89 lines
3.3 KiB
Nix
89 lines
3.3 KiB
Nix
let
|
|
# https://wiki.nixos.org/wiki/Agenix
|
|
# https://github.com/ryantm/agenix
|
|
#?? cd secrets/
|
|
#?? agenix --edit file.age
|
|
#?? agenix --rekey
|
|
# Users that imperatively encrypt age files
|
|
#!! Imperative client key generation
|
|
#?? ssh-keygen -f ~/.ssh/id_ed25519 -N ''
|
|
users = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcKnHQnd75sTQa8EchKbanEb8w26g53TY9QAp5NZxUa myned@mynix"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ekzJc0RvrxIVAanfqkns7DpRdG2+UGPE5prx4h11a myned@myork"
|
|
];
|
|
|
|
# Profiles that decrypt age files during activation
|
|
#!! Imperative host key generation without sshd service
|
|
#?? sudo ssh-keygen -f /etc/ssh/id_ed25519 -N ''
|
|
consoles = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJh8nTTOUsmKQa7zIftN2k8BgbQbXENc98KSJIyorMON root@myeck"
|
|
];
|
|
|
|
desktops = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKKqfRtKZ+8Qm9DjurAJ8Ob4IZjAWZQjNGQXgQVRr8M root@mynix"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoIYRj59beHz2S1NNQaC34SteLHbhG7BZAeQ8bmUp0g root@myork"
|
|
];
|
|
|
|
sbcs = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUu7C0uj4Ia5Xzttbeq3em1DbhEdMDrm9MOoFcw+BLU root@mypi3"
|
|
];
|
|
|
|
servers = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgrWvzp14Vj+aMd3b9w6e3/xbkHfNZoswsAg9QtUcDc root@myne"
|
|
];
|
|
|
|
common = users ++ consoles ++ desktops ++ sbcs ++ servers;
|
|
console = users ++ consoles;
|
|
desktop = users ++ desktops;
|
|
sbc = users ++ sbcs;
|
|
server = users ++ servers;
|
|
in {
|
|
# TODO: Move secrets into each profile
|
|
#?? config.age.secrets."PROFILE/SECRET".path
|
|
|
|
### Common
|
|
"common/nix/access-tokens.conf".publicKeys = common;
|
|
"common/geoclue2/geolocation".publicKeys = common;
|
|
"common/tailscale/tailnet".publicKeys = common;
|
|
|
|
### Console
|
|
"console/users/myned.pass".publicKeys = console;
|
|
"console/users/root.pass".publicKeys = console;
|
|
|
|
### Desktop
|
|
"desktop/bitwarden/client_id".publicKeys = desktop;
|
|
"desktop/bitwarden/client_secret".publicKeys = desktop;
|
|
"desktop/users/myned.pass".publicKeys = desktop;
|
|
"desktop/users/root.pass".publicKeys = desktop;
|
|
"desktop/vm/myndows.pass".publicKeys = desktop;
|
|
|
|
### SBC
|
|
"sbc/borgmatic/borgbase.mypi3".publicKeys = sbc;
|
|
"sbc/create_ap/passphrase".publicKeys = sbc;
|
|
"sbc/create_ap/ssid".publicKeys = sbc;
|
|
"sbc/netdata/child.conf".publicKeys = sbc;
|
|
"sbc/users/myned.pass".publicKeys = sbc;
|
|
"sbc/users/root.pass".publicKeys = sbc;
|
|
|
|
### Server
|
|
"server/borgmatic/borgbase".publicKeys = server;
|
|
"server/caddy/Caddyfile".publicKeys = server;
|
|
"server/conduwuit/conduwuit.toml".publicKeys = server;
|
|
"server/coturn/coturn.conf".publicKeys = server;
|
|
"server/forgejo/.env".publicKeys = server;
|
|
"server/forgejo/db.env".publicKeys = server;
|
|
"server/foundryvtt/.env".publicKeys = server;
|
|
"server/headscale/.env".publicKeys = server;
|
|
"server/mastodon/.env".publicKeys = server;
|
|
"server/mastodon/db.env".publicKeys = server;
|
|
"server/matrix-conduit/conduwuit.toml".publicKeys = server;
|
|
"server/netbox/.env".publicKeys = server;
|
|
"server/netbox/cache.env".publicKeys = server;
|
|
"server/netbox/db.env".publicKeys = server;
|
|
"server/netdata/parent.conf".publicKeys = server;
|
|
"server/nextcloud/.env".publicKeys = server;
|
|
"server/nextcloud/db.env".publicKeys = server;
|
|
"server/searxng/.env".publicKeys = server;
|
|
"server/users/myned.pass".publicKeys = server;
|
|
"server/users/root.pass".publicKeys = server;
|
|
}
|