commit 5d82893f9beffb6289becee6d7219bfde7f261e1
parent da71d81d257a2c1809eb1be646cc66041012407e
Author: Katja (ctucx) <git@ctu.cx>
Date: Sat, 1 Mar 2025 18:46:55 +0100
secrets: finally some logic for secrets (and cleanup)
14 files changed, 184 insertions(+), 306 deletions(-)
M
|
250
++++++++++++++++++++++++++++++++++++++++++-------------------------------------
diff --git a/configurations/common/syncthing-config.nix b/configurations/common/syncthing-config.nix @@ -25,10 +25,6 @@ let }; enabledShares = { - blechkasten = [ - "Blechelse" - ]; - briefkasten = [ "ctucx-music-orig" "ctucx-media"
diff --git a/machines/briefkasten/syncthing.nix b/machines/briefkasten/syncthing.nix @@ -8,11 +8,7 @@ let music = "/nix/persist/home/katja/syncthing/Music"; pictures = "/nix/persist/home/katja/syncthing/Pictures"; media = "/nix/persist/home/katja/syncthing/Media (legacy)"; - bahn-richtlinien = "/nix/persist/home/katja/syncthing/Bahn-Richtlinien"; - blechelse = "/nix/persist/home/katja/syncthing/Bahn-Blechelse"; - cutieshare = "/nix/persist/home/katja/syncthing/Cutieshare"; - wiki = "/nix/persist/home/katja/syncthing/Wiki"; }; in {
diff --git a/secrets/agenix b/secrets/agenix @@ -3,10 +3,10 @@ set -eo pipefail tempfile=$(mktemp) -trap "rm -f $tempfile" SIGINT SIGTERM ERR EXIT +trap "rm -f ${tempfile}" SIGINT SIGTERM ERR EXIT -touch $tempfile -chmod 600 $tempfile +touch ${tempfile} +chmod 600 ${tempfile} if [ -x "$(which bw)" ]; then privkey=$(bw get notes ea70a317-7cac-455e-bee0-7c97d7505a7b) @@ -16,8 +16,8 @@ else if [ $? -ne 0 ]; then exit; fi; fi -echo "${privkey}" > $tempfile +echo "${privkey}" > ${tempfile} cd "`git rev-parse --show-toplevel`/secrets" -agenix -i $tempfile "$@" +agenix -i ${tempfile} "$@"
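Review bot: The `$tempfile` to `${tempfile}` rewrite in both hunks of this script leaves every expansion unquoted, so the path that holds the decrypted age identity is still subject to word splitting and globbing; braces only delimit the variable name. Quote the expansions, e.g. `echo "${privkey}" > "${tempfile}"` and `agenix -i "${tempfile}" "$@"`, and single-quote the trap so the path is expanded when it fires: `trap 'rm -f "${tempfile}"' SIGINT SIGTERM ERR EXIT`. `mktemp` already creates the file accessible to the owner only, so the `touch`/`chmod 600` pair is redundant rather than protective. The private key still lands in the default temp directory and is left behind if the script is killed with SIGKILL, so a comment saying so, or pointing `mktemp` at a tmpfs-backed directory, would be worth adding.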
diff --git a/secrets/blechkaestchen/syncthing/cert.age b/secrets/blechkaestchen/syncthing/cert.age @@ -1,26 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTnRRYVE1T0w2ckIvY0RV -UGRlOEl1Sm5UenR5SFl3ZCtMcFZGOXhOMm1jCmQxa09UMjZHRGZSd2h4Um15SXRN -OFNMRTJwdCtEYTBZcjkydVBteG1Ia0UKLT4gc3NoLWVkMjU1MTkgOUllMkZBIHQ4 -ZytYbjJyMm1IV3BxemJzaEtYazRNMWtKNzhTNmxKMUlYWjI3amhjR28KRGJmMGUr -L01RZ3g2c1h3UUluaXRqN3RXRmhlQzhxTmdhQTRMbnVKK3orcwotPiBlOyFxVi1n -cmVhc2UgV1AKT0dEcGVZR2d0dWdSdElpbTlrWGJ0WW8KLS0tIFB4TkU2cTBHTWUw -dWxOVEY4NWg0WWprNGM5R2tmNm9WNDFQcGNtd0RoQzgKuBgQJpu3qSwVKG5c8avJ -1EVhwQfa2eSpngCfcjfv5HgcYlmyBn5qUT9RyHXTDGiyiRLsesRYWcS7kI3Xim2Y -4kxR/32OfeO6A0Mrlx0c5WA43CgMjG8rEDEdZVLkbyXHzmopEXcgq/USRjYdE5Y8 -j7izeyKgWhd/YC/XzsdO99sH1jyvvLsPD1um/fed5O29e6k46EgoP037KFcJWQ+E -Iz3k7th6n4QVF4A8RRAcfqb5dFZroXiODuZLlXNDHeokgHW/aQ6kVpQChhD3E/GB -I5fAyIl2er5pMUwCyxL5owoWkq+gCdbDj8J84o8Jy7dUj/AHCwDRz4AML091OPyQ -iT8FrY+U48XmJSAGVky49QXUBtr4x3kYy+fCo+aHqGn1xzz7BCkGj/R/iSY49u5F -VPx0QAynFPNYGdlIqsACE0K+XNxHCpvBoQeR2tpMrV+akv8299UGJiFpzA2Qy4nB -5zw+ekXx3gfz+C88IC4tuHtwP4DyTWXIOn9VdAkT5+SaO6Y3O0ab3Qp0PRbYYa/d -P6q+UeSnA9qmGFd3ZSbmVH4GmJfAuuYAP5OTeJ2mDBZlZJKqdNXqE9WGlM/3etFJ -GWMSkXu8J87NSOjej7BOO3QdqzourS4LriE+8/9etRn3g8d4QihO8md917RBG9aL -jawopfmSexRp4M0inEJqgehDQ+pGnWxfDUYovEMUy/u8gNoxIyW/DjZjZo0OBhPI -QfHV+TVnqCeW6IQaBc7x1ASg9pOykHNyOHoY2QyZRQiIJODnoj/knfOh9PXe+QAb -Avu3R+xvQUonNeb6TW28PV/ig+t6z91ehg04kP/lrYVeAuOpnSZGPJnJJCS6FJ0j -ImYKy7wpDaT8xfhENu/0g98bRP2UZojQferJ73jiL5YlEw8+0bqUezBTXwx7x8p+ -u7ZHpv3u6fgYLmpKmrWqjHSl5E2F/xXi/xZaXwqyyPb+5k7/pQBBD7kSdThASqtJ -O+9wO4CH/+kvX4rKRxHnCl5A+ZlXa3NlJBRw1aHqe1SngZXU8pwoaP+J90Xnvb/e -faSpFtEOhgE9pswfux3URlDK/a2CdIbbd4DMGfQzY650Bm/Tj4rZY+Nh ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/blechkaestchen/syncthing/key.age b/secrets/blechkaestchen/syncthing/key.age @@ -1,17 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQW1zRkgwQ0tnV0ZpVWpi -MWJ0bStyZkhFb3labUwzUnNwbjlVZHV2QzJjClA3T0dNQURMUDkrOERaT3RxQ29p -Q3NPeUFSVGVMSUF2enlDdjVXUVZKZkUKLT4gc3NoLWVkMjU1MTkgOUllMkZBIDBo -MUFEbGhrc2N5c3ZpbjhDZTBDdXpOOUdoa01wRTZ6OGIycWZzV21DSEkKNkM2SSt2 -Q0FLNERoMEg3eU4rSW1PbTkzK3V4SW5mVnY5eXNrd29TcTJzYwotPiBkfC1ncmVh -c2UgdiBPWC1rbiBgVlFUeklsIFFqVVJlJ2NcCkRFaWgyVVFlZUZKSXh2TE5XN0JD -WUhyaDAxNlpCNjZ1M2JuWTZVMmg3akd3c0pRYzA5cUpkOG01eGI0RW1PQncKS2pz -Zkx3Ci0tLSBCQm1kRkwwVUFZelJqdnVTUDBrNC9TSWpCWGpLK0RhV3JLKytLMjV3 -akg0Co9kHvODM+jJ/7gP8FkMfGa90t8v2v9O82pK9qKkQqUfLzz09KNhQ9KmK2kj -skXdl7BNdwCy6/iht3akTgj3GekrqHyRkwFvyAOuBofTWGS8UO+Geng5FNLwEv9w -zGs1phBK92XdjkPU8/1rlqZPCRJfm26Te7s4iZLZFr5vL1H7F9bxuIpkRi1mbuX/ -a3ZF4WtKam+VBfM+dbXHxagJQFtNJkV0Buq7H1neDY49RxuR28KZTdh61b4GykBk -0Hg31iZu9vQDjCnaMY0ZRJ+nOklsh3lBAkLO6luJCeQdQHUYheD4KbI6NV6AkKuz -FO+KRy/5/b0CVXExNZDY2JaskZOxn79zNuOEA0Y7R8EXu0gyF+/4woX0+GHGZBig -vWCZ75wYyh01mQtD2HGrFn+eUoWK8HZiCLslq+eKeqy08xI= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/briefkasten/restic/syncthing-blechelse.age b/secrets/briefkasten/restic/syncthing-blechelse.age @@ -1,13 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RHpYd0xIcUE0VngyNFFn -ZHBSS3JtYVdmc2psUmgxeE95SnRCUitEN3dVCkxRQm5IVThUVE9PMURvSlVHenRZ -ODJqd29YQ2xpVVltS0VkRzVyNHQ1eGMKLT4gc3NoLWVkMjU1MTkgNGhLQ013IGtC -L0UzSEluN3dyYTdOY0gxbkFUdkJFdHp4MVdwVXh0SU9KQktrTFY3UUkKdFA2aDA4 -VVdObUV6TzhKN3JLZzVuNnQ2aDNCclJuQkVVVHFpNmRrQVF6QQotPiBtUy1ncmVh -c2UgdEwgTjlJZ0VSdWsgIiBGCk9rOTZacWJtOHNhK2tHTUZZRmFJUDJnazMvMHQ1 -NzVISTJGenJDMWxjbkNXR2JueGxLdWlXRlMzQ2FhVndmV1gKbU5qVHZJWm9KOWlY -emhpaTN5R2ptenB1bVMwSHpSaU9Sc3JMRG42QzRIYXFIeGZjZml4aFlUMEQKLS0t -IDlxOUdJZFNMSTZvWVVCUkcvQ2Vlci9ETTFpRHlHbmliVXgwMk5FRHZPQ3cKhBVO -sYbWBGBd8T5nnjCGJwflsUUCV3ICgtFnydxOg67fp5s3X47UYRTWeE6jfYiwlK0N -9kqTkF10ufxhPgDeWqU= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/briefkasten/restic/syncthing-cutieshare.age b/secrets/briefkasten/restic/syncthing-cutieshare.age @@ -1,13 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWENNQ3JtOEFYUnFoMUVV -ZEpGV2xyU2pvUHZHcFdMaVBtUUZrRXNQSFVBClBCcDNWNFhvdldhYW9WT2EyTzBi -STEzL09XY2Z5Q2g3UUJUZzN6cUVhYU0KLT4gc3NoLWVkMjU1MTkgNGhLQ013IERB -WlRGQm9lQ1hIVjZyN0wwNEZ3WWpmc0ZvQXdPL2NFU0tZUW1IWS9peDgKeTdmeEFN -c1FiZW1nNzNWMjY5aERtMlEzMVV4d0t1S0M1MzVNbnRpWjlVUQotPiAyfXt6Xz5l -Ii1ncmVhc2UgejY/VGRFL2MgcGJ1ISB3Z1RHKAprWCsvbkdGVHhpTEpiSXllb3lP -bVlTQnQvcVR4eCt4SFF2ak9wQ2JuTzQwRjVPRTlqT1pWM0xHTHdJcU9CRmtxClhC -Rk5kZDVRNXhkait4TUtyL1Z3NjF5emN0WWZRVVdKYkJUaFU1b0FJaEc1YlU0TWZt -WjlGaFlRcmM5cE5yZXQKCi0tLSBNdlZsQ1I1NnVYaS9DRWZ1UXc1WjNSK3liODdk -Q08zMnBURVB4ajlIamNnCgkHeS4lY4PxHb9+r1KYX0C9Z1W8d9fOcv36s+60VbMD -zUPNKWTVmBmVIB7F9Z+ekyaHqQ== ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/briefkasten/restic/syncthing-wiki.age b/secrets/briefkasten/restic/syncthing-wiki.age @@ -1,13 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3ejdzSGxJZDFFZ09LNDVv -OEd1M3BQUzZrMS9uVzl3ZnUzdGdmcjZQWEgwCndaT091Vk1ETHJHL2NMNWtiVG1m -SFpwNHVTcGovemhxbklENUt4RWVPQVEKLT4gc3NoLWVkMjU1MTkgNGhLQ013IGcy -ZHBiYXkxOVh4cXBSeXBpQkdrcDV0R0oraUJseThHb2h3VGw0VTk1alUKdnVqYUQ0 -UEYyTFVtRlZNS29CVmFxcmhXWnVncGRHbDlwWmIyd0EySGM0NAotPiBZJ3NsKixs -Py1ncmVhc2UgTn1WfjAgaCBsYgpTQ01ySnVUTGIxcVl1bW5TQlozZWZDSTBuWm52 -aDQ4L2duMk9ndWgzTEtMYUc5Um03MFdySklocXBOaVk3QkJuCjhsbUlSZUNHcmFN -NjJLWk1aTGQ2eDdRelhNOG12bmFnMUUxdzN4R0hFdDFMbENtNitPV2hBZTdnTmQ2 -VnZ3Ci0tLSBMenZZSmtURGVOUXFaN0NHNEl4Q1VSblN4cHNGYXMzRjZIU0RPempF -c1BnCp6TM9e/ZBBpFHOzhIWdqH+skNQXlykxOTMV/l1YMb+eyjj2KtnenXElrZ+5 -7D17tN0= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/briefkasten/restic/syncthing-windoofs.age b/secrets/briefkasten/restic/syncthing-windoofs.age @@ -1,12 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0YVdVSkEzZGVibTdzTXJV -ditLdXl5T3lUMDNBODBmZ2lSMXEybGwwZFVJCnR0SWZ6bm8xZEVVUHNmZTJtQ0Rh -YU00NzVmQkh4bXNNZFRZbXV2WVcvZlkKLT4gc3NoLWVkMjU1MTkgNGhLQ013IGFn -SHFaWHBYcmY0OVREZ2dCREFwWmcydUNBMUxrdVRiNGdHUkFIZG1id1kKY09KRGFL -cXQ2ZHpDY0ZuS0NqcThtdElFT1NxZ005NndDNERLVDJ0QlJHcwotPiBvKFZ+QGgt -Z3JlYXNlIHtPdCA8KlMjO30KTHB5S3RJWk9iRE9TUjFhbnZRMmp1bk9qekNvZEpj -MUVDTENTS2w2bnRnQVBKaGRvN0ErbEI3eC9XdnNOMk9lZQord3ROcmphOWhreHNC -VTgKLS0tIDc5TlR2Tk5hNGpzOUVuMThtQW12TXIxeHBXM2k0eXc2Z2s1WElCT3d2 -Tk0KHHLPtDzn2+wbne2+D2vffDioHYTz38KGwjLoJDCvXfIaS8nZfEdHjRkSGHRz -FGKKYg== ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/coladose/syncthing/cert.age b/secrets/coladose/syncthing/cert.age @@ -1,27 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaUljdUVJWmpOdUNEc1ds -eXQyT05waDFsQVBmRlk1cFV5UjhwMVlFYWdVCnlNdGQwUkYrN3d3T0VzRzc3OWJh -UWJLR29yNHo3OE1HNzNhWkFabk9DTm8KLT4gc3NoLWVkMjU1MTkgVkVVRUNBIERk -NkFkdk9BbVpnQzN5TGtHRVc4STZTWUNUaGt6OFVNZUlOSnhLQlVlelUKUTBMY0dU -dVJ5amppbkYvY2hNTGRQMTcweFJST3kxajliT1V2bnNpZG52dwotPiAkL1dkaCte -LWdyZWFzZSAoR1BvRkByVAovMHJoQjRKQVVGRUQxdTRCNjhLM1haZVdDb1ZTQVZk -L3laTHUxWS9zamNTZmhHdwotLS0gQkNqN1dZNnlaakRWZVBvTGpjbUcvcDB6K2tK -MFg4MDZHYTlHMVRnN1Q0OApb5m9Z8KLkd0dAtxH+cG31bnzGnV6cNjiUuPXm8xdB -4/CHkHTkbTGnIyCMo8ykk3E5/J3yKHIKKM+hC4q7bj+qDc7MMYa1YtIVMhzpUSNi -Z4/mYJTS1uHou9P3P/nPc+oUVYQlTWJhFh7BYjW09RMIy+fsjD8RALuZst7pgNZJ -mcUaHvFl0oQH7KpFrRDB1fx1UiORyLy0oX6Q9hxxFST5tuIRTBeNoTBjOf+N4anF -i2mDt61L16mq2QowAgKMp2+h4fKnz6CobH2LWJoP5jWXKiERe98CNZXjKZeFgepf -DwPF7JzUeQc4L7U8S1F4oHIF9tC6hPxM7bLspKFjyK2IPhCdVbUzpWXI5FWPUE7j -pR2dka+mkChCqWaBSD3tdu34chW3EgFbpFJIAXuMPLUM+fGBr+rTI66cDS6zjktV -eVk2DMI2jdyWrkdNRuy/DkfyFYzHyxNha82gH1pL90kSKktOadyfMDwdgV/yY+P1 -VAvRa9sFFteHvmbHO7ypoUN4V6uu2fWLrkG47b+J1SKgE/7nM2clB77kbuIQ5VhU -ytVyhucS2t7HzShVeqhxQREFTZ5ur/kPfhI3raOkQoKK3kwRNLSIaLzWw0/yifRU -ssoSOzKwC/fZWpIZyof5oJGN8lY1hPy09qm8FMYSzNjyX+W8LRB8jL5bovQqh4Pu -xdjVk44YTPXYZuxS/pwpIbWYnG+alLSELe2m90fPMZJrFC00Mzkw/w3RWY6Aw/YJ -NnZ1QAoqJpuz45TgFG7Mc0uhYBs7fFBJpijjD5U7U+p7y2Mb9LjvlQdTdrc8+8g7 -Pzf+dPnxlQ11KGyuEJnYwqclHQXrBqKTD2KIu/6EpSBC7Hi+BypgRvq6IGKeUwrw -ZA+TOd0Jp3/bzbmeg5EPsvIfbxKJhePj0fCyQNBDRQBgBOJAQxdq40ImBBQFC7PR -hlmVVeqwoRfGQtMksEB85StXjFzRpq+VDUVwI1a60XrGwbGIXFibyLZUqTidOPIe -+oaoEqXuCcGYYVwPHMbQ2k0uLriBbVLDusO6slAxrrTAtwuLGtsNMVQ0LaD4haqB -CqMSwqVH5ZbdxoQHzW3hCyHmiKLt0Eo= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/coladose/syncthing/key.age b/secrets/coladose/syncthing/key.age @@ -1,18 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SmxVbkwwcEhqOTVxN3Bs -UXNHdE5nbkRFRWRKNEFqeFU3V1lHM0JQWXpjCjN6ZDlELzRYVmpNbUdwQXdBWGFW -Qjc2ZjJmZHlHRlQ3U2lsaW01em9hZTQKLT4gc3NoLWVkMjU1MTkgVkVVRUNBIGJm -cHpLRGZKVTNPb2ZlK1BSeXN4czNsZk0yclJ2ZzdSdlpNYXM4MmhWekEKVTFGWGFx -azdERjBoOWFpbHdTRFlhSHhOcGZsS3BaUEpRNjNtQXN3ajU0QQotPiBoSiJAWi1n -cmVhc2UKUVk0TmhlKzlZaVNOZWU3dzkvdW1BQ3hKR2JqK2NSYnBmS3ZoYm8zWXNL -U0lMaW9vTkxNMXBFclA2NVRSWk9yQgpucGtCNEFFNm9MVHVHZnhOZEc3Tkg3S3pj -eGhWOGNKQ0VOYUdMNy8wSzluV0R5T0tCYWxORHE4M0R5bzl4WWVPCmNpM2UKLS0t -IHlnNkt5MHZjcGR1RW1mSnF3OW5KQlUyUnpOYVhsdWNOeVBhVVFpeEtLbk0KVVMz -AoIfkm5c0p9XxJ1qPqCxPB2BGd2K6RT7arHd9QiwGs1BFGuK9xzvx5k0hRJFI9zU -c8M5KK9RAl7WouGxCouWbLvBdosJ4pun9lWblA5xyiCUb5wQC1mRh9hE5zSQSNY5 -BU6dfR1k04DZaPR9LKvQjDnCvItBXy+Pv6FOkcW3bI5OOJLWv/Ker8+R3vb4Wznp -a5GckAsVMvK0Wg08K+64/NWCzXButIi01JNtI5Hoae/of/T/z9VOFbFAloGZ6Pqf -WtGJinZiFuwP4Bx26Eg6rr5mGPQ8byGhX/FCrbt48dAXo5fjPGyVoQR+TIqvxnoO -8Ua8BIpY++57ogD8KDfb+zAZVaSkjhLC5GHXytIh0WA4J6OaY7DmlkHVGJgVOISh -/h9fjOs1QtygVZuuAwkd2jzH524nO+HcMDqTyHE= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/passwords/katja.age b/secrets/passwords/katja.age 
@@ -1,24 +1,26 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWOFJKVkRueUVGNkhXaGVt -TUFUNW13Unl3NGl4WFhydkFQZEFtTjZrY2cwCjUzRkRHTnpmSGRSbDZWa3E3OXE4 -akZKcWxnVzdJNk56R3d1bWVSRERrQVEKLT4gc3NoLWVkMjU1MTkgcThvY3pnIHVu -T3R3eHQrWm1ZbGU1Wks2d1FDckJESWdxOCtiRW5QbFRrb1NySkd6eGMKSlY5U0dT -Rlg1ZUx0OGRScmx1N2hES3Q1ekxKK3Q4NVVrSExseXlDQklJRQotPiBzc2gtZWQy -NTUxOSBPSlFWRFEgYk0xazI0NXUwQzJHOERwdSs1VkJaWEhvRUkzWERldGM3ZVVa -ajlhNXJCYwpLeUxFVjFtYWZLc3RwNkpPSnVYWC9RdTJ2L0FrK1lCUzZaOWNOckNU -ejF3Ci0+IHNzaC1lZDI1NTE5IHlhTEhTUSA5akJLeDQrakZGQ3U2TWdzNXN2M3RO -MU1aQjZCVkIzdFh5ODJkdHlyOFhFCk56cUwrekNUTlp5ZnV0U1kxaDFHOTdkVGhY -d2xYa3lTYTE2N0Y2MWRsYjQKLT4gc3NoLWVkMjU1MTkgNGhLQ013IFp1MytrZVpy -cSs0VUZIVXhwS0VkL0xsbkZBVTJLMmJLeHRwdjJQTmZ2R28KV1JabXhBclZleGds -RVFuREVlVDR3a0VSZkpNZVZrQSttZ3ptN3RpeVdoOAotPiBzc2gtZWQyNTUxOSBW -RVVFQ0EgK25EZlduZ2t2Zm9BZ3o0QW5pV3hDMDlqVWZ3UG01OFpTV3kxSXk5TzBE -Ywp3bkhhUFFManRtWGpRNXkwWnF2SUw1WDhOU2REWVV4ekxlK2xTbmNnS1RrCi0+ -IHNzaC1lZDI1NTE5IFNZajZJZyB3YksvbXNFM2hKcTI3YWN3UDdwZ0JpeVVSb0Z5 -MzdSRWp6K0c2UEFBZ2hrCi9DOUpKcW04UXhlYno2akw2OUVNVnpxZnJsRDJEam1K -T3NkUFlzMFJmbXcKLT4gXEBhTmtVLWdyZWFzZSAsU0FcWWUqUQpkakc1bjdkdnFh -ZzRGdFdBcnBVCi0tLSA1VUhGUXVQZkVYTzFQZGtLTHpOWXRiM1hIc0ZLbmJzYk9G -YzFlVTJzcmZFCpDrGYqNksnxW/YJ/TvPlg7IA+UVkdC11v5Lsn2awXmfhCeUnlBe -mdTy9376TI6wjtFx8lWiY4y/0ZqfVmfE4f638HKmujQzC9/wBFPqeZwxSj9aQjiT -t5mn/vANvfQeviGSlJVo0qlPclFL4Ts8HB0et3sebQaTytL4vEU4ApY6hokMkdIp -oRngFQ== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFlpZ1k1USBkZmJk +WC9tOXM4T0g3TklZcXZka0ZRR1kvYXlMTkdBYUtSSUZLaWhxc0VnCm45V1c5aWF3 +UHJVWGkxZnJaMVVuQ1JCdjJVV05jYzErMnhWZ2hhM2o1Y3MKLT4gc3NoLWVkMjU1 +MTkgNGhLQ013IHhZRnMzSVpFQ2ZZMXZrbTljQVlORmhwU2FSUnB4MnNJRUxDUUtV +SEo1U3MKcU9BMklYU3UwdUl6a2t3NmZwYkJxdTJZVVJ0VGtMNGRvK25zL2p6QVJo +OAotPiBzc2gtZWQyNTUxOSB5YUxIU1EgR2ZoamRqbDFVTmc4VjJqTTZxTTVMN3Ey +RW9IZHRXdTFJcmlwVTNaUDFpdwozcTlNcmY2blpXcXppaVBvMlpxRFBSdDNsS0Zi +OVk1MlJnTzh1cjJ5ejdJCi0+IFgyNTUxOSBvZWZRUFFqUEt1TDQvZVUwa0FNYnMv 
+M1lBdE1CNUxFQnE2SlNsYysyRm5RClMraTFhMWxIOE92NDFjQnZTaWM3WjU3anRL +clY3VVMyWE40aTN0SmVDOVUKLT4gc3NoLWVkMjU1MTkgU1lqNklnIGROd3VOZFVY +bFpLWC9Mai9mcHN4NnNzbjRWb0ZDc3BBV2UvQTRMRUpHbk0KQUFpdzRBcUs3UzBs +NHR4MXhFZExDRUFyUkpHTlZCT2RqTzNlTytCRk5LMAotPiBzc2gtZWQyNTUxOSBx +OG9jemcgbXlvRklVUFptNVBscVZFSWV3aUlaRUxTVjVlWDVpaXkwK1ppYVFGUTZX +MAp3b1NaOXFBeHd2NnVjTU4vSVVpZmZuZ2VueXlJWk9nQWI0VGlFbE8xQzRvCi0+ +IHNzaC1lZDI1NTE5IE9KUVZEUSA5eUxXRUxrTi9HcmhVWHhVOVVOcGFGYm1OVWsz +RTlCQW5TTkxuMFFWNURVCjZDUG03U1FEOWFwZHg1WWR0NDNZdEZrMUNKWGdPa2VV +REs0RlhyWUlyWGcKLT4gSltsQCstZ3JlYXNlIDRSQDpzJi5eIFNNZ3owYihkICl9 +CnJqUk14MEdEUVVYRVZCN0tGSnVUVTdmczJTbTFTQys4cGZodnV6Q1pDTUtBR0Rs +Z1k2K1VUKzlRZmlFVlpJYzYKNCtwVy9zUFVSNHBjcnZacGczVEZZU3VTdXpmVmkz +M1c5bGVQOGtPSkJmTmp6TERyeVRQMlJlOEErcHJZK3lxOApJQQotLS0gaVd3eTFy +MkJZZ2o1SXFybkxtL25mbGZyRUJYdGZGcERyamZIUWFIRDFuVQqqE+JBus3mP/Rb +ExDSWtmncGt4ZldyxV/shqBMkV7Pq5JNFR89bYzPyOU4yWKZnEzv+yRb+E6UMjuC +X6TN4oxX5d0imSaEnWZBJYsrO8bTNSuPE5RWbfTwCOwRxfeC05dZtVNNt3utzLnI +DqpFq+HtNlDadoHZrRalVTngy2w/QG5l5GtfxD2I6po= -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/passwords/leah-at-f2k1-de.age b/secrets/passwords/leah-at-f2k1-de.age 
@@ -1,18 +1,23 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5K2psUk4yUnpnQk52cFFQ -bjlqdnE1a3Y1d3lWdk92eGt6bUNiTzNhY3lFCllXampJU3hmZXpCV1hGYjh3NkpD -aEEyRDNheFNTRk92R3NDMkwxMC9WSWsKLT4gc3NoLWVkMjU1MTkgcThvY3pnIHNn -THYwTUxydzQzMk50WnUxYnlIR2Y5UjlkNTZ2dmg1dnJkTGhJdXZnbFEKQ3hPUlRQ -VDd6UXY2bWtMMG5qYkhnK2FxbVd4UzBGcU16SnVUZGdWMlkwNAotPiBzc2gtZWQy -NTUxOSBPSlFWRFEgcE5LdDhmbFpFcml0djZjOVhCZWpqemwrOTAxbGw2c3VJYXlk -NUplejhsSQpON0FtUW85QWJ3MGt0ejBUK0tJNGpDQWc0a1MwZHpjNDVvZDRSV2Fs -Y3pnCi0+IHNzaC1lZDI1NTE5IFpjeGI2ZyBZTFErYnlyS2ZJRWZFUktURHVPQXZ5 -U1owLzRRM2lUVzUvMUhZTUhvRXlzCjV2UnV1bnIrR2lqWFpPV1ZSd3ZKZzJmWHQy -Um5CU2g3UDJMU2pOSDNwZU0KLT4gc3NoLWVkMjU1MTkgNGhLQ013IHdxSUZSYm1j -VkJWUk5PZEY2a1ZpSzd1eDBmS1NhMHI5TVZJUE5rMUk3U2cKSVhCVTg2YnQxVFZB -YjlCRERUNDdvUzJvK1NTdzRkOFJFbHhEV3llN2pRWQotPiBiWV1dLWdyZWFzZQp4 -blZySnNnaGp5ekFYN1NiUUFKV0g2aUZGRjhFOGUwY2dLTXZoZ01hdVpmaWRSeXAz -c2N5NmprMmNnCi0tLSBrUEpTVzBLZUloMlNuZStrN205dWlqcFJteHVTYlJlZXlD -YzdhM1NlUEs0ClqlTiJm0VEqoqdXcDoBTsOAvwOuctTy+xI2OE/hJtgI+396VbWN -bGxuJpO2Fq+zXRA= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFlpZ1k1USBGWVFx +RStlbzBaaGMvakVxSkQ4VW93UmxkQ2RhcGdTQnRpcjM5Qmp2c1g4Ci9qdVVwZ0NS +bGxFTEVHSjJFaTRxeVZ4b0xGdjJYd0tFdGhlSUNUWXZxNzgKLT4gc3NoLWVkMjU1 +MTkgNGhLQ013IHNBOHJKQXlXQjNhdzBPcVd4cTJscURoMGJ0dFJzOWVGOFpsYnZB +a3B2QkEKc01zVTBIUWtiNVJZU1J3ZThkK09OV29FUGhZbVpnRmplN3VBMWcrR1p0 +awotPiBzc2gtZWQyNTUxOSB5YUxIU1Egcnp4OGhJNGRHbEV3OG5TTm1aRUU1aW1q +b28yUENOaXFmY1ZpYUpUay95QQo1RUpmakFDa0d0REdOMXI1bUgyQWJZNkxycXZR +ZDJsMzZ1dkcxSW55SkxNCi0+IFgyNTUxOSBwakluMGlHNStRRlZtdVZTd05Rb0xl +MDQwQnU5emtYQ1dTaEtBQ1VEekd3ClNuaURTNEpXd1VKaDZIL3lqZ1NWTVZMNEky +ZklOSUgwS0lGNi9aRjQ4SlUKLT4gc3NoLWVkMjU1MTkgU1lqNklnICt3VTVGWStQ +YmUrd2lZd1djeWIrTDZLaVVNNUpzeHdodXV1ZWlYS2haaFkKekJ3aGN0aWgxOVZx +UUJhTFRMNFNvaWcrdlppOXpoTVJmQ1E4UnpGWU1hOAotPiBzc2gtZWQyNTUxOSBx +OG9jemcgbGZVNFQ2TEhFY25zZi9CZjNlaHJ2RUc2aGF0YUZ3bmF4OW4vck5ETGd6 +RQpKRmtqTUJNdmRpNXN3ZEswRVZiQ09jMVl0RDArN1grU29BSVl1UllyalRBCi0+ 
+IHNzaC1lZDI1NTE5IE9KUVZEUSAyN01raTlBcldwbjlqR0JISEN0akE3ZzFxcVhJ +a2hNZDdHQ3ZGUVhML0djCmRIR2JaUmNtZ09KZEx2WXE2anE2aHhVcFp0eSt1bXRq +SFRpZm9rNVg1MEEKLT4gWy5UV2xbLS1ncmVhc2UgLnJoYQowT1MyTzdXL29Dd01K +NWFDVDkvZDBnb0FRS3J2OTAwVnpsT3QvRG1OVVJycHlHMmpxaDBhNjJ4eXhoUEFH +T3FQCmU2TDgwUEQwUFNJemhCeTUKLS0tIG44VGNCZXBaQ3NTQkd5SzNYZzNVNHhD +UVRGem9ZV2tDekJ2YXE0K1ROd0UK+wI/AD7o9LA6/ldR4jhyNwjnJWbhaM0dIgwe +LYBydR6YG7H1KXDjsyOvmbQLEWyRiQ== -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix 
@@ -1,117 +1,135 @@ let - main-key = "age1mn57hntgx775kwcwx4jrrd7rfl7z4wl54kqtgq8w2kzg7agz7alsv5eesw"; - - blechkasten = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMnLFWr1zTU8sEJr3XZaRoLxto0QAB9HOQRbyDphBS+"; - coladose = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG/GoIIFuo54vAGA9QK2/HLjIlhNOpCGYu7xqhQaYd5u"; - seifenkiste = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMX8q2ux3YdAFGLRfD8/fCEAEalqxsRQwkOSp6gYedFt"; - - #servers - briefkasten = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8mi9ZKPdhn20g9gyxE7NYBq/vAKemW4lhaQlLw5QVc"; - - hector = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILONdCJED/Lmd215tO8KBkJSl1E9ZdMyC+syxSqmo7o"; - trabbi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBwzDl1dHpDIZxFfRBLQyFn85RVTsg7OgO3Eahdn3FTJ"; - wanderduene = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8uAvUnwhg3pnCdaaoclWDKV275SyNSyrkJON+R5Boi"; - -in { - "passwords/leah-at-f2k1-de.age".publicKeys = [ main-key trabbi wanderduene briefkasten ]; - "passwords/katja.age".publicKeys = [ main-key trabbi wanderduene hector briefkasten coladose seifenkiste ]; - - "restic-server/briefkasten.age".publicKeys = [ main-key trabbi hector briefkasten ]; - "restic-server/wanderduene.age".publicKeys = [ main-key trabbi hector briefkasten ]; - - - "blechkasten/syncthing/key.age".publicKeys = [ main-key blechkasten ]; - "blechkasten/syncthing/cert.age".publicKeys = [ main-key blechkasten ]; - - - "coladose/syncthing/key.age".publicKeys = [ main-key coladose ]; - "coladose/syncthing/cert.age".publicKeys = [ main-key coladose ]; - - - "seifenkiste/acme-tsig-key.age".publicKeys = [ main-key seifenkiste ]; - - "seifenkiste/syncthing/key.age".publicKeys = [ main-key seifenkiste ]; - "seifenkiste/syncthing/cert.age".publicKeys = [ main-key seifenkiste ]; - - - "briefkasten/acme-tsig-key.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/wireguard-privkey.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic-server-htpasswd.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/pppd-env.age".publicKeys = [ main-key 
briefkasten ]; - - "briefkasten/restic/gotosocial.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/influxdb.age".publicKeys = [ main-key briefkasten ]; - - "briefkasten/influx/grafana_token_mqttData.age".publicKeys = [ main-key briefkasten hector ]; - "briefkasten/influx/telegraf_token_mqttData.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/influx/master_token.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/influx/backup_env.age".publicKeys = [ main-key briefkasten ]; - - "briefkasten/mosquitto/passwd-katja.age".publicKeys = [ main-key briefkasten ]; - - "briefkasten/telegraf/secrets.env.age".publicKeys = [ main-key briefkasten ]; - - "briefkasten/zigbee2mqtt/secrets.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/zigbee2mqtt/htpasswd.age".publicKeys = [ main-key briefkasten ]; - - "briefkasten/syncthing/key.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/syncthing/cert.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/syncthing/htpasswd.age".publicKeys = [ main-key briefkasten ]; - - "briefkasten/restic/syncthing-audiobooks-orig.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/syncthing-audiobooks.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/syncthing-documents.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/syncthing-music-orig.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/syncthing-music.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/syncthing-pictures.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/syncthing-media.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/syncthing-windoofs.age".publicKeys = [ main-key briefkasten ]; - - "briefkasten/restic/syncthing-bahn-richtlinien.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/syncthing-blechelse.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/syncthing-wiki.age".publicKeys = [ 
main-key briefkasten ]; - - - "hector/knot-keys.age".publicKeys = [ main-key hector ]; - "hector/acme-tsig-key.age".publicKeys = [ main-key hector ]; - "hector/radicale-users.age".publicKeys = [ main-key hector ]; - "hector/vaultwarden-secrets.age".publicKeys = [ main-key hector ]; - "hector/gotosocial-env.age".publicKeys = [ main-key hector ]; - - "hector/restic/radicale.age".publicKeys = [ main-key hector ]; - "hector/restic/vaultwarden.age".publicKeys = [ main-key hector ]; - "hector/restic/ctucx-things.age".publicKeys = [ main-key hector ]; - "hector/restic/gitolite.age".publicKeys = [ main-key hector ]; - "hector/restic/gotosocial.age".publicKeys = [ main-key hector ]; - "hector/restic/matrix-synapse.age".publicKeys = [ main-key hector ]; - "hector/restic/mail.age".publicKeys = [ main-key hector ]; - - "hector/syncthing/key.age".publicKeys = [ main-key hector ]; - "hector/syncthing/cert.age".publicKeys = [ main-key hector ]; - - "hector/mail/password-katja-ctu.cx.age".publicKeys = [ main-key hector ]; - "hector/mail/password-gts-ctu.cx.age".publicKeys = [ main-key hector ]; - "hector/mail/password-gts-zuggeschmack.de.age".publicKeys = [ main-key hector ]; - "hector/mail/password-info-zuggeschmack.de.age".publicKeys = [ main-key hector ]; - "hector/mail/password-vaultwarden-ctu.cx.age".publicKeys = [ main-key hector ]; - "hector/mail/password-mail-zug.network.age".publicKeys = [ main-key hector ]; - - "hector/matrix-synapse/registration_shared_secret.age".publicKeys = [ main-key hector ]; - - - "trabbi/acme-tsig-key.age".publicKeys = [ main-key trabbi ]; - "trabbi/gotosocial-env.age".publicKeys = [ main-key trabbi ]; - - "trabbi/restic/gotosocial.age".publicKeys = [ main-key trabbi]; - - - "wanderduene/acme-tsig-key.age".publicKeys = [ main-key wanderduene ]; - "wanderduene/wireguard-privkey.age".publicKeys = [ main-key wanderduene ]; - "wanderduene/restic-server-htpasswd.age".publicKeys = [ main-key wanderduene ]; - "wanderduene/rclone-config.age".publicKeys = 
[ main-key wanderduene ]; - - "wanderduene/syncthing/key.age".publicKeys = [ main-key wanderduene ]; - "wanderduene/syncthing/cert.age".publicKeys = [ main-key wanderduene ]; - - "wanderduene/matrix-dendrite/private-key.age".publicKeys = [ main-key wanderduene ]; -} + keys = { + main = "age1mn57hntgx775kwcwx4jrrd7rfl7z4wl54kqtgq8w2kzg7agz7alsv5eesw"; + + blechkasten = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMnLFWr1zTU8sEJr3XZaRoLxto0QAB9HOQRbyDphBS+"; + seifenkiste = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMX8q2ux3YdAFGLRfD8/fCEAEalqxsRQwkOSp6gYedFt"; + + #servers + briefkasten = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8mi9ZKPdhn20g9gyxE7NYBq/vAKemW4lhaQlLw5QVc"; + hector = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILONdCJED/Lmd215tO8KBkJSl1E9ZdMyC+syxSqmo7o"; + trabbi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBwzDl1dHpDIZxFfRBLQyFn85RVTsg7OgO3Eahdn3FTJ"; + wanderduene = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8uAvUnwhg3pnCdaaoclWDKV275SyNSyrkJON+R5Boi"; + }; + + plainSecrets = { + "restic-server/briefkasten.age".publicKeys = with keys; [ main trabbi hector briefkasten ]; + "restic-server/wanderduene.age".publicKeys = with keys; [ main trabbi hector briefkasten ]; + "briefkasten/influx/grafana_token_mqttData.age".publicKeys = with keys; [ main briefkasten hector ]; + }; + + globalSecrets = [ + "passwords/leah-at-f2k1-de.age" + "passwords/katja.age" + ]; + + hostSecrets = { + blechkasten = [ + "syncthing/key.age" + "syncthing/cert.age" + ]; + + seifenkiste = [ + "acme-tsig-key.age" + + "syncthing/key.age" + "syncthing/cert.age" + ]; + + briefkasten = [ + "acme-tsig-key.age" + "wireguard-privkey.age" + "restic-server-htpasswd.age" + "pppd-env.age" + + "restic/gotosocial.age" + "restic/influxdb.age" + + "influx/telegraf_token_mqttData.age" + "influx/master_token.age" + "influx/backup_env.age" + + "mosquitto/passwd-katja.age" + + "telegraf/secrets.env.age" + + "zigbee2mqtt/secrets.age" + "zigbee2mqtt/htpasswd.age" + + "syncthing/key.age" + "syncthing/cert.age" + 
"syncthing/htpasswd.age" + + "restic/syncthing-audiobooks-orig.age" + "restic/syncthing-audiobooks.age" + "restic/syncthing-documents.age" + "restic/syncthing-music-orig.age" + "restic/syncthing-music.age" + "restic/syncthing-pictures.age" + "restic/syncthing-media.age" + "restic/syncthing-bahn-richtlinien.age" + ]; + + hector = [ + "knot-keys.age" + "acme-tsig-key.age" + "radicale-users.age" + "vaultwarden-secrets.age" + "gotosocial-env.age" + + "restic/radicale.age" + "restic/vaultwarden.age" + "restic/ctucx-things.age" + "restic/gitolite.age" + "restic/gotosocial.age" + "restic/matrix-synapse.age" + "restic/mail.age" + + "syncthing/key.age" + "syncthing/cert.age" + + "mail/password-katja-ctu.cx.age" + "mail/password-gts-ctu.cx.age" + "mail/password-gts-zuggeschmack.de.age" + "mail/password-info-zuggeschmack.de.age" + "mail/password-vaultwarden-ctu.cx.age" + + "matrix-synapse/registration_shared_secret.age" + ]; + + trabbi = [ + "acme-tsig-key.age" + "gotosocial-env.age" + + "restic/gotosocial.age" + ]; + + wanderduene = [ + "acme-tsig-key.age" + "wireguard-privkey.age" + "restic-server-htpasswd.age" + "rclone-config.age" + + "syncthing/key.age" + "syncthing/cert.age" + + "matrix-dendrite/private-key.age" + ]; + }; + +in plainSecrets // ( + globalSecrets + |> builtins.map (secret: { name = secret; value = { publicKeys = (builtins.attrValues keys); }; }) + |> builtins.listToAttrs +) // ( + hostSecrets + |> builtins.mapAttrs ( + hostName: secrets: ( + secrets + |> builtins.map (secret: { name = "${hostName}/${secret}"; value = { publicKeys = [ keys.main keys."${hostName}" ]; }; }) + ) + ) + |> builtins.attrValues + |> builtins.concatLists + |> builtins.listToAttrs +)
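Review bot: `globalSecrets` now encrypts to `builtins.attrValues keys`, which widens who can decrypt the two password files compared with the removed explicit lists. `passwords/leah-at-f2k1-de.age` was limited to main, trabbi, wanderduene and briefkasten; it now also goes to hector, blechkasten and seifenkiste, and to every key added to `keys` later. If that is not intended, keep the two entries in `plainSecrets` with explicit recipients, e.g. `"passwords/leah-at-f2k1-de.age".publicKeys = with keys; [ main trabbi wanderduene briefkasten ];`. Dropping `coladose` from `keys` and re-encrypting does not revoke its access to the earlier ciphertexts that stay in git history, so the affected passwords need rotating if that key is no longer trusted. The `|>` pipe operator is still an experimental Nix feature, so a comment at the top of the file naming that requirement would help anyone running agenix against it.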