reorganize secrets

This commit is contained in:
Grisha Shipunov 2025-01-19 20:46:38 +01:00
parent 42128ebbe1
commit 76e043171c
14 changed files with 49 additions and 58 deletions


@ -8,31 +8,31 @@ keys:
- &auth age1vzwz5s35w9g8ck9l5zaq5skrnl3mqzf3hsnc9w22sj4k8tu8kqfstpg2a8 - &auth age1vzwz5s35w9g8ck9l5zaq5skrnl3mqzf3hsnc9w22sj4k8tu8kqfstpg2a8
- &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
creation_rules: creation_rules:
- path_regex: secrets/toaster/[^/]+\.yaml$ - path_regex: hosts/toaster/[^/]+\.yaml$
key_groups: key_groups:
- pgp: - pgp:
- *admin_oxa - *admin_oxa
age: age:
- *toaster - *toaster
- path_regex: secrets/cloud/[^/]+\.yaml$ - path_regex: hosts/cloud/[^/]+\.yaml$
key_groups: key_groups:
- pgp: - pgp:
- *admin_oxa - *admin_oxa
age: age:
- *cloud - *cloud
- path_regex: secrets/minime/[^/]+\.yaml$ - path_regex: hosts/minime/[^/]+\.yaml$
key_groups: key_groups:
- pgp: - pgp:
- *admin_oxa - *admin_oxa
age: age:
- *minime - *minime
- path_regex: secrets/auth/[^/]+\.yaml$ - path_regex: hosts/auth/[^/]+\.yaml$
key_groups: key_groups:
- pgp: - pgp:
- *admin_oxa - *admin_oxa
age: age:
- *auth - *auth
- path_regex: secrets/radicale/[^/]+\.yaml$ - path_regex: hosts/radicale/[^/]+\.yaml$
key_groups: key_groups:
- pgp: - pgp:
- *admin_oxa - *admin_oxa
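Review bot: Each new `path_regex` (`hosts/toaster/[^/]+\.yaml$` and its four siblings) is anchored only at the end, so it also matches any deeper path that merely contains `hosts/toaster/`, and a stray match would encrypt a file to the wrong host's age key. Anchoring the start, e.g. `path_regex: ^hosts/toaster/[^/]+\.yaml$`, pins each rule to its directory; sops matches the path relative to this `.sops.yaml`, so `^` is safe there, but confirm that for the sops version in use before changing all five. Creation rules are consulted on file creation and on `sops updatekeys`, not on a rename, so the relocated `secrets.yaml` files keep the recipient sets embedded in them until `sops updatekeys` is run on each; a one-time check that those recipients still match these rules is worth doing. The hunk ends inside the radicale rule, so its `age:` entry lies outside this view.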


@ -6,7 +6,7 @@ in
imports = [ imports = [
./keycloak.nix ./keycloak.nix
]; ];
sops.defaultSopsFile = ../../secrets/auth/secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = { sops.secrets = {


@ -1,10 +1,21 @@
{ ... }: { config, ... }:
{ {
imports = [ imports = [
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
./proxy ./proxy
./secrets.nix
]; ];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/0xa-mgmt" = {
owner = config.users.users.systemd-network.name;
};
"wg/0xa-proxy" = {
owner = config.users.users.systemd-network.name;
};
};
} }
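Review bot: The sops block inlined here repeats `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` verbatim in every host's default.nix; the minime and toaster hunks in this commit carry the same line, and the auth and radicale modules keep it too. A small shared module imported by all hosts could own the key path once, leaving only the per-host `sops.defaultSopsFile` and the secret list in each default.nix. The `wg/*` entries set only `owner`, so `mode` falls back to the sops-nix default (presumably 0400 — confirm for the sops-nix version pinned here); that is what a private key read by systemd-networkd should get, but a comment such as `# WireGuard private keys; readable only by systemd-networkd (default mode)` would make the omission read as deliberate. `config.users.users.systemd-network` only exists when systemd-networkd is enabled, which this hunk presumes `./networking.nix` does.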


@ -1,14 +0,0 @@
{ config, ... }:
{
sops.defaultSopsFile = ../../secrets/cloud/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/0xa-mgmt" = {
owner = config.users.users.systemd-network.name;
};
"wg/0xa-proxy" = {
owner = config.users.users.systemd-network.name;
};
};
}


@ -1,10 +1,18 @@
{ ... }: { config, ... }:
{ {
imports = [ imports = [
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./networking ./networking
./secrets.nix
./zfs.nix ./zfs.nix
]; ];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/0xa-mgmt" = {
owner = config.users.users.systemd-network.name;
};
};
} }


@ -1,11 +0,0 @@
{ config, ... }:
{
sops.defaultSopsFile = ../../secrets/minime/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/0xa-mgmt" = {
owner = config.users.users.systemd-network.name;
};
};
}


@ -3,7 +3,7 @@ let
mac = "02:00:00:00:00:02"; mac = "02:00:00:00:00:02";
in in
{ {
sops.defaultSopsFile = ../../secrets/radicale/secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = { sops.secrets = {


@ -1,15 +1,32 @@
{ pkgs, ... }: { pkgs, config, ... }:
{ {
imports = [ imports = [
./amd.nix ./amd.nix
./hardware-configuration.nix ./hardware-configuration.nix
# ./irc.nix # ./irc.nix
./network ./network
./secrets.nix
./secure-boot.nix ./secure-boot.nix
./zfs.nix ./zfs.nix
]; ];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/zw" = {
owner = config.users.users.systemd-network.name;
};
"wg/dvb" = {
owner = config.users.users.systemd-network.name;
};
"wg/mullvad" = {
owner = config.users.users.systemd-network.name;
};
"wg/0xa-mgmt" = {
owner = config.users.users.systemd-network.name;
};
};
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.


@ -1,20 +0,0 @@
{ config, ... }:
{
sops.defaultSopsFile = ../../secrets/toaster/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/zw" = {
owner = config.users.users.systemd-network.name;
};
"wg/dvb" = {
owner = config.users.users.systemd-network.name;
};
"wg/mullvad" = {
owner = config.users.users.systemd-network.name;
};
"wg/0xa-mgmt" = {
owner = config.users.users.systemd-network.name;
};
};
}