agenix: migrate falkenstein

This commit is contained in:
Rouven Seifert 2023-11-16 15:08:13 +01:00
parent 3c5095f144
commit dcaa017e5d
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
13 changed files with 48 additions and 63 deletions


@ -109,9 +109,9 @@
nixos-hardware.nixosModules.common-pc-ssd
nix-index-database.nixosModules.nix-index
impermanence.nixosModules.impermanence
agenix.nixosModules.default
./hosts/nuc
./shared
agenix.nixosModules.default
{
nixpkgs.overlays = [ self.overlays.default ];
}
@ -123,12 +123,11 @@
modules = [
./hosts/falkenstein-1
./shared
./shared/sops.nix
{
nixpkgs.overlays = [ self.overlays.default ];
}
nix-index-database.nixosModules.nix-index
sops-nix.nixosModules.sops
agenix.nixosModules.default
purge.nixosModules.default
trucksimulatorbot.nixosModules.default
pfersel.nixosModules.default
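Review bot: Dropping `./shared/sops.nix` and `sops-nix.nixosModules.sops` from the falkenstein-1 module list means any `sops.*` option still set in a module under `./hosts/falkenstein-1` or `./shared` that this commit does not touch will fail evaluation as an undefined option; the four falkenstein modules in this commit are converted, but the shared tree is not visible in the diff, so that is worth a `nix flake check` before deploying. The nuc hunk above only moves `agenix.nixosModules.default` below `./shared`, which has no effect on evaluation since module order does not matter to the NixOS module system; a one-line reason in the commit description (grouping for readability) would explain why it is part of a migration commit. Both `modules` lists start outside their hunks.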


@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{
sops.secrets."borg/passphrase" = { };
age.secrets."borg/passphrase" = {
file = ../../../../secrets/falkenstein/borg/passphrase.age;
};
environment.systemPackages = [ pkgs.borgbackup ];
services.borgmatic = {
enable = true;
@ -17,7 +19,7 @@
label = "nuc";
}
];
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}";
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg/passphrase".path}";
compression = "lz4";
keep_daily = 7;
keep_weekly = 4;


@ -1,12 +1,15 @@
{ config, lib, ... }:
{
sops.secrets = {
age.secrets = {
"wireguard/dorm/private" = {
file = ../../../../secrets/falkenstein/wireguard/dorm/private.age;
owner = config.users.users.systemd-network.name;
};
"wireguard/dorm/preshared" = {
file = ../../../../secrets/falkenstein/wireguard/dorm/preshared.age;
owner = config.users.users.systemd-network.name;
};
};
networking = {
hostName = "falkenstein-1";
@ -46,14 +49,14 @@
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wireguard/dorm/private".path;
PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path;
ListenPort = 51820;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
PresharedKeyFile = config.sops.secrets."wireguard/dorm/preshared".path;
PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
Endpoint = "dorm.vpn.rfive.de:51820";
AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
};


@ -1,10 +1,13 @@
{ config, ... }:
{
sops.secrets."pfersel/token".owner = "pfersel";
age.secrets.pfersel = {
file = ../../../../secrets/falkenstein/pfersel.age;
owner = "pfersel";
};
services.pfersel = {
enable = true;
discord = {
tokenFile = config.sops.secrets."pfersel/token".path;
tokenFile = config.age.secrets.pfersel.path;
};
};
}
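Review bot: The secret is renamed from the hierarchical `pfersel/token` to a flat `pfersel` here, and likewise `purge/token` to `purge` in the purge module, while the borg and wireguard modules in this same commit keep the slash-separated names (`"borg/passphrase"`, `"wireguard/dorm/private"`). Since the attribute name is also what the decrypted file is exposed under, one naming scheme across the host would keep these modules consistent; keeping the old name costs only `age.secrets."pfersel/token" = {` and `tokenFile = config.age.secrets."pfersel/token".path;`, with `file` left pointing at `pfersel.age` as it does now.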


@ -3,13 +3,15 @@ let
domain = "purge.${config.networking.domain}";
in
{
sops.secrets."purge/token" = { };
age.secrets.purge = {
file = ../../../../secrets/falkenstein/purge.age;
};
services.purge = {
enable = true;
discord = {
clientId = "941041925216157746";
publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402";
tokenFile = config.sops.secrets."purge/token".path;
tokenFile = config.age.secrets.purge.path;
};
};
services.nginx.virtualHosts."${domain}" = {
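Review bot: `age.secrets.purge` sets only `file`, so the decrypted token keeps agenix's defaults (root-owned, mode 0400), whereas the pfersel module in this same commit sets `owner = "pfersel"` for its token. If `services.purge` runs under its own user, `tokenFile` would be unreadable at runtime; the replaced `sops.secrets."purge/token" = { };` had no owner either, so this may be intentional (the service reading the file as root), but it is worth confirming against the purge module and, if the service has a dedicated user, adding `owner = "purge";` next to `file`. The enclosing `let … in` starts outside the hunk.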


@ -20,4 +20,12 @@ in
"secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
# falkenstein
"secrets/falkenstein/purge.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/pfersel.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/wireguard/dorm/private.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ];
"secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ];
}
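Review bot: `secrets/falkenstein/borg/key.age` is encrypted to the `falkenstein` host recipient, but none of the module hunks in this commit declares `age.secrets."borg/key"`; the borg module only consumes `borg/passphrase`, as the sops version did. If the repository key is kept only for manual restores, encrypting it to the host key extends what that host can decrypt without a consumer, so either drop `falkenstein` from that entry or record the intent above it, e.g. `# borg/key: not consumed by a module, kept for manual restore`. The `let` binding that defines `rouven` and `falkenstein` is outside the hunk, so it is not checked here.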


@ -1,51 +0,0 @@
purge:
token: ENC[AES256_GCM,data:mCK0xAgF4Q8DOTPVRg/O5L8kpDItNj8U0ikoKOOZC3Dv50Yt/nqvq4j4fM0CQ836pxCutir6FkTKbS5xS5XqKoSzu8E/0Q==,iv:JDqyeG+g3RAHmMD4uxS6eyQYYI50X6Bwutp+/v2ngq8=,tag:JkqLWoSwwghNUCD2+I6Njg==,type:str]
pfersel:
token: ENC[AES256_GCM,data:MFxzpT6sqzhDpZya4/eI77LbHXekzfTQWZrjd/aot2MzRXicaCUabEUqnR40QnW9HujOTW0+A+9Be5mDX6OqVDt2ioKVxg==,iv:UTTWL7uSVgpkLnXTkvojC/fotkDISdyBrGDiegXqMuQ=,tag:+8+Th/M9U9mJX6i2YCPBbg==,type:str]
wireguard:
dorm:
private: ENC[AES256_GCM,data:Wk6g0UW6onEQYh2Sjoh8pXtaxzQehbYzulS32LHENombOdM3xT6fLBRuI3o=,iv:i5HqTr/WV8tiBud1BApPWC2z1Ck5LiTRJ1MP8/1AH5U=,tag:ISAHSJCNzS/MCiPkPh6CXQ==,type:str]
preshared: ENC[AES256_GCM,data:8n4LJb9EeGfYp3VV4iL9O+IadsGok9EWZESXdkGDk/LwYUvKRxkFsfIUmA0=,iv:dAY3h8U+/+Ac4t7HIjTj2LvX2g6LUT9s8U4GU4tvPV0=,tag:UI7mOiQGWVnmIYJe8C1gpw==,type:str]
borg:
passphrase: ENC[AES256_GCM,data:54KCMu574Uj01sqnfBX9BqFc5+dx1Se7,iv:NgodekAUw0pNddA36oIranISkvUQIxZRmZW4s1UIHdU=,tag:frep/WspsozTL1V/OfuTxw==,type:str]
key: ENC[AES256_GCM,data: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,iv:8yl4F9+g+SfjvHVJKCTFXS9JU0Kzy7TqIX3HtQQt/n0=,tag:4r6A1K0zHSycglcZYGnkWw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1de938w6hzpv4cuzss7v3pt0chv4d0t220ue5n9d93ffuak7u949sumnhz3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbVdnVDQzbFAvWTNkNVdX
T1JIcXlkVEdiV3FiVlowWFllc2ZmTHZQbmpjCis1bmU1cC9TUGJSWHB2MGtER3h6
SVAvTE5ORElPV3ByUHBmL3ZiN2xMemsKLS0tIEpmSmZ1cE8zZXZhd3Z6Wm94c0M0
NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam
20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-19T09:45:38Z"
mac: ENC[AES256_GCM,data:b4KtXV64oYJu1VO63NQFJ16O9q509YThkJZXTbqnhgLlxmoZ3HEwQRYnsg3MgBOxj3Im9RhIj341f8p3JFnz/WM56ii9gJHPP+uaYJit4Pln6qqwa69rd+OLVUShz0NESNFCHuTYzPyREZOz5Y2N+QPIbhSE8L+2uleIsB9Lv78=,iv:qSs2R569Vp4BPuYpGedDxo19Ua4bhHzP1fFUdMtlvkk=,tag:BlWL5Dyh+AqDYDZHNglyHA==,type:str]
pgp:
- created_at: "2023-04-12T15:47:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=CmnW
-----END PGP MESSAGE-----
fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
unencrypted_suffix: _unencrypted
version: 3.8.1

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 uWbAHQ /f7KCfInXMZTdiOfqdjhUNESlLE8E5I33tQXWZEW1UU
WFOxiMW2ejkS8+Xd+7AgtrNQ2OwT1eADcJ/ksXxWNaI
-> ssh-ed25519 slrRig yYjvDl6lr2JtQRC3AvwSg0j9iBdl64i1V5vdD7bAhQ0
vUbfUbVV8iVAsWzyzbXNOhgiZVM716i1T3o+CnHY7MM
-> d7x4-grease AKG{#;x! s^5 bs-I$3<
HBnmeOkncFXRxxgxsIRiov0wTfmpEN4xJjPL7YwGtu9EQ8g2uPtMpX9g63KqdQ
--- SJNRQFMTquAWvFtmQYivrb79m0pLapCzIdcKCGkoQzg
Ò1ÚiÙÿ4Ý>Ï<>c&…nk_½®TÅÖ]°§d³™U ì<C3AC>z¾Zÿ><3E>€T¯æŽ}3ŒÝ—ñ®%.<2E>>“ZŒ½À\™ßcw˜ö<CB9C>ú íjù(í{+Œ<>I…MtîâIç"“

Binary file not shown.


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 uWbAHQ A/s5+yPiVZuHo/Xv12T32m/besBeYxvmpv3xm02DhzA
98fj+vaNvWrldQQlDCnggwopkYp3Bkk02/cQ7UzKSfw
-> ssh-ed25519 slrRig BGDI83NERkziioPPySGZXXLK1mErLfXhHbgABhq5KTg
/ofrSvbO3FGaq5O4OlKwbzz6M8J/auJ5xlRtYLSf6AE
-> a.%y-grease =mU^
8B7GCear7tUUXTjo4quSeeDnD/8rkr3/39p9RZ6qnH+rWmQAZE+d/9NZ9BheuCD4
BOmsbsc2DEHf1mVi/QMF285c/5WujllNnQ
--- 2cThrg9xymCyM+uA69iNtGGIJoMBj+/Oc2ZjXqX6QQQ
ϯT H÷_R'¥ñ“<»ÃZà±H4X<34>ÈŠssInáWfQeâ£<C3A2>MþÕ¿¸¸ÐÃìŸHèZ<C3A8>S°“ ØÔÙŦFÒó"S¸ KqDÇ¿š†…