Agenix secrets overhaul

2024-10-28 23:24:12 -04:00 · 2024-10-28 23:24:12 -04:00 · 55dcb2fca7
commit 55dcb2fca7
parent 83796f7cb2
56 changed files with 530 additions and 137 deletions
--- a/variables/secrets/agenix/cloudflareKey.age
+++ b/variables/secrets/agenix/cloudflareKey.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA khyW35trVIvCZHYB5J5vAdzNParttdbTb+Ycl6SaW2s
+0W7fSM1qoI2BbnbOuN9OHk3hcXwWZ2cgi6sme0TBx9Y
+-> ssh-ed25519 JvNkLw wdflnJ12VIbRRNbEGFW0LE6WaB/D5/G2pTEs3AGhgQU
+N6KU0GMf1wIGRBJLVU5e1WcLvUEWk63Lr3GzpaojNgs
+--- 6u2vl9lBq+MGbFb39wRyoeMyBOxCPGyO0iXeV0wwaJw
+@oŒ³¬µYÙ¾bëIw8ÜŠÔ³?-
Ÿ‰}½R›T¼ô/ŸÈZ3ÎÓøÑ¸kZR=Ë®º¢Ú+z†*XøÀ¸f0Ób
--- a/variables/secrets/agenix/cornIP.age
+++ b/variables/secrets/agenix/cornIP.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA CDmBLx1/+kPZXI3LqmJvAQOXskG/t40avr+hiqyQzhA
+Q/5PDnyjxUQbCxHjluTETYTAi/zO7G0NvfSF3XEYinA
+-> ssh-ed25519 JvNkLw V5FGN/1W9CEf3RT/nsnGiiJdOTsvDexEef+72f+Z0Ug
+u1hSg+t4qO/N1Sw4t85/9qGt2TqlPDmujZoGOyMgUxY
+--- 9NdLKkW30o1WRVCA0dI0vU1kNnvO2uEC36rOIbJ0wlI
+ì¥ÙFè£SRR}–Æ<þ"w«{Ÿ°p@·I¿vJ|vÉ}œç1ü«Û
--- a/variables/secrets/agenix/cornMailHash.age
+++ b/variables/secrets/agenix/cornMailHash.age
--- a/variables/secrets/agenix/icecastAdminPass.age
+++ b/variables/secrets/agenix/icecastAdminPass.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA fPD79NPMvwiL+hHk82IieajJa9yvH649bDMGmYREExM
+Ju4a1ciZS7J/OSW9puFKnLX/oXjkOg+PwJoEjRLKlYA
+-> ssh-ed25519 JvNkLw Pd7sCRAL6tmDvqEmuEcu0ciduOWqgD4/Ov3EwEneWxc
+9/w5dGjJOMeT624ppz8UPX74McDNuOrr1siu5DR8S/g
+--- b/FkQytFLY9xK+oyqe1Cw60y24oL9Z9w7F1OusI52o0
+D+ÀvÝ	¨†rhÉê|
+«vkò(”ëyâw+ÁBSÝžý<C5BE>„²L«ˆkAF3¾‚yúÞ$T›l±p$ù
--- a/variables/secrets/agenix/icecastSourcePass.age
+++ b/variables/secrets/agenix/icecastSourcePass.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA PBcCxs6ilNvC/GpVaduXRioMk/XaZtvwkTtBhILLhH0
+k7LzI2vYBumEKSQ4D08nNv254ffhsJv5bp491ViWN3o
+-> ssh-ed25519 JvNkLw M3al6LP872JEtRZABFRUDAq2lVsGjjRueDSchC0s1ms
+01N62bVOVqq5YHQSsBO0bCcaBgN155AZ05vp+19Hrvc
+--- CVPFAJml7cINyE9tisp0eHsZgCSfHbMVpQV49knXiRs
+zHRðîÅöÐZÏßóÕœ73õÙÑ4Ž‚&ìu	5r÷Þ>}jhÛ=Ak=C’kº³B¬iæÚl(`+ß,
--- a/variables/secrets/agenix/jimboAccPass.age
+++ b/variables/secrets/agenix/jimboAccPass.age
--- a/variables/secrets/agenix/jimboMailHash.age
+++ b/variables/secrets/agenix/jimboMailHash.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA nIhCitDd4goQvfnvggVnnP4bPrnxgEMVhwJNPd3hZnw
+hCLbjL4kL+f1TobXASLRAPsHweXy+6vBvpUyP7RnURw
+-> ssh-ed25519 JvNkLw HFjvkJMgtN6ul3N4bIfNwWC6PeNFgeNHILSpDzbF/ig
+Z5EdHAr46sF4bSR5S4HmQZz/hHX84qxnxYRr7cO7dog
+--- F7kG/ZHu+w9Gnnp8Nw6g49+LI4/2tvt8BKXO/mzQcWY
+éN,Œi¼l±²ÐZã1Ë¾g`ž§Úe<‚›×d+Yr[
4ÃŒo>ŒãÞßL…%eÅ-ëò%£æ?Gø±£Å4ÈºdšK3e<>ìñ>ŒÎd›}t²*±)“$Fî¨z
--- a/variables/secrets/agenix/lunaMailHash.age
+++ b/variables/secrets/agenix/lunaMailHash.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA 4s2R+OGOvJpMnquk2lWYOwLM4lyfyjKKfBMAR/DQWUM
+l/ZbXrLnMy76ReqFdgbXb4UyGmPTf1zK5yHccFabTqs
+-> ssh-ed25519 JvNkLw gNXQz/QABqMnaHrgSqqzhxZ73TSpzBXkPRyuvWjVN18
+XVx2GT7wrE4yclT8Ana9fBMT1dd1eMCVAZB8e8ibX74
+--- Y9piO/cFEvSLbO4ZaRrNLP7R9Ep5pRAfP/fUSgTqrRs
+é¤7B¾û©Gi8êÄe'ËãÌ‹Úœ)“‚6ÏàÜ¸°´+j<>¾b]»
Tbâ0ÉÞÊ•£ AØVÍ¡)Xùw‹Ê=<3D>æSgËv^û[/å Åš’a8Ê¡gïÁã<C381>
--- a/variables/secrets/agenix/matrixSecret.age
+++ b/variables/secrets/agenix/matrixSecret.age
--- a/variables/secrets/agenix/noreplyMailHash.age
+++ b/variables/secrets/agenix/noreplyMailHash.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA 83WwnK1TjVZv5/YQfvHBZk6nZIGA+m1U078+Y+MKUGw
+Oq7LOdyHnUdYb6P/9PI/D2q9XrEaYTBNPfaAS3xK9jw
+-> ssh-ed25519 JvNkLw b/lUmtQXSBYgMc6YHHD7vwBdAHnLcv/WRdZudxmhrzw
+1rxu0ZZ5lqPUd7acjPv8z0cxJOPSgVp9PaC5w25MRoE
+--- RVHHph3SEe1dlHCHDVnjmnuBEqNeQXuXA82TAikh1AQ
+/ ïÆød~šwöÈÙÃg~¾8"Zw<5A>äÓWèlVŸ+ø´êŽ¨3(Kg³%ö?#õ‡QÁ<51>Ñ$¤=H	GªH:(|_ä¨s7¨L0Ù¤èÛ(›¡_{ßúqv&
--- a/variables/secrets/agenix/noreplyMailPass.age
+++ b/variables/secrets/agenix/noreplyMailPass.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA 8Hp6x3Kv9dAdm8xoYfg2J2EVrZcUMZth2Db+OCOHrW0
+byOSmkKkT2204RfTNVAzv70ojTmU2nhsDRYCl6dGpuw
+-> ssh-ed25519 JvNkLw oTZ7j76JP6WjEUMFqXTY4SaELWIT7CgrToebhuoLUAA
+0SY4EH9UpxRAWDEHVoGcIux//t6K6CrW/Y/jp+T1xHE
+--- 7YjhlVqRia++HUg7tRcGjMGMvAY3b26ygh5DgGjTR/w
+eÃ©=¾_`RUNØjÀVH¬ó‹äU¡„‚š›Çg¿nÝÛû‹k“M÷Æ„)J¨‚ S@iv
--- a/variables/secrets/agenix/pixelfedKey.age
+++ b/variables/secrets/agenix/pixelfedKey.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA NdClQEJBUiVogrX42OHzaM1Mb4rUS0MKfUvYoG4Y7Rk
+LY1AQc18I2jYRBGDD27M6OBVswYbdozYl0EIQ+R7r6E
+-> ssh-ed25519 JvNkLw xVrNR1PmTJZqmZEUeb1pF9rAaeIz6ZTB6PeSNk6yA2Q
+cbMa7O7HlGNa6//6D1Mk/2g0nIJlAzi04fR8CfgFX/g
+--- +KZYx3ghNsfMKJf+UiHrzWwDJnUXJ0bas3bVtN23Vm4
+U(•Ë‘šƒ·Ù©ŽzZjVÿœM~2^
æM;lIšuÙÿÏÎ¨šÍü\7ñeBŒªæ–[ÇR¹nî®…î5Š8Ú?¦(°7RÄj
--- a/variables/secrets/agenix/prismAdminPass.age
+++ b/variables/secrets/agenix/prismAdminPass.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA vRsXOqDJKLJnJ1PDFKUmW1x4GSj5ATHsNpondJgb6lY
+l6hkimymlfKDo5GEXcqtWaUAPN0nNwZP/SBJ7Pqq4aA
+-> ssh-ed25519 JvNkLw CmwQ9XCLaBqRTrUxkUsVb/j0anoA20DJAfyjhWhbuW8
+u4C+LxF9hLBUdMBmBexk9jbNrFM7c9kjg5jxh45ARco
+--- z7DgZANbdh8CM7HWb4mNnLNnkDFIpPrR60rf5vTtTZc
+ùy'pMéI›æ6Ü‡Ê£9ÎfÂ:V ÃèIMV>9ÚýÏøX;}”ŒÝ¹õ“ Kã—ÓÕê†Ô"
--- a/variables/secrets/agenix/secrets.nix
+++ b/variables/secrets/agenix/secrets.nix
@ -0,0 +1,44 @@
+let
+  pcs = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5gkx+aHESLl7w2LOR/LgzhC/WnXv/mz499LADnZ8/Q"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnWS8gkno+ZIDNDfvux7eXWhtfnz4fqpf6PNLyrITOW"
+
+    (builtins.readFile ../../../hosts/shuttle/id_ed25519.pub)
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7Pnts6n70XTNp6qHxQg5KID6LcUEsz48gOMgPoBe/t"
+    (builtins.readFile ../../../hosts/redmond/id_ed25519.pub)
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9HJATd+rgl0GD4/lZeidqIpQkZ6ED+03MkSKAlaDDv"
+  ];
+
+  servers = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwQhs/J6d2U8ZhwdGEV6Cj59u0Wpi4Bek98R2t1PyJf"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqszkKZQ2GsvTM0R7DSUEehm4G12K6OsZrcRE0vysJ3"
+  ];
+in
+{
+  # User passwords 'mkpasswd -m sha-512'
+  "jimboAccPass.age".publicKeys = pcs ++ servers;
+
+  # Wireguard
+  "wgServerPriv.age".publicKeys = servers;
+  "wgClientPriv.age".publicKeys = pcs;
+
+  # Passwords and keys
+  "matrixSecret.age".publicKeys = servers;
+  "pixelfedKey.age".publicKeys = servers;
+  "prismAdminPass.age".publicKeys = servers;
+  "icecastAdminPass.age".publicKeys = servers;
+  "icecastSourcePass.age".publicKeys = servers;
+  "cloudflareKey.age".publicKeys = servers;
+  "transmissionPass.age".publicKeys = servers;
+
+  # Email, 'mkpasswd -m bcrypt'
+  "noreplyMailPass.age".publicKeys = servers;
+  "noreplyMailHash.age".publicKeys = servers;
+  "jimboMailHash.age".publicKeys = servers;
+  "lunaMailHash.age".publicKeys = servers;
+  "cornMailHash.age".publicKeys = servers;
+  "tinyMailHash.age".publicKeys = servers;
+
+  # IPs
+  "cornIP.age".publicKeys = servers;
+}
--- a/variables/secrets/agenix/tinyMailHash.age
+++ b/variables/secrets/agenix/tinyMailHash.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA 1Jq7nzdZPvhw6McGTrOOZOtQ/LjOpdXTfxPHwxvoW1k
+PmyyuWtzXOAVsZoZzx+s3s9PuN86b/NZx/SLO9Cu+iw
+-> ssh-ed25519 JvNkLw 6C5UjHQPGJuwn63IOX5YmIuHwGU3n/Cs9BPqzgzykmw
+xE9TsPfuRH4Xvd2uyhDyuJY9ajNq9FbYmCTWzTddFE8
+--- G9oWTI+bBQf/Bn95G3C4CEV2bAO/S4fZGyGYnaDaEEM
+°ë3FQÅÂ,<ÈHª<48>$}rkÔ¸•6:i‘øi©²4¡áT0’Z1ØCÝw¨<77> 4G8ëgð-iž‹eYß2?‘<>;ÖK®©JO<4A>ç¹d|ò»3ÞOI+Ëw)
--- a/variables/secrets/agenix/transmissionPass.age
+++ b/variables/secrets/agenix/transmissionPass.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA DjFkxMzBbXups07bIJzK4ODIsAk/bfP8DEV2mFgQEkI
+6i2ofona2MwxuCKozsX48X8Ea+Yd/kaIJCJEYdXSvj8
+-> ssh-ed25519 JvNkLw NmD7NAzm67c5Ads+nA8n7aNeWBhSppmTG+iTMdQ/4Wc
+1XV+cdFOhGkhM9iz6eK2unElDCMz63SCDkG0thN150E
+--- OXUzxk3bvjEQpdIQNbf4oPrPUbY7KQBs9K8QdMvpRhU
+	=ûý¬$j7äóï¨GgI¬Ç_5—4Ýcª…€Âû4Zcy¿mF"y¶%Kž!~âc|ÙufÝXøŽ„$GþÖv¡
+Â+î‰‹ÊÖ¼íÏUƒJÐPÅæ7…½‹ëä- %í©ˆ‚s
--- a/variables/secrets/agenix/wgClientPriv.age
+++ b/variables/secrets/agenix/wgClientPriv.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 /ZcDag zl9Hh/03ChyHbNPUg5Ggn7LWvG2QVQmigSdBiAHdrxw
+i9LUKzWmkdBn0VD5tq7lNg2GPVbvV1LMHOqDeBijS/I
+-> ssh-ed25519 GKCTHQ wShLKgnCwo3+jmjqDX1u4bAbTP3AJVSm4P0SrVsSsUI
+ufAyoYVnzNka44tww/6Miqk+9LwqwLT8GP2m8VLHpxY
+-> ssh-ed25519 BctzVQ sIlr4byLpFH9Qo96gxOKqhhXp8A0wP5WPjMJXTFeYFE
+HSX5mL4+PeSvXX+LwxC3WvSw1EfZFCWazwq4QSKOcYY
+-> ssh-ed25519 ft2jqg Y0SiMwU2T2WhwD8EBLQNHhbWp3ltYKZOgpSwyMbDtF0
+Yjfu+/CtJ+ybyoq+pueoY5Np/SiD7lJHJoBLmTnsAUI
+-> ssh-ed25519 m6WZAA 01h6eDQ6lrpZnaof4DbxMEde8aDEbDkIV86I2cyzQGc
+dv401nIANBXWzEA2/MgMZpbagAys5nJPxJqdbv98v10
+-> ssh-ed25519 ZUFK4A J0C4YC9eXtMh/wnUY/OfNlyhIi6oMltBWkaMP2ECT3k
+a4SL4cbI3oJpmILt1vN2E7yy8PBhvk88pYuhsHRx9b4
+--- 1uXOqr769IAt4zPnAWiy6r1oh9bf/MKwZUJn0Mfzb/I
+’|S÷¥à4èŽcií<
+ë¸ƒ<15>€å>§vÄ@ÁÿŠ´~Ä,+<2B>£×w[Y>¯,’—Qf›ó»RÀ/²±e|
OñLËøç¼\+¡q
--- a/variables/secrets/agenix/wgClientPub.age
+++ b/variables/secrets/agenix/wgClientPub.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 e3smYA mRlVqaa50qM+f9Nhoy4wRumpweW/YnTXm1Q4T//ELVI
+EmH08n178gsOdur6TwLnwx+YAYfq1zesGrI3/tQut70
+-> ssh-ed25519 JvNkLw r7bS24QCTg+QN8mDEc+fBkH5G19eYYaHQzNZLekM3U8
+imhQJJdwJmEIDABvkazDT/khxmADfmuDaz6zi4SxJw
+--- ZDa/qnfp6naVMNo+xCNQgeVT4te78T6dkYPUVTacvpc
+Æ™Ù”ï%ý•Ÿ^Z€æ¾©`E²´ý~Ü-Ê!FÊÒŠ¯œ¤¿ fÇ€ïšØÍ ¾Iu<49>hó²Æ9¶CZ\…^œ»ë|Ñ¶OñOD*èak.[
--- a/variables/secrets/agenix/wgServerPriv.age
+++ b/variables/secrets/agenix/wgServerPriv.age
--- a/variables/secrets/agenix/wgServerPub.age
+++ b/variables/secrets/agenix/wgServerPub.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 /ZcDag 7KYEycha4k8XapsUdObvvuDRJ0NFhuQD9mIStgcGUmU
+CVBQlNhrviAUVZbLQdFwTgX/kw28P4kic1hbfGTNGHs
+-> ssh-ed25519 GKCTHQ ZFT60A8kpAGl97DOHvEDpe50eLlL4POSuGD+Rjjma2w
+VMG0fmwRecJTRnKo6DIrAiXheHPonDeX1upsehtf9y4
+-> ssh-ed25519 BctzVQ WlxIEZPFAKi1nD2wxyZ0i2uuMOqFQStDaA/qPsRabHc
+rkU3dmMyMQXbDfrmUimCVSFRWTtgfsq6GlCOzzE5q4U
+-> ssh-ed25519 ft2jqg EnTAY36wZTE5CYMS/O9KZB7QL2r444F2a+KZ70CEJXc
+U54qJTJMNFd70qPO/YRcB/I+LqiFYnv7qJ3DujH6xwk
+-> ssh-ed25519 m6WZAA t11cOv2J2xPYCiFuwS/WAAR9sq/K9Yj6+I8eRyQM6g4
+o3382vvwCnrIWyXFFaNDnFtEpbYJ7k6myfrM+aoyUnU
+-> ssh-ed25519 ZUFK4A SBejT9+GAMNaps+Q7Bupo0FehBAsRDAGz5nimJ6QvxA
+WqZvPqm1+TgKK8Mrbh9w9I4RUyyy5l36AKGPeQXaBlo
+--- wekIr1ZsI+b61xeK+ueUfs9e+D2wF0ewltiHJWaLKzA
+äïA^uJ+¹Ž-èPëõÝ/³eÖå¨
+Ÿ|éË/œŽ<1C>ÃK'"87ËýtÔnä¢â9|“â½VKwÖ¦Ä‹j–jð´ŠZ·á¼W¥²ñR
--- a/variables/secrets/common/default.nix
+++ b/variables/secrets/common/default.nix
@ -0,0 +1,7 @@
+{ ... }:
+{
+  age.secrets = {
+    # User passwords
+    jimboAccPass.file = ../agenix/jimboAccPass.age;
+  };
+}
--- a/variables/secrets/default.nix
+++ b/variables/secrets/default.nix
--- a/variables/secrets/pc/default.nix
+++ b/variables/secrets/pc/default.nix
@ -0,0 +1,7 @@
+{ ... }:
+{
+  age.secrets = {
+    # Wireguard
+    wgClientPriv.file = ../agenix/wgClientPriv.age;
+  };
+}
--- a/variables/secrets/server/default.nix
+++ b/variables/secrets/server/default.nix
@ -0,0 +1,27 @@
+{ ... }:
+{
+  age.secrets = {
+    # Wireguard
+    wgServerPriv.file = ../agenix/wgServerPriv.age;
+
+    # Passwords and keys
+    matrixSecret.file = ../agenix/matrixSecret.age;
+    pixelfedKey.file = ../agenix/pixelfedKey.age;
+    prismAdminPass.file = ../agenix/prismAdminPass.age;
+    icecastAdminPass.file = ../agenix/icecastAdminPass.age;
+    icecastSourcePass.file = ../agenix/icecastSourcePass.age;
+    cloudflareKey.file = ../agenix/cloudflareKey.age;
+    transmissionPass.file = ../agenix/transmissionPass.age;
+
+    # Email
+    noreplyMailPass.file = ../agenix/noreplyMailPass.age;
+    noreplyMailHash.file = ../agenix/noreplyMailHash.age;
+    jimboMailHash.file = ../agenix/jimboMailHash.age;
+    lunaMailHash.file = ../agenix/lunaMailHash.age;
+    cornMailHash.file = ../agenix/cornMailHash.age;
+    tinyMailHash.file = ../agenix/tinyMailHash.age;
+
+    # IPs
+    cornIP.file = ../agenix/cornIP.age;
+  };
+}