ooks/ooknet
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: move secrets off-shore

Browse source
This commit is contained in:
ooks-io 2025-01-20 20:57:53 +11:00
parent 0ecc1cbf40
commit d3d0ae8fcb
23 changed files with 231 additions and 179 deletions
Download patch file Download diff file Expand all files Collapse all files

237
flake.lock generated
View file

@ -3,22 +3,19 @@
"agenix": { "agenix": {
"inputs": { "inputs": {
"darwin": "darwin", "darwin": "darwin",
"home-manager": [ "home-manager": "home-manager_2",
"home-manager"
],
"nixpkgs": [ "nixpkgs": [
"secrets",
"nixpkgs" "nixpkgs"
], ],
"systems": [ "systems": "systems"
"systems"
]
}, },
"locked": { "locked": {
"lastModified": 1723293904, "lastModified": 1736955230,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -27,6 +24,28 @@
"type": "github" "type": "github"
} }
}, },
"agenix-rekey": {
"inputs": {
"devshell": "devshell",
"flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs_4",
"pre-commit-hooks": "pre-commit-hooks_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1737124467,
"narHash": "sha256-askwM5GDYo4xy/UARNXUvn7lKERyNp31BcES/t4Ki2Y=",
"owner": "oddlama",
"repo": "agenix-rekey",
"rev": "27c5fc5b763321054832d0c96a9259d849b2f58a",
"type": "github"
},
"original": {
"owner": "oddlama",
"repo": "agenix-rekey",
"type": "github"
}
},
"aquamarine": { "aquamarine": {
"inputs": { "inputs": {
"hyprutils": [ "hyprutils": [
@ -78,6 +97,7 @@
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"secrets",
"agenix", "agenix",
"nixpkgs" "nixpkgs"
] ]
@ -97,6 +117,28 @@
"type": "github" "type": "github"
} }
}, },
"devshell": {
"inputs": {
"nixpkgs": [
"secrets",
"agenix-rekey",
"nixpkgs"
]
},
"locked": {
"lastModified": 1728330715,
"narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "numtide",
"repo": "devshell",
"rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"firefox-addons": { "firefox-addons": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
@ -136,6 +178,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
@ -154,6 +212,28 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"secrets",
"agenix-rekey",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1629284811, "lastModified": 1629284811,
@ -191,7 +271,7 @@
}, },
"flake-utils_3": { "flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
@ -229,6 +309,29 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_2": {
"inputs": {
"nixpkgs": [
"secrets",
"agenix-rekey",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -249,6 +352,28 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_2": {
"inputs": {
"nixpkgs": [
"secrets",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"hyprcursor": { "hyprcursor": {
"inputs": { "inputs": {
"hyprlang": [ "hyprlang": [
@ -892,6 +1017,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": {
"locked": {
"lastModified": 1735471104,
"narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nmd": { "nmd": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -2990,6 +3131,30 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks_2": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore_2",
"nixpkgs": [
"secrets",
"agenix-rekey",
"nixpkgs"
]
},
"locked": {
"lastModified": 1735882644,
"narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"rnix-lsp": { "rnix-lsp": {
"inputs": { "inputs": {
"naersk": "naersk", "naersk": "naersk",
@ -3012,7 +3177,6 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"firefox-addons": "firefox-addons", "firefox-addons": "firefox-addons",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_2",
@ -3027,7 +3191,7 @@
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nvf": "nvf", "nvf": "nvf",
"secrets": "secrets", "secrets": "secrets",
"systems": "systems", "systems": "systems_2",
"zjstatus": "zjstatus" "zjstatus": "zjstatus"
} }
}, },
@ -3076,6 +3240,8 @@
}, },
"secrets": { "secrets": {
"inputs": { "inputs": {
"agenix": "agenix",
"agenix-rekey": "agenix-rekey",
"flake-parts": [ "flake-parts": [
"flake-parts" "flake-parts"
], ],
@ -3087,11 +3253,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1737094724, "lastModified": 1737363899,
"narHash": "sha256-PeNJWuk+zNrqCsrSbElfFmMP+R5E0uFaAgW9tWG03ag=", "narHash": "sha256-9W7+5Mx2J60I/s6mgq6iRcxIV06nrBr6KWzN55GWnYE=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "dbbf390c798a14bb316681e62fe56355d9ea88f6", "rev": "ec8227f9dacaef659249df279d6fd98776ebaeb6",
"revCount": 4, "revCount": 25,
"type": "git", "type": "git",
"url": "ssh://git@github.com/ooks-io/kunzen" "url": "ssh://git@github.com/ooks-io/kunzen"
}, },
@ -3101,6 +3267,21 @@
} }
}, },
"systems": { "systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": { "locked": {
"lastModified": 1689347949, "lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -3115,7 +3296,7 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": { "systems_3": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -3130,6 +3311,28 @@
"type": "github" "type": "github"
} }
}, },
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"secrets",
"agenix-rekey",
"nixpkgs"
]
},
"locked": {
"lastModified": 1735135567,
"narHash": "sha256-8T3K5amndEavxnludPyfj3Z1IkcFdRpR23q+T0BVeZE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9e09d30a644c57257715902efbb3adc56c79cf28",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"utils": { "utils": {
"locked": { "locked": {
"lastModified": 1656928814, "lastModified": 1656928814,

9
flake.nix
View file

@ -26,15 +26,6 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
agenix = {
url = "github:ryantm/agenix";
inputs = {
nixpkgs.follows = "nixpkgs";
systems.follows = "systems";
home-manager.follows = "home-manager";
};
};
nix-index-db = { nix-index-db = {
url = "github:nix-community/nix-index-database"; url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";

2
modules/nixos/base/admin.nix
View file

@ -1,10 +1,10 @@
{ {
config, config,
pkgs, pkgs,
keys,
... ...
}: let }: let
inherit (config.ooknet.host) admin; inherit (config.ooknet.host) admin;
inherit (config.ooknet.secrets) keys;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in { in {

1
modules/nixos/base/default.nix
View file

@ -7,7 +7,6 @@
./admin.nix ./admin.nix
./locale.nix ./locale.nix
./options.nix ./options.nix
./secrets.nix
./openssh.nix ./openssh.nix
./tailscale.nix ./tailscale.nix
./networking.nix ./networking.nix

2
modules/nixos/base/distributed-builds.nix
View file

@ -1,5 +1,4 @@
{ {
keys,
config, config,
lib, lib,
... ...
@ -7,6 +6,7 @@
inherit (lib) mkIf; inherit (lib) mkIf;
inherit (config.ooknet.host) admin; inherit (config.ooknet.host) admin;
inherit (config.networking) hostName; inherit (config.networking) hostName;
inherit (config.ooknet.secrets) keys;
mkBuilderMachine = { mkBuilderMachine = {
host, host,

1
modules/nixos/base/nix.nix
View file

@ -23,7 +23,6 @@ in {
defaultPackages = []; defaultPackages = [];
systemPackages = attrValues { systemPackages = attrValues {
inherit (pkgs) git deadnix statix; inherit (pkgs) git deadnix statix;
inherit (inputs'.agenix.packages) default;
}; };
# location of the configuration flake # location of the configuration flake

43
modules/nixos/base/secrets.nix
View file

@ -1,43 +0,0 @@
{
config,
lib,
self,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet) host;
inherit (host) admin;
inherit (config.services) tailscale transmission;
in {
age.identityPaths = [
"/home/${admin.name}/.ssh/id_ed25519"
];
age.secrets = {
tailscale-auth = mkIf tailscale.enable {
file = "${self}/secrets/tailscale-auth.age";
mode = "444";
};
github_key = mkIf admin.homeManager {
file = "${self}/secrets/github_key.age";
path = "/home/${admin.name}/.ssh/github_key";
owner = "${admin.name}";
group = "users";
};
ooknet_org = mkIf admin.homeManager {
file = "${self}/secrets/ooknet_org.age";
path = "/home/${admin.name}/.ssh/ooknet_org";
owner = "${admin.name}";
group = "users";
};
spotify_key = mkIf admin.homeManager {
file = "${self}/secrets/spotify_key.age";
owner = "${admin.name}";
group = "users";
};
"mullvad_wg.conf" = mkIf transmission.enable {
file = "${self}/secrets/mullvad_wg.age";
};
};
}

10
modules/nixos/server/services/ookflix/lib.nix
View file

@ -132,14 +132,6 @@
}; };
}; };
mkServiceSecret = name: service: {
${name} = {
file = "${self}/secrets/containers/${name}.age";
owner = cfg.services.${service}.user.name;
group = cfg.services.${service}.group.name;
};
};
mkNetworkService = name: _network: mkNetworkService = name: _network:
nameValuePair "podman-network-${name}" { nameValuePair "podman-network-${name}" {
description = "Podman network ${name} for ookflix"; description = "Podman network ${name} for ookflix";
@ -151,5 +143,5 @@
}; };
}; };
in { in {
inherit mkServiceStateFile mkServiceSecret mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption mkNetworkService; inherit mkServiceStateFile mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption mkNetworkService;
} }

3
modules/nixos/server/services/ookflix/networking/gluetun.nix
View file

@ -6,14 +6,13 @@
... ...
}: let }: let
ookflixLib = import ../lib.nix {inherit self lib config;}; ookflixLib = import ../lib.nix {inherit self lib config;};
inherit (ookflixLib) mkServiceUser mkServiceSecret; inherit (ookflixLib) mkServiceUser;
inherit (lib) mkIf; inherit (lib) mkIf;
inherit (ook.lib.container) mkContainerEnvironment; inherit (ook.lib.container) mkContainerEnvironment;
inherit (config.ooknet.server.ookflix.services) qbittorrent gluetun; inherit (config.ooknet.server.ookflix.services) qbittorrent gluetun;
in { in {
config = mkIf gluetun.enable { config = mkIf gluetun.enable {
users = mkServiceUser gluetun.user.name; users = mkServiceUser gluetun.user.name;
age.secrets = mkServiceSecret "vpn_env" "gluetun";
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
# vpn container # vpn container
gluetun = mkIf gluetun.enable { gluetun = mkIf gluetun.enable {

3
modules/nixos/server/services/ookflix/networking/traefik.nix
View file

@ -6,7 +6,7 @@
... ...
}: let }: let
ookflixLib = import ../lib.nix {inherit self lib config;}; ookflixLib = import ../lib.nix {inherit self lib config;};
inherit (ookflixLib) mkServiceUser mkServiceSecret mkServiceStateDir mkServiceStateFile; inherit (ookflixLib) mkServiceUser mkServiceStateDir mkServiceStateFile;
inherit (lib) mkIf; inherit (lib) mkIf;
inherit (ook.lib.container) mkContainerEnvironment mkContainerLabel mkContainerPort; inherit (ook.lib.container) mkContainerEnvironment mkContainerLabel mkContainerPort;
inherit (config.ooknet) server; inherit (config.ooknet) server;
@ -19,7 +19,6 @@ in {
traefikStateDir = mkServiceStateDir "traefik"; traefikStateDir = mkServiceStateDir "traefik";
traefikAcmeFile = mkServiceStateFile "traefik" "acme.json"; traefikAcmeFile = mkServiceStateFile "traefik" "acme.json";
}; };
age.secrets = mkServiceSecret "cf_creds" "traefik";
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
# vpn container # vpn container
traefik = mkIf traefik.enable { traefik = mkIf traefik.enable {

1
outputs/default.nix
View file

@ -4,7 +4,6 @@
./lib ./lib
./hozen ./hozen
./hosts ./hosts
./keys.nix
./pkgs ./pkgs
./images.nix ./images.nix
./devshells ./devshells

6
outputs/images.nix
View file

@ -1,8 +1,4 @@
{ {self, ...}: {
ook,
self,
...
}: {
flake.images = { flake.images = {
ooknode = self.nixosConfigurations.ooknode.config.system.build.image; ooknode = self.nixosConfigurations.ooknode.config.system.build.image;
}; };

6
outputs/keys.nix
View file

@ -1,6 +0,0 @@
let
keys = import ../secrets/keys.nix;
in {
perSystem._module.args.keys = keys;
flake.keys = keys;
}

10
outputs/lib/builders.nix
View file

@ -7,9 +7,9 @@
inherit (inputs) nixpkgs; inherit (inputs) nixpkgs;
inherit (lib) singleton recursiveUpdate mkDefault; inherit (lib) singleton recursiveUpdate mkDefault;
inherit (builtins) concatLists; inherit (builtins) concatLists;
inherit (self) hozen keys ook; inherit (self) hozen ook;
inherit (inputs.secrets.nixosModules) secrets;
hm = inputs.home-manager.nixosModules.home-manager; hm = inputs.home-manager.nixosModules.home-manager;
agenix = inputs.agenix.nixosModules.default;
nixosModules = "${self}/modules/nixos"; nixosModules = "${self}/modules/nixos";
baseModules = nixosModules + "/base"; baseModules = nixosModules + "/base";
hardwareModules = nixosModules + "/hardware"; hardwareModules = nixosModules + "/hardware";
@ -22,7 +22,7 @@
(baseModules + "/admin.nix") (baseModules + "/admin.nix")
(baseModules + "/ssh.nix") (baseModules + "/ssh.nix")
]; ];
core = [baseModules hardwareModules consoleModules appearanceModules hm agenix]; core = [baseModules hardwareModules consoleModules appearanceModules hm secrets];
hostModules = "${self}/hosts"; hostModules = "${self}/hosts";
mkNixos = nixpkgs.lib.nixosSystem; mkNixos = nixpkgs.lib.nixosSystem;
@ -44,7 +44,7 @@
mkNixos { mkNixos {
specialArgs = specialArgs =
recursiveUpdate { recursiveUpdate {
inherit hozen ook keys lib inputs self inputs' self'; inherit hozen ook lib inputs self inputs' self';
} }
specialArgs; specialArgs;
modules = concatLists [ modules = concatLists [
@ -123,7 +123,7 @@
... ...
}: }:
mkNixos { mkNixos {
specialArgs = {inherit keys inputs lib self;}; specialArgs = {inherit inputs lib self;};
modules = concatLists [ modules = concatLists [
(singleton { (singleton {
networking.hostName = hostname; networking.hostName = hostname;

19
secrets/containers/cf_creds.age
View file

@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 xeHnUA orzYvtHssnqm5RxM5aa2/9C8WE+b71dDA2I2Xazhc2k
zkiBhnB7MdSIxrT/Sh14pHGU9ipGkBrrhNrHjW6lbJw
-> ssh-ed25519 6HvatA tABXMcWyBkSJWrl3MM76eJGJSU0XKQTG6lmFWIS/qxs
ZZ3PYHKqbbdz0kDCTXhQBGCnWGsXLqZmdNjlWpT8SY4
-> ssh-ed25519 3DwG4w GUdLU60u2plRSDoFkAoNep5USX5Lj6jLrIQHzxYyPkI
5dnetJBkJeSe12iczuOMnJO8K0gkB5qhPL1UbGAslzI
-> ssh-ed25519 Nn8WxA wnQzj5PqL1EoXisYGabcHzChGBZWvis+CSTE+6eCMEk
fw4XLdF7kIIWBVVDu3DBxtxdYxBSsXozpJQ7p0No8I4
-> ssh-ed25519 Gd+9pg TIdiOlNUhp4fkQPQi3PItzVBssM1TxoDYZNCB0GYryw
Ch+pJ6BEO/oUTeUn3t8qaiVuLaRgf9GUO4jpAgnJstY
-> ssh-ed25519 eMj+Jg 83Cbf9k7T0DRcE7hFchQWEj/pR+qNGTLIdXDmbWMeT4
PqOzucTkTSQg92Vd8ZMLX6cDKyESCE4v9VVHJlAfFyg
-> ssh-ed25519 MQ/7Ew f4axkHyjiTOsbiYu90MAirHKoB9S70dK11JDtMKmSkc
Rb2+dIewpW0bL+qJtAxIgVAyWqTDZI9dcwMQR/0pg3s
-> ssh-ed25519 3DwG4w FYRpJ1zJZmOil2/X+URrw03KXZk7qZoMO1/P+BJGCxo
SRBJ/FOUbisy7Dhd5tXd4fN8HWM95L6oDQOjzmM5St8
--- /7SydLy/XxsnVqTD5ffym1MnyKzVyvvhIbazmf4oB18
4ðÒ9Œ¯ÅaCr¨™Bññ"<22>Òe•5Š¢nö9ÂuF?ùyÛæÍk ¤µÓßbDB¸+Í™‰—D¨b÷HŠ©õôb»“^Í<>LóøÝÓ»©Ñö÷ÐV*^žûË¿ÉL‡¼Ï™J8_6S·ÂÀÅ$+¼ÈK:$

BIN
secrets/containers/vpn_env.age
View file

Binary file not shown.

BIN
secrets/github_key.age
View file

Binary file not shown.

28
secrets/keys.nix
View file

@ -1,28 +0,0 @@
let
users = {
ooks = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx2kNirkcFrNji+qz7KX+zdRxpgJyOwK0vyBrx9Ae3c";
};
hosts = {
ooksdesk = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn3ff3HaZHIyH4K13k8Mwqu/o7jIABJ8rANK+r2PfJk";
ooksmedia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ttz1jTy+byfzi874vogy3ZPLW9+8W2o512tdsqUUV";
ookst480s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWFZwTuHIITHa7s4Zp6KPF2suZIMXZbe085OiG0GRh5";
ooksphone = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINredx07UAk2l1wUPujYnmJci1+XEmcUuSX0DIYg6Vzz";
ooksmicro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUSu2iy3GvMXT5eEDAymIwSQe8UuVG5GH5FJ408JiG4";
ooksx1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBR6Cyx64Qjth/4aS2x95scEkfiOnsCzufMZW5e41bfE";
};
workstations = [
hosts.ooksdesk
hosts.ooksmedia
hosts.ookst480s
hosts.ooksphone
hosts.ooksmicro
hosts.ooksx1
];
servers = [
hosts.ooksmedia
];
in {
inherit users servers hosts workstations;
}

BIN
secrets/mullvad_wg.age
View file

Binary file not shown.

BIN
secrets/ooknet_org.age
View file

Binary file not shown.

12
secrets/secrets.nix
View file

@ -1,12 +0,0 @@
let
keys = import ./keys.nix;
inherit (keys) users workstations servers;
in {
"tailscale-auth.age".publicKeys = [users.ooks] ++ workstations;
"github_key.age".publicKeys = [users.ooks] ++ workstations;
"spotify_key.age".publicKeys = [users.ooks] ++ workstations;
"ooknet_org.age".publicKeys = [users.ooks] ++ workstations;
"mullvad_wg.age".publicKeys = [users.ooks] ++ workstations ++ servers;
"containers/vpn_env.age".publicKeys = [users.ooks] ++ workstations ++ servers;
"containers/cf_creds.age".publicKeys = [users.ooks] ++ workstations ++ servers;
}

17
secrets/spotify_key.age
View file

@ -1,17 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 xeHnUA +isoneTG5GTQVZ2mkNWJMApJL0EbtlRg2lE7CFPVs0o
b0katAQ3DeRRTZZKzexJMM5JtcqY6pPpz1Z017ZmVBw
-> ssh-ed25519 6HvatA Knq4A7wvjmXnWAikVSbv9BALW7f0lph2bQsiyUcilSo
SFHeWqjVO5jxnNW0cgE9qJrg0xG8SkEfZ87GpE77EZ8
-> ssh-ed25519 3DwG4w j7k+whyqKrKrkQCIMkOHl+EpCsIlJqtfqBShCc1ZGkk
vLwteoZ9DvjAecJJhPzcXvnMVsKWEDwHiL76fm2PTC0
-> ssh-ed25519 Nn8WxA ENSIpye6C7RaxwmUQP4fGD3NZ/mXh7Q0gyNsdvEGyxU
zhKepo7NqWe4NVTRcTcqKJavgZdHAXi5TK8nsHqRJNA
-> ssh-ed25519 Gd+9pg wlz2TZrZVdNz9yBugvydWeUgc/430iOPpDP3+aJ0nDo
ST+uLYDvOg95qXN86vsvKmlr56sttg7Z7l4OAJfgytI
-> ssh-ed25519 eMj+Jg XP+CWaVkKTzptg2lpmPcT0d+K3JoDTfmFjpyKouqwXk
WGrv56kthwxT88xXSyaPecLklfumxva9RxCoFNZwVTU
-> ssh-ed25519 MQ/7Ew XgTs4XL6bGspzSFdT2IW4BW3MPjdP0YiLQqo0SDR+EI
18MBJWrgjk3J58EPZjwW/OwAo3bKG+jHztowqQeYG5M
--- nxPnfZNn24Q70LqqEO2Mo76xPcaBuZ7OEYXTO0Ac/wk
”Þê4ª¨V+Ô_<P|Í(ŽH3ìj¢S<C2A2>#(åv¥pþ¥ØjÈüè8a—ßc6DïÔøèðd'(qÜZA[

BIN
secrets/tailscale-auth.age
View file

Binary file not shown.