nix-config/modules/secrets/secrets.nix

let
  # FIXME: read them from directories
  ambroisie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIVd6Oh08iUNb1vTULbxGpevnh++wxsWW9wqhaDryIq ambroisie@agenix";
  users = [ ambroisie ];

  porthos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGzznQ3LSmBYHx6fXthgMDiTcU5i/Nvj020SbmhzAFb root@porthos";
  machines = [ porthos ];

  all = users ++ machines;
in
{
  "acme/dns-key.age".publicKeys = all;

  "backup/password.age".publicKeys = all;
  "backup/credentials.age".publicKeys = all;

  "drone/gitea.age".publicKeys = all;
  "drone/secret.age".publicKeys = all;
  "drone/ssh/private-key.age".publicKeys = all;

  "lohr/secret.age".publicKeys = all;
  "lohr/ssh-key.age".publicKeys = all;

  "matrix/mail.age" = {
    owner = "matrix-synapse";
    publicKeys = all;
  };
  "matrix/secret.age".publicKeys = all;

  "miniflux/credentials.age".publicKeys = all;

  "monitoring/password.age" = {
    owner = "grafana";
    publicKeys = all;
  };

  "nextcloud/password.age" = {
    # Must be readable by the service
    owner = "nextcloud";
    publicKeys = all;
  };

  "paperless/password.age".publicKeys = all;
  "paperless/secret-key.age".publicKeys = all;

  "podgrab/password.age".publicKeys = all;

  "sso/auth-key.age".publicKeys = all;
  "sso/ambroisie/password-hash.age".publicKeys = all;
  "sso/ambroisie/totp-secret.age".publicKeys = all;

  "transmission/credentials.age".publicKeys = all;

  "users/ambroisie/hashed-password.age".publicKeys = all;
  "users/root/hashed-password.age".publicKeys = all;

  "wireguard/aramis/private-key.age".publicKeys = all;
  "wireguard/milady/private-key.age".publicKeys = all;
  "wireguard/porthos/private-key.age".publicKeys = all;
  "wireguard/richelieu/private-key.age".publicKeys = all;
}
secrets: migrate to agenix It is finally time to graduate to an actually secure, stateless solution. 2021-09-24 18:52:26 +02:00			`let`
			`# FIXME: read them from directories`
			`ambroisie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIVd6Oh08iUNb1vTULbxGpevnh++wxsWW9wqhaDryIq ambroisie@agenix";`
			`users = [ ambroisie ];`

			`porthos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGzznQ3LSmBYHx6fXthgMDiTcU5i/Nvj020SbmhzAFb root@porthos";`
			`machines = [ porthos ];`

			`all = users ++ machines;`
			`in`
			`{`
			`"acme/dns-key.age".publicKeys = all;`

			`"backup/password.age".publicKeys = all;`
			`"backup/credentials.age".publicKeys = all;`

			`"drone/gitea.age".publicKeys = all;`
			`"drone/secret.age".publicKeys = all;`
			`"drone/ssh/private-key.age".publicKeys = all;`

			`"lohr/secret.age".publicKeys = all;`
modules: secrets: lohr: add 'ssh-key' 2021-11-05 15:31:59 +01:00			`"lohr/ssh-key.age".publicKeys = all;`
secrets: migrate to agenix It is finally time to graduate to an actually secure, stateless solution. 2021-09-24 18:52:26 +02:00
modules: secrets: fix permission of 'matrix/mail' 2021-09-26 22:50:18 +02:00			`"matrix/mail.age" = {`
			`owner = "matrix-synapse";`
			`publicKeys = all;`
			`};`
secrets: migrate to agenix It is finally time to graduate to an actually secure, stateless solution. 2021-09-24 18:52:26 +02:00			`"matrix/secret.age".publicKeys = all;`

			`"miniflux/credentials.age".publicKeys = all;`

modules: secrets: fix permission for grafana 2021-09-26 22:51:13 +02:00			`"monitoring/password.age" = {`
			`owner = "grafana";`
			`publicKeys = all;`
			`};`
secrets: migrate to agenix It is finally time to graduate to an actually secure, stateless solution. 2021-09-24 18:52:26 +02:00
modules: secrets: add 'owner' logic 2021-09-26 19:19:35 +02:00			`"nextcloud/password.age" = {`
			`# Must be readable by the service`
			`owner = "nextcloud";`
			`publicKeys = all;`
			`};`
secrets: migrate to agenix It is finally time to graduate to an actually secure, stateless solution. 2021-09-24 18:52:26 +02:00
			`"paperless/password.age".publicKeys = all;`
			`"paperless/secret-key.age".publicKeys = all;`

			`"podgrab/password.age".publicKeys = all;`

			`"sso/auth-key.age".publicKeys = all;`
			`"sso/ambroisie/password-hash.age".publicKeys = all;`
			`"sso/ambroisie/totp-secret.age".publicKeys = all;`

			`"transmission/credentials.age".publicKeys = all;`

			`"users/ambroisie/hashed-password.age".publicKeys = all;`
			`"users/root/hashed-password.age".publicKeys = all;`

			`"wireguard/aramis/private-key.age".publicKeys = all;`
modules: secrets: wireguard: add 'milady' 2021-10-10 17:14:58 +02:00			`"wireguard/milady/private-key.age".publicKeys = all;`
secrets: migrate to agenix It is finally time to graduate to an actually secure, stateless solution. 2021-09-24 18:52:26 +02:00			`"wireguard/porthos/private-key.age".publicKeys = all;`
			`"wireguard/richelieu/private-key.age".publicKeys = all;`
			`}`