finish migration from sops to agenix for kestrel

provision/age-secrets/secrets.nix

@@ -7,4 +7,5 @@ let
 in
 {
   "git/github_personal.age".publicKeys = users ++ systems;
+  "wireguard/kestrel.age".publicKeys = users ++ systems;
 }

provision/age-secrets/wireguard/kestrel.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 c/r/0Q KriaXwwwYpEr689PVJe0qCiK1WDblJD/boDwH+uTHCY
+gHKQjeASR+ZPAKa7Ph1PplSHBoeyXMI2Ag/hUkFyNvo
+-> ssh-ed25519 Fz/sQw dZH3A+0pULWs0Div+YLaQN/wjozElJn5dhotvYV98DQ
+XU0mv/c5/jx5h9vQ6D+SuJVX5wasv8OPvhMy4NLHSF8
+--- 8Bz5sfpZmMuEYmUkGmfZ6ZhDRfEBbSrPnWUuVqzLZxU
+?I1<49>c‹lC-ÉÄ}’÷…énÁ¹‚’œ~]m±
AK1LsM „¤K˜èoœÂ
;r›ÈE¹hôÖÖÊ­4UUW¶…à·…¿wbá*.

provision/flake.lock

@@ -296,22 +296,6 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1719720450,
-        "narHash": "sha256-57+R2Uj3wPeDeq8p8un19tzFFlgWiXJ8PbzgKtBgBX8=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "78f8641796edff3bfabbf1ef5029deadfe4a21d0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1719075281,
@@ -344,22 +328,6 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
-      "locked": {
-        "lastModified": 1719468428,
-        "narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "1e3deb3d8a86a870d925760db1a5adecc64d329d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -367,27 +335,7 @@
         "hyprland": "hyprland",
         "hyprland-contrib": "hyprland-contrib",
         "jovian-nixos": "jovian-nixos",
-        "nixpkgs": "nixpkgs_3",
-        "sops-nix": "sops-nix"
-      }
-    },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_4",
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1720187017,
-        "narHash": "sha256-Zq+T1Bvd0ShZB9XM+bP0VJK3HjsSVQBLolkaCLBQnfQ=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "1b11e208cee97c47677439625dc22e5289dcdead",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
+        "nixpkgs": "nixpkgs_3"
       }
     },
     "systems": {

provision/flake.nix

@@ -11,7 +11,6 @@
       url = "git+https://github.com/Jovian-Experiments/Jovian-NixOS?ref=development";
       flake = false;
     };
-    sops-nix.url = "github:Mic92/sops-nix";
     agenix.url = "github:ryantm/agenix";
     hyprland.url = "github:hyprwm/Hyprland";
     hyprland-contrib = {
@@ -20,7 +19,7 @@
     };
   };
 
-  outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, sops-nix, agenix,hyprland, ... }:
+  outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, agenix, hyprland, ... }:
     let
       system = "x86_64-linux";
       pkgs = import nixpkgs {
@@ -37,7 +36,6 @@
             ./modules
             ./hosts/kestrel/configuration.nix
             ./hosts/kestrel/hardware.nix
-            sops-nix.nixosModules.sops
             agenix.nixosModules.default
             home-manager.nixosModules.home-manager {
               home-manager.useGlobalPkgs = true;
@@ -60,7 +58,6 @@
             ./modules
             ./hosts/shivan/configuration.nix
             ./hosts/shivan/hardware.nix
-            sops-nix.nixosModules.sops
             agenix.nixosModules.default
             home-manager.nixosModules.home-manager {
               home-manager.useGlobalPkgs = true;
@@ -83,7 +80,6 @@
             ./modules
             ./hosts/torus/configuration.nix
             ./hosts/torus/hardware.nix
-            sops-nix.nixosModules.sops
             agenix.nixosModules.default
             home-manager.nixosModules.home-manager {
               home-manager.useGlobalPkgs = true;
@@ -106,7 +102,6 @@
             ./modules
             ./hosts/bulwark/configuration.nix
             ./hosts/bulwark/hardware.nix
-            sops-nix.nixosModules.sops
             agenix.nixosModules.default
             home-manager.nixosModules.home-manager {
               home-manager.useGlobalPkgs = true;

provision/hosts/kestrel/configuration.nix

@@ -105,7 +105,7 @@
       terminal.enable = true;
       wireguard-client = {
         enable = true;
-        privateKeyFile = "/run/secrets/wireguard/kestrel";
+        privateKeyFile = "/run/agenix/wireguard/kestrel";
         address = [ "192.168.3.3/24" ];
         publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
         endpoint = "66.218.43.87";

provision/hosts/torus/nextcloud.nix

@@ -4,6 +4,13 @@
     cron
   ];
   
+  # nextcloud secrets
+  age.secrets."nextcloud/password" = {
+    file = ../../age-secrets/nextcloud/password.age;
+    owner = "nextcloud";
+    group = "nextcloud";
+  };
+
   services = {
     nginx.virtualHosts = {
       "cloud.tstarr.us" = {
@@ -37,7 +44,7 @@
       config = {
         dbtype = "mysql";
         adminuser = "admin";
-        adminpassFile = "/run/secrets/nextcloud/password";
+        adminpassFile = "/run/agenix/nextcloud/password";
       };
     };
   };

provision/modules/system/secrets.nix

@@ -8,31 +8,18 @@ in {
     environment.systemPackages = [
       inputs.agenix.packages.x86_64-linux.default 
     ];
-    
+   
+    # git secrets
     age.secrets."git/github_personal" = {
       file = ../../age-secrets/git/github_personal.age;
       owner = "${user}";
       group = "users";
     };
 
-    sops = let
-      ncHost = (if config.networking.hostName == "torus" then "nextcloud" else "${user}");
-    in {
-      defaultSopsFile = ../../secrets/secrets.yaml;
-      defaultSopsFormat = "yaml";
-      age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
-
-      # Keys
-      secrets."keys/github_personal" = { owner = "${user}"; };
-
-      # Nextcloud password
-      secrets."nextcloud/password" = { owner = "${ncHost}"; };
-
-      # Wireguard secrets
-      secrets."wireguard/kestrel" = { owner = "${user}"; };
-      secrets."wireguard/bulwark" = { owner = "${user}"; };
-      secrets."wireguard/adjudicator" = { owner = "${user}"; };
-      secrets."wireguard/torus" = { owner = "${user}"; };
-    };
+    # wireguard secrets
+    age.secrets."wireguard/kestrel".file = ../../age-secrets/wireguard/kestrel.age;
+    #age.secrets."wireguard/bulwark".file = ../../age-secrets/wireguard/bulwark.age;
+    #age.secrets."wireguard/adjudicator".file = ../../age-secrets/wireguard/adjudicator.age;
+    #age.secrets."wireguard/torus".file = ../../age-secrets/wireguard/torus.age;
   };
 }

provision/secrets/secrets.yaml

@@ -1,30 +0,0 @@
-gitea-runner1: ENC[AES256_GCM,data:mS41F7iAiITBrlOsrU+r3KCXBek5maoBtrVoTLwc2xGvyyiuyt6lDQ==,iv:YqctzGA3AjCJa9kl6eJ5ILzmfQcSMeNYx1t6UiD3T00=,tag:cyyN3Orsx0qTojOdQdM4Eg==,type:str]
-nextcloud:
-    password: ENC[AES256_GCM,data:qI3PV8ybqKQ=,iv:aXQyTUQ9twlmMx3j01cfk6gy/1fAfUxjYXs5QXPUTjU=,tag:kY+lM1qGm+8OCKgDnXZwSw==,type:str]
-keys:
-    github_personal: ENC[AES256_GCM,data:JQ0l0VNKjgf2yq7nZSED+6gf27ILfkvkdJkcsBLcX0K5isogtlF8Y8zI28dqLsSmriHf7L52fy3LjXDVkxXl8XupyPxJF3roeAxtj2rwXhVxMkAAEcWCaFUpa1UI5I2LIV2Ne32Ug6I5CKLlEzWXs7AImYJmmw0B6cn1hPyHJKc0I0My5A2b6LJq5J7mrJJ+PnybDNPW7QvZ0hIcqjNIXv1gcf9XMo6RU0dYnnRJaf6w/D5Nvrj15OG6oCe2C7e7O+JjgjQahUOOTlp1/5bbTW5ZDWEUxIn4llCsrkjjdKkYrCmYhQ45NLk+ZpWgXJZLgbfgc25nUOiLOoGbxO7kXienrY1y+t7/UA5AqKHj6575Iy5wN+P/XqzQ6ARkBh5Jy5gvrGFBtxcHml5J/j8ROJ9CoHmiT0jNycEll2yFcnIqAIbPqPuuu341sErFT33SMRzxKmlmyCCjaJrZB423NHqLiTA8oQ+mmkvOaE3cmuEU5oCT7OhL+RELbMNWjNOz7weNNgbt+fyy/U+VmtobLCllhRFDo0I/OFuFZ/UUqqEAAjv/NPk5V+7yCtBb9CmFROD9cG9xxx0mdkt8GHXYML7mIrCe/8ILKm3oWSVEA5w=,iv:0my7Q3Uog/nu3A3IprXuRAMTYmSv9YV1bo3BSAk2wlk=,tag:u41VgXeMBb2righhXUrPUA==,type:str]
-wireguard:
-    kestrel: ENC[AES256_GCM,data:RLDesKMUtpurv+C2YkxMcbBdiP6cHHUGRCYkgO5Qf6FZLxl4vKRyhTdDzWc=,iv:V/9bpCMTT9YQ8QCNYdpfrhu0lc4Yt5Eu0DJMc0uZkNA=,tag:kFnN7GwT4UKqUyvOdlbXxg==,type:str]
-    bulwark: ENC[AES256_GCM,data:wMMZ1zJ2nPvkAFA5SgcSyl1z+9blDqf/6pVp8olmGaXJsbWc+/gBtDKzTog=,iv:2lZdsFYZhiTumRmYN/q2606gpyS7lCjf4cgeaCIjoxo=,tag:o81+t3pRwfomEys1veQecA==,type:str]
-    adjudicator: ENC[AES256_GCM,data:sK2e6miw5UDLV0RQa/pSoI3boKn39/z+jEI0OSGQjhv6PXqIx4HiEtZJptM=,iv:2XjVv5gxL+E0fCzi1/3I1bbxLBOAYzmtu5S4VlZwyxU=,tag:8cahB2CJ4YDN/LSGqWUPnQ==,type:str]
-    torus: ENC[AES256_GCM,data:BPID5S71fSlwwu5HaYr25n1N7dznKCWx4CZ3VqppsC7Sc5envnGDm2nnqHU=,iv:8sYeuwxd4typ2n5xq0laQEwc1vc3cFbBx9B38q92/Z4=,tag:t7f8z/Jq3/fTNQasOOpgsA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age12g0gtcnhyaghs9vc5528yrstq4spe8p36fflhpwj79yz8jq9qg2s4v6mms
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RTFNMDd5K3Vza0plMFJr
-            ZFdpZ2VWV2JEdE1yOUdtS1FLbFp3alpIR25NCkN0dVhYaFZkY1pUQWRhaEY0SjYx
-            MFlaTjlYWFVLSnY1UmtJcmZobUZUUWcKLS0tIHBJb1lPRkJvcHNiVXhZeStuN2c1
-            ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI
-            3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-01T06:24:06Z"
-    mac: ENC[AES256_GCM,data:Y1YgnChiZb7168RqY1jP1LTMXanOhBz9LK72/ZbKZTRf50pNIsbOyfsk377sSQ7eemvROT3gTeFtWaLlgtY2bujegPiMiHDoDoVwJGzw4uBynr6/YSjOsO1TBLcTraJUfUBebF++5DsEcOD1jql1EHZ5hL+hwaAZYo5IXuLjlw0=,iv:WHep872Z0lQTZ2gx2fz6zHWpVCniDmJ9yueUDi9I0AQ=,tag:FuSSpg0EUylWhNR7sMjwVg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1