diff --git a/flake.nix b/flake.nix index dbcce7c..f9ef297 100644 --- a/flake.nix +++ b/flake.nix @@ -109,9 +109,9 @@ nixos-hardware.nixosModules.common-pc-ssd nix-index-database.nixosModules.nix-index impermanence.nixosModules.impermanence + agenix.nixosModules.default ./hosts/nuc ./shared - agenix.nixosModules.default { nixpkgs.overlays = [ self.overlays.default ]; } @@ -123,12 +123,11 @@ modules = [ ./hosts/falkenstein-1 ./shared - ./shared/sops.nix { nixpkgs.overlays = [ self.overlays.default ]; } nix-index-database.nixosModules.nix-index - sops-nix.nixosModules.sops + agenix.nixosModules.default purge.nixosModules.default trucksimulatorbot.nixosModules.default pfersel.nixosModules.default diff --git a/hosts/falkenstein-1/modules/backup/default.nix b/hosts/falkenstein-1/modules/backup/default.nix index 2fee9c8..db55135 100644 --- a/hosts/falkenstein-1/modules/backup/default.nix +++ b/hosts/falkenstein-1/modules/backup/default.nix @@ -1,6 +1,8 @@ { config, pkgs, ... }: { - sops.secrets."borg/passphrase" = { }; + age.secrets."borg/passphrase" = { + file = ../../../../secrets/falkenstein/borg/passphrase.age; + }; environment.systemPackages = [ pkgs.borgbackup ]; services.borgmatic = { enable = true; @@ -17,7 +19,7 @@ label = "nuc"; } ]; - encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}"; + encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg/passphrase".path}"; compression = "lz4"; keep_daily = 7; keep_weekly = 4; diff --git a/hosts/falkenstein-1/modules/networks/default.nix b/hosts/falkenstein-1/modules/networks/default.nix index 0fa3e18..d2e4c02 100644 --- a/hosts/falkenstein-1/modules/networks/default.nix +++ b/hosts/falkenstein-1/modules/networks/default.nix 
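Review bot: The falkenstein-1 module list drops `./shared/sops.nix` and `sops-nix.nixosModules.sops` in favour of `agenix.nixosModules.default`, but the `sops-nix` flake input those modules came from is declared above this hunk and is not touched; if no other host still uses it, removing the input (and its `flake.lock` entry) avoids carrying a dependency nothing consumes. agenix derives its default `age.identityPaths` from `services.openssh.hostKeys`, so decryption on falkenstein-1 only works if the `falkenstein` recipient in `secrets.nix` is that host's SSH host key; if falkenstein-1 also uses impermanence like the nuc configuration above, the host key must be on persisted storage or set explicitly with `age.identityPaths = [ "<persisted-host-key-path>" ];`. The `modules = [ ... ]` list continues outside the hunk.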
@@ -1,12 +1,15 @@ { config, lib, ... }: { - sops.secrets = { + age.secrets = { "wireguard/dorm/private" = { + file = ../../../../secrets/falkenstein/wireguard/dorm/private.age; owner = config.users.users.systemd-network.name; }; "wireguard/dorm/preshared" = { + file = ../../../../secrets/falkenstein/wireguard/dorm/preshared.age; owner = config.users.users.systemd-network.name; }; + }; networking = { hostName = "falkenstein-1"; @@ -46,14 +49,14 @@ Name = "wg0"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets."wireguard/dorm/private".path; + PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path; ListenPort = 51820; }; wireguardPeers = [ { wireguardPeerConfig = { PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ="; - PresharedKeyFile = config.sops.secrets."wireguard/dorm/preshared".path; + PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path; Endpoint = "dorm.vpn.rfive.de:51820"; AllowedIPs = "192.168.42.0/24, 192.168.43.0/24"; }; diff --git a/hosts/falkenstein-1/modules/pfersel/default.nix b/hosts/falkenstein-1/modules/pfersel/default.nix index ed013c2..1c6dc0d 100644 --- a/hosts/falkenstein-1/modules/pfersel/default.nix +++ b/hosts/falkenstein-1/modules/pfersel/default.nix @@ -1,10 +1,13 @@ { config, ... }: { - sops.secrets."pfersel/token".owner = "pfersel"; + age.secrets.pfersel = { + file = ../../../../secrets/falkenstein/pfersel.age; + owner = "pfersel"; + }; services.pfersel = { enable = true; discord = { - tokenFile = config.sops.secrets."pfersel/token".path; + tokenFile = config.age.secrets.pfersel.path; }; }; } diff --git a/hosts/falkenstein-1/modules/purge/default.nix b/hosts/falkenstein-1/modules/purge/default.nix index 92c5abc..5650a65 100644 --- a/hosts/falkenstein-1/modules/purge/default.nix +++ b/hosts/falkenstein-1/modules/purge/default.nix 
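Review bot: The secret is renamed from `"pfersel/token"` to the flat `pfersel` (and `"purge/token"` to `purge` in hosts/falkenstein-1/modules/purge/default.nix), while `"borg/passphrase"` and `"wireguard/dorm/*"` keep their hierarchical sops-era names in the same commit, so the layout under `/run/agenix` now mixes two conventions. Settling on one scheme — e.g. `age.secrets."pfersel/token" = { ... };` with `tokenFile = config.age.secrets."pfersel/token".path;` — keeps the modules uniform and leaves the secret's purpose visible in its name. Carrying over `owner = "pfersel"` is right: agenix defaults to mode 0400, so only the service user can read the token.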
@@ -3,13 +3,15 @@ let domain = "purge.${config.networking.domain}"; in { - sops.secrets."purge/token" = { }; + age.secrets.purge = { + file = ../../../../secrets/falkenstein/purge.age; + }; services.purge = { enable = true; discord = { clientId = "941041925216157746"; publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402"; - tokenFile = config.sops.secrets."purge/token".path; + tokenFile = config.age.secrets.purge.path; }; }; services.nginx.virtualHosts."${domain}" = { diff --git a/secrets.nix b/secrets.nix index 2f313e1..ac3354d 100644 --- a/secrets.nix +++ b/secrets.nix @@ -20,4 +20,12 @@ in "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ]; + + # falkenstein + "secrets/falkenstein/purge.age".publicKeys = [ rouven falkenstein ]; + "secrets/falkenstein/pfersel.age".publicKeys = [ rouven falkenstein ]; + "secrets/falkenstein/wireguard/dorm/private.age".publicKeys = [ rouven falkenstein ]; + "secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ]; + "secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ]; + "secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ]; } diff --git a/secrets/falkenstein-1.yaml b/secrets/falkenstein-1.yaml deleted file mode 100644 index ad6fb68..0000000 --- a/secrets/falkenstein-1.yaml +++ /dev/null 
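Review bot: `age.secrets.purge` sets only `file`, leaving agenix's defaults of root ownership and mode 0400, whereas the pfersel module in this same commit sets `owner` to the service user. If `services.purge` runs as a dedicated user and does not receive the token through systemd credentials, `tokenFile` will be unreadable at runtime; the previous `sops.secrets."purge/token" = { }` had the same defaults, so this is not a regression, but it is worth confirming against the purge module. If the service does run unprivileged, `owner = "purge";` next to `file` (mirroring pfersel) is the minimal fix. The `services.purge` and `services.nginx` attribute sets continue outside the hunk.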
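Review bot: The new `secrets/falkenstein/*.age` entries encrypt what appear to be the same six secrets to `rouven` and `falkenstein`, but the previous ciphertext in the deleted `secrets/falkenstein-1.yaml` remains in git history under its own age and PGP recipients, so dropping those recipients here does not take away their ability to decrypt the old values. If this migration is meant to retire the old keys, the underlying values (the two Discord tokens, the WireGuard private and preshared keys, the borg passphrase and key) need rotating as well, not just re-encrypting. `secrets/falkenstein/borg/key.age` is declared here but no module in this diff references it; if it exists for manual restores, a line such as `# borg repository key export, used for recovery only` above it would make that explicit. `rouven` and `falkenstein` must be bound in the `let` block above the hunk.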
@@ -1,51 +0,0 @@ -purge: - token: ENC[AES256_GCM,data:mCK0xAgF4Q8DOTPVRg/O5L8kpDItNj8U0ikoKOOZC3Dv50Yt/nqvq4j4fM0CQ836pxCutir6FkTKbS5xS5XqKoSzu8E/0Q==,iv:JDqyeG+g3RAHmMD4uxS6eyQYYI50X6Bwutp+/v2ngq8=,tag:JkqLWoSwwghNUCD2+I6Njg==,type:str] -pfersel: - token: ENC[AES256_GCM,data:MFxzpT6sqzhDpZya4/eI77LbHXekzfTQWZrjd/aot2MzRXicaCUabEUqnR40QnW9HujOTW0+A+9Be5mDX6OqVDt2ioKVxg==,iv:UTTWL7uSVgpkLnXTkvojC/fotkDISdyBrGDiegXqMuQ=,tag:+8+Th/M9U9mJX6i2YCPBbg==,type:str] -wireguard: - dorm: - private: ENC[AES256_GCM,data:Wk6g0UW6onEQYh2Sjoh8pXtaxzQehbYzulS32LHENombOdM3xT6fLBRuI3o=,iv:i5HqTr/WV8tiBud1BApPWC2z1Ck5LiTRJ1MP8/1AH5U=,tag:ISAHSJCNzS/MCiPkPh6CXQ==,type:str] - preshared: ENC[AES256_GCM,data:8n4LJb9EeGfYp3VV4iL9O+IadsGok9EWZESXdkGDk/LwYUvKRxkFsfIUmA0=,iv:dAY3h8U+/+Ac4t7HIjTj2LvX2g6LUT9s8U4GU4tvPV0=,tag:UI7mOiQGWVnmIYJe8C1gpw==,type:str] -borg: - passphrase: ENC[AES256_GCM,data:54KCMu574Uj01sqnfBX9BqFc5+dx1Se7,iv:NgodekAUw0pNddA36oIranISkvUQIxZRmZW4s1UIHdU=,tag:frep/WspsozTL1V/OfuTxw==,type:str] - key: ENC[AES256_GCM,data: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,iv:8yl4F9+g+SfjvHVJKCTFXS9JU0Kzy7TqIX3HtQQt/n0=,tag:4r6A1K0zHSycglcZYGnkWw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1de938w6hzpv4cuzss7v3pt0chv4d0t220ue5n9d93ffuak7u949sumnhz3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbVdnVDQzbFAvWTNkNVdX - T1JIcXlkVEdiV3FiVlowWFllc2ZmTHZQbmpjCis1bmU1cC9TUGJSWHB2MGtER3h6 - SVAvTE5ORElPV3ByUHBmL3ZiN2xMemsKLS0tIEpmSmZ1cE8zZXZhd3Z6Wm94c0M0 - NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam - 20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-19T09:45:38Z" - mac: 
ENC[AES256_GCM,data:b4KtXV64oYJu1VO63NQFJ16O9q509YThkJZXTbqnhgLlxmoZ3HEwQRYnsg3MgBOxj3Im9RhIj341f8p3JFnz/WM56ii9gJHPP+uaYJit4Pln6qqwa69rd+OLVUShz0NESNFCHuTYzPyREZOz5Y2N+QPIbhSE8L+2uleIsB9Lv78=,iv:qSs2R569Vp4BPuYpGedDxo19Ua4bhHzP1fFUdMtlvkk=,tag:BlWL5Dyh+AqDYDZHNglyHA==,type:str] - pgp: - - created_at: "2023-04-12T15:47:07Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcFMAzUXo8ZPJwGLARAAl3zDxzwqZFW6P9/ZtKPqby5wiXYXro/LQd1UivAuTTLD - FFMCZNufGTGsEgatYCiljgFao7grpZxnPPMhX7q9fbVxM+DKT2D0Zs3zeAHlwXAi - VxZh34AOKXMQR1s7Xo2KbiT1zikQqvSp/EHbNQOG+Ivi1rMCw5/woobNmfEidmp2 - TRlM5EK3hxYmcfXqOQFPo5/E+B87qsfD2BdK/2+TMp6eCvHnESeSPXfB/3Fwqv13 - t8HI6RRm3Iz71aFW/AQxVYaPm+NiFLYFZqWDCeYjXw/90DcsJ2MkRHSn3sc2pCAL - 7uip2qvEopUTNoMTmFiLo71/uuof0PBZH9IDmmIGzxH79eri11uoTm4CtN90Up+d - pcijNgbtwQXkxZmmhvitJG3rcncMkvMUZk6tOI0WmBkfxSWtVZcrieTdeBixnDOH - MRTzpVejz/5bMRybjvWtEj/z7GpYnfWX8auCdqCTz6C6RK3XEBz4/o1z17VA3Rjc - Ixs8otpEzKXUBsUY7MSgokr6+YveBmOnCto7r447elKLmlBDL0NB5yKbQZJjaniG - 4BSxhGNxB3wJgMv01XOVBkciJ05qIGIZhprA+oyBS5jBzRJyYfOoiDtxp9S8rCar - OmF9RqdaiXfBNY+VGz+1kIzuU+5UT8wOSOKIzXMtqD0/QEmXTySg9JAiCF+U483S - UQHXKfb1LnOhV430IRANtlpaPSwoNR4/UVynaQvg+OIQmLDqNKRVd30ZgMp5hujq - w/osV7AXq987ayqexjfIKyqiNZJBuPB5XaMwenHaSD04kQ== - =CmnW - -----END PGP MESSAGE----- - fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/falkenstein/borg/key.age b/secrets/falkenstein/borg/key.age new file mode 100644 index 0000000..dc9f514 Binary files /dev/null and b/secrets/falkenstein/borg/key.age differ diff --git a/secrets/falkenstein/borg/passphrase.age b/secrets/falkenstein/borg/passphrase.age new file mode 100644 index 0000000..04ed831 Binary files /dev/null and b/secrets/falkenstein/borg/passphrase.age differ diff --git a/secrets/falkenstein/pfersel.age b/secrets/falkenstein/pfersel.age new file mode 100644 index 0000000..3240fc2 Binary files /dev/null and b/secrets/falkenstein/pfersel.age differ 
diff --git a/secrets/falkenstein/purge.age b/secrets/falkenstein/purge.age new file mode 100644 index 0000000..79d5035 --- /dev/null +++ b/secrets/falkenstein/purge.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ /f7KCfInXMZTdiOfqdjhUNESlLE8E5I33tQXWZEW1UU +WFOxiMW2ejkS8+Xd+7AgtrNQ2OwT1eADcJ/ksXxWNaI +-> ssh-ed25519 slrRig yYjvDl6lr2JtQRC3AvwSg0j9iBdl64i1V5vdD7bAhQ0 +vUbfUbVV8iVAsWzyzbXNOhgiZVM716i1T3o+CnHY7MM +-> d7x4-grease AKG{#;x! s^5 bs-I$3< +HBnmeOkncFXRxxgxsIRiov0wTfmpEN4xJjPL7YwGtu9EQ8g2uPtMpX9g63KqdQ +--- SJNRQFMTquAWvFtmQYivrb79m0pLapCzIdcKCGkoQzg +1i4>ύc&nk_T]dU 쑁zZ>T}3ݗ%.>_Z\cw 킂j({+IMtI" \ No newline at end of file diff --git a/secrets/falkenstein/wireguard/dorm/preshared.age b/secrets/falkenstein/wireguard/dorm/preshared.age new file mode 100644 index 0000000..505f09f Binary files /dev/null and b/secrets/falkenstein/wireguard/dorm/preshared.age differ diff --git a/secrets/falkenstein/wireguard/dorm/private.age b/secrets/falkenstein/wireguard/dorm/private.age new file mode 100644 index 0000000..b0e0df6 --- /dev/null +++ b/secrets/falkenstein/wireguard/dorm/private.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ A/s5+yPiVZuHo/Xv12T32m/besBeYxvmpv3xm02DhzA +98fj+vaNvWrldQQlDCnggwopkYp3Bkk02/cQ7UzKSfw +-> ssh-ed25519 slrRig BGDI83NERkziioPPySGZXXLK1mErLfXhHbgABhq5KTg +/ofrSvbO3FGaq5O4OlKwbzz6M8J/auJ5xlRtYLSf6AE +-> a.%y-grease =mU^ +8B7GCear7tUUXTjo4quSeeDnD/8rkr3/39p9RZ6qnH+rWmQAZE+d/9NZ9BheuCD4 +BOmsbsc2DEHf1mVi/QMF285c/5WujllNnQ +--- 2cThrg9xymCyM+uA69iNtGGIJoMBj+/Oc2ZjXqX6QQQ +ϯT H_R'
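Review bot: This `.age` file (and `wireguard/dorm/private.age` below it) was committed as a text diff while the sibling `borg/*.age`, `pfersel.age` and `preshared.age` were detected as binary, so git's text handling (line-ending normalization under `core.autocrlf`, conflict markers on merge) can corrupt the raw payload that follows the `---` line. A `.gitattributes` entry `*.age binary` makes the treatment uniform and keeps ciphertext and grease bytes out of rendered diffs. The two `-> ssh-ed25519` recipient stanzas in the header are consistent with the `[ rouven falkenstein ]` list in `secrets.nix`, though the short stanza tags do not by themselves confirm which keys they are.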