secrets: remove git-crypt secrets
This commit is contained in:
parent
414c27ee63
commit
e64fdcf38b
5
secrets/.gitattributes
vendored
5
secrets/.gitattributes
vendored
|
@ -1,5 +0,0 @@
|
||||||
* filter=git-crypt diff=git-crypt
|
|
||||||
.gitattributes !filter !diff
|
|
||||||
/default.nix !filter !diff
|
|
||||||
/secrets.nix !filter !diff
|
|
||||||
*.age !filter !diff
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
secrets/canary
BIN
secrets/canary
Binary file not shown.
|
@ -1,35 +1,11 @@
|
||||||
{ inputs, lib, options, ... }:
|
{ inputs, lib, options, ... }:
|
||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
let
|
{
|
||||||
throwOnCanary =
|
|
||||||
let
|
|
||||||
canaryHash = builtins.hashFile "sha256" ./canary;
|
|
||||||
expectedHash =
|
|
||||||
"9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
|
|
||||||
in
|
|
||||||
if canaryHash != expectedHash
|
|
||||||
then throw "Secrets are not readable. Have you run `git-crypt unlock`?"
|
|
||||||
else id;
|
|
||||||
in
|
|
||||||
throwOnCanary {
|
|
||||||
imports = [
|
imports = [
|
||||||
inputs.agenix.nixosModules.age
|
inputs.agenix.nixosModules.age
|
||||||
];
|
];
|
||||||
|
|
||||||
options.my.secrets = mkOption {
|
|
||||||
type =
|
|
||||||
let
|
|
||||||
valueType = with types; oneOf [
|
|
||||||
int
|
|
||||||
str
|
|
||||||
(attrsOf valueType)
|
|
||||||
(listOf valueType)
|
|
||||||
];
|
|
||||||
in
|
|
||||||
valueType;
|
|
||||||
};
|
|
||||||
|
|
||||||
config.age = {
|
config.age = {
|
||||||
secrets =
|
secrets =
|
||||||
let
|
let
|
||||||
|
@ -48,53 +24,4 @@ throwOnCanary {
|
||||||
"/home/ambroisie/.ssh/id_ed25519"
|
"/home/ambroisie/.ssh/id_ed25519"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
config.my.secrets = {
|
|
||||||
acme.key = fileContents ./acme/key.env;
|
|
||||||
|
|
||||||
backup = {
|
|
||||||
password = fileContents ./backup/password.txt;
|
|
||||||
credentials = readFile ./backup/credentials.env;
|
|
||||||
};
|
|
||||||
|
|
||||||
drone = {
|
|
||||||
gitea = readFile ./drone/gitea.env;
|
|
||||||
secret = readFile ./drone/secret.env;
|
|
||||||
ssh = {
|
|
||||||
publicKey = readFile ./drone/ssh/key.pub;
|
|
||||||
privateKey = readFile ./drone/ssh/key;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
lohr.secret = fileContents ./lohr/secret.txt;
|
|
||||||
|
|
||||||
matrix = {
|
|
||||||
mail = import ./matrix/mail.nix;
|
|
||||||
secret = fileContents ./matrix/secret.txt;
|
|
||||||
};
|
|
||||||
|
|
||||||
miniflux.password = fileContents ./miniflux/password.txt;
|
|
||||||
|
|
||||||
monitoring.password = fileContents ./monitoring/password.txt;
|
|
||||||
|
|
||||||
nextcloud.password = fileContents ./nextcloud/password.txt;
|
|
||||||
|
|
||||||
paperless = {
|
|
||||||
password = fileContents ./paperless/password.txt;
|
|
||||||
secretKey = fileContents ./paperless/secretKey.txt;
|
|
||||||
};
|
|
||||||
|
|
||||||
podgrab.password = fileContents ./podgrab/password.txt;
|
|
||||||
|
|
||||||
sso = import ./sso { inherit lib; };
|
|
||||||
|
|
||||||
transmission.password = fileContents ./transmission/password.txt;
|
|
||||||
|
|
||||||
users = {
|
|
||||||
ambroisie.hashedPassword = fileContents ./users/ambroisie/password.txt;
|
|
||||||
root.hashedPassword = fileContents ./users/root/password.txt;
|
|
||||||
};
|
|
||||||
|
|
||||||
wireguard = import ./wireguard { inherit lib; };
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
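Review bot: Any module outside this file that still reads `config.my.secrets.<name>` will now fail evaluation with an undefined-attribute error instead of a clear message, because the first hunk drops the `options.my.secrets = mkOption { ... }` declaration and the second hunk drops the entire `config.my.secrets = { ... }` set (the former `sso`, `wireguard`, `users.*.hashedPassword` and service password entries); if such consumers exist they need to be moved to `config.age.secrets.<name>.path` in the same change, and a one-line comment at the top of the new `{ imports = [ ... ]; ... }` body saying that secret values are now provided only through agenix would make that explicit for the next reader. With `throwOnCanary` gone, nothing in this module checks that the identity kept as context in the second hunk, `"/home/ambroisie/.ssh/id_ed25519"`, is present on the host; agenix presumably reports a missing identity at activation time, which is the intended replacement, but it is worth stating in the commit description. The git-crypt blobs and `.gitattributes` filters deleted here remain in history before this commit, so the values they held should be treated as still recoverable by anyone holding the old git-crypt key and rotated rather than assumed retired. Note that `with lib;` survives the first hunk while its only visible users (`mkOption`, `types`, `fileContents`, `readFile`) are removed, so it may now be unused unless the rest of the file still needs it. The `secrets = let ...` block continues past the end of the first hunk and the second hunk begins inside it.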
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
1
secrets/sso/.gitattributes
vendored
1
secrets/sso/.gitattributes
vendored
|
@ -1 +0,0 @@
|
||||||
/default.nix filter diff
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
2
secrets/wireguard/.gitattributes
vendored
2
secrets/wireguard/.gitattributes
vendored
|
@ -1,2 +0,0 @@
|
||||||
/default.nix filter diff
|
|
||||||
public-key.txt filter diff
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.