Sanify agenix situation

2025-07-29 19:17:45 +00:00 · 2024-03-27 09:37:43 +03:00 · 2024-03-27 09:37:43 +03:00 · f145bdaa4a
commit f145bdaa4a
parent a6b9665856
37 changed files with 134 additions and 116 deletions
--- a/hosts/cube/acme/default.nix
+++ b/hosts/cube/acme/default.nix
@ -3,11 +3,13 @@
 let
  inherit (config.networking) domain;
 in serverSystemConfiguration {
+  age.secrets."hosts/cube/acme/password".file = ./password.age;
+
  security.acme = {
    acceptTerms = true;

    defaults = {
-      environmentFile = config.age.secrets."cube/password.acme".path;
+      environmentFile = config.age.secrets."hosts/cube/acme/password".path;
      dnsProvider     = "cloudflare";
      dnsResolver     = "1.1.1.1";
      email           = "security@${domain}";
--- a/hosts/cube/acme/password.age
+++ b/hosts/cube/acme/password.age
--- a/hosts/cube/default.nix
+++ b/hosts/cube/default.nix
@ -8,13 +8,15 @@

  time.timeZone = "Europe/Amsterdam";

-  users.users.root.hashedPasswordFile = config.age.secrets."cube/password.hash.rgb".path;
+  age.secrets."hosts/cube/password.rgb".file = ./password.rgb.age;
+
+  users.users.root.hashedPasswordFile = config.age.secrets."hosts/cube/password.rgb".path;

  users.users.rgb = normalUser {
    description                 = "RGB";
    extraGroups                 = [ "wheel" ];
    openssh.authorizedKeys.keys = [ keys.enka ];
-    hashedPasswordFile          = config.age.secrets."cube/password.hash.rgb".path;
+    hashedPasswordFile          = config.age.secrets."hosts/cube/password.rgb".path;
  };
 })

--- a/hosts/cube/forgejo/default.nix
+++ b/hosts/cube/forgejo/default.nix
@ -5,8 +5,14 @@ let

  fqdn = "git.${domain}";
 in serverSystemConfiguration {
-  age.secrets."cube/password.mail.forgejo".owner   = "forgejo";
-  age.secrets."cube/password.runner.forgejo".owner = "forgejo";
+  age.secrets."hosts/cube/forgejo/password.mail" = {
+    file  = ./password.mail.age;
+    owner = "forgejo";
+  };
+  age.secrets."hosts/cube/forgejo/password.runner" = {
+    file  = ./password.runner.age;
+    owner = "forgejo";
+  };

  services.postgresql = {
    ensureDatabases = [ "forgejo" ];
@ -36,7 +42,7 @@ in serverSystemConfiguration {
        "act:docker://ghcr.io/catthehacker/ubuntu:act-latest"
      ];

-      tokenFile = config.age.secrets."cube/password.runner.forgejo".path;
+      tokenFile = config.age.secrets."hosts/cube/forgejo/password.runner".path;

      settings = {
        cache.enabled     = true;
@ -59,7 +65,7 @@ in serverSystemConfiguration {
  services.forgejo = enabled {
    lfs = enabled {};

-    mailerPasswordFile = config.age.secrets."cube/password.mail.forgejo".path;
+    mailerPasswordFile = config.age.secrets."hosts/cube/forgejo/password.mail".path;

    database = {
      socket = "/run/postgresql";
--- a/hosts/cube/forgejo/password.mail.age
+++ b/hosts/cube/forgejo/password.mail.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw k4u86tbxSaZTIr9QzN2P+md9WwGvn93jOXqR2JHWy30
+tG7p/GaP0MhTqbAin3KmIMCrE67Ls3NYoztcJT8r7po
+--- cmz8sBFqHk8RyAae/gBqrWgjCyHrVtngjZGn1xQOze8
+9rgM’Ð×¶9±¬¹¥òíªgù<67>šÉzã<7A>
+ý@ÕÙðuO·Þê0×¥ôa
--- a/hosts/cube/forgejo/password.runner.age
+++ b/hosts/cube/forgejo/password.runner.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw rraoMjYwD6IIkmgyiDKlij2+bLqY5PNyMU5IPQ4mvjI
+/yttaAf7neHJ69LYh6p33gRBXIZA4oxWS5DDMnfOhhM
+--- o+/I/vPxFdL9orC3PsBTazOrwG6Le8uLMUYiHE4XMj8
+¬¨<EFBFBD>
±]}ÍWž{[a'mdú€AÈU‰Ô¬ì7z*ÌY9"èÍ|±1dvùQxcŸ¶Ç“<C387>à"®0ñÆÔpÖò¿Œr½:ÇÅÑ
--- a/hosts/cube/grafana/default.nix
+++ b/hosts/cube/grafana/default.nix
@ -5,8 +5,14 @@ let

  fqdn = "metrics.${domain}";
 in serverSystemConfiguration {
-  age.secrets."cube/password.grafana".owner      = "grafana";
-  age.secrets."cube/password.mail.grafana".owner = "grafana";
+  age.secrets."hosts/cube/grafana/password" = {
+    file  = ./password.age;
+    owner = "grafana";
+  };
+  age.secrets."hosts/cube/grafana/password.mail" = {
+    file  = ./password.mail.age;
+    owner = "grafana";
+  };

  services.fail2ban.jails.grafana.settings = {
    filter       = "grafana";
@ -46,7 +52,7 @@ in serverSystemConfiguration {

    settings.security = {
      admin_email    = "metrics@${domain}";
-      admin_password = "$__file{${config.age.secrets."cube/password.grafana".path}}";
+      admin_password = "$__file{${config.age.secrets."hosts/cube/grafana/password".path}}";
      admin_user     = "admin";

      cookie_secure    = true;
@ -58,7 +64,7 @@ in serverSystemConfiguration {
    settings.smtp = {
      enabled = true;

-      password        = "$__file{${config.age.secrets."cube/password.mail.grafana".path}}";
+      password        = "$__file{${config.age.secrets."hosts/cube/grafana/password.mail".path}}";
      startTLS_policy = "MandatoryStartTLS";

      ehlo_identity = "contact@${domain}";
--- a/hosts/cube/grafana/password.age
+++ b/hosts/cube/grafana/password.age
--- a/hosts/cube/grafana/password.mail.age
+++ b/hosts/cube/grafana/password.mail.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw xkWa1fXAqQk5S+VNegGJpwGGDK0S3U+/QqPqSJgDUzI
+xQRrNt48YL6ueLKKN4VXZuwzP0wu7AykvShOTv06YVQ
+--- pEof9mZkQfWKgX5jrFGissq6m8/CvS7O2G52d/XbS8w
+Ñ,5 ÜK¬h×¾#s®(	‘z™_IipY/ð=¸£Ü¯øßRw•S“¹
--- a/hosts/cube/mail/default.nix
+++ b/hosts/cube/mail/default.nix
@ -5,6 +5,8 @@ let

  fqdn = "mail.${domain}";
 in serverSystemConfiguration {
+  age.secrets."hosts/cube/mail/password".file = ./password.age;
+
  services.prometheus = {
    exporters.postfix = enabled {
      port = 9040;
@ -72,7 +74,7 @@ in serverSystemConfiguration {
    loginAccounts."contact@${domain}" = {
      aliases = [ "@${domain}" ];

-      hashedPasswordFile = config.age.secrets."cube/password.hash.mail".path;
+      hashedPasswordFile = config.age.secrets."hosts/cube/mail/password".path;
    };
  };
 }
--- a/hosts/cube/mail/password.age
+++ b/hosts/cube/mail/password.age
--- a/hosts/cube/matrix-synapse/default.nix
+++ b/hosts/cube/matrix-synapse/default.nix
@ -35,8 +35,14 @@ let
  synapsePort = 8001;
  syncPort    = 8002;
 in serverSystemConfiguration {
-  age.secrets."cube/password.secret.matrix-synapse".owner = "matrix-synapse";
-  age.secrets."cube/password.sync.matrix-synapse".owner   = "matrix-synapse";
+  age.secrets."hosts/cube/matrix-synapse/password.secret" = {
+    file  = ./password.secret.age;
+    owner = "matrix-synapse";
+  };
+  age.secrets."hosts/cube/matrix-synapse/password.sync" = {
+    file  = ./password.sync.age;
+    owner = "matrix-synapse";
+  };

  services.postgresql = {
    ensureDatabases = [ "matrix-synapse" "matrix-sliding-sync" ];
@ -82,7 +88,7 @@ in serverSystemConfiguration {
    };

    # Sets registration_shared_secret.
-    extraConfigFiles = [ config.age.secrets."cube/password.secret.matrix-synapse".path ];
+    extraConfigFiles = [ config.age.secrets."hosts/cube/matrix-synapse/password.secret".path ];

    settings.listeners = [{
      port = synapsePort;
@ -109,7 +115,7 @@ in serverSystemConfiguration {
  }];

  services.matrix-sliding-sync = enabled {
-    environmentFile = config.age.secrets."cube/password.sync.matrix-synapse".path;
+    environmentFile = config.age.secrets."hosts/cube/matrix-synapse/password.sync".path;
    settings        = {
      SYNCV3_SERVER   = "https://${chatDomain}";
      SYNCV3_DB       = "postgresql:///matrix-sliding-sync?host=/run/postgresql";
--- a/hosts/cube/matrix-synapse/password.secret.age
+++ b/hosts/cube/matrix-synapse/password.secret.age
--- a/hosts/cube/matrix-synapse/password.sync.age
+++ b/hosts/cube/matrix-synapse/password.sync.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw qnll3AmLOYVpsLP78bOa0F20HjoN0dOFK2Rk/Ye5w24
+Gsmy22GHYX+0dlrUJalVlPXTWyzCz7q9W5gQza71XbA
+--- UQhQek9ss1w8rqxj7HQxh8H/uaIsTK5SIfxqCAe1xoQ
+ÈfÉ<>ZôržŽ–U¬Z'²P<C2B2>•‹<E280A2>~@þŽf ã‡5_<35>Ëcru<72>ùÒË/<£÷ÚQ°é|–fYŠ‹[‡rò^²<>SO6}Ð>
+d!ÈHkZõXr$j	[—\ín½‹…BüÃ(/ëÈÐÏ#
--- a/hosts/cube/nextcloud/default.nix
+++ b/hosts/cube/nextcloud/default.nix
@ -5,7 +5,10 @@ let

  fqdn = "cloud.${domain}";
 in serverSystemConfiguration {
-  age.secrets."cube/password.nextcloud".owner = "nextcloud";
+  age.secrets."hosts/cube/nextcloud/password" = {
+    file  = ./password.age;
+    owner = "nextcloud";
+  };

  services.postgresql = {
    ensureDatabases = [ "nextcloud" ];
@ -39,7 +42,7 @@ in serverSystemConfiguration {
    configureRedis = true;

    config.adminuser     = "admin";
-    config.adminpassFile = config.age.secrets."cube/password.nextcloud".path;
+    config.adminpassFile = config.age.secrets."hosts/cube/nextcloud/password".path;

    config.dbhost = "/run/postgresql";
    config.dbtype = "pgsql";
--- a/hosts/cube/nextcloud/password.age
+++ b/hosts/cube/nextcloud/password.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw 3QOn//uIWJTnBEVz3bn3s3yQlAeGDCynaJ4C+2Zi8iE
+AsPa4woWILuLVS0bvkLBddda9mQqJ9CS1hkWwhNrLg8
+--- 7XNX3eRRei1LrcRiQSLgHJ0OkYt145uDVq+gtN/A9tk
+\õ˜²KD r.'Q…î‰ø°ü<C2B0>¦”¡DöÕML3óIš•Çû½3ðì
--- a/hosts/cube/password.rgb.age
+++ b/hosts/cube/password.rgb.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw 5+B9syGilyIjTRiIbR/tQqIRZ5ZUax8gOIZR62lYGhw
+vTzxsGNvqnZKGkDHy2+gyIIPqLXZltVBzwEQ5HeuLO0
+--- eRFepEnDGHeb96HOq0kZOvILnQlL/WCf8fnVJbFHP8w
+iaõþëo'DÝÌ—êc[‰º\;m/¤ÖëKÝ‚Éù€ªðsÒê0óñ rð½û)Vàöh}–¬™Ïxhðâzq¡A}w¢ÚDª—Ù«V÷×P1jÛ›Ó%ÁµJ-
--- a/hosts/enka/default.nix
+++ b/hosts/enka/default.nix
@ -6,18 +6,21 @@

  time.timeZone = "Europe/Istanbul";

-  users.users.root.hashedPasswordFile = config.age.secrets."enka/password.hash.said".path;
+  age.secrets."hosts/enka/password.said".file  = ./password.said.age;
+  age.secrets."hosts/enka/password.orhan".file = ./password.orhan.age;
+
+  users.users.root.hashedPasswordFile = config.age.secrets."hosts/enka/password.said".path;

  users.users.said = graphicalUser {
    description        = "Said";
    extraGroups        = [ "wheel" ];
-    hashedPasswordFile = config.age.secrets."enka/password.hash.said".path;
+    hashedPasswordFile = config.age.secrets."hosts/enka/password.said".path;
    uid                = 1000;
  };

  users.users.orhan = graphicalUser {
    description        = "Orhan";
-    hashedPasswordFile = config.age.secrets."enka/password.hash.orhan".path;
+    hashedPasswordFile = config.age.secrets."hosts/enka/password.orhan".path;
    uid                = 1001;
  };

--- a/hosts/enka/password.orhan.age
+++ b/hosts/enka/password.orhan.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-rsa jPaU3Q
+M19jE1+l5CGuAbWy3AAhJcVtW9E1b8al9rgjSJ26ESewP5fipabiW8/KEA6QowU4
+NbFFu9Za0Sqo2ly5AS7kubYROCYQE238cZgMfVG15nFmIP1s3MY8hNZFaeJdjYJW
+W8SLTddBA5xWBzfNH2ZtW7KBICMgl5+mKAj35pB6qxcZjj274llFy8d8Xs0UsyDW
+4exLZdzbgCXC5JXVgZpOR0Ou0AdJPtHIxYmkaS+gjkr45fSo3XGSepxRw+SOlkV/
+0kQgyw5KPPNZZ9wXo89P4zponyWNqQCKPaxXbGJl44mKBXLxFSvCPjjuAZ7cZ+xn
+vd2ZcwztgLV84JT5pSJbUwjo6a5GrzOJ3/frxYgG4MK5foM8iyZ6cHFpNVeyOx/b
+IhfCdFc71+c+hfLpa1OETlKYEVYHDQ/nuAELAy81bfEa8OL1yh8q75gJZukgwWX8
+QEJLzwsN/496uBbFwwjj05R4feu35Iql1XLqOrTaixUA6uSdWjsnJscENFpchfzI
+
+--- 06pUnwHPhIIgovnUcakwOCjfK5Et4twJF8NChBf3G9o
+
àçg–0FÓ»ÄÍ±õ*¯›’ŠŽUö;¢ÄÇÍGK½sÏqH-ÞŒ-Mí«
v%Ç ¾o÷ºjdOx¸çCkìëÞÕÌçJrº‹ªeÑn±:ÿKãBÓMœ7’
--- a/hosts/enka/password.said.age
+++ b/hosts/enka/password.said.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-rsa jPaU3Q
+fNM8bL9QB/wvgB+MZOfWXDrPMCc/2bs3B5t1xgXe/Z6I0HXcnL/G1ipebvth/+Mr
+Wv6bMPgPPwrxvWaoC84PHTclp8kqsipTYO4r40cB5F7Yyq+oBOHlm3Kd1SGSPQQn
+FPCA0BxFhYQuHtQuqEdoMRZ5YxgoxWoso1gAAMzcnhac9HVK595F4HITpYzs453Q
+UTW+c1UigqvI70YNKo2jNSqAwJh2rA4EP/ivz5Y0fOv/WD8TpygbFdbFhvLZ4rBS
+NveQrMJcha/KArzu5cxYuQq+vF7ckGmPygGSMGkXCbb66ET8Mj/daBhfPfZ+nC+v
+eaBOlAJ4y+jUwajn3PlWelOjUTNoDHdp8I/xHtJs1avmlWhv8pdA/vR/61C0mApd
+39uzl2XsnvKQkqlE2CD618h1xsmXk9RDxzUzDuejO0Kv1Of7+SsR1Swk7IKaJQpB
+SzAfBCtnJxRsTIDVcBvqtb1cJiBgJt5/FFN8IGa9C0Hf3lFvB8qqR2BlwijhfGi/
+
+--- JmxH14QpQiLryhESgYyK4H7fpol168CbjecUwfnRFRM
+bd!<&Š¦<C5A0>-1e³ƒs”Äƒ¼{OqóG¡~Çû.c¸Šm‰u!Õ$(!/Ää¾aš§§æ´svz¡áw6ãCü¾êE2¢÷>ñ.xBÞb=€ËÿºÔ<C2BA>gjÎ<xàáýN