From 738d1760c33fb1fd72e18a4230bc715ba93f6c52 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Sat, 25 Sep 2021 16:36:57 +0200 Subject: [PATCH] secrets: remove git-crypt secrets --- secrets/.gitattributes | 5 -- secrets/acme/key.env | Bin 63 -> 0 bytes secrets/backup/credentials.env | Bin 109 -> 0 bytes secrets/backup/password.txt | Bin 33 -> 0 bytes secrets/canary | Bin 32 -> 0 bytes secrets/default.nix | 75 +----------------------- secrets/drone/gitea.env | Bin 196 -> 0 bytes secrets/drone/secret.env | Bin 72 -> 0 bytes secrets/drone/ssh/key | Bin 3403 -> 0 bytes secrets/lohr/secret.txt | Bin 55 -> 0 bytes secrets/matrix/mail.nix | Bin 179 -> 0 bytes secrets/matrix/secret.txt | Bin 55 -> 0 bytes secrets/miniflux/password.txt | Bin 55 -> 0 bytes secrets/monitoring/password.txt | Bin 55 -> 0 bytes secrets/nextcloud/password.txt | Bin 55 -> 0 bytes secrets/paperless/password.txt | Bin 55 -> 0 bytes secrets/paperless/secretKey.txt | Bin 87 -> 0 bytes secrets/podgrab/password.txt | Bin 55 -> 0 bytes secrets/sso/.gitattributes | 1 - secrets/sso/ambroisie/password-hash.txt | Bin 83 -> 0 bytes secrets/sso/ambroisie/totp-secret.txt | Bin 75 -> 0 bytes secrets/sso/auth-key.txt | Bin 151 -> 0 bytes secrets/transmission/password.txt | Bin 55 -> 0 bytes secrets/users/ambroisie/password.txt | Bin 124 -> 0 bytes secrets/users/root/password.txt | Bin 126 -> 0 bytes secrets/wireguard/.gitattributes | 2 - secrets/wireguard/aramis/public.key | Bin 67 -> 0 bytes secrets/wireguard/aramis/secret.key | Bin 67 -> 0 bytes secrets/wireguard/porthos/public.key | Bin 67 -> 0 bytes secrets/wireguard/porthos/secret.key | Bin 67 -> 0 bytes secrets/wireguard/richelieu/public.key | Bin 67 -> 0 bytes secrets/wireguard/richelieu/secret.key | Bin 67 -> 0 bytes 32 files changed, 1 insertion(+), 82 deletions(-) delete mode 100644 secrets/.gitattributes delete mode 100644 secrets/acme/key.env delete mode 100644 secrets/backup/credentials.env delete mode 100644 secrets/backup/password.txt delete mode 100644 secrets/canary delete mode 100644 secrets/drone/gitea.env 
delete mode 100644 secrets/drone/secret.env delete mode 100644 secrets/drone/ssh/key delete mode 100644 secrets/lohr/secret.txt delete mode 100644 secrets/matrix/mail.nix delete mode 100644 secrets/matrix/secret.txt delete mode 100644 secrets/miniflux/password.txt delete mode 100644 secrets/monitoring/password.txt delete mode 100644 secrets/nextcloud/password.txt delete mode 100644 secrets/paperless/password.txt delete mode 100644 secrets/paperless/secretKey.txt delete mode 100644 secrets/podgrab/password.txt delete mode 100644 secrets/sso/.gitattributes delete mode 100644 secrets/sso/ambroisie/password-hash.txt delete mode 100644 secrets/sso/ambroisie/totp-secret.txt delete mode 100644 secrets/sso/auth-key.txt delete mode 100644 secrets/transmission/password.txt delete mode 100644 secrets/users/ambroisie/password.txt delete mode 100644 secrets/users/root/password.txt delete mode 100644 secrets/wireguard/.gitattributes delete mode 100644 secrets/wireguard/aramis/public.key delete mode 100644 secrets/wireguard/aramis/secret.key delete mode 100644 secrets/wireguard/porthos/public.key delete mode 100644 secrets/wireguard/porthos/secret.key delete mode 100644 secrets/wireguard/richelieu/public.key delete mode 100644 secrets/wireguard/richelieu/secret.key diff --git a/secrets/.gitattributes b/secrets/.gitattributes deleted file mode 100644 index 7ca9979..0000000 --- a/secrets/.gitattributes +++ /dev/null @@ -1,5 +0,0 @@ -* filter=git-crypt diff=git-crypt -.gitattributes !filter !diff -/default.nix !filter !diff -/secrets.nix !filter !diff -*.age !filter !diff diff --git a/secrets/acme/key.env b/secrets/acme/key.env deleted file mode 100644 index 061d6c1a28d951665652cbe732117438e6b119c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 63 zcmV-F0KoqMM@dveQdv+`0NJ>iVOsuIl_9U$KrWCB5or1A-&~=C Vu=8B!q(tVU(&t9+ved6DJsmgBoNPv87j#HqYCqGs6~0N0cb+yDRo diff --git a/secrets/default.nix b/secrets/default.nix index ed7cae5..3d13588 100644 
--- a/secrets/default.nix +++ b/secrets/default.nix @@ -1,35 +1,11 @@ { inputs, lib, options, ... }: with lib; -let - throwOnCanary = - let - canaryHash = builtins.hashFile "sha256" ./canary; - expectedHash = - "9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab"; - in - if canaryHash != expectedHash - then throw "Secrets are not readable. Have you run `git-crypt unlock`?" - else id; -in -throwOnCanary { +{ imports = [ inputs.agenix.nixosModules.age ]; - options.my.secrets = mkOption { - type = - let - valueType = with types; oneOf [ - int - str - (attrsOf valueType) - (listOf valueType) - ]; - in - valueType; - }; - config.age = { secrets = let @@ -48,53 +24,4 @@ throwOnCanary { "/home/ambroisie/.ssh/id_ed25519" ]; }; - - config.my.secrets = { - acme.key = fileContents ./acme/key.env; - - backup = { - password = fileContents ./backup/password.txt; - credentials = readFile ./backup/credentials.env; - }; - - drone = { - gitea = readFile ./drone/gitea.env; - secret = readFile ./drone/secret.env; - ssh = { - publicKey = readFile ./drone/ssh/key.pub; - privateKey = readFile ./drone/ssh/key; - }; - }; - - lohr.secret = fileContents ./lohr/secret.txt; - - matrix = { - mail = import ./matrix/mail.nix; - secret = fileContents ./matrix/secret.txt; - }; - - miniflux.password = fileContents ./miniflux/password.txt; - - monitoring.password = fileContents ./monitoring/password.txt; - - nextcloud.password = fileContents ./nextcloud/password.txt; - - paperless = { - password = fileContents ./paperless/password.txt; - secretKey = fileContents ./paperless/secretKey.txt; - }; - - podgrab.password = fileContents ./podgrab/password.txt; - - sso = import ./sso { inherit lib; }; - - transmission.password = fileContents ./transmission/password.txt; - - users = { - ambroisie.hashedPassword = fileContents ./users/ambroisie/password.txt; - root.hashedPassword = fileContents ./users/root/password.txt; - }; - - wireguard = import ./wireguard { inherit lib; }; - }; } 
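Review bot: Deleting the `config.my.secrets` block (second hunk of secrets/default.nix; the first hunk drops the `throwOnCanary` wrapper) only takes the git-crypt files out of the working tree. The blobs for `secrets/drone/ssh/key`, `secrets/sso/ambroisie/totp-secret.txt`, the `secrets/wireguard/*/secret.key` files and the rest remain in earlier commits and in this patch's binary sections, so they stay exactly as protected as the git-crypt key is. Nothing visible here shows whether the agenix entries were regenerated or copied over; if they were copied, rotating them (at least the SSH key, TOTP secret and WireGuard keys) is what actually retires the old ciphertext. I would record that next to `config.age`, e.g. `# git-crypt blobs predating this commit remain in history; rotate any value migrated unchanged`. The body of the file between the two hunks is outside the diff.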
diff --git a/secrets/drone/gitea.env b/secrets/drone/gitea.env deleted file mode 100644 index 82b190c91a7f090594286b2f85ee047bc4833ff9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 196 zcmV;#06YHxM@dveQdv+`00I%G+(SbmW`_9c`t9wj-asA_9!$7z0~Hp(qRBf_#*J`* z>x-oPAqyg-Z%ACrJe&Vu5%{QZ$J(6Pah%eCm=|KV%2=LL{z|lNWP)U#6_T z_~^RE;ke}be7jMj;Zcq9E14-D(J7%CtB5Vt{pO2hqzljcI0`f(kk;Ns>pep9(XRl$ y$q&PqAeVjcH2c8DcblPZh9_gEipZz{JGdUqCp$gB&PCDuyAY*-Wpb*oMA_li17s}# diff --git a/secrets/drone/secret.env b/secrets/drone/secret.env deleted file mode 100644 index 647d161341e74453881d47e0435e73c556ea0ca5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 72 zcmZQ@_Y83kiVO&0(9O?xEl>R_P+BWg`6S`+mWZlL@$+JtT8>3cw|Zk}rB>C?>!Z)G cGLpZ)r0-z9RZCZf;ELIqIvV~)+HL`-0PedS0ssI2 
diff --git a/secrets/drone/ssh/key b/secrets/drone/ssh/key deleted file mode 100644 index 1b70a143467e0ec4b458a5ec2696ae7f5ee66575..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3403 zcmV-R4YcwAM@dveQdv+`02e666%VvNe3!L_JN!)=?pKDU_^Gjf{X&%qOb&Fwg|R*v zJh?vF9LKrEzrUnqnvqONe=__Fhw-z(h5U}5DK=N)CeX4bF!<+It_(n5!1L|bTaM28 zZSYu}0z2kv`*q9tlb)vhgGo3(iGi?h-Y82zzJ&7?5PSNBhvy?45gE|R1c?1SA6c8T zUrbl;bQE2p5t{wm9#X>|365$k(vYF}mIkBteRRakIq`(Ic;?mL)<$9d*5)Al4^p5# zT0&SAW&K0J&^(Wtu|h6XkM&RL8&|Yd(h{ZM`wuAnAKOwT@N6k)dY?eW-96JBOcCS;$;VxrdyYd-dtb@_U8A6J{K-4kBk<;% z-CB)GhxJ%xZ=#h*o_~e?B1c*Fo>lr!5#Tzk#7oP4S<&5z(UJ$le%gq&W*;oioDUsV zU8Mu0a<**4&iSV1faxFGHraEhAXHH4oY+*ib-IF!r|M??^Hn($%YmSU3W7V1HoT zzZpKbYMH30u&u-c#6G}>rs@iF+lovR5!)J|&NK0mTXM$5VtdzNOK$}0EsTq>vB&3A zfnZBB5@}EvP_IcJexoFlY^3m!tvFh{)XYB-~PFFz%-D`z^AHtQ4jE5p7nQjHvPEt*g!nWZt zG79OY$(&4LfGn8NaFD3|%eWfl$&w3Yz!xGS$p)jeMwB)s=??hWCA-~bKBx_f)LqymqzPm%0pq~{iJ!_u8oGtCSuRS6Z)l> z)>|;W+5w|lh8eIx^&Pq6xiYx{46!X~VDDhb-m>a#?878&ylkQA^E_xyK$3@*=2#vK zn?{D(>oYp% zG0iB>PuKih3A1euuX{nG5}StI6_=lgv_ERsW=UH1kbiI5SAF z{;=3KL1pnXaeo@t|LXWhZCZt%tb8W)9){v4-;^# zxPpWRp+0c+^4}U-Om!gAv@rpyN#1ul6y>WsEY($lSPndX;cp3zC*?5A_w@LGCog5J zC6aim!^!$#WaG&kWIH436Agy)-Rhx>8M2ImqIMo*U1)Ws7w}Pfj`in70P-q1i;*L058^D zXRy`77gC#Bv}r-Bptt%pbKjZcZ1II+kd0%`z1KMlKST&AOxMoN6B5E8U)^LdKfL?G zM^XU22FTDuhCnEL40j|WsRZ9XfuvIoG#ib&e#eUeYEY;Ha{{hD@bNf7-=o^UOUa#9 zZcc*x!|F3_VAsaM#v7sBlWujV9kwxHAKG5aTxa-^E{tgCr5$hKy@&UJILaum!(NISfumckJqrE7WE;$m`~7%z zR?GBcRB>YS%wRsll!LYI@;KX2tw%lR6WE!4qGM`yG=vB6;mp{+k830bm(i7m7nUqyUc}PrWj9(;G}`sg`>6R@UTq+5T3(x0{CH z_Kc?)&kc3SD+-L#hG=Ksb(HW{FQGK3K75kRf9UU|Br0Oykk^?p$`A`C(V7j%!F$Zj zo}pxDw9eQEg=7JMUC7s^lCZ%G^R#A#Sot((R|WXf)ObQWnHPHSeh^iO?1$uK+x(0@ zkVWOztt((F6?ww#KR;q+8Zu%Z3v${_4(O#!%-6Q&yVfx+-HNK@>4(X1o`mx3q3Ds; zZ)>;0@lWn~K~~K4hG7Jv>3Vvp?WB3SW^#6T4x#)Z7eVmP@)w50IO>HfIkxTEHTSKl zLY9Do_-A7XM>FoFt;yg@@sq=t8vv~q^-y}onu3;(E8~oP%qFue!IXmVV(X*~lf5Bm zkI))2uVA03P0{T~I)+ml^!+<%!2UJxwU7X_;JD8i?OaDi#g;~e`%+e7vGNtc4x~}9 
zv+=l6^x0McPbm#$wVpeO&pAhlw<Sg>roF(RO{`*K;EE{d)o@dr<&??C+xxd0kK&TOJ^MDamMvzlah8^&YFucB# zcAz_&V&qRPuau`|DvT;_yc#Mh!Gy0J0NsM$hrXpj_<)dQc?dFP9forn+<*V|dNxJr zUSP&)oe85QKOJkPpqLbUEqXU$7fdK{iK?3E*x&;HL3tP$6pC_77ca_80$o`KpQ)kt z)!Y2{FK?`-8fG3U2J`0{Au~t|!8}S(NQ59R)UEh?%z2`=pqR*?4^m8=y>d|>7~eJt z(M_gV(Fnr8#f4CJY=KH#cxQ#-I{|r7?+8?`pX;u8_nSCt3fjbr$Q-zC=np6pp*3xB zICDFEP4tVxy54Rhh4H`qV%VycXR9$e>0L-;*=)eCxxbYGc2h*oR*Fx`r4b#hK!vFR zrn0a=5-~z06rUPyH(2I(#!FOL1#2-dnFbh@Jh-We zP35qC*fpw(ty?n-tobJIs=DQI>C2?Z9@oDBOZ>6MKSGht z{k)cX1{a?;Y<3Qroxr>$?gZRQHoB@YpeRR zoIh$7nYlxtVIRyyP-NwbcE&tNtPIdr;WA;z;qkwNDyf~kBLc{%s4QFHPfMewthyK< zLgFYz=dzq3hOJzZh}$5kD=GbQmNyC8b9MG)#{pp_{>4MJj?W#Bue{R&ca%XS1Ch=% zCZfNNTlsO%>QjLQuimJGmo3{#KxC`N&q1C=(Ba)Oz%S`*%VX3uW|hzBSmDEwr?f23 z&Zy7~8fl}jTX}O)ockT|wR|w{=hwJ^He>mF?8C6`+Z7mT!!CTR&$*Wv>&7LE>Ma0l zNc*!&NL#fEs92=0kH4-87x!%TDpmjP8bopLB7=NQ&LjGtVDS1ij&Xvt@#(x{P(cN} zxB7OIkdJ;x$EM<%D|d;1QThAiLnY5?j$AJBO$g!|wN`0j(xQ_q; diff --git a/secrets/lohr/secret.txt b/secrets/lohr/secret.txt deleted file mode 100644 index cbc3a26bff029c14b36638ae38659c561efb0c4e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 55 zcmV-70LcFUM@dveQdv+`09gSX{OBV(AV(MsV{Em^D0=WB*lVo`7+L^#c$^uCYxG~m NE8_RMob_ diff --git a/secrets/miniflux/password.txt b/secrets/miniflux/password.txt deleted file mode 100644 index 482d1b77424776545ed2c59d4bdea45581ec306c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 55 zcmV-70LcFUM@dveQdv+`0PdCqL3pLxp=?x_2QMfZ<<0weh1#GC@nNMzv>VbCv8wYx NJx9uNH*SdlzT$tp7~=o{ diff --git a/secrets/monitoring/password.txt b/secrets/monitoring/password.txt deleted file mode 100644 index 98d0972e616531b77412a557d98029f6ea66be2c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 55 zcmV-70LcFUM@dveQdv+`07}=ASIy3+tp9cf)S~D9YP@H|3Ix|h@6UNY5*yk!0#tLA Nl)5o%a{<^45N)`17>)n{ 
diff --git a/secrets/nextcloud/password.txt b/secrets/nextcloud/password.txt deleted file mode 100644 index c2e458cbdcb1820d0a23c29f73e63a6a408d96cf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 55 zcmV-70LcFUM@dveQdv+`0CAW%BE?+fP2mj)q>W{1yCA4DDjxeGfu-N%JVwsIwMbZk NSlBa7OlI-(qVX N_TAt88a;CctVW+}8d4^?f7Z{7@i2iwW=?*bl5gNiCW t0tz$1F63Hlxuc6JN8))_(MHX)Ij%5dbE2T-`Ry#s{}6`O07*1^P2kr@DZl^# diff --git a/secrets/podgrab/password.txt b/secrets/podgrab/password.txt deleted file mode 100644 index 81da33c1bea8ab01906ece8ce22b628ad992514b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 55 zcmV-70LcFUM@dveQdv+`0AC?{=wH=od2rL9@s1Fv3q~uH#oDbz4uQB33CXrSth5|i NdF_7lg{D3ozLI*m7{~ws diff --git a/secrets/sso/.gitattributes b/secrets/sso/.gitattributes deleted file mode 100644 index d4bba55..0000000 --- a/secrets/sso/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -/default.nix filter diff diff --git a/secrets/sso/ambroisie/password-hash.txt b/secrets/sso/ambroisie/password-hash.txt deleted file mode 100644 index 9b2c759b3116766d1b2f9ca81a6cf31c5e1dbb1b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 83 zcmV-Z0IdH2M@dveQdv+`0QO7Jb4IU#&fimU=1__SruRsHjtFV=&@?F9WZfM@*={LN!s_o-%^D|Q(uV8 z=`o0~0JI=#JIGi~$?t8w_AE{6K&2#=LdB$IhLY5)KL diff --git a/secrets/wireguard/.gitattributes b/secrets/wireguard/.gitattributes deleted file mode 100644 index 714f3f9..0000000 --- a/secrets/wireguard/.gitattributes +++ /dev/null @@ -1,2 +0,0 @@ -/default.nix filter diff -public-key.txt filter diff diff --git a/secrets/wireguard/aramis/public.key b/secrets/wireguard/aramis/public.key deleted file mode 100644 index 892536e4f0622789432144051f670bbf845863a6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 67 zcmV-J0KESIM@dveQdv+`03#i7OFIK4T9ao8#5lKsd2yOv08(u1j9rrjHZfkUTIfXM ZHOPVNqjfutl=mvw={V)3$eY11jv+W59Mb>* 
diff --git a/secrets/wireguard/aramis/secret.key b/secrets/wireguard/aramis/secret.key deleted file mode 100644 index 5f858e4718c71b2ba580dc1fe476905bbeda9473..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 67 zcmV-J0KESIM@dveQdv+`0OhIq8b0xevWeR#xYfUvL)Lx diff --git a/secrets/wireguard/porthos/public.key b/secrets/wireguard/porthos/public.key deleted file mode 100644 index d89e768ff898ea673775ff0576b9df2d74be3a66..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 67 zcmV-J0KESIM@dveQdv+`00Ilp{wQvM99-n1u#)bdARu6~AAVDgqr<}>QzRkNxS+TM ZnNvY|iX)=%pc=B%9RGuLTEe2G(E+3q9y7Ai|u ZC8sU@VYQ#mtNijiF@wauF0DMO?)R`KAMF4D diff --git a/secrets/wireguard/richelieu/public.key b/secrets/wireguard/richelieu/public.key deleted file mode 100644 index 2ad8bbcb12a80a9ff44598fe70522a5439d0f6ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 67 zcmV-J0KESIM@dveQdv+`0F-)vlej0r8zB$i*vQNR*}WZra)@@#s?Tw|h@&O#57l98 ZL`HOs5X56HqRzCUm9LmZi-B_