Refactor secrets

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 11:01:47 +01:00
parent ba55a766ec
commit 15bf209e8c
62 changed files with 214 additions and 158 deletions


@@ -51,7 +51,7 @@ check_key() {
set_password_file() {
SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
export SOPS_AGE_KEY_FILE
sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/keyfile
sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
unset SOPS_AGE_KEY_FILE
}
@@ -64,7 +64,7 @@ prepare_disk() {
copy_keys() {
mkdir -p "$root/persist/state/etc/ssh"
cp -f "$flake/hosts/$host/secrets/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
for path in "$flake/hosts/$host/users"/*; do
if [[ -z "$key" ]]; then
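Review bot: The rewritten decrypt line in set_password_file still redirects the LUKS passphrase into `/tmp/keyfile`, a fixed, predictable name created under the caller's default umask, so with a typical 022 umask any other local user can read the passphrase while the installer runs; the hunk only changes the source path of the sops file. Restrict the file before writing and stop on a failed decrypt, e.g. `( umask 077; sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile ) || exit 1`, so a sops error does not leave an empty keyfile that the disk step presumably consumes. Whether `set -e` is active is not visible here, since the script's preamble and prepare_disk lie outside the hunk.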


@@ -2,10 +2,8 @@
{
sops = {
secrets = {
"git/credentials/github.com/public/username".sopsFile =
../../../../../secrets/personal/secrets.yaml;
"git/credentials/github.com/public/password".sopsFile =
../../../../../secrets/personal/secrets.yaml;
"git/credentials/github.com/public/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"git/credentials/github.com/public/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
};
templates.nix-access-tokens = {
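Review bot: The two rewritten sopsFile lines now reference `inputs`, but the module's argument header is above the hunk (it starts at line 2), so it is not visible whether `inputs` is actually in scope; the knownHosts module later in this commit adds `{ inputs, ... }:` explicitly, and this file needs the same (or `inputs` supplied through `specialArgs`/`_module.args`), otherwise evaluation fails with an undefined variable. Separately, `inputs.secrets` is a flake input and is therefore fetched into the world-readable Nix store, which is fine for sops-encrypted YAML but means anything unencrypted in that input is exposed the same way; a one-line comment above the block, `# inputs.secrets is a store path: only sops-encrypted files may live there`, would make that constraint explicit.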


@@ -18,7 +18,7 @@
};
sops = {
defaultSopsFile = ../../../../. + "/${config.networking.hostName}/secrets/secrets.yaml";
defaultSopsFile = "${inputs.secrets}/hosts/${config.networking.hostName}/secrets.yaml";
age = {
generateKey = true;


@@ -1,22 +1,22 @@
{ ... }:
{ inputs, ... }:
{
programs.ssh.knownHosts = {
installer.publicKeyFile = ../../../../installer/secrets/ssh_host_ed25519_key.pub;
elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub;
himalia.publicKeyFile = ../../../../himalia/secrets/ssh_host_ed25519_key.pub;
installer.publicKeyFile = "${inputs.secrets}/hosts/installer/ssh_host_ed25519_key.pub";
elara.publicKeyFile = "${inputs.secrets}/hosts/elara/ssh_host_ed25519_key.pub";
himalia.publicKeyFile = "${inputs.secrets}/hosts/himalia/ssh_host_ed25519_key.pub";
jupiter = {
publicKeyFile = ../../../../jupiter/secrets/ssh_host_ed25519_key.pub;
publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_host_ed25519_key.pub";
extraHostNames = [ "karaolidis.com" ];
};
jupiter-sish = {
publicKeyFile = ../../../../jupiter/users/storm/configs/console/podman/sish/ssh_host_ed25519_key.pub;
publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_sish_ed25519_key.pub";
extraHostNames = [ "karaolidis.com" ];
};
jupiter-vps = {
publicKeyFile = ../../../../jupiter-vps/secrets/ssh_host_ed25519_key.pub;
publicKeyFile = "${inputs.secrets}/hosts/jupiter-vps/ssh_host_ed25519_key.pub";
extraHostNames = [ "vps.karaolidis.com" ];
};
};
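Review bot: The rewritten publicKeyFile entries read `.pub` files from `inputs.secrets`, and the installer script in this same commit copies an unencrypted `ssh_host_ed25519_key` from the same `secrets/hosts/<host>/` layout; if those private halves are committed in plaintext in the `secrets` input, every machine that evaluates this flake fetches them into `/nix/store`, which is readable by every local user, so the host keys would be exposed well beyond the host they belong to. Worth confirming that only the `.pub` files are stored unencrypted there (or that the private keys are sops-encrypted and decrypted at install time), and documenting it at the top of this attribute set with `# only the .pub halves may live unencrypted in inputs.secrets; private keys must stay encrypted`. The `jupiter-sish` entry also changes to a new file name, `ssh_sish_ed25519_key.pub`, which must exist in the input or evaluation fails.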