modules: secrets: move host-specific secrets

hosts/nixos/porthos/secrets/acme/dns-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg 0bz3W8QcGaulxy+kDmM717jTthQpFOCwV9HkenFJEyo
+NKeh1/JkX4WAWbOjUeKLMbsyCevnDf3a70FfYUav26c
+-> ssh-ed25519 jPowng Q59ybJMMteOSB6hZ5m6UPP0N2p8jrDSu5vBYwPgGcRw
+j420on2jSsfMsv4MDtiOTMIFjaXV7sIsrS+g4iab+68
+-> z}.q-grease s2W<qM_Z t
+n1Yfs/gmNsl/n9HtuKBIIT8iwIjYca2yxlh7Q1XAT1B+RZ8oGjW8yCPj1unbDGZL
+e5BfLO3zgkEZnQ
+--- FSgNKEdDeeTjCx9jN9UtOFl58mC/Lbu1PAYRGK0CZW4
+U€¿+æ©jïÝ{gø`GŽ›ÆàˆR¾Qk]šóïdÐ6å˜ú‚y5T²$Äñs~Ùh‰Ä£òÔ<C3B2>Fº¢ç%°vöÌm<C38C>

hosts/nixos/porthos/secrets/backup/credentials.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg YlDuj9wwBKSHHvQOhfti1ah95vxDV3bLE+GElBkyTB0
+KsMyd3L4GaQa0eDQps+bJXj+cpy0zUNvFXU8NAmtThI
+-> ssh-ed25519 jPowng JB4UtNyZab4ab4Pep3acyMjwCbluuEPuI6YOQ/045Fo
+P9qnrPDGpHJL1TyNqYdNfqkd21Yjn/5mlovorWy60j4
+-> _6l|s-grease M ]2qMsa'w P] j0EE
+W3CToUTg
+--- 8aWYUi33mEIKFcFbphlDZumnBu9Xbj+j18dQbElx1v8
+3$m(ø<>äÂTK±î·”eAZâ>dn:-­Òí‚¥ˆÅh.›(<28>¶U²!rìx	D3ô‡4Ø93~È»f{üƒšL¸ÎþÆ£ÃØ>Þß^v›l—¡Î-=„í¯ä£<C3A4>ÉU'â»(,µ#;¤ªHñÆ@M%|ʦ

hosts/nixos/porthos/secrets/backup/password.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg dgS4bezgtDi44R1A8am+J6zh80kUVYTo1heaxJCtzX4
+F3w/62xwtqYa40NU7OvF9pnZzYz/5hACAGJfMA4e2zw
+-> ssh-ed25519 jPowng lx81CK3yeNp9RjHCUFJeKYZlRzxBmXuADVBvRc13zCI
+P7e75t8xU+ZkYmeQ8mmMfyZZsRdG1J8yrvSUkiWzkFQ
+-> *z4/`-grease S/)a{e sFd";=
+--- 15FVhqRTkoPFEeETRRyFQhsv4Fn19Ozlax0u8Zy9mNA
+õ#+¥àÎvøSÈ4èá}<7D>§Rì%‹Î¯F4fnDœ˜J¹¤Z‹¸A¥Û™,_

hosts/nixos/porthos/secrets/drone/gitea.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 jPowng 3HjtINU02yfyvpaoTtCG/G3cgymFvKWf3qf/grw/+24
+G+KnHtrt5A3U1ICTpSceoE+FJSj6hAb4mjp2DkfDWr0
+-> ssh-ed25519 cKojmg CXrsCxJxWNIhvvwYjZ1rrSYTwLNMR3kWdPk5ExHEfFA
+OJi3tFcnpdGvxc8ETcGt4lbFJiUU+lR3AqN4Y8PItDk
+-> p-grease 7 AQO{DHzj j$B&+ dc
+Q7zhy6hOfkEh6XgYNHQrH3zma1BLxnEKDopPAOnBoPFRfi7c
+--- ZsL5zf7/jJ6yPor9j1V0iV/bXxgAsxlXsxDYwCqrLSk
+AO&âz€?‹;\1¥f*='ë³!.óVí·”VÀÜ=ιªø÷<C3B8>vzÛY"P	<09>²Ê;°ò)¾òK0ëÞBs}h<>R=öOŠ¼ç<wõ(Œj@çÆó.¸5àÉt¶¢<C2B6>èÇþÈzl«“i‹±DàïI{u9…(¨ö¦lYH	weE\²ŠF_”³1ý½÷Ið4¹Ñ;Ñþy©9˜
ŸÜ%RÕd¡&õ²p <70>iÆ0›m㿳ÐB‡ºÌ2Ì
+£>*îMÿ2oœý

hosts/nixos/porthos/secrets/drone/secret.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg 1+cLlzctgcM0FnVDwMPOAqBkvMcDBRg8SvCw4djI93Y
+oV2XI4f1AvM9P591kZZ6NgJXa+SDtqGzCSgc4psOmxM
+-> ssh-ed25519 jPowng Ufjfh1p350XxRPg95+/DHdmnl4lC0bbzUUlaxd1Bmxc
+/RHwFDSn2ov+60r1uHUigrsn99+GmmKmlk4h4T2gbA0
+-> *Lc$@-grease
+pzVJAHy1qRq3jUrnFV0DDO7/hwV1US4Ogf0RsrVfX0xzbr73uJ003YjieVB25LqN
+--- ME7/iVevyiguyhXugbkVFGzJV0yDccyKNlWbEZa/FmY
+YžŠXjb2uþnd;i0íýX]…§é0–þjé’L„PÔT~óú ƒÙ^kc”$D×ÚÛr¹úu³¶fr€e¸OÕ¸þ<C2B8>+p•¨<E280A2><C2A8>&ãw®öϨ

hosts/nixos/porthos/secrets/gitea/mail-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 jPowng BkIjie2KrwDLaZYYIguCs7TPA/wQy+YPguikuhfye0M
+7viTA/EGYB/jRKQm6fFd86DMd4j+Jxsaw/xQ1T8ZKNo
+-> ssh-ed25519 cKojmg t1Y8bZvPccNAX8vWQLTfCyOJIBXN515vyfFrEI2EVww
+bJEjpIWrKeQrA/JfY7FRdB6hpHwR/aG4Vya1ChFNBKs
+-> jK/-grease Oz.R ?;)G ],
+AuHk9TcC9kl0dg8/L6UfHIk3e9fgGwSTJAJpVgInhok
+--- 47z9lol5MtpX0IsO/0ggLDMcNVfl4lNNvoHUSwOU/18
+)gЪeuÞ!œš-
ÞTì¥YAðM+ˆãGbMe@­|A,è&ãÆE!܆p=P²=û9¹ÙP¹!Üö’Q|Ðä r

hosts/nixos/porthos/secrets/lohr/secret.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg HCVbkI26JjkBgm1L2cpunVui0PfHLNfnx6VczErF3A4
+3jEHfT6wUqNNFZFaVeiNBUhSKZmuKclPmubDMsda5O8
+-> ssh-ed25519 jPowng SyClv9kGtjRKSXdig27tiqp66wD1T8QsHeOD2JQl4QA
+8zdtfSJEh5/bfu5tb6M8Jgy5CZPiWD8TLQDpzp6cTr0
+-> 3r2-grease
+Lg/G911eZjeZTw5xhqje26vDfJkcSro+gKQ5SUboxLMnaibNi1qTeRLR
+--- Q5/fikhVPoK+NFujTso5V7cty4k/dQlzFlz5z9DkzYk
+øt/ŒW‹AMuˆ"Þêð´—<>ó-!@›¨E1¯”<C2AF> äR[eŽ’hÖû3
ëŒÉÐScoÝBt1TýØb¨äÀ3möP×Tc¤feP

hosts/nixos/porthos/secrets/matrix/mail.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg lmu3MinmydRHD0A/YVRRtopermfoBC8M8cTHfVanY1s
+ygrtpZZJ7aeQTblNazpoP7DdifmDxHsE3DFJsIrWX5M
+-> ssh-ed25519 jPowng X0cihOc+fBtmtrkEivIHQngdYIobezXEF1x+pHqNzAw
+/+sw9x1NWY0anZhDMpAywBPrR0F4XCHaF9e8j/Yo/kI
+-> 32;%1s-grease
+JafjuSZty6a4NSO/y4y5wHWL8Mw
+--- dwCl66vdpsL0MR5NWWvg3JUnQ2QZQBeW0Dj0l5tvOKY
+oi,`ÓÜ#uÄwW%PoubÚ­cy8<79>ó
ƒÃÉ><¿F‰Ååq…ÂKÂÇk0Çk/<2F>hÀ¥Ÿ5势ÝF+ýu‡ •e€<06>¾Ÿ²óôbãè>1QŠ2®ñwn˜WbÖ–B˜âî<C3A2>iŸ^xurâ†-/llùÒÀÀ-ã=°7;jã0»I×%Fi¼<69>í€ø‹™A;Y†ìUd]KÅI0(½ ”øAg£Ðóž^†uG:äpkJ’Ÿ:q<>¢šWSaLw¯¿Ô!ïM
³4ã L/ùZŇ®¢D¶-XéUb»‘vÊbP‚ó›0ÇÅfÂ9êú<08> †âJ`ÃX°ôÐOÅ!s›{ÙÄQAšc€c;ÏÃÑ‹4öMíچݹlxH&ïéöé{é}ÁäÛzZ¦œ‚9ûÊXžÜ“g‰]Vϱ•0gt¡¿…žw·

hosts/nixos/porthos/secrets/monitoring/password.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg OdLtFHbHbc28rUn47vgsVvXxFNg9nF+9y9R6XOK390Y
+yQQYUPQGjN2+xrSqqBYa7/zS618KrVjX5Amw2MFuSLg
+-> ssh-ed25519 jPowng NwUjiLtiXVi6XFmht5l1CxEs3gm0oN4vHYwDZyda7Q4
+di6znVjNRO6QdqteVNkeot5Ko2NwWLe6v+zVR3f+o10
+-> 4Vx%\(-grease ^^Z>EC91 R 2BJ d48Wip*s
+yPiBgChRF31XgxccQFLO3MzRL7+5s29sfRoF3W1yUX6Bu59MpxD4D+n/jhLcxSH/
+CxW7KaiOctNmPm5tWh6qjmgQ+V4bcAji5vo4FKs40l56cfyueEJj+Q
+--- WUGF28zqK9E1AlOeeCtSHxFg6ikRy85gOoLtBd4m0y0
+.|…rr>©†ðìì1ÅÆ2SÉž.×hw<12>wqºš%i˜øé	‚*U^­)Öè'qžµ›O2ÓœümòQÝ7˜¯m`

hosts/nixos/porthos/secrets/paperless/password.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg zhpo89xef68JoeOFWzhdFshrj2BXXUCFPMLVJzv6EyE
+fmJxJi5rmyai9qGwDo7iHg4BrObGre96KCpl+g91O6I
+-> ssh-ed25519 jPowng INA6EZdy4J1p3QY5mfVOQXiLdOjIDaZR+CZMP+GfkXM
+8Nf5soaxY5SEzeJca5kaJkx7ByOvc4NkJVetB7wpEmo
+-> xjK'w-grease
+f5v0cvlt4JbHlAwDOob86qOInWdlN/oohTg
+--- NTGv4rr+MhJ/YeZhVHOjoS1V+zCHFf2itJYfK36R+wE
+š×—®JÚ dő– oŞę'YFUź@
+r7”ă“_N$‰˙Ź–č‡>‚ˇę]hq»-¨FŰ°qX˙?Î|?µĘ

hosts/nixos/porthos/secrets/paperless/secret-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg tZwn2usN6K62oS4vBa6boh9zEp/+cS4chP8boXG6SH4
+Fr3kV8gUDoiDqMxPYWsHyww8umYhQEKhqbVBiVw5NeI
+-> ssh-ed25519 jPowng wRbJl4G85obH/GluQBBsXE7MOvooEui65eqHfurvuQs
+KqVZMBSyHhkayEdwI6ocmA4qhHY9zYJvg1CEKM1SOa0
+-> 2E"/OFW-grease o Qp3HFe^
+bGhCNicPqt7txqxUiEWXCFs1OuQLqOqHmjHSqYQv919dqYep/xBXzi/aRf3dsdvh
+TCJCTvZG31Qxvikp
+--- xKJGbdVp+Z5h0vCBleSF2zYYYd2S5i0y4szNqjRwrDY
+Tª
/N¯<4E>¨¹i7m4‚#³MhiñP¹šÒÞ›Á¥-ÏgI÷ñ±%@E†(›i
ÿ7·ý©ýYg¦k±´"+㸠Àª(þ]o¨¸–ý†ð<E280A0>@báÊÞ§+Ï[‚Y"ÿ‘ÌBóóCR[ >-Ë.4d…¤b9v

hosts/nixos/porthos/secrets/podgrab/password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg 8rcBI7fYHuA3jO6EzJNFaAj2niIApKDt1HQEv61AKTs
+ANxkIX/CeI7t7Zqp6wmjt/D194Z+xpeiidb+qvYzoQU
+-> ssh-ed25519 jPowng oruewwTM9X/HjjcmOPcQVdp02rQBlgJPdzvlAffs3T0
+MrO0kaNhjgOkNHuz3NrIMWXNrXOHH9dT/Fk6hoQNKyY
+-> COK%H7-grease
+6yfI90QurOKlM+kgpW8KZ/iBzDYD9yhNmjG1LQ
+--- uArz8eHg8sLO0sdlkM6cELFh+FHiI5BrM0+iXJxxiDo
+¿vývû´ÊNÊbæ@Ÿ¡Â<C2A1>FÛMMíYËÆíÌ&‰’/%¤¹Ñm¨®ØtÁÖ“ªd†h„­|¡ðŒß©8¼Ž Ú½¨9‚®<11>Cã¯/Å

hosts/nixos/porthos/secrets/secrets.nix

@@ -10,5 +10,56 @@ let
   ];
 in
 {
-  # Add secrets here
+  "acme/dns-key.age".publicKeys = all;
+
+  "backup/password.age".publicKeys = all;
+  "backup/credentials.age".publicKeys = all;
+
+  "drone/gitea.age".publicKeys = all;
+  "drone/secret.age".publicKeys = all;
+  "drone/ssh/private-key.age".publicKeys = all;
+
+  "gitea/mail-password.age" = {
+    owner = "git";
+    publicKeys = all;
+  };
+
+  "lohr/secret.age".publicKeys = all;
+  "lohr/ssh-key.age".publicKeys = all;
+
+  "matrix/mail.age" = {
+    owner = "matrix-synapse";
+    publicKeys = all;
+  };
+  "matrix/secret.age" = {
+    owner = "matrix-synapse";
+    publicKeys = all;
+  };
+
+  "miniflux/credentials.age".publicKeys = all;
+
+  "monitoring/password.age" = {
+    owner = "grafana";
+    publicKeys = all;
+  };
+
+  "nextcloud/password.age" = {
+    owner = "nextcloud";
+    publicKeys = all;
+  };
+
+  "paperless/password.age".publicKeys = all;
+  "paperless/secret-key.age".publicKeys = all;
+
+  "podgrab/password.age".publicKeys = all;
+
+  "sso/auth-key.age".publicKeys = all;
+  "sso/ambroisie/password-hash.age".publicKeys = all;
+  "sso/ambroisie/totp-secret.age".publicKeys = all;
+
+  "transmission/credentials.age".publicKeys = all;
+
+  "woodpecker/gitea.age".publicKeys = all;
+  "woodpecker/secret.age".publicKeys = all;
+  "woodpecker/ssh/private-key.age".publicKeys = all;
 }

hosts/nixos/porthos/secrets/sso/default.nix

@@ -0,0 +1,21 @@
+{ lib }:
+let
+  inherit (lib) fileContents;
+  importUser = (user: {
+    # bcrypt hashed: `htpasswd -BnC 10 ""`
+    passwordHash = fileContents (./. + "/${user}/password-hash.txt");
+    # base32 encoded: `printf '<secret>' | base32  | tr -d =`
+    totpSecret = fileContents (./. + "/${user}/totp-secret.txt");
+  });
+in
+{
+  auth_key = fileContents ./auth-key.txt;
+
+  users = lib.flip lib.genAttrs importUser [
+    "ambroisie"
+  ];
+
+  groups = {
+    root = [ "ambroisie" ];
+  };
+}

hosts/nixos/porthos/secrets/transmission/credentials.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg mP2H3PWJN6Pv3q6C2wci3KnXjtFAIiuGy0YH0sGIy2g
+f43QqyUQfTYznszub47kgc2Mz95zVScTDkwnG3INi9U
+-> ssh-ed25519 jPowng fENbu7+FZ1mnQQHQCLm1spLHmsQGlRoJResUJtGzYkY
+hX+AqCkLCca6m/aKtGCThi7/mCCz/TZQNJNOlOmlqyA
+-> J<-grease
+n7+CPRr4oazWnE7yzpJN2ZAI4QrGsAerloP4wNeebjQDx8+IxJq1JE0g3Yi0RxzN
+chDccuSPLYk45Ov+SD/qqqFZlQ
+--- p81HYw3LFj+qz2kiZsDcevM4ZBfvN743P9Jdi7J9XkM
+‚¢ìÛ±S·7 <EFBFBD>‘ý£÷ÜãV»»Bðßâø±³ˆ¶ïO‰lEt˜‹Á…šqý</Ç—Ø©9²ã(ØP†$Wƒ0h;÷‰±àJy¯feø‚ >·_D,PºVFp\æ"AM}èg?<3F>ÿ<EFBFBD>Ý/\²Ä;ùy’¬Óš(<28>ÑSñKË

hosts/nixos/porthos/secrets/woodpecker/secret.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 jPowng yz0I+AazPmamF7NOnwYNrPE/ArarU01jd2mVDJUPSTY
+6Y/YQ7gb8cAZf3zT9SKOorvfUnU7kYff+gHh8fG2mY8
+-> ssh-ed25519 cKojmg 0FZU9v8eHsVeE+EoX9Y4IgfIj/8+45waPaSnSDb961I
+L6SzJoh5xqai45scoVAa6v9zslBGFYNnZY044d470uQ
+-> I[G-grease p
+AMRQY1alSzHi/PLL80kcvnM1Z9YNfoUo9u5alWXYMyzrRsg+vXjMuBvAXg3fmnzr
+wdOowTYMRV+jEG8vzkcQTsv+f7JIyo4DvOOaPyGfWMl1
+--- ih3IAFPcN1JP3FP1vcRGnPrfk91yrnIX0m/Szkbcf7Q
+ÑmW„r‚µœ_\)Í°]QŠ¦xMÃs/݃Îݪäœó‚Í6óº“k±äÅY§xïMy¶ J¿¸‹GßÃ)i2_'ÖœHF€þ.âg_Îe5³#uätñØÕ 7j„ŽPñ²'TÞ¥8´•\IàW«UùäK­°1Úº9½è