secrets: remove git-crypt secrets
This commit is contained in:
parent
e962d4c574
commit
738d1760c3
5
secrets/.gitattributes
5
secrets/.gitattributes
|
@ -1,5 +0,0 @@
|
||||||
* filter=git-crypt diff=git-crypt
|
|
||||||
.gitattributes !filter !diff
|
|
||||||
/default.nix !filter !diff
|
|
||||||
/secrets.nix !filter !diff
|
|
||||||
*.age !filter !diff
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
secrets/canary
BIN
secrets/canary
Binary file not shown.
|
@ -1,35 +1,11 @@
|
||||||
{ inputs, lib, options, ... }:
|
{ inputs, lib, options, ... }:
|
||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
let
|
{
|
||||||
throwOnCanary =
|
|
||||||
let
|
|
||||||
canaryHash = builtins.hashFile "sha256" ./canary;
|
|
||||||
expectedHash =
|
|
||||||
"9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
|
|
||||||
in
|
|
||||||
if canaryHash != expectedHash
|
|
||||||
then throw "Secrets are not readable. Have you run `git-crypt unlock`?"
|
|
||||||
else id;
|
|
||||||
in
|
|
||||||
throwOnCanary {
|
|
||||||
imports = [
|
imports = [
|
||||||
inputs.agenix.nixosModules.age
|
inputs.agenix.nixosModules.age
|
||||||
];
|
];
|
||||||
|
|
||||||
options.my.secrets = mkOption {
|
|
||||||
type =
|
|
||||||
let
|
|
||||||
valueType = with types; oneOf [
|
|
||||||
int
|
|
||||||
str
|
|
||||||
(attrsOf valueType)
|
|
||||||
(listOf valueType)
|
|
||||||
];
|
|
||||||
in
|
|
||||||
valueType;
|
|
||||||
};
|
|
||||||
|
|
||||||
config.age = {
|
config.age = {
|
||||||
secrets =
|
secrets =
|
||||||
let
|
let
|
||||||
|
@ -48,53 +24,4 @@ throwOnCanary {
|
||||||
"/home/ambroisie/.ssh/id_ed25519"
|
"/home/ambroisie/.ssh/id_ed25519"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
config.my.secrets = {
|
|
||||||
acme.key = fileContents ./acme/key.env;
|
|
||||||
|
|
||||||
backup = {
|
|
||||||
password = fileContents ./backup/password.txt;
|
|
||||||
credentials = readFile ./backup/credentials.env;
|
|
||||||
};
|
|
||||||
|
|
||||||
drone = {
|
|
||||||
gitea = readFile ./drone/gitea.env;
|
|
||||||
secret = readFile ./drone/secret.env;
|
|
||||||
ssh = {
|
|
||||||
publicKey = readFile ./drone/ssh/key.pub;
|
|
||||||
privateKey = readFile ./drone/ssh/key;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
lohr.secret = fileContents ./lohr/secret.txt;
|
|
||||||
|
|
||||||
matrix = {
|
|
||||||
mail = import ./matrix/mail.nix;
|
|
||||||
secret = fileContents ./matrix/secret.txt;
|
|
||||||
};
|
|
||||||
|
|
||||||
miniflux.password = fileContents ./miniflux/password.txt;
|
|
||||||
|
|
||||||
monitoring.password = fileContents ./monitoring/password.txt;
|
|
||||||
|
|
||||||
nextcloud.password = fileContents ./nextcloud/password.txt;
|
|
||||||
|
|
||||||
paperless = {
|
|
||||||
password = fileContents ./paperless/password.txt;
|
|
||||||
secretKey = fileContents ./paperless/secretKey.txt;
|
|
||||||
};
|
|
||||||
|
|
||||||
podgrab.password = fileContents ./podgrab/password.txt;
|
|
||||||
|
|
||||||
sso = import ./sso { inherit lib; };
|
|
||||||
|
|
||||||
transmission.password = fileContents ./transmission/password.txt;
|
|
||||||
|
|
||||||
users = {
|
|
||||||
ambroisie.hashedPassword = fileContents ./users/ambroisie/password.txt;
|
|
||||||
root.hashedPassword = fileContents ./users/root/password.txt;
|
|
||||||
};
|
|
||||||
|
|
||||||
wireguard = import ./wireguard { inherit lib; };
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
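Review bot: The git-crypt-encrypted material deleted in the second hunk (the acme key, backup credentials, the drone SSH private key, the service passwords and the hashed user passwords) stays recoverable from git history for anyone who has ever held the git-crypt symmetric key or an unlocked checkout, and nothing in the commit records whether those values were rotated when they were moved to agenix. A comment above `config.age = {` such as `# Values migrated from git-crypt were rotated on <DATE>; the old ciphertext remains in history` (or a sentence in the commit message) would make that state explicit for the next reader. Separately, `options.my.secrets` is dropped in the first hunk together with `config.my.secrets` in the second, so any remaining `config.my.secrets.*` consumer elsewhere in the tree would now fail evaluation — presumably those were migrated in the same change, but that is outside this section. On the new side the `options` parameter in `{ inputs, lib, options, ... }:` no longer appears to be used and could be dropped from the argument set.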
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
1
secrets/sso/.gitattributes
1
secrets/sso/.gitattributes
|
@ -1 +0,0 @@
|
||||||
/default.nix filter diff
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
2
secrets/wireguard/.gitattributes
2
secrets/wireguard/.gitattributes
|
@ -1,2 +0,0 @@
|
||||||
/default.nix filter diff
|
|
||||||
public-key.txt filter diff
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.