updates for torus before rekey

2025-05-19 02:46:06 -07:00 · 2024-07-21 12:47:13 -07:00 · 2024-07-21 12:47:13 -07:00 · cb60c1dbe7
commit cb60c1dbe7
parent 017dc9f6e1
5 changed files with 27 additions and 19 deletions
--- a/provision/.sops.yaml
+++ b/provision/.sops.yaml
@ -1,9 +0,0 @@
-# .sops.yaml 
-
-keys:
-  - &primary age12g0gtcnhyaghs9vc5528yrstq4spe8p36fflhpwj79yz8jq9qg2s4v6mms
-creation_rules:
-  - path_regex: secrets/secrets.yaml$
-    key_groups:
-    - age:
-      - *primary
--- a/provision/age-secrets/git/gitea-runner-1.age
+++ b/provision/age-secrets/git/gitea-runner-1.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 47GzQA r28lf9eone5jtdB3WLJfa5vszCTpVMLudLAnsIL2eEY
+5s7qyKaplHacc9HAQELdE8LJ7rfR0pPdHwAtodPkw4o
+-> ssh-ed25519 6UNP1Q Kzg5Jfo6se5cnfN5oY3DpRNTM8kvOVWLpZUeEE7GZTg
+kv76SZGEW5UZhZgXG2R46n6xfEsI/KTQwdti+MoPWSM
+--- 6GSLqjnqZy6/5kgucw/7O+AYgX0yxtZlrSEpfjDZJFs
+Œ6õ! TF³Šd´¨»£?o±oµ‘EÈt1ØpN“<4E>ùU%mC¥4‘º5³ìÂMLÂ‘[¡¤x›‰!¾d#ÍÕ<C38D>6tØD"¦Â”çc
--- a/provision/age-secrets/nextcloud/password.age
+++ b/provision/age-secrets/nextcloud/password.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 47GzQA MDM1Q/xLs24II9MATnzE4m+jjgdCaWxzxwR9wZFFdgU
+XdbCAUaq7exmR5atSi7XT8Z2pHw0bzTmzVwxd5VH/4Y
+-> ssh-ed25519 6UNP1Q JK3EgJyJlAAJ/f+I1ciEAuyrTAcBfEpClvxJ9R/qHWE
+c92Y4Bs3osc1OUuThoaVqIlXjiDzFJQBjYNA/0Sr9U8
+--- 3NG2ZxIstfL6QZnJwY9J7EEi+OZ86mVPqHcG4CzIc8I
+|·;á;Æ•ËÜÒëÎJê²ŽSàýçy’œB¨*~[Énä?ôßîÔÎ
--- a/provision/age-secrets/secrets.nix
+++ b/provision/age-secrets/secrets.nix
@ -1,11 +1,15 @@
 let
  kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2iE16XVkriD0x6GhnqmvGDA1qNBibvHVIi5xY+c7Iu";
-  systems = [ kestrel ];
+  torus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN71z5g6QyCn5Go0Wm+NOSF4f22xOOCvtIA3IM4KzSpG";
+  systems = [ kestrel torus ];

  tstarr_kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINr2BUUToMswbAbxZMXarl2pQEomM+jADyZbEK31VGu/";
-  users = [ tstarr_kestrel ];
+  tstarr_torus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhxsVgd8DH8c0zckjMUxSJrTimU709JLCgDGBMFoNxQ";
+  users = [ tstarr_kestrel tstarr_torus ];
 in
 {
  "git/github_personal.age".publicKeys = users ++ systems;
  "wireguard/kestrel.age".publicKeys = users ++ systems;
+  "git/gitea-runner-1.age".publicKeys = [ torus tstarr_torus ];
+  "nextcloud/password.age".publicKeys = [ torus tstarr_torus ];
 }
--- a/provision/hosts/torus/gitea.nix
+++ b/provision/hosts/torus/gitea.nix
@ -17,19 +17,18 @@
    };
  };

-  sops.secrets = {
-    "gitea-runner1" = {
-      sopsFile = ../../secrets/secrets.yaml;
+  # gitea runner secrets
+  age.secrets."git/gitea-runner-1" = {
+    file = ../../age-secrets/git/gitea-runner-1.age;
    owner = "gitea-runner";
+    group = "gitea-runner";
  };
-  };
+
  services.gitea-actions-runner.instances = {
    runner1 = {
      enable = true;
      url = "https://git.tstarr.us";
-#      tokenFile = config.sops.secrets."gitea-runner1".path;
-
-      token = "kZ8YMUInzUYkvFK7bia5191QzLPF2xh9dAtxDI8d";
+      tokenFile = "/run/agenix/git/gitea-runner-1";
      name = "runner1";
      labels = [
        "native:host"