finish migration from sops to agenix for kestrel

2025-02-19 19:27:31 -08:00 · 2024-07-21 12:23:19 -07:00 · 2024-07-21 12:23:19 -07:00 · 017dc9f6e1
commit 017dc9f6e1
parent 92bbe4d059
8 changed files with 26 additions and 111 deletions
--- a/provision/age-secrets/secrets.nix
+++ b/provision/age-secrets/secrets.nix
@ -7,4 +7,5 @@ let
 in
 {
  "git/github_personal.age".publicKeys = users ++ systems;
  "wireguard/kestrel.age".publicKeys = users ++ systems;
 }
--- a/provision/age-secrets/wireguard/kestrel.age
+++ b/provision/age-secrets/wireguard/kestrel.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 c/r/0Q KriaXwwwYpEr689PVJe0qCiK1WDblJD/boDwH+uTHCY
 gHKQjeASR+ZPAKa7Ph1PplSHBoeyXMI2Ag/hUkFyNvo
 -> ssh-ed25519 Fz/sQw dZH3A+0pULWs0Div+YLaQN/wjozElJn5dhotvYV98DQ
 XU0mv/c5/jx5h9vQ6D+SuJVX5wasv8OPvhMy4NLHSF8
 --- 8Bz5sfpZmMuEYmUkGmfZ6ZhDRfEBbSrPnWUuVqzLZxU
 ?I1<49>c‹lC-ÉÄ}’÷…énÁ¹‚’œ~]m±AK1LsM „¤K˜èoœÂ;r›ÈE¹hôÖÖÊ4UUW¶…à·…¿wbá*.
--- a/provision/flake.lock
+++ b/provision/flake.lock
@ -296,22 +296,6 @@
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1719720450,
        "narHash": "sha256-57+R2Uj3wPeDeq8p8un19tzFFlgWiXJ8PbzgKtBgBX8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "78f8641796edff3bfabbf1ef5029deadfe4a21d0",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1719075281,
@ -344,22 +328,6 @@
        "type": "github"
      }
    },
    "nixpkgs_4": {
      "locked": {
        "lastModified": 1719468428,
        "narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "1e3deb3d8a86a870d925760db1a5adecc64d329d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
@ -367,27 +335,7 @@
        "hyprland": "hyprland",
        "hyprland-contrib": "hyprland-contrib",
        "jovian-nixos": "jovian-nixos",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_3"
        "sops-nix": "sops-nix"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": "nixpkgs_4",
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1720187017,
        "narHash": "sha256-Zq+T1Bvd0ShZB9XM+bP0VJK3HjsSVQBLolkaCLBQnfQ=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "1b11e208cee97c47677439625dc22e5289dcdead",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "systems": {
--- a/provision/flake.nix
+++ b/provision/flake.nix
@ -11,7 +11,6 @@
      url = "git+https://github.com/Jovian-Experiments/Jovian-NixOS?ref=development";
      flake = false;
    };
    sops-nix.url = "github:Mic92/sops-nix";
    agenix.url = "github:ryantm/agenix";
    hyprland.url = "github:hyprwm/Hyprland";
    hyprland-contrib = {
@ -20,7 +19,7 @@
    };
  };
-  outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, sops-nix, agenix,hyprland, ... }:
+  outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, agenix, hyprland, ... }:
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs {
@ -37,7 +36,6 @@
            ./modules
            ./hosts/kestrel/configuration.nix
            ./hosts/kestrel/hardware.nix
            sops-nix.nixosModules.sops
            agenix.nixosModules.default
            home-manager.nixosModules.home-manager {
              home-manager.useGlobalPkgs = true;
@ -60,7 +58,6 @@
            ./modules
            ./hosts/shivan/configuration.nix
            ./hosts/shivan/hardware.nix
            sops-nix.nixosModules.sops
            agenix.nixosModules.default
            home-manager.nixosModules.home-manager {
              home-manager.useGlobalPkgs = true;
@ -83,7 +80,6 @@
            ./modules
            ./hosts/torus/configuration.nix
            ./hosts/torus/hardware.nix
            sops-nix.nixosModules.sops
            agenix.nixosModules.default
            home-manager.nixosModules.home-manager {
              home-manager.useGlobalPkgs = true;
@ -106,7 +102,6 @@
            ./modules
            ./hosts/bulwark/configuration.nix
            ./hosts/bulwark/hardware.nix
            sops-nix.nixosModules.sops
            agenix.nixosModules.default
            home-manager.nixosModules.home-manager {
              home-manager.useGlobalPkgs = true;
--- a/provision/hosts/kestrel/configuration.nix
+++ b/provision/hosts/kestrel/configuration.nix
@ -105,7 +105,7 @@
      terminal.enable = true;
      wireguard-client = {
        enable = true;
-        privateKeyFile = "/run/secrets/wireguard/kestrel";
+        privateKeyFile = "/run/agenix/wireguard/kestrel";
        address = [ "192.168.3.3/24" ];
        publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
        endpoint = "66.218.43.87";
--- a/provision/hosts/torus/nextcloud.nix
+++ b/provision/hosts/torus/nextcloud.nix
@ -4,6 +4,13 @@
    cron
  ];
  # nextcloud secrets
  age.secrets."nextcloud/password" = {
    file = ../../age-secrets/nextcloud/password.age;
    owner = "nextcloud";
    group = "nextcloud";
  };
  services = {
    nginx.virtualHosts = {
      "cloud.tstarr.us" = {
@ -37,7 +44,7 @@
      config = {
        dbtype = "mysql";
        adminuser = "admin";
-        adminpassFile = "/run/secrets/nextcloud/password";
+        adminpassFile = "/run/agenix/nextcloud/password";
      };
    };
  };
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
@ -9,30 +9,17 @@ in {
      inputs.agenix.packages.x86_64-linux.default 
    ];
    # git secrets
    age.secrets."git/github_personal" = {
      file = ../../age-secrets/git/github_personal.age;
      owner = "${user}";
      group = "users";
    };
-    sops = let
+    # wireguard secrets
-      ncHost = (if config.networking.hostName == "torus" then "nextcloud" else "${user}");
+    age.secrets."wireguard/kestrel".file = ../../age-secrets/wireguard/kestrel.age;
-    in {
+    #age.secrets."wireguard/bulwark".file = ../../age-secrets/wireguard/bulwark.age;
-      defaultSopsFile = ../../secrets/secrets.yaml;
+    #age.secrets."wireguard/adjudicator".file = ../../age-secrets/wireguard/adjudicator.age;
-      defaultSopsFormat = "yaml";
+    #age.secrets."wireguard/torus".file = ../../age-secrets/wireguard/torus.age;
      age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
      # Keys
      secrets."keys/github_personal" = { owner = "${user}"; };
      # Nextcloud password
      secrets."nextcloud/password" = { owner = "${ncHost}"; };
      # Wireguard secrets
      secrets."wireguard/kestrel" = { owner = "${user}"; };
      secrets."wireguard/bulwark" = { owner = "${user}"; };
      secrets."wireguard/adjudicator" = { owner = "${user}"; };
      secrets."wireguard/torus" = { owner = "${user}"; };
    };
  };
 }
--- a/provision/secrets/secrets.yaml
+++ b/provision/secrets/secrets.yaml
@ -1,30 +0,0 @@
 gitea-runner1: ENC[AES256_GCM,data:mS41F7iAiITBrlOsrU+r3KCXBek5maoBtrVoTLwc2xGvyyiuyt6lDQ==,iv:YqctzGA3AjCJa9kl6eJ5ILzmfQcSMeNYx1t6UiD3T00=,tag:cyyN3Orsx0qTojOdQdM4Eg==,type:str]
 nextcloud:
    password: ENC[AES256_GCM,data:qI3PV8ybqKQ=,iv:aXQyTUQ9twlmMx3j01cfk6gy/1fAfUxjYXs5QXPUTjU=,tag:kY+lM1qGm+8OCKgDnXZwSw==,type:str]
 keys:
    github_personal: ENC[AES256_GCM,data:JQ0l0VNKjgf2yq7nZSED+6gf27ILfkvkdJkcsBLcX0K5isogtlF8Y8zI28dqLsSmriHf7L52fy3LjXDVkxXl8XupyPxJF3roeAxtj2rwXhVxMkAAEcWCaFUpa1UI5I2LIV2Ne32Ug6I5CKLlEzWXs7AImYJmmw0B6cn1hPyHJKc0I0My5A2b6LJq5J7mrJJ+PnybDNPW7QvZ0hIcqjNIXv1gcf9XMo6RU0dYnnRJaf6w/D5Nvrj15OG6oCe2C7e7O+JjgjQahUOOTlp1/5bbTW5ZDWEUxIn4llCsrkjjdKkYrCmYhQ45NLk+ZpWgXJZLgbfgc25nUOiLOoGbxO7kXienrY1y+t7/UA5AqKHj6575Iy5wN+P/XqzQ6ARkBh5Jy5gvrGFBtxcHml5J/j8ROJ9CoHmiT0jNycEll2yFcnIqAIbPqPuuu341sErFT33SMRzxKmlmyCCjaJrZB423NHqLiTA8oQ+mmkvOaE3cmuEU5oCT7OhL+RELbMNWjNOz7weNNgbt+fyy/U+VmtobLCllhRFDo0I/OFuFZ/UUqqEAAjv/NPk5V+7yCtBb9CmFROD9cG9xxx0mdkt8GHXYML7mIrCe/8ILKm3oWSVEA5w=,iv:0my7Q3Uog/nu3A3IprXuRAMTYmSv9YV1bo3BSAk2wlk=,tag:u41VgXeMBb2righhXUrPUA==,type:str]
 wireguard:
    kestrel: ENC[AES256_GCM,data:RLDesKMUtpurv+C2YkxMcbBdiP6cHHUGRCYkgO5Qf6FZLxl4vKRyhTdDzWc=,iv:V/9bpCMTT9YQ8QCNYdpfrhu0lc4Yt5Eu0DJMc0uZkNA=,tag:kFnN7GwT4UKqUyvOdlbXxg==,type:str]
    bulwark: ENC[AES256_GCM,data:wMMZ1zJ2nPvkAFA5SgcSyl1z+9blDqf/6pVp8olmGaXJsbWc+/gBtDKzTog=,iv:2lZdsFYZhiTumRmYN/q2606gpyS7lCjf4cgeaCIjoxo=,tag:o81+t3pRwfomEys1veQecA==,type:str]
    adjudicator: ENC[AES256_GCM,data:sK2e6miw5UDLV0RQa/pSoI3boKn39/z+jEI0OSGQjhv6PXqIx4HiEtZJptM=,iv:2XjVv5gxL+E0fCzi1/3I1bbxLBOAYzmtu5S4VlZwyxU=,tag:8cahB2CJ4YDN/LSGqWUPnQ==,type:str]
    torus: ENC[AES256_GCM,data:BPID5S71fSlwwu5HaYr25n1N7dznKCWx4CZ3VqppsC7Sc5envnGDm2nnqHU=,iv:8sYeuwxd4typ2n5xq0laQEwc1vc3cFbBx9B38q92/Z4=,tag:t7f8z/Jq3/fTNQasOOpgsA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age12g0gtcnhyaghs9vc5528yrstq4spe8p36fflhpwj79yz8jq9qg2s4v6mms
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RTFNMDd5K3Vza0plMFJr
            ZFdpZ2VWV2JEdE1yOUdtS1FLbFp3alpIR25NCkN0dVhYaFZkY1pUQWRhaEY0SjYx
            MFlaTjlYWFVLSnY1UmtJcmZobUZUUWcKLS0tIHBJb1lPRkJvcHNiVXhZeStuN2c1
            ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI
            3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-06-01T06:24:06Z"
    mac: ENC[AES256_GCM,data:Y1YgnChiZb7168RqY1jP1LTMXanOhBz9LK72/ZbKZTRf50pNIsbOyfsk377sSQ7eemvROT3gTeFtWaLlgtY2bujegPiMiHDoDoVwJGzw4uBynr6/YSjOsO1TBLcTraJUfUBebF++5DsEcOD1jql1EHZ5hL+hwaAZYo5IXuLjlw0=,iv:WHep872Z0lQTZ2gx2fz6zHWpVCniDmJ9yueUDi9I0AQ=,tag:FuSSpg0EUylWhNR7sMjwVg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1