mirror of
https://git.sr.ht/~rouven/nixos-config
synced 2024-11-15 05:13:10 +01:00
agenix: migrate falkenstein
parent
3c5095f144
commit
dcaa017e5d
|
@ -109,9 +109,9 @@
|
||||||
nixos-hardware.nixosModules.common-pc-ssd
|
nixos-hardware.nixosModules.common-pc-ssd
|
||||||
nix-index-database.nixosModules.nix-index
|
nix-index-database.nixosModules.nix-index
|
||||||
impermanence.nixosModules.impermanence
|
impermanence.nixosModules.impermanence
|
||||||
|
agenix.nixosModules.default
|
||||||
./hosts/nuc
|
./hosts/nuc
|
||||||
./shared
|
./shared
|
||||||
agenix.nixosModules.default
|
|
||||||
{
|
{
|
||||||
nixpkgs.overlays = [ self.overlays.default ];
|
nixpkgs.overlays = [ self.overlays.default ];
|
||||||
}
|
}
|
||||||
|
@ -123,12 +123,11 @@
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/falkenstein-1
|
./hosts/falkenstein-1
|
||||||
./shared
|
./shared
|
||||||
./shared/sops.nix
|
|
||||||
{
|
{
|
||||||
nixpkgs.overlays = [ self.overlays.default ];
|
nixpkgs.overlays = [ self.overlays.default ];
|
||||||
}
|
}
|
||||||
nix-index-database.nixosModules.nix-index
|
nix-index-database.nixosModules.nix-index
|
||||||
sops-nix.nixosModules.sops
|
agenix.nixosModules.default
|
||||||
purge.nixosModules.default
|
purge.nixosModules.default
|
||||||
trucksimulatorbot.nixosModules.default
|
trucksimulatorbot.nixosModules.default
|
||||||
pfersel.nixosModules.default
|
pfersel.nixosModules.default
|
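Review bot: Any falkenstein-1 module still reading `config.sops.secrets…` will stop evaluating, because the second hunk drops both `./shared/sops.nix` and `sops-nix.nixosModules.sops` and with them the `sops.*` option namespace for that host. The sections on this page convert borg, networking, pfersel and purge, but `trucksimulatorbot.nixosModules.default` stays imported and its host configuration is not part of the change. It is worth confirming that it holds no sops secret; `nix flake check` or a build of the host would show it. The module list continues past the end of the hunk.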
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
{
|
{
|
||||||
sops.secrets."borg/passphrase" = { };
|
age.secrets."borg/passphrase" = {
|
||||||
|
file = ../../../../secrets/falkenstein/borg/passphrase.age;
|
||||||
|
};
|
||||||
environment.systemPackages = [ pkgs.borgbackup ];
|
environment.systemPackages = [ pkgs.borgbackup ];
|
||||||
services.borgmatic = {
|
services.borgmatic = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -17,7 +19,7 @@
|
||||||
label = "nuc";
|
label = "nuc";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}";
|
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg/passphrase".path}";
|
||||||
compression = "lz4";
|
compression = "lz4";
|
||||||
keep_daily = 7;
|
keep_daily = 7;
|
||||||
keep_weekly = 4;
|
keep_weekly = 4;
|
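Review bot: Only `borg/passphrase` is declared as an `age.secrets` entry at the top of this file, while the commit also adds `secrets/falkenstein/borg/key.age` and a recipient rule for it; no hunk on this page installs that file on the host. If it is a stored copy of the repository key rather than something borgmatic reads, a comment next to the declaration would make that explicit, for example `# borg/key.age is kept encrypted in the repo only; it is not deployed`. The `services.borgmatic` block continues outside both hunks.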
||||||
|
|
|
@ -1,12 +1,15 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
{
|
{
|
||||||
sops.secrets = {
|
age.secrets = {
|
||||||
"wireguard/dorm/private" = {
|
"wireguard/dorm/private" = {
|
||||||
|
file = ../../../../secrets/falkenstein/wireguard/dorm/private.age;
|
||||||
owner = config.users.users.systemd-network.name;
|
owner = config.users.users.systemd-network.name;
|
||||||
};
|
};
|
||||||
"wireguard/dorm/preshared" = {
|
"wireguard/dorm/preshared" = {
|
||||||
|
file = ../../../../secrets/falkenstein/wireguard/dorm/preshared.age;
|
||||||
owner = config.users.users.systemd-network.name;
|
owner = config.users.users.systemd-network.name;
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "falkenstein-1";
|
hostName = "falkenstein-1";
|
||||||
|
@ -46,14 +49,14 @@
|
||||||
Name = "wg0";
|
Name = "wg0";
|
||||||
};
|
};
|
||||||
wireguardConfig = {
|
wireguardConfig = {
|
||||||
PrivateKeyFile = config.sops.secrets."wireguard/dorm/private".path;
|
PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path;
|
||||||
ListenPort = 51820;
|
ListenPort = 51820;
|
||||||
};
|
};
|
||||||
wireguardPeers = [
|
wireguardPeers = [
|
||||||
{
|
{
|
||||||
wireguardPeerConfig = {
|
wireguardPeerConfig = {
|
||||||
PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
|
PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
|
||||||
PresharedKeyFile = config.sops.secrets."wireguard/dorm/preshared".path;
|
PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
|
||||||
Endpoint = "dorm.vpn.rfive.de:51820";
|
Endpoint = "dorm.vpn.rfive.de:51820";
|
||||||
AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
|
AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
|
||||||
};
|
};
|
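Review bot: The secret names are inconsistent across the commit: `"wireguard/dorm/private"` and `"wireguard/dorm/preshared"` keep their sops-style slash names, as does `"borg/passphrase"` in the borg section, while the pfersel and purge sections switch to bare names. As far as I know, agenix uses the attribute name as the file name under its secrets directory, so the slash names become nested paths there. Picking one convention, e.g. `age.secrets.wireguard-dorm-private`, would keep the runtime layout uniform. The `wireguardPeers` list continues outside the second hunk.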
||||||
|
|
|
@ -1,10 +1,13 @@
|
||||||
{ config, ... }:
|
{ config, ... }:
|
||||||
{
|
{
|
||||||
sops.secrets."pfersel/token".owner = "pfersel";
|
age.secrets.pfersel = {
|
||||||
|
file = ../../../../secrets/falkenstein/pfersel.age;
|
||||||
|
owner = "pfersel";
|
||||||
|
};
|
||||||
services.pfersel = {
|
services.pfersel = {
|
||||||
enable = true;
|
enable = true;
|
||||||
discord = {
|
discord = {
|
||||||
tokenFile = config.sops.secrets."pfersel/token".path;
|
tokenFile = config.age.secrets.pfersel.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
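Review bot: `owner = "pfersel";` is a bare string, whereas the networking section of this commit takes the owner from `config.users.users.systemd-network.name`. Assuming the pfersel module declares its user under `users.users`, writing `owner = config.users.users.pfersel.name;` turns a missing or renamed user into an evaluation error instead of a failed chown when the secret is installed. The rename from `"pfersel/token"` to `pfersel` also drops the hint that the file holds the Discord token; a short comment on the declaration would restore it.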
||||||
|
|
|
@ -3,13 +3,15 @@ let
|
||||||
domain = "purge.${config.networking.domain}";
|
domain = "purge.${config.networking.domain}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets."purge/token" = { };
|
age.secrets.purge = {
|
||||||
|
file = ../../../../secrets/falkenstein/purge.age;
|
||||||
|
};
|
||||||
services.purge = {
|
services.purge = {
|
||||||
enable = true;
|
enable = true;
|
||||||
discord = {
|
discord = {
|
||||||
clientId = "941041925216157746";
|
clientId = "941041925216157746";
|
||||||
publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402";
|
publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402";
|
||||||
tokenFile = config.sops.secrets."purge/token".path;
|
tokenFile = config.age.secrets.purge.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
services.nginx.virtualHosts."${domain}" = {
|
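Review bot: `age.secrets.purge` sets no `owner`, so the decrypted token gets the agenix defaults (root-owned, mode 0400), unlike the pfersel secret, which is handed to its service user. That matches the old `sops.secrets."purge/token" = { };`, so it is presumably intended, but nothing in the hunk says how the service reads a root-only file. A one-line comment would settle it, e.g. `# root-only on purpose: <how the purge module loads tokenFile>`. The `services.nginx.virtualHosts` block continues outside the hunk.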
||||||
|
|
|
@ -20,4 +20,12 @@ in
|
||||||
"secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
|
"secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
|
||||||
"secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
|
"secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
|
||||||
"secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
|
"secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
|
||||||
|
|
||||||
|
# falkenstein
|
||||||
|
"secrets/falkenstein/purge.age".publicKeys = [ rouven falkenstein ];
|
||||||
|
"secrets/falkenstein/pfersel.age".publicKeys = [ rouven falkenstein ];
|
||||||
|
"secrets/falkenstein/wireguard/dorm/private.age".publicKeys = [ rouven falkenstein ];
|
||||||
|
"secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ];
|
||||||
|
"secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ];
|
||||||
|
"secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ];
|
||||||
}
|
}
|
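Review bot: The six new rules encrypt to `[ rouven falkenstein ]`, but the sops file deleted in this same commit stays in the repository history, still readable by its old recipients (it lists one age recipient and one PGP fingerprint). If the values were carried over unchanged rather than regenerated, retiring those older keys does not retire access to the bot tokens, the WireGuard keys or the borg passphrase; only rotating the secrets themselves does. The commit message could state whether the secrets were rotated or only re-encrypted. The `let` bindings for `rouven` and `falkenstein` are outside the hunk.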
||||||
|
|
|
@ -1,51 +0,0 @@
|
||||||
purge:
|
|
||||||
token: ENC[AES256_GCM,data:mCK0xAgF4Q8DOTPVRg/O5L8kpDItNj8U0ikoKOOZC3Dv50Yt/nqvq4j4fM0CQ836pxCutir6FkTKbS5xS5XqKoSzu8E/0Q==,iv:JDqyeG+g3RAHmMD4uxS6eyQYYI50X6Bwutp+/v2ngq8=,tag:JkqLWoSwwghNUCD2+I6Njg==,type:str]
|
|
||||||
pfersel:
|
|
||||||
token: ENC[AES256_GCM,data:MFxzpT6sqzhDpZya4/eI77LbHXekzfTQWZrjd/aot2MzRXicaCUabEUqnR40QnW9HujOTW0+A+9Be5mDX6OqVDt2ioKVxg==,iv:UTTWL7uSVgpkLnXTkvojC/fotkDISdyBrGDiegXqMuQ=,tag:+8+Th/M9U9mJX6i2YCPBbg==,type:str]
|
|
||||||
wireguard:
|
|
||||||
dorm:
|
|
||||||
private: ENC[AES256_GCM,data:Wk6g0UW6onEQYh2Sjoh8pXtaxzQehbYzulS32LHENombOdM3xT6fLBRuI3o=,iv:i5HqTr/WV8tiBud1BApPWC2z1Ck5LiTRJ1MP8/1AH5U=,tag:ISAHSJCNzS/MCiPkPh6CXQ==,type:str]
|
|
||||||
preshared: ENC[AES256_GCM,data:8n4LJb9EeGfYp3VV4iL9O+IadsGok9EWZESXdkGDk/LwYUvKRxkFsfIUmA0=,iv:dAY3h8U+/+Ac4t7HIjTj2LvX2g6LUT9s8U4GU4tvPV0=,tag:UI7mOiQGWVnmIYJe8C1gpw==,type:str]
|
|
||||||
borg:
|
|
||||||
passphrase: ENC[AES256_GCM,data:54KCMu574Uj01sqnfBX9BqFc5+dx1Se7,iv:NgodekAUw0pNddA36oIranISkvUQIxZRmZW4s1UIHdU=,tag:frep/WspsozTL1V/OfuTxw==,type:str]
|
|
||||||
key: ENC[AES256_GCM,data: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,iv:8yl4F9+g+SfjvHVJKCTFXS9JU0Kzy7TqIX3HtQQt/n0=,tag:4r6A1K0zHSycglcZYGnkWw==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age:
|
|
||||||
- recipient: age1de938w6hzpv4cuzss7v3pt0chv4d0t220ue5n9d93ffuak7u949sumnhz3
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbVdnVDQzbFAvWTNkNVdX
|
|
||||||
T1JIcXlkVEdiV3FiVlowWFllc2ZmTHZQbmpjCis1bmU1cC9TUGJSWHB2MGtER3h6
|
|
||||||
SVAvTE5ORElPV3ByUHBmL3ZiN2xMemsKLS0tIEpmSmZ1cE8zZXZhd3Z6Wm94c0M0
|
|
||||||
NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam
|
|
||||||
20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
lastmodified: "2023-10-19T09:45:38Z"
|
|
||||||
mac: ENC[AES256_GCM,data:b4KtXV64oYJu1VO63NQFJ16O9q509YThkJZXTbqnhgLlxmoZ3HEwQRYnsg3MgBOxj3Im9RhIj341f8p3JFnz/WM56ii9gJHPP+uaYJit4Pln6qqwa69rd+OLVUShz0NESNFCHuTYzPyREZOz5Y2N+QPIbhSE8L+2uleIsB9Lv78=,iv:qSs2R569Vp4BPuYpGedDxo19Ua4bhHzP1fFUdMtlvkk=,tag:BlWL5Dyh+AqDYDZHNglyHA==,type:str]
|
|
||||||
pgp:
|
|
||||||
- created_at: "2023-04-12T15:47:07Z"
|
|
||||||
enc: |-
|
|
||||||
-----BEGIN PGP MESSAGE-----
|
|
||||||
|
|
||||||
wcFMAzUXo8ZPJwGLARAAl3zDxzwqZFW6P9/ZtKPqby5wiXYXro/LQd1UivAuTTLD
|
|
||||||
FFMCZNufGTGsEgatYCiljgFao7grpZxnPPMhX7q9fbVxM+DKT2D0Zs3zeAHlwXAi
|
|
||||||
VxZh34AOKXMQR1s7Xo2KbiT1zikQqvSp/EHbNQOG+Ivi1rMCw5/woobNmfEidmp2
|
|
||||||
TRlM5EK3hxYmcfXqOQFPo5/E+B87qsfD2BdK/2+TMp6eCvHnESeSPXfB/3Fwqv13
|
|
||||||
t8HI6RRm3Iz71aFW/AQxVYaPm+NiFLYFZqWDCeYjXw/90DcsJ2MkRHSn3sc2pCAL
|
|
||||||
7uip2qvEopUTNoMTmFiLo71/uuof0PBZH9IDmmIGzxH79eri11uoTm4CtN90Up+d
|
|
||||||
pcijNgbtwQXkxZmmhvitJG3rcncMkvMUZk6tOI0WmBkfxSWtVZcrieTdeBixnDOH
|
|
||||||
MRTzpVejz/5bMRybjvWtEj/z7GpYnfWX8auCdqCTz6C6RK3XEBz4/o1z17VA3Rjc
|
|
||||||
Ixs8otpEzKXUBsUY7MSgokr6+YveBmOnCto7r447elKLmlBDL0NB5yKbQZJjaniG
|
|
||||||
4BSxhGNxB3wJgMv01XOVBkciJ05qIGIZhprA+oyBS5jBzRJyYfOoiDtxp9S8rCar
|
|
||||||
OmF9RqdaiXfBNY+VGz+1kIzuU+5UT8wOSOKIzXMtqD0/QEmXTySg9JAiCF+U483S
|
|
||||||
UQHXKfb1LnOhV430IRANtlpaPSwoNR4/UVynaQvg+OIQmLDqNKRVd30ZgMp5hujq
|
|
||||||
w/osV7AXq987ayqexjfIKyqiNZJBuPB5XaMwenHaSD04kQ==
|
|
||||||
=CmnW
|
|
||||||
-----END PGP MESSAGE-----
|
|
||||||
fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
|
|
||||||
unencrypted_suffix: _unencrypted
|
|
||||||
version: 3.8.1
|
|
BIN
secrets/falkenstein/borg/key.age
Normal file
BIN
secrets/falkenstein/borg/key.age
Normal file
Binary file not shown.
BIN
secrets/falkenstein/borg/passphrase.age
Normal file
BIN
secrets/falkenstein/borg/passphrase.age
Normal file
Binary file not shown.
BIN
secrets/falkenstein/pfersel.age
Normal file
BIN
secrets/falkenstein/pfersel.age
Normal file
Binary file not shown.
9
secrets/falkenstein/purge.age
Normal file
9
secrets/falkenstein/purge.age
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 uWbAHQ /f7KCfInXMZTdiOfqdjhUNESlLE8E5I33tQXWZEW1UU
|
||||||
|
WFOxiMW2ejkS8+Xd+7AgtrNQ2OwT1eADcJ/ksXxWNaI
|
||||||
|
-> ssh-ed25519 slrRig yYjvDl6lr2JtQRC3AvwSg0j9iBdl64i1V5vdD7bAhQ0
|
||||||
|
vUbfUbVV8iVAsWzyzbXNOhgiZVM716i1T3o+CnHY7MM
|
||||||
|
-> d7x4-grease AKG{#;x! s^5 bs-I$3<
|
||||||
|
HBnmeOkncFXRxxgxsIRiov0wTfmpEN4xJjPL7YwGtu9EQ8g2uPtMpX9g63KqdQ
|
||||||
|
--- SJNRQFMTquAWvFtmQYivrb79m0pLapCzIdcKCGkoQzg
|
||||||
|
Ò1ÚiÙÿ4Ý>Ï<>c&…nk_½®TÅÖ]°§d³™U ì‘<C3AC>z¾Zÿ><3E>€T¯æŽ}3ŒÝ—’ñ®%.<2E>>‚_Û“ZŒ½À\™ßcw˜ö<CB9C>úí‚‚jù(í{+Œ<>I…MtîâIç"“
|
BIN
secrets/falkenstein/wireguard/dorm/preshared.age
Normal file
BIN
secrets/falkenstein/wireguard/dorm/preshared.age
Normal file
Binary file not shown.
10
secrets/falkenstein/wireguard/dorm/private.age
Normal file
10
secrets/falkenstein/wireguard/dorm/private.age
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 uWbAHQ A/s5+yPiVZuHo/Xv12T32m/besBeYxvmpv3xm02DhzA
|
||||||
|
98fj+vaNvWrldQQlDCnggwopkYp3Bkk02/cQ7UzKSfw
|
||||||
|
-> ssh-ed25519 slrRig BGDI83NERkziioPPySGZXXLK1mErLfXhHbgABhq5KTg
|
||||||
|
/ofrSvbO3FGaq5O4OlKwbzz6M8J/auJ5xlRtYLSf6AE
|
||||||
|
-> a.%y-grease =mU^
|
||||||
|
8B7GCear7tUUXTjo4quSeeDnD/8rkr3/39p9RZ6qnH+rWmQAZE+d/9NZ9BheuCD4
|
||||||
|
BOmsbsc2DEHf1mVi/QMF285c/5WujllNnQ
|
||||||
|
--- 2cThrg9xymCyM+uA69iNtGGIJoMBj+/Oc2ZjXqX6QQQ
|
||||||
|
ϯT H÷_R'¥ñ“<»ÃZà±H4X<34>ÈŠssInáWfQeâ£<C3A2>MþÕ¿¸¸ÐÃìŸHèZ<C3A8>S°“ ØÔÙŦFÒó"S¸ KqDÇ¿š†…
|