From 8664781da7c447a415d2d441f98313910e2de8b8 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Fri, 24 Sep 2021 18:52:26 +0200 Subject: [PATCH] secrets: migrate to agenix It is finally time to graduate to an actually secure, stateless solution. --- secrets/.gitattributes | 2 + secrets/acme/dns-key.age | 10 ++++ secrets/backup/credentials.age | 9 ++++ secrets/backup/password.age | 8 ++++ secrets/drone/gitea.age | 10 ++++ secrets/drone/secret.age | 9 ++++ secrets/drone/ssh/key.pub | Bin 765 -> 0 bytes secrets/drone/ssh/private-key.age | Bin 0 -> 3799 bytes secrets/lohr/secret.age | 9 ++++ secrets/matrix/mail.age | 9 ++++ secrets/matrix/secret.age | 9 ++++ secrets/miniflux/credentials.age | Bin 0 -> 477 bytes secrets/monitoring/password.age | 10 ++++ secrets/nextcloud/password.age | Bin 0 -> 440 bytes secrets/paperless/password.age | 10 ++++ secrets/paperless/secret-key.age | 10 ++++ secrets/podgrab/password.age | 9 ++++ secrets/secrets.nix | 49 ++++++++++++++++++++ secrets/sso/ambroisie/password-hash.age | Bin 0 -> 459 bytes secrets/sso/ambroisie/totp-secret.age | Bin 0 -> 442 bytes secrets/sso/auth-key.age | Bin 0 -> 483 bytes secrets/transmission/credentials.age | 10 ++++ secrets/users/ambroisie/hashed-password.age | 9 ++++ secrets/users/root/hashed-password.age | Bin 0 -> 581 bytes secrets/wireguard/.gitattributes | 1 + secrets/wireguard/aramis/private-key.age | Bin 0 -> 417 bytes secrets/wireguard/porthos/private-key.age | 10 ++++ secrets/wireguard/richelieu/private-key.age | 10 ++++ 28 files changed, 203 insertions(+) create mode 100644 secrets/acme/dns-key.age create mode 100644 secrets/backup/credentials.age create mode 100644 secrets/backup/password.age create mode 100644 secrets/drone/gitea.age create mode 100644 secrets/drone/secret.age delete mode 100644 secrets/drone/ssh/key.pub create mode 100644 secrets/drone/ssh/private-key.age create mode 100644 secrets/lohr/secret.age create mode 100644 secrets/matrix/mail.age create mode 100644 secrets/matrix/secret.age create mode 100644 secrets/miniflux/credentials.age create mode 
100644 secrets/monitoring/password.age create mode 100644 secrets/nextcloud/password.age create mode 100644 secrets/paperless/password.age create mode 100644 secrets/paperless/secret-key.age create mode 100644 secrets/podgrab/password.age create mode 100644 secrets/secrets.nix create mode 100644 secrets/sso/ambroisie/password-hash.age create mode 100644 secrets/sso/ambroisie/totp-secret.age create mode 100644 secrets/sso/auth-key.age create mode 100644 secrets/transmission/credentials.age create mode 100644 secrets/users/ambroisie/hashed-password.age create mode 100644 secrets/users/root/hashed-password.age create mode 100644 secrets/wireguard/aramis/private-key.age create mode 100644 secrets/wireguard/porthos/private-key.age create mode 100644 secrets/wireguard/richelieu/private-key.age diff --git a/secrets/.gitattributes b/secrets/.gitattributes index a741d4d..7ca9979 100644 --- a/secrets/.gitattributes +++ b/secrets/.gitattributes @@ -1,3 +1,5 @@ * filter=git-crypt diff=git-crypt .gitattributes !filter !diff /default.nix !filter !diff +/secrets.nix !filter !diff +*.age !filter !diff diff --git a/secrets/acme/dns-key.age b/secrets/acme/dns-key.age new file mode 100644 index 0000000..97d397c --- /dev/null +++ b/secrets/acme/dns-key.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg 0bz3W8QcGaulxy+kDmM717jTthQpFOCwV9HkenFJEyo +NKeh1/JkX4WAWbOjUeKLMbsyCevnDf3a70FfYUav26c +-> ssh-ed25519 jPowng Q59ybJMMteOSB6hZ5m6UPP0N2p8jrDSu5vBYwPgGcRw +j420on2jSsfMsv4MDtiOTMIFjaXV7sIsrS+g4iab+68 +-> z}.q-grease s2W ssh-ed25519 cKojmg YlDuj9wwBKSHHvQOhfti1ah95vxDV3bLE+GElBkyTB0 +KsMyd3L4GaQa0eDQps+bJXj+cpy0zUNvFXU8NAmtThI +-> ssh-ed25519 jPowng JB4UtNyZab4ab4Pep3acyMjwCbluuEPuI6YOQ/045Fo +P9qnrPDGpHJL1TyNqYdNfqkd21Yjn/5mlovorWy60j4 +-> _6l|s-grease M ]2qMsa'w P] j0EE +W3CToUTg +--- 8aWYUi33mEIKFcFbphlDZumnBu9Xbj+j18dQbElx1v8 +3$m(TKeAZ>dn:-킥h.(U!rx D3493~Ȼf{L ƣ>^vl-=䣐U'(,#;H@M%|ʦ \ No newline at end of file 
diff --git a/secrets/backup/password.age b/secrets/backup/password.age new file mode 100644 index 0000000..3af9fbe --- /dev/null +++ b/secrets/backup/password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg dgS4bezgtDi44R1A8am+J6zh80kUVYTo1heaxJCtzX4 +F3w/62xwtqYa40NU7OvF9pnZzYz/5hACAGJfMA4e2zw +-> ssh-ed25519 jPowng lx81CK3yeNp9RjHCUFJeKYZlRzxBmXuADVBvRc13zCI +P7e75t8xU+ZkYmeQ8mmMfyZZsRdG1J8yrvSUkiWzkFQ +-> *z4/`-grease S/)a{e sFd";= +--- 15FVhqRTkoPFEeETRRyFQhsv4Fn19Ozlax0u8Zy9mNA +#+vS4}R%ίF4fnDJZA,_ \ No newline at end of file diff --git a/secrets/drone/gitea.age b/secrets/drone/gitea.age new file mode 100644 index 0000000..d1c14e7 --- /dev/null +++ b/secrets/drone/gitea.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg vLLu1kbzyGxr5sU/Dl4xf0uGO+gVsvODiqEJU21lwyI +LbJO4Go+8G7/UtFWjv+x7Nqhn7n+kge/oHP8dGCBnM8 +-> ssh-ed25519 jPowng obxX4ojPwp/DaerFzVbK5hUnshebh/chriT3a7uqYEw +x9jpbBefJZHz8o1lEkr48XhT7sVAM5tq3tZ8M91CDDo +-> eZ.G`B3W-grease 6k|.\v +D0u3P4oCpPNnueqZAAYn71xEUGWlavwLTrEXJ+2tdYOX6BwwFReOlMZWIA+FikmZ +8Pg7dHnbYPWc33jMjv3UnNsxCGUsDw9C9NkI5vfZSLvUxQ +--- Cea09ivsGZeoWif7xbdrvfoGsoiD+tRh7HQsOL75cqE +tFa|G,o6$U"wi߹Swgh6^*=[g1%Vup-{`P(?&QV#KeX4dK:xt0LsbÆ6ޜ [ #E[>)|cwq+cw1$^I(wG9>jI(y!@OƉkEz]Pk \ No newline at end of file diff --git a/secrets/drone/secret.age b/secrets/drone/secret.age new file mode 100644 index 0000000..c529200 --- /dev/null +++ b/secrets/drone/secret.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg 1+cLlzctgcM0FnVDwMPOAqBkvMcDBRg8SvCw4djI93Y +oV2XI4f1AvM9P591kZZ6NgJXa+SDtqGzCSgc4psOmxM +-> ssh-ed25519 jPowng Ufjfh1p350XxRPg95+/DHdmnl4lC0bbzUUlaxd1Bmxc +/RHwFDSn2ov+60r1uHUigrsn99+GmmKmlk4h4T2gbA0 +-> *Lc$@-grease +pzVJAHy1qRq3jUrnFV0DDO7/hwV1US4Ogf0RsrVfX0xzbr73uJ003YjieVB25LqN +--- ME7/iVevyiguyhXugbkVFGzJV0yDccyKNlWbEZa/FmY +YXjb2und;i0X]0jLPT~^kc$DrufreOո+p&wϨ \ No newline at end of file 
diff --git a/secrets/drone/ssh/key.pub b/secrets/drone/ssh/key.pub deleted file mode 100644 index ca1b5e82b9728bd52f282384f892bd32fbc69e84..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 765 zcmVu zrUiZsAtl+ z4$opvzyxlqLmcZMIDvFHhwyV4%6k!yUJ8>ksPWc&WdH^Pip9{#pa)7zv(U)B;a^%a zQoOEUc{VW;U+Msh|Iw(B#p3kE5en89`?VMUsj#gLya=QirqOFBR=L5pPSFQijne-O zg8B4|LT6+MtsVwt$2Y@#TdrG+YAZXM&6+tzT<+V>yS5ue@Zn~4LMMmm2nw^XljZ8k z{PVqgQOh4rA`e*(zOFVlt0$0aLfbK!4HyFUis<@3c#|B7GWPo6Z9B;!qyUc5kI#=d zXv)_bIBiJwc;nTAhR*4VI8E~u#tIYRZDL5O>i*swsAo}lci*;$!@d4VCMS=~=GG?F z=vw1g-pm>lV{NRjz$0g@3_S_DNl7}?$9?${pU$a|Tpdj?+TQi(gnGno22-O#hZ$qI zN?&pwH)fG`pIN&h7U~Ch-|lqwlbmD^>iEJ(RPQI zP(wQVH|L~)QPDKF0K9JntmHJd96mC6*cafWW;5lm*o&EnZ<6$~_-AM?FmeVv?$Zze zUJO0!Sk?$WI%=NT+QN3|>Vv|4$vfn1${uQ|VPinak|$R5sl=N%>-@(^KO7lceL;7G z7*`V#5JqAfixC~wbH{LmHY`SCxzA-3p8vLUWxTt7hLg?Id6rCKdz$VzSaCkHEJ+;cQ9}`SZzvZN>fXEc}HnEPB02BJ|J^*Xf0)AGBq_ZIUs6K zZ+C8IAag`HLoab|c0)*Hcwu5SVMS6`P-9~@YNNr?GZDem*Xkv43T1YWLPBwZ> zGj?okK~iQ*c5F>+G{tS9V2HMmckHFiJO33c$wr&?wC}%yY0qAIhM!#js01?N13~ z%zVx0tNk^2Meju(%L(+D{t6v+QSV-lbrg1(?ZYI4sGVRz!ur}<%N$XQz`G!}`(1R& z=B~BgEdS7JAx~mJM&JKhG+9QgTZfdzr%DbO)d+1iLcox|(JmQb00Hz>u2-!8@J_81K4KQ5}{I-)2gj6g{A;q=0;>F(9-Bs|I zwb4*w@P8dyA@&O~5U3d{1^BP9^<_YIm-fmVW*vq~?Qda#384dr*n#VQZ0)-xS*U!* zAn+1hCj>~_`iXsLQ>^PE{#`>JOorr~Z#u4*188O;eVXDM78^%CjWFDo|?A?UcUZGSIzKt8j@2Z}cDOWMBmpFdWO3 zwhpu=^?eUxQ^L1HhB({zrgd8n94Epr@I3LLno|%7g1H%2JIP4<2d25wqc`18bF6NC zh~JG)-n06$Rz7*Wm)IY9E|mnNtf5z~qyY^FZ626Wtp&Cb3i&Z$1emx8q6aZyJ0T8R zKeuo4-ps18L>EamIgvqTxnJ~8Bzb^eQAMBpW2ap}Rpyjm32PBo%HQAShw_?^WjSOb z06DKUuvy-;P^Hu+r9JMKs=2y^X}Djc_eEQ2n=)F-$=PrPTbG+5a4Yp$-p~%98xY8T z@w~|kFRmy>j_ekZT>9?+s%Rc^GtjNwF&dhP>L#rPFlkYpm0aA}$F9l-QQi+4k2Dum z>uuZ!t31-{WlvC3V#SkR##BF-$>;g$<&rx@Rw$)L{PRQ6+{B3FwH{DlkUvW9;!_|G zGH#wUsqV7%&n!5$A(jR-rHBQl1d`iXFZAytKk8PRKg1FHQM`9%163UtJ3j?H@gW0Y zfS;eY;#0?(pvHoev#_cfPObY>WY-_U>epNg1=x1wu`)PDR5bSkbbWW1?(_|f&+}C@ zA0^^ZpZ46H%vISFln)|L6hz!oZ=t=$`x=h_sjRHIK~uiC$y1`lEHq( 
zx=y5q<*{7fmoE1)H>c`Ku0MI{c_7<2Il$RF;WM;Lp`OsV9@fQT{~u{BBDE3jxB;{B zOhb|!K4A0pz?>1XK(>5p!$_K_t(^++{4-Kh#4$r`Uhr%-H4RW>c&+rs}5)E+q6)z~`sU$g0 z?v-F4dIC1rKj}OEgq5$}mu?e2nsUk!nTYa4Md9r^Xa?^pjes7bSO2)G6R@e{()!gY zSuLP2n_ecB2(t0dXc0Y*hyHB1Bziq0MQGgJV9fs0q_S9ssZIHOs4cZDXdKr^>9ggw z6A(njaeeH^T+4g!P zs1zuU@2YryQPL#e6#0RgtTSIwCQ?Lm?;McTM2Gn)AOU;xoaH&3Pj6T%YsYyIz6as< zt9-|c{*&yQ5=tMvve?3-s(K=6<2n_9a|hAqLSWu^oNCpKvW71!fWK%^RsW{Iwho|4eSupF(TeC?2d{#zJM0WlW(zvhQMk{!C?^@bO3zpnOWjuQ;Ab~`qy`;Vu<~Mj~iKqV$&+LA!si(>UnZq zr<*!hVy{0|mHtzLukWR(NBhaI8|!XY#D!;$J#N~2I=H%frOL4+wbu^dfU9|}ms+4t zPGKjeoX#U)MI!5)jB`=veNKm}7F;!e<($)3h?1bKhripBs90HGf9m~^>hXIqDGQi; ze%m~#wn3&{+~gP!Dw$*?R=NO?^z@iL8m>asPpH1BwAGrS17Fk@9Od0CiX(&~<6{QA zpIEYmsqt1jw!DNq^e_%10g74FCZ`ROAW67BjK*c+NkjV?xod6&5C-#)$p&)jF2S#T zM}VV{#xjf%Q?9>QJ+gd}1g50#MI-VWnapJk_m9Y2_K_jAwz`v1(#mhjt}*`tg%vYk z%5jW`xU^`WzwCpK+!Gc|@p_Rcy7|RH_2%6>AWAoHrW2q$WrcB`yO@oNosSPahjrIp zN%>@NTT{?J3fUAZsMC-=oUK^lp{ul9rTiV)2qR=+SyW2^M*erQm~`%cuE7Th`(WbX zZo`ho9w~>_H{T@ki4=x%fx_T_W@DZZ8gu(&!GFD@Tvqbp1W?13K5$L%48XSvM&tR6YDla~kc1{>wmxVslPC z2my8n21^`Bb+Mf}|L6(A@ZUD3Xj8Xag_55_>Nf@j zm`VneYe^M8f`Fg7-i^tJ3?!u{xgetp+HAX@x~_^R@&U49_i(ug>N~+v?bdh%m~uO- z%vCWZxDTFr^LkJoFHUO=q9~fTsDg z`Hmy8SsSucdRQ$V9oKJ#oLOeDS4pFd-VV&RWK)H9go|FB2+4|?SiznJqam-T2&gJ) zBdtEy#!wzFYq)I8#&)9X5i*JW;_Y}Xr)1C`Yts|>O6=Ki(yQ5*pohxb(IO1TtT`2* zvh05m0Y76elpv6}+)t02qpCto8&jYwKSVsq{URpde-#5(tvpjTOK|t9D_lQOWcw+3 z?)P9coeWePj&A*d%S?>bFf*7epPGmz_mo$3%9;BPp<%p8^Jn6a@fqrvi+`ABR^wZ~ zn0uJ!Z5vp1gbuWUqjp)^MMyh-rDKct1F|poa%SRAxU7yAj!b9YJ!@qJnGfe?)#k~r z*+|k_u^+}tR8%)PcSZ`#^$sy@N;OH2*)gL+mynr^*T!V*=@p!ak`sl8652fBlxVK z+m+09*9b6(ucA(buC*`wZSftVzs0bfxhw0~vg#}vOX0zg1R;m-eGOZN<@DF=6!t1yPayv*$#*w1j6tZT;!(Th4rjmP#fkg=#7+$J$R(!K z#4gB3T}-+penD{P^v0GWc(`9oA?IN$T4EJMgAK>#nJ@3Xafs{n9H7fMaHfaeZh-3- zY80lJ1;KZFaE$inq~Sx|?;0*rVRKN_%~%=q7-;;bVv9tUge4FD8RfO85#p-LP)oP8 z*PbQ{H^k!8W3a<%G*qRNPd>CwDuUNBok8oueNRikY4}?Pw-6TDPi_$CnxgWB?ar#a z&gXgq=?j>Gh;4lfSE8lpO;Gmz?a-qMXk&$!%;nXYNws2~dD>H*@62=Gyp=VyPoot#WSH){X@ literal 0 
HcmV?d00001 diff --git a/secrets/lohr/secret.age b/secrets/lohr/secret.age new file mode 100644 index 0000000..fa310b4 --- /dev/null +++ b/secrets/lohr/secret.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg HCVbkI26JjkBgm1L2cpunVui0PfHLNfnx6VczErF3A4 +3jEHfT6wUqNNFZFaVeiNBUhSKZmuKclPmubDMsda5O8 +-> ssh-ed25519 jPowng SyClv9kGtjRKSXdig27tiqp66wD1T8QsHeOD2JQl4QA +8zdtfSJEh5/bfu5tb6M8Jgy5CZPiWD8TLQDpzp6cTr0 +-> 3r2-grease +Lg/G911eZjeZTw5xhqje26vDfJkcSro+gKQ5SUboxLMnaibNi1qTeRLR +--- Q5/fikhVPoK+NFujTso5V7cty4k/dQlzFlz5z9DkzYk + t/WAMu"-!@ E1 R[eh3 ScoBt1Tb3mPTcfeP \ No newline at end of file diff --git a/secrets/matrix/mail.age b/secrets/matrix/mail.age new file mode 100644 index 0000000..1fe3a71 --- /dev/null +++ b/secrets/matrix/mail.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg lmu3MinmydRHD0A/YVRRtopermfoBC8M8cTHfVanY1s +ygrtpZZJ7aeQTblNazpoP7DdifmDxHsE3DFJsIrWX5M +-> ssh-ed25519 jPowng X0cihOc+fBtmtrkEivIHQngdYIobezXEF1x+pHqNzAw +/+sw9x1NWY0anZhDMpAywBPrR0F4XCHaF9e8j/Yo/kI +-> 32;%1s-grease +JafjuSZty6a4NSO/y4y5wHWL8Mw +--- dwCl66vdpsL0MR5NWWvg3JUnQ2QZQBeW0Dj0l5tvOKY +oi,`#uwW%Poubڭcy8 ><FqKÂk0k/h5势F+u eb>1Q2wnWb֖Bi^xur- /ll-=7;j0I%FiA;YUd]KI0( Ag^uG:pkJ:qWSaLw!M4L/ZD-XUbvbP0f9 J`XO!s{QAcc;4Mچݹ lxH&{}zZ9ûXܓg]V0gtw \ No newline at end of file diff --git a/secrets/matrix/secret.age b/secrets/matrix/secret.age new file mode 100644 index 0000000..a287435 --- /dev/null +++ b/secrets/matrix/secret.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg ociW6AZww4nfW0Dw0DB0WNgQbJ3MNkHPPZlA0z+o/mI +THAz89pjyrkxJB9tPQGgEwZrZX9OudWMnyzr0JiwzTA +-> ssh-ed25519 jPowng 1werbtuWK0DUFxq9mAWp/QzMHC1B8UfadutvK6+j9XE +YmAwYo3X00gMB9AyQfOsR82CUPAtxfuzCzP4OyYFxjc +-> 8g-grease N9DR4 .U< +--- Cwh2hPrM2RzRroJRw3XrP1khcpL0leTXfJ+T7WG57To +±jϰLDF xux1 +U/oGgo)*/d"L#RhWP \ No newline at end of file 
diff --git a/secrets/miniflux/credentials.age b/secrets/miniflux/credentials.age new file mode 100644 index 0000000000000000000000000000000000000000..979015965f433e63c6451fefcfa5511c614dc814 GIT binary patch literal 477 zcmZ9_yN{D_003Ye93*ivw_}WhL5^2xA!odlmO@)-dq7)?gZC??aFhZq$fHfYMB{8? zH1QUlj1DF`XyRjZQWN8Pm)zuFoNl_|hBL<1?;rSpZK0NL&hs$d3Hj*g0GjEDo-F^rxt$>OZCFto1}%DJx~>>QhX-64 z&s1)b1_G1ml%&!vFa-#gjdUEsoVxCIXLzbCVzt5>TU4E>BRW;>*&UPCMXT0gGeUEa zlKpS1I3s<@qW0VZkp*`*7c274C75gZOSrHJQL`;V ssh-ed25519 cKojmg OdLtFHbHbc28rUn47vgsVvXxFNg9nF+9y9R6XOK390Y +yQQYUPQGjN2+xrSqqBYa7/zS618KrVjX5Amw2MFuSLg +-> ssh-ed25519 jPowng NwUjiLtiXVi6XFmht5l1CxEs3gm0oN4vHYwDZyda7Q4 +di6znVjNRO6QdqteVNkeot5Ko2NwWLe6v+zVR3f+o10 +-> 4Vx%\(-grease ^^Z>EC91 R 2BJ d48Wip*s +yPiBgChRF31XgxccQFLO3MzRL7+5s29sfRoF3W1yUX6Bu59MpxD4D+n/jhLcxSH/ +CxW7KaiOctNmPm5tWh6qjmgQ+V4bcAji5vo4FKs40l56cfyueEJj+Q +--- WUGF28zqK9E1AlOeeCtSHxFg6ikRy85gOoLtBd4m0y0 +.|rr>12Sɞ.hww q%i *U^)'qO2ӜmQ7m` \ No newline at end of file diff --git a/secrets/nextcloud/password.age b/secrets/nextcloud/password.age new file mode 100644 index 0000000000000000000000000000000000000000..9fd3c53f866f5e1785e63ec681d2c37ca7762d10 GIT binary patch literal 440 zcmZ9`O>5I&003Yw9t{2fkGVL8A0NwYLf+a=A~q%ET4tI5(fZ%opBvD3T= zV|W<|8~zA!HxWUPo<#8K$IXjJQBUgCU+_G3;FEsrrgf4ZqIe6X0aXBu+{LpjBz=!& zSk@;c5PbC9B7%dVM@YyEjVlN!mR_ZRu4;-%GH1=)W5(F`Pp`<= z_fN9T^ZM=jOaEx|;>GWyC(q=skA5C&cRsq;^k2Kud$p1;FR%RgJiLDP{OrT&yO-bI Nw70G@PbW7X{{d5(m_Yyl literal 0 HcmV?d00001 diff --git a/secrets/paperless/password.age b/secrets/paperless/password.age new file mode 100644 index 0000000..3fe76cb --- /dev/null +++ b/secrets/paperless/password.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg zhpo89xef68JoeOFWzhdFshrj2BXXUCFPMLVJzv6EyE +fmJxJi5rmyai9qGwDo7iHg4BrObGre96KCpl+g91O6I +-> ssh-ed25519 jPowng INA6EZdy4J1p3QY5mfVOQXiLdOjIDaZR+CZMP+GfkXM +8Nf5soaxY5SEzeJca5kaJkx7ByOvc4NkJVetB7wpEmo +-> xjK'w-grease +f5v0cvlt4JbHlAwDOob86qOInWdlN/oohTg +--- NTGv4rr+MhJ/YeZhVHOjoS1V+zCHFf2itJYfK36R+wE +חJ d o'YFU@ +r7_N$>]hq-F۰qX?| ? \ No newline at end of file diff --git a/secrets/paperless/secret-key.age b/secrets/paperless/secret-key.age new file mode 100644 index 0000000..eae5c56 --- /dev/null +++ b/secrets/paperless/secret-key.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg tZwn2usN6K62oS4vBa6boh9zEp/+cS4chP8boXG6SH4 +Fr3kV8gUDoiDqMxPYWsHyww8umYhQEKhqbVBiVw5NeI +-> ssh-ed25519 jPowng wRbJl4G85obH/GluQBBsXE7MOvooEui65eqHfurvuQs +KqVZMBSyHhkayEdwI6ocmA4qhHY9zYJvg1CEKM1SOa0 +-> 2E"/OFW-grease o Qp3HFe^ +bGhCNicPqt7txqxUiEWXCFs1OuQLqOqHmjHSqYQv919dqYep/xBXzi/aRf3dsdvh +TCJCTvZG31Qxvikp +--- xKJGbdVp+Z5h0vCBleSF2zYYYd2S5i0y4szNqjRwrDY +T /Ni7m4#MhiPޛ-gI%@E(i7Ygk"+㸠(]o@bާ+[Y"BCR[ >-.4db9v \ No newline at end of file diff --git a/secrets/podgrab/password.age b/secrets/podgrab/password.age new file mode 100644 index 0000000..90e2501 --- /dev/null +++ b/secrets/podgrab/password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg 8rcBI7fYHuA3jO6EzJNFaAj2niIApKDt1HQEv61AKTs +ANxkIX/CeI7t7Zqp6wmjt/D194Z+xpeiidb+qvYzoQU +-> ssh-ed25519 jPowng oruewwTM9X/HjjcmOPcQVdp02rQBlgJPdzvlAffs3T0 +MrO0kaNhjgOkNHuz3NrIMWXNrXOHH9dT/Fk6hoQNKyY +-> COK%H7-grease +6yfI90QurOKlM+kgpW8KZ/iBzDYD9yhNmjG1LQ +--- uArz8eHg8sLO0sdlkM6cELFh+FHiI5BrM0+iXJxxiDo +vvNb@FMMY&/%mt֓dh|ߩ8 ڽ9C/ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..dcaa6d6 --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,49 @@
+let
+ # FIXME: read them from directories
+ ambroisie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIVd6Oh08iUNb1vTULbxGpevnh++wxsWW9wqhaDryIq ambroisie@agenix";
+ users = [ ambroisie ];
+
+ porthos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGzznQ3LSmBYHx6fXthgMDiTcU5i/Nvj020SbmhzAFb root@porthos";
+ machines = [ porthos ];
+
+ all = users ++ machines;
+in
+{
+ "acme/dns-key.age".publicKeys = all;
+
+ "backup/password.age".publicKeys = all;
+ "backup/credentials.age".publicKeys = all;
+
+ "drone/gitea.age".publicKeys = all;
+ "drone/secret.age".publicKeys = all;
+ "drone/ssh/private-key.age".publicKeys = all;
+
+ "lohr/secret.age".publicKeys = all;
+
+ "matrix/mail.age".publicKeys = all;
+ "matrix/secret.age".publicKeys = all;
+
+ "miniflux/credentials.age".publicKeys = all;
+
+ "monitoring/password.age".publicKeys = all;
+
+ "nextcloud/password.age".publicKeys = all;
+
+ "paperless/password.age".publicKeys = all;
+ "paperless/secret-key.age".publicKeys = all;
+
+ "podgrab/password.age".publicKeys = all;
+
+ "sso/auth-key.age".publicKeys = all;
+ "sso/ambroisie/password-hash.age".publicKeys = all;
+ "sso/ambroisie/totp-secret.age".publicKeys = all;
+
+ "transmission/credentials.age".publicKeys = all;
+
+ "users/ambroisie/hashed-password.age".publicKeys = all;
+ "users/root/hashed-password.age".publicKeys = all;
+
+ "wireguard/aramis/private-key.age".publicKeys = all;
+ "wireguard/porthos/private-key.age".publicKeys = all;
+ "wireguard/richelieu/private-key.age".publicKeys = all;
+}
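Review bot: Every entry in the attribute set uses `publicKeys = all`, so the `porthos` host key can decrypt every secret in the tree, including `wireguard/aramis/private-key.age`, `wireguard/richelieu/private-key.age` and both `users/*/hashed-password.age` files. Scoping each secret to the recipients that consume it would limit what one stolen host key exposes, for example `"wireguard/porthos/private-key.age".publicKeys = users ++ [ porthos ];`, with the other hosts' keys given `users` plus their own host key once it is listed. Only `porthos` appears in `machines`, so presumably `aramis` and `richelieu` do not decrypt through agenix yet; that is worth confirming and recording next to the `# FIXME: read them from directories` comment. Because these ciphertexts stay in git history, removing a recipient later only helps if the secret value itself is rotated as well.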
diff --git a/secrets/sso/ambroisie/password-hash.age b/secrets/sso/ambroisie/password-hash.age new file mode 100644 index 0000000000000000000000000000000000000000..10d9eaa37c8cc1c8795083db6f5b34d20a30b9db GIT binary patch literal 459 zcmZ9_y^GUO003}D$*3Z@NCr_b#wM*VO%XquCbem6FPE1z^r3J`ntN%Q=B3R?)8ZgF zJ19^o!G`oF=5|_$6lPbn;1CGXLKKjm#rVgZ?Rt#K zVz=8) zZ>uia0~XIbJMn0SLH3CneR}=KF-U_rISLG_q}$LN3*lNc)Yr{T*@mr5538Bws{+i3 z+wUo(DW`}O%d)iQD5)W1wSQsJK?^8{wX7QOiqvlBS_ox0_PRl?b%tV1p>`h4?_Ql> zI{)w&e7?7EUN7F9N&PR}aR#wNKYIYipz^`&W>r1>3{gBxxT z90Vspa5$YsP>>UD5OGq_MT7%q!C4Vp#MSQ~_{JEKD0GuL&Sp_~IZAM&XcFW#kfuI~ zJepye9B_M4u*5*5+O8-JyEhCW;Y!Qmd~Gz%)mYjcSyg~p4lcxaHC4EFNyu2qQBpBl z3+jw{C4ta{86WzBKwoyp)>nOCP zni6uqnRT4jwC4=My|ytYT#GHNZeEGO+>zz=l$P>1GqEm)>E3WzFBG>*#fX#Hb&ju(qu3} zk|gj7zCSSs3kped6RMI5S=(@{RtPQD=?qNai({^qXFOICI-ge#jS>A$gF8yJ? z8o`%S>h%5bclFnkbI%?K-yCrA7Na8a?Vhj00_k2fzQ T`XllD%d&O#>vLH-w>Sv literal 0 HcmV?d00001 diff --git a/secrets/sso/auth-key.age b/secrets/sso/auth-key.age new file mode 100644 index 0000000000000000000000000000000000000000..4e05b15362db0aa4da54df2c747e5d4bd86d001e GIT binary patch literal 483 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn_Ri1BO;<2UO-}Sr zOVrQzk2KIX_H-*sGxH59FN?@^3X2L3u{8Jduq;XQ2+s2}cI3*>bgS|-G)nO`^35tw zG^{dDD#*ymGz<%JO?7j3)y|Eqbgj&Fi*$E(G(op5D9 z%d)6EDKk5uFf^mW%fmZ8+&4QZ$4}qQG|?;4&6CThuqxQZ$=@g>#LvAjuPC`VBFE1> zC)6t=!ztC(q%74fsw6WwCEL`{B@|?vo>O*`NtJGTQEFmwDpy%RP ssh-ed25519 cKojmg mP2H3PWJN6Pv3q6C2wci3KnXjtFAIiuGy0YH0sGIy2g +f43QqyUQfTYznszub47kgc2Mz95zVScTDkwnG3INi9U +-> ssh-ed25519 jPowng fENbu7+FZ1mnQQHQCLm1spLHmsQGlRoJResUJtGzYkY +hX+AqCkLCca6m/aKtGCThi7/mCCz/TZQNJNOlOmlqyA +-> J<-grease +n7+CPRr4oazWnE7yzpJN2ZAI4QrGsAerloP4wNeebjQDx8+IxJq1JE0g3Yi0RxzN +chDccuSPLYk45Ov+SD/qqqFZlQ +--- p81HYw3LFj+qz2kiZsDcevM4ZBfvN743P9Jdi7J9XkM +۱S7VBOlEtq_D,PVFp\"AM}g?/\;y Ӛ(SK \ No newline at end of file 
diff --git a/secrets/users/ambroisie/hashed-password.age b/secrets/users/ambroisie/hashed-password.age new file mode 100644 index 0000000..09a80f4 --- /dev/null +++ b/secrets/users/ambroisie/hashed-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg vOaL2ZKsFEjX9mzQvw8Je7x2Dq8cMhrZEyBTXpH4QnE +HXO4fbWdJsbsRmGq0IYzq8/szObxzpsGfQNNTJ4vNzg +-> ssh-ed25519 jPowng WPxg0pP6O3ZS4dPc1WcDvzig22Fylk3mR/W9STaWbW4 +GuhFwt7M5Lc38q2LC/0eul0yP60UxmWwi9I8ToHv7bE +-> :;V8\-grease ZC#7~eR# P<'e?vI3 9R +lZlb44QiAaIxd0SYiRNT/QRnxxUt7npbksg +--- 9xv4lt8IcGR8jP0UcKYYnTuh1Ix/pqXgDmevkTH9j1A +]c3x w' ` h=XǑg3]~q.Xna*W:,zvyzI }DO=`w7:Rx5$6:",HM"_MMBJeF \ No newline at end of file diff --git a/secrets/users/root/hashed-password.age b/secrets/users/root/hashed-password.age new file mode 100644 index 0000000000000000000000000000000000000000..14986f1b48c218872964e33632da91cd5e7cc931 GIT binary patch literal 581 zcmZ9_O>5I&003Y`9FmJ5iZ{s=aTsFK&omRAZPPVv(llwCr42ev)AUW!=A%iPv>g^j zK@k-d1y8$*_z#3BUd7!CV~iaJ3VM>E9z2NR)#nd93eZr^R=u$s7><3x@c9LVRBYfG^Xk1bkG?M zwXkI*%3~ntjR0e^O`XcerKD&BDCs3YmnpU^n(PHtzANyRN!s$bWH;Mck;#eF0-{=O zTUDv`Z_8i|3Or5mHJD$^N3iU`=SNehP-^tX;sCe$4Q+*rjR^9hJHDuWao4wJzq{}1 zmD@{?fc)`l49UUD(-Xng_WHs7x!@>!a_h#@F8Y((J#}T_w6NL!#L)MSE&TXU*#EV* s_u$*c8EIzY&!;=-MR+kfJfHFQ{;b}A@iH;HNgug&oqhA{`;+PGzZ?C}+W-In literal 0 HcmV?d00001 diff --git a/secrets/wireguard/.gitattributes b/secrets/wireguard/.gitattributes index d4bba55..714f3f9 100644 --- a/secrets/wireguard/.gitattributes +++ b/secrets/wireguard/.gitattributes @@ -1 +1,2 @@ /default.nix filter diff +public-key.txt filter diff 
diff --git a/secrets/wireguard/aramis/private-key.age b/secrets/wireguard/aramis/private-key.age new file mode 100644 index 0000000000000000000000000000000000000000..d790b642aef0f5b3948e889d3d12ac24f252bcc4 GIT binary patch literal 417 zcmZ9_y=&A^003|)xC9DLf{Q)`2Px0w?wU3k{K$QAxx40?T<-Eg5$?Ube7x%=_mVW1 zWNR03byB+Y59r|H;2;RaRd6Yy;NZU?-Nn`4Kk!=w1dv%{D)F>=5*XkGLJVU-DYD(qjd2KGNk%ehjNUfcNN?Q#}mRhr%kCcBK zhCxae837QaN8F6cy1OT?C%m9y!Jtc9j7O1Dy2>#su!cAYA;75HTb=Ozd_O~c!(F20 zpkTX(*`RS?9JXw7;OlI%S1E?X{V;CszCL|;uOEccqYvCS^BQtLZ-06RUS6C(uYtQ= v)9bGf-n_p&dwlf!qPHczdP{Cz44>ZrbLaC__~rYr5uTje5@H{vTUUPpC$f>a literal 0 HcmV?d00001 diff --git a/secrets/wireguard/porthos/private-key.age b/secrets/wireguard/porthos/private-key.age new file mode 100644 index 0000000..4abe1e5 --- /dev/null +++ b/secrets/wireguard/porthos/private-key.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg +WwRpd2MzycutQFXyLsr2+GzSgF67Z6UuvyqYZaLd3w +sppt8HzaZP3yxnvnhzjl18Trnz8g3VyXJ6CaVBWd7jA +-> ssh-ed25519 jPowng wanoqGB7T8bim/WZ4IAYViFQoGzaIZSgeoTr3YKpeTY +ihDAdGa1XVW/qQz40V1v7a7iK7tu0EHMa7ayIogpcRw +-> l-grease |PIcZ NIr >0;* +4o8o0bevQZ6uDSx1WxxlDCURbFCM+yK1XPdrb9aztCSvG2a+ne78E42l5rBcoH7I +m51A8uWS4nSj36N/76v6K4kelxKzWUg +--- O6cGbTAVbDcdmPHf7UzfZiyiRtu1yfL4sBI+CkJA1qw +q$`w'SX]?6/N(BNa.H7Ioz/4:sK",7J \ No newline at end of file diff --git a/secrets/wireguard/richelieu/private-key.age b/secrets/wireguard/richelieu/private-key.age new file mode 100644 index 0000000..e796688 --- /dev/null +++ b/secrets/wireguard/richelieu/private-key.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg rYhrpoTaFjLBGtbCXxEK7jZa+KnriEV/kWViIEjmuQs +jHMSjxKIIqjUnpAcEo3JgsieI1iiA5/gKEx8+QFhDgY +-> ssh-ed25519 jPowng 6sQQFvSbWdjgDYSKmJ/CBG+BTzxFghX4SaJ4GyACKWc +OABJuh+Ta8q+G0onF/9bz3xxv4zTlHYlF4AjC5P6Y6I +-> xwW|#D`-grease $xYH C m8lBk9 +OBqgvLNIurE0qNaSB7dO2/6dQkVXeLgf/3l9gGlRJ6ynhqwmbXOUa0vyj+OBz27O +uI97+0y1TFAs3HN0Y8nj8LrwsafbDENu99JuVow2OuLKeSqc7sxOQQ +--- 9filSHStPTJJGDLY7AWzIXu/6tK4X0okT522sc4OJTc +M{$:N[ݶ2xy8&J_{RLX`Wͻx*Pr`UpJɔF#YXPS s \ No newline at end of file