --git a/hosts/cube/matrix-synapse.nix b/hosts/cube/matrix-synapse/default.nix similarity index 88% rename from hosts/cube/matrix-synapse.nix rename to hosts/cube/matrix-synapse/default.nix index 72e27ca..e53b84e 100644 --- a/hosts/cube/matrix-synapse.nix +++ b/hosts/cube/matrix-synapse/default.nix 
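Review bot: The rename in the hosts/cube/mail/default.nix hunk drops the `hash` marker from the secret name: `cube/password.hash.mail` becomes `hosts/cube/mail/password`, although it still feeds `hashedPasswordFile`. The identically named `password.age` files under grafana/ and nextcloud/ feed `admin_password` and `adminpassFile`, which presumably take the raw secret. Whoever re-encrypts one of these files later has nothing in the name saying which format is expected, and a wrong format in a `hashedPasswordFile` locks the account out. The same applies to `hosts/cube/password.rgb` and to `hosts/enka/password.said` and `password.orhan`. Either keep the marker in the file name (`password.hash.age`) or add a comment on the declaration, e.g. `# holds a password hash, not the plaintext`.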
@@ -35,8 +35,14 @@ let synapsePort = 8001; syncPort = 8002; in serverSystemConfiguration { - age.secrets."cube/password.secret.matrix-synapse".owner = "matrix-synapse"; - age.secrets."cube/password.sync.matrix-synapse".owner = "matrix-synapse"; + age.secrets."hosts/cube/matrix-synapse/password.secret" = { + file = ./password.secret.age; + owner = "matrix-synapse"; + }; + age.secrets."hosts/cube/matrix-synapse/password.sync" = { + file = ./password.sync.age; + owner = "matrix-synapse"; + }; services.postgresql = { ensureDatabases = [ "matrix-synapse" "matrix-sliding-sync" ]; @@ -82,7 +88,7 @@ in serverSystemConfiguration { }; # Sets registration_shared_secret. - extraConfigFiles = [ config.age.secrets."cube/password.secret.matrix-synapse".path ]; + extraConfigFiles = [ config.age.secrets."hosts/cube/matrix-synapse/password.secret".path ]; settings.listeners = [{ port = synapsePort; @@ -109,7 +115,7 @@ in serverSystemConfiguration { }]; services.matrix-sliding-sync = enabled { - environmentFile = config.age.secrets."cube/password.sync.matrix-synapse".path; + environmentFile = config.age.secrets."hosts/cube/matrix-synapse/password.sync".path; settings = { SYNCV3_SERVER = "https://${chatDomain}"; SYNCV3_DB = "postgresql:///matrix-sliding-sync?host=/run/postgresql"; 
diff --git a/hosts/cube/matrix-synapse/password.secret.age b/hosts/cube/matrix-synapse/password.secret.age new file mode 100644 index 0000000000000000000000000000000000000000..40911acee1e228f3a736b0aa003006093da20079 GIT binary patch literal 307 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUFE{ZY;DObqOH%QMl z*0(e@EeXsDFZVCVH>pa@^!5o#uE@)D%k>K~H?v4e2`ViPGU2lH3Jnj+%&-jcEeQ`U z^ejru3NkD%uJm%x@$)EiD-5%Y$o6(GO0CSvGvU(J)m3mz2~La13`ufJ_wn?}Daee} z)(*^e@;5hjEp$##iAb$Xj56>vF$mOl^yCs0on~v8Flon|nHFK83LF1@{ImOJ;MD1V zDlhzBB9nA1FL%QG1v{AY%maR{G-+kXu=u`e+39&^O7$~sp1$SE(y>x{)A02hQ&dG= z&9?X966>y}eU@uKaN*ANuTPauyjOe@J?YD3?PHqv8aRH$^KuKn-T9dDzD2-g+q(Q+ Jz2c1v+W@QgeU< ssh-ed25519 +rZ0Tw qnll3AmLOYVpsLP78bOa0F20HjoN0dOFK2Rk/Ye5w24 +Gsmy22GHYX+0dlrUJalVlPXTWyzCz7q9W5gQza71XbA +--- UQhQek9ss1w8rqxj7HQxh8H/uaIsTK5SIfxqCAe1xoQ +fɏ ZrUZ'P~@f 5_cru/<Q|fY[r^SO6}> +d!HkZXr$j [\nB(/# \ No newline at end of file diff --git a/hosts/cube/nextcloud/default.nix b/hosts/cube/nextcloud/default.nix index e6075eb..f5dfdba 100644 --- a/hosts/cube/nextcloud/default.nix +++ b/hosts/cube/nextcloud/default.nix @@ -5,7 +5,10 @@ let fqdn = "cloud.${domain}"; in serverSystemConfiguration { - age.secrets."cube/password.nextcloud".owner = "nextcloud"; + age.secrets."hosts/cube/nextcloud/password" = { + file = ./password.age; + owner = "nextcloud"; + }; services.postgresql = { ensureDatabases = [ "nextcloud" ]; @@ -39,7 +42,7 @@ in serverSystemConfiguration { configureRedis = true; config.adminuser = "admin"; - config.adminpassFile = config.age.secrets."cube/password.nextcloud".path; + config.adminpassFile = config.age.secrets."hosts/cube/nextcloud/password".path; config.dbhost = "/run/postgresql"; config.dbtype = "pgsql"; diff --git a/hosts/cube/nextcloud/password.age b/hosts/cube/nextcloud/password.age new file mode 100644 index 0000000..5836b95 --- /dev/null +++ b/hosts/cube/nextcloud/password.age 
@@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 +rZ0Tw 3QOn//uIWJTnBEVz3bn3s3yQlAeGDCynaJ4C+2Zi8iE +AsPa4woWILuLVS0bvkLBddda9mQqJ9CS1hkWwhNrLg8 +--- 7XNX3eRRei1LrcRiQSLgHJ0OkYt145uDVq+gtN/A9tk +\KDr.'QDML3I3 \ No newline at end of file diff --git a/hosts/cube/password.rgb.age b/hosts/cube/password.rgb.age new file mode 100644 index 0000000..fc247cc --- /dev/null +++ b/hosts/cube/password.rgb.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 +rZ0Tw 5+B9syGilyIjTRiIbR/tQqIRZ5ZUax8gOIZR62lYGhw +vTzxsGNvqnZKGkDHy2+gyIIPqLXZltVBzwEQ5HeuLO0 +--- eRFepEnDGHeb96HOq0kZOvILnQlL/WCf8fnVJbFHP8w +iao'D̗c[\;m/K݂s0 r)Vh}xhzqA}wD ٫VP1jۛ%J- \ No newline at end of file diff --git a/hosts/enka/default.nix b/hosts/enka/default.nix index 4f66372..f7cf2a7 100644 --- a/hosts/enka/default.nix +++ b/hosts/enka/default.nix @@ -6,18 +6,21 @@ time.timeZone = "Europe/Istanbul"; - users.users.root.hashedPasswordFile = config.age.secrets."enka/password.hash.said".path; + age.secrets."hosts/enka/password.said".file = ./password.said.age; + age.secrets."hosts/enka/password.orhan".file = ./password.orhan.age; + + users.users.root.hashedPasswordFile = config.age.secrets."hosts/enka/password.said".path; users.users.said = graphicalUser { description = "Said"; extraGroups = [ "wheel" ]; - hashedPasswordFile = config.age.secrets."enka/password.hash.said".path; + hashedPasswordFile = config.age.secrets."hosts/enka/password.said".path; uid = 1000; }; users.users.orhan = graphicalUser { description = "Orhan"; - hashedPasswordFile = config.age.secrets."enka/password.hash.orhan".path; + hashedPasswordFile = config.age.secrets."hosts/enka/password.orhan".path; uid = 1001; }; diff --git a/hosts/enka/password.orhan.age b/hosts/enka/password.orhan.age new file mode 100644 index 0000000..2f79af2 --- /dev/null +++ b/hosts/enka/password.orhan.age 
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-rsa jPaU3Q +M19jE1+l5CGuAbWy3AAhJcVtW9E1b8al9rgjSJ26ESewP5fipabiW8/KEA6QowU4 +NbFFu9Za0Sqo2ly5AS7kubYROCYQE238cZgMfVG15nFmIP1s3MY8hNZFaeJdjYJW +W8SLTddBA5xWBzfNH2ZtW7KBICMgl5+mKAj35pB6qxcZjj274llFy8d8Xs0UsyDW +4exLZdzbgCXC5JXVgZpOR0Ou0AdJPtHIxYmkaS+gjkr45fSo3XGSepxRw+SOlkV/ +0kQgyw5KPPNZZ9wXo89P4zponyWNqQCKPaxXbGJl44mKBXLxFSvCPjjuAZ7cZ+xn +vd2ZcwztgLV84JT5pSJbUwjo6a5GrzOJ3/frxYgG4MK5foM8iyZ6cHFpNVeyOx/b +IhfCdFc71+c+hfLpa1OETlKYEVYHDQ/nuAELAy81bfEa8OL1yh8q75gJZukgwWX8 +QEJLzwsN/496uBbFwwjj05R4feu35Iql1XLqOrTaixUA6uSdWjsnJscENFpchfzI + +--- 06pUnwHPhIIgovnUcakwOCjfK5Et4twJF8NChBf3G9o + g0Fӻͱ*U;GKsqH-ތ-M v% ojdOxCkJren:KBM7 \ No newline at end of file diff --git a/hosts/enka/password.said.age b/hosts/enka/password.said.age new file mode 100644 index 0000000..fb4dcd2 --- /dev/null +++ b/hosts/enka/password.said.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-rsa jPaU3Q +fNM8bL9QB/wvgB+MZOfWXDrPMCc/2bs3B5t1xgXe/Z6I0HXcnL/G1ipebvth/+Mr +Wv6bMPgPPwrxvWaoC84PHTclp8kqsipTYO4r40cB5F7Yyq+oBOHlm3Kd1SGSPQQn +FPCA0BxFhYQuHtQuqEdoMRZ5YxgoxWoso1gAAMzcnhac9HVK595F4HITpYzs453Q +UTW+c1UigqvI70YNKo2jNSqAwJh2rA4EP/ivz5Y0fOv/WD8TpygbFdbFhvLZ4rBS +NveQrMJcha/KArzu5cxYuQq+vF7ckGmPygGSMGkXCbb66ET8Mj/daBhfPfZ+nC+v +eaBOlAJ4y+jUwajn3PlWelOjUTNoDHdp8I/xHtJs1avmlWhv8pdA/vR/61C0mApd +39uzl2XsnvKQkqlE2CD618h1xsmXk9RDxzUzDuejO0Kv1Of7+SsR1Swk7IKaJQpB +SzAfBCtnJxRsTIDVcBvqtb1cJiBgJt5/FFN8IGa9C0Hf3lFvB8qqR2BlwijhfGi/ + +--- JmxH14QpQiLryhESgYyK4H7fpol168CbjecUwfnRFRM +bd!<&-1esă{OqG~.cmu!$(!/asvzw6CE2>.xBb=Ԑgj@wzHsR9M)m2EUEH<+=$_xt$F(@-K@CeE- ztuWO0_fOMK4RkF{s!9sYt8(@*uE+|gG~jA^A;-6EQz);^DZ@`M{QoF$sCeB_*`oLi2(1;%=p*c#rbVFb;W80gSrZCXZwxG9bUoeJoRo-9xy*KEP$mi|98O?N8U79o@QB ssh-ed25519 +rZ0Tw FIt0hA2bl/r3zRNh/Ge0falVQFtN0nEaEnB+yVM8xAQ -R5FMyM3mvsY9VN5M5BZUnONIXYEK+apQAz/eo23u6pY ---- YmsJMVVOqUkeffeu8Y0kvQj1jPw7LHPc3t8kMGME5mM -Э2RCם;fm {))gN)}U4zrZ~{A;f%4awb.ϗqQ7S$ɠ||G4oWZKR4ﮭ˽[onB"dl4ð9U~cG,N 0`鿇 \ No newline at end of file 
diff --git a/secrets/cube/password.grafana.age b/secrets/cube/password.grafana.age deleted file mode 100644 index 2994a4b..0000000 --- a/secrets/cube/password.grafana.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw IRSz6OlQIRTzg02u754CEOKaatzt740YzfhowALePwc -j82Zc4XLnEUnuvt5bnvcxMpHp80UWt24JimfA4MOoKA ---- jBWCSgdLuA6ATl35gBsNwKT8Wv9gcsovQGqljlqqxRw -O4ўC*/\]$GoH$X> \ No newline at end of file diff --git a/secrets/cube/password.hash.mail.age b/secrets/cube/password.hash.mail.age deleted file mode 100644 index ee2e918..0000000 --- a/secrets/cube/password.hash.mail.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw 9umH7uCQ70QwO6MxQutKpazOcTfLH2w0XoEbhKIVCls -052qFDNcYPVtpAd9o/gVl2h/yR5LviLYPKXD4mxdDkE ---- uldKptLWhSWkYbOwoOKRCUaIvRkHmAeK5j8KQ6jspHI -rpY86ώ/:OtkU0q 8xkX@2 g}zv.iI<:Y \ No newline at end of file diff --git a/secrets/cube/password.hash.rgb.age b/secrets/cube/password.hash.rgb.age deleted file mode 100644 index fdf511c..0000000 --- a/secrets/cube/password.hash.rgb.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw pavYW4DxwidelX0yh6W3xD0uGv+RSK8AOGccIXRbu24 -SB21TrxyZUNxBaBjrCWHDGRyeUWAM5jbM/Ps2w1GdgM ---- js5hNinbe1Y7pq6RF75ScCdjMU/IxYJk9m9zbQUz9z4 -V`D9U|ӞT -GCyGu0m9GQ(k'g+腍 -?o )s>$g7?Lo:X{ \ No newline at end of file diff --git a/secrets/cube/password.mail.grafana.age b/secrets/cube/password.mail.grafana.age deleted file mode 100644 index 2113e92..0000000 --- a/secrets/cube/password.mail.grafana.age +++ /dev/null @@ -1,6 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw k4u86tbxSaZTIr9QzN2P+md9WwGvn93jOXqR2JHWy30 -tG7p/GaP0MhTqbAin3KmIMCrE67Ls3NYoztcJT8r7po ---- cmz8sBFqHk8RyAae/gBqrWgjCyHrVtngjZGn1xQOze8 -9rgM׶9gz -@uO0ץa \ No newline at end of file diff --git a/secrets/cube/password.nextcloud.age b/secrets/cube/password.nextcloud.age deleted file mode 100644 index 17033a8..0000000 --- a/secrets/cube/password.nextcloud.age +++ /dev/null 
@@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw okdsP260oVUSzMwXwa71LPNIxKCH9IqA99r632rFk0M -IYV5CmqbsbDX4GhLA+OkcPTXD0Cen+8s1AQ0wzyeSbc ---- QDLGYNZYfCfioRt85MeDYj5bXY21Zsx8NA9IGae6Mvo -Ҽ M`2.|sYWY&SChz \ No newline at end of file diff --git a/secrets/cube/password.secret.matrix-synapse.age b/secrets/cube/password.secret.matrix-synapse.age deleted file mode 100644 index 9b9c21356184b5294f305c2e341a463a101c4821..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 307 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUFE{ZY;DOZSc4%GH9 z@;59nt||}H&yKLr56B6rO41K0%MQ4W+EzQbx(#|k5 z(KgP^E!8&hFwQOy&U7}iFx5`9%nMC)ayKwe&*#$B)m6wSH#PJxDo-~oPYN~FE;fxa zPs;W(vZyEx^7aX;^fSp$F}H9^Gj+-H$mcRE@vQslljd`i)$@*IkBrFauagu6?svRd zJ!?gLcJ{B-!^=Mg`rR^=E>x2F+n}zUt(APfQ0mvW>B(|zH{K~;=CzMwSoA9OgsGU} z*SHl&DlaBSeDX7Gx4il4T+-vJ-`l6JUBdTo7TbZMjr#8{otv7mruoQ^<^Ai7HqWe9 JJ*gQx8vu$ec{Bh3 diff --git a/secrets/cube/password.sync.matrix-synapse.age b/secrets/cube/password.sync.matrix-synapse.age deleted file mode 100644 index 6d47c5b6a1646aac392fadc55d164a0f2ec0175a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 293 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUFE{ZY;DOYeaF7q}v zsH*fgH7~MstV}e_Dkv{3Pb;j>)`62@ymZKDz)I5$?~b5Z;rF!4{lK%_NQX) tO=X%X;Y%bee=|=gy`NyN6d5q1YTD0vj4Pi%-~T#LRPqPIHL?Fq#{srpZV~_h diff --git a/secrets/default.nix b/secrets/default.nix deleted file mode 100644 index 9c0259c..0000000 --- a/secrets/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ lib, ulib, ... }: with ulib; - -systemConfiguration { - age.secrets = lib.genAttrs - (map - (lib.removeSuffix ".age") - (builtins.attrNames - (builtins.removeAttrs (import ./secrets.nix) [ "keys" ]))) - (name: { file = ./${name}.age; }); -} diff --git a/secrets/enka/password.hash.orhan.age b/secrets/enka/password.hash.orhan.age deleted file mode 100644 index f01abf4..0000000 --- a/secrets/enka/password.hash.orhan.age +++ /dev/null 
@@ -1,13 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa jPaU3Q -uVq0J1PS5EJlU6sFDxSNuyh2qBcZvvrtYpLyRNThxQOg3K7eP/lnTgrR3LADUfgq -drnhATToI5JvYpahIr6qio40pmVVSP2KbOQdoRFC4i1zGAQEy6NgGPLdmeZ76wIx -dMBiwDPcUH2+Vxy5oRGbT0NGkUWHvU58axlFpC85IrSmdLFDISyd5WcWNZwG72Jh -Cw6RCRe+dOp7RDNmE9UEu9CTGaGgKtkDqxNgGX1ZnjhPNmYbCLs8ncUEPCRBLc5C -0jYgPHgLlBXE+rTUkJgiKFwqfv4G0f5VFW94ndDgUoek/d/+cOOkHvzwfSG5Ap1L -6Ib2R667NDTBtxYggT2BLsNJz/vZNRz3vcABPQYHcBfbsgwoJ+p6KGrDOV8xhZ9L -NEo5MCaksIcRBDLYI0cRICgl/mPyZTs+GkXv21dS7yYU662+5hHYcHOXLd7CF48a -h+m74qmi0cDOJI8yEAyGi6lBGjMCdu64fMoog1XhUh+q31oTrVT4NNdflM4hWSzo - ---- uTCYebEZ6buIwDxK6HNo9itri05JHpbrZbeYynquS8I -Б"$6rubrY[eBN۴-̏mb1W|&8S) *n%E~ͨX:fቶ}o?EzhXM \ No newline at end of file diff --git a/secrets/enka/password.hash.said.age b/secrets/enka/password.hash.said.age deleted file mode 100644 index 902ccfa8354eae651881cea453cc67a3c6599d75..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 702 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#|$3P=n!4&*9LOUh33FV`+g zDlkY-GtDv03op;n4h!`w_01~r_sQ|eEDJ9R@H8t*_AYe{jmpl=iZXL^^a!X7s&c6) zH#Xp^jP&wy_A=5oOR6&T4==Ou_sPi)Gxx|%E^u|KG|VV7@-8nZPRlhZ$ni}p@z1SH zDGzikEh-F%^p6VgGc_&d^7o01iu6nmGbt`lcP>oI3=U1qaVv9)aEZ`QbuUQ|FfB<= zF7*h{4bLkp&-6Bks7OikDkv>8E6Ix}$;tEf=5on#^$j()NR8C@)($VPEY0>Zcgi(3 z^!7I`3<_~Gt}2cw$Z$2w_je3SHE}bFFe}WqOmYf0D9LcIj5Np$HsUIAcQo<0G%a-Y za`(*h2uUhTarFz=HpnU|&NNT+F?KTv4Kenr2uQTd&MNdZ^DHkjNs07McP(&s^vE#r zFw5YIunf&ED+u@WGBXTtGAIv8D-1P_%*;%W)YkU1@J%xJ%Z_sK(hm%`@N}sP$Z!g9 z^fN8Bta5P;HL=hxF!qn+$}S8JOe}K^4>c<>4Ndhi4vZ>Jvj{WJFfOxj@(6P`bPM!z zt4vCC4tB2at1L(iGxaYrFAFm@Obe_ma7;BS=E^82u5e0=3d;*La!fDvP0KVZ2usRO zFLCosb~7<^&vdEq$#JVNkIXGENvh2C%F(w-%t^LL&BzZ)EzCCzso>($)zww-D>Zb~ zF03kZcP|ReHFHf0^C&9|DAdn%OmV4l^Nz~Uu1G9M4sdr4H1p+Jn^a)ve$s4K`i;3C zy9=iN6h0E&`%{M3we9%xn1(i2`+1@FkJZ_&>S6ei87(Qq^u^xxQb1aK7W>2b>%0Ux lwfojTGh84a9{Bx!isashjW3TripoD)7V%;7E$d48lK?Vj_wWD! diff --git a/secrets/secrets.nix b/secrets/secrets.nix deleted file mode 100644 index 3868d89..0000000 
--- a/secrets/secrets.nix +++ /dev/null @@ -1,31 +0,0 @@ -let - keys = { - enka = "ssh-rsa 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 nixos@enka"; - cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkCJeHcD0SIOZ4HkyF6rqUmbvlKhSha3HWMZ0hbIjp rgb@cube"; - }; - - key = key: [ key ]; -in with keys; { - inherit keys; - - "cube/id.age".publicKeys = key cube; - - "cube/password.hash.mail.age".publicKeys = key cube; - "cube/password.hash.rgb.age".publicKeys = key cube; - - "cube/password.acme.age".publicKeys = key cube; - - "cube/password.mail.forgejo.age".publicKeys = key cube; - "cube/password.runner.forgejo.age".publicKeys = key cube; - - "cube/password.grafana.age".publicKeys = key cube; - "cube/password.mail.grafana.age".publicKeys = key cube; - - "cube/password.secret.matrix-synapse.age".publicKeys = key cube; - "cube/password.sync.matrix-synapse.age".publicKeys = key cube; - - "cube/password.nextcloud.age".publicKeys = key cube; - - "enka/password.hash.orhan.age".publicKeys = key enka; - "enka/password.hash.said.age".publicKeys = key enka; -}