From 76e043171c9a6cd7957ddee5d792740ada93b8ce Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Sun, 19 Jan 2025 20:46:38 +0100
Subject: [PATCH] reorganize secrets

---
 .sops.yaml | 10 +++++-----
 hosts/auth/default.nix | 2 +-
 {secrets => hosts}/auth/secrets.yaml | 0
 hosts/cloud/default.nix | 15 +++++++++++++--
 hosts/cloud/secrets.nix | 14 --------------
 {secrets => hosts}/cloud/secrets.yaml | 0
 hosts/minime/default.nix | 12 ++++++++++--
 hosts/minime/secrets.nix | 11 -----------
 {secrets => hosts}/minime/secrets.yaml | 0
 hosts/radicale/default.nix | 2 +-
 {secrets => hosts}/radicale/secrets.yaml | 0
 hosts/toaster/default.nix | 21 +++++++++++++++++++--
 hosts/toaster/secrets.nix | 20 --------------------
 {secrets => hosts}/toaster/secrets.yaml | 0
 14 files changed, 49 insertions(+), 58 deletions(-)
 rename {secrets => hosts}/auth/secrets.yaml (100%)
 delete mode 100644 hosts/cloud/secrets.nix
 rename {secrets => hosts}/cloud/secrets.yaml (100%)
 delete mode 100644 hosts/minime/secrets.nix
 rename {secrets => hosts}/minime/secrets.yaml (100%)
 rename {secrets => hosts}/radicale/secrets.yaml (100%)
 delete mode 100644 hosts/toaster/secrets.nix
 rename {secrets => hosts}/toaster/secrets.yaml (100%)
diff --git a/.sops.yaml b/.sops.yaml
index edd87ec..9e590d1 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -8,31 +8,31 @@ keys:
 - &auth age1vzwz5s35w9g8ck9l5zaq5skrnl3mqzf3hsnc9w22sj4k8tu8kqfstpg2a8
 - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
 creation_rules:
- - path_regex: secrets/toaster/[^/]+\.yaml$
+ - path_regex: hosts/toaster/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *admin_oxa
 age:
 - *toaster
- - path_regex: secrets/cloud/[^/]+\.yaml$
+ - path_regex: hosts/cloud/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *admin_oxa
 age:
 - *cloud
- - path_regex: secrets/minime/[^/]+\.yaml$
+ - path_regex: hosts/minime/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *admin_oxa
 age:
 - *minime
- - path_regex: secrets/auth/[^/]+\.yaml$
+ - path_regex: hosts/auth/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *admin_oxa
 age:
 - *auth
- - path_regex: secrets/radicale/[^/]+\.yaml$
+ - path_regex: hosts/radicale/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *admin_oxa
diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix
index b4c23f1..dbc585c 100644
--- a/hosts/auth/default.nix
+++ b/hosts/auth/default.nix
@@ -6,7 +6,7 @@ in
 imports = [ ./keycloak.nix ];
- sops.defaultSopsFile = ../../secrets/auth/secrets.yaml;
+ sops.defaultSopsFile = ./secrets.yaml;
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 sops.secrets = {
diff --git a/secrets/auth/secrets.yaml b/hosts/auth/secrets.yaml
similarity index 100%
rename from secrets/auth/secrets.yaml
rename to hosts/auth/secrets.yaml
diff --git a/hosts/cloud/default.nix b/hosts/cloud/default.nix
index c848297..0c2dbca 100644
--- a/hosts/cloud/default.nix
+++ b/hosts/cloud/default.nix
@@ -1,10 +1,21 @@
-{ ... }:
+{ config, ... }:
 {
 imports = [
 ./configuration.nix
 ./hardware-configuration.nix
 ./networking.nix
 ./proxy
- ./secrets.nix
 ];
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "wg/0xa-mgmt" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ "wg/0xa-proxy" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
 }
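Review bot: The rewritten `path_regex` values are still unanchored at the start, so the `hosts/toaster/` rule also fires for any file whose path merely ends in `hosts/toaster/<name>.yaml`, and because sops applies the first matching creation rule, a stray nested copy elsewhere in the tree would be encrypted to that host's key group. Anchoring each pattern, e.g. `- path_regex: ^hosts/toaster/[^/]+\.yaml$` and likewise for the other four rules, ties the rule to the directory the move actually targets. Since the renamed files are byte-identical and the key groups are unchanged, no re-encryption is required; running `sops updatekeys` on each moved file is a cheap check that the new patterns match, as it fails when no rule applies.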
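Review bot: The `sops.secrets` attrset inlined into `default.nix` repeats `owner = config.users.users.systemd-network.name;` for every WireGuard key, and the same `sops.age.sshKeyPaths` line now appears verbatim in this file as well as in the minime and toaster hunks below (auth and radicale already carried it). Generating the set keeps the list of secrets in one place and makes the shared owner obvious: `sops.secrets = lib.genAttrs [ "wg/0xa-mgmt" "wg/0xa-proxy" ] (_: { owner = config.users.users.systemd-network.name; });` with `lib` added to the module arguments as `{ config, lib, ... }:`. The identical `sshKeyPaths` setting could likewise live in one common module imported by every host, so a change of host-key algorithm or path is made once rather than in five files.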
diff --git a/hosts/cloud/secrets.nix b/hosts/cloud/secrets.nix
deleted file mode 100644
index e1d492f..0000000
--- a/hosts/cloud/secrets.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ config, ... }:
-{
- sops.defaultSopsFile = ../../secrets/cloud/secrets.yaml;
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
- sops.secrets = {
- "wg/0xa-mgmt" = {
- owner = config.users.users.systemd-network.name;
- };
- "wg/0xa-proxy" = {
- owner = config.users.users.systemd-network.name;
- };
- };
-}
diff --git a/secrets/cloud/secrets.yaml b/hosts/cloud/secrets.yaml
similarity index 100%
rename from secrets/cloud/secrets.yaml
rename to hosts/cloud/secrets.yaml
diff --git a/hosts/minime/default.nix b/hosts/minime/default.nix
index 95f1f6b..6c07f2d 100644
--- a/hosts/minime/default.nix
+++ b/hosts/minime/default.nix
@@ -1,10 +1,18 @@
-{ ... }:
+{ config, ... }:
 {
 imports = [
 ./configuration.nix
 ./hardware-configuration.nix
 ./networking
- ./secrets.nix
 ./zfs.nix
 ];
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "wg/0xa-mgmt" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
 }
diff --git a/hosts/minime/secrets.nix b/hosts/minime/secrets.nix
deleted file mode 100644
index 3bf2649..0000000
--- a/hosts/minime/secrets.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, ... }:
-{
- sops.defaultSopsFile = ../../secrets/minime/secrets.yaml;
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
- sops.secrets = {
- "wg/0xa-mgmt" = {
- owner = config.users.users.systemd-network.name;
- };
- };
-}
diff --git a/secrets/minime/secrets.yaml b/hosts/minime/secrets.yaml
similarity index 100%
rename from secrets/minime/secrets.yaml
rename to hosts/minime/secrets.yaml
diff --git a/hosts/radicale/default.nix b/hosts/radicale/default.nix
index 7ed8f11..f2d14fb 100644
--- a/hosts/radicale/default.nix
+++ b/hosts/radicale/default.nix
@@ -3,7 +3,7 @@ let
 mac = "02:00:00:00:00:02"; in {
- sops.defaultSopsFile = ../../secrets/radicale/secrets.yaml;
+ sops.defaultSopsFile = ./secrets.yaml;
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 sops.secrets = {
diff --git a/secrets/radicale/secrets.yaml b/hosts/radicale/secrets.yaml
similarity index 100%
rename from secrets/radicale/secrets.yaml
rename to hosts/radicale/secrets.yaml
diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix
index c3b087d..f3afe11 100644
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@@ -1,15 +1,32 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
 imports = [
 ./amd.nix
 ./hardware-configuration.nix
 # ./irc.nix
 ./network
- ./secrets.nix
 ./secure-boot.nix
 ./zfs.nix
 ];
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "wg/zw" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ "wg/dvb" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ "wg/mullvad" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ "wg/0xa-mgmt" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
+
 nixpkgs.config.allowUnfree = true;
 # Use the systemd-boot EFI boot loader.
diff --git a/hosts/toaster/secrets.nix b/hosts/toaster/secrets.nix
deleted file mode 100644
index f60c734..0000000
--- a/hosts/toaster/secrets.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, ... }:
-{
- sops.defaultSopsFile = ../../secrets/toaster/secrets.yaml;
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
- sops.secrets = {
- "wg/zw" = {
- owner = config.users.users.systemd-network.name;
- };
- "wg/dvb" = {
- owner = config.users.users.systemd-network.name;
- };
- "wg/mullvad" = {
- owner = config.users.users.systemd-network.name;
- };
- "wg/0xa-mgmt" = {
- owner = config.users.users.systemd-network.name;
- };
- };
-}
diff --git a/secrets/toaster/secrets.yaml b/hosts/toaster/secrets.yaml
similarity index 100%
rename from secrets/toaster/secrets.yaml
rename to hosts/toaster/secrets.yaml