cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

secrets: migrate ytnix to new structure

Browse source
This commit is contained in:
cy 2024-12-16 21:45:58 -05:00
parent 59fc4229a0
commit ed8a15bfea
3 changed files with 16 additions and 48 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
hosts/ytnix/.sops.yaml
View file

@ -1,7 +0,0 @@
keys:
- &primary age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *primary

28
hosts/ytnix/default.nix
View file

@ -11,15 +11,19 @@
../common.nix ../common.nix
]; ];
sops.defaultSopsFile = ./secrets.yaml;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = { sops.secrets = {
"borg/yt" = {}; "services/borg/yt" = {
"azure" = {}; sopsFile = ../../secrets/services/borg/yt.yaml;
"ntfy" = {}; };
"wireguard/private" = {}; "services/ntfy" = {
"wireguard/psk" = {}; sopsFile = ../../secrets/services/ntfy.yaml;
};
"wireguard/yt/private" = {
sopsFile = ../../secrets/wireguard/yt.yaml;
};
"wireguard/yt/psk" = {
sopsFile = ../../secrets/wireguard/yt.yaml;
};
}; };
boot = { boot = {
@ -183,7 +187,7 @@
repo = "de3911@de3911.rsync.net:borg/yt"; repo = "de3911@de3911.rsync.net:borg/yt";
encryption = { encryption = {
mode = "repokey-blake2"; mode = "repokey-blake2";
passCommand = "cat /run/secrets/borg/yt"; passCommand = ''cat ${config.sops.secrets."borg/yt/rsyncnet".path}"'';
}; };
environment = { environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519"; BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
@ -195,7 +199,7 @@
# warnings are often not that serious # warnings are often not that serious
failOnWarnings = false; failOnWarnings = false;
postHook = '' postHook = ''
${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "ytnixRsync: backup completed with exit code: $exitStatus ${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy/ntfy".path}) -d "ytnixRsync: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \ $(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk https://ntfy.cything.io/chunk
''; '';
@ -284,14 +288,14 @@
# wireguard setup # wireguard setup
networking.wg-quick.interfaces.wg0 = { networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"]; address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
privateKeyFile = "/run/secrets/wireguard/private"; privateKeyFile = config.sops.secrets."wireguard/yt/private".path;
peers = [ peers = [
{ {
publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0="; publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
allowedIPs = ["0.0.0.0/0" "::/0"]; allowedIPs = ["0.0.0.0/0" "::/0"];
endpoint = "31.59.129.225:51820"; endpoint = "31.59.129.225:51820";
persistentKeepalive = 25; persistentKeepalive = 25;
presharedKeyFile = "/run/secrets/wireguard/psk"; presharedKeyFile = config.sops.secrets."wireguard/yt/psk".path;
} }
]; ];
}; };

29
hosts/ytnix/secrets.yaml
View file

@ -1,29 +0,0 @@
borg:
yt: ENC[AES256_GCM,data:CGcdcA9LnDDlTYJwsT25uY9h70yJtKhxgA==,iv:F25VTezkd4RQd7BZ3DD39hPiPj+Z3H01IgPhCGUQ5aM=,tag:mxLPXR/ffBXkByk1R1PYvQ==,type:str]
restic:
azure-yt: ENC[AES256_GCM,data:s8TJ5cNVW2Jr7kyul8mrBGwdLoTlNTb2MfpZgPU=,iv:sC0DbgFbFl6vvLqwOFDwRa3nabrIWxOTuz7GXn17IHk=,tag:2MYprYgNhh1aFlzuyw5eGQ==,type:str]
azure: ENC[AES256_GCM,data:UdHmasRElCFC66dxnnGTOw6vgOzrOIMiSLsczK0Qew2WBdZUKVnRTfSCxQrB7P8k+j3N2CDt5Y4GXvf9GVFrWCMOInOqYXcyycGXsdli2DbqpXTa3f13ykvc/aoKyw3YuFQdrNci3Kae9PYZ4v5f7fH8n4WgOKuYj3mO9k7WHxM1JBzYRRZP41Jghnb9SqVhl9UXVPI5ONBd6JI/FiezSMZPYC2FxNgQ7zHUQJ7qQ6aJTgRljslJK9I=,iv:bRoYEA1hbEXRG7PoU7Dfba9uRu3cAqfeuvSIfavZZ8M=,tag:cHXUe/njZNoG6EuHYYz0Yg==,type:str]
ntfy: ENC[AES256_GCM,data:ZfTVhdzA1+L3B+g7tw==,iv:1dXDqYi5/zBQ9iphzjn/GHGDcl90J1NYHvHQpTsVPlg=,tag:RfB1/Zz9ITJQV89cuk9OcQ==,type:str]
wireguard:
private: ENC[AES256_GCM,data:hPfJis6gbPPguuhNBViiZDmeFSaUXsgRrCGrhTFzbySIytVuaieU0BJSJQo=,iv:tYU41JTeB7Y50RQr1b+zGCgB5voZec2Vfmd350J1Tgc=,tag:aFMZoJhMToJDuuV8dc5Acg==,type:str]
psk: ENC[AES256_GCM,data:NhQ1lYFpjTpqbkhYyEpEcBTf6vewSeGevUnvCmruoZMSGA2ZWs+le8a0tAA=,iv:aBeVhzUwzBgochk4vtdqnUv61dZ5jELh28amx8XqyFI=,tag:9TvGx+sJaicX52FitOpOdA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUmhsRDljYWJLS2tzUC90
a1oxZGZBUy9LaFpJeTF2MmZWQnl1NU0vQkc0CklnTGszaHRCRW5GYUU1OU9NVjVH
SW02OWVXNDNSMTFyV2NUU2xTV1dlTGMKLS0tIGpKT3lQd3I0T0xEMWo2ekd1MmM3
a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY
ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-14T23:07:47Z"
mac: ENC[AES256_GCM,data:GQUbR/ApVo6E5jqkGo79GDkRv7nj7Sa16ROCTg0uYO0xDmv9h/bPWBTUOfsU0G/0g3OvohLkBbmYA+hMx24xlLQzQkh8Z3dyAn9CcAJ2j9JLY7qHtSBpvafyPptvKzmPU0mnQpShgqYPCUhF6A2B2YAAvW+TknBih7eiKKeidkc=,iv:XLKIad/LZWuWUrrcXtF0UyNccLhoB0VSWXYCGDq/7Uc=,tag:lNyMV8Ses28gOj+KINem5A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2