karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reorganize secrets

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-08-15 09:58:03 +03:00
parent 2da836953b
commit 0665ded197
40 changed files with 88 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
flake.lock generated
View File

@@ -388,11 +388,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1754897748, "lastModified": 1755240913,
"narHash": "sha256-835Ez+LG0vYZhSuVUreVwoL6qBk7EVtCGuPcluimlBE=", "narHash": "sha256-SSDNNnOjeON7DtoWL+8lDTordE6xqMgDOG2efoN2AaQ=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "148402e92b624b350a600cba8324a54ab014941d", "rev": "0cc52a34f20cd4de6d647986e1df1018aa8dbf82",
"revCount": 30, "revCount": 31,
"type": "git", "type": "git",
"url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git" "url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
}, },

14
hosts/common/configs/system/nix-install/install.sh
View File

@@ -95,13 +95,13 @@ copy_secure_boot_keys() {
SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt" SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
export SOPS_AGE_KEY_FILE export SOPS_AGE_KEY_FILE
sops --decrypt --extract "['guid']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID" sops --decrypt --extract "['guid']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key" sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem" sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key" sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem" sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key" sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem" sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/* chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*

6
hosts/common/configs/system/nix/default.nix
View File

@@ -2,8 +2,10 @@
{ {
sops = { sops = {
secrets = { secrets = {
"git/credentials/github.com/public/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "git/credentials/github.com/public/username".sopsFile =
"git/credentials/github.com/public/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "${inputs.secrets}/domains/personal/secrets.yaml";
"git/credentials/github.com/public/password".sopsFile =
"${inputs.secrets}/domains/personal/secrets.yaml";
}; };
templates.nix-access-tokens = { templates.nix-access-tokens = {

2
hosts/common/configs/user/gui/darktable/default.nix
View File

@@ -82,6 +82,6 @@ in
}; };
sops.secrets."jupiter/photos.karaolidis.com/admin".sopsFile = sops.secrets."jupiter/photos.karaolidis.com/admin".sopsFile =
"${inputs.secrets}/personal/secrets.yaml"; "${inputs.secrets}/domains/personal/secrets.yaml";
}; };
} }

3
hosts/common/configs/user/gui/obsidian/default.nix
View File

@@ -608,6 +608,7 @@ in
} }
) hmConfig.programs.obsidian.vaults; ) hmConfig.programs.obsidian.vaults;
sops.secrets."google/cloud/obsidian/geocoding".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sops.secrets."google/cloud/obsidian/geocoding".sopsFile =
"${inputs.secrets}/domains/personal/secrets.yaml";
}; };
} }

2
hosts/common/configs/user/gui/spicetify/default.nix
View File

@@ -64,7 +64,7 @@ in
]; ];
}; };
sops.secrets."spotify/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sops.secrets."spotify/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
xdg.configFile = { xdg.configFile = {
"spotify/prefs.init" = { "spotify/prefs.init" = {

4
hosts/elara/configs/ssh/default.nix
View File

@@ -11,13 +11,13 @@ in
{ {
sops.secrets = { sops.secrets = {
"ssh/personal/key" = { "ssh/personal/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "ssh/key"; key = "ssh/key";
path = "/root/.ssh/ssh_personal_ed25519_key"; path = "/root/.ssh/ssh_personal_ed25519_key";
}; };
"ssh/sas/ed25519/key" = { "ssh/sas/ed25519/key" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "ssh/ed25519/key"; key = "ssh/ed25519/key";
path = "/root/.ssh/ssh_sas_ed25519_key"; path = "/root/.ssh/ssh_sas_ed25519_key";
}; };

8
hosts/elara/users/nikara/configs/console/gpg/default.nix
View File

@@ -7,22 +7,22 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"gpg/personal/key" = { "gpg/personal/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "gpg/key"; key = "gpg/key";
}; };
"gpg/personal/pass" = { "gpg/personal/pass" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "gpg/pass"; key = "gpg/pass";
}; };
"gpg/sas/key" = { "gpg/sas/key" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "gpg/key"; key = "gpg/key";
}; };
"gpg/sas/pass" = { "gpg/sas/pass" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "gpg/pass"; key = "gpg/pass";
}; };
}; };

6
hosts/elara/users/nikara/configs/console/podman/default.nix
View File

@@ -13,17 +13,17 @@ in
home-manager.users.${user}.sops = { home-manager.users.${user}.sops = {
secrets = { secrets = {
"registry/personal/git.karaolidis.com" = { "registry/personal/git.karaolidis.com" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "registry/git.karaolidis.com"; key = "registry/git.karaolidis.com";
}; };
"registry/personal/docker.io" = { "registry/personal/docker.io" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "registry/docker.io"; key = "registry/docker.io";
}; };
"registry/sas/cr.sas.com" = { "registry/sas/cr.sas.com" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "registry/cr.sas.com"; key = "registry/cr.sas.com";
}; };
}; };

4
hosts/elara/users/nikara/configs/console/sas/default.nix
View File

@@ -2,7 +2,7 @@
{ inputs, ... }: { inputs, ... }:
{ {
home-manager.users.${user}.sops.secrets = { home-manager.users.${user}.sops.secrets = {
"artifactory/cdp/user".sopsFile = "${inputs.secrets}/sas/secrets.yaml"; "artifactory/cdp/user".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
"artifactory/cdp/password".sopsFile = "${inputs.secrets}/sas/secrets.yaml"; "artifactory/cdp/password".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
}; };
} }

20
hosts/elara/users/nikara/configs/console/ssh/default.nix
View File

@@ -15,55 +15,55 @@ in
sops = { sops = {
secrets = { secrets = {
"ssh/personal/key" = { "ssh/personal/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "ssh/key"; key = "ssh/key";
path = "${home}/.ssh/ssh_personal_ed25519_key"; path = "${home}/.ssh/ssh_personal_ed25519_key";
}; };
"ssh/personal/pass" = { "ssh/personal/pass" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "ssh/pass"; key = "ssh/pass";
}; };
"ssh/sas/ed25519/key" = { "ssh/sas/ed25519/key" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "ssh/ed25519/key"; key = "ssh/ed25519/key";
path = "${home}/.ssh/ssh_sas_ed25519_key"; path = "${home}/.ssh/ssh_sas_ed25519_key";
}; };
"ssh/sas/ed25519/pass" = { "ssh/sas/ed25519/pass" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "ssh/ed25519/pass"; key = "ssh/ed25519/pass";
}; };
"ssh/sas/rsa/key" = { "ssh/sas/rsa/key" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "ssh/rsa/key"; key = "ssh/rsa/key";
path = "${home}/.ssh/ssh_sas_rsa_key"; path = "${home}/.ssh/ssh_sas_rsa_key";
}; };
"ssh/sas/rsa/pass" = { "ssh/sas/rsa/pass" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "ssh/rsa/pass"; key = "ssh/rsa/pass";
}; };
"git/credentials/personal/git.karaolidis.com/admin/username" = { "git/credentials/personal/git.karaolidis.com/admin/username" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "git/credentials/git.karaolidis.com/admin/username"; key = "git/credentials/git.karaolidis.com/admin/username";
}; };
"git/credentials/personal/git.karaolidis.com/admin/password" = { "git/credentials/personal/git.karaolidis.com/admin/password" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "git/credentials/git.karaolidis.com/admin/password"; key = "git/credentials/git.karaolidis.com/admin/password";
}; };
"git/credentials/sas/github.com/admin/username" = { "git/credentials/sas/github.com/admin/username" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "git/credentials/github.com/admin/username"; key = "git/credentials/github.com/admin/username";
}; };
"git/credentials/sas/github.com/admin/password" = { "git/credentials/sas/github.com/admin/password" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "git/credentials/github.com/admin/password"; key = "git/credentials/github.com/admin/password";
}; };
}; };

4
hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix
View File

@@ -13,8 +13,8 @@ in
{ {
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"viya/orders-api/key".sopsFile = "${inputs.secrets}/sas/secrets.yaml"; "viya/orders-api/key".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
"viya/orders-api/secret".sopsFile = "${inputs.secrets}/sas/secrets.yaml"; "viya/orders-api/secret".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
}; };
home.packages = [ selfPkgs.viya4-orders-cli ]; home.packages = [ selfPkgs.viya4-orders-cli ];

2
hosts/elara/users/nikara/default.nix
View File

@@ -102,7 +102,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = "${inputs.secrets}/sas/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };

2
hosts/himalia/configs/ssh/default.nix
View File

@@ -1,7 +1,7 @@
{ inputs, ... }: { inputs, ... }:
{ {
sops.secrets."ssh/key" = { sops.secrets."ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
path = "/root/.ssh/ssh_personal_ed25519_key"; path = "/root/.ssh/ssh_personal_ed25519_key";
}; };

4
hosts/himalia/users/nick/configs/console/gpg/default.nix
View File

@@ -6,8 +6,8 @@ in
{ {
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"gpg/key".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "gpg/key".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
"gpg/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "gpg/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
}; };
programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path; programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path;

4
hosts/himalia/users/nick/configs/console/podman/default.nix
View File

@@ -11,8 +11,8 @@ in
{ {
home-manager.users.${user}.sops = { home-manager.users.${user}.sops = {
secrets = { secrets = {
"registry/git.karaolidis.com".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "registry/git.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
"registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "registry/docker.io".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
}; };
templates."containers-auth.json" = { templates."containers-auth.json" = {

8
hosts/himalia/users/nick/configs/console/ssh/default.nix
View File

@@ -14,17 +14,17 @@ in
sops = { sops = {
secrets = { secrets = {
"ssh/key" = { "ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
path = "${home}/.ssh/ssh_personal_ed25519_key"; path = "${home}/.ssh/ssh_personal_ed25519_key";
}; };
"ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "ssh/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
"git/credentials/git.karaolidis.com/admin/username".sopsFile = "git/credentials/git.karaolidis.com/admin/username".sopsFile =
"${inputs.secrets}/personal/secrets.yaml"; "${inputs.secrets}/domains/personal/secrets.yaml";
"git/credentials/git.karaolidis.com/admin/password".sopsFile = "git/credentials/git.karaolidis.com/admin/password".sopsFile =
"${inputs.secrets}/personal/secrets.yaml"; "${inputs.secrets}/domains/personal/secrets.yaml";
}; };
templates."git/credentials" = { templates."git/credentials" = {

2
hosts/himalia/users/nick/default.nix
View File

@@ -105,7 +105,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };

2
hosts/installer/configs/ssh/default.nix
View File

@@ -1,7 +1,7 @@
{ inputs, ... }: { inputs, ... }:
{ {
sops.secrets."ssh/key" = { sops.secrets."ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
path = "/root/.ssh/ssh_personal_ed25519_key"; path = "/root/.ssh/ssh_personal_ed25519_key";
}; };

4
hosts/installer/users/nick/configs/console/gpg/default.nix
View File

@@ -2,7 +2,7 @@
{ inputs, ... }: { inputs, ... }:
{ {
home-manager.users.${user}.sops.secrets = { home-manager.users.${user}.sops.secrets = {
"gpg/key".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "gpg/key".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
"gpg/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "gpg/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
}; };
} }

8
hosts/installer/users/nick/configs/console/ssh/default.nix
View File

@@ -14,17 +14,17 @@ in
sops = { sops = {
secrets = { secrets = {
"ssh/key" = { "ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
path = "${home}/.ssh/ssh_personal_ed25519_key"; path = "${home}/.ssh/ssh_personal_ed25519_key";
}; };
"ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "ssh/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
"git/credentials/git.karaolidis.com/admin/username".sopsFile = "git/credentials/git.karaolidis.com/admin/username".sopsFile =
"${inputs.secrets}/personal/secrets.yaml"; "${inputs.secrets}/domains/personal/secrets.yaml";
"git/credentials/git.karaolidis.com/admin/password".sopsFile = "git/credentials/git.karaolidis.com/admin/password".sopsFile =
"${inputs.secrets}/personal/secrets.yaml"; "${inputs.secrets}/domains/personal/secrets.yaml";
}; };
templates."git/credentials" = { templates."git/credentials" = {

2
hosts/installer/users/nick/default.nix
View File

@@ -45,7 +45,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };

2
hosts/jupiter-vps/configs/ssh/default.nix
View File

@@ -1,7 +1,7 @@
{ inputs, ... }: { inputs, ... }:
{ {
sops.secrets."ssh/key" = { sops.secrets."ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
path = "/root/.ssh/ssh_personal_ed25519_key"; path = "/root/.ssh/ssh_personal_ed25519_key";
}; };

4
hosts/jupiter-vps/default.nix
View File

@@ -31,5 +31,7 @@
environment.impermanence.enable = lib.mkForce false; environment.impermanence.enable = lib.mkForce false;
users.users.root.openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/personal/id_ed25519.pub" ]; users.users.root.openssh.authorizedKeys.keyFiles = [
"${inputs.secrets}/domains/personal/id_ed25519.pub"
];
} }

2
hosts/jupiter/configs/ssh/default.nix
View File

@@ -1,7 +1,7 @@
{ inputs, ... }: { inputs, ... }:
{ {
sops.secrets."ssh/key" = { sops.secrets."ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
path = "/root/.ssh/ssh_personal_ed25519_key"; path = "/root/.ssh/ssh_personal_ed25519_key";
}; };

4
hosts/jupiter/default.nix
View File

@@ -64,5 +64,7 @@
"v /mnt/storage/private 0755 root root - -" "v /mnt/storage/private 0755 root root - -"
]; ];
users.users.root.openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/personal/id_ed25519.pub" ]; users.users.root.openssh.authorizedKeys.keyFiles = [
"${inputs.secrets}/domains/personal/id_ed25519.pub"
];
} }

2
hosts/jupiter/users/nick/configs/console/podman/default.nix
View File

@@ -10,7 +10,7 @@ let
in in
{ {
home-manager.users.${user}.sops = { home-manager.users.${user}.sops = {
secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; secrets."registry/docker.io".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
templates.containers-auth = { templates.containers-auth = {
content = builtins.readFile ( content = builtins.readFile (

4
hosts/jupiter/users/nick/configs/console/ssh/default.nix
View File

@@ -4,11 +4,11 @@
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"ssh/key" = { "ssh/key" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
path = "${home}/.ssh/ssh_personal_ed25519_key"; path = "${home}/.ssh/ssh_personal_ed25519_key";
}; };
"ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "ssh/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
}; };
}; };
} }

4
hosts/jupiter/users/nick/default.nix
View File

@@ -44,7 +44,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };
@@ -63,7 +63,7 @@ in
]; ];
linger = true; linger = true;
uid = lib.strings.toInt (builtins.readFile ./uid); uid = lib.strings.toInt (builtins.readFile ./uid);
openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/personal/id_ed25519.pub" ]; openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/domains/personal/id_ed25519.pub" ];
}; };
home-manager.users.${user}.home = { home-manager.users.${user}.home = {

2
hosts/jupiter/users/storm/configs/console/podman/default.nix
View File

@@ -40,7 +40,7 @@ in
]; ];
sops = { sops = {
secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; secrets."registry/docker.io".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
templates.containers-auth = { templates.containers-auth = {
content = builtins.readFile ( content = builtins.readFile (

4
hosts/jupiter/users/storm/configs/console/podman/media/jellyfin/default.nix
View File

@@ -20,8 +20,8 @@ in
"jellyfin/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; "jellyfin/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"jellyfin/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; "jellyfin/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"jellyfin/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; "jellyfin/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"opensubtitles/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "opensubtitles/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
"opensubtitles/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "opensubtitles/password".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
}; };
templates = { templates = {

2
hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
View File

@@ -17,7 +17,7 @@ in
secrets = { secrets = {
"shlink/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; "shlink/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"shlink/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; "shlink/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"maxmind/licenseKey".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; "maxmind/licenseKey".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
}; };
templates = { templates = {

4
hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
View File

@@ -33,8 +33,8 @@ in
authorizedKeys = pkgs.writeTextFile { authorizedKeys = pkgs.writeTextFile {
name = "authorized_keys"; name = "authorized_keys";
text = lib.strings.concatStringsSep "\n" [ text = lib.strings.concatStringsSep "\n" [
(builtins.readFile "${inputs.secrets}/personal/id_ed25519.pub") (builtins.readFile "${inputs.secrets}/domains/personal/id_ed25519.pub")
(builtins.readFile "${inputs.secrets}/sas/id_globalprotect_ed25519.pub") (builtins.readFile "${inputs.secrets}/domains/sas/id_globalprotect_ed25519.pub")
]; ];
}; };
in in

2
hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
View File

@@ -25,7 +25,7 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets."cloudflare/letsencrypt".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; secrets."cloudflare/letsencrypt".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
templates.traefik-env.content = '' templates.traefik-env.content = ''
CF_DNS_API_TOKEN=${hmConfig.sops.placeholder."cloudflare/letsencrypt"} CF_DNS_API_TOKEN=${hmConfig.sops.placeholder."cloudflare/letsencrypt"}
''; '';

4
hosts/jupiter/users/storm/default.nix
View File

@@ -31,7 +31,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = "${inputs.secrets}/personal/secrets.yaml"; sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };
@@ -53,7 +53,7 @@ in
group = user; group = user;
autoSubUidGidRange = true; autoSubUidGidRange = true;
useDefaultShell = true; useDefaultShell = true;
openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/personal/id_ed25519.pub" ]; openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/domains/personal/id_ed25519.pub" ];
}; };
groups.${user}.gid = lib.strings.toInt (builtins.readFile ./uid); groups.${user}.gid = lib.strings.toInt (builtins.readFile ./uid);

2
lib/scripts/add-host.sh
View File

@@ -20,7 +20,7 @@ keys:
- hosts: - hosts:
- &$host $age_key - &$host $age_key
- namespaces: - namespaces:
- &personal $(age-keygen -y ./secrets/personal/key.txt | tr -d '\n') - &personal $(age-keygen -y ./secrets/domains/personal/key.txt | tr -d '\n')
creation_rules: creation_rules:
- path_regex: .+\.(yaml|yml|json|env|ini|bin) - path_regex: .+\.(yaml|yml|json|env|ini|bin)

2
packages/comentario/default.nix
View File

@@ -69,7 +69,7 @@ pkgs.buildGoModule (finalAttrs: {
installPhase = '' installPhase = ''
mkdir -p $out/bin $out/lib/${finalAttrs.pname} mkdir -p $out/bin $out/lib/${finalAttrs.pname}
cp -r "$GOPATH/bin/${finalAttrs.pname}" $out/bin/${finalAttrs.pname} cp -r $GOPATH/bin/comentario $out/bin/${finalAttrs.pname}
cp -r db templates $out/lib/${finalAttrs.pname} cp -r db templates $out/lib/${finalAttrs.pname}
wrapProgram $out/bin/${finalAttrs.pname} \ wrapProgram $out/bin/${finalAttrs.pname} \

2
packages/prometheus-fail2ban-exporter/default.nix
View File

@@ -26,6 +26,6 @@ pkgs.buildGoModule (finalAttrs: {
installPhase = '' installPhase = ''
mkdir -p $out/bin mkdir -p $out/bin
cp -r "$GOPATH/bin/fail2ban-prometheus-exporter" $out/bin/prometheus-fail2ban-exporter cp -r $GOPATH/bin/fail2ban-prometheus-exporter $out/bin/prometheus-fail2ban-exporter
''; '';
}) })

2
packages/sas/viya4-orders-cli/default.nix
View File

@@ -23,7 +23,7 @@ pkgs.buildGoModule (finalAttrs: {
installPhase = '' installPhase = ''
mkdir -p $out/bin mkdir -p $out/bin
cp "$GOPATH/bin/viya4-orders-cli" $out/bin/viya4-orders-cli cp $GOPATH/bin/viya4-orders-cli $out/bin/viya4-orders-cli
''; '';
meta.mainProgram = finalAttrs.pname; meta.mainProgram = finalAttrs.pname;

2
secrets

Submodule secrets updated: 148402e92b...0cc52a34f2