From 55dcb2fca7d70624069174509cdb9c3e6c8009a2 Mon Sep 17 00:00:00 2001 
From: Jimbo Date: Mon, 28 Oct 2024 23:24:12 -0400 Subject: [PATCH] Agenix secrets overhaul --- .gitattributes | 1 - flake.lock | 130 +++++++++++++++--- flake.nix | 4 + hosts/bomberman/system/default.nix | 9 +- hosts/cyberspark/system/default.nix | 9 +- hosts/detritus/system/default.nix | 9 +- hosts/firefly/system/default.nix | 7 +- hosts/lacros/system/default.nix | 9 +- hosts/redmond/system/default.nix | 9 +- hosts/shuttle/system/default.nix | 8 +- hosts/treefruit/system/default.nix | 7 +- .../system/accounts/users/jimbo/default.nix | 4 +- .../networking/firewall/server/default.nix | 6 +- .../networking/wireguard/pc/default.nix | 6 +- .../networking/wireguard/server/default.nix | 12 +- modules/system/programs/agenix/default.nix | 7 + .../services/server/ddclient/default.nix | 2 +- .../fileserver/public/nextcloud/default.nix | 6 +- .../public/nextcloud/nginx/default.nix | 18 +++ .../fileserver/public/photoprism/default.nix | 44 +++--- .../public/photoprism/nginx/default.nix | 11 ++ .../services/server/forgejo/default.nix | 2 +- .../services/server/icecast/default.nix | 82 ++++------- .../server/icecast/liquidsoap/default.nix | 30 ++++ .../server/mailserver/simplenix/default.nix | 10 +- .../services/server/social/lemmy/default.nix | 2 +- .../server/social/mastodon/default.nix | 2 +- .../server/social/matrix/synapse/default.nix | 2 +- .../matrix/synapse/slidingsync/default.nix | 2 +- .../server/social/pixelfed/default.nix | 4 +- .../services/server/transmission/default.nix | 2 +- variables/default.nix | 1 - variables/secrets/agenix/cloudflareKey.age | 7 + variables/secrets/agenix/cornIP.age | 7 + variables/secrets/agenix/cornMailHash.age | Bin 0 -> 383 bytes variables/secrets/agenix/icecastAdminPass.age | 8 ++ .../secrets/agenix/icecastSourcePass.age | 7 + variables/secrets/agenix/jimboAccPass.age | Bin 0 -> 1089 bytes variables/secrets/agenix/jimboMailHash.age | 7 + variables/secrets/agenix/lunaMailHash.age | 7 + variables/secrets/agenix/matrixSecret.age | Bin 0 -> 
387 bytes variables/secrets/agenix/noreplyMailHash.age | 7 + variables/secrets/agenix/noreplyMailPass.age | 7 + variables/secrets/agenix/pixelfedKey.age | 7 + variables/secrets/agenix/prismAdminPass.age | 7 + variables/secrets/agenix/secrets.nix | 44 ++++++ variables/secrets/agenix/tinyMailHash.age | 7 + variables/secrets/agenix/transmissionPass.age | 8 ++ variables/secrets/agenix/wgClientPriv.age | 16 +++ variables/secrets/agenix/wgClientPub.age | 7 + variables/secrets/agenix/wgServerPriv.age | Bin 0 -> 367 bytes variables/secrets/agenix/wgServerPub.age | 16 +++ variables/secrets/common/default.nix | 7 + variables/secrets/default.nix | Bin 2237 -> 0 bytes variables/secrets/pc/default.nix | 7 + variables/secrets/server/default.nix | 27 ++++ 56 files changed, 530 insertions(+), 137 deletions(-) delete mode 100644 .gitattributes create mode 100644 modules/system/programs/agenix/default.nix create mode 100644 modules/system/services/server/fileserver/public/nextcloud/nginx/default.nix create mode 100644 modules/system/services/server/fileserver/public/photoprism/nginx/default.nix create mode 100644 modules/system/services/server/icecast/liquidsoap/default.nix create mode 100644 variables/secrets/agenix/cloudflareKey.age create mode 100644 variables/secrets/agenix/cornIP.age create mode 100644 variables/secrets/agenix/cornMailHash.age create mode 100644 variables/secrets/agenix/icecastAdminPass.age create mode 100644 variables/secrets/agenix/icecastSourcePass.age create mode 100644 variables/secrets/agenix/jimboAccPass.age create mode 100644 variables/secrets/agenix/jimboMailHash.age create mode 100644 variables/secrets/agenix/lunaMailHash.age create mode 100644 variables/secrets/agenix/matrixSecret.age create mode 100644 variables/secrets/agenix/noreplyMailHash.age create mode 100644 variables/secrets/agenix/noreplyMailPass.age create mode 100644 variables/secrets/agenix/pixelfedKey.age create mode 100644 variables/secrets/agenix/prismAdminPass.age create mode 100644 
variables/secrets/agenix/secrets.nix create mode 100644 variables/secrets/agenix/tinyMailHash.age create mode 100644 variables/secrets/agenix/transmissionPass.age create mode 100644 variables/secrets/agenix/wgClientPriv.age create mode 100644 variables/secrets/agenix/wgClientPub.age create mode 100644 variables/secrets/agenix/wgServerPriv.age create mode 100644 variables/secrets/agenix/wgServerPub.age create mode 100644 variables/secrets/common/default.nix delete mode 100644 variables/secrets/default.nix create mode 100644 variables/secrets/pc/default.nix create mode 100644 variables/secrets/server/default.nix diff --git a/.gitattributes b/.gitattributes deleted file mode 100644 index c028012..0000000 --- a/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -variables/secrets/** filter=git-crypt diff=git-crypt diff --git a/flake.lock b/flake.lock index 5f4ee5f..4db0589 100644 --- a/flake.lock +++ b/flake.lock @@ -1,8 +1,29 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "blender-bin": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1727370305, @@ -36,7 +57,7 @@ "chaotic": { "inputs": { "flake-schemas": "flake-schemas", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "jovian": "jovian", "nixpkgs": [ "unstable" 
@@ -78,6 +99,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -163,7 +206,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1710146030, @@ -181,7 +224,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1681202837, @@ -236,6 +279,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "chaotic", @@ -256,7 +320,7 @@ "type": "github" } }, - "home-manager_2": { + "home-manager_3": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -330,7 +394,7 @@ "inputs": { "blobs": "blobs", "flake-compat": "flake-compat_2", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-24_05": "nixpkgs-24_05", "utils": "utils" }, @@ -353,7 +417,7 @@ "inputs": { "flake-compat": "flake-compat_3", "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1729993975, 
@@ -394,16 +458,18 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722221733, + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "12bf09802d77264e441f48e25459c10c93eada2e", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-24.05", - "type": "indirect" + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-24_05": { @@ -438,6 +504,20 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1722221733, + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "12bf09802d77264e441f48e25459c10c93eada2e", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1717602782, "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", @@ -452,7 +532,7 @@ "type": "indirect" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1715266358, "narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=", @@ -468,7 +548,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1729973466, "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=", @@ -527,14 +607,15 @@ }, "root": { "inputs": { + "agenix": "agenix", "blender-bin": "blender-bin", "chaotic": "chaotic", "hardware": "hardware", - "home-manager": "home-manager_2", + "home-manager": "home-manager_3", "lanzaboote": "lanzaboote", "mailserver": "mailserver", "minecraft": "minecraft", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "nur": "nur", "unstable": "unstable" } 
@@ -609,6 +690,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "unstable": { "locked": { "lastModified": 1729880355, @@ -626,7 +722,7 @@ }, "utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1709126324, diff --git a/flake.nix b/flake.nix index 68673c6..f00e2bd 100644 --- a/flake.nix +++ b/flake.nix @@ -24,6 +24,8 @@ mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; minecraft.url = "github:Infinidoge/nix-minecraft"; + + agenix.url = "github:ryantm/agenix"; }; outputs = { @@ -37,6 +39,7 @@ lanzaboote, mailserver, minecraft, + agenix, ... }: let @@ -50,6 +53,7 @@ lanzaboote mailserver minecraft + agenix ; }; }; diff --git a/hosts/bomberman/system/default.nix b/hosts/bomberman/system/default.nix index fbe62ad..0a153d4 100644 --- a/hosts/bomberman/system/default.nix +++ b/hosts/bomberman/system/default.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, agenix, ... }: { imports = [ ./hardware @@ -21,6 +21,13 @@ # Misc ../../../overlays ../../../variables + + # Secrets + ../../../variables/secrets/common + ../../../variables/secrets/server + + # Imports + agenix.nixosModules.default ]; networking.hostName = "bomberman"; diff --git a/hosts/cyberspark/system/default.nix b/hosts/cyberspark/system/default.nix index 5979d3b..49a4d8b 100644 --- a/hosts/cyberspark/system/default.nix +++ b/hosts/cyberspark/system/default.nix @@ -1,4 +1,4 @@ -{ ... }: +{ agenix, ... }: { imports = [ ./hardware 
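Review bot: `agenix.url = "github:ryantm/agenix";` is added without any `follows`, and the flake.lock hunks in this commit show the cost: agenix now pins its own `nixpkgs` (lastModified 1703013332, nixos-unstable), a `darwin` (nix-darwin) and a second `home-manager`, none of which this configuration appears to use. Pointing them at the root inputs keeps a single nixpkgs in the closure and drops the unused inputs: `agenix.inputs.nixpkgs.follows = "nixpkgs";`, `agenix.inputs.home-manager.follows = "";`, `agenix.inputs.darwin.follows = "";`. It is also worth confirming that the `agenix` name added to the inherit list in the third hunk is what reaches the host modules as `{ agenix, ... }`, since the attribute set that list belongs to starts outside the hunk.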
@@ -19,6 +19,13 @@ # Misc ../../../overlays ../../../variables + + # Secrets + ../../../variables/secrets/common + ../../../variables/secrets/server + + # Imports + agenix.nixosModules.default ]; networking.hostName = "cyberspark"; diff --git a/hosts/detritus/system/default.nix b/hosts/detritus/system/default.nix index f5cad98..02d17c1 100644 --- a/hosts/detritus/system/default.nix +++ b/hosts/detritus/system/default.nix @@ -1,4 +1,4 @@ -{ ... }: +{ agenix, ... }: { imports = [ ./hardware @@ -20,6 +20,13 @@ # Extras ../../../overlays ../../../variables + + # Secrets + ../../../variables/secrets/common + ../../../variables/secrets/pc + + # Imports + agenix.nixosModules.default ]; networking.hostName = "detritus"; diff --git a/hosts/firefly/system/default.nix b/hosts/firefly/system/default.nix index 6511ff1..a4b01d2 100644 --- a/hosts/firefly/system/default.nix +++ b/hosts/firefly/system/default.nix @@ -1,4 +1,4 @@ -{ chaotic, pkgs, ... }: +{ pkgs, agenix, chaotic, ... }: { imports = [ ./hardware @@ -24,7 +24,12 @@ ../../../overlays ../../../variables + # Secrets + ../../../variables/secrets/common + ../../../variables/secrets/pc + # Imports + agenix.nixosModules.default chaotic.homeManagerModules.default ]; diff --git a/hosts/lacros/system/default.nix b/hosts/lacros/system/default.nix index 5e8628f..56b0114 100644 --- a/hosts/lacros/system/default.nix +++ b/hosts/lacros/system/default.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, agenix, ... }: { imports = [ ./hardware @@ -21,6 +21,13 @@ # Extras ../../../overlays ../../../variables + + # Secrets + ../../../variables/secrets/common + ../../../variables/secrets/pc + + # Imports + agenix.nixosModules.default ]; services.keyd.keyboards.default.settings.main = { diff --git a/hosts/redmond/system/default.nix b/hosts/redmond/system/default.nix index d1a1cd8..501ef9f 100644 --- a/hosts/redmond/system/default.nix +++ b/hosts/redmond/system/default.nix 
@@ -1,4 +1,4 @@ -{ config, ... }: +{ config, agenix, ... }: { imports = [ ./hardware @@ -21,6 +21,13 @@ # Extras ../../../overlays ../../../variables + + # Secrets + ../../../variables/secrets/common + ../../../variables/secrets/pc + + # Imports + agenix.nixosModules.default ]; networking.hostName = "redmond"; diff --git a/hosts/shuttle/system/default.nix b/hosts/shuttle/system/default.nix index 29a3ed1..1b06a3e 100644 --- a/hosts/shuttle/system/default.nix +++ b/hosts/shuttle/system/default.nix @@ -1,4 +1,4 @@ -{ config, lib, hardware, ... }: +{ config, lib, agenix, hardware, ... }: { imports = [ ./hardware @@ -22,7 +22,13 @@ ../../../overlays ../../../variables + + # Secrets + ../../../variables/secrets/common + ../../../variables/secrets/pc + # Imports + agenix.nixosModules.default hardware.nixosModules.pine64-pinebook-pro ]; diff --git a/hosts/treefruit/system/default.nix b/hosts/treefruit/system/default.nix index db774c6..0f90255 100644 --- a/hosts/treefruit/system/default.nix +++ b/hosts/treefruit/system/default.nix @@ -1,4 +1,4 @@ -{ config, lib, hardware, ... }: +{ config, lib, agenix, hardware, ... }: { imports = [ ./hardware @@ -22,7 +22,12 @@ ../../../overlays ../../../variables + # Secrets + ../../../variables/secrets/common + ../../../variables/secrets/pc + # Imports + agenix.nixosModules.default hardware.nixosModules.apple-macbook-pro-14-1 ]; diff --git a/modules/system/accounts/users/jimbo/default.nix b/modules/system/accounts/users/jimbo/default.nix index dbf7f8f..92ce0c2 100644 --- a/modules/system/accounts/users/jimbo/default.nix +++ b/modules/system/accounts/users/jimbo/default.nix @@ -3,7 +3,7 @@ users.users = { jimbo = { description = "Jimbo"; - hashedPassword = config.secrets.jimboAccPass; + hashedPasswordFile = config.age.secrets.jimboAccPass.path; isNormalUser = true; openssh.authorizedKeys.keys = [ (builtins.readFile ../../../../../hosts/firefly/id_ed25519.pub) 
@@ -17,7 +17,7 @@ (builtins.readFile ../../../../../hosts/cyberspark/id_ed25519.pub) (builtins.readFile ../../../../../hosts/bomberman/id_ed25519.pub) - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJahAoF74BY6GCTsFkt1ADKaraFgJJozW1Y1aBTLK0j9 Pixel9" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJahAoF74BY6GCTsFkt1ADKaraFgJJozW1Y1aBTLK0j9" ]; extraGroups = [ "wheel" diff --git a/modules/system/devices/networking/firewall/server/default.nix b/modules/system/devices/networking/firewall/server/default.nix index 8c0a376..647fcfe 100644 --- a/modules/system/devices/networking/firewall/server/default.nix +++ b/modules/system/devices/networking/firewall/server/default.nix @@ -9,7 +9,7 @@ allowPing = false; extraInputRules = '' ip saddr { ${config.ips.localSpan}.0/24, ${config.ips.wgSpan}.0/24 } tcp dport 2049 accept comment "Accept NFS" - ip saddr { ${config.ips.pc}, ${config.secrets.lunaIP}, ${config.secrets.cornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP" + ip saddr ${config.ips.pc} tcp dport { 1935, 1945 } accept comment "Accept RTMP" ''; }; @@ -34,8 +34,8 @@ udp dport { 7790, 7791, 7792 } dnat to ${config.ips.hx} comment "Deus Ex" - ip saddr ${config.secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR TCP" - ip saddr ${config.secrets.cornIP} udp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR UDP" + ip saddr ${builtins.readFile config.age.secrets.cornIP.path} tcp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR TCP" + ip saddr ${builtins.readFile config.age.secrets.cornIP.path} udp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR UDP" } chain POSTROUTING { diff --git a/modules/system/devices/networking/wireguard/pc/default.nix b/modules/system/devices/networking/wireguard/pc/default.nix index 5a4e531..c9f44d6 100644 --- a/modules/system/devices/networking/wireguard/pc/default.nix +++ b/modules/system/devices/networking/wireguard/pc/default.nix 
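Review bot: `${builtins.readFile config.age.secrets.cornIP.path}` on the two new dnat lines reads the secret during Nix evaluation, not on the target at activation, so it cannot see the file agenix only decrypts at boot — under flakes' pure evaluation an absolute path outside the store should be rejected outright, and in any mode where the read did succeed the plaintext would be interpolated into the generated nftables ruleset in the world-readable Nix store, undoing the point of the overhaul. The same pattern appears in the nextcloud, photoprism, forgejo, icecast, liquidsoap, lemmy, synapse, slidingsync and pixelfed hunks, and the slidingsync hunk additionally wraps the result in `pkgs.writeText`, which places the value in the store even if the read worked. Keep only the path at evaluation time and let the service read it at runtime, as the ddclient, mastodon, transmission and mailserver hunks already do with their `*File` options; where a service exposes no file option, substitute the value into its config from a pre-start step on the host instead of at evaluation. For this ruleset an nftables named set loaded from the decrypted file at activation would keep the address out of the store; the `chain POSTROUTING` block continues outside the hunk.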
@@ -8,12 +8,12 @@ "${config.ips.wgInt}" = { # Define IP of client in per device config listenPort = 51820; - privateKey = config.secrets.wgClientPriv; + privateKeyFile = config.age.secrets.wgClientPriv.path; peers = [ { - publicKey = config.secrets.wgServerPub; + publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0="; allowedIPs = [ "${config.ips.wgSpan}.0/24" ]; - endpoint = "sv.${config.secrets.jimDomain}:51820"; + endpoint = "sv.${config.domains.jim1}:51820"; persistentKeepalive = 25; } ]; diff --git a/modules/system/devices/networking/wireguard/server/default.nix b/modules/system/devices/networking/wireguard/server/default.nix index 89ac746..26c5a40 100644 --- a/modules/system/devices/networking/wireguard/server/default.nix +++ b/modules/system/devices/networking/wireguard/server/default.nix @@ -15,16 +15,16 @@ "${config.ips.wgInt}" = { ips = [ "${config.ips.wgSpan}.1/24" ]; listenPort = 51820; - privateKey = config.secrets.wgServerPriv; + privateKeyFile = config.age.secrets.wgServerPriv.path; peers = [ - { # Jimbo Pixel 9 - publicKey = config.secrets.wgPixel9Pub; - allowedIPs = [ "${config.ips.wgSpan}.2/32" ]; - } { # General Nix - publicKey = config.secrets.wgClientPub; + publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0="; allowedIPs = [ "${config.ips.wgSpan}.16/28" ]; } + { # Jimbo Pixel 9 + publicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4="; + allowedIPs = [ "${config.ips.wgSpan}.2/32" ]; + } ]; }; }; diff --git a/modules/system/programs/agenix/default.nix b/modules/system/programs/agenix/default.nix new file mode 100644 index 0000000..a890a25 --- /dev/null +++ b/modules/system/programs/agenix/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + programs.appimage = { + enable = true; + binfmt = true; + }; +} diff --git a/modules/system/services/server/ddclient/default.nix b/modules/system/services/server/ddclient/default.nix index ab66c91..763c43b 100644 --- a/modules/system/services/server/ddclient/default.nix 
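Review bot: The new file modules/system/programs/agenix/default.nix configures `programs.appimage` (`enable = true; binfmt = true;`) and contains nothing related to agenix, so either the path or the contents is wrong; no host hunk in this commit imports it, and each host instead pulls the module in directly via `agenix.nixosModules.default`. If the appimage settings are what is intended, the directory should be renamed to match (for example `modules/system/programs/appimage/default.nix`); if a shared agenix module was intended, its contents were not committed. A one-line header comment stating the file's purpose would have caught the mismatch.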
+++ b/modules/system/services/server/ddclient/default.nix @@ -6,7 +6,7 @@ use = "web, web=https://ipinfo.io/ip"; zone = "${config.domains.jim1}"; username = "token"; - passwordFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}"; + passwordFile = config.age.secrets.cloudflareKey.path; domains = [ "${config.domains.jim1}" "*.${config.domains.jim1}" diff --git a/modules/system/services/server/fileserver/public/nextcloud/default.nix b/modules/system/services/server/fileserver/public/nextcloud/default.nix index 7c2129e..d5300b5 100644 --- a/modules/system/services/server/fileserver/public/nextcloud/default.nix +++ b/modules/system/services/server/fileserver/public/nextcloud/default.nix @@ -1,5 +1,9 @@ { pkgs, config, ... }: { + imports = [ + ./nginx + ]; + services = { nextcloud = { enable = true; @@ -20,7 +24,7 @@ mail_from_address = "noreply"; mail_smtpauth = "true"; mail_smtpname = "noreply@${config.domains.jim1}"; - mail_smtppassword = config.secrets.noreplyPassword; + mail_smtppassword = "${builtins.readFile config.age.secrets.noreplyMailPass.path}"; mail_smtpmode = "smtp"; mail_smtpport = 587; }; diff --git a/modules/system/services/server/fileserver/public/nextcloud/nginx/default.nix b/modules/system/services/server/fileserver/public/nextcloud/nginx/default.nix new file mode 100644 index 0000000..4350dfd --- /dev/null +++ b/modules/system/services/server/fileserver/public/nextcloud/nginx/default.nix @@ -0,0 +1,18 @@ +{ pkgs, config, ... }: +{ + services.nginx.virtualHosts."cloud.${config.domains.jim1}" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + extraConfig = " + location /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + "; + }; + }; +} 
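Review bot: `addSSL = true` on the new `cloud.${config.domains.jim1}` vhost keeps serving plain HTTP alongside HTTPS, so a browser or DAV client that reaches http:// sends Nextcloud credentials and session cookies in clear; the photoprism vhost added in this same commit uses `forceSSL = true`, which redirects instead, and this one should match: `forceSSL = true;`. It is also worth checking that this file does not collide with the vhost the NixOS nextcloud module already provisions for `services.nextcloud.hostName`, which to my knowledge includes the carddav/caldav well-known redirects declared here — the nextcloud hunk that would show `hostName` is not visible in this section.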
diff --git a/modules/system/services/server/fileserver/public/photoprism/default.nix b/modules/system/services/server/fileserver/public/photoprism/default.nix index 59b01ef..765170f 100644 --- a/modules/system/services/server/fileserver/public/photoprism/default.nix +++ b/modules/system/services/server/fileserver/public/photoprism/default.nix @@ -1,30 +1,24 @@ { config, ... }: { - services = { - photoprism = { - enable = true; - port = 2342; - originalsPath = "/var/lib/private/photoprism/originals"; - address = "0.0.0.0"; - settings = { - PHOTOPRISM_ADMIN_USER = "jimbo"; - PHOTOPRISM_ADMIN_PASSWORD = "${config.secrets.prismAdminPass}"; - PHOTOPRISM_DEFAULT_LOCALE = "en"; - PHOTOPRISM_DATABASE_DRIVER = "mysql"; - PHOTOPRISM_DATABASE_NAME = "photoprism"; - PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; - PHOTOPRISM_DATABASE_USER = "photoprism"; - PHOTOPRISM_SITE_URL = "https://gallery.${config.domains.jim1}"; - PHOTOPRISM_SITE_TITLE = "Jimbo's PhotoPrism"; - }; - }; - nginx.virtualHosts."gallery.${config.domains.jim1}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:2342"; - proxyWebsockets = true; - }; + imports = [ + ./nginx + ]; + + services.photoprism = { + enable = true; + port = 2342; + originalsPath = "/var/lib/private/photoprism/originals"; + address = "0.0.0.0"; + settings = { + PHOTOPRISM_ADMIN_USER = "jimbo"; + PHOTOPRISM_ADMIN_PASSWORD = "${builtins.readFile config.age.secrets.prismAdminPass.path}"; + PHOTOPRISM_DEFAULT_LOCALE = "en"; + PHOTOPRISM_DATABASE_DRIVER = "mysql"; + PHOTOPRISM_DATABASE_NAME = "photoprism"; + PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; + PHOTOPRISM_DATABASE_USER = "photoprism"; + PHOTOPRISM_SITE_URL = "https://gallery.${config.domains.jim1}"; + PHOTOPRISM_SITE_TITLE = "Jimbo's PhotoPrism"; }; }; } 
diff --git a/modules/system/services/server/fileserver/public/photoprism/nginx/default.nix b/modules/system/services/server/fileserver/public/photoprism/nginx/default.nix new file mode 100644 index 0000000..169d953 --- /dev/null +++ b/modules/system/services/server/fileserver/public/photoprism/nginx/default.nix @@ -0,0 +1,11 @@ +{ config, ... }: +{ + services.nginx.virtualHosts."gallery.${config.domains.jim1}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:2342"; + proxyWebsockets = true; + }; + }; +} diff --git a/modules/system/services/server/forgejo/default.nix b/modules/system/services/server/forgejo/default.nix index e03ca36..b67f419 100644 --- a/modules/system/services/server/forgejo/default.nix +++ b/modules/system/services/server/forgejo/default.nix @@ -23,7 +23,7 @@ SMTP_ADDR = "mx.${config.domains.jim1}"; FROM = "Jimbo's Git "; USER = "noreply@${config.domains.jim1}"; - PASSWD = config.secrets.noreplyPassword; + PASSWD = "${builtins.readFile config.age.secrets.noreplyMailPass.path}"; PROTOCOL = "smtps"; }; service = { diff --git a/modules/system/services/server/icecast/default.nix b/modules/system/services/server/icecast/default.nix index f2aff00..826887c 100644 --- a/modules/system/services/server/icecast/default.nix +++ b/modules/system/services/server/icecast/default.nix 
@@ -2,64 +2,34 @@ { imports = [ ./nginx + ./liquidsoap ]; - services = { - icecast = { - enable = true; - listen.port = 265; - hostname = "icecast.${config.domains.jim1}"; - admin = { - user = "jimbo"; - password = "${config.secrets.castAdminPass}"; - }; - extraConf = '' - - ${config.secrets.castSourcePass} - - - Canada - jimbo@${config.domains.jim2} - - - /jimbops.opus - JimBops Radio - Music gathered by me, Jimbo. - https://icecast.jimbosfiles.com/jimbops.opus - Anything - application/ogg - vorbis - - ''; - }; - - # The audio stream - liquidsoap.streams = { - jimbops = pkgs.writeText "liquidjim" '' - settings.log.stdout.set(true) - settings.init.allow_root.set(true) - settings.scheduler.fast_queues.set(2) - settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"]) - - # Define the source with random playlist - jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/")) - - # Ensure the stream never stops - jimbops_fallback = fallback([jimbops, jimbops]) - - # Output configuration to Icecast - output.icecast( - %ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)), - host="127.0.0.1", - port=265, - password="${config.secrets.castSourcePass}", - public=true, - icy_metadata=["artist", "title"], - mount="jimbops.opus", - encoding = "UTF-8", - jimbops_fallback - ) - ''; + services.icecast = { + enable = true; + listen.port = 265; + hostname = "icecast.${config.domains.jim1}"; + admin = { + user = "jimbo"; + password = "${builtins.readFile config.age.secrets.icecastAdminPass.path}"; }; + extraConf = '' + + "${builtins.readFile config.age.secrets.icecastSourcePass.path}" + + + Canada + jimbo@${config.domains.jim2} + + + /jimbops.opus + JimBops Radio + Music gathered by me, Jimbo. + https://icecast.jimbosfiles.com/jimbops.opus + Anything + application/ogg + vorbis + + ''; }; } 
diff --git a/modules/system/services/server/icecast/liquidsoap/default.nix b/modules/system/services/server/icecast/liquidsoap/default.nix new file mode 100644 index 0000000..843f95e --- /dev/null +++ b/modules/system/services/server/icecast/liquidsoap/default.nix @@ -0,0 +1,30 @@ +{ pkgs, config, ... }: +{ + services.liquidsoap.streams = { + jimbops = pkgs.writeText "liquidjim" '' + settings.log.stdout.set(true) + settings.init.allow_root.set(true) + settings.scheduler.fast_queues.set(2) + settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"]) + + # Define the source with random playlist + jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/Synced")) + + # Ensure the stream never stops + jimbops_fallback = fallback([jimbops, jimbops]) + + # Output configuration to Icecast + output.icecast( + %ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)), + host="127.0.0.1", + port=265, + password="${builtins.readFile config.age.secrets.icecastSourcePass.path}", + public=true, + icy_metadata=["artist", "title"], + mount="jimbops.opus", + encoding = "UTF-8", + jimbops_fallback + ) + ''; + }; +} diff --git a/modules/system/services/server/mailserver/simplenix/default.nix b/modules/system/services/server/mailserver/simplenix/default.nix index 69c425b..ce122f0 100644 --- a/modules/system/services/server/mailserver/simplenix/default.nix +++ b/modules/system/services/server/mailserver/simplenix/default.nix 
@@ -28,11 +28,11 @@ # A list of accounts, passwords generated with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' loginAccounts = { "noreply@${config.domains.jim1}" = { - hashedPasswordFile = pkgs.writeText "noreply" config.secrets.noreplyMailHash; + hashedPasswordFile = config.age.secrets.noreplyMailHash.path; sendOnly = true; }; "jimbo@${config.domains.jim2}" = { - hashedPasswordFile = pkgs.writeText "jimbo" config.secrets.jimboMailHash; + hashedPasswordFile = config.age.secrets.jimboMailHash.path; aliases = [ "jimbo@${config.domains.jim1}" "james@${config.domains.jim1}" @@ -42,13 +42,13 @@ ]; }; "luna@${config.domains.luna}" = { - hashedPasswordFile = pkgs.writeText "luna" config.secrets.lunaMailHash; + hashedPasswordFile = config.age.secrets.lunaMailHash.path; }; "corn@${config.domains.corn}" = { - hashedPasswordFile = pkgs.writeText "corn" config.secrets.cornMailHash; + hashedPasswordFile = config.age.secrets.cornMailHash.path; }; "tiny@${config.domains.corn}" = { - hashedPasswordFile = pkgs.writeText "tiny" config.secrets.tinyMailHash; + hashedPasswordFile = config.age.secrets.tinyMailHash.path; }; }; }; diff --git a/modules/system/services/server/social/lemmy/default.nix b/modules/system/services/server/social/lemmy/default.nix index 1704165..d0349fc 100644 --- a/modules/system/services/server/social/lemmy/default.nix +++ b/modules/system/services/server/social/lemmy/default.nix @@ -14,7 +14,7 @@ smtp_server = "mx.${config.domains.jim1}:587"; smtp_login = "noreply@${config.domains.jim1}"; smtp_from_address = "Jimbo's Lemmy "; - smtp_password = config.secrets.noreplyPassword; + smtp_password = "${builtins.readFile config.age.secrets.noreplyMailPass.path}"; tls_type = "starttls"; }; }; diff --git a/modules/system/services/server/social/mastodon/default.nix b/modules/system/services/server/social/mastodon/default.nix index eedc290..5245f63 100644 --- a/modules/system/services/server/social/mastodon/default.nix 
+++ b/modules/system/services/server/social/mastodon/default.nix @@ -12,7 +12,7 @@ authenticate = true; fromAddress = "Jimbo's Mastodon "; user = "noreply@${config.domains.jim1}"; - passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword; + passwordFile = config.age.secrets.noreplyMailPass.path; }; }; } diff --git a/modules/system/services/server/social/matrix/synapse/default.nix b/modules/system/services/server/social/matrix/synapse/default.nix index d889c86..b8f46ff 100644 --- a/modules/system/services/server/social/matrix/synapse/default.nix +++ b/modules/system/services/server/social/matrix/synapse/default.nix @@ -26,7 +26,7 @@ notif_from = "Jimbo's Matrix "; smtp_host = "mx.${config.domains.jim1}"; smtp_user = "noreply@${config.domains.jim1}"; - smtp_pass = config.secrets.noreplyPassword; + smtp_pass = "${builtins.readFile config.age.secrets.noreplyMailPass.path}"; enable_tls = true; smtp_port = 587; require_transport_security = true; diff --git a/modules/system/services/server/social/matrix/synapse/slidingsync/default.nix b/modules/system/services/server/social/matrix/synapse/slidingsync/default.nix index bad4f59..6ac7b61 100644 --- a/modules/system/services/server/social/matrix/synapse/slidingsync/default.nix +++ b/modules/system/services/server/social/matrix/synapse/slidingsync/default.nix @@ -7,7 +7,7 @@ SYNCV3_BINDADDR = "0.0.0.0:8009"; }; environmentFile = "${pkgs.writeText "matrixsecret" '' - SYNCV3_SECRET=${config.secrets.matrixSecret} + SYNCV3_SECRET="${builtins.readFile config.age.secrets.matrixSecret.path}" ''}"; }; } diff --git a/modules/system/services/server/social/pixelfed/default.nix b/modules/system/services/server/social/pixelfed/default.nix index 742fb37..23c5bf6 100644 --- a/modules/system/services/server/social/pixelfed/default.nix +++ b/modules/system/services/server/social/pixelfed/default.nix 
@@ -3,7 +3,7 @@ services.pixelfed = { enable = true; domain = "pics.${config.domains.jim1}"; - secretFile = pkgs.writeText "appkey" config.secrets.pixelfedKey; + secretFile = config.age.secrets.pixelfedKey.path; settings = { APP_NAME = ''"Jimbo's Pixelfed"''; INSTANCE_DESCRIPTION = ''"The Jimbosfiles Pixelfed Instance"''; @@ -22,7 +22,7 @@ MAIL_HOST = "mx.${config.domains.jim1}"; MAIL_PORT = 587; MAIL_USERNAME = "noreply@${config.domains.jim1}"; - MAIL_PASSWORD = "${config.secrets.noreplyPassword}"; + MAIL_PASSWORD = "${builtins.readFile config.age.secrets.noreplyMailPass.path}"; }; nginx = { enableACME = true; diff --git a/modules/system/services/server/transmission/default.nix b/modules/system/services/server/transmission/default.nix index b8d7b05..82951ef 100644 --- a/modules/system/services/server/transmission/default.nix +++ b/modules/system/services/server/transmission/default.nix @@ -6,7 +6,7 @@ services.transmission = { enable = true; - credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile; + credentialsFile = config.age.secrets.transmissionPass.path; openPeerPorts = true; settings = { rpc-authentication-required = true; diff --git a/variables/default.nix b/variables/default.nix index 0c75a33..65bd9c9 100644 --- a/variables/default.nix +++ b/variables/default.nix @@ -5,7 +5,6 @@ ./domains ./ips ./look - ./secrets ./workspaces ]; } diff --git a/variables/secrets/agenix/cloudflareKey.age b/variables/secrets/agenix/cloudflareKey.age new file mode 100644 index 0000000..fc9f4a7 --- /dev/null +++ b/variables/secrets/agenix/cloudflareKey.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA khyW35trVIvCZHYB5J5vAdzNParttdbTb+Ycl6SaW2s +0W7fSM1qoI2BbnbOuN9OHk3hcXwWZ2cgi6sme0TBx9Y +-> ssh-ed25519 JvNkLw wdflnJ12VIbRRNbEGFW0LE6WaB/D5/G2pTEs3AGhgQU +N6KU0GMf1wIGRBJLVU5e1WcLvUEWk63Lr3GzpaojNgs +--- 6u2vl9lBq+MGbFb39wRyoeMyBOxCPGyO0iXeV0wwaJw +@oYپbIw8ܭԳ?- }RT/Z3ѸkZR=ˮ+z*Xf0b \ No newline at end of file 
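Review bot: `MAIL_PASSWORD = "${builtins.readFile config.age.secrets.noreplyMailPass.path}"` bakes the SMTP password into the generated .env in the world-readable /nix/store, which is exactly the exposure the switch to agenix was meant to close, and it makes evaluation depend on `/run/agenix` existing on the evaluating machine. The runtime channel is already wired in the first hunk: `secretFile` is sourced into the .env at start-up and is documented by the module as the place for `APP_KEY` and any other setting that must not reach the store. Put a `MAIL_PASSWORD=…` line next to `APP_KEY=…` in that one age-encrypted env file and drop `MAIL_PASSWORD` from `settings`; while there, confirm that `pixelfedKey.age` decrypts to `KEY=value` lines, since the old `pkgs.writeText "appkey" …` hints it may hold a bare key. The enclosing `settings` attribute set starts and ends outside the hunk.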
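Review bot: `credentialsFile = config.age.secrets.transmissionPass.path;` renames the secret from `transmissionCredFile` to `transmissionPass`, but the module merges this file into settings.json, so it must decrypt to a JSON object such as `{"rpc-password": "…"}` and not to a bare password; confirm the .age content before deploying, because with `rpc-authentication-required = true` a malformed fragment locks the RPC interface. The `services.transmission` block continues outside the hunk.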
diff --git a/variables/secrets/agenix/cornIP.age b/variables/secrets/agenix/cornIP.age new file mode 100644 index 0000000..9574019 --- /dev/null +++ b/variables/secrets/agenix/cornIP.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA CDmBLx1/+kPZXI3LqmJvAQOXskG/t40avr+hiqyQzhA +Q/5PDnyjxUQbCxHjluTETYTAi/zO7G0NvfSF3XEYinA +-> ssh-ed25519 JvNkLw V5FGN/1W9CEf3RT/nsnGiiJdOTsvDexEef+72f+Z0Ug +u1hSg+t4qO/N1Sw4t85/9qGt2TqlPDmujZoGOyMgUxY +--- 9NdLKkW30o1WRVCA0dI0vU1kNnvO2uEC36rOIbJ0wlI +FSRR}<"w{p@IvJ|v}1 \ No newline at end of file diff --git a/variables/secrets/agenix/cornMailHash.age b/variables/secrets/agenix/cornMailHash.age new file mode 100644 index 0000000000000000000000000000000000000000..26b43ee8a50e7b2ef78d0dafbbc069ce27111e4f GIT binary patch literal 383 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnH7?GLbW|`k3(pG* zwa8B@OUZWEPc+ReaV*U=Nb=21&dg3UNDV7D(#}gSsHn=yEavia$|%zJ_BSeUEKbUI zG4#ka&kFO+Nb#!5jwmqmaxX~Fit_O($j^)nNk+HLtIRLkr(7W@z$npAKe!?-%hRN) z$ji)B-#g9SxgaVy+uS9@JTJ`4&EGG`C^gbO*q5s)E2PNW!qPE2xYR%2$)qeJxXQ)A zDKXvOBg4=nJuoQHt18er1x=z2yANZ@=ly=ktfAP1?1b!SeY_6_;hgLG}frd-s0-_~^*} SAPr~p?Oy9%UA?*O$xi@V3y)I( literal 0 HcmV?d00001 diff --git a/variables/secrets/agenix/icecastAdminPass.age b/variables/secrets/agenix/icecastAdminPass.age new file mode 100644 index 0000000..8db8378 --- /dev/null +++ b/variables/secrets/agenix/icecastAdminPass.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA fPD79NPMvwiL+hHk82IieajJa9yvH649bDMGmYREExM +Ju4a1ciZS7J/OSW9puFKnLX/oXjkOg+PwJoEjRLKlYA +-> ssh-ed25519 JvNkLw Pd7sCRAL6tmDvqEmuEcu0ciduOWqgD4/Ov3EwEneWxc +9/w5dGjJOMeT624ppz8UPX74McDNuOrr1siu5DR8S/g +--- b/FkQytFLY9xK+oyqe1Cw60y24oL9Z9w7F1OusI52o0 +D+v rh| +vk(yw+BSݞLkAF3y$Tlp$ \ No newline at end of file diff --git a/variables/secrets/agenix/icecastSourcePass.age b/variables/secrets/agenix/icecastSourcePass.age new file mode 100644 index 0000000..c6ad2c0 --- /dev/null +++ b/variables/secrets/agenix/icecastSourcePass.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA PBcCxs6ilNvC/GpVaduXRioMk/XaZtvwkTtBhILLhH0 +k7LzI2vYBumEKSQ4D08nNv254ffhsJv5bp491ViWN3o +-> ssh-ed25519 JvNkLw M3al6LP872JEtRZABFRUDAq2lVsGjjRueDSchC0s1ms +01N62bVOVqq5YHQSsBO0bCcaBgN155AZ05vp+19Hrvc +--- CVPFAJml7cINyE9tisp0eHsZgCSfHbMVpQV49knXiRs +zHRZ՜734&u 5r>}jh=Ak=CkBil(`+, \ No newline at end of file diff --git a/variables/secrets/agenix/jimboAccPass.age b/variables/secrets/agenix/jimboAccPass.age new file mode 100644 index 0000000000000000000000000000000000000000..cdfd114a0a30fa1a66efcbaf2f3cd0c1a6de2222 GIT binary patch literal 1089 zcmZY7$*bc80LO7XIEM@(s0ed#tOpe>HEEJ2=|xGJrEStIZId)b(d^CICTWu&3)282oN5vSW@TPHl6>3UJ+9i`pmg#Bc_Rtj7vB9=h zh1$qgKEP0IO@az2&4>+HER1j|ghOjhHarK*t7S9KN83Us6oK%MYaBnA50w@a)sE=% z9J!y`xf0W}FlP9aT!3RXpNRw;&oI&&vyn*oK;{L|(7~`kx3x0y`M8Ls{nYVx5?+U* zuf(c8ji-7DM$mDMvbT+&D2pI3Fu{$B@G13 z0^2hZzhuNMtf?xgOcvt`WGAL%IIEr1rb@iFB&i>g>T%86!eQpO!~q*Papcfw&rsFI z>elqKqCz}KbBJwE;e0b6SFA|T(-9Dxi?stPyMZfLF-J}CT;v%t>35yHEJ6^@5F^3^ zZrG^kaV^30B}ulZ47a9XG#F>86b@H*SFEXlSdgBI zVP`-M>8UB;V^h$H0wXE{$o8D1VL{)cFmTRq*g^&|HWMS9pG^>Xvg1U}>h+)+H?GlK zq(}_1r4C)*TTp12FWnfL&dSv2OEnW|3mh4iD~Vk}4hE|mB_aS62OZoF{yzj(=|t=o zb}?ssh_J)}-RaG82Uc3lcx}F49WOa9#Ym`H7_=QhVmRVrkk;F~)UK4qfcq5ZQ4L6h zOdm}^F;T*LpaO_$LAXDnhG{UEBwmDMW{t>#42F~lJ1!L1Fl_nwT470`)9JMMGK;`i zf%hngqZXPebhO}wIk>7*9s=c<4)^7#>PF0(0lxq7uy^J;;^ybkcTatO@ut_#|N7EH z*M0iPgWtS}-e%wZ=wl~NzwpJuU9Ug<<&l3x|MKTE@;{gEefhWH)pvTia(Ku5_MhMU z_QT#SpIy1{;E6xZUOxHk)r)T&e6UVmz2}v4NA4kW{YSy2w|}_x ssh-ed25519 e3smYA nIhCitDd4goQvfnvggVnnP4bPrnxgEMVhwJNPd3hZnw +hCLbjL4kL+f1TobXASLRAPsHweXy+6vBvpUyP7RnURw +-> ssh-ed25519 JvNkLw HFjvkJMgtN6ul3N4bIfNwWC6PeNFgeNHILSpDzbF/ig +Z5EdHAr46sF4bSR5S4HmQZz/hHX84qxnxYRr7cO7dog +--- F7kG/ZHu+w9Gnnp8Nw6g49+LI4/2tvt8BKXO/mzQcWY +N,ilZ1˾g`eL%e-%?G4ȺdK3e>d}t*)$Fz \ No newline at end of file diff --git a/variables/secrets/agenix/lunaMailHash.age b/variables/secrets/agenix/lunaMailHash.age new file mode 100644 index 0000000..6e74515 
--- /dev/null +++ b/variables/secrets/agenix/lunaMailHash.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA 4s2R+OGOvJpMnquk2lWYOwLM4lyfyjKKfBMAR/DQWUM +l/ZbXrLnMy76ReqFdgbXb4UyGmPTf1zK5yHccFabTqs +-> ssh-ed25519 JvNkLw gNXQz/QABqMnaHrgSqqzhxZ73TSpzBXkPRyuvWjVN18 +XVx2GT7wrE4yclT8Ana9fBMT1dd1eMCVAZB8e8ibX74 +--- Y9piO/cFEvSLbO4ZaRrNLP7R9Ep5pRAfP/fUSgTqrRs +7BGi8e'̋ڜ)6+jb] Tb0ʕ AV͡)Xw=Sgv^[/ Śa8ʡg \ No newline at end of file diff --git a/variables/secrets/agenix/matrixSecret.age b/variables/secrets/agenix/matrixSecret.age new file mode 100644 index 0000000000000000000000000000000000000000..35a75bbcfa1829e4331e24a28b80c19a8c1fd75d GIT binary patch literal 387 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnH7?GLbW|vGwa5#~ zj0`C*_RB~z%nWq$ajD2OEDP4o&CIECNz5rrwlogN%r$b$Eaoyvbj~s_)6PoCu?Y6{ zD~^mvG>k|I@GkN$PAf~v4$n__sx&Ne@klmH%|^G)tIRLkr(7W-)iu{I#3az!Ji{o$ zs3gC{CCoB8+&n70#H+N>DX=Wq$UWI3Gu$UVC!NdL-O<~i(4Z)^Agrj;(cdiHyCBNT zHPz5KsXQXmD9t(BGcVV`urR7J-<3;OS689DAm5_UwZJ5-$~7y;GDtro)W0Oy+a%T3 ztTNd(-#p#YG%zgPGB_f@%#o}0Z|q0b&IYfmFSEVe4eoqdW*jVacI}q^zh1cO{E1z# z=&gqDv;RMM9tG}a$gDl|Vvn<(wTSfb!=@jE_xnv)dMof_lzB*T{c3UN_wgy|``zsM VO?Ui~*_*m(uc||Up2O|n^#IP&k8uD1 literal 0 HcmV?d00001 diff --git a/variables/secrets/agenix/noreplyMailHash.age b/variables/secrets/agenix/noreplyMailHash.age new file mode 100644 index 0000000..3c8d0e8 --- /dev/null +++ b/variables/secrets/agenix/noreplyMailHash.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA 83WwnK1TjVZv5/YQfvHBZk6nZIGA+m1U078+Y+MKUGw +Oq7LOdyHnUdYb6P/9PI/D2q9XrEaYTBNPfaAS3xK9jw +-> ssh-ed25519 JvNkLw b/lUmtQXSBYgMc6YHHD7vwBdAHnLcv/WRdZudxmhrzw +1rxu0ZZ5lqPUd7acjPv8z0cxJOPSgVp9PaC5w25MRoE +--- RVHHph3SEe1dlHCHDVnjmnuBEqNeQXuXA82TAikh1AQ +/ d~wg~8"ZwWlV+ꎨ3(Kg%?#Q$=H GH:(|_s7L0٤(_{qv& \ No newline at end of file diff --git a/variables/secrets/agenix/noreplyMailPass.age b/variables/secrets/agenix/noreplyMailPass.age new file mode 100644 index 0000000..99ff42c --- /dev/null 
+++ b/variables/secrets/agenix/noreplyMailPass.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA 8Hp6x3Kv9dAdm8xoYfg2J2EVrZcUMZth2Db+OCOHrW0 +byOSmkKkT2204RfTNVAzv70ojTmU2nhsDRYCl6dGpuw +-> ssh-ed25519 JvNkLw oTZ7j76JP6WjEUMFqXTY4SaELWIT7CgrToebhuoLUAA +0SY4EH9UpxRAWDEHVoGcIux//t6K6CrW/Y/jp+T1xHE +--- 7YjhlVqRia++HUg7tRcGjMGMvAY3b26ygh5DgGjTR/w +eé=_`RUNjVHUgnkMƄ)JS@iv \ No newline at end of file diff --git a/variables/secrets/agenix/pixelfedKey.age b/variables/secrets/agenix/pixelfedKey.age new file mode 100644 index 0000000..84e3c17 --- /dev/null +++ b/variables/secrets/agenix/pixelfedKey.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA NdClQEJBUiVogrX42OHzaM1Mb4rUS0MKfUvYoG4Y7Rk +LY1AQc18I2jYRBGDD27M6OBVswYbdozYl0EIQ+R7r6E +-> ssh-ed25519 JvNkLw xVrNR1PmTJZqmZEUeb1pF9rAaeIz6ZTB6PeSNk6yA2Q +cbMa7O7HlGNa6//6D1Mk/2g0nIJlAzi04fR8CfgFX/g +--- +KZYx3ghNsfMKJf+UiHrzWwDJnUXJ0bas3bVtN23Vm4 +U(ˑ٩zZjVM~2^ M;lIuΨ\7eB[Rn58? (7Rj \ No newline at end of file diff --git a/variables/secrets/agenix/prismAdminPass.age b/variables/secrets/agenix/prismAdminPass.age new file mode 100644 index 0000000..f618634 --- /dev/null +++ b/variables/secrets/agenix/prismAdminPass.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA vRsXOqDJKLJnJ1PDFKUmW1x4GSj5ATHsNpondJgb6lY +l6hkimymlfKDo5GEXcqtWaUAPN0nNwZP/SBJ7Pqq4aA +-> ssh-ed25519 JvNkLw CmwQ9XCLaBqRTrUxkUsVb/j0anoA20DJAfyjhWhbuW8 +u4C+LxF9hLBUdMBmBexk9jbNrFM7c9kjg5jxh45ARco +--- z7DgZANbdh8CM7HWb4mNnLNnkDFIpPrR60rf5vTtTZc +y'pMI6܇ʣ9f:V IMV>9X;}ݹK" \ No newline at end of file diff --git a/variables/secrets/agenix/secrets.nix b/variables/secrets/agenix/secrets.nix new file mode 100644 index 0000000..e2f9412 --- /dev/null +++ b/variables/secrets/agenix/secrets.nix 
@@ -0,0 +1,44 @@
+let
+ pcs = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5gkx+aHESLl7w2LOR/LgzhC/WnXv/mz499LADnZ8/Q"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnWS8gkno+ZIDNDfvux7eXWhtfnz4fqpf6PNLyrITOW"
+ (builtins.readFile ../../../hosts/shuttle/id_ed25519.pub)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7Pnts6n70XTNp6qHxQg5KID6LcUEsz48gOMgPoBe/t"
+ (builtins.readFile ../../../hosts/redmond/id_ed25519.pub)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9HJATd+rgl0GD4/lZeidqIpQkZ6ED+03MkSKAlaDDv"
+ ];
+
+ servers = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwQhs/J6d2U8ZhwdGEV6Cj59u0Wpi4Bek98R2t1PyJf"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqszkKZQ2GsvTM0R7DSUEehm4G12K6OsZrcRE0vysJ3"
+ ];
+in
+{
+ # User passwords 'mkpasswd -m sha-512'
+ "jimboAccPass.age".publicKeys = pcs ++ servers;
+
+ # Wireguard
+ "wgServerPriv.age".publicKeys = servers;
+ "wgClientPriv.age".publicKeys = pcs;
+
+ # Passwords and keys
+ "matrixSecret.age".publicKeys = servers;
+ "pixelfedKey.age".publicKeys = servers;
+ "prismAdminPass.age".publicKeys = servers;
+ "icecastAdminPass.age".publicKeys = servers;
+ "icecastSourcePass.age".publicKeys = servers;
+ "cloudflareKey.age".publicKeys = servers;
+ "transmissionPass.age".publicKeys = servers;
+
+ # Email, 'mkpasswd -m bcrypt'
+ "noreplyMailPass.age".publicKeys = servers;
+ "noreplyMailHash.age".publicKeys = servers;
+ "jimboMailHash.age".publicKeys = servers;
+ "lunaMailHash.age".publicKeys = servers;
+ "cornMailHash.age".publicKeys = servers;
+ "tinyMailHash.age".publicKeys = servers;
+
+ # IPs
+ "cornIP.age".publicKeys = servers;
+}
diff --git a/variables/secrets/agenix/tinyMailHash.age b/variables/secrets/agenix/tinyMailHash.age
new file mode 100644
index 0000000..5c9d8c0
--- /dev/null
+++ b/variables/secrets/agenix/tinyMailHash.age
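Review bot: `"wgClientPriv.age".publicKeys = pcs;` encrypts one WireGuard private key to every PC, and `pc/default.nix` in this same patch declares a single `wgClientPriv` secret, so unless the file is regenerated per host all six machines share one WireGuard identity: the server sees a single peer, two PCs online at once keep overwriting each other's endpoint, and a compromise of any one laptop burns the key for all of them — one entry per host, each encrypted only to that host's key, is the usual shape. Separately, `wgClientPub.age` and `wgServerPub.age` are added by this commit but have no entry here, so `agenix -e` / `agenix -r` cannot edit or rekey them; add `"wgClientPub.age".publicKeys = servers;` and `"wgServerPub.age".publicKeys = pcs;` if those are the intended recipient sets (the committed `wgClientPub.age` carries the same two recipient stanzas as the other server-only files). The comment `# Email, 'mkpasswd -m bcrypt'` also covers `noreplyMailPass.age`, which is a plaintext password consumed by Lemmy, Mastodon, Synapse and Pixelfed rather than a hash; a one-line comment saying so would stop someone "fixing" it into a hash later.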
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA 1Jq7nzdZPvhw6McGTrOOZOtQ/LjOpdXTfxPHwxvoW1k +PmyyuWtzXOAVsZoZzx+s3s9PuN86b/NZx/SLO9Cu+iw +-> ssh-ed25519 JvNkLw 6C5UjHQPGJuwn63IOX5YmIuHwGU3n/Cs9BPqzgzykmw +xE9TsPfuRH4Xvd2uyhDyuJY9ajNq9FbYmCTWzTddFE8 +--- G9oWTI+bBQf/Bn95G3C4CEV2bAO/S4fZGyGYnaDaEEM +3FQ,<H$}rkԸ6:ii4T0Z1Cw 4G8g-ieY2?;KJOd|3OI+w) \ No newline at end of file diff --git a/variables/secrets/agenix/transmissionPass.age b/variables/secrets/agenix/transmissionPass.age new file mode 100644 index 0000000..783a396 --- /dev/null +++ b/variables/secrets/agenix/transmissionPass.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA DjFkxMzBbXups07bIJzK4ODIsAk/bfP8DEV2mFgQEkI +6i2ofona2MwxuCKozsX48X8Ea+Yd/kaIJCJEYdXSvj8 +-> ssh-ed25519 JvNkLw NmD7NAzm67c5Ads+nA8n7aNeWBhSppmTG+iTMdQ/4Wc +1XV+cdFOhGkhM9iz6eK2unElDCMz63SCDkG0thN150E +--- OXUzxk3bvjEQpdIQNbf4oPrPUbY7KQBs9K8QdMvpRhU + = $j7GgI_54c4ZcymF"y%K!~c|ufX$Gv ++ּUJ P7-%s \ No newline at end of file diff --git a/variables/secrets/agenix/wgClientPriv.age b/variables/secrets/agenix/wgClientPriv.age new file mode 100644 index 0000000..666a91e --- /dev/null +++ b/variables/secrets/agenix/wgClientPriv.age 
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-ed25519 /ZcDag zl9Hh/03ChyHbNPUg5Ggn7LWvG2QVQmigSdBiAHdrxw +i9LUKzWmkdBn0VD5tq7lNg2GPVbvV1LMHOqDeBijS/I +-> ssh-ed25519 GKCTHQ wShLKgnCwo3+jmjqDX1u4bAbTP3AJVSm4P0SrVsSsUI +ufAyoYVnzNka44tww/6Miqk+9LwqwLT8GP2m8VLHpxY +-> ssh-ed25519 BctzVQ sIlr4byLpFH9Qo96gxOKqhhXp8A0wP5WPjMJXTFeYFE +HSX5mL4+PeSvXX+LwxC3WvSw1EfZFCWazwq4QSKOcYY +-> ssh-ed25519 ft2jqg Y0SiMwU2T2WhwD8EBLQNHhbWp3ltYKZOgpSwyMbDtF0 +Yjfu+/CtJ+ybyoq+pueoY5Np/SiD7lJHJoBLmTnsAUI +-> ssh-ed25519 m6WZAA 01h6eDQ6lrpZnaof4DbxMEde8aDEbDkIV86I2cyzQGc +dv401nIANBXWzEA2/MgMZpbagAys5nJPxJqdbv98v10 +-> ssh-ed25519 ZUFK4A J0C4YC9eXtMh/wnUY/OfNlyhIi6oMltBWkaMP2ECT3k +a4SL4cbI3oJpmILt1vN2E7yy8PBhvk88pYuhsHRx9b4 +--- 1uXOqr769IAt4zPnAWiy6r1oh9bf/MKwZUJn0Mfzb/I +|S4ci< +>v@~,+w[Y>,QfR/e| OL\+q \ No newline at end of file diff --git a/variables/secrets/agenix/wgClientPub.age b/variables/secrets/agenix/wgClientPub.age new file mode 100644 index 0000000..d4035b7 --- /dev/null +++ b/variables/secrets/agenix/wgClientPub.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 e3smYA mRlVqaa50qM+f9Nhoy4wRumpweW/YnTXm1Q4T//ELVI +EmH08n178gsOdur6TwLnwx+YAYfq1zesGrI3/tQut70 +-> ssh-ed25519 JvNkLw r7bS24QCTg+QN8mDEc+fBkH5G19eYYaHQzNZLekM3U8 ++imhQJJdwJmEIDABvkazDT/khxmADfmuDaz6zi4SxJw +--- ZDa/qnfp6naVMNo+xCNQgeVT4te78T6dkYPUVTacvpc +ƙٔ%^Z澩`E~-!FҊ fǀ͠Iuh9CZ\^|ѶOOD*ak.[ \ No newline at end of file 
diff --git a/variables/secrets/agenix/wgServerPriv.age b/variables/secrets/agenix/wgServerPriv.age new file mode 100644 index 0000000000000000000000000000000000000000..9e4a347fc21dcde0922c173cd32798fe0e7f0cd2 GIT binary patch literal 367 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnH7?GLbX4$m%r`1? zi8QK;@b?bz_qFg1DK0WG$ka}*FbOa%*LDkc(Jze*OD;%r$>(x33N!HVHmq>WF*9@u zjP%dS_lvafOUVmQj*3dGC~~)`@^cT-uPSs33PrcgtIRLkr(7Yb$T_T(J(PH z#mUvc-_pA(sw5||!ZgP(*et>|Jef;ZS63k~pe!n_$kfdvtuQ3p$HK3~*rdSMG_|bC z)hNo+&@Is*G|wfnGONw&c1es;WmjEp%7tE4U{_UE{VlOcxW>}qt?B0P zTNAX*HCyA?bw_70EV*#o^Ma@U-stTUf{Ww?{xxf ssh-ed25519 /ZcDag 7KYEycha4k8XapsUdObvvuDRJ0NFhuQD9mIStgcGUmU +CVBQlNhrviAUVZbLQdFwTgX/kw28P4kic1hbfGTNGHs +-> ssh-ed25519 GKCTHQ ZFT60A8kpAGl97DOHvEDpe50eLlL4POSuGD+Rjjma2w +VMG0fmwRecJTRnKo6DIrAiXheHPonDeX1upsehtf9y4 +-> ssh-ed25519 BctzVQ WlxIEZPFAKi1nD2wxyZ0i2uuMOqFQStDaA/qPsRabHc +rkU3dmMyMQXbDfrmUimCVSFRWTtgfsq6GlCOzzE5q4U +-> ssh-ed25519 ft2jqg EnTAY36wZTE5CYMS/O9KZB7QL2r444F2a+KZ70CEJXc +U54qJTJMNFd70qPO/YRcB/I+LqiFYnv7qJ3DujH6xwk +-> ssh-ed25519 m6WZAA t11cOv2J2xPYCiFuwS/WAAR9sq/K9Yj6+I8eRyQM6g4 +o3382vvwCnrIWyXFFaNDnFtEpbYJ7k6myfrM+aoyUnU +-> ssh-ed25519 ZUFK4A SBejT9+GAMNaps+Q7Bupo0FehBAsRDAGz5nimJ6QvxA +WqZvPqm1+TgKK8Mrbh9w9I4RUyyy5l36AKGPeQXaBlo +--- wekIr1ZsI+b61xeK+ueUfs9e+D2wF0ewltiHJWaLKzA +A^uJ+-P/e +|/K'"87tn9|V Kw֦ċjjZWR \ No newline at end of file diff --git a/variables/secrets/common/default.nix b/variables/secrets/common/default.nix new file mode 100644 index 0000000..12a2a51 --- /dev/null +++ b/variables/secrets/common/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + age.secrets = { + # User passwords + jimboAccPass.file = ../agenix/jimboAccPass.age; + }; +} 
diff --git a/variables/secrets/default.nix b/variables/secrets/default.nix deleted file mode 100644 index 7452a13fe40fa6f183e408f23ad2c563cc59859e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2237 zcmV;u2txM&M@dveQdv+`0JxSES9EB}ZzPXwM&_n8BFnjEEJcQJW{7<#q1&6eU@ws$ zoDiXMAZH%=@f@T4`mmo0bWIW3UahrQ&ikMY>NjAzW^rh8tv@vRQHj^wy1=rERF2ME`b)>I=QZ$=xCCLWE|`&w{;Yh z{G>JENjdw11O|{B=Ir24zo(dQvSM03hvw+osP>ZIJG5FE?`evO0NCQx?YH5!vhb4h zg4!Wf-*F~97O_#9H0!L!mufxWA^i(7EHs^>Cy1Va*@jHSStC2RNqVl7 z<|5BHK6h^M_=J^ytp<+&*N^SFjd)vOs*hgFhVhrzE7^GOwv3fRX00#~+O z2^5^nA7b39tqHT4`Tu?e-BE4|)On}ljOeA?-FX+ma|{qaWXhyin}%NHc~zm;hi5gN z@3_D3YBDMZ_766nB_NG2oX9V=AmH-&#TVsgQdwbakp(?gSJyK@JW_=VT8g6y*w0o3 zb8Rn1H_w+*xXC84-kJ*8EZI-druGU4B}*XHFSIkHdecqF!xR-$U(^I5>DOId^WUHj-MO*~^*dkT^7fjI-}u3e3>?HcCmW6)qtb*|K+psSsg*I3}tWYAj9oOM}9{ z*EZrfd!+5^)nE`o2F6}J4bWH1_ZMt+eztJp2U!h?aNn^FRZ*YHv+l;9lYNOd9Omf9k|=MdJrZ5Sy7k3S{?Rou(k6}=$K3RSaj$5R zF(a5npeF`TFG?4k{R>@9NQvqfoVWcbYA1AizYD7W7OXuHWOg$Z=e;~CTBr5ru$9k zKpoFv)N|JbdNYO+s=WR#o&5`NLL#*CG@KvcoTz6$w@C8p)hRBy|o^iCTvZ` zFOX$-NlYquZLCUHClFV@GpaAE`}sNqn!eXqII*hnbIP9_cdq1uK2#%&bz3DTOi}fc zJWyh$=`G0jeA+uNc+^J@{V6*9%@#Gd>d|@l97o>lQx6KHkGtR0` zoJPOVYzZ5ZsIl~0Oc#=l< zoN3<;*qVFpwDw?V41;wfzBys#0bIy2w7l6bmX}}izA||*L}k^>N0ru_FLjdoag~WS zt*?~?chw}q0#qt~LWu41BrtR;XSJ3UK~`VpeL{Ttx1gs3^dS5={{r6doc^&K zO8AV|3eT4j-Wgup$dr$D3u#>@+t1c!5#iU=T7U8pv0uqo0Wfk@^MQHPs|D2LZTrrA zvi6GL1yUvTK5xj|uf3;iDobYLC6@^=xGv0tY-zjf?VNPmH?5W$M_d_aoW5v&*X^rK z5aNp}4HmPepTg9GMAEgl)rB#|+bU|R5f;xKv6w3kRK1vujCvs{SvEGZkp=u6U!Oon zrVZmLU9oU@HnqfE06yl}Vm>=?hY+8^*&6~v%*Nwak~(SAXYv0fZIdo}p-6yV2ba^( z%7qJ@n;V@o9~^qSdC9~I}tEH{%e4Lo_+i}tJ z;;fh=Lkfw@xrk6VRq&Y=AawXKYBXcjgfY`%4R&6Yo);?+@<6|4L;PH2C4fP#C$HRHI@x4~i zqA<$jB1)CIMaAO9yNOm(4SL-wi4oo1zB)i^fT{z582bUMIWtLiQYoi)z!H=%cQKGd zou3iOD@BTvBqh&-Dx@iW*7eElk??@`GGEs=)!C+I?!|4x`y{6aAsCy&ILF_Q(sZPc zU^~qxK#A&KY{#LCp98`cH{{bHck-KFl0XV_kakj-cc#Eru{vQ-mN|VrXl&|80$evC zOvS_8g4r*Yb<>hfq68bH37?2Z=SR}boL-LNP04J Lf9QgZF9o4aMl(x0 
diff --git a/variables/secrets/pc/default.nix b/variables/secrets/pc/default.nix
new file mode 100644
index 0000000..8f6daf3
--- /dev/null
+++ b/variables/secrets/pc/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ age.secrets = {
+ # Wireguard
+ wgClientPriv.file = ../agenix/wgClientPriv.age;
+ };
+}
diff --git a/variables/secrets/server/default.nix b/variables/secrets/server/default.nix
new file mode 100644
index 0000000..2a3fc05
--- /dev/null
+++ b/variables/secrets/server/default.nix
@@ -0,0 +1,27 @@
+{ ... }:
+{
+ age.secrets = {
+ # Wireguard
+ wgServerPriv.file = ../agenix/wgServerPriv.age;
+
+ # Passwords and keys
+ matrixSecret.file = ../agenix/matrixSecret.age;
+ pixelfedKey.file = ../agenix/pixelfedKey.age;
+ prismAdminPass.file = ../agenix/prismAdminPass.age;
+ icecastAdminPass.file = ../agenix/icecastAdminPass.age;
+ icecastSourcePass.file = ../agenix/icecastSourcePass.age;
+ cloudflareKey.file = ../agenix/cloudflareKey.age;
+ transmissionPass.file = ../agenix/transmissionPass.age;
+
+ # Email
+ noreplyMailPass.file = ../agenix/noreplyMailPass.age;
+ noreplyMailHash.file = ../agenix/noreplyMailHash.age;
+ jimboMailHash.file = ../agenix/jimboMailHash.age;
+ lunaMailHash.file = ../agenix/lunaMailHash.age;
+ cornMailHash.file = ../agenix/cornMailHash.age;
+ tinyMailHash.file = ../agenix/tinyMailHash.age;
+
+ # IPs
+ cornIP.file = ../agenix/cornIP.age;
+ };
+}
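Review bot: Every entry in `server/default.nix` sets only `.file`, so each decrypted secret gets agenix's defaults of owner root, group root, mode 0400. That is right for paths opened by root (systemd `EnvironmentFile=`, the mailserver's `hashedPasswordFile` entries), but a service that opens the path as its own user — Mastodon's `passwordFile` from this same patch is the first to check — fails with EACCES at start-up. Set `owner`/`group` (or `mode`) per secret where a consumer needs it, e.g. `noreplyMailPass = { file = ../agenix/noreplyMailPass.age; owner = "mastodon"; };`, and since `noreplyMailPass` is consumed by several services running under different users, give each consumer its own secret or a shared group rather than loosening the mode to world-readable.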