From d3d0ae8fcbb4911dae768b41b4fb10bced4dac6e Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Mon, 20 Jan 2025 20:57:53 +1100
Subject: [PATCH] refactor: move secrets off-shore
---
 flake.lock | 237 ++++++++++++++++--
 flake.nix | 9 -
 modules/nixos/base/admin.nix | 2 +-
 modules/nixos/base/default.nix | 1 -
 modules/nixos/base/distributed-builds.nix | 2 +-
 modules/nixos/base/nix.nix | 1 -
 modules/nixos/base/secrets.nix | 43 ----
 modules/nixos/server/services/ookflix/lib.nix | 10 +-
 .../services/ookflix/networking/gluetun.nix | 3 +-
 .../services/ookflix/networking/traefik.nix | 3 +-
 outputs/default.nix | 1 -
 outputs/images.nix | 6 +-
 outputs/keys.nix | 6 -
 outputs/lib/builders.nix | 10 +-
 secrets/containers/cf_creds.age | 19 --
 secrets/containers/vpn_env.age | Bin 1158 -> 0 bytes
 secrets/github_key.age | Bin 1260 -> 0 bytes
 secrets/keys.nix | 28 ---
 secrets/mullvad_wg.age | Bin 1232 -> 0 bytes
 secrets/ooknet_org.age | Bin 1259 -> 0 bytes
 secrets/secrets.nix | 12 -
 secrets/spotify_key.age | 17 --
 secrets/tailscale-auth.age | Bin 934 -> 0 bytes
 23 files changed, 231 insertions(+), 179 deletions(-)
 delete mode 100644 modules/nixos/base/secrets.nix
 delete mode 100644 outputs/keys.nix
 delete mode 100644 secrets/containers/cf_creds.age
 delete mode 100644 secrets/containers/vpn_env.age
 delete mode 100644 secrets/github_key.age
 delete mode 100644 secrets/keys.nix
 delete mode 100644 secrets/mullvad_wg.age
 delete mode 100644 secrets/ooknet_org.age
 delete mode 100644 secrets/secrets.nix
 delete mode 100644 secrets/spotify_key.age
 delete mode 100644 secrets/tailscale-auth.age
diff --git a/flake.lock b/flake.lock
index ae36e2d..b282215 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,22 +3,19 @@ "agenix": { "inputs": { "darwin": "darwin", - "home-manager": [ - "home-manager" - ], + "home-manager": "home-manager_2", "nixpkgs": [ + "secrets", "nixpkgs" ], - "systems": [ - "systems" - ] + "systems": "systems" }, "locked": { - "lastModified": 1723293904, - "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "lastModified": 1736955230, + "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", "owner": "ryantm", "repo": "agenix", - "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", "type": "github" }, "original": { @@ -27,6 +24,28 @@ "type": "github" } }, + "agenix-rekey": { + "inputs": { + "devshell": "devshell", + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs_4", + "pre-commit-hooks": "pre-commit-hooks_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1737124467, + "narHash": "sha256-askwM5GDYo4xy/UARNXUvn7lKERyNp31BcES/t4Ki2Y=", + "owner": "oddlama", + "repo": "agenix-rekey", + "rev": "27c5fc5b763321054832d0c96a9259d849b2f58a", + "type": "github" + }, + "original": { + "owner": "oddlama", + "repo": "agenix-rekey", + "type": "github" + } + }, "aquamarine": { "inputs": { "hyprutils": [ @@ -78,6 +97,7 @@ "darwin": { "inputs": { "nixpkgs": [ + "secrets", "agenix", "nixpkgs" ] @@ -97,6 +117,28 @@ "type": "github" } }, + "devshell": { + "inputs": { + "nixpkgs": [ + "secrets", + "agenix-rekey", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1728330715, + "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", + "owner": "numtide", + "repo": "devshell", + "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "firefox-addons": { "inputs": { "flake-utils": "flake-utils", 
@@ -136,6 +178,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -154,6 +212,28 @@ "type": "github" } }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "secrets", + "agenix-rekey", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1629284811, @@ -191,7 +271,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -229,6 +309,29 @@ "type": "github" } }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "secrets", + "agenix-rekey", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -249,6 +352,28 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "secrets", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "hyprcursor": { "inputs": { "hyprlang": [ @@ -892,6 +1017,22 @@ "type": "github" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1735471104, + "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nmd": { "flake": false, "locked": { @@ -2990,6 +3131,30 @@ "type": "github" } }, + "pre-commit-hooks_2": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": "gitignore_2", + "nixpkgs": [ + "secrets", + "agenix-rekey", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1735882644, + "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "rnix-lsp": { "inputs": { "naersk": "naersk", @@ -3012,7 +3177,6 @@ }, "root": { "inputs": { - "agenix": "agenix", "firefox-addons": "firefox-addons", "flake-parts": "flake-parts", "flake-utils": "flake-utils_2", @@ -3027,7 +3191,7 @@ "nixpkgs": "nixpkgs_2", "nvf": "nvf", "secrets": "secrets", - "systems": "systems", + "systems": "systems_2", "zjstatus": "zjstatus" } }, 
@@ -3076,6 +3240,8 @@ }, "secrets": { "inputs": { + "agenix": "agenix", + "agenix-rekey": "agenix-rekey", "flake-parts": [ "flake-parts" ], @@ -3087,11 +3253,11 @@ ] }, "locked": { - "lastModified": 1737094724, - "narHash": "sha256-PeNJWuk+zNrqCsrSbElfFmMP+R5E0uFaAgW9tWG03ag=", + "lastModified": 1737363899, + "narHash": "sha256-9W7+5Mx2J60I/s6mgq6iRcxIV06nrBr6KWzN55GWnYE=", "ref": "refs/heads/master", - "rev": "dbbf390c798a14bb316681e62fe56355d9ea88f6", - "revCount": 4, + "rev": "ec8227f9dacaef659249df279d6fd98776ebaeb6", + "revCount": 25, "type": "git", "url": "ssh://git@github.com/ooks-io/kunzen" }, @@ -3101,6 +3267,21 @@ } }, "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -3115,7 +3296,7 @@ "type": "github" } }, - "systems_2": { + "systems_3": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -3130,6 +3311,28 @@ "type": "github" } }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "secrets", + "agenix-rekey", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1735135567, + "narHash": "sha256-8T3K5amndEavxnludPyfj3Z1IkcFdRpR23q+T0BVeZE=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "9e09d30a644c57257715902efbb3adc56c79cf28", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1656928814, diff --git a/flake.nix b/flake.nix index 0034cd4..176273c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -26,15 +26,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - agenix = { - url = "github:ryantm/agenix"; - inputs = { - nixpkgs.follows = "nixpkgs"; - systems.follows = "systems"; - home-manager.follows = "home-manager"; - }; - }; - nix-index-db = { url = "github:nix-community/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/modules/nixos/base/admin.nix b/modules/nixos/base/admin.nix index 4a4e122..f3c5a61 100644 --- a/modules/nixos/base/admin.nix +++ b/modules/nixos/base/admin.nix @@ -1,10 +1,10 @@ { config, pkgs, - keys, ... }: let inherit (config.ooknet.host) admin; + inherit (config.ooknet.secrets) keys; ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; in { diff --git a/modules/nixos/base/default.nix b/modules/nixos/base/default.nix index 018ada6..ca1e4eb 100644 --- a/modules/nixos/base/default.nix +++ b/modules/nixos/base/default.nix @@ -7,7 +7,6 @@ ./admin.nix ./locale.nix ./options.nix - ./secrets.nix ./openssh.nix ./tailscale.nix ./networking.nix diff --git a/modules/nixos/base/distributed-builds.nix b/modules/nixos/base/distributed-builds.nix index 7b469d4..b125c8f 100644 --- a/modules/nixos/base/distributed-builds.nix +++ b/modules/nixos/base/distributed-builds.nix @@ -1,5 +1,4 @@ { - keys, config, lib, ... @@ -7,6 +6,7 @@ inherit (lib) mkIf; inherit (config.ooknet.host) admin; inherit (config.networking) hostName; + inherit (config.ooknet.secrets) keys; mkBuilderMachine = { host, diff --git a/modules/nixos/base/nix.nix b/modules/nixos/base/nix.nix index e144164..e83f449 100644 --- a/modules/nixos/base/nix.nix +++ b/modules/nixos/base/nix.nix @@ -23,7 +23,6 @@ in { defaultPackages = []; systemPackages = attrValues { inherit (pkgs) git deadnix statix; - inherit (inputs'.agenix.packages) default; }; # location of the configuration flake diff --git a/modules/nixos/base/secrets.nix b/modules/nixos/base/secrets.nix deleted file mode 100644 index 8de6673..0000000 
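Review bot: The `follows` overrides removed with the `agenix` input block in flake.nix are not re-established for the `agenix` that now arrives through the `secrets` input, and the lock in this same commit shows the consequence: a second home-manager (`home-manager_2`, lastModified 1703113217) pinned for agenix and a separate `nixpkgs_4` pinned for agenix-rekey. If one nixpkgs/home-manager in the closure is still the intent, the existing `secrets` declaration (outside this hunk) can carry nested overrides, e.g. `inputs.agenix.inputs.home-manager.follows = "home-manager";` and `inputs.agenix-rekey.inputs.nixpkgs.follows = "nixpkgs";`; whether kunzen's own nixpkgs already follows the root one is not visible here. The enclosing `inputs = { … }` set starts and ends outside the hunk.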
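Review bot: The new `inherit (config.ooknet.secrets) keys;` in admin.nix (and the identical line in distributed-builds.nix) ties every host evaluation to an `ooknet.secrets` option set that nothing in this repository defines; per outputs/lib/builders.nix in this commit it presumably comes from `inputs.secrets.nixosModules.secrets`, an SSH-only input, and any evaluation path that does not import that module will fail with a missing-attribute error rather than a clear message. A one-line comment on the new line would spare the next reader the search, e.g. `# keys (the attribute set formerly in secrets/keys.nix) is provided by the secrets flake's NixOS module, see outputs/lib/builders.nix`. The `let` block in both files continues outside the hunk.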
--- a/modules/nixos/base/secrets.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ - config, - lib, - self, - ... -}: let - inherit (lib) mkIf; - - inherit (config.ooknet) host; - inherit (host) admin; - inherit (config.services) tailscale transmission; -in { - age.identityPaths = [ - "/home/${admin.name}/.ssh/id_ed25519" - ]; - - age.secrets = { - tailscale-auth = mkIf tailscale.enable { - file = "${self}/secrets/tailscale-auth.age"; - mode = "444"; - }; - github_key = mkIf admin.homeManager { - file = "${self}/secrets/github_key.age"; - path = "/home/${admin.name}/.ssh/github_key"; - owner = "${admin.name}"; - group = "users"; - }; - ooknet_org = mkIf admin.homeManager { - file = "${self}/secrets/ooknet_org.age"; - path = "/home/${admin.name}/.ssh/ooknet_org"; - owner = "${admin.name}"; - group = "users"; - }; - spotify_key = mkIf admin.homeManager { - file = "${self}/secrets/spotify_key.age"; - owner = "${admin.name}"; - group = "users"; - }; - "mullvad_wg.conf" = mkIf transmission.enable { - file = "${self}/secrets/mullvad_wg.age"; - }; - }; -} diff --git a/modules/nixos/server/services/ookflix/lib.nix b/modules/nixos/server/services/ookflix/lib.nix index 77d0c2e..3cd0adb 100644 --- a/modules/nixos/server/services/ookflix/lib.nix +++ b/modules/nixos/server/services/ookflix/lib.nix @@ -132,14 +132,6 @@ }; }; - mkServiceSecret = name: service: { - ${name} = { - file = "${self}/secrets/containers/${name}.age"; - owner = cfg.services.${service}.user.name; - group = cfg.services.${service}.group.name; - }; - }; - mkNetworkService = name: _network: nameValuePair "podman-network-${name}" { description = "Podman network ${name} for ookflix"; 
@@ -151,5 +143,5 @@ }; }; in { - inherit mkServiceStateFile mkServiceSecret mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption mkNetworkService; + inherit mkServiceStateFile mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption mkNetworkService; } diff --git a/modules/nixos/server/services/ookflix/networking/gluetun.nix b/modules/nixos/server/services/ookflix/networking/gluetun.nix index 4131a93..91f500e 100644 --- a/modules/nixos/server/services/ookflix/networking/gluetun.nix +++ b/modules/nixos/server/services/ookflix/networking/gluetun.nix @@ -6,14 +6,13 @@ ... }: let ookflixLib = import ../lib.nix {inherit self lib config;}; - inherit (ookflixLib) mkServiceUser mkServiceSecret; + inherit (ookflixLib) mkServiceUser; inherit (lib) mkIf; inherit (ook.lib.container) mkContainerEnvironment; inherit (config.ooknet.server.ookflix.services) qbittorrent gluetun; in { config = mkIf gluetun.enable { users = mkServiceUser gluetun.user.name; - age.secrets = mkServiceSecret "vpn_env" "gluetun"; virtualisation.oci-containers.containers = { # vpn container gluetun = mkIf gluetun.enable { diff --git a/modules/nixos/server/services/ookflix/networking/traefik.nix b/modules/nixos/server/services/ookflix/networking/traefik.nix index 2adae8c..c976e7e 100644 --- a/modules/nixos/server/services/ookflix/networking/traefik.nix +++ b/modules/nixos/server/services/ookflix/networking/traefik.nix @@ -6,7 +6,7 @@ ... }: let ookflixLib = import ../lib.nix {inherit self lib config;}; - inherit (ookflixLib) mkServiceUser mkServiceSecret mkServiceStateDir mkServiceStateFile; + inherit (ookflixLib) mkServiceUser mkServiceStateDir mkServiceStateFile; inherit (lib) mkIf; inherit (ook.lib.container) mkContainerEnvironment mkContainerLabel mkContainerPort; inherit (config.ooknet) server; 
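Review bot: With `mkServiceSecret` removed, the `${self}` interpolation it held was the only use of `self` visible in lib.nix, yet gluetun.nix and traefik.nix still import it with `{inherit self lib config;}`; if the part of lib.nix outside these hunks does not use `self`, `deadnix` (installed system-wide by nix.nix) will flag the unused argument and the two import sites could drop it. The rewritten `inherit` line is also one very long line; listing one name per line would keep a future removal like this one to a one-line diff. The enclosing `let … in` starts outside the hunk.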
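Review bot: Dropping `age.secrets = mkServiceSecret "vpn_env" "gluetun";` also drops the `owner`/`group` the deleted helper set to the gluetun service user; the container definition below this hunk is not shown, but if it still reads the decrypted `vpn_env` file, the replacement declaration in the secrets flake has to keep the same secret name and the same owner or the container's user loses read access. The same applies to `cf_creds` and the traefik user in traefik.nix. A pointer at the removal site, e.g. `# vpn_env is declared by the secrets flake's module (owner must stay gluetun.user.name)`, would record where the declaration moved. The `config = mkIf gluetun.enable { … }` block continues outside the hunk.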
@@ -19,7 +19,6 @@ in { traefikStateDir = mkServiceStateDir "traefik"; traefikAcmeFile = mkServiceStateFile "traefik" "acme.json"; }; - age.secrets = mkServiceSecret "cf_creds" "traefik"; virtualisation.oci-containers.containers = { # vpn container traefik = mkIf traefik.enable { diff --git a/outputs/default.nix b/outputs/default.nix index 2a45066..8104347 100644 --- a/outputs/default.nix +++ b/outputs/default.nix @@ -4,7 +4,6 @@ ./lib ./hozen ./hosts - ./keys.nix ./pkgs ./images.nix ./devshells diff --git a/outputs/images.nix b/outputs/images.nix index 3b20e5e..8e15f51 100644 --- a/outputs/images.nix +++ b/outputs/images.nix @@ -1,8 +1,4 @@ -{ - ook, - self, - ... -}: { +{self, ...}: { flake.images = { ooknode = self.nixosConfigurations.ooknode.config.system.build.image; }; diff --git a/outputs/keys.nix b/outputs/keys.nix deleted file mode 100644 index 7c84285..0000000 --- a/outputs/keys.nix +++ /dev/null @@ -1,6 +0,0 @@ -let - keys = import ../secrets/keys.nix; -in { - perSystem._module.args.keys = keys; - flake.keys = keys; -} diff --git a/outputs/lib/builders.nix b/outputs/lib/builders.nix index ae85425..0c9677a 100644 --- a/outputs/lib/builders.nix +++ b/outputs/lib/builders.nix @@ -7,9 +7,9 @@ inherit (inputs) nixpkgs; inherit (lib) singleton recursiveUpdate mkDefault; inherit (builtins) concatLists; - inherit (self) hozen keys ook; + inherit (self) hozen ook; + inherit (inputs.secrets.nixosModules) secrets; hm = inputs.home-manager.nixosModules.home-manager; - agenix = inputs.agenix.nixosModules.default; nixosModules = "${self}/modules/nixos"; baseModules = nixosModules + "/base"; hardwareModules = nixosModules + "/hardware"; @@ -22,7 +22,7 @@ (baseModules + "/admin.nix") (baseModules + "/ssh.nix") ]; - core = [baseModules hardwareModules consoleModules appearanceModules hm agenix]; + core = [baseModules hardwareModules consoleModules appearanceModules hm secrets]; hostModules = "${self}/hosts"; mkNixos = nixpkgs.lib.nixosSystem; 
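Review bot: Putting `secrets` (`inputs.secrets.nixosModules.secrets`) into `core` makes fetching `ssh://git@github.com/ooks-io/kunzen` (per the lock) a precondition for evaluating every host, so a checkout without that deploy key can no longer evaluate or build anything; a comment on the `inherit (inputs.secrets.nixosModules) secrets;` line naming that requirement would help. Separately, the `.age` ciphertexts and the `secrets/keys.nix` recipient list this commit deletes remain in this repository's git history; age ciphertext is only as confidential as the recipients' private keys (the deleted secrets.nix decrypted with the admin's `~/.ssh/id_ed25519`), so rotating the moved credentials, or rewriting history before the repository is shared, is the usual follow-up. Whether the new `secrets` module also imports agenix's NixOS module, which the removed `agenix = inputs.agenix.nixosModules.default;` used to supply, is not visible here. The `let` block starts and ends outside the hunk.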
@@ -44,7 +44,7 @@ mkNixos { specialArgs = recursiveUpdate { - inherit hozen ook keys lib inputs self inputs' self'; + inherit hozen ook lib inputs self inputs' self'; } specialArgs; modules = concatLists [ @@ -123,7 +123,7 @@ ... }: mkNixos { - specialArgs = {inherit keys inputs lib self;}; + specialArgs = {inherit inputs lib self;}; modules = concatLists [ (singleton { networking.hostName = hostname; diff --git a/secrets/containers/cf_creds.age b/secrets/containers/cf_creds.age deleted file mode 100644 index 702af9d..0000000 --- a/secrets/containers/cf_creds.age +++ /dev/null @@ -1,19 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 xeHnUA orzYvtHssnqm5RxM5aa2/9C8WE+b71dDA2I2Xazhc2k -zkiBhnB7MdSIxrT/Sh14pHGU9ipGkBrrhNrHjW6lbJw --> ssh-ed25519 6HvatA tABXMcWyBkSJWrl3MM76eJGJSU0XKQTG6lmFWIS/qxs -ZZ3PYHKqbbdz0kDCTXhQBGCnWGsXLqZmdNjlWpT8SY4 --> ssh-ed25519 3DwG4w GUdLU60u2plRSDoFkAoNep5USX5Lj6jLrIQHzxYyPkI -5dnetJBkJeSe12iczuOMnJO8K0gkB5qhPL1UbGAslzI --> ssh-ed25519 Nn8WxA wnQzj5PqL1EoXisYGabcHzChGBZWvis+CSTE+6eCMEk -fw4XLdF7kIIWBVVDu3DBxtxdYxBSsXozpJQ7p0No8I4 --> ssh-ed25519 Gd+9pg TIdiOlNUhp4fkQPQi3PItzVBssM1TxoDYZNCB0GYryw -Ch+pJ6BEO/oUTeUn3t8qaiVuLaRgf9GUO4jpAgnJstY --> ssh-ed25519 eMj+Jg 83Cbf9k7T0DRcE7hFchQWEj/pR+qNGTLIdXDmbWMeT4 -PqOzucTkTSQg92Vd8ZMLX6cDKyESCE4v9VVHJlAfFyg --> ssh-ed25519 MQ/7Ew f4axkHyjiTOsbiYu90MAirHKoB9S70dK11JDtMKmSkc -Rb2+dIewpW0bL+qJtAxIgVAyWqTDZI9dcwMQR/0pg3s --> ssh-ed25519 3DwG4w FYRpJ1zJZmOil2/X+URrw03KXZk7qZoMO1/P+BJGCxo -SRBJ/FOUbisy7Dhd5tXd4fN8HWM95L6oDQOjzmM5St8 ---- /7SydLy/XxsnVqTD5ffym1MnyKzVyvvhIbazmf4oB18 -49aCrB"e5n9uF?ykbDB+͙DbHb^͝LӻV*^˖LϙJ8_6S$+K:$ \ No newline at end of file 
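Review bot: The second `mkNixos` call (around line 123) drops `keys` from `specialArgs`, but its `modules` list lies outside this hunk and is not shown to include the `secrets` module; if that builder assembles hosts from the `(baseModules + "/admin.nix")` list rather than `core`, admin.nix's new `inherit (config.ooknet.secrets) keys;` fails to evaluate there. Confirm and, if needed, add `secrets` to that builder's module list as well. The enclosing function starts and ends outside the hunk.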
diff --git a/secrets/containers/vpn_env.age b/secrets/containers/vpn_env.age deleted file mode 100644 index 346dda6c48e63b5f02e64cdabf9b9609d1cf9062..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1158 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyNcG4IbyNuO_s*(H zObstJNOp{H4mQd#^s)JoBtJXUBi%A8T|3Y}FqA8!z}VbfTR$-{BEz{br6|kPSKBYF zyd*O}IoQG{)1x%AEXBK^$k9BsG#TACW0!JwlX8Vjvv5O`;9$gNme^*0`DyO{2 zEJ#-{i1Kzd3MdP!%yx6kx2#Cs zE!8(m+bdncEi}X}z{w!OKg6>*Am2FIz)U+hA}!n`!pSMnrQFTWGFLmwD?Ft%DKDKX z!nD}9B+)XzSUb=#H6q79B-=S4E7`oXyg0EU%-74;!`!1pJ1{q`FbczOzJdDYuH_0& zMxpv?{?5r>E`_G1!KQx6nZ<_w5xK?M0paH1L4oFJNiNwX`q~90#>rf+IR*Jq9^rl- zJ|(G0!ZHp^-t!kz5?k{z5wqkL_rAUi_Ku8%K%Or=wPOJ9c{=+V$hN(%d5x z`-&59?*8j)*ZDw8`=BPKQ7b#)c=1C5Q#Dhy1t4T~!> zBBH!YOT7b1^DRPBirg#{y&|HLiXB5sO)I>N{XMyCJq^#PTb`X4&3I|cekPL;79Ydp zW9xrke{f*pzprhbEGD0|v^NE?i0l=<^!D9jor!FRX16bmKESoL=roT>%ESpD&4U-)F6s;MTIir1c_GF& zC(d_OSSRP{CXJ3X@ZjyV4IetYn}$D(O1 zv$?B9jA#Gh?Q+d{ef{P6**Ah#uy(IEFW$P;`O;U;N#XT!oz}t4t&M6$lD&mt%q_b= z*PT~P@v!TW{%+ZG%)2i13P*5C)*ho1Vo&)c>X^8mH6?!DDt_kA`r|x~5|)>(ZSM;i z7fw2?u)S}aoLXOwrfBR_u19vSSQ?(~61!9X;E3@(qdhstmCx-df8euh=$e`1^_zS)FuD` diff --git a/secrets/keys.nix b/secrets/keys.nix deleted file mode 100644 index 59036c6..0000000 --- a/secrets/keys.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -let - users = { - ooks = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx2kNirkcFrNji+qz7KX+zdRxpgJyOwK0vyBrx9Ae3c"; - }; - - hosts = { - ooksdesk = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn3ff3HaZHIyH4K13k8Mwqu/o7jIABJ8rANK+r2PfJk"; - ooksmedia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ttz1jTy+byfzi874vogy3ZPLW9+8W2o512tdsqUUV"; - ookst480s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWFZwTuHIITHa7s4Zp6KPF2suZIMXZbe085OiG0GRh5"; - ooksphone = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINredx07UAk2l1wUPujYnmJci1+XEmcUuSX0DIYg6Vzz"; - ooksmicro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUSu2iy3GvMXT5eEDAymIwSQe8UuVG5GH5FJ408JiG4"; - ooksx1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBR6Cyx64Qjth/4aS2x95scEkfiOnsCzufMZW5e41bfE"; - }; - - workstations = [ - hosts.ooksdesk - hosts.ooksmedia - hosts.ookst480s - hosts.ooksphone - hosts.ooksmicro - hosts.ooksx1 - ]; - servers = [ - hosts.ooksmedia - ]; -in { - inherit users servers hosts workstations; -} 
diff --git a/secrets/mullvad_wg.age b/secrets/mullvad_wg.age deleted file mode 100644 index 0c86499e9af1f4167f61364512758322f4c37554..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1232 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyNcG4IbyP@BHOokk z^7OOx&MOP9sPOO&FfR5mNb`5{PcL-wFmMiVuQJPVb+2;Ca^x!VhzvHfFf@ruDNGJ? zbk}!EN(}ZY_6hd#^YnEOO$*Des&I7l%s2B3az(ez%%d!^#8JUKDJ@IeOFPH7D%344 zASKi(IH1@qDA_D8H`1cmwb0ihB_Jff$loZ_DU>Taz_Z+=Dmg;m*Ds?yy~sJqGTG6r zAh^gSsJuL_JijW@Ak^C^JvlYf0K+z8mvVQLas{7K$Edu@ypoJWqpb4mY}W$M^c-Jp zgMfVPK>rM5{Z#!R&s_fquMCe0Pp*i{w0xudTmy6WqSCUI5NBgpb285Zp zRd|G!<(jy7SU6_7mvecUx%gDMm{dl3hm^Q^YWqc)B^jGX6?)}|8}%W)zU-l2+_g9bgh17U5ZFo~|9{pInfh?N}0(X6|C*SY=w~6zXiAY@TDBmW*y& zs&AIISGs~2bP6p_BL3m!VX+%+GhLfXdgfCZ#Q$TQuqf1FjRbHe~TBM(OX<=@8 zS#n}|Nno~*wrjY1jzw6QWpP%fS2~xjuC79$bCg%UUv9WdiIY!Kfn`-jh*xM1kx6BsV=|Y#v95FYUZKitqb=v0J8XF(>h?``3cYgokK7N#$1XxV z2N#!zI-R`4|3bybkwL70bK^bN>ovCBZLfEkgl=o?+*>8HV2hdmhdj#(s&C?AV;XO? zH^t~r;R|4LO6+V%l0MtGVe@%4d4?MvWlXEtwjH-@n6hFPOCzh6<4U6x-HMHy8(v;H z`Ic>)#tGB3OE*NW7e6R#$=xMejv;8-z}uJ!iUmdtcY-6;;jA(%+BW>{&UvSe*OV zU)ieuxRr_;GfrCyulw|&WHzHT=U4UrM`s=N*6VDTFv0it52HPSn|YLlRJ0~ZYlu02`&bLI3~& 
diff --git a/secrets/ooknet_org.age b/secrets/ooknet_org.age deleted file mode 100644 index e957cac827c9731cfceeb3c380ab8b9ed2ad5ad8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1259 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyNcG4IbyTQu&+yFf z(GT%Wa>+<9(+=^r3@-EVO)@D>w=hqM$Z?BGGs-A-DGV?T59RVSNl#5rG4^ox$n?(+ zFVA%`&(1SWvdjo7DNMV zBtO+4u{_z$u`<}u%d8~d(BG?~G{D`z$Sv47J)bKoG|{EfNk2^6-NMm8JJ&hK(Y4Ij zG9ol5-O?yDSvxet*frJFFx0%TG!)%7W0!JwlX8WO%uqu!Z~bHwW50mPz>q|jV8f6w z*ZfkSRPXd+%fuwNl7fOnN1w7n_du>l*CLmKken3%z{>Q@ET1gz3~#UEe3wGM$RbC- z^z!1wjB?+^GIKY5i*$6`{PHZqD;yQFQamlaf-`f|0+Pytj7w9B-P3ZT3_Jn@y+fm_ zObtCF9n&fb3cQPba(ubc%FJ_&JoJ52L(9yJ%ah78Q^LygBD9UFd_tVHJqo;Ca!iZN z^S!gRvoUOQPtmq4NLL8;Fmwt^FO4cN%kWApF->wz^K{R3HFq+rs`PdAPD&3CO>r!X z^fR?c59Eq4&MF9V&Wj2(35!fDEK2p!&koB9E=lny4b3x(@`}ocNXsjT%5yCAEl2lT zs&AIISGq!KwrhS)RknXrse77>N3LFz}(N!jk9iMi$#+Ky=+ZdnxtNja5)g+WCw`XR3FNv>SFy1EK}h3Tewe#NF~UQUVW zuEmw9IaLN(p^;u8M&`an{%+>QhLIJah9;gB-ho^Tq{~%1w6^+7vH$-6Q|?);NC{UH zv!{vVv(x3=$^mz_SUa4%^ZClBne&>$oHuR@5S&zf=)w${XP0j;DbraRwRz!zg=>sA zduPSF?oHgymCVxVa!Bx?Q*VQg8E2d46RiVsNjm!fUiNL=ov~gwW%t|AklU@Za;7J( zWawVjzyDp)b(TPh+jc#3bzFDOOSoxsFZ|_vPn%6Fob3@;I(EMMvaEvTiqPs88&+nX zc=W0`TgO>_?(=}wJ9QowA!&>GQ#HPw)QwYL$!Vml!O@!ZY}Kr0hBB55i5Jq=_Hr{d;iul~ySh`VwBKXCl~BaTn{X0t3D z8YKkUb&HQiW-=Yy^SgP|nK0>PlLA_pE6XE3rpsFKuFY;z*b^7FqHTTl!AUD8E;;o3 z*}||!J;TJNF77`SDQhIo)?Ig!o%H9);tjnkBrHz<<1ckKHHu1W^_jfm_3B#_3XArA zQM+xm?`xHJUX#Ffk3*JUowgTtWqRm!-mT&4KIl*|aTU|n66H%>A6ch)?3*R<`kH=v I{;T&o00NKPF8}}l diff --git a/secrets/secrets.nix b/secrets/secrets.nix deleted file mode 100644 index d48d549..0000000 --- a/secrets/secrets.nix +++ /dev/null 
@@ -1,12 +0,0 @@ -let - keys = import ./keys.nix; - inherit (keys) users workstations servers; -in { - "tailscale-auth.age".publicKeys = [users.ooks] ++ workstations; - "github_key.age".publicKeys = [users.ooks] ++ workstations; - "spotify_key.age".publicKeys = [users.ooks] ++ workstations; - "ooknet_org.age".publicKeys = [users.ooks] ++ workstations; - "mullvad_wg.age".publicKeys = [users.ooks] ++ workstations ++ servers; - "containers/vpn_env.age".publicKeys = [users.ooks] ++ workstations ++ servers; - "containers/cf_creds.age".publicKeys = [users.ooks] ++ workstations ++ servers; -} diff --git a/secrets/spotify_key.age b/secrets/spotify_key.age deleted file mode 100644 index 06f0b6b..0000000 --- a/secrets/spotify_key.age +++ /dev/null 
@@ -1,17 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 xeHnUA +isoneTG5GTQVZ2mkNWJMApJL0EbtlRg2lE7CFPVs0o -b0katAQ3DeRRTZZKzexJMM5JtcqY6pPpz1Z017ZmVBw --> ssh-ed25519 6HvatA Knq4A7wvjmXnWAikVSbv9BALW7f0lph2bQsiyUcilSo -SFHeWqjVO5jxnNW0cgE9qJrg0xG8SkEfZ87GpE77EZ8 --> ssh-ed25519 3DwG4w j7k+whyqKrKrkQCIMkOHl+EpCsIlJqtfqBShCc1ZGkk -vLwteoZ9DvjAecJJhPzcXvnMVsKWEDwHiL76fm2PTC0 --> ssh-ed25519 Nn8WxA ENSIpye6C7RaxwmUQP4fGD3NZ/mXh7Q0gyNsdvEGyxU -zhKepo7NqWe4NVTRcTcqKJavgZdHAXi5TK8nsHqRJNA --> ssh-ed25519 Gd+9pg wlz2TZrZVdNz9yBugvydWeUgc/430iOPpDP3+aJ0nDo -ST+uLYDvOg95qXN86vsvKmlr56sttg7Z7l4OAJfgytI --> ssh-ed25519 eMj+Jg XP+CWaVkKTzptg2lpmPcT0d+K3JoDTfmFjpyKouqwXk -WGrv56kthwxT88xXSyaPecLklfumxva9RxCoFNZwVTU --> ssh-ed25519 MQ/7Ew XgTs4XL6bGspzSFdT2IW4BW3MPjdP0YiLQqo0SDR+EI -18MBJWrgjk3J58EPZjwW/OwAo3bKG+jHztowqQeYG5M ---- nxPnfZNn24Q70LqqEO2Mo76xPcaBuZ7OEYXTO0Ac/wk -4V+_1Fs;an z2y(9sbuKB-G0n(wHBK=w4l;Dita2-Jt#H*3bIne74%YTa59M+X%kqxYcMlITFwb&H zb~i{0cehA2(00-H2upJDPbn!%at+OoNUq8)cSN_%%%d!^#8DwASwE`0z|z~#vBbrx zq%7FmGAy7tF~riyA}KW6H_Fq;E5ax#qdY$(B$O*MGcP>dAX(ef+rZmD(9grkBrnaP zqAIv7%F)T+!pt{4&CDaPtR%`M0K+z8mvVQLa)t67NAD2FVDq937w^DGgR0~-Z4b+g zL~}zA*GeyoL>HI5aQBP=gOE~pUoNw7(@+cjqH@>pl(Imxa+kzH^C|;J%ZSv}48LSw ze~sw}2IJxEerke(Yxh3UVdZedh=LDx&7G#_G zMEX=1`=Z0Ra?5*e80S`}QBn-Wx6U~Fh&8s?iBTIN#d z9#!b>me1vurCs2eCd3aH2lC!5}iBZ0Ocvz)pgqx|CYh+|dSXjEYvnN-Y zenC!go^M`JVMUTxl}E9EQdq8gg_om2k&9WltG;_$PM~K>Sypj|zX`f+zJdDYuH_2O zS>AqYBX@0KhWl=t1 zDVf^A9)%VGPRUi4?g7aLCZ?6C{$_zW#bw!s#^HITnI>Giy1EMC`C+;KS%HN{=0yfR z9+s9NNm1#J#^nW7IfjKfmX7Wg-mW=SZowrkmcCpJ?+?oxibR!W&r7}}dBSMx`a@sO zi>0&eQI}TGH~$l4d_I1C$l2za@2AUk4~W<2t(#Vt+gAHsC2!{Me+5rh-fT^sm&>`- e+as6R-#>GLkjDPT_{%28_VTd@P2u%nTm%3caWo|W