restructure

2023-11-05 11:09:24 +01:00
parent 64d8c7a494
commit 7c302c94a8
49 changed files with 37 additions and 10 deletions
--- a/secrets/coturn-secret.age
+++ b/secrets/coturn-secret.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw 4ZpkTSszkAJIbBs211PZAuWyYlsbYGx+kh+fIa/X8Q4
+zlDBNm+2ykfiugTcPWGgLKsBBCVRDiLkp/GSX8stVnQ
+-> ssh-ed25519 IV3DkQ jvo0WmLvaOpAHASPs5Qb4HblklPs7l+wuiZIIapbm2c
+KiPkiZMwPF4q5s2Ity1DBiPxDrEpMNEW6p9P7DOBVIY
+-> NJJFW+-grease
+vUz0h2kED8aYuu4hT4AJw89LzscD0jiKUVlkrhO0IN7n5do6dUkXm5h7wNwnybTl
+FoV3HBxV3xAr6tD++Uv8/ej/XqG0jBhd
+--- h2fQyC4ajeEOyuzxzt7gf23wJMBoLQSXcc8uKewGyuY
+Õ¨ßUD6j==(ž¹>8ôÅ"#Êdþ`‚Ô†bmUù·ßkk&ä›¦”çžDÌùè€Ã`1m?W¡Ó¨°¥¹L¢jÖ°ûà5{ý÷ÛLäÏ©©’.çÔÊîD½²:vÞÆtQ<74>K
--- a/secrets/create_secrets.md
+++ b/secrets/create_secrets.md
@@ -0,0 +1,31 @@
+agenix -e secret1.age
+
+
+example secrets.nix file
+```
+let
+  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
+  users = [ user1 ];
+
+  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
+  systems = [ system1 ];
+in
+{
+  "secret1.age".publicKeys = [ user1 system1 ];
+}
+```
+
+use secret in config
+```
+age.secrets.nextcloud = {
+  file = ./secrets/secret1.age;
+  owner = "nextcloud";
+  group = "nextcloud";
+};
+services.nextcloud = {
+  enable = true;
+  package = pkgs.nextcloud25;
+  hostName = "localhost";
+  config.adminpassFile = config.age.secrets.nextcloud.path;
+};
+```
--- a/secrets/duckdns.age
+++ b/secrets/duckdns.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw qWHcQHXaRWumJlWydl0VLTNR2y4j5uVb3Sbjb0iO9Hk
+LrQOKE3+nYVEM9cg3gT+nInpdTBocmVXSBSD7EBb1MQ
+-> ssh-ed25519 IV3DkQ QR2R+mQSrk0UBV4GSATs0NQkkgbQzFai7ms5xQX3RTc
+sndWMq89BmXeoyE+le7tHJQ6oSjzfhCbas5EpcJIzdc
+-> 2/3Ux/5c-grease k;>AI5|g &JI / .{c
+kY1TBMB2l6gMU+1aHPbBTCad537N1aa8d0Wi8bYGMmeC9+8PV18a
+--- eKaZ9bddh3SF6hitwAHBldIFpUh3s2R6pI9eDstHdk8
+·E¦·g˜v:½ô¦ü!µàÆOGy½ïg›%Ó‚Ä¬
--- a/secrets/github-runner-pw.age
+++ b/secrets/github-runner-pw.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw wQOSX5WnvkxmKl4xtbD62v312Sj9/g7SoMfQVdS1Q0o
+Vv0byaVj1ptj08mDoEI6Go6h55gPVj1Gb0YJc+KhzuM
+-> ssh-ed25519 IV3DkQ cAZHkdeXW2UyjIamz0Ab/NQhWhlxwFrj951KIVIRjyw
+AV4rahLaZVem+nQDMIv6kMeIhjUAc7/F1wO20g89Eyk
+-> e'`r-grease 5rS.MW
+/smMPjLrxnS0QF2hU6axJMQlD0m8t9L15JK2CilAElDNVwMf35aynhvQqvCiQ3Sv
+ueSLjeLVmEc8QZLORIFUabQAh59QqK3NCm/FVYSLwVZimytMH4/QksjN
+--- mSjoAgLw84jJjQYlOf9ZfAvjw8b/2LFA55pM2uYEl2U
+‘Ïåðc“Ø³:I<>ø‰¢:Z{ŠòE@ŽH‡äß~á±Omaê
+ñúÄa”A´°<yR]& Í_$|€6Rq“88Ê‘Yí¹µ&¢ Ö<5–]BD/‹6™í°¿môÉ!‚4n
--- a/secrets/github-runner-token.age
+++ b/secrets/github-runner-token.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw rvIxniIy9V9MEusfISoYDZACLPHWIXlpeTDCsXhbxQ4
+Fh5jIyimXuB1xwfsYS5TeTI5yXPxF9K/M7YlBW9DSMw
+-> ssh-ed25519 IV3DkQ XzdSfWvjKSu6RiUV5BWvOasK6QFB2uOHybtYEYnDnwg
+BhtquDcngJfnGhfb4kHgfuQAZyXLKzm8518zXvwki0o
+-> 'Xd:O-grease sG
+Z4FSpQUYvPvA3YAf9NoXPQ30KwLYEL0XNJLXtbGESfllNc7cM5tOTn+szfotRwVI
+3wGBWkTzE5g0rfLhVGUybFJIlMguXvZVl2EQ
+--- xu2w56OhLGufb9mMXZQ/8Y/xTD0Ke8Yvf8h6zVE0p7g
+ØJô$‹ÇC7<43>
+¼Í¥ïF˜ç‹ßE
+I+’
--- a/secrets/matrix-registration.age
+++ b/secrets/matrix-registration.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw cm1Rv6pG2jv5YL2a3jejL3oHyp3w5AdOOkPUuC1RiTQ
+OPfb5CCkGwV1wBjxSM63i7YSWzwZrwh2GbIaIMgbnLo
+-> ssh-ed25519 IV3DkQ mqIItqMdUx2rypN38qZc2MluanXzEyW82BoRvJRnmgE
+FiODCU94Dv0MRhhMjcRxtM8vSzcfWbCiQza6P3iRFK0
+-> .H0wQ-grease /9 WqdeDrv> )IMX{vvR >^?
+AY2rOa0e0RS1
+--- rQj2qpVKjSI/ptv2PUp2kMoAtko06QQw64Fgx46/10s
+öfÅ_¬A¤hÂêfþÄÝØ®ÞŠ<C39E>úfg~sv‘ˆ³£&L²IpÑ,Cy-9ÏªªRÄi
+D%Yì™€N3Y!Ã><3E>©Ž˜ÿ	¯4òU<C3B2>Š#ìIi(å¬`Êc.ä¯U×ÿº.óáôT#ÛÃwNžªÀô‡øl^x§$œÅƒ€×É-_¶L[6†ÛÍÊB ƒ—å2ã&”vqáX<C3A1>’ç¦ö|woìê˜BéP„'ýíRhOD>Å·éÎÄ¾IóËW
--- a/secrets/nextcloud-admin.age
+++ b/secrets/nextcloud-admin.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw mo8zrkfdjLd7ojLCZZ8XL0fDQwr4Z5t8pqnbmXykXxQ
+bpPiBgz/w14vqnvS8YuXJTo1pDuqdbHEfqXEgdHXs0Q
+-> ssh-ed25519 IV3DkQ 3IzYm/7tlIH4hQs2M1fqkeoz7mKw5idUHm6z5TaHTxw
+BHnYTqatni/UzwBJSghGiXqWUwuPpHW4HBVjjP1UXjI
+-> 9/q5f-grease 3j `{O $R )*.
+NPSQgfHqIJIHr8herACNiV+BwRf03K8G8RBDb5/6oZym
+--- QTd5uVu6AZspmxpuZ7w32gyICcrKQKkP1www6qnjoDw
+Áô;ÞªÍ’ÌOãPàÍ@!éÝò!Â½Þb
--- a/secrets/nextcloud-cert.age
+++ b/secrets/nextcloud-cert.age
--- a/secrets/nextcloud-key.age
+++ b/secrets/nextcloud-key.age
--- a/secrets/paperless.age
+++ b/secrets/paperless.age
--- a/secrets/restic-gdrive.age
+++ b/secrets/restic-gdrive.age
--- a/secrets/restic-pw.age
+++ b/secrets/restic-pw.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw fr9bTdi5DqM3+gHEZLQeYv22HJTnafbicFi8kQxLU1I
+THTt5YssgKZyqTukphvhT/XLCp9EnWUoh2LLi1sv25E
+-> ssh-ed25519 IV3DkQ 7m6HtNWFwXuVUPBr7GRbk+UopzQ8wdXOSyXL23B0xTE
+gXvUsoDrmB9tKRyFIX/ATOCej8hIvwHSuun9A9Q+i+8
+-> nuYl73-grease nU#N,Cb8 jdR=c0` eKcsi
+G+zZUpeeSiaE8wkzK9tv80hj7wbZScXMbOVHaSYZeFhEfXhEJliFP60X2ZNQTkUG
+ArOKaDwOY/zByBc+Jf1P5JLZinVeTLBQRnBN+RrZE20
+--- wL204i5S+VYFP+C7JwZsSWSXRC+a4FejQoxFGEnV5Io
+tí~õ—ÕˆÃ?nô6f©Y@‚<>$D½óB¦Ô‡–Â<E28093>îNGØá^…â\mÚ6cƒAóãhÑ^˜lh;CŸŒÊ!^>tœS¨ì9Ö
--- a/secrets/restic-s3.age
+++ b/secrets/restic-s3.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw kIAiiVGrxQLT8tNcIehkSwAl0RIR8yCblKcJutHKfio
+LlI57U6z2Rmzau3yGP7GwgE7axUSHazMZB87CUuvZIo
+-> ssh-ed25519 IV3DkQ Lig+2cAx34B1GK28qm8dxfcdjezyjHgusJW4i1JiLFM
+FPjcmohS8mLlNLhZsXXlYJB10nnUYZOJonnIQoxcfuY
+-> T$pF-grease vM&|GOOo k"jB.( '3~O-3rS
+sxTmNCBIo/fFeSCisPlgGYrIJNZVh/ykKig7UonRDBNYCIq9GoC8MViYEtTOcfF
+o13P+1O2apmVg84VclReTiEZOy96TgjUe8A6uc9+
+--- ah7cAYBdupOvrBoaJx1m8fTmSceC5Cq/2PPQOvZRTGA
+µÞ£	?4Ðîb®h<C2AE>×>m ö;‡"û”üeµGŸ¦ËNÚÄî¤¹ÍäèéåLD¼¯I{eþ™\”W¸-îÓ™`éSºÌ;¥2¹½VywÀNW_º<5F>Éó<C389>éU<7F>FžÌS2CðXS<d¹dèëðÑ§xDˆjôìÛ—T™.œ¹ŽK@<40>›E"ö
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,20 @@
+let
+  nix-test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVqEb1U1c9UX3AF8otNyYKpIUMjc7XSjZY3IkIPGOqi root@server";
+  server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAUA7uVKXAF2UcwaIDSJP2Te8Fi++2zkKzSPoRx1vQrI root@server";
+  systems = [ nix-test-vm server ];
+in
+{
+  "github-runner-token.age".publicKeys = [ nix-test-vm server ];
+  "github-runner-pw.age".publicKeys = [ nix-test-vm server ];
+  "duckdns.age".publicKeys = [ nix-test-vm server ];
+  "nextcloud-admin.age".publicKeys = [ nix-test-vm server ];
+  "nextcloud-cert.age".publicKeys = [ nix-test-vm server ];
+  "nextcloud-key.age".publicKeys = [ nix-test-vm server ];
+  "restic-pw.age".publicKeys = [ nix-test-vm server ];
+  "restic-s3.age".publicKeys = [ nix-test-vm server ];
+  "restic-gdrive.age".publicKeys = [ nix-test-vm server ];
+  "wireguard-private.age".publicKeys = [ nix-test-vm server ];
+  "coturn-secret.age".publicKeys = [ nix-test-vm server ];
+  "matrix-registration.age".publicKeys = [ nix-test-vm server ];
+  "paperless.age".publicKeys = [ nix-test-vm server ];
+}
--- a/secrets/selfsigned-cert.sh
+++ b/secrets/selfsigned-cert.sh
@@ -0,0 +1,2 @@
+#! /usr/bin/env bash
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./nc-selfsigned.key -out ./nc-selfsigned.crt
--- a/secrets/wireguard-private.age
+++ b/secrets/wireguard-private.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw 8R//RguE7Om0PFjixliXpwEchVwPcm9COYTz7TIZxTE
+81yMA9B/T6tbZfw6mU4TlYfCd6BEUC3UlBz1hNUXZ30
+-> ssh-ed25519 IV3DkQ 0kS9JOiAPfLi8Zoj6BM0pVwSmDr+BnWvIh7rGwZ21G0
+jbMIkFk8DEQ2tWgOWho1JrZkwKWW93GW9dzS3fTKMF4
+-> $ByN}E,-grease O$8`|NT 17d} %u)^D-
+x6SEG984W9vUAb0FCiZP0R4kQkYFOr3BGLpHP8HF8fj9LHWwxNb3PrntcOPJuvf7
+oep4FMyBFHchh6RhyrdRlOf6hCLnmybNKzs
+--- fCozYj+thQdIGXzdVLgLpLup9CI0QIEdgoMxfFVHGgs
+<EFBFBD>WV”ožE›il3õ—ñz`¡†´ø<C2B4>®ð¤	, oØ³e-ÿºZüAto‹Ok¬@1åb¢.U<>NrB¢«zrZY…ëÚý