commit 86b5c74a036ae2d3b7d8aea2ef4044400eea3a8e
parent 849c14355f85325df4af67d835e4af1ee7d8b706
Author: Katja (ctucx) <git@ctu.cx>
Date: Mon, 10 Mar 2025 20:19:26 +0100
secrets: load with haumea (and CamelCase for filenames!)
58 files changed, 128 insertions(+), 131 deletions(-)
diff --git a/configurations/darwin/services/syncthing.nix b/configurations/darwin/services/syncthing.nix @@ -1,4 +1,4 @@ -{ ctucxConfig, pkgs, config, lib, ... }: +{ secrets, ctucxConfig, pkgs, config, lib, ... }: let syncthingConfig = import ctucxConfig.syncthing { inherit pkgs config lib; }; @@ -7,12 +7,12 @@ in { age.identityPaths = [ "/Users/katja/.ssh/id_ed25519" ]; age.secrets = { - syncthing-key = { - file = ../../../secrets + "/${config.networking.hostName}/syncthing/key.age"; + syncthingKey = { + file = secrets."${config.networking.hostName}".syncthing.key; owner = "katja"; }; - syncthing-cert = { - file = ../../../secrets + "/${config.networking.hostName}/syncthing/cert.age"; + syncthingCert = { + file = secrets."${config.networking.hostName}".syncthing.cert; owner = "katja"; }; }; @@ -24,8 +24,8 @@ in { user = "katja"; group = "staff"; - key = config.age.secrets.syncthing-key.path; - cert = config.age.secrets.syncthing-cert.path; + key = config.age.secrets.syncthingKey.path; + cert = config.age.secrets.syncthingCert.path; dataDir = "/Users/katja"; devices = syncthingConfig.devices;
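Review bot: The Darwin module renames the age secrets to `syncthingKey`/`syncthingCert`, while the NixOS counterpart in this same commit (configurations/nixos/services/syncthing.nix) keeps `syncthing-key`/`syncthing-cert` and only swaps the `file` expression; the two modules now disagree on the secret names even though both read the same `secrets."${config.networking.hostName}".syncthing.{key,cert}` entries. Either name is fine, but pick one so a `config.age.secrets.<name>.path` lookup copied between the two modules does not silently hit an undefined attribute. If the NixOS side is left as is, a one-line comment there would save the next reader a search: `# kept kebab-case on purpose: consumers below still reference config.age.secrets.syncthing-key`.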
diff --git a/configurations/nixos/configure/router/ppp.nix b/configurations/nixos/configure/router/ppp.nix @@ -1,8 +1,8 @@ -{ config, utils, pkgs, ... }: +{ secrets, config, utils, pkgs, ... }: { - age.secrets.pppd-env.file = ./. + "/../../../../secrets/${config.networking.hostName}/pppd-env.age"; + age.secrets.pppdEnv.file = secrets."${config.networking.hostName}".pppdEnv; services.pppd = { enable = true; @@ -52,7 +52,7 @@ preStartFile = utils.systemdUtils.lib.makeJobScript { name = "pppd-dtagdsl-pre-start"; text = preStart; enableStrictShellChecks = true; }; in { - EnvironmentFile = config.age.secrets.pppd-env.path; + EnvironmentFile = config.age.secrets.pppdEnv.path; ExecStartPre = [ # "+" marks script to be executed without priviledge restrictions "+${preStartFile}"
diff --git a/configurations/nixos/configure/router/systemd-networkd.nix b/configurations/nixos/configure/router/systemd-networkd.nix @@ -1,11 +1,11 @@ -{ node, config, lib, ... }: +{ secrets, node, config, lib, ... }: { # systemd.services."systemd-networkd".serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug"; - age.secrets.wireguard-privkey = { - file = ./. + "../../../../../secrets/${config.networking.hostName}/wireguard-privkey.age"; + age.secrets.wireguardPrivKey = { + file = secrets."${config.networking.hostName}".wireguardPrivKey; mode = "640"; owner = "root"; group = "systemd-network"; @@ -43,7 +43,7 @@ }; wireguardConfig = { - PrivateKeyFile = config.age.secrets.wireguard-privkey.path; + PrivateKeyFile = config.age.secrets.wireguardPrivKey.path; ListenPort = 51820; FirewallMark = 51820; };
diff --git a/configurations/nixos/configure/smarthome/influxdb2.nix b/configurations/nixos/configure/smarthome/influxdb2.nix @@ -1,17 +1,17 @@ -{ node, config, pkgs, lib, ... }: +{ node, secrets, config, pkgs, lib, ... }: { dns.zones."ctu.cx".subdomains."influx.home".AAAA = [ node.ip6Address ]; - age.secrets.restic-influxdb.file = ./. + "/../../../../secrets/${config.networking.hostName}/restic/influxdb.age"; - age.secrets.influx-backup-env.file = ./. + "/../../../../secrets/${config.networking.hostName}/influx/backup_env.age"; + age.secrets.resticInfluxDB.file = secrets."${config.networking.hostName}".restic.influxdb; + age.secrets.influxBackupEnv.file = secrets."${config.networking.hostName}".influx.backupEnv; - systemd.services.restic-backup-influxdb.serviceConfig.EnvironmentFile = config.age.secrets.influx-backup-env.path; + systemd.services.restic-backup-influxdb.serviceConfig.EnvironmentFile = config.age.secrets.influxBackupEnv.path; restic-backups.influxdb = { user = "influxdb2"; - passwordFile = config.age.secrets.restic-influxdb.path; + passwordFile = config.age.secrets.resticInfluxDB.path; influxBuckets = [ "mqttData" ]; }; @@ -23,14 +23,12 @@ services.influxdb2.enable = true; services.influxdb2.settings.http-bind-address = "[::1]:8086"; - services.nginx = { - enable = true; - virtualHosts."influx.${config.networking.domain}" = { - useACMEHost = "${config.networking.fqdn}"; - forceSSL = true; - kTLS = true; - locations."/".proxyPass = "http://${toString config.services.influxdb2.settings.http-bind-address}/"; - }; + services.nginx.enable = true; + services.nginx.virtualHosts."influx.${config.networking.domain}" = { + useACMEHost = "${config.networking.fqdn}"; + forceSSL = true; + kTLS = true; + locations."/".proxyPass = "http://${toString config.services.influxdb2.settings.http-bind-address}/"; }; }
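Review bot: `resticInfluxDB` capitalises the acronym while every other new secret name in this commit uses lower camel case for the service part (`resticGotosocial`, `resticMatrixSynapse`, `resticRadicale`, `resticGitolite`), and mailserver/default.nix has the same inconsistency within one file (`mailPasswordGTS` next to `mailPasswordGtsZug`); `resticInfluxdb` and `mailPasswordGts` would match the rest. The second hunk also flattens the `services.nginx` block, which is unrelated to the haumea secrets loader and would be easier to review as its own commit. Both are style points only; the `secrets."${config.networking.hostName}".restic.influxdb` lookups themselves look consistent with the other modules.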
diff --git a/configurations/nixos/configure/smarthome/telegraf.nix b/configurations/nixos/configure/smarthome/telegraf.nix @@ -1,15 +1,15 @@ -{ inputs, config, ... }: +{ inputs, secrets, config, ... }: { - age.secrets.telegraf-env = { - file = ./. + "/../../../../secrets/${config.networking.hostName}/telegraf/secrets.env.age"; + age.secrets.telegrafEnv = { + file = secrets."${config.networking.hostName}".telegraf.secretsEnv; owner = "telegraf"; }; services.telegraf = { enable = true; - environmentFiles = [ config.age.secrets.telegraf-env.path ]; + environmentFiles = [ config.age.secrets.telegrafEnv.path ]; extraConfig = { inputs = { mqtt_consumer = {
diff --git a/configurations/nixos/configure/smarthome/zigbee2mqtt.nix b/configurations/nixos/configure/smarthome/zigbee2mqtt.nix @@ -1,11 +1,11 @@ -{ inputs, node, pkgs, lib, config, ... }: +{ inputs, node, secrets, pkgs, lib, config, ... }: { dns.zones."ctu.cx".subdomains."zigbee2mqtt.home".AAAA = [ node.ip6Address ]; - age.secrets."zigbee2mqtt-secrets.yaml" = { - file = ./. + "/../../../../secrets/${config.networking.hostName}/zigbee2mqtt/secrets.age"; + age.secrets."zigbee2mqttSecrets.yaml" = { + file = secrets."${config.networking.hostName}".zigbee2mqtt.secrets; owner = "zigbee2mqtt"; }; @@ -69,7 +69,7 @@ log_level = "info"; log_output = [ "console" ]; channel = 26; - network_key = "!${config.age.secrets."zigbee2mqtt-secrets.yaml".path} network_key"; + network_key = "!${config.age.secrets."zigbee2mqttSecrets.yaml".path} network_key"; }; device_options.retain = true;
diff --git a/configurations/nixos/default.nix b/configurations/nixos/default.nix @@ -1,4 +1,4 @@ -{ inputs, nodeName, config, ctucxConfig, lib, pkgs, ... }: +{ inputs, secrets, nodeName, config, ctucxConfig, lib, pkgs, ... }: let katja-pubkey = "ssh-rsa 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 (none)"; @@ -20,8 +20,8 @@ in { i18n.defaultLocale = "en_US.UTF-8"; i18n.supportedLocales = [ "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" ]; - age.secrets.katja-systempassword.file = ../../secrets/passwords/katja.age; - age.secrets.acmeTSIGKey.file = ./. + "/../../secrets/${config.networking.hostName}/acme-tsig-key.age"; + age.secrets.katjaPassword.file = secrets.global.passwords.katja; + age.secrets.acmeTSIGKey.file = secrets."${config.networking.hostName}".acmeTSigKey; system = { nixos.revision = lib.mkIf (inputs.nixpkgs.sourceInfo ? rev) inputs.nixpkgs.sourceInfo.rev; @@ -138,7 +138,7 @@ in { users.users.root.openssh.authorizedKeys.keys = [ katja-pubkey ]; users.users.katja = { isNormalUser = true; - hashedPasswordFile = config.age.secrets.katja-systempassword.path; + hashedPasswordFile = config.age.secrets.katjaPassword.path; extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. openssh.authorizedKeys.keys = [ katja-pubkey ]; };
diff --git a/configurations/nixos/services/ca/default.nix b/configurations/nixos/services/ca/default.nix @@ -1,10 +1,10 @@ -{ node, config, ctucxLib, ... }: +{ node, secrets, config, ctucxLib, ... }: { dns.zones."ctu.cx".subdomains."ca".AAAA = [ node.ip6Address ]; - age.secrets.caPassword.file = ./. + "/../../../../secrets/${config.networking.hostName}/caPassword.age"; + age.secrets.caPassword.file = secrets."${config.networking.hostName}".caPassword; services.pcscd.enable = true;
diff --git a/configurations/nixos/services/dns-server.nix b/configurations/nixos/services/dns-server.nix @@ -1,4 +1,4 @@ -{ inputs, node, config, dnsNix, ctucxLib, lib, pkgs, ...}: +{ inputs, node, secrets, config, dnsNix, ctucxLib, lib, pkgs, ...}: let acmeZone = "acme.ctu.cx"; @@ -42,7 +42,7 @@ in { age.secrets = lib.mkIf config.dns.primary { knotKeys = { - file = ./. + "/../../../secrets/${config.networking.hostName}/knot-keys.age"; + file = secrets."${config.networking.hostName}".knotKeys; owner = "knot"; group = "knot"; };
diff --git a/configurations/nixos/services/gotosocial.nix b/configurations/nixos/services/gotosocial.nix @@ -1,14 +1,14 @@ -{ pkgs, lib, config, ... }: +{ secrets, pkgs, lib, config, ... }: { - age.secrets.restic-gotosocial.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/gotosocial.age"; + age.secrets.resticGotosocial.file = secrets."${config.networking.hostName}".restic.gotosocial; systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ config.services.gotosocial.stateDir ]; restic-backups.gotosocial = { user = config.services.gotosocial.user; - passwordFile = config.age.secrets.restic-gotosocial.path; + passwordFile = config.age.secrets.resticGotosocial.path; sqliteDatabases = [ (lib.mkIf (config.services.gotosocial.settings.db-type == "sqlite") config.services.gotosocial.settings.db-address) ]; paths = [ (lib.mkIf (config.services.gotosocial.settings.storage-backend == "local") config.services.gotosocial.settings.storage-local-base-path)
diff --git a/configurations/nixos/services/mailserver/default.nix b/configurations/nixos/services/mailserver/default.nix @@ -1,4 +1,4 @@ -{ dnsNix, node, pkgs, config, ... }: +{ secrets, dnsNix, node, pkgs, config, ... }: let mailAutoConfig = '' @@ -28,12 +28,12 @@ let in { - age.secrets.restic-mail.file = ./. + "/../../../../secrets/${config.networking.hostName}/restic/mail.age"; - age.secrets.mail-password-katja.file = ./. + "/../../../../secrets/${config.networking.hostName}/mail/password-katja-ctu.cx.age"; - age.secrets.mail-password-gts.file = ./. + "/../../../../secrets/${config.networking.hostName}/mail/password-gts-ctu.cx.age"; - age.secrets.mail-password-gts-zug.file = ./. + "/../../../../secrets/${config.networking.hostName}/mail/password-gts-zuggeschmack.de.age"; - age.secrets.mail-password-info-zug.file = ./. + "/../../../../secrets/${config.networking.hostName}/mail/password-info-zuggeschmack.de.age"; - age.secrets.mail-password-vaultwarden.file = ./. + "/../../../../secrets/${config.networking.hostName}/mail/password-vaultwarden-ctu.cx.age"; + age.secrets.resticMail.file = secrets."${config.networking.hostName}".restic.mail; + age.secrets.mailPasswordKatja.file = secrets."${config.networking.hostName}".mail."password-katja-ctu.cx"; + age.secrets.mailPasswordGTS.file = secrets."${config.networking.hostName}".mail."password-gts-ctu.cx"; + age.secrets.mailPasswordGtsZug.file = secrets."${config.networking.hostName}".mail."password-gts-zuggeschmack.de"; + age.secrets.mailPasswordInfoZug.file = secrets."${config.networking.hostName}".mail."password-info-zuggeschmack.de"; + age.secrets.mailPasswordVaultwarden.file = secrets."${config.networking.hostName}".mail."password-vaultwarden-ctu.cx"; dns.zones = with dnsNix.combinators; let TXT = [ "v=spf1 a mx ip4:${node.ip4Address} +ip6:${node.ip6Address} ~all" ]; 
@@ -156,7 +156,7 @@ in { loginAccounts = { "katja@ctu.cx" = { - hashedPasswordFile = config.age.secrets.mail-password-katja.path; + hashedPasswordFile = config.age.secrets.mailPasswordKatja.path; sieveScript = builtins.readFile ./rules-katja.sieve; aliases = [ "@ctu.cx" @@ -167,19 +167,19 @@ in { }; "vaultwarden@ctu.cx" = { - hashedPasswordFile = config.age.secrets.mail-password-vaultwarden.path; + hashedPasswordFile = config.age.secrets.mailPasswordVaultwarden.path; }; "gts@ctu.cx" = { - hashedPasswordFile = config.age.secrets.mail-password-gts.path; + hashedPasswordFile = config.age.secrets.mailPasswordGTS.path; }; "gts@zuggeschmack.de" = { - hashedPasswordFile = config.age.secrets.mail-password-gts-zug.path; + hashedPasswordFile = config.age.secrets.mailPasswordGtsZug.path; }; "info@zuggeschmack.de" = { - hashedPasswordFile = config.age.secrets.mail-password-info-zug.path; + hashedPasswordFile = config.age.secrets.mailPasswordInfoZug.path; aliases = [ "@zuggeschmack.de" ]; @@ -188,7 +188,7 @@ in { }; restic-backups.mail = { - passwordFile = config.age.secrets.restic-mail.path; + passwordFile = config.age.secrets.resticMail.path; paths = [ "/var/lib/mailboxes" "/var/lib/dkimKeys"
diff --git a/configurations/nixos/services/matrix-synapse.nix b/configurations/nixos/services/matrix-synapse.nix @@ -1,20 +1,20 @@ -{ config, lib, pkgs, ... }: +{ secrets, config, lib, pkgs, ... }: { dns.zones."ctu.cx".subdomains.matrix.CNAME = [ "${config.networking.fqdn}." ]; age.secrets = { - restic-matrix-synapse.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/matrix-synapse.age"; - matrix-registration_shared_secret = { - file = ./. + "/../../../secrets/${config.networking.hostName}/matrix-synapse/registration_shared_secret.age"; + resticMatrixSynapse.file = secrets."${config.networking.hostName}".restic.matrixSynapse; + matrixRegistrationSharedSecret = { + file = secrets."${config.networking.hostName}".matrixSynapse.registrationSharedSecret; owner = "matrix-synapse"; }; }; restic-backups.matrix-synapse = { user = "matrix-synapse"; - passwordFile = config.age.secrets.restic-matrix-synapse.path; + passwordFile = config.age.secrets.resticMatrixSynapse.path; postgresDatabases = [ "matrix-synapse" ]; paths = [ "/var/lib/matrix-synapse" ]; }; @@ -45,7 +45,7 @@ dynamic_thumbnails = true; enable_registration = false; enable_registration_without_verification = false; - registration_shared_secret_file = config.age.secrets.matrix-registration_shared_secret.path; + registration_shared_secret_file = config.age.secrets.matrixRegistrationSharedSecret.path; listeners = [{ bind_addresses = [ "::1" ]; port = 8008;
diff --git a/configurations/nixos/services/restic-server.nix b/configurations/nixos/services/restic-server.nix @@ -1,9 +1,9 @@ -{ config, lib, pkgs, ...}: +{ secrets, config, lib, pkgs, ...}: { - age.secrets.restic-server-htpasswd = { - file = ./. + "/../../../secrets/${config.networking.hostName}/restic-server-htpasswd.age"; + age.secrets.resticServerHtpasswd = { + file = secrets."${config.networking.hostName}".resticServerHtpasswd; owner = "nginx"; }; @@ -31,7 +31,7 @@ extraConfig = '' client_max_body_size 10G; auth_basic Auth; - auth_basic_user_file ${config.age.secrets.restic-server-htpasswd.path}; + auth_basic_user_file ${config.age.secrets.resticServerHtpasswd.path}; ''; }; };
diff --git a/configurations/nixos/services/syncthing.nix b/configurations/nixos/services/syncthing.nix @@ -1,4 +1,4 @@ -{ ctucxConfig, config, pkgs, lib, ... }: +{ ctucxConfig, secrets, config, pkgs, lib, ... }: let syncthingConfig = import ctucxConfig.syncthing { inherit pkgs config lib; }; @@ -7,11 +7,11 @@ in { age.secrets = { syncthing-key = { - file = ../../../secrets + "/${config.networking.hostName}/syncthing/key.age"; + file = secrets."${config.networking.hostName}".syncthing.key; owner = lib.mkDefault "katja"; }; syncthing-cert = { - file = ../../../secrets + "/${config.networking.hostName}/syncthing/cert.age"; + file = secrets."${config.networking.hostName}".syncthing.cert; owner = lib.mkDefault "katja"; }; };
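Review bot: Only the `file` expressions change here while the secret names stay `syncthing-key`/`syncthing-cert`, so the `key = config.age.secrets....path` consumers later in this file (outside the hunk) still match; note that the Darwin module in this commit renamed the same two secrets to `syncthingKey`/`syncthingCert`, so the two syncthing modules now use different names for the same `secrets."${config.networking.hostName}".syncthing.{key,cert}` entries. Aligning them, or a short comment saying the kebab-case names are deliberate, would prevent a later copy between the modules from referencing a secret that does not exist.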
diff --git a/configurations/nixos/websites/dav.ctu.cx.nix b/configurations/nixos/websites/dav.ctu.cx.nix @@ -1,20 +1,20 @@ -{ config, lib, pkgs, ... }: +{ secrets, config, lib, pkgs, ... }: { dns.zones."ctu.cx".subdomains.dav.CNAME = [ "${config.networking.fqdn}." ]; age.secrets = { - restic-radicale.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/radicale.age"; - radicale-users = { - file = ./. + "/../../../secrets/${config.networking.hostName}/radicale-users.age"; + resticRadicale.file = secrets."${config.networking.hostName}".restic.radicale; + radicaleUsers = { + file = secrets."${config.networking.hostName}".radicaleUsers; owner = "radicale"; }; }; restic-backups.radicale = { user = "radicale"; - passwordFile = config.age.secrets.restic-radicale.path; + passwordFile = config.age.secrets.resticRadicale.path; paths = [ "/var/lib/radicale" ]; }; @@ -28,7 +28,7 @@ storage.filesystem_folder = "/var/lib/radicale/collections"; headers.Access-Control-Allow-Origin = "*"; auth.type = "htpasswd"; - auth.htpasswd_filename = config.age.secrets.radicale-users.path; + auth.htpasswd_filename = config.age.secrets.radicaleUsers.path; auth.htpasswd_encryption = "plain"; };
diff --git a/configurations/nixos/websites/fedi.ctu.cx.nix b/configurations/nixos/websites/fedi.ctu.cx.nix @@ -1,4 +1,4 @@ -{ ctucxConfig, config, ... }: +{ secrets, ctucxConfig, config, ... }: { @@ -13,10 +13,10 @@ dns.zones."ctu.cx".subdomains."fedi".CNAME = [ "${config.networking.fqdn}." ]; - age.secrets.gotosocial-env.file = ./. + "/../../../secrets/${config.networking.hostName}/gotosocial-env.age"; + age.secrets.gotosocialEnv.file = secrets."${config.networking.hostName}".gotosocialEnv; services.gotosocial = { - environmentFile = config.age.secrets.gotosocial-env.path; + environmentFile = config.age.secrets.gotosocialEnv.path; settings = { application-name = "ctucx.fedi";
diff --git a/configurations/nixos/websites/git.ctu.cx.nix b/configurations/nixos/websites/git.ctu.cx.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ secrets, config, lib, pkgs, ... }: let stagitFunctions = pkgs.writeShellScript "stagitFunctions" '' @@ -122,11 +122,11 @@ in { git.CNAME = [ "${config.networking.fqdn}." ]; }; - age.secrets.restic-gitolite.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/gitolite.age"; + age.secrets.resticGitolite.file = secrets."${config.networking.hostName}".restic.gitolite; restic-backups.gitolite = { user = "git"; - passwordFile = config.age.secrets.restic-gitolite.path; + passwordFile = config.age.secrets.resticGitolite.path; paths = [ "/var/lib/gitolite" ]; };
diff --git a/configurations/nixos/websites/grafana.ctu.cx/default.nix b/configurations/nixos/websites/grafana.ctu.cx/default.nix @@ -1,9 +1,9 @@ -{ inputs, config, lib, pkgs, ... }: +{ inputs, secrets, config, lib, pkgs, ... }: { - age.secrets.grafana-influx-token-mqttData = { - file = ../../../../secrets/briefkasten/influx/grafana_token_mqttData.age; + age.secrets.grafanaInfluxTokenMqttData = { + file = secrets.briefkasten.influx.grafanaTokenMqttData; owner = "grafana"; }; @@ -54,7 +54,7 @@ jsonData.version = "Flux"; jsonData.organization = "katja"; jsonData.defaultBucket = "mqttData"; - secureJsonData.token = "$__file{${config.age.secrets.grafana-influx-token-mqttData.path}}"; + secureJsonData.token = "$__file{${config.age.secrets.grafanaInfluxTokenMqttData.path}}"; } ];
diff --git a/configurations/nixos/websites/things.ctu.cx.nix b/configurations/nixos/websites/things.ctu.cx.nix @@ -1,14 +1,14 @@ -{ inputs, config, pkgs, lib, ... }: +{ inputs, secrets, config, pkgs, lib, ... }: { dns.zones."ctu.cx".subdomains."things".CNAME = [ "${config.networking.fqdn}." ]; - age.secrets.restic-ctucx-things.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/ctucx-things.age"; + age.secrets.resticCtucxThings.file = secrets."${config.networking.hostName}".restic.ctucxThings; restic-backups.ctucx-things = { user = "ctucx-things"; - passwordFile = config.age.secrets.restic-ctucx-things.path; + passwordFile = config.age.secrets.resticCtucxThings.path; paths = [ "/var/lib/ctucx-things" ]; };
diff --git a/configurations/nixos/websites/vault.ctu.cx.nix b/configurations/nixos/websites/vault.ctu.cx.nix @@ -1,13 +1,13 @@ -{ pkgs, config, ... }: +{ secrets, pkgs, config, ... }: { dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ]; age.secrets = { - restic-vaultwarden.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/vaultwarden.age"; - vaultwarden-secrets = { - file = ./. + "/../../../secrets/${config.networking.hostName}/vaultwarden-secrets.age"; + resticVaultwarden.file = secrets."${config.networking.hostName}".restic.vaultwarden; + vaultwardenSecrets = { + file = secrets."${config.networking.hostName}".vaultwardenSecrets; owner = "vaultwarden"; group = "vaultwarden"; }; @@ -15,7 +15,7 @@ restic-backups.vaultwarden = { user = "vaultwarden"; - passwordFile = config.age.secrets.restic-vaultwarden.path; + passwordFile = config.age.secrets.resticVaultwarden.path; paths = [ "/var/lib/vaultwarden" "/var/backups/vaultwarden"]; }; @@ -26,7 +26,7 @@ enable = true; dbBackend = "sqlite"; backupDir = "/var/backups/vaultwarden"; - environmentFile = config.age.secrets.vaultwarden-secrets.path; + environmentFile = config.age.secrets.vaultwardenSecrets.path; config = { DOMAIN = "https://vault.ctu.cx"; SIGNUPS_ALLOWED = false;
diff --git a/configurations/nixos/websites/zuggeschmack.de.nix b/configurations/nixos/websites/zuggeschmack.de.nix @@ -1,4 +1,4 @@ -{ ctucxConfig, dnsNix, node, pkgs, config, ... }: +{ secrets, ctucxConfig, dnsNix, node, pkgs, config, ... }: { @@ -15,10 +15,10 @@ subdomains."client".CNAME = [ "${config.networking.fqdn}." ]; }; - age.secrets.gotosocial-env.file = ./. + "/../../../secrets/${config.networking.hostName}/gotosocial-env.age"; + age.secrets.gotosocialEnv.file = secrets."${config.networking.hostName}".gotosocialEnv; services.gotosocial = { - environmentFile = config.age.secrets.gotosocial-env.path; + environmentFile = config.age.secrets.gotosocialEnv.path; settings = { application-name = "ZugGeschmack.de";
diff --git a/flake.nix b/flake.nix @@ -41,6 +41,9 @@ nodes = loadDir importLoader ./machines; lib = loadDir (path: path: import path inputs) ./lib; + + secrets = loadDir [(inputs.haumea.lib.matchers.extension "age" pathLoader)] ./secrets; + ctucxConfig = rec { homeManager = loadDir pathLoader ./configurations/homeManager; common = (loadDir pathLoader ./configurations/common ) // { inherit homeManager; }; @@ -64,6 +67,7 @@ specialArgs = { inherit inputs nodeName node; + secrets = inputs.self.secrets; ctucxConfig = inputs.self.ctucxConfig.nixos; ctucxLib = inputs.self.lib; dnsNix = inputs.dnsNix.lib; @@ -108,6 +112,7 @@ inputs = inputs; ctucxConfig = inputs.self.ctucxConfig.darwin; ctucxLib = inputs.self.lib; + secrets = inputs.self.secrets; nixStd = inputs.nixStd.lib; }; @@ -227,4 +232,4 @@ firefoxGnomeTheme.url = "github:rafaelmardojai/firefox-gnome-theme/v135"; }; -}- \ No newline at end of file +}
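Review bot: The `secrets = loadDir [...] ./secrets;` line carries the whole new lookup contract but no comment, and every consumer now depends on the directory layout under ./secrets mapping 1:1 onto attribute paths (`secrets.<host>.<dir>.<file-without-.age>`, judging from the usages in this diff); a comment above it would make that explicit, e.g. `# Every *.age below ./secrets as a nested attrset keyed by directory and file name (".age" stripped); a missing secret now fails at evaluation with "attribute missing" instead of at build time.` The renamed .age files themselves are not shown in this diff (the diffstat lists 58 files, the text 30), so the new attribute paths such as `resticServer.briefkasten` or `global.passwords.katja` can only be confirmed by evaluating each host. `secrets` is also published as a flake output and read back through `inputs.self.secrets` in two specialArgs blocks; binding it once next to `nodes`/`lib` (their definitions start above this hunk) and referencing that binding in both places would avoid the self-reference.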
diff --git a/machines/briefkasten/default.nix b/machines/briefkasten/default.nix @@ -11,7 +11,7 @@ ip6Address = "2a03:4000:4d:5e:acab::1"; ip6PrefixLength = 112; - configuration = { node, config, ctucxConfig, lib, pkgs, ... }: { + configuration = { node, secrets, config, ctucxConfig, lib, pkgs, ... }: { imports = [ ./hardware-configuration.nix @@ -41,10 +41,8 @@ ctucxConfig.homeManager.programs.ocrmypdf ]; - age.secrets = { - restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age; - restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age; - }; + age.secrets.restic-server-briefkasten.file = secrets.resticServer.briefkasten; + age.secrets.restic-server-wanderduene.file = secrets.resticServer.wanderduene; dns.zones."ctu.cx".subdomains = { briefkasten.AAAA = [ node.ip6Address ];
diff --git a/machines/briefkasten/syncthing.nix b/machines/briefkasten/syncthing.nix @@ -1,4 +1,4 @@ -{ config, ctucxConfig, lib, ...}: +{ secrets, config, ctucxConfig, lib, ...}: let backups = { @@ -22,7 +22,7 @@ in { age.secrets = lib.mapAttrs' ( name: path: lib.nameValuePair "restic-syncthing-${name}" { - file = ./. + "/../../secrets/${config.networking.hostName}/restic/syncthing-${name}.age"; + file = secrets."${config.networking.hostName}".restic."syncthing-${name}"; } ) backups;
diff --git a/machines/hector/default.nix b/machines/hector/default.nix @@ -14,8 +14,7 @@ ip6PrefixLength = 64; defaultGateway6 = "fe80::1"; - - configuration = { node, config, dnsNix, ctucxConfig, lib, pkgs, ... }: { + configuration = { node, secrets, config, dnsNix, ctucxConfig, lib, pkgs, ... }: { imports = [ ./hardware-configuration.nix @@ -57,8 +56,8 @@ dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = dnsNix.combinators.host node.ip4Address node.ip6Address; - age.secrets.restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age; - age.secrets.restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age; + age.secrets.restic-server-briefkasten.file = secrets.resticServer.briefkasten; + age.secrets.restic-server-wanderduene.file = secrets.resticServer.wanderduene; boot.initrd.network = { enable = true;
diff --git a/machines/trabbi/default.nix b/machines/trabbi/default.nix @@ -14,8 +14,7 @@ ip6PrefixLength = 64; defaultGateway6 = "fe80::1"; - - configuration = { node, config, dnsNix, ctucxConfig, lib, pkgs, ... }: { + configuration = { node, secrets, config, dnsNix, ctucxConfig, lib, pkgs, ... }: { imports = [ ./hardware-configuration.nix @@ -28,8 +27,8 @@ dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (dnsNix.combinators.host node.ip4Address node.ip6Address); - age.secrets.restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age; - age.secrets.restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age; + age.secrets.restic-server-briefkasten.file = secrets.resticServer.briefkasten; + age.secrets.restic-server-wanderduene.file = secrets.resticServer.wanderduene; boot.initrd.network = { enable = true;
diff --git a/machines/wanderduene/default.nix b/machines/wanderduene/default.nix @@ -14,8 +14,7 @@ ip6PrefixLength = 64; defaultGateway6 = "fe80::1"; - - configuration = { node, config, dnsNix, ctucxConfig, lib, pkgs, ... }: { + configuration = { node, secrets, config, dnsNix, ctucxConfig, lib, pkgs, ... }: { imports = [ ./hardware-configuration.nix @@ -34,8 +33,8 @@ dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (dnsNix.combinators.host node.ip4Address node.ip6Address); - age.secrets.wireguard-privkey = { - file = ../../secrets/wanderduene/wireguard-privkey.age; + age.secrets.wireguardPrivKey = { + file = secrets.wanderduene.wireguardPrivKey; owner = "systemd-network"; group = "systemd-network"; }; @@ -104,7 +103,7 @@ }; wireguardConfig = { - PrivateKeyFile = config.age.secrets.wireguard-privkey.path; + PrivateKeyFile = config.age.secrets.wireguardPrivKey.path; ListenPort = 51820; FirewallMark = 51820; };
diff --git a/machines/wanderduene/rclone-restic-server.nix b/machines/wanderduene/rclone-restic-server.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, config, ... }: +{ secrets, pkgs, lib, config, ... }: { @@ -12,13 +12,13 @@ }; age.secrets = { - rclone-config = { - file = ./. + "/../../secrets/${config.networking.hostName}/rclone-config.age"; + rcloneConfig = { + file = secrets."${config.networking.hostName}".rcloneConfig; owner = "rclone-restic-server"; }; - restic-server-htpasswd = { - file = ./. + "/../../secrets/${config.networking.hostName}/restic-server-htpasswd.age"; + resticServerHtpasswd = { + file = secrets."${config.networking.hostName}".resticServerHtpasswd; owner = "nginx"; }; }; @@ -39,7 +39,7 @@ TimeoutStopSec = "5s"; ExecReload = "/bin/kill -USR1 $MAINPID"; - ExecStart = "${pkgs.rclone}/bin/rclone --config ${config.age.secrets.rclone-config.path} serve restic --append-only --addr [::1]:8000 hetzner-storage:"; + ExecStart = "${pkgs.rclone}/bin/rclone --config ${config.age.secrets.rcloneConfig.path} serve restic --append-only --addr [::1]:8000 hetzner-storage:"; PrivateTmp = true; PrivateDevices = true; @@ -63,7 +63,7 @@ extraConfig = '' client_max_body_size 10G; auth_basic Auth; - auth_basic_user_file ${config.age.secrets.restic-server-htpasswd.path}; + auth_basic_user_file ${config.age.secrets.resticServerHtpasswd.path}; ''; }; };
diff --git a/modules/nixos/email-notify.nix b/modules/nixos/email-notify.nix @@ -1,11 +1,11 @@ -{ pkgs, lib, config, ... }: +{ secrets, pkgs, lib, config, ... }: { options.services.email-notify.enable = lib.mkEnableOption "Enable a service which can be used to send emails"; # config = lib.mkIf config.services.email-notify.enable { -# age.secrets.password-leah-at-f2k1-de.file = ../../secrets/passwords/leah-at-f2k1-de.age; +# age.secrets.password-leah-at-f2k1-de.file = secrets.passwords.leah-at-f2k1-de; # # programs.msmtp = { # enable = true;
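Review bot: The updated comment `# age.secrets.password-leah-at-f2k1-de.file = secrets.passwords.leah-at-f2k1-de;` would not evaluate if it were uncommented: an unquoted attribute path with hyphens parses as subtraction, so it needs `secrets.passwords."leah-at-f2k1-de"`, and the only other global password in this commit lives under `secrets.global.passwords.katja` (configurations/nixos/default.nix), which suggests the path here should be `secrets.global.passwords."leah-at-f2k1-de"` as well. Since the block is commented out this is documentation only, but the module now also declares `secrets` in its argument set, so whoever re-enables it will trip over both issues at once.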