reorganize secrets

2025-01-19 20:46:38 +01:00 · 2025-01-19 20:46:38 +01:00 · 76e043171c
commit 76e043171c
parent 42128ebbe1
14 changed files with 49 additions and 58 deletions
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@ -1,15 +1,32 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
  imports = [
    ./amd.nix
    ./hardware-configuration.nix
    # ./irc.nix
    ./network
-    ./secrets.nix
    ./secure-boot.nix
    ./zfs.nix
  ];

+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/zw" = {
+      owner = config.users.users.systemd-network.name;
+    };
+    "wg/dvb" = {
+      owner = config.users.users.systemd-network.name;
+    };
+    "wg/mullvad" = {
+      owner = config.users.users.systemd-network.name;
+    };
+    "wg/0xa-mgmt" = {
+      owner = config.users.users.systemd-network.name;
+    };
+  };
+
  nixpkgs.config.allowUnfree = true;

  # Use the systemd-boot EFI boot loader.
--- a/hosts/toaster/secrets.nix
+++ b/hosts/toaster/secrets.nix
@ -1,20 +0,0 @@
-{ config, ... }:
-{
-  sops.defaultSopsFile = ../../secrets/toaster/secrets.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
-  sops.secrets = {
-    "wg/zw" = {
-      owner = config.users.users.systemd-network.name;
-    };
-    "wg/dvb" = {
-      owner = config.users.users.systemd-network.name;
-    };
-    "wg/mullvad" = {
-      owner = config.users.users.systemd-network.name;
-    };
-    "wg/0xa-mgmt" = {
-      owner = config.users.users.systemd-network.name;
-    };
-  };
-}
--- a/hosts/toaster/secrets.yaml
+++ b/hosts/toaster/secrets.yaml
@ -0,0 +1,50 @@
+wg:
+    mullvad: ENC[AES256_GCM,data:P9acMXooRll8i81RIBVb0OxFdzx2WsGgVKqX+BoV7cvPGWJK5FRIF8KAcqg=,iv:kq+3guPx2+reDqmfHuhWEvUsKNynG+t7LYRNp5kFLoQ=,tag:Aj0P7IrrTdRK59aBMjPx5Q==,type:str]
+    zw: ENC[AES256_GCM,data:CXrLvV+b9DUfmr+CwH8dBTHvDHtgVmiF9g+QpzFqMcc91yQDzQqT1d4AQSk=,iv:Wdj11qlGWGm2XSieFZ4csqdIyR0epzPCkeWyUUmjJbk=,tag:UO07WUwr138B5TtMGujvew==,type:str]
+    0xa-mgmt: ENC[AES256_GCM,data:THKgWJs4bxNYwnl1FQzXSC0xIuv1r0jSByQgwoKau34sddgTzztRHbSztGs=,iv:wn08l8hlSORlyD8XpF6pk6F3HTsT345xp8XxkJVUKcY=,tag:oP+5+cunkQ5KVf6PB5Rirw==,type:str]
+    dvb: ENC[AES256_GCM,data:1+IM6ORPtlIroeekaJSkOwYArh0fN6ycJNaXo680pE2Xv4DUBrIlh8q3V2A=,iv:btf3IpM4Wntkf3RYPwUdhH+4WUUqZp0zYp0aj2sdGM0=,tag:MDvS4CWYQLdp2YGs3/5Htw==,type:str]
+mail:
+    oxapentane.com: ENC[AES256_GCM,data:HW1xcclr5CiUFVF8As79ZZH1c14sl4T0l18=,iv:leAVYaQkMuJewkCZc3fTUUNzZ9BDjV5CuT84bzvhrrs=,tag:Mm8OB8gLbmUwKSLugTR6GA==,type:str]
+    shipunov.xyz: ENC[AES256_GCM,data:cg+P+FrZ2icjfhwDGKGyUH9DejSZHpNs2bcSBPyz8g==,iv:XZFaSXnGmTL9j2sEyt5Q7+pe6rr+WA/0UGq/2Gl5DTI=,tag:oq+5EuJWJKwK3h0/e6Uozw==,type:str]
+    dvb.solutions: ENC[AES256_GCM,data:GSjPIPA5TGMWfhdRzTsiHPfXFVGLVSpJvJG+I++i,iv:EBlk00wqADCuYTzuVcuX9kSn6TVBfN12UlcXyps6TtE=,tag:G7rKTngN4v2FtuhQEMdUQQ==,type:str]
+    tlm.solutions: ENC[AES256_GCM,data:ncTMh/jw+YmcmcVU/c1I36vV1CwtmtYwfyDUx9w9,iv:vPnmdvDnEJ9FF4rDkSfPnLWebleSgI/yG7qOgJfq5ic=,tag:z4w4LOGf2v0TBSxrHULBsw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1avaphjah4k8n80jrnraeqh9r94fu6awd6k37z4zfjssl5ft07qkqmuehcm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibGw3UTUzNHg2dDJGYmYx
+            Vis5WlhqeXUybmtxTU9XWEFLcjc1VEErOTN3CmZYa2kzcUdNQURVTG5NeUpSb0I0
+            STdQb1NqSWJoK1pmYXA5UXM5NDRFWVUKLS0tIDNWTmVTcDdneUEwemtWZVNZVFdz
+            bDRBWjJJSDl3bDkxenR1S2NMZW91dW8Kzhc/6HeEJfLGDaKdRSbpaMdR7XaBxdQI
+            jnAySJCGsXxCPebRtCIdDnoLjdqdzEggEhRh27JOpeOiEukLmakPMA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-11T01:25:11Z"
+    mac: ENC[AES256_GCM,data:Y11oSAhVwjYkuONxlWFKRTswaCMsj6/61HQgEZ9tKOxHK0mfx6CiJGqNKud7XDAebmqB3uIYNJ8zYKvM2D0+vLBp5Kk+bQX0tNXf1HXVJPYzE1GA+Wg5ZKYM5HZ339XiEEBZEbTU+ptMw2YO9mhDxYA6UnPPQ2IHNPgB/yrgfxM=,iv:iHERfH1sf35DgFYr6FkwxRxnF+qppWOqw1XJ/rJi3DU=,tag:L09jwVXKzSnACp2TSpEV2w==,type:str]
+    pgp:
+        - created_at: "2025-01-02T22:57:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7zUOKwzpAE7AQ//fH+XzwM0ARlUGFK0/WDVXb4fR8364JdtrWp1njqYQBme
+            rRtIuyYWg7b4c1K9frX+3Ftei6EhZTejgyoSulQkOD5X7L726iik8kaJxtkH0Ubl
+            Hmak4viT9r4cCBYBBCsDQgojAImgNvaW+DyX4UFOyr0asnUEVj4N1/eejxPteXfj
+            c4+PzKKkliRpwUj4OZufmxcZvFi3XBy1AIgji9EpZkG6mGeeRpchJdA7kFWlO0fl
+            wUuDjudqSMr2hOySfOI/AW+4QgWo1t6uZwIi4VWMmI2h3hlAbsWfYiLMXqIB8RpF
+            lx30HdcFmZwfmVyT5n+oFlV4kPWPNvc0lLDvoZdKpsXIeuhMWKdrRZ2XmDE6F+rQ
+            PE4tT46vR4uCHNSAiLYhAY+yr2ic5w+Damv80mxsnGBrFhh93/5grJRSQ+iZcr1D
+            hu4nMAiw7xdkjgVHJrZZ0YEh9cXD74oUfvE7T201h2ppFEAzYaDrwuIuFqJmFew/
+            /meRImzoCpp2H2cAsol90kxVdNc+yQerNqknkNBU6TCWB5HkcEa1xM5PER2s8cHd
+            KK5ej1DzNgQHN41N3zv1xyd2HXOOgVXYwITkHU0BNFBowpf2JScUcVMWYtuZ2Mlh
+            izVM0pJwx7bJgZqVnpZsxyzSOD3I6ufS61VMp5RVOS/58qih2BNsTys3DtmaFcvS
+            XgFD1Mr9Ul4xIyF2akUeGU5n+fRZnIwtM7JmcJGjlg1nQPvRFZSLrYBs83TPrftS
+            zQv+xyb6mPo91iHqe/ey3JbB/+/uSkVSZsBL05thYNLucQJ0L3r0qhc6gnQxNNo=
+            =DYwa
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2