refactor flake for stupid reasons

change age-secrets folder
move wireguard keys and add to age
2025-05-22 04:16:05 -07:00 · 2024-07-21 16:53:06 -07:00 · 2024-07-21 16:37:12 -07:00 · 2024-07-21 13:07:07 -07:00 · 2024-07-21 12:58:25 -07:00 · 2024-07-21 12:47:13 -07:00
19 changed files with 270 additions and 223 deletions
--- a/home/private_dot_ssh/config
+++ b/home/private_dot_ssh/config
@ -1,3 +1,3 @@
 Host github.com
  AddKeysToAgent yes
-  IdentityFile ~/.ssh/keys/github_personal 
+  IdentityFile /run/agenix/git/github_personal 
--- a/home/private_dot_ssh/keys/.placeholder
+++ b/home/private_dot_ssh/keys/.placeholder
--- a/provision/.sops.yaml
+++ b/provision/.sops.yaml
@ -1,9 +0,0 @@
-# .sops.yaml 
-
-keys:
-  - &primary age12g0gtcnhyaghs9vc5528yrstq4spe8p36fflhpwj79yz8jq9qg2s4v6mms
-creation_rules:
-  - path_regex: secrets/secrets.yaml$
-    key_groups:
-    - age:
-      - *primary
--- a/provision/flake.lock
+++ b/provision/flake.lock
@ -1,6 +1,70 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1720546205,
+        "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@ -55,8 +119,8 @@
        "hyprlang": "hyprlang",
        "hyprutils": "hyprutils",
        "hyprwayland-scanner": "hyprwayland-scanner",
-        "nixpkgs": "nixpkgs",
-        "systems": "systems",
+        "nixpkgs": "nixpkgs_2",
+        "systems": "systems_2",
        "xdph": "xdph"
      },
      "locked": {
@ -217,6 +281,22 @@
      }
    },
    "nixpkgs": {
+      "locked": {
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
      "locked": {
        "lastModified": 1719075281,
        "narHash": "sha256-CyyxvOwFf12I91PBWz43iGT1kjsf5oi6ax7CrvaMyAo=",
@ -232,23 +312,7 @@
        "type": "github"
      }
    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1719720450,
-        "narHash": "sha256-57+R2Uj3wPeDeq8p8un19tzFFlgWiXJ8PbzgKtBgBX8=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "78f8641796edff3bfabbf1ef5029deadfe4a21d0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1720031269,
        "narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=",
@ -264,52 +328,32 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1719468428,
-        "narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "1e3deb3d8a86a870d925760db1a5adecc64d329d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
-        "home-manager": "home-manager",
+        "agenix": "agenix",
+        "home-manager": "home-manager_2",
        "hyprland": "hyprland",
        "hyprland-contrib": "hyprland-contrib",
        "jovian-nixos": "jovian-nixos",
-        "nixpkgs": "nixpkgs_2",
-        "sops-nix": "sops-nix"
-      }
-    },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_3",
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1720187017,
-        "narHash": "sha256-Zq+T1Bvd0ShZB9XM+bP0VJK3HjsSVQBLolkaCLBQnfQ=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "1b11e208cee97c47677439625dc22e5289dcdead",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
+        "nixpkgs": "nixpkgs_3"
      }
    },
    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
      "locked": {
        "lastModified": 1689347949,
        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
--- a/provision/flake.nix
+++ b/provision/flake.nix
@ -1,8 +1,9 @@
 {
-  description = "Flake for nixos configurations";
+  description = "Flake to manage my nixos machines";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    agenix.url = "github:ryantm/agenix";
    home-manager = {
      url = github:nix-community/home-manager;
      inputs.nixpkgs.follows = "nixpkgs";
@ -11,7 +12,6 @@
      url = "git+https://github.com/Jovian-Experiments/Jovian-NixOS?ref=development";
      flake = false;
    };
-    sops-nix.url = "github:Mic92/sops-nix";
    hyprland.url = "github:hyprwm/Hyprland";
    hyprland-contrib = {
        url = "github:hyprwm/contrib";
@ -19,103 +19,103 @@
    };
  };

-  outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, sops-nix, hyprland, ... }:
-    let
-      system = "x86_64-linux";
-      pkgs = import nixpkgs {
+  outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, agenix, hyprland, ... }:
+  let
+    system = "x86_64-linux";
+    user = "tstarr";
+    lib = nixpkgs.lib;
+    pkgs = import nixpkgs {
+      inherit system;
+    };
+  in {
+    nixosConfigurations = {
+      kestrel = lib.nixosSystem {
        inherit system;
+        specialArgs = { inherit user; inherit inputs; };
+        modules = [
+          ./modules
+          ./hosts/kestrel/configuration.nix
+          ./hosts/kestrel/hardware.nix
+          agenix.nixosModules.default
+          home-manager.nixosModules.home-manager {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.extraSpecialArgs = { inherit user; };
+            home-manager.users.${user} = {
+              imports = [ 
+                ./home-modules
+                ./hosts/kestrel/home-configuration.nix 
+              ];
+            };
+          }
+        ];
      };
-      lib = nixpkgs.lib;
-      user = "tstarr";
-    in {
-      nixosConfigurations = {
-        kestrel = lib.nixosSystem {
-          inherit system;
-          specialArgs = { inherit user; inherit inputs; };
-          modules = [
-            ./modules
-            ./hosts/kestrel/configuration.nix
-            ./hosts/kestrel/hardware.nix
-            sops-nix.nixosModules.sops
-            home-manager.nixosModules.home-manager {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.extraSpecialArgs = { inherit user; };
-              home-manager.users.${user} = {
-                imports = [ 
-                  ./home-modules
-                  ./hosts/kestrel/home-configuration.nix 
-                ];
-              };
-            }
-          ];
-        };

-        shivan = lib.nixosSystem {
-          inherit system;
-          specialArgs = { inherit user; inherit inputs; };
-          modules = [
-            ./modules
-            ./hosts/shivan/configuration.nix
-            ./hosts/shivan/hardware.nix
-            sops-nix.nixosModules.sops
-            home-manager.nixosModules.home-manager {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.extraSpecialArgs = { inherit user; };
-              home-manager.users.${user} = {
-                imports = [ 
-                  ./home-modules
-                  ./hosts/shivan/home-configuration.nix 
-                ];
-              };
-            }
-          ];
-        };
+      shivan = lib.nixosSystem {
+        inherit system;
+        specialArgs = { inherit user; inherit inputs; };
+        modules = [
+          ./modules
+          ./hosts/shivan/configuration.nix
+          ./hosts/shivan/hardware.nix
+          agenix.nixosModules.default
+          home-manager.nixosModules.home-manager {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.extraSpecialArgs = { inherit user; };
+            home-manager.users.${user} = {
+              imports = [ 
+                ./home-modules
+                ./hosts/shivan/home-configuration.nix 
+              ];
+            };
+          }
+        ];
+      };

-        torus = lib.nixosSystem {
-          inherit system;
-          specialArgs = { inherit user; inherit inputs; };
-          modules = [
-            ./modules
-            ./hosts/torus/configuration.nix
-            ./hosts/torus/hardware.nix
-            sops-nix.nixosModules.sops
-            home-manager.nixosModules.home-manager {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.extraSpecialArgs = { inherit user; };
-              home-manager.users.${user} = {
-                imports = [ 
-                  ./home-modules
-                  ./hosts/torus/home-configuration.nix 
-                ];
-              };
-            }
-          ];
-        };
+      torus = lib.nixosSystem {
+        inherit system;
+        specialArgs = { inherit user; inherit inputs; };
+        modules = [
+          ./modules
+          ./hosts/torus/configuration.nix
+          ./hosts/torus/hardware.nix
+          agenix.nixosModules.default
+          home-manager.nixosModules.home-manager {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.extraSpecialArgs = { inherit user; };
+            home-manager.users.${user} = {
+              imports = [ 
+                ./home-modules
+                ./hosts/torus/home-configuration.nix 
+              ];
+            };
+          }
+        ];
+      };

-        bulwark = lib.nixosSystem {
-          inherit system;
-          specialArgs = { inherit user; inherit inputs; inherit jovian-nixos; inherit home-manager; };
-          modules = [
-            ./modules
-            ./hosts/bulwark/configuration.nix
-            ./hosts/bulwark/hardware.nix
-            sops-nix.nixosModules.sops
-            home-manager.nixosModules.home-manager {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.extraSpecialArgs = { inherit user; };
-              home-manager.users.${user} = {
-                imports = [ 
-                  ./home-modules
-                  ./hosts/bulwark/home-configuration.nix 
-                ];
-              };
-            }
-          ];
-        };
+      bulwark = lib.nixosSystem {
+        inherit system;
+        specialArgs = { inherit user; inherit inputs; inherit jovian-nixos; inherit home-manager; };
+        modules = [
+          ./modules
+          ./hosts/bulwark/configuration.nix
+          ./hosts/bulwark/hardware.nix
+          agenix.nixosModules.default
+          home-manager.nixosModules.home-manager {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.extraSpecialArgs = { inherit user; };
+            home-manager.users.${user} = {
+              imports = [ 
+                ./home-modules
+                ./hosts/bulwark/home-configuration.nix 
+              ];
+            };
+          }
+        ];
      };
    };
+  };
 }
--- a/provision/hosts/bulwark/configuration.nix
+++ b/provision/hosts/bulwark/configuration.nix
@ -64,6 +64,9 @@
  environment.systemPackages = with pkgs; [
  ];

+  # host secrets
+  age.secrets."wireguard/bulwark".file = ../../secrets/wireguard/bulwark.age;
+
  # Enable modules
  modules = {
    desktop = {
--- a/provision/hosts/kestrel/configuration.nix
+++ b/provision/hosts/kestrel/configuration.nix
@ -71,6 +71,9 @@
      distrobox # Platform for creating and managing Linux distribution images.
  ];

+  # host secrets
+  age.secrets."wireguard/kestrel".file = ../../secrets/wireguard/kestrel.age;
+
  # Enable modules
  modules = {
    desktop = {
@ -105,7 +108,7 @@
      terminal.enable = true;
      wireguard-client = {
        enable = true;
-        privateKeyFile = "/run/secrets/wireguard/kestrel";
+        privateKeyFile = "/run/agenix/wireguard/kestrel";
        address = [ "192.168.3.3/24" ];
        publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
        endpoint = "66.218.43.87";
--- a/provision/hosts/torus/gitea.nix
+++ b/provision/hosts/torus/gitea.nix
@ -17,19 +17,18 @@
    };
  };

-  sops.secrets = {
-    "gitea-runner1" = {
-      sopsFile = ../../secrets/secrets.yaml;
-      owner = "gitea-runner";
-    };
+  # gitea runner secrets
+  age.secrets."git/gitea-runner-1" = {
+    file = ../../secrets/git/gitea-runner-1.age;
+    owner = "gitea-runner";
+    group = "gitea-runner";
  };
+
  services.gitea-actions-runner.instances = {
    runner1 = {
      enable = true;
      url = "https://git.tstarr.us";
-#      tokenFile = config.sops.secrets."gitea-runner1".path;
-
-      token = "kZ8YMUInzUYkvFK7bia5191QzLPF2xh9dAtxDI8d";
+      tokenFile = "/run/agenix/git/gitea-runner-1";
      name = "runner1";
      labels = [
        "native:host"
--- a/provision/hosts/torus/nextcloud.nix
+++ b/provision/hosts/torus/nextcloud.nix
@ -4,6 +4,13 @@
    cron
  ];
  
+  # nextcloud secrets
+  age.secrets."nextcloud/password" = {
+    file = ../../secrets/nextcloud/password.age;
+    owner = "nextcloud";
+    group = "nextcloud";
+  };
+
  services = {
    nginx.virtualHosts = {
      "cloud.tstarr.us" = {
@ -37,7 +44,7 @@
      config = {
        dbtype = "mysql";
        adminuser = "admin";
-        adminpassFile = "/run/secrets/nextcloud/password";
+        adminpassFile = "/run/agenix/nextcloud/password";
      };
    };
  };
--- a/provision/hosts/torus/wireguard-server.nix
+++ b/provision/hosts/torus/wireguard-server.nix
@ -14,6 +14,8 @@
    allowedUDPPorts = [ 53 51820 ];
  };
    
+  age.secrets."wireguard/torus".file = ../../secrets/wireguard/torus.age;
+
  networking.wg-quick.interfaces = {
    # "wg0" is the network interface name. You can name the interface arbitrarily.
    wg0 = {
@ -22,7 +24,7 @@
      # The port that WireGuard listens to - recommended that this be changed from default
      listenPort = 51820;
      # Path to the server's private key
-      privateKeyFile = "/run/secrets/wireguard/torus";
+      privateKeyFile = "/run/agenix/wireguard/torus";
  
      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
      postUp = ''
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
@ -1,29 +1,19 @@
-{ config, lib, pkgs, user, ... }:
+{ config, lib, pkgs, user, inputs, ... }:

 let cfg = config.modules.system.secrets;
 in {
  options.modules.system.secrets.enable = lib.mkEnableOption "secrets";
  config = lib.mkIf cfg.enable {
     
+    environment.systemPackages = [
+      inputs.agenix.packages.x86_64-linux.default 
+    ];
   
-    sops = let
-      ncHost = (if config.networking.hostName == "torus" then "nextcloud" else "${user}");
-    in {
-      defaultSopsFile = ../../secrets/secrets.yaml;
-      defaultSopsFormat = "yaml";
-      age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
-
-      # Keys
-      secrets."keys/github_personal" = { owner = "${user}"; };
-
-      # Nextcloud password
-      secrets."nextcloud/password" = { owner = "${ncHost}"; };
-
-      # Wireguard secrets
-      secrets."wireguard/kestrel" = { owner = "${user}"; };
-      secrets."wireguard/bulwark" = { owner = "${user}"; };
-      secrets."wireguard/adjudicator" = { owner = "${user}"; };
-      secrets."wireguard/torus" = { owner = "${user}"; };
+    # git secrets
+    age.secrets."git/github_personal" = {
+      file = ../../secrets/git/github_personal.age;
+      owner = "${user}";
+      group = "users";
    };
  };
 }
--- a/provision/secrets/git/gitea-runner-1.age
+++ b/provision/secrets/git/gitea-runner-1.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Fz/sQw hvHsR44+V3YpK7Rm4hUPsuJ0BgRQu3GB/L8/puQJAVI
+G2MNa0yIrTn4dgABWDQZDvA7bS/zFF07mUruP5yr35w
+-> ssh-ed25519 47GzQA VlqsqYyfllD+uiW46WOI+ZA7PPap5/QsHYS+t8SLTSQ
+5BxE11l40oVHP8lb2ILCea1vN0LBVIWyinNP5Ov5riU
+--- idBM4gYeyBEy5uoX33NwipFOSkKoP+jpy5t1jYGV+bY
+ń‡8˘gđ˙ó_ˇdöÚŁ`]śštÖůÎ,÷PçĂíM_cÄĹÍ±^8l§Doö
ę(#«‰Ö2BŰiÉý&hŢ81/ć’í
--- a/provision/secrets/git/github_personal.age
+++ b/provision/secrets/git/github_personal.age
--- a/provision/secrets/nextcloud/password.age
+++ b/provision/secrets/nextcloud/password.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Fz/sQw 4alz0z4ZLSV7YnPzooE4J46uR0uqMzVw6Zv6VrcdZgI
+mP7+pv3U1kO1x8m66hXDWO3LBiXINRZMdmc4uzLYA1o
+-> ssh-ed25519 47GzQA cEtVXHBLa2CWcbOa7TqCPy9LfU5bJTYRy/mnlxahyw4
+ku+ajoKkH7DppbX2Wgq5fgHBD/sgi1wvhuo/8vhf34I
+--- tVG4sJ8qiYQzI7ag/C1d3/CFEa/+N1vUihl/Um0/baA
+?‰±‰®8?{³4ø¬PÊsp‘rlôÏ½TÌF*×‘§8’Ê|çÆ]ä»0 õ
--- a/provision/secrets/secrets.nix
+++ b/provision/secrets/secrets.nix
@ -0,0 +1,17 @@
+let
+  kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2iE16XVkriD0x6GhnqmvGDA1qNBibvHVIi5xY+c7Iu";
+  torus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN71z5g6QyCn5Go0Wm+NOSF4f22xOOCvtIA3IM4KzSpG";
+  systems = [ kestrel torus ];
+
+  tstarr_kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINr2BUUToMswbAbxZMXarl2pQEomM+jADyZbEK31VGu/";
+  tstarr_torus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhxsVgd8DH8c0zckjMUxSJrTimU709JLCgDGBMFoNxQ";
+  users = [ tstarr_kestrel tstarr_torus ];
+in
+{
+  "git/github_personal.age".publicKeys = users ++ systems;
+  "wireguard/kestrel.age".publicKeys = users ++ systems;
+  "wireguard/torus.age".publicKeys = systems;
+  "wireguard/bulwark.age".publicKeys = systems;
+  "git/gitea-runner-1.age".publicKeys = systems;
+  "nextcloud/password.age".publicKeys = systems;
+}
--- a/provision/secrets/secrets.yaml
+++ b/provision/secrets/secrets.yaml
@ -1,30 +0,0 @@
-gitea-runner1: ENC[AES256_GCM,data:mS41F7iAiITBrlOsrU+r3KCXBek5maoBtrVoTLwc2xGvyyiuyt6lDQ==,iv:YqctzGA3AjCJa9kl6eJ5ILzmfQcSMeNYx1t6UiD3T00=,tag:cyyN3Orsx0qTojOdQdM4Eg==,type:str]
-nextcloud:
-    password: ENC[AES256_GCM,data:qI3PV8ybqKQ=,iv:aXQyTUQ9twlmMx3j01cfk6gy/1fAfUxjYXs5QXPUTjU=,tag:kY+lM1qGm+8OCKgDnXZwSw==,type:str]
-keys:
-    github_personal: ENC[AES256_GCM,data:JQ0l0VNKjgf2yq7nZSED+6gf27ILfkvkdJkcsBLcX0K5isogtlF8Y8zI28dqLsSmriHf7L52fy3LjXDVkxXl8XupyPxJF3roeAxtj2rwXhVxMkAAEcWCaFUpa1UI5I2LIV2Ne32Ug6I5CKLlEzWXs7AImYJmmw0B6cn1hPyHJKc0I0My5A2b6LJq5J7mrJJ+PnybDNPW7QvZ0hIcqjNIXv1gcf9XMo6RU0dYnnRJaf6w/D5Nvrj15OG6oCe2C7e7O+JjgjQahUOOTlp1/5bbTW5ZDWEUxIn4llCsrkjjdKkYrCmYhQ45NLk+ZpWgXJZLgbfgc25nUOiLOoGbxO7kXienrY1y+t7/UA5AqKHj6575Iy5wN+P/XqzQ6ARkBh5Jy5gvrGFBtxcHml5J/j8ROJ9CoHmiT0jNycEll2yFcnIqAIbPqPuuu341sErFT33SMRzxKmlmyCCjaJrZB423NHqLiTA8oQ+mmkvOaE3cmuEU5oCT7OhL+RELbMNWjNOz7weNNgbt+fyy/U+VmtobLCllhRFDo0I/OFuFZ/UUqqEAAjv/NPk5V+7yCtBb9CmFROD9cG9xxx0mdkt8GHXYML7mIrCe/8ILKm3oWSVEA5w=,iv:0my7Q3Uog/nu3A3IprXuRAMTYmSv9YV1bo3BSAk2wlk=,tag:u41VgXeMBb2righhXUrPUA==,type:str]
-wireguard:
-    kestrel: ENC[AES256_GCM,data:RLDesKMUtpurv+C2YkxMcbBdiP6cHHUGRCYkgO5Qf6FZLxl4vKRyhTdDzWc=,iv:V/9bpCMTT9YQ8QCNYdpfrhu0lc4Yt5Eu0DJMc0uZkNA=,tag:kFnN7GwT4UKqUyvOdlbXxg==,type:str]
-    bulwark: ENC[AES256_GCM,data:wMMZ1zJ2nPvkAFA5SgcSyl1z+9blDqf/6pVp8olmGaXJsbWc+/gBtDKzTog=,iv:2lZdsFYZhiTumRmYN/q2606gpyS7lCjf4cgeaCIjoxo=,tag:o81+t3pRwfomEys1veQecA==,type:str]
-    adjudicator: ENC[AES256_GCM,data:sK2e6miw5UDLV0RQa/pSoI3boKn39/z+jEI0OSGQjhv6PXqIx4HiEtZJptM=,iv:2XjVv5gxL+E0fCzi1/3I1bbxLBOAYzmtu5S4VlZwyxU=,tag:8cahB2CJ4YDN/LSGqWUPnQ==,type:str]
-    torus: ENC[AES256_GCM,data:BPID5S71fSlwwu5HaYr25n1N7dznKCWx4CZ3VqppsC7Sc5envnGDm2nnqHU=,iv:8sYeuwxd4typ2n5xq0laQEwc1vc3cFbBx9B38q92/Z4=,tag:t7f8z/Jq3/fTNQasOOpgsA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age12g0gtcnhyaghs9vc5528yrstq4spe8p36fflhpwj79yz8jq9qg2s4v6mms
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RTFNMDd5K3Vza0plMFJr
-            ZFdpZ2VWV2JEdE1yOUdtS1FLbFp3alpIR25NCkN0dVhYaFZkY1pUQWRhaEY0SjYx
-            MFlaTjlYWFVLSnY1UmtJcmZobUZUUWcKLS0tIHBJb1lPRkJvcHNiVXhZeStuN2c1
-            ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI
-            3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-01T06:24:06Z"
-    mac: ENC[AES256_GCM,data:Y1YgnChiZb7168RqY1jP1LTMXanOhBz9LK72/ZbKZTRf50pNIsbOyfsk377sSQ7eemvROT3gTeFtWaLlgtY2bujegPiMiHDoDoVwJGzw4uBynr6/YSjOsO1TBLcTraJUfUBebF++5DsEcOD1jql1EHZ5hL+hwaAZYo5IXuLjlw0=,iv:WHep872Z0lQTZ2gx2fz6zHWpVCniDmJ9yueUDi9I0AQ=,tag:FuSSpg0EUylWhNR7sMjwVg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/provision/secrets/wireguard/bulwark.age
+++ b/provision/secrets/wireguard/bulwark.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Fz/sQw yxwMTsp4T8/0jQd/epX7CixYs0lU1UsGZovNr5hlWhM
+XzKWVFgT131qf2jXfG3VP7n78vf7wySkj4ds6JZNguo
+-> ssh-ed25519 47GzQA rbcR3Scal1cbF5jkIvEVp0BnChrgrD6QTRVwAbKRv0o
+cUlM7OtA9TpiNOoM7LjMaiQIddHC6+bROBq9B7qGR64
+--- TxdiaR51NWXpRxklcJ2eIDJn/kDS7LqduNbB3Og6N+0
+eZ¹°æ¸€x<EFBFBD>wùNh<18>±_ŒüÇSÚ¯t°xÀ7ìä'L»›aÇbŽqÃÔ‘¾*MPÀWOÊ¾òÓ+Ýè%G¶r;Í7¢5bé¿k
--- a/provision/secrets/wireguard/kestrel.age
+++ b/provision/secrets/wireguard/kestrel.age
--- a/provision/secrets/wireguard/torus.age
+++ b/provision/secrets/wireguard/torus.age
Author	SHA1	Message	Date
Tyler Starr	93c349d5bd	refactor flake for stupid reasons	2024-07-21 16:53:06 -07:00
Tyler Starr	ddad828ab0	change age-secrets folder	2024-07-21 16:37:12 -07:00
Tyler Starr	45d46be928	move wireguard keys and add to age	2024-07-21 13:07:07 -07:00
Tyler Starr	5d13a7aa05	fix keys for agenix	2024-07-21 12:58:25 -07:00
Tyler Starr	cb60c1dbe7	updates for torus before rekey	2024-07-21 12:47:13 -07:00
Tyler Starr	017dc9f6e1	finish migration from sops to agenix for kestrel	2024-07-21 12:23:33 -07:00
Tyler Starr	92bbe4d059	first agenix key setup	2024-07-21 11:52:02 -07:00