modules: secrets: fix permission for grafana

Now that I am using agenix, secrets stays encrypted at rest.

.drone.yml

@@ -4,9 +4,9 @@ type: exec
 name: NixOS config check
 
 steps:
-- name: format check
+- name: nix flake check
   commands:
-  - nix develop -c nixpkgs-fmt .
+  - nix flake check
 
 - name: notifiy
   commands:

.git-crypt/.gitattributes

@@ -1,4 +0,0 @@
-# Do not edit this file.  To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff
-*.gpg binary

bootstrap.sh

@@ -58,6 +58,8 @@ get_ssh() {
 
     get_doc "SysAdmin/SSH" "shared-key-public" "$HOME/.ssh/shared_rsa.pub" 644
     get_doc "SysAdmin/SSH" "shared-key-private" "$HOME/.ssh/shared_rsa" 600
+    get_doc "SysAdmin/SSH" "agenix-public" "$HOME/.ssh/id_ed25519.pub" 644
+    get_doc "SysAdmin/SSH" "agenix-private" "$HOME/.ssh/id_ed25519" 600
 }
 
 get_pgp() {

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1631896269,
+        "narHash": "sha256-DAyCxJ8JacayOzGgGSfzrn7ghtsfL/EsCyk1NEUaAR8=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "daf1d773989ac5d949aeef03fce0fe27e583dbca",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "ref": "master",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "futils": {
       "locked": {
         "lastModified": 1629481132,
@@ -95,6 +116,7 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "futils": "futils",
         "home-manager": "home-manager",
         "nixpkgs": "nixpkgs",

flake.nix

@@ -1,6 +1,16 @@
 {
   description = "NixOS configuration with flakes";
   inputs = {
+    agenix = {
+      type = "github";
+      owner = "ryantm";
+      repo = "agenix";
+      ref = "master";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
+
     futils = {
       type = "github";
       owner = "numtide";
@@ -47,6 +57,7 @@
   outputs =
     inputs @
     { self
+    , agenix
     , futils
     , home-manager
     , nixpkgs
@@ -74,8 +85,6 @@
         ./modules
         # Include bundles of settings
         ./profiles
-        # Include my secrets
-        ./secrets
       ];
 
       buildHost = name: system: lib.nixosSystem {
@@ -119,7 +128,6 @@
           name = "NixOS-config";
 
           nativeBuildInputs = with pkgs; [
-            git-crypt
             gitAndTools.pre-commit
             gnupg
             nixpkgs-fmt

home/default.nix

@@ -1,38 +1,37 @@
 { ... }:
 {
   imports = [
-    ./bat.nix
-    ./bluetooth.nix
-    ./comma.nix
-    ./direnv.nix
-    ./documentation.nix
-    ./feh.nix
+    ./bat
+    ./bluetooth
+    ./comma
+    ./direnv
+    ./documentation
+    ./feh
     ./firefox
-    ./flameshot.nix
-    ./gammastep.nix
+    ./flameshot
+    ./gammastep
     ./gdb
     ./git
-    ./gpg.nix
-    ./gtk.nix
-    ./htop.nix
-    ./jq.nix
+    ./gpg
+    ./gtk
+    ./htop
+    ./jq
     ./mail
-    ./mpv.nix
-    ./nix-index.nix
-    ./nm-applet.nix
-    ./packages.nix
-    ./pager.nix
-    ./power-alert.nix
-    ./secrets # Home-manager specific secrets
-    ./ssh.nix
+    ./mpv
+    ./nix-index
+    ./nm-applet
+    ./packages
+    ./pager
+    ./power-alert
+    ./ssh
     ./terminal
-    ./tmux.nix
-    ./udiskie.nix
+    ./tmux
+    ./udiskie
     ./vim
     ./wm
     ./x
-    ./xdg.nix
-    ./zathura.nix
+    ./xdg
+    ./zathura
     ./zsh
   ];
 

home/firefox/default.nix

@@ -23,7 +23,7 @@
   };
 
   imports = [
-    ./firefox.nix
-    ./tridactyl.nix
+    ./firefox
+    ./tridactyl
   ];
 }

home/mail/default.nix

@@ -6,9 +6,9 @@ let
 in
 {
   imports = [
-    ./accounts.nix
-    ./himalaya.nix
-    ./msmtp.nix
+    ./accounts
+    ./himalaya
+    ./msmtp
   ];
 
   options.my.home.mail = with lib; {

home/secrets/.gitattributes

@@ -1,3 +0,0 @@
-* filter=git-crypt diff=git-crypt
-.gitattributes !filter !diff
-/default.nix !filter !diff

home/secrets/default.nix

@@ -1,31 +0,0 @@
-{ lib, ... }:
-
-with lib;
-let
-  throwOnCanary =
-    let
-      canaryHash = builtins.hashFile "sha256" ./canary;
-      expectedHash =
-        "9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
-    in
-    if canaryHash != expectedHash
-    then throw "Secrets are not readable. Have you run `git-crypt unlock`?"
-    else id;
-in
-throwOnCanary {
-  options.my.secrets = mkOption {
-    type =
-      let
-        valueType = with types; oneOf [
-          int
-          str
-          (attrsOf valueType)
-        ];
-      in
-      valueType;
-  };
-
-  config.my.secrets = {
-    # Home-manager secrets go here
-  };
-}

home/terminal/default.nix

@@ -10,7 +10,7 @@ let
 in
 {
   imports = [
-    ./termite.nix
+    ./termite
   ];
 
   options.my.home = with lib; {

home/wm/default.nix

@@ -10,11 +10,11 @@ let
 in
 {
   imports = [
-    ./dunst.nix
-    ./i3.nix
-    ./i3bar.nix
-    ./rofi.nix
-    ./screen-lock.nix
+    ./dunst
+    ./i3
+    ./i3bar
+    ./rofi
+    ./screen-lock
   ];
 
   options.my.home.wm = with lib; {

home/x/default.nix

@@ -4,8 +4,8 @@ let
 in
 {
   imports = [
-    ./cursor.nix
-    ./keyboard.nix
+    ./cursor
+    ./keyboard
   ];
 
   options.my.home.x = with lib; {

machines/porthos/services.nix

@@ -1,7 +1,7 @@
 # Deployed services
 { config, ... }:
 let
-  my = config.my;
+  secrets = config.age.secrets;
 in
 {
   # List services that you want to enable:
@@ -19,11 +19,8 @@ in
         OnActiveSec = "6h";
         OnUnitActiveSec = "6h";
       };
-      # Insecure, I don't care.
-      passwordFile =
-        builtins.toFile "password.txt" my.secrets.backup.password;
-      credentialsFile =
-        builtins.toFile "creds.env" my.secrets.backup.credentials;
+      passwordFile = secrets."backup/password".path;
+      credentialsFile = secrets."backup/credentials".path;
     };
     # My blog and related hosts
     blog.enable = true;
@@ -34,11 +31,8 @@ in
     drone = {
       enable = true;
       runners = [ "docker" "exec" ];
-      # Insecure, I don't care.
-      secretFile =
-        builtins.toFile "gitea.env" my.secrets.drone.gitea;
-      sharedSecretFile =
-        builtins.toFile "rpc.env" my.secrets.drone.secret;
+      secretFile = secrets."drone/gitea".path;
+      sharedSecretFile = secrets."drone/secret".path;
     };
     # Flood UI for transmission
     flood = {
@@ -56,28 +50,24 @@ in
     # Gitea mirrorig service
     lohr = {
       enable = true;
-      sharedSecretFile =
-        let
-          content = "LOHR_SECRET=${my.secrets.lohr.secret}";
-        in
-        builtins.toFile "lohr-secret.env" content;
+      sharedSecretFile = secrets."lohr/secret".path;
     };
     # Matrix backend and Element chat front-end
     matrix = {
       enable = true;
-      mail = my.secrets.matrix.mail;
-      secret = my.secrets.matrix.secret;
+      mailConfigFile = secrets."matrix/mail".path;
+      # Only necessary when doing the initial registration
+      # secret = "change-me";
     };
     miniflux = {
       enable = true;
-      password = my.secrets.miniflux.password;
+      credentialsFiles = secrets."miniflux/credentials".path;
     };
     # Various monitoring dashboards
     monitoring = {
       enable = true;
       grafana = {
-        passwordFile =
-          builtins.toFile "grafana.txt" my.secrets.monitoring.password; # Insecure, I don't care
+        passwordFile = secrets."monitoring/password".path;
       };
     };
     # FLOSS music streaming server
@@ -88,29 +78,38 @@ in
     # Nextcloud self-hosted cloud
     nextcloud = {
       enable = true;
-      password = my.secrets.nextcloud.password;
+      passwordFile = secrets."nextcloud/password".path;
     };
     nginx = {
       enable = true;
+      acme = {
+        credentialsFile = secrets."acme/dns-key".path;
+      };
+      sso = {
+        authKeyFile = secrets."sso/auth-key".path;
+        users = {
+          ambroisie = {
+            passwordHashFile = secrets."sso/ambroisie/password-hash".path;
+            totpSecretFile = secrets."sso/ambroisie/totp-secret".path;
+          };
+        };
+        groups = {
+          root = [ "ambroisie" ];
+        };
+      };
     };
     paperless = {
       enable = true;
       documentPath = "/data/media/paperless";
-      # Insecure, I don't care
-      passwordFile =
-        builtins.toFile "paperless.env" my.secrets.paperless.password;
-      secretKey = my.secrets.paperless.secretKey;
+      passwordFile = secrets."paperless/password".path;
+      secretKeyFile = secrets."paperless/secret-key".path;
     };
     # The whole *arr software suite
     pirate.enable = true;
     # Podcast automatic downloader
     podgrab = {
       enable = true;
-      passwordFile =
-        let
-          contents = "PASSWORD=${my.secrets.podgrab.password}";
-        in
-        builtins.toFile "podgrab.env" contents;
+      passwordFile = secrets."podgrab/password".path;
       port = 9598;
     };
     # Regular backups
@@ -126,8 +125,7 @@ in
     # Torrent client and webui
     transmission = {
       enable = true;
-      username = "Ambroisie";
-      password = my.secrets.transmission.password;
+      credentialsFile = secrets."transmission/credentials".path;
     };
     # Simple, in-kernel VPN
     wireguard = {

machines/porthos/ssh/drone.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDWVUvOT1/triPcj7wiLAmiVkPZ71crySbReetHaGxMYYdKNFurJQsP6BqsdCAwrGbduLUDJovLtjOM7SxghjkGqh2RZucj/zqpja8YoFqYTcLutlqa1NwUqQTq21azKBDSdvkBPWWyZhOKssnag+0bZRN3vVajoDrwAU6zJLhHh9eNESTEytAnZnllXsHB1dKF1p7FWVwYTGAc1PdHHSQNMkjg9aCM+VBzTHhp8nF+GOtGzt0A0XnoZGdhn6KqhKyH7KxwPMmeD3RNeCEmQY/TXjthOx/mBkgTEa8LWOBxdy/Rs6edUenvPcQ5tK5nX0GSxxqtbORlhT+tGiqq1UHeIUhXirBUaS7pnDo+Edc0m8ruLcwHwyQ5yVn2ts3daKxb87+PyjYiRxxeQXvbF84ef7ZOkLTEn0tnftFHLqszBfOjoV1DmMNSWPDULD3krObzNbr1I0xHE7bDRXw2t8L1cwHOLHTL9KwsTCw1d25JSxINp2wAZxlGVZLXoXVMKTjfx1xSGbUuRzA1Q6+1IH9WDvSSixDzvc2Dqnj91/xardivApK+T+OxTBurwWsxzEezIAbTCpoKW9ulzu06xWGWhxATkzUmVh/qhFUHAVlmhEvn0KqlYbWteEcUxgKS1uSAoA6+pZh5NMG1u1hLEktBQbDnS0VdyKYBUHZidLuR4w== ambroisie@porthos

machines/porthos/users.nix

@@ -10,6 +10,6 @@ in
     group = "nginx";
     createHome = false; # Messes with permissions
     home = "/var/www/";
-    openssh.authorizedKeys.keys = [ my.secrets.drone.ssh.publicKey ];
+    openssh.authorizedKeys.keyFiles = [ ./ssh/drone.pub ];
   };
 }

modules/default.nix

@@ -4,8 +4,9 @@
 {
   imports = [
     ./hardware
-    ./home.nix
+    ./home
     ./programs
+    ./secrets
     ./services
     ./system
   ];

modules/hardware/default.nix

@@ -3,11 +3,11 @@
 
 {
   imports = [
-    ./bluetooth.nix
-    ./ergodox.nix
-    ./mx-ergo.nix
-    ./networking.nix
-    ./sound.nix
-    ./upower.nix
+    ./bluetooth
+    ./ergodox
+    ./mx-ergo
+    ./networking
+    ./sound
+    ./upower
   ];
 }

modules/home/default.nix

@@ -14,7 +14,7 @@ in
   config = lib.mkIf cfg.enable {
     home-manager = {
       # Not a fan of out-of-directory imports, but this is a good exception
-      users.${config.my.user.name} = import ../home;
+      users.${config.my.user.name} = import ../../home;
 
       # Nix Flakes compatibility
       useGlobalPkgs = true;

modules/programs/default.nix

@@ -3,6 +3,6 @@
 
 {
   imports = [
-    ./steam.nix
+    ./steam
   ];
 }

modules/secrets/acme/dns-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg 0bz3W8QcGaulxy+kDmM717jTthQpFOCwV9HkenFJEyo
+NKeh1/JkX4WAWbOjUeKLMbsyCevnDf3a70FfYUav26c
+-> ssh-ed25519 jPowng Q59ybJMMteOSB6hZ5m6UPP0N2p8jrDSu5vBYwPgGcRw
+j420on2jSsfMsv4MDtiOTMIFjaXV7sIsrS+g4iab+68
+-> z}.q-grease s2W<qM_Z t
+n1Yfs/gmNsl/n9HtuKBIIT8iwIjYca2yxlh7Q1XAT1B+RZ8oGjW8yCPj1unbDGZL
+e5BfLO3zgkEZnQ
+--- FSgNKEdDeeTjCx9jN9UtOFl58mC/Lbu1PAYRGK0CZW4
+U€¿+æ©jïÝ{gø`GŽ›ÆàˆR¾Qk]šóïdÐ6å˜ú‚y5T²$Äñs~Ùh‰Ä£òÔ<C3B2>Fº¢ç%°vöÌm<C38C>

modules/secrets/backup/credentials.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg YlDuj9wwBKSHHvQOhfti1ah95vxDV3bLE+GElBkyTB0
+KsMyd3L4GaQa0eDQps+bJXj+cpy0zUNvFXU8NAmtThI
+-> ssh-ed25519 jPowng JB4UtNyZab4ab4Pep3acyMjwCbluuEPuI6YOQ/045Fo
+P9qnrPDGpHJL1TyNqYdNfqkd21Yjn/5mlovorWy60j4
+-> _6l|s-grease M ]2qMsa'w P] j0EE
+W3CToUTg
+--- 8aWYUi33mEIKFcFbphlDZumnBu9Xbj+j18dQbElx1v8
+3$m(ø<>äÂTK±î·”eAZâ>dn:-­Òí‚¥ˆÅh.›(<28>¶U²!rìx	D3ô‡4Ø93~È»f{üƒšL¸ÎþÆ£ÃØ>Þß^v›l—¡Î-=„í¯ä£<C3A4>ÉU'â»(,µ#;¤ªHñÆ@M%|ʦ

modules/secrets/backup/password.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg dgS4bezgtDi44R1A8am+J6zh80kUVYTo1heaxJCtzX4
+F3w/62xwtqYa40NU7OvF9pnZzYz/5hACAGJfMA4e2zw
+-> ssh-ed25519 jPowng lx81CK3yeNp9RjHCUFJeKYZlRzxBmXuADVBvRc13zCI
+P7e75t8xU+ZkYmeQ8mmMfyZZsRdG1J8yrvSUkiWzkFQ
+-> *z4/`-grease S/)a{e sFd";=
+--- 15FVhqRTkoPFEeETRRyFQhsv4Fn19Ozlax0u8Zy9mNA
+õ#+¥àÎvøSÈ4èá}<7D>§Rì%‹Î¯F4fnDœ˜J¹¤Z‹¸A¥Û™,_

modules/secrets/default.nix

@@ -0,0 +1,29 @@
+{ config, inputs, lib, options, ... }:
+
+{
+  imports = [
+    inputs.agenix.nixosModules.age
+  ];
+
+  config.age = {
+    secrets =
+      let
+        toName = lib.removeSuffix ".age";
+        userExists = u: builtins.hasAttr u config.users.users;
+        # Only set the user if it exists, to avoid warnings
+        userIfExists = u: if userExists u then u else "root";
+        toSecret = name: { owner ? "root", ... }: {
+          file = ./. + "/${name}";
+          owner = lib.mkDefault (userIfExists owner);
+        };
+        convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+        secrets = import ./secrets.nix;
+      in
+      lib.mapAttrs' convertSecrets secrets;
+
+    sshKeyPaths = options.age.sshKeyPaths.default ++ [
+      # FIXME: hard-coded path, could be inexistent
+      "/home/ambroisie/.ssh/id_ed25519"
+    ];
+  };
+}

modules/secrets/drone/gitea.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg vLLu1kbzyGxr5sU/Dl4xf0uGO+gVsvODiqEJU21lwyI
+LbJO4Go+8G7/UtFWjv+x7Nqhn7n+kge/oHP8dGCBnM8
+-> ssh-ed25519 jPowng obxX4ojPwp/DaerFzVbK5hUnshebh/chriT3a7uqYEw
+x9jpbBefJZHz8o1lEkr48XhT7sVAM5tq3tZ8M91CDDo
+-> eZ.G`B3W-grease 6k|.\v
+D0u3P4oCpPNnueqZAAYn71xEUGWlavwLTrEXJ+2tdYOX6BwwFReOlMZWIA+FikmZ
+8Pg7dHnbYPWc33jMjv3UnNsxCGUsDw9C9NkI5vfZSLvUxQ
+--- Cea09ivsGZeoWif7xbdrvfoGsoiD+tRh7HQsOL75cqE
+t‘Fa˜|GÐ, ìoå6Öù$ë×ý…U«"âwiß¹ªÈS½Ó¿î›wà×ghµ6^Ð*=¬¦©[¬g1%çVuäápû©-›™ï{›`ÑPÅ(?&¼QV#îKeåX•4dß÷KÞ:šxt‰0LsbÆ6Þœßü Ð[¡ #E[¬í•¹ì>Ë)|cwÅëÑqŸÊö+cÄõ¶þÕw1$ÓÌý×Ò^I(wGÕ¡ç9>jIâ(yÌ!@O«ƉkE¼z]áí«Pk

modules/secrets/drone/secret.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg 1+cLlzctgcM0FnVDwMPOAqBkvMcDBRg8SvCw4djI93Y
+oV2XI4f1AvM9P591kZZ6NgJXa+SDtqGzCSgc4psOmxM
+-> ssh-ed25519 jPowng Ufjfh1p350XxRPg95+/DHdmnl4lC0bbzUUlaxd1Bmxc
+/RHwFDSn2ov+60r1uHUigrsn99+GmmKmlk4h4T2gbA0
+-> *Lc$@-grease
+pzVJAHy1qRq3jUrnFV0DDO7/hwV1US4Ogf0RsrVfX0xzbr73uJ003YjieVB25LqN
+--- ME7/iVevyiguyhXugbkVFGzJV0yDccyKNlWbEZa/FmY
+YžŠXjb2uþnd;i0íýX]…§é0–þjé’L„PÔT~óú ƒÙ^kc”$D×ÚÛr¹úu³¶fr€e¸OÕ¸þ<C2B8>+p•¨<E280A2><C2A8>&ãw®öϨ

modules/secrets/lohr/secret.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg HCVbkI26JjkBgm1L2cpunVui0PfHLNfnx6VczErF3A4
+3jEHfT6wUqNNFZFaVeiNBUhSKZmuKclPmubDMsda5O8
+-> ssh-ed25519 jPowng SyClv9kGtjRKSXdig27tiqp66wD1T8QsHeOD2JQl4QA
+8zdtfSJEh5/bfu5tb6M8Jgy5CZPiWD8TLQDpzp6cTr0
+-> 3r2-grease
+Lg/G911eZjeZTw5xhqje26vDfJkcSro+gKQ5SUboxLMnaibNi1qTeRLR
+--- Q5/fikhVPoK+NFujTso5V7cty4k/dQlzFlz5z9DkzYk
+øt/ŒW‹AMuˆ"Þêð´—<>ó-!@›¨E1¯”<C2AF> äR[eŽ’hÖû3
ëŒÉÐScoÝBt1TýØb¨äÀ3möP×Tc¤feP

modules/secrets/matrix/mail.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg lmu3MinmydRHD0A/YVRRtopermfoBC8M8cTHfVanY1s
+ygrtpZZJ7aeQTblNazpoP7DdifmDxHsE3DFJsIrWX5M
+-> ssh-ed25519 jPowng X0cihOc+fBtmtrkEivIHQngdYIobezXEF1x+pHqNzAw
+/+sw9x1NWY0anZhDMpAywBPrR0F4XCHaF9e8j/Yo/kI
+-> 32;%1s-grease
+JafjuSZty6a4NSO/y4y5wHWL8Mw
+--- dwCl66vdpsL0MR5NWWvg3JUnQ2QZQBeW0Dj0l5tvOKY
+oi,`ÓÜ#uÄwW%PoubÚ­cy8<79>ó
ƒÃÉ><¿F‰Ååq…ÂKÂÇk0Çk/<2F>hÀ¥Ÿ5势ÝF+ýu‡ •e€<06>¾Ÿ²óôbãè>1QŠ2®ñwn˜WbÖ–B˜âî<C3A2>iŸ^xurâ†-/llùÒÀÀ-ã=°7;jã0»I×%Fi¼<69>í€ø‹™A;Y†ìUd]KÅI0(½ ”øAg£Ðóž^†uG:äpkJ’Ÿ:q<>¢šWSaLw¯¿Ô!ïM
³4ã L/ùZŇ®¢D¶-XéUb»‘vÊbP‚ó›0ÇÅfÂ9êú<08> †âJ`ÃX°ôÐOÅ!s›{ÙÄQAšc€c;ÏÃÑ‹4öMíچݹlxH&ïéöé{é}ÁäÛzZ¦œ‚9ûÊXžÜ“g‰]Vϱ•0gt¡¿…žw·

modules/secrets/matrix/secret.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg ociW6AZww4nfW0Dw0DB0WNgQbJ3MNkHPPZlA0z+o/mI
+THAz89pjyrkxJB9tPQGgEwZrZX9OudWMnyzr0JiwzTA
+-> ssh-ed25519 jPowng 1werbtuWK0DUFxq9mAWp/QzMHC1B8UfadutvK6+j9XE
+YmAwYo3X00gMB9AyQfOsR82CUPAtxfuzCzP4OyYFxjc
+-> 8g-grease N9DR4 .U<
+--- Cwh2hPrM2RzRroJRw3XrP1khcpL0leTXfJ+T7WG57To
+¡Â±jÏ°LæDFºðÔ xux<75>
ý1
+U/âàoÚGgoãË)Çê÷*Þï/Ç”dÈ"L#
RõÄhWPÛÍû«

modules/secrets/monitoring/password.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg OdLtFHbHbc28rUn47vgsVvXxFNg9nF+9y9R6XOK390Y
+yQQYUPQGjN2+xrSqqBYa7/zS618KrVjX5Amw2MFuSLg
+-> ssh-ed25519 jPowng NwUjiLtiXVi6XFmht5l1CxEs3gm0oN4vHYwDZyda7Q4
+di6znVjNRO6QdqteVNkeot5Ko2NwWLe6v+zVR3f+o10
+-> 4Vx%\(-grease ^^Z>EC91 R 2BJ d48Wip*s
+yPiBgChRF31XgxccQFLO3MzRL7+5s29sfRoF3W1yUX6Bu59MpxD4D+n/jhLcxSH/
+CxW7KaiOctNmPm5tWh6qjmgQ+V4bcAji5vo4FKs40l56cfyueEJj+Q
+--- WUGF28zqK9E1AlOeeCtSHxFg6ikRy85gOoLtBd4m0y0
+.|…rr>©†ðìì1ÅÆ2SÉž.×hw<12>wqºš%i˜øé	‚*U^­)Öè'qžµ›O2ÓœümòQÝ7˜¯m`

modules/secrets/paperless/password.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg zhpo89xef68JoeOFWzhdFshrj2BXXUCFPMLVJzv6EyE
+fmJxJi5rmyai9qGwDo7iHg4BrObGre96KCpl+g91O6I
+-> ssh-ed25519 jPowng INA6EZdy4J1p3QY5mfVOQXiLdOjIDaZR+CZMP+GfkXM
+8Nf5soaxY5SEzeJca5kaJkx7ByOvc4NkJVetB7wpEmo
+-> xjK'w-grease
+f5v0cvlt4JbHlAwDOob86qOInWdlN/oohTg
+--- NTGv4rr+MhJ/YeZhVHOjoS1V+zCHFf2itJYfK36R+wE
+š×—®JÚ dő– oŞę'YFUź@
+r7”ă“_N$‰˙Ź–č‡>‚ˇę]hq»-¨FŰ°qX˙?Î|?µĘ

modules/secrets/paperless/secret-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg tZwn2usN6K62oS4vBa6boh9zEp/+cS4chP8boXG6SH4
+Fr3kV8gUDoiDqMxPYWsHyww8umYhQEKhqbVBiVw5NeI
+-> ssh-ed25519 jPowng wRbJl4G85obH/GluQBBsXE7MOvooEui65eqHfurvuQs
+KqVZMBSyHhkayEdwI6ocmA4qhHY9zYJvg1CEKM1SOa0
+-> 2E"/OFW-grease o Qp3HFe^
+bGhCNicPqt7txqxUiEWXCFs1OuQLqOqHmjHSqYQv919dqYep/xBXzi/aRf3dsdvh
+TCJCTvZG31Qxvikp
+--- xKJGbdVp+Z5h0vCBleSF2zYYYd2S5i0y4szNqjRwrDY
+Tª
/N¯<4E>¨¹i7m4‚#³MhiñP¹šÒÞ›Á¥-ÏgI÷ñ±%@E†(›i
ÿ7·ý©ýYg¦k±´"+㸠Àª(þ]o¨¸–ý†ð<E280A0>@báÊÞ§+Ï[‚Y"ÿ‘ÌBóóCR[ >-Ë.4d…¤b9v

modules/secrets/podgrab/password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg 8rcBI7fYHuA3jO6EzJNFaAj2niIApKDt1HQEv61AKTs
+ANxkIX/CeI7t7Zqp6wmjt/D194Z+xpeiidb+qvYzoQU
+-> ssh-ed25519 jPowng oruewwTM9X/HjjcmOPcQVdp02rQBlgJPdzvlAffs3T0
+MrO0kaNhjgOkNHuz3NrIMWXNrXOHH9dT/Fk6hoQNKyY
+-> COK%H7-grease
+6yfI90QurOKlM+kgpW8KZ/iBzDYD9yhNmjG1LQ
+--- uArz8eHg8sLO0sdlkM6cELFh+FHiI5BrM0+iXJxxiDo
+¿vývû´ÊNÊbæ@Ÿ¡Â<C2A1>FÛMMíYËÆíÌ&‰’/%¤¹Ñm¨®ØtÁÖ“ªd†h„­|¡ðŒß©8¼Ž Ú½¨9‚®<11>Cã¯/Å

modules/secrets/secrets.nix

@@ -0,0 +1,59 @@
+let
+  # FIXME: read them from directories
+  ambroisie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIVd6Oh08iUNb1vTULbxGpevnh++wxsWW9wqhaDryIq ambroisie@agenix";
+  users = [ ambroisie ];
+
+  porthos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGzznQ3LSmBYHx6fXthgMDiTcU5i/Nvj020SbmhzAFb root@porthos";
+  machines = [ porthos ];
+
+  all = users ++ machines;
+in
+{
+  "acme/dns-key.age".publicKeys = all;
+
+  "backup/password.age".publicKeys = all;
+  "backup/credentials.age".publicKeys = all;
+
+  "drone/gitea.age".publicKeys = all;
+  "drone/secret.age".publicKeys = all;
+  "drone/ssh/private-key.age".publicKeys = all;
+
+  "lohr/secret.age".publicKeys = all;
+
+  "matrix/mail.age" = {
+    owner = "matrix-synapse";
+    publicKeys = all;
+  };
+  "matrix/secret.age".publicKeys = all;
+
+  "miniflux/credentials.age".publicKeys = all;
+
+  "monitoring/password.age" = {
+    owner = "grafana";
+    publicKeys = all;
+  };
+
+  "nextcloud/password.age" = {
+    # Must be readable by the service
+    owner = "nextcloud";
+    publicKeys = all;
+  };
+
+  "paperless/password.age".publicKeys = all;
+  "paperless/secret-key.age".publicKeys = all;
+
+  "podgrab/password.age".publicKeys = all;
+
+  "sso/auth-key.age".publicKeys = all;
+  "sso/ambroisie/password-hash.age".publicKeys = all;
+  "sso/ambroisie/totp-secret.age".publicKeys = all;
+
+  "transmission/credentials.age".publicKeys = all;
+
+  "users/ambroisie/hashed-password.age".publicKeys = all;
+  "users/root/hashed-password.age".publicKeys = all;
+
+  "wireguard/aramis/private-key.age".publicKeys = all;
+  "wireguard/porthos/private-key.age".publicKeys = all;
+  "wireguard/richelieu/private-key.age".publicKeys = all;
+}

modules/secrets/transmission/credentials.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg mP2H3PWJN6Pv3q6C2wci3KnXjtFAIiuGy0YH0sGIy2g
+f43QqyUQfTYznszub47kgc2Mz95zVScTDkwnG3INi9U
+-> ssh-ed25519 jPowng fENbu7+FZ1mnQQHQCLm1spLHmsQGlRoJResUJtGzYkY
+hX+AqCkLCca6m/aKtGCThi7/mCCz/TZQNJNOlOmlqyA
+-> J<-grease
+n7+CPRr4oazWnE7yzpJN2ZAI4QrGsAerloP4wNeebjQDx8+IxJq1JE0g3Yi0RxzN
+chDccuSPLYk45Ov+SD/qqqFZlQ
+--- p81HYw3LFj+qz2kiZsDcevM4ZBfvN743P9Jdi7J9XkM
+‚¢ìÛ±S·7 <EFBFBD>‘ý£÷ÜãV»»Bðßâø±³ˆ¶ïO‰lEt˜‹Á…šqý</Ç—Ø©9²ã(ØP†$Wƒ0h;÷‰±àJy¯feø‚ >·_D,PºVFp\æ"AM}èg?<3F>ÿ<EFBFBD>Ý/\²Ä;ùy’¬Óš(<28>ÑSñKË

modules/secrets/users/ambroisie/hashed-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg vOaL2ZKsFEjX9mzQvw8Je7x2Dq8cMhrZEyBTXpH4QnE
+HXO4fbWdJsbsRmGq0IYzq8/szObxzpsGfQNNTJ4vNzg
+-> ssh-ed25519 jPowng WPxg0pP6O3ZS4dPc1WcDvzig22Fylk3mR/W9STaWbW4
+GuhFwt7M5Lc38q2LC/0eul0yP60UxmWwi9I8ToHv7bE
+-> :;V8\-grease ZC#7~eR# P<'e?vI3 9R
+lZlb44QiAaIxd0SYiRNT/QRnxxUt7npbksg
+--- 9xv4lt8IcGR8jP0UcKYYnTuh1Ix/pqXgDmevkTH9j1A
+Ï]ºcÓ3óxíwÿ'ã	`<0B>ùhçÒ=X¨í·¢Ç‘g3ÆÆÄ]~ËôÞqÙ.XnÄa*€±W:<3A>–¸±,â©z®vyzñI¦æ }ÂDO=`êw“ñõ¹ˆ7:™ù“ÐRx•5$¨Ö6:ö¨´"õ,HM„<4D>"
_ëÞòMÛMƒœˆBJe‰ùFá

modules/secrets/wireguard/porthos/private-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg +WwRpd2MzycutQFXyLsr2+GzSgF67Z6UuvyqYZaLd3w
+sppt8HzaZP3yxnvnhzjl18Trnz8g3VyXJ6CaVBWd7jA
+-> ssh-ed25519 jPowng wanoqGB7T8bim/WZ4IAYViFQoGzaIZSgeoTr3YKpeTY
+ihDAdGa1XVW/qQz40V1v7a7iK7tu0EHMa7ayIogpcRw
+-> l-grease |PIcZ NIr >0;*
+4o8o0bevQZ6uDSx1WxxlDCURbFCM+yK1XPdrb9aztCSvG2a+ne78E42l5rBcoH7I
+m51A8uWS4nSj36N/76v6K4kelxKzWUg
+--- O6cGbTAVbDcdmPHf7UzfZiyiRtu1yfL4sBI+CkJA1qw
+ý
qýŐ$ň`żw'čS“X¸]Ąá÷ř®úî…?¤6‹Đ/ĆN(Bžň N«a”.˙ HŽ7żí•I<E280A2>ú÷Ŕoz‡/4:sK",7J

modules/secrets/wireguard/richelieu/private-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg rYhrpoTaFjLBGtbCXxEK7jZa+KnriEV/kWViIEjmuQs
+jHMSjxKIIqjUnpAcEo3JgsieI1iiA5/gKEx8+QFhDgY
+-> ssh-ed25519 jPowng 6sQQFvSbWdjgDYSKmJ/CBG+BTzxFghX4SaJ4GyACKWc
+OABJuh+Ta8q+G0onF/9bz3xxv4zTlHYlF4AjC5P6Y6I
+-> xwW|#D`-grease $xYH C m8lBk9
+OBqgvLNIurE0qNaSB7dO2/6dQkVXeLgf/3l9gGlRJ6ynhqwmbXOUa0vyj+OBz27O
+uI97+0y1TFAs3HN0Y8nj8LrwsafbDENu99JuVow2OuLKeSqc7sxOQQ
+--- 9filSHStPTJJGDLY7AWzIXu/6tK4X0okT522sc4OJTc
+M{ｲ顗仭$ｹ:Nﾙ災[ﾝｶｬ2xy8&腴_{RﾜLX<4C>W√€<E2889A>ｻxﾑ*Pr`ｾUｲp<EFBDB2>Jﾉ枇鵲#藝ﾔ<E8979D>ﾗ<EFBFBD>覬粘	s

modules/services/default.nix

@@ -2,33 +2,33 @@
 
 {
   imports = [
-    ./adblock.nix
-    ./backup.nix
-    ./blog.nix
-    ./calibre-web.nix
-    ./drone.nix
-    ./flood.nix
-    ./gitea.nix
-    ./indexers.nix
-    ./jellyfin.nix
-    ./lohr.nix
-    ./matrix.nix
-    ./miniflux.nix
-    ./monitoring.nix
-    ./navidrome.nix
-    ./nextcloud.nix
-    ./nginx.nix
-    ./paperless.nix
-    ./pirate.nix
-    ./podgrab.nix
-    ./postgresql-backup.nix
-    ./postgresql.nix
-    ./quassel.nix
-    ./rss-bridge.nix
-    ./sabnzbd.nix
-    ./ssh-server.nix
-    ./tlp.nix
-    ./transmission.nix
-    ./wireguard.nix
+    ./adblock
+    ./backup
+    ./blog
+    ./calibre-web
+    ./drone
+    ./flood
+    ./gitea
+    ./indexers
+    ./jellyfin
+    ./lohr
+    ./matrix
+    ./miniflux
+    ./monitoring
+    ./navidrome
+    ./nextcloud
+    ./nginx
+    ./paperless
+    ./pirate
+    ./podgrab
+    ./postgresql-backup
+    ./postgresql
+    ./quassel
+    ./rss-bridge
+    ./sabnzbd
+    ./ssh-server
+    ./tlp
+    ./transmission
+    ./wireguard
   ];
 }

modules/services/drone.nix

@@ -1,194 +0,0 @@
-# A docker-based CI/CD system
-#
-# Inspired by [1]
-# [1]: https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone.nix
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.my.services.drone;
-
-  hasRunner = (name: builtins.elem name cfg.runners);
-
-  execPkg = pkgs.drone-runner-exec;
-
-  dockerPkg = pkgs.drone-runner-docker;
-in
-{
-  options.my.services.drone = with lib; {
-    enable = mkEnableOption "Drone CI";
-    runners = mkOption {
-      type = with types; listOf (enum [ "exec" "docker" ]);
-      default = [ ];
-      example = [ "exec" "docker" ];
-      description = "Types of runners to enable";
-    };
-    admin = mkOption {
-      type = types.str;
-      default = "ambroisie";
-      example = "admin";
-      description = "Name of the admin user";
-    };
-    port = mkOption {
-      type = types.port;
-      default = 3030;
-      example = 8080;
-      description = "Internal port of the Drone UI";
-    };
-    secretFile = mkOption {
-      type = types.str;
-      example = "/run/secrets/drone-gitea.env";
-      description = "Secrets to inject into Drone server";
-    };
-    sharedSecretFile = mkOption {
-      type = types.str;
-      example = "/run/secrets/drone-rpc.env";
-      description = "Shared RPC secret to inject into server and runners";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.drone-server = {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "postgresql.service" ];
-      serviceConfig = {
-        EnvironmentFile = [
-          cfg.secretFile
-          cfg.sharedSecretFile
-        ];
-        Environment = [
-          "DRONE_DATABASE_DATASOURCE=postgres:///drone?host=/run/postgresql"
-          "DRONE_SERVER_HOST=drone.${config.networking.domain}"
-          "DRONE_SERVER_PROTO=https"
-          "DRONE_DATABASE_DRIVER=postgres"
-          "DRONE_SERVER_PORT=:${toString cfg.port}"
-          "DRONE_USER_CREATE=username:${cfg.admin},admin:true"
-          "DRONE_JSONNET_ENABLED=true"
-          "DRONE_STARLARK_ENABLED=true"
-        ];
-        ExecStart = "${pkgs.drone}/bin/drone-server";
-        User = "drone";
-        Group = "drone";
-      };
-    };
-
-    users.users.drone = {
-      isSystemUser = true;
-      createHome = true;
-      group = "drone";
-    };
-    users.groups.drone = { };
-
-    services.postgresql = {
-      enable = true;
-      ensureDatabases = [ "drone" ];
-      ensureUsers = [{
-        name = "drone";
-        ensurePermissions = {
-          "DATABASE drone" = "ALL PRIVILEGES";
-        };
-      }];
-    };
-
-    my.services.nginx.virtualHosts = [
-      {
-        subdomain = "drone";
-        inherit (cfg) port;
-      }
-    ];
-
-    # Docker runner
-    systemd.services.drone-runner-docker = lib.mkIf (hasRunner "docker") {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "docker.socket" ]; # Needs the socket to be available
-      # might break deployment
-      restartIfChanged = false;
-      confinement.enable = true;
-      serviceConfig = {
-        Environment = [
-          "DRONE_SERVER_HOST=drone.${config.networking.domain}"
-          "DRONE_SERVER_PROTO=https"
-          "DRONE_RUNNER_CAPACITY=10"
-          "CLIENT_DRONE_RPC_HOST=127.0.0.1:${toString cfg.port}"
-        ];
-        BindPaths = [
-          "/var/run/docker.sock"
-        ];
-        EnvironmentFile = [
-          cfg.sharedSecretFile
-        ];
-        ExecStart = "${dockerPkg}/bin/drone-runner-docker";
-        User = "drone-runner-docker";
-        Group = "drone-runner-docker";
-      };
-    };
-
-    # Make sure it is activated in that case
-    virtualisation.docker.enable = lib.mkIf (hasRunner "docker") true;
-
-    users.users.drone-runner-docker = lib.mkIf (hasRunner "docker") {
-      isSystemUser = true;
-      group = "drone-runner-docker";
-      extraGroups = [ "docker" ]; # Give access to the daemon
-    };
-    users.groups.drone-runner-docker = lib.mkIf (hasRunner "docker") { };
-
-    # Exec runner
-    systemd.services.drone-runner-exec = lib.mkIf (hasRunner "exec") {
-      wantedBy = [ "multi-user.target" ];
-      # might break deployment
-      restartIfChanged = false;
-      confinement.enable = true;
-      confinement.packages = with pkgs; [
-        git
-        gnutar
-        bash
-        nixUnstable
-        gzip
-      ];
-      path = with pkgs; [
-        git
-        gnutar
-        bash
-        nixUnstable
-        gzip
-      ];
-      serviceConfig = {
-        Environment = [
-          "DRONE_SERVER_HOST=drone.${config.networking.domain}"
-          "DRONE_SERVER_PROTO=https"
-          "DRONE_RUNNER_CAPACITY=10"
-          "CLIENT_DRONE_RPC_HOST=127.0.0.1:${toString cfg.port}"
-          "NIX_REMOTE=daemon"
-          "PAGER=cat"
-        ];
-        BindPaths = [
-          "/nix/var/nix/daemon-socket/socket"
-          "/run/nscd/socket"
-        ];
-        BindReadOnlyPaths = [
-          "/etc/resolv.conf:/etc/resolv.conf"
-          "/etc/resolvconf.conf:/etc/resolvconf.conf"
-          "/etc/passwd:/etc/passwd"
-          "/etc/group:/etc/group"
-          "/nix/var/nix/profiles/system/etc/nix:/etc/nix"
-          "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
-          "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
-          "/etc/machine-id"
-          # channels are dynamic paths in the nix store, therefore we need to bind mount the whole thing
-          "/nix/"
-        ];
-        EnvironmentFile = [
-          cfg.sharedSecretFile
-        ];
-        ExecStart = "${execPkg}/bin/drone-runner-exec";
-        User = "drone-runner-exec";
-        Group = "drone-runner-exec";
-      };
-    };
-
-    users.users.drone-runner-exec = lib.mkIf (hasRunner "exec") {
-      isSystemUser = true;
-      group = "drone-runner-exec";
-    };
-    users.groups.drone-runner-exec = lib.mkIf (hasRunner "exec") { };
-  };
-}