flake: migrate to agenix-rekey

2025-02-18 21:47:38 -05:00 · 2025-02-18 21:47:38 -05:00 · b54be3998f
commit b54be3998f
parent 26734c2196
61 changed files with 306 additions and 190 deletions
--- a/hosts/Infini-DL360/default.nix
+++ b/hosts/Infini-DL360/default.nix
@ -10,6 +10,8 @@
    ./hardware-configuration.nix
    ./disks.nix

+    ./secrets
+
    ./web.nix

    private.nixosModules.minecraft-servers
@ -37,6 +39,8 @@

  info.loc.purdue = true;

+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjmvE76BcPwZSjeNGzlguDQC67Yxa3uyOf5ZmVDWNys root@Infini-DL360";
+
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.binfmt.addEmulatedSystemsToNixSandbox = true;

--- a/hosts/Infini-DL360/forgejo.nix
+++ b/hosts/Infini-DL360/forgejo.nix
@ -27,7 +27,7 @@ in

    lfs.enable = true;

-    secrets.mailer.PASSWD = secrets.smtp-password;
+    secrets.mailer.PASSWD = secrets.smtp-noreply;
    settings = {
      server = {
        ROOT_URL = "https://${domain}/";
--- a/hosts/Infini-DL360/secrets/authentik-ldap.age
+++ b/hosts/Infini-DL360/secrets/authentik-ldap.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q AmrcqFPgfqImIMZx45MXeqD5XP2MCpnIIXTjfVZXFOtv
+IgBH5MFAJJ5vP82Jtvmr/NcaCK1F/qSWQHM1PbtKu5Q
+-> piv-p256 5utyxg A80LKCGYw597lm0Oo8kBKLIWcwnOCjDr3FiyIDrAmkSZ
+R9tdgHAfuVNs2nXD+ml7l/jjXvf0cD2b5wALOVzEH9o
+-> BLl-grease d)6dWO5 2P
+/fvI/IO/OJV/4sF+ENnj1AQx9fRf0cLMy90ASBvl9Cdwtdnrx4ly8ZOS57rSNSO1
+JJFsEd9M3lKRElvYsXADC0cOBsK5hg
+--- BNRWm9qA1JnQ71Yf9vAeVa7B5qzUf00mjVHJeFCKjQQ
+£4ráý(	„Œï&@þ
»ÖÆO¤‰øªÖ›SÖÉÓAãÛþ®å?¯·,{²ÅÉšPDÃ(¦m|ÒÊö`˜7Ü 8Ómf2ªæìp; 9nÌ}DÐUÃùü™†bùãÏÔÄ‡É(uû?A±¡	V ”Ü(4"’h ÀßÖ“R;,6»?8¶
+È‰“ÙæÙç
--- a/hosts/Infini-DL360/secrets/authentik.age
+++ b/hosts/Infini-DL360/secrets/authentik.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q AwjgvoXQnw3dGl+3NzZwbtobCzYQqSEwu3o68itzJXk3
+9J7aPKsJ/dZOoCKNGZWnxOH8a2TNX5D9hBStFgqDOH4
+-> piv-p256 5utyxg AyFGfXw60hWpTNvCXaVNTk0UN8WX8dEwIOMYkwtHLXJF
+Zy5cd5saG4jfF5ZXkZ9TJpvscxfgDV2xGALY1yyY66w
+-> m(-grease [FxH /SCRkN 2\>
+HvqiMVBno3sBsl9eg4Lkr7F/f/dB8pxihcekBG0ntbQApRwxawj37/wjXKOYAX43
+OL4wHohhU91u+4eOv8E1K3OOpXy3aVn7WTjk/6ftA2oxLCy1QzQKpg
+--- fpnPuiVpzrB09e3CvSUY/Y7tQyCc6v6FuRkml07bqD4
+®D\…ìƒâˆèLUŽx‚¤²“Z<E2809C>5œñõ»ÉEm}"&<26>ËÄù&³©Öø&çð*ÅTwä×ïV2¼ñ‰p‰Z¥<02>YsÅŸtãWÝ;<3B>Z’BO…‘,Œï	’§ˆ—Y§Å¯|mMú$…Â`tŠ‰:÷ÏjÜa›œÃ}1)YxÃtà*øŠIÅœZC|-Ãê~qu‰O]V^™IvØk˜—à:—“R¾%ßŠI'áYÀXóZÕ¢1iV±=bÂÉ‚Iñ<49>*ºYµÝeq™
--- a/hosts/Infini-DL360/secrets/default.nix
+++ b/hosts/Infini-DL360/secrets/default.nix
@ -0,0 +1,17 @@
+{ lib, ... }:
+let
+  inherit (lib.our.secrets) withGroup withOwnerGroup;
+in
+{
+  age.secrets = {
+    authentik-ldap.rekeyFile = ./authentik-ldap.age;
+    authentik.rekeyFile = ./authentik.age;
+    freshrss = withOwnerGroup "freshrss" ./freshrss.age;
+    hedgedoc = withOwnerGroup "hedgedoc" ./hedgedoc.age;
+    hydra = withGroup "hydra" ./hydra.age;
+    ovpn.rekeyFile = ./ovpn.age;
+    radicale-ldap = withOwnerGroup "radicale" ./radicale-ldap.age;
+    searx.rekeyFile = ./searx.age;
+    vaultwarden.rekeyFile = ./vaultwarden.age;
+  };
+}
--- a/hosts/Infini-DL360/secrets/freshrss.age
+++ b/hosts/Infini-DL360/secrets/freshrss.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q AzMC4XpUhKiVaI2xhQRTQoyV+RjMz5Aoj3gZsgc8PBK3
+CGLI4lL+4xWaMviHW7FofruIZVFES0H/WFSzsbXDjcY
+-> piv-p256 5utyxg AieYOjyIS2APXJfkY/qJ0UmoIuHwO3oIH8MSHh5o2M37
+GCEG5cxBQ5k/3UGm76bNtsPsHzv5yGSJ7iEn3h3wops
+-> -W-grease Gh{uU
+RobG9ho0acfDe+0qEBmtRyejJy7E272b3vzuegQ2twAl2xTYinWOx286sVpRPc7W
+vJNCu9BCDGlIFnQoP2R1gm2eQrI6InNOOh3Q/IZ736ieAhbDvJbm/3BWqRmRRylY
+dfEg
+--- 3XHaD7Zc6JTUxZl/ouKGxmCVvkbjLw2E+TDAf6PwLLo
+÷u,MÏ<4D>HS3JkYÿû5ù`5Œ;m<C¾y?E¬ÙV~jx¶«½ßZ<C39F>ff‚Ä!3N}
--- a/hosts/Infini-DL360/secrets/hedgedoc.age
+++ b/hosts/Infini-DL360/secrets/hedgedoc.age
--- a/hosts/Infini-DL360/secrets/hydra.age
+++ b/hosts/Infini-DL360/secrets/hydra.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q Ai6/RXPumKBsTij/p4Yzze3wuc+lCeCjrficqXR6a+cX
+gGZZ+9hfSefCPpgkEyxiGLBw6HeIRlihlHpRW0flyHs
+-> piv-p256 5utyxg AmJA1H1XKyJf8SH9aGgJGwgBCsW5c0VbYOih82p73tS7
+MclhdvYabgDkKl+K+rFxiRvbLLudscVAENFacJraIvA
+-> ^4f5%t8(-grease ? G
+aNFXQBBqAcfPE5+Wpw
+--- Rvpkl3gKIXx96JuQEJZYvKm/ZkXDMl/7TCDECeTBa+o
+î@<40><>üÿnöº©Uej
˜tšÜHbuæ’»KžÌ<C5BE>(ƒÇÕ¹Œr_lmDZ(6•ô¤ãš“h†Æ˜æm¥;–Îk`“³ R´uö:[÷¥›x['*iŽij
y‘sÊ¶Ç~`wkÓ¥ˆ}28õ‘’º
--- a/hosts/Infini-DL360/secrets/ovpn.age
+++ b/hosts/Infini-DL360/secrets/ovpn.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q A0NnbNjIggIuH4ZTAs8YyN3zn3V6OAsKrC04WaTveFAD
+fiS6e/cndp7XPg6N9FoFDYJVHzQA1R64QNWyDjrmVJs
+-> piv-p256 5utyxg A1EojHMF4AIcObYpGSRE/8Z2gOmtf9l5d9ZV36RC9jHy
+WbYaIRWeSUbeaZDqQK4rqOTXy0kWQsG3gbC4dWsUNa4
+-> LJP-grease ,)
+qNMbqpxba5Q8KRzrglBoMGsTZdWFTc6wTIFeX74MIDVqE2yPVUVNXcCzM6U3b+/y
+XqtVvPgkILD6
+--- 66jeuKk3OHoA9g4muxmythBRKRc/zq4937NDiLC0cM0
+…¤‰	l1a*¾:©×IÒƒÄö‚%gUcbp ¡Ìr¼Ç5“¼,"‚Dn%H|ß<>Š
--- a/hosts/Infini-DL360/secrets/radicale-ldap.age
+++ b/hosts/Infini-DL360/secrets/radicale-ldap.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q ApL+8SFBLjq2WTsInFVio8n4RN/U7Cy1I2hvFxNBA2Vu
+IUk5Vd0iqcqPVG8JKmEoTmPePeRpO/+e/mA2MWWatVI
+-> piv-p256 5utyxg A2ndIHeH3WUg1D6Og35thBxlL8Oji+vc2Ru7B6aSZwMd
+loQZbjmAoS1hhiRKkr6wgGmE9Olzstw4zfGCkd0IK7Y
+-> AQvw>-grease `Pf
+PpONBRKybtkIwA3qrv0X0WaHlHcTd3VeDNOF0MUu4M+qrO1bI71sDL1+sPz/Hm/2
+bkOFCT1xxYFwBQYaRrWY5/3qSKWi
+--- zp9aNIrYy+Z55Fp+bQ4D0BhLkOAwx5gb5vH4+qkXJmY
+<EFBFBD>Þˆ7òé=1uF‡`Òdþ	b–Õ×ò‘<C3B2>©åÿëdgN°M¤q^ðb<C3B0>E¬Ûhå ÌI¸O…{:ú!FWÜŒjyßcÇ²ñk§§)c<08>ƒ¢íópÝ¶dµƒ
--- a/hosts/Infini-DL360/secrets/searx.age
+++ b/hosts/Infini-DL360/secrets/searx.age
--- a/hosts/Infini-DL360/secrets/vaultwarden.age
+++ b/hosts/Infini-DL360/secrets/vaultwarden.age