Refactor secrets
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
@@ -62,8 +62,8 @@ in
|
||||
|
||||
sops = {
|
||||
secrets = {
|
||||
"tv/network/password".sopsFile = ../../secrets/secrets.yaml;
|
||||
"tv/adguard/admin".sopsFile = ../../secrets/secrets.yaml;
|
||||
"tv/network/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"tv/adguard/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
};
|
||||
|
||||
templates.adguard-env.content = ''
|
||||
|
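Review bot: The new value `"${inputs.secrets}/hosts/jupiter/secrets.yaml"` is written out once per secret in this hunk, and the same literal recurs in the authelia, gitea, grafana, jellyfin, jellyseerr, prowlarr, radarr, sonarr, transmission, nextcloud, ntfy, outline, shlink, sish and vaultwarden hunks, so any change to the secrets flake's directory layout has to be repeated across every module. Binding it once per module, e.g. `hostSecrets = "${inputs.secrets}/hosts/jupiter/secrets.yaml";` in the `let` block whose `in` shows in most of the hunk headers, keeps the path in one place; if the `jupiter` segment is meant to follow the machine, `config.networking.hostName` could replace the literal, but that presumes the hostname matches the directory name, which this diff does not show. Because the file is now reached through a flake input, the secret revision in use is pinned by the lock entry for that input, so a rotated secret only reaches the host after the lock is bumped; that is worth a module comment. The enclosing `sops` attribute set and its `let` binding start outside the hunk.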
@@ -1 +0,0 @@
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoe+/nXBPhLKVZ2Fo4iif8F9WgrriBE+/oXPdANR+7G root@jupiter
|
@@ -1,11 +1,16 @@
|
||||
{ user, home }:
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
hmConfig = config.home-manager.users.${user};
|
||||
in
|
||||
{
|
||||
home-manager.users.${user}.sops = {
|
||||
secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
|
||||
secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
|
||||
|
||||
templates.containers-auth = {
|
||||
content = builtins.readFile (
|
||||
|
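Review bot: The module signature now destructures `inputs` (the added `inputs,` line), but `inputs` is not a standard NixOS module argument; it has to be injected by the evaluating configuration, typically through `specialArgs` or `_module.args`, and that wiring is not part of this diff. If it is absent, evaluation fails with an undefined-argument error rather than anything that points at the missing plumbing, so a one-line comment such as `# inputs: flake inputs, supplied via specialArgs` beside the argument would help the next reader. The same applies to the `{ config, lib, inputs, ... }:` signatures in the two `@@ -1,4 +1,9 @@` hunks and to the `@@ -1,5 +1,10 @@` hunk further down. The function body continues past the end of this hunk.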
@@ -1,4 +1,9 @@
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
# FIXME: https://github.com/NixOS/nixpkgs/issues/24570
|
||||
# FIXME: https://github.com/NixOS/nixpkgs/issues/305643
|
||||
@@ -38,7 +43,7 @@ in
|
||||
|
||||
# mkpasswd -s
|
||||
sops.secrets."${user}-password" = {
|
||||
sopsFile = ../../../../secrets/personal/secrets.yaml;
|
||||
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
|
||||
key = "password";
|
||||
neededForUsers = true;
|
||||
};
|
||||
|
@@ -16,14 +16,14 @@ in
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"authelia/session".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"authelia/resetPasswordJwt".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"authelia/oidcHmac".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"authelia/oidcKey".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"authelia/storage".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"authelia/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"authelia/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"authelia/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"authelia/session".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"authelia/resetPasswordJwt".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"authelia/oidcHmac".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"authelia/oidcKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"authelia/storage".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"authelia/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"authelia/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"authelia/users/karaolidis".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -1,5 +1,10 @@
|
||||
{ user, home }:
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
hmConfig = config.home-manager.users.${user};
|
||||
in
|
||||
@@ -35,7 +40,7 @@ in
|
||||
];
|
||||
|
||||
sops = {
|
||||
secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
|
||||
secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
|
||||
|
||||
templates.containers-auth = {
|
||||
content = builtins.readFile (
|
||||
|
@@ -68,14 +68,14 @@ in
|
||||
{
|
||||
sops = {
|
||||
secrets = {
|
||||
"gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"gitea/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"gitea/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"gitea/secretKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"gitea/internalToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"gitea/jwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"gitea/lfsJwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"gitea/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"gitea/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -17,9 +17,9 @@ in
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"grafana/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"grafana/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"grafana/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"grafana/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"grafana/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"grafana/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -17,11 +17,11 @@ in
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"jellyfin/admin".sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
"jellyfin/authelia/password".sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
"jellyfin/authelia/digest".sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
"opensubtitles/username".sopsFile = ../../../../../../../../../secrets/personal/secrets.yaml;
|
||||
"opensubtitles/password".sopsFile = ../../../../../../../../../secrets/personal/secrets.yaml;
|
||||
"jellyfin/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"jellyfin/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"jellyfin/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"opensubtitles/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
|
||||
"opensubtitles/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -24,9 +24,9 @@ in
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"jellyseerr/smtp".sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
"jellyseerr/authelia/password".sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
"jellyseerr/authelia/digest".sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
"jellyseerr/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"jellyseerr/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"jellyseerr/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -20,7 +20,7 @@ in
|
||||
{
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets."prowlarr/apiKey".sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
secrets."prowlarr/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
|
||||
templates = {
|
||||
prowlarr-env.content = ''
|
||||
|
@@ -21,7 +21,7 @@ in
|
||||
secrets = builtins.listToAttrs (
|
||||
builtins.map (radarr: {
|
||||
name = "${radarr.hostName}/apiKey";
|
||||
value.sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
value.sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
}) radarrs
|
||||
);
|
||||
|
||||
|
@@ -21,7 +21,7 @@ in
|
||||
secrets = builtins.listToAttrs (
|
||||
builtins.map (sonarr: {
|
||||
name = "${sonarr.hostName}/apiKey";
|
||||
value.sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
value.sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
}) sonarrs
|
||||
);
|
||||
|
||||
|
@@ -13,7 +13,7 @@ let
|
||||
in
|
||||
{
|
||||
home-manager.users.${user} = {
|
||||
sops.secrets."transmission/protonvpn".sopsFile = ../../../../../../../secrets/secrets.yaml;
|
||||
sops.secrets."transmission/protonvpn".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
|
||||
systemd.user.tmpfiles.rules = [
|
||||
"d /mnt/storage/private/storm/containers/storage/volumes/media/_data/downloads/transmission 755 storm storm"
|
||||
|
@@ -16,12 +16,12 @@ in
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"nextcloud/salt".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/secret".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"nextcloud/salt".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"nextcloud/secret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"nextcloud/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"nextcloud/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"nextcloud/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"nextcloud/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -15,10 +15,10 @@ in
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"ntfy/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"ntfy/webPush/publicKey".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"ntfy/webPush/privateKey".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"ntfy/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"ntfy/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"ntfy/webPush/publicKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"ntfy/webPush/privateKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"ntfy/users/karaolidis".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -16,12 +16,12 @@ in
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"outline/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"outline/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"outline/utilsSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"outline/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"outline/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"outline/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"outline/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"outline/secretKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"outline/utilsSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"outline/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"outline/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"outline/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -15,9 +15,9 @@ in
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"shlink/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"shlink/apiKey".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"maxmind/licenseKey".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml;
|
||||
"shlink/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"shlink/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"maxmind/licenseKey".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -15,7 +15,7 @@ in
|
||||
networking.firewall.allowedTCPPorts = [ 2222 ];
|
||||
|
||||
home-manager.users.${user} = {
|
||||
sops.secrets."sish/ssh/key".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
sops.secrets."sish/ssh/key".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
|
||||
virtualisation.quadlet = {
|
||||
networks.sish = { };
|
||||
|
@@ -25,7 +25,7 @@ in
|
||||
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets."cloudflare/letsencrypt".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml;
|
||||
secrets."cloudflare/letsencrypt".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
|
||||
templates.traefik-env.content = ''
|
||||
CF_DNS_API_TOKEN=${hmConfig.sops.placeholder."cloudflare/letsencrypt"}
|
||||
'';
|
||||
|
@@ -17,13 +17,13 @@ in
|
||||
home-manager.users.${user} = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"vaultwarden/adminToken".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"vaultwarden/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"vaultwarden/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"vaultwarden/push/installationId".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"vaultwarden/push/installationKey".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"vaultwarden/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"vaultwarden/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||
"vaultwarden/adminToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"vaultwarden/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"vaultwarden/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"vaultwarden/push/installationId".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"vaultwarden/push/installationKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"vaultwarden/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
"vaultwarden/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@@ -1,4 +1,9 @@
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
# FIXME: https://github.com/NixOS/nixpkgs/issues/24570
|
||||
# FIXME: https://github.com/NixOS/nixpkgs/issues/305643
|
||||
@@ -26,7 +31,7 @@ in
|
||||
|
||||
# mkpasswd -s
|
||||
sops.secrets."${user}-password" = {
|
||||
sopsFile = ../../../../secrets/personal/secrets.yaml;
|
||||
sopsFile = "${inputs.secrets}/personal/secrets.yaml";
|
||||
key = "password";
|
||||
neededForUsers = true;
|
||||
};
|
||||
|