Reorganize secrets

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-15 09:58:03 +03:00
parent 2da836953b
commit 0665ded197
40 changed files with 88 additions and 81 deletions


@@ -1,7 +1,7 @@
{ inputs, ... }:
{
sops.secrets."ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
path = "/root/.ssh/ssh_personal_ed25519_key";
};


@@ -64,5 +64,7 @@
"v /mnt/storage/private 0755 root root - -"
];
users.users.root.openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/personal/id_ed25519.pub" ];
users.users.root.openssh.authorizedKeys.keyFiles = [
"${inputs.secrets}/domains/personal/id_ed25519.pub"
];
}


@@ -10,7 +10,7 @@ let
in
{
home-manager.users.${user}.sops = {
secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
secrets."registry/docker.io".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
templates.containers-auth = {
content = builtins.readFile (


@@ -4,11 +4,11 @@
home-manager.users.${user} = {
sops.secrets = {
"ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
path = "${home}/.ssh/ssh_personal_ed25519_key";
};
"ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"ssh/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
};
};
}
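Review bot: The new `sopsFile` literal `"${inputs.secrets}/domains/personal/secrets.yaml"` is written out twice in this hunk (the `"ssh/key"` and `"ssh/pass"` entries), and the same literal recurs in the opensubtitles hunk further down, so the next relocation of the secrets input means another sweep of every call site. Binding the path once per module, e.g. `let personalSecrets = "${inputs.secrets}/domains/personal/secrets.yaml"; in` ahead of the attribute set and `sopsFile = personalSecrets;` at each entry, keeps the location in one place. The module's function header and any existing `let` are outside this hunk, so where that binding would sit is not visible here.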


@@ -44,7 +44,7 @@ in
# mkpasswd -s
sops.secrets."${user}-password" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "password";
neededForUsers = true;
};
@@ -63,7 +63,7 @@ in
];
linger = true;
uid = lib.strings.toInt (builtins.readFile ./uid);
openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/personal/id_ed25519.pub" ];
openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/domains/personal/id_ed25519.pub" ];
};
home-manager.users.${user}.home = {


@@ -40,7 +40,7 @@ in
];
sops = {
secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
secrets."registry/docker.io".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
templates.containers-auth = {
content = builtins.readFile (


@@ -20,8 +20,8 @@ in
"jellyfin/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"jellyfin/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"jellyfin/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"opensubtitles/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"opensubtitles/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"opensubtitles/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
"opensubtitles/password".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
};
templates = {


@@ -17,7 +17,7 @@ in
secrets = {
"shlink/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"shlink/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"maxmind/licenseKey".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"maxmind/licenseKey".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
};
templates = {


@@ -33,8 +33,8 @@ in
authorizedKeys = pkgs.writeTextFile {
name = "authorized_keys";
text = lib.strings.concatStringsSep "\n" [
(builtins.readFile "${inputs.secrets}/personal/id_ed25519.pub")
(builtins.readFile "${inputs.secrets}/sas/id_globalprotect_ed25519.pub")
(builtins.readFile "${inputs.secrets}/domains/personal/id_ed25519.pub")
(builtins.readFile "${inputs.secrets}/domains/sas/id_globalprotect_ed25519.pub")
];
};
in


@@ -25,7 +25,7 @@ in
home-manager.users.${user} = {
sops = {
secrets."cloudflare/letsencrypt".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
secrets."cloudflare/letsencrypt".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
templates.traefik-env.content = ''
CF_DNS_API_TOKEN=${hmConfig.sops.placeholder."cloudflare/letsencrypt"}
'';


@@ -31,7 +31,7 @@ in
# mkpasswd -s
sops.secrets."${user}-password" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "password";
neededForUsers = true;
};
@@ -53,7 +53,7 @@ in
group = user;
autoSubUidGidRange = true;
useDefaultShell = true;
openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/personal/id_ed25519.pub" ];
openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/domains/personal/id_ed25519.pub" ];
};
groups.${user}.gid = lib.strings.toInt (builtins.readFile ./uid);