karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor secrets

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-07-24 11:01:47 +01:00
parent ba55a766ec
commit 15bf209e8c
62 changed files with 214 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored Normal file
View File

@@ -0,0 +1,3 @@
[submodule "secrets"]
path = secrets
url = https://git.karaolidis.com/karaolidis/nix-secrets.git

2
README.md
View File

@@ -19,8 +19,6 @@ NixOS dotfiles and configuration for various hosts and users.
- [`packages/`](./packages/): Custom packages. - [`packages/`](./packages/): Custom packages.
- `secrets/<namespace>/`: Global secrets for individual namespaces that apply across all hosts.
- [`lib/`](./lib): Nix library function definitions and utilities. - [`lib/`](./lib): Nix library function definitions and utilities.
- [`scripts/`](./lib/scripts): Utility scripts for managing the repository. - [`scripts/`](./lib/scripts): Utility scripts for managing the repository.

17
flake.lock generated
View File

@@ -252,12 +252,29 @@
"nur": "nur", "nur": "nur",
"nvidia-patch": "nvidia-patch", "nvidia-patch": "nvidia-patch",
"quadlet-nix": "quadlet-nix", "quadlet-nix": "quadlet-nix",
"secrets": "secrets",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"spicetify-nix": "spicetify-nix", "spicetify-nix": "spicetify-nix",
"systems": "systems", "systems": "systems",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
} }
}, },
"secrets": {
"flake": false,
"locked": {
"lastModified": 1753348217,
"narHash": "sha256-0WC1OduTSV52LHWvOBH5jJ/CjSnQG+k1c0xWP9jAMJM=",
"ref": "refs/heads/main",
"rev": "63c7032ad90dbafa555b02450e146dbb8be4b89c",
"revCount": 11,
"type": "git",
"url": "https://git.karaolidis.com/karaolidis/nix-secrets.git"
},
"original": {
"type": "git",
"url": "https://git.karaolidis.com/karaolidis/nix-secrets.git"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [

5
flake.nix
View File

@@ -17,6 +17,11 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
secrets = {
url = "git+https://git.karaolidis.com/karaolidis/nix-secrets.git";
flake = false;
};
systems.url = "github:nix-systems/default"; systems.url = "github:nix-systems/default";
nur = { nur = {

4
hosts/common/configs/system/nix-install/install.sh
View File

@@ -51,7 +51,7 @@ check_key() {
set_password_file() { set_password_file() {
SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt" SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
export SOPS_AGE_KEY_FILE export SOPS_AGE_KEY_FILE
sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/keyfile sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
unset SOPS_AGE_KEY_FILE unset SOPS_AGE_KEY_FILE
} }
@@ -64,7 +64,7 @@ prepare_disk() {
copy_keys() { copy_keys() {
mkdir -p "$root/persist/state/etc/ssh" mkdir -p "$root/persist/state/etc/ssh"
cp -f "$flake/hosts/$host/secrets/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key" cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
for path in "$flake/hosts/$host/users"/*; do for path in "$flake/hosts/$host/users"/*; do
if [[ -z "$key" ]]; then if [[ -z "$key" ]]; then

6
hosts/common/configs/system/nix/default.nix
View File

@@ -2,10 +2,8 @@
{ {
sops = { sops = {
secrets = { secrets = {
"git/credentials/github.com/public/username".sopsFile = "git/credentials/github.com/public/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
../../../../../secrets/personal/secrets.yaml; "git/credentials/github.com/public/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"git/credentials/github.com/public/password".sopsFile =
../../../../../secrets/personal/secrets.yaml;
}; };
templates.nix-access-tokens = { templates.nix-access-tokens = {

2
hosts/common/configs/system/sops/default.nix
View File

@@ -18,7 +18,7 @@
}; };
sops = { sops = {
defaultSopsFile = ../../../../. + "/${config.networking.hostName}/secrets/secrets.yaml"; defaultSopsFile = "${inputs.secrets}/hosts/${config.networking.hostName}/secrets.yaml";
age = { age = {
generateKey = true; generateKey = true;

14
hosts/common/configs/system/ssh/default.nix
View File

@@ -1,22 +1,22 @@
{ ... }: { inputs, ... }:
{ {
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
installer.publicKeyFile = ../../../../installer/secrets/ssh_host_ed25519_key.pub; installer.publicKeyFile = "${inputs.secrets}/hosts/installer/ssh_host_ed25519_key.pub";
elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub; elara.publicKeyFile = "${inputs.secrets}/hosts/elara/ssh_host_ed25519_key.pub";
himalia.publicKeyFile = ../../../../himalia/secrets/ssh_host_ed25519_key.pub; himalia.publicKeyFile = "${inputs.secrets}/hosts/himalia/ssh_host_ed25519_key.pub";
jupiter = { jupiter = {
publicKeyFile = ../../../../jupiter/secrets/ssh_host_ed25519_key.pub; publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_host_ed25519_key.pub";
extraHostNames = [ "karaolidis.com" ]; extraHostNames = [ "karaolidis.com" ];
}; };
jupiter-sish = { jupiter-sish = {
publicKeyFile = ../../../../jupiter/users/storm/configs/console/podman/sish/ssh_host_ed25519_key.pub; publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_sish_ed25519_key.pub";
extraHostNames = [ "karaolidis.com" ]; extraHostNames = [ "karaolidis.com" ];
}; };
jupiter-vps = { jupiter-vps = {
publicKeyFile = ../../../../jupiter-vps/secrets/ssh_host_ed25519_key.pub; publicKeyFile = "${inputs.secrets}/hosts/jupiter-vps/ssh_host_ed25519_key.pub";
extraHostNames = [ "vps.karaolidis.com" ]; extraHostNames = [ "vps.karaolidis.com" ];
}; };
}; };

2
hosts/common/configs/user/gui/darktable/default.nix
View File

@@ -82,6 +82,6 @@ in
}; };
sops.secrets."jupiter/photos.karaolidis.com/admin".sopsFile = sops.secrets."jupiter/photos.karaolidis.com/admin".sopsFile =
../../../../../../secrets/personal/secrets.yaml; "${inputs.secrets}/personal/secrets.yaml";
}; };
} }

4
hosts/common/configs/user/gui/obsidian/default.nix
View File

@@ -380,7 +380,7 @@ in
]; ];
searchProvider = "google"; searchProvider = "google";
geocodingApiMethod = "path"; geocodingApiMethod = "path";
geocodingApiPath = hmConfig.sops.secrets."google/geocoding".path; geocodingApiPath = hmConfig.sops.secrets."google/cloud/obsidian/geocoding".path;
useGooglePlaces = true; useGooglePlaces = true;
letZoomBeyondMax = true; letZoomBeyondMax = true;
showGeolinkPreview = true; showGeolinkPreview = true;
@@ -608,6 +608,6 @@ in
} }
) hmConfig.programs.obsidian.vaults; ) hmConfig.programs.obsidian.vaults;
sops.secrets."google/geocoding".sopsFile = ../../../../../../secrets/personal/secrets.yaml; sops.secrets."google/cloud/obsidian/geocoding".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
}; };
} }

2
hosts/common/configs/user/gui/spicetify/default.nix
View File

@@ -64,7 +64,7 @@ in
]; ];
}; };
sops.secrets."spotify/username".sopsFile = ../../../../../../secrets/personal/secrets.yaml; sops.secrets."spotify/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
xdg.configFile = { xdg.configFile = {
"spotify/prefs.init" = { "spotify/prefs.init" = {

2
hosts/elara/configs/git/default.nix
View File

@@ -10,7 +10,7 @@ let
in in
{ {
sops.secrets."ssh/sas/ed25519/key" = { sops.secrets."ssh/sas/ed25519/key" = {
sopsFile = ../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "ssh/ed25519/key"; key = "ssh/ed25519/key";
path = "/root/.ssh/ssh_sas_ed25519_key"; path = "/root/.ssh/ssh_sas_ed25519_key";
}; };

1
hosts/elara/secrets/ssh_host_ed25519_key.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2sVagJ2CqpitBK4izlfKWIe2n2xkfV95F0VNkAc3FD root@elara

8
hosts/elara/users/nikara/configs/console/git/default.nix
View File

@@ -16,22 +16,22 @@ in
sops = { sops = {
secrets = { secrets = {
"git/credentials/personal/git.karaolidis.com/admin/username" = { "git/credentials/personal/git.karaolidis.com/admin/username" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "git/credentials/git.karaolidis.com/admin/username"; key = "git/credentials/git.karaolidis.com/admin/username";
}; };
"git/credentials/personal/git.karaolidis.com/admin/password" = { "git/credentials/personal/git.karaolidis.com/admin/password" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "git/credentials/git.karaolidis.com/admin/password"; key = "git/credentials/git.karaolidis.com/admin/password";
}; };
"git/credentials/sas/github.com/admin/username" = { "git/credentials/sas/github.com/admin/username" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "git/credentials/github.com/admin/username"; key = "git/credentials/github.com/admin/username";
}; };
"git/credentials/sas/github.com/admin/password" = { "git/credentials/sas/github.com/admin/password" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "git/credentials/github.com/admin/password"; key = "git/credentials/github.com/admin/password";
}; };
}; };

10
hosts/elara/users/nikara/configs/console/gpg/default.nix
View File

@@ -1,5 +1,5 @@
{ user, home }: { user, home }:
{ config, ... }: { config, inputs, ... }:
let let
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
in in
@@ -7,22 +7,22 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"gpg/personal/key" = { "gpg/personal/key" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "gpg/key"; key = "gpg/key";
}; };
"gpg/personal/pass" = { "gpg/personal/pass" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "gpg/pass"; key = "gpg/pass";
}; };
"gpg/sas/key" = { "gpg/sas/key" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "gpg/key"; key = "gpg/key";
}; };
"gpg/sas/pass" = { "gpg/sas/pass" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "gpg/pass"; key = "gpg/pass";
}; };
}; };

7
hosts/elara/users/nikara/configs/console/podman/default.nix
View File

@@ -3,6 +3,7 @@
config, config,
lib, lib,
pkgs, pkgs,
inputs,
... ...
}: }:
let let
@@ -12,17 +13,17 @@ in
home-manager.users.${user}.sops = { home-manager.users.${user}.sops = {
secrets = { secrets = {
"registry/personal/docker.io" = { "registry/personal/docker.io" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "registry/docker.io"; key = "registry/docker.io";
}; };
"registry/personal/registry.karaolidis.com" = { "registry/personal/registry.karaolidis.com" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "registry/registry.karaolidis.com"; key = "registry/registry.karaolidis.com";
}; };
"registry/sas/cr.sas.com" = { "registry/sas/cr.sas.com" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "registry/cr.sas.com"; key = "registry/cr.sas.com";
}; };
}; };

6
hosts/elara/users/nikara/configs/console/sas/default.nix
View File

@@ -1,8 +1,8 @@
{ user, home }: { user, home }:
{ ... }: { inputs, ... }:
{ {
home-manager.users.${user}.sops.secrets = { home-manager.users.${user}.sops.secrets = {
"artifactory/cdp/user".sopsFile = ../../../../../../../secrets/sas/secrets.yaml; "artifactory/cdp/user".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
"artifactory/cdp/password".sopsFile = ../../../../../../../secrets/sas/secrets.yaml; "artifactory/cdp/password".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
}; };
} }

12
hosts/elara/users/nikara/configs/console/ssh/default.nix
View File

@@ -14,35 +14,35 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"ssh/personal/key" = { "ssh/personal/key" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "ssh/key"; key = "ssh/key";
path = "${home}/.ssh/ssh_personal_ed25519_key"; path = "${home}/.ssh/ssh_personal_ed25519_key";
}; };
"ssh/personal/pass" = { "ssh/personal/pass" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "ssh/pass"; key = "ssh/pass";
}; };
"ssh/sas/ed25519/key" = { "ssh/sas/ed25519/key" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "ssh/ed25519/key"; key = "ssh/ed25519/key";
path = "${home}/.ssh/ssh_sas_ed25519_key"; path = "${home}/.ssh/ssh_sas_ed25519_key";
}; };
"ssh/sas/ed25519/pass" = { "ssh/sas/ed25519/pass" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "ssh/ed25519/pass"; key = "ssh/ed25519/pass";
}; };
"ssh/sas/rsa/key" = { "ssh/sas/rsa/key" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "ssh/rsa/key"; key = "ssh/rsa/key";
path = "${home}/.ssh/ssh_sas_rsa_key"; path = "${home}/.ssh/ssh_sas_rsa_key";
}; };
"ssh/sas/rsa/pass" = { "ssh/sas/rsa/pass" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "ssh/rsa/pass"; key = "ssh/rsa/pass";
}; };
}; };

4
hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix
View File

@@ -13,8 +13,8 @@ in
{ {
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"viya/orders-api/key".sopsFile = ../../../../../../../secrets/sas/secrets.yaml; "viya/orders-api/key".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
"viya/orders-api/secret".sopsFile = ../../../../../../../secrets/sas/secrets.yaml; "viya/orders-api/secret".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
}; };
home.packages = [ selfPkgs.viya4-orders-cli ]; home.packages = [ selfPkgs.viya4-orders-cli ];

9
hosts/elara/users/nikara/default.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, ... }: {
config,
lib,
inputs,
...
}:
let let
# FIXME: https://github.com/NixOS/nixpkgs/issues/24570 # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
# FIXME: https://github.com/NixOS/nixpkgs/issues/305643 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -97,7 +102,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = ../../../../secrets/sas/secrets.yaml; sopsFile = "${inputs.secrets}/sas/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };

1
hosts/himalia/secrets/ssh_host_ed25519_key.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgGmzh23q/ucuZRRkS4LdPfBdTDWJk0UrlUYVnC7j2b root@himalia

4
hosts/himalia/users/nick/configs/console/git/default.nix
View File

@@ -15,9 +15,9 @@ in
sops = { sops = {
secrets = { secrets = {
"git/credentials/git.karaolidis.com/admin/username".sopsFile = "git/credentials/git.karaolidis.com/admin/username".sopsFile =
../../../../../../../secrets/personal/secrets.yaml; "${inputs.secrets}/personal/secrets.yaml";
"git/credentials/git.karaolidis.com/admin/password".sopsFile = "git/credentials/git.karaolidis.com/admin/password".sopsFile =
../../../../../../../secrets/personal/secrets.yaml; "${inputs.secrets}/personal/secrets.yaml";
}; };
templates."git/credentials" = { templates."git/credentials" = {

6
hosts/himalia/users/nick/configs/console/gpg/default.nix
View File

@@ -1,13 +1,13 @@
{ user, home }: { user, home }:
{ config, ... }: { config, inputs, ... }:
let let
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
in in
{ {
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; "gpg/key".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; "gpg/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
}; };
programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path; programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path;

11
hosts/himalia/users/nick/configs/console/podman/default.nix
View File

@@ -1,13 +1,18 @@
{ user, home }: { user, home }:
{ config, pkgs, ... }: {
config,
pkgs,
inputs,
...
}:
let let
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
in in
{ {
home-manager.users.${user}.sops = { home-manager.users.${user}.sops = {
secrets = { secrets = {
"registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; "registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"registry/registry.karaolidis.com".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; "registry/registry.karaolidis.com".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
}; };
templates."containers-auth.json" = { templates."containers-auth.json" = {

6
hosts/himalia/users/nick/configs/console/ssh/default.nix
View File

@@ -1,5 +1,5 @@
{ user, home }: { user, home }:
{ config, ... }: { config, inputs, ... }:
let let
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
in in
@@ -7,11 +7,11 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"ssh/key" = { "ssh/key" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
path = "${home}/.ssh/ssh_personal_ed25519_key"; path = "${home}/.ssh/ssh_personal_ed25519_key";
}; };
"ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; "ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
}; };
programs.clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path; programs.clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;

9
hosts/himalia/users/nick/default.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, ... }: {
config,
lib,
inputs,
...
}:
let let
# FIXME: https://github.com/NixOS/nixpkgs/issues/24570 # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
# FIXME: https://github.com/NixOS/nixpkgs/issues/305643 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -94,7 +99,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = ../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };

1
hosts/installer/secrets/ssh_host_ed25519_key.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEIK+JkxkC0E8w0IF59gtpG55JBS/osqs1B7VhsI0eI root@installer

4
hosts/installer/users/nick/configs/console/git/default.nix
View File

@@ -15,9 +15,9 @@ in
sops = { sops = {
secrets = { secrets = {
"git/credentials/git.karaolidis.com/admin/username".sopsFile = "git/credentials/git.karaolidis.com/admin/username".sopsFile =
../../../../../../../secrets/personal/secrets.yaml; "${inputs.secrets}/personal/secrets.yaml";
"git/credentials/git.karaolidis.com/admin/password".sopsFile = "git/credentials/git.karaolidis.com/admin/password".sopsFile =
../../../../../../../secrets/personal/secrets.yaml; "${inputs.secrets}/personal/secrets.yaml";
}; };
templates."git/credentials" = { templates."git/credentials" = {

6
hosts/installer/users/nick/configs/console/gpg/default.nix
View File

@@ -1,8 +1,8 @@
{ user, home }: { user, home }:
{ ... }: { inputs, ... }:
{ {
home-manager.users.${user}.sops.secrets = { home-manager.users.${user}.sops.secrets = {
"gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; "gpg/key".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; "gpg/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
}; };
} }

6
hosts/installer/users/nick/configs/console/ssh/default.nix
View File

@@ -1,14 +1,14 @@
{ user, home }: { user, home }:
{ ... }: { inputs, ... }:
{ {
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets = { sops.secrets = {
"ssh/key" = { "ssh/key" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
path = "${home}/.ssh/ssh_personal_ed25519_key"; path = "${home}/.ssh/ssh_personal_ed25519_key";
}; };
"ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; "ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
}; };
programs.ssh.matchBlocks = { programs.ssh.matchBlocks = {

9
hosts/installer/users/nick/default.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, ... }: {
config,
lib,
inputs,
...
}:
let let
# FIXME: https://github.com/NixOS/nixpkgs/issues/24570 # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
# FIXME: https://github.com/NixOS/nixpkgs/issues/305643 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -41,7 +46,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = ../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };

1
hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIEQGAjeS+Q5aB8uTmy//XyFRFihtUBeWJbFhIi8YEa3 root@jupiter-vps

4
hosts/jupiter/configs/tv/default.nix
View File

@@ -62,8 +62,8 @@ in
sops = { sops = {
secrets = { secrets = {
"tv/network/password".sopsFile = ../../secrets/secrets.yaml; "tv/network/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"tv/adguard/admin".sopsFile = ../../secrets/secrets.yaml; "tv/adguard/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}; };
templates.adguard-env.content = '' templates.adguard-env.content = ''

1
hosts/jupiter/secrets/ssh_host_ed25519_key.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoe+/nXBPhLKVZ2Fo4iif8F9WgrriBE+/oXPdANR+7G root@jupiter

9
hosts/jupiter/users/nick/configs/console/podman/default.nix
View File

@@ -1,11 +1,16 @@
{ user, home }: { user, home }:
{ config, pkgs, ... }: {
config,
pkgs,
inputs,
...
}:
let let
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
in in
{ {
home-manager.users.${user}.sops = { home-manager.users.${user}.sops = {
secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
templates.containers-auth = { templates.containers-auth = {
content = builtins.readFile ( content = builtins.readFile (

9
hosts/jupiter/users/nick/default.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, ... }: {
config,
lib,
inputs,
...
}:
let let
# FIXME: https://github.com/NixOS/nixpkgs/issues/24570 # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
# FIXME: https://github.com/NixOS/nixpkgs/issues/305643 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -38,7 +43,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = ../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };

16
hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
View File

@@ -16,14 +16,14 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"authelia/session".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/session".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"authelia/resetPasswordJwt".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/resetPasswordJwt".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"authelia/oidcHmac".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/oidcHmac".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"authelia/oidcKey".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/oidcKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"authelia/storage".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/storage".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"authelia/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"authelia/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"authelia/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/users/karaolidis".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}; };
templates = { templates = {

9
hosts/jupiter/users/storm/configs/console/podman/default.nix
View File

@@ -1,5 +1,10 @@
{ user, home }: { user, home }:
{ config, pkgs, ... }: {
config,
pkgs,
inputs,
...
}:
let let
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
in in
@@ -35,7 +40,7 @@ in
]; ];
sops = { sops = {
secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
templates.containers-auth = { templates.containers-auth = {
content = builtins.readFile ( content = builtins.readFile (

16
hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
View File

@@ -68,14 +68,14 @@ in
{ {
sops = { sops = {
secrets = { secrets = {
"gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/secretKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/internalToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/jwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/lfsJwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; "gitea/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}; };
templates = { templates = {

6
hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix
View File

@@ -17,9 +17,9 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"grafana/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; "grafana/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"grafana/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; "grafana/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"grafana/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; "grafana/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}; };
templates = { templates = {

10
hosts/jupiter/users/storm/configs/console/podman/media/jellyfin/default.nix
View File

@@ -17,11 +17,11 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"jellyfin/admin".sopsFile = ../../../../../../../secrets/secrets.yaml; "jellyfin/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"jellyfin/authelia/password".sopsFile = ../../../../../../../secrets/secrets.yaml; "jellyfin/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"jellyfin/authelia/digest".sopsFile = ../../../../../../../secrets/secrets.yaml; "jellyfin/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"opensubtitles/username".sopsFile = ../../../../../../../../../secrets/personal/secrets.yaml; "opensubtitles/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
"opensubtitles/password".sopsFile = ../../../../../../../../../secrets/personal/secrets.yaml; "opensubtitles/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
}; };
templates = { templates = {

6
hosts/jupiter/users/storm/configs/console/podman/media/jellyseerr/default.nix
View File

@@ -24,9 +24,9 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"jellyseerr/smtp".sopsFile = ../../../../../../../secrets/secrets.yaml; "jellyseerr/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"jellyseerr/authelia/password".sopsFile = ../../../../../../../secrets/secrets.yaml; "jellyseerr/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"jellyseerr/authelia/digest".sopsFile = ../../../../../../../secrets/secrets.yaml; "jellyseerr/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}; };
templates = { templates = {

2
hosts/jupiter/users/storm/configs/console/podman/media/prowlarr/default.nix
View File

@@ -20,7 +20,7 @@ in
{ {
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets."prowlarr/apiKey".sopsFile = ../../../../../../../secrets/secrets.yaml; secrets."prowlarr/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
templates = { templates = {
prowlarr-env.content = '' prowlarr-env.content = ''

2
hosts/jupiter/users/storm/configs/console/podman/media/radarr/default.nix
View File

@@ -21,7 +21,7 @@ in
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
builtins.map (radarr: { builtins.map (radarr: {
name = "${radarr.hostName}/apiKey"; name = "${radarr.hostName}/apiKey";
value.sopsFile = ../../../../../../../secrets/secrets.yaml; value.sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}) radarrs }) radarrs
); );

2
hosts/jupiter/users/storm/configs/console/podman/media/sonarr/default.nix
View File

@@ -21,7 +21,7 @@ in
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
builtins.map (sonarr: { builtins.map (sonarr: {
name = "${sonarr.hostName}/apiKey"; name = "${sonarr.hostName}/apiKey";
value.sopsFile = ../../../../../../../secrets/secrets.yaml; value.sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}) sonarrs }) sonarrs
); );

2
hosts/jupiter/users/storm/configs/console/podman/media/transmission/default.nix
View File

@@ -13,7 +13,7 @@ let
in in
{ {
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets."transmission/protonvpn".sopsFile = ../../../../../../../secrets/secrets.yaml; sops.secrets."transmission/protonvpn".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
systemd.user.tmpfiles.rules = [ systemd.user.tmpfiles.rules = [
"d /mnt/storage/private/storm/containers/storage/volumes/media/_data/downloads/transmission 755 storm storm" "d /mnt/storage/private/storm/containers/storage/volumes/media/_data/downloads/transmission 755 storm storm"

12
hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix
View File

@@ -16,12 +16,12 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"nextcloud/salt".sopsFile = ../../../../../../secrets/secrets.yaml; "nextcloud/salt".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"nextcloud/secret".sopsFile = ../../../../../../secrets/secrets.yaml; "nextcloud/secret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"nextcloud/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; "nextcloud/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"nextcloud/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; "nextcloud/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"nextcloud/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; "nextcloud/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"nextcloud/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; "nextcloud/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}; };
templates = { templates = {

8
hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
View File

@@ -15,10 +15,10 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"ntfy/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; "ntfy/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"ntfy/webPush/publicKey".sopsFile = ../../../../../../secrets/secrets.yaml; "ntfy/webPush/publicKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"ntfy/webPush/privateKey".sopsFile = ../../../../../../secrets/secrets.yaml; "ntfy/webPush/privateKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"ntfy/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml; "ntfy/users/karaolidis".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}; };
templates = { templates = {

12
hosts/jupiter/users/storm/configs/console/podman/outline/default.nix
View File

@@ -16,12 +16,12 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"outline/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; "outline/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"outline/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml; "outline/secretKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"outline/utilsSecret".sopsFile = ../../../../../../secrets/secrets.yaml; "outline/utilsSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"outline/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; "outline/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"outline/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; "outline/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"outline/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; "outline/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}; };
templates = { templates = {

6
hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
View File

@@ -15,9 +15,9 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"shlink/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; "shlink/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"shlink/apiKey".sopsFile = ../../../../../../secrets/secrets.yaml; "shlink/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"maxmind/licenseKey".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml; "maxmind/licenseKey".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
}; };
templates = { templates = {

2
hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
View File

@@ -15,7 +15,7 @@ in
networking.firewall.allowedTCPPorts = [ 2222 ]; networking.firewall.allowedTCPPorts = [ 2222 ];
home-manager.users.${user} = { home-manager.users.${user} = {
sops.secrets."sish/ssh/key".sopsFile = ../../../../../../secrets/secrets.yaml; sops.secrets."sish/ssh/key".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
virtualisation.quadlet = { virtualisation.quadlet = {
networks.sish = { }; networks.sish = { };

2
hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
View File

@@ -25,7 +25,7 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets."cloudflare/letsencrypt".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml; secrets."cloudflare/letsencrypt".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
templates.traefik-env.content = '' templates.traefik-env.content = ''
CF_DNS_API_TOKEN=${hmConfig.sops.placeholder."cloudflare/letsencrypt"} CF_DNS_API_TOKEN=${hmConfig.sops.placeholder."cloudflare/letsencrypt"}
''; '';

14
hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix
View File

@@ -17,13 +17,13 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"vaultwarden/adminToken".sopsFile = ../../../../../../secrets/secrets.yaml; "vaultwarden/adminToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"vaultwarden/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; "vaultwarden/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"vaultwarden/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; "vaultwarden/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"vaultwarden/push/installationId".sopsFile = ../../../../../../secrets/secrets.yaml; "vaultwarden/push/installationId".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"vaultwarden/push/installationKey".sopsFile = ../../../../../../secrets/secrets.yaml; "vaultwarden/push/installationKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"vaultwarden/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; "vaultwarden/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"vaultwarden/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; "vaultwarden/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
}; };
templates = { templates = {

9
hosts/jupiter/users/storm/default.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, ... }: {
config,
lib,
inputs,
...
}:
let let
# FIXME: https://github.com/NixOS/nixpkgs/issues/24570 # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
# FIXME: https://github.com/NixOS/nixpkgs/issues/305643 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -26,7 +31,7 @@ in
# mkpasswd -s # mkpasswd -s
sops.secrets."${user}-password" = { sops.secrets."${user}-password" = {
sopsFile = ../../../../secrets/personal/secrets.yaml; sopsFile = "${inputs.secrets}/personal/secrets.yaml";
key = "password"; key = "password";
neededForUsers = true; neededForUsers = true;
}; };

16
lib/scripts/add-host.sh
View File

@@ -11,11 +11,11 @@ fi
host="$1" host="$1"
mkdir -p "./hosts/$host/secrets" mkdir -p "./secrets/hosts/$host"
ssh-keygen -t ed25519 -f "./hosts/$host/secrets/ssh_host_ed25519_key" -C "root@$host" -N "" ssh-keygen -t ed25519 -f "./secrets/hosts/$host/ssh_host_ed25519_key" -C "root@$host" -N ""
age_key=$(ssh-to-age < "./hosts/$host/secrets/ssh_host_ed25519_key.pub") age_key=$(ssh-to-age < "./secrets/hosts/$host/ssh_host_ed25519_key.pub")
cat <<EOF > "./hosts/$host/secrets/sops.yaml" cat <<EOF > "./secrets/hosts/$host/sops.yaml"
keys: keys:
- hosts: - hosts:
- &$host $age_key - &$host $age_key
@@ -46,7 +46,7 @@ done
machine_id=$(uuidgen -r | tr -d -) machine_id=$(uuidgen -r | tr -d -)
cat <<EOF > "./hosts/$host/secrets/.decrypted~secrets.yaml" cat <<EOF > "./secrets/hosts/$host/.decrypted~secrets.yaml"
luks: '$luks' luks: '$luks'
machineId: $machine_id machineId: $machine_id
EOF EOF
@@ -55,11 +55,11 @@ tmp_age_key="$(mktemp)"
echo "$age_key" > "$tmp_age_key" echo "$age_key" > "$tmp_age_key"
export SOPS_AGE_KEY_FILE="$tmp_age_key" export SOPS_AGE_KEY_FILE="$tmp_age_key"
sops --config "./hosts/$host/secrets/sops.yaml" --encrypt "./hosts/$host/secrets/.decrypted~secrets.yaml" > "./hosts/$host/secrets/secrets.yaml" sops --config "./secrets/hosts/$host/sops.yaml" --encrypt "./secrets/hosts/$host/.decrypted~secrets.yaml" > "./secrets/hosts/$host/secrets.yaml"
unset SOPS_AGE_KEY_FILE unset SOPS_AGE_KEY_FILE
rm -f "$tmp_age_key" rm -f "$tmp_age_key"
rm -f "./hosts/$host/secrets/.decrypted~secrets.yaml" rm -f "./secrets/hosts/$host/.decrypted~secrets.yaml"
mkdir -p "./hosts/$host/hardware" mkdir -p "./hosts/$host/hardware"
@@ -194,7 +194,7 @@ EOF
sed -i "/nixosConfigurations = {/a\\ sed -i "/nixosConfigurations = {/a\\
$host = mkNixosConfiguration inputs system [ ./hosts/$host ];\n" flake.nix $host = mkNixosConfiguration inputs system [ ./hosts/$host ];\n" flake.nix
sed -i "/knownHosts = {/a\\ $host.publicKeyFile = ../../../../$host/secrets/ssh_host_ed25519_key.pub;" ./hosts/common/configs/system/ssh/default.nix sed -i "/knownHosts = {/a\\ $host.publicKeyFile = \"${inputs.secrets}/$host/ssh_host_ed25519_key.pub\";" ./hosts/common/configs/system/ssh/default.nix
new_entry="| \`$host\` | [hosts/$host/README.md](./hosts/$host/README.md) |" new_entry="| \`$host\` | [hosts/$host/README.md](./hosts/$host/README.md) |"
last_table_line=$(grep -n "^| " README.md | tail -n 1 | cut -d: -f1) last_table_line=$(grep -n "^| " README.md | tail -n 1 | cut -d: -f1)

2
lib/scripts/remove-host.sh
View File

@@ -11,7 +11,7 @@ fi
host="$1" host="$1"
age_key=$(ssh-to-age < "./hosts/$host/secrets/ssh_host_ed25519_key.pub") age_key=$(ssh-to-age < "./secrets/hosts/$host/ssh_host_ed25519_key.pub")
find . -type f -name "sops.yaml" | while IFS= read -r sops_file; do find . -type f -name "sops.yaml" | while IFS= read -r sops_file; do
sed -i "/ - &$host $age_key/d" "$sops_file" sed -i "/ - &$host $age_key/d" "$sops_file"

2
packages/docker/mariadb/entrypoint.sh
View File

@@ -6,7 +6,7 @@ set -o nounset
MYSQL_USER="${MYSQL_USER:-mariadb}" MYSQL_USER="${MYSQL_USER:-mariadb}"
MYSQL_PASSWORD="${MYSQL_PASSWORD:-mariadb}" MYSQL_PASSWORD="${MYSQL_PASSWORD:-mariadb}"
MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:-$MYSQL_PASSWORD}" MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:-$MYSQL_PASSWORD}"
MYSQL_DB="${MYSQL_DB}" MYSQL_DB="${MYSQL_DB:-main}"
DATADIR="${DATADIR:-/var/lib/mysql}" DATADIR="${DATADIR:-/var/lib/mysql}"
if [ ! -f "$DATADIR/mysql_upgrade_info" ]; then if [ ! -f "$DATADIR/mysql_upgrade_info" ]; then

2
packages/docker/mysql/entrypoint.sh
View File

@@ -6,7 +6,7 @@ set -o nounset
MYSQL_USER="${MYSQL_USER:-mysql}" MYSQL_USER="${MYSQL_USER:-mysql}"
MYSQL_PASSWORD="${MYSQL_PASSWORD:-mysql}" MYSQL_PASSWORD="${MYSQL_PASSWORD:-mysql}"
MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:-$MYSQL_PASSWORD}" MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:-$MYSQL_PASSWORD}"
MYSQL_DB="${MYSQL_DB}" MYSQL_DB="${MYSQL_D:-main}"
DATADIR="${DATADIR:-/var/lib/mysql}" DATADIR="${DATADIR:-/var/lib/mysql}"
if [ ! -f "$DATADIR/mysql_upgrade_history" ]; then if [ ! -f "$DATADIR/mysql_upgrade_history" ]; then

2
packages/docker/nextcloud/entrypoint.sh
View File

@@ -8,7 +8,7 @@ if [ ! -f "/var/www/nextcloud/config/config.php" ]; then
POSTGRES_PORT="${POSTGRES_PORT:-5432}" POSTGRES_PORT="${POSTGRES_PORT:-5432}"
POSTGRES_USER="${POSTGRES_USER:-nextcloud}" POSTGRES_USER="${POSTGRES_USER:-nextcloud}"
POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-nextcloud}" POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-nextcloud}"
POSTGRES_DB="${POSTGRES_DB}" POSTGRES_DB="${POSTGRES_DB:-nextcloud}"
ADMIN_USER="admin" ADMIN_USER="admin"
ADMIN_PASS="$(head -c 128 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c 64)" ADMIN_PASS="$(head -c 128 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c 64)"

2
packages/docker/postgresql/entrypoint.sh
View File

@@ -5,7 +5,7 @@ set -o nounset
POSTGRES_USER="${POSTGRES_USER:-postgres}" POSTGRES_USER="${POSTGRES_USER:-postgres}"
POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-postgres}" POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-postgres}"
POSTGRES_DB="${POSTGRES_DB}" POSTGRES_DB="${POSTGRES_DB:-main}"
export PGDATA="${PGDATA:-/var/lib/postgresql/data}" export PGDATA="${PGDATA:-/var/lib/postgresql/data}"
LOG_PIPE="$(mktemp -u)" LOG_PIPE="$(mktemp -u)"

1
secrets Submodule

Submodule secrets added at 63c7032ad9

2
secrets/.gitignore vendored
View File

@@ -1,2 +0,0 @@
*/key.txt
*/.decrypted~*