diff --git a/.sops.yaml b/.sops.yaml
index e30d6d7..17a442c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,2 +1,23 @@
+keys:
+ - &admin_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+ - &admin_niels age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
+ - &server_atlas age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf
+ - &server_jefke age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02
+ - &server_lewis age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
+ - &server_warwick age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
+
 creation_rules:
- - age: "age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw,age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga"
+ - path_regex: secrets/(kubernetes|serverKeys).yaml$
+ key_groups:
+ - age:
+ - *admin_pim
+ - *admin_niels
+ - path_regex: secrets/nixos.yaml$
+ key_groups:
+ - age:
+ - *admin_pim
+ - *admin_niels
+ - *server_atlas
+ - *server_jefke
+ - *server_lewis
+ - *server_warwick
diff --git a/README.md b/README.md
index 95b11bc..72bde6c 100644
--- a/README.md
+++ b/README.md
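Review bot: The `secrets/nixos.yaml` rule lists every `server_*` recipient, so each host can decrypt the whole file, including the k3s CA and service private keys (which the k3s module previously installed only on the server role) and the borg passphrase; compromising any single host, an agent included, therefore yields the secrets of all of them. Splitting the NixOS secrets per host or per role, for example a rule `path_regex: secrets/hosts/atlas\.yaml$` whose `age` group holds only `*admin_pim`, `*admin_niels` and `*server_atlas`, keeps one host's key from unlocking another's material. Separately, the `.` before `yaml` in both `path_regex` values is an unescaped metacharacter; `secrets/(kubernetes|serverKeys)\.yaml$` and `secrets/nixos\.yaml$` match only the intended file names.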
@@ -6,12 +6,12 @@ Nix definitions to configure our servers at home.
 - [deploy-rs](https://github.com/serokell/deploy-rs): NixOS deploy tool with rollback functionality
 - [disko](https://github.com/nix-community/disko): declarative disk partitioning
-- [agenix](https://github.com/ryantm/agenix): deployment of encrypted secrets to NixOS machines
 - [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones
 - [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes
 - [nixos-hardware](https://github.com/NixOS/nixos-hardware): Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
 - [kubenix](https://kubenix.org/): declare and deploy Kubernetes resources using Nix
 - [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts
+- [sops-nix](https://github.com/Mic92/sops-nix): Sops secret management for Nix
 ## Installation
diff --git a/configuration.nix b/configuration.nix
index df03f85..d5072f3 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -3,13 +3,12 @@
 "${self}/nixos-modules"
 machine.nixosModule
 inputs.disko.nixosModules.disko
- inputs.agenix.nixosModules.default
+ inputs.sops-nix.nixosModules.sops
 ] ++ lib.lists.optional (machine.isRaspberryPi) inputs.nixos-hardware.nixosModules.raspberry-pi-4;
 config = {
 time.timeZone = "Europe/Amsterdam";
 hardware.cpu.intel.updateMicrocode = lib.mkIf (! machine.isRaspberryPi) config.hardware.enableRedistributableFirmware;
- age.identityPaths = [ "/etc/age_ed25519" ];
 nixpkgs = {
 config.allowUnfree = true;
@@ -129,5 +128,10 @@
 fi
 '';
 };
+
+ sops = {
+ age.keyFile = "/root/.config/sops/age/keys.txt";
+ defaultSopsFile = ./secrets/nixos.yaml;
+ };
 };
 }
diff --git a/flake-parts/scripts/bootstrap.sh b/flake-parts/scripts/bootstrap.sh
index daccc3e..96ea78d 100755
--- a/flake-parts/scripts/bootstrap.sh
+++ b/flake-parts/scripts/bootstrap.sh
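Review bot: `sops.age.keyFile` points at `/root/.config/sops/age/keys.txt`, which, as far as this diff shows, only the bootstrap script populates for fresh installs; hosts that were installed under agenix still carry their identity at `/etc/age_ed25519`, and nothing in this change places the new file on them, so a deploy to an existing machine presumably fails at sops-nix activation until the key is copied over by hand. A comment next to the option would spare the next maintainer that surprise: `# Populated by flake-parts/scripts/bootstrap.sh at install time; hosts bootstrapped under agenix need the key copied here before the first deploy.` With `age.identityPaths` removed, `/etc/age_ed25519` is also an unused private key on migrated hosts and should be deleted once the sops key is in place.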
@@ -34,13 +34,14 @@ cleanup() {
 trap cleanup EXIT
 # Create directory where age key will go.
-# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system.
-mkdir "$temp/etc"
+# Nixos-anywhere creates a kind of overlay and retains this structure on the final file system.
+mkdir -p "$temp/root/.config/sops/age"
-secret-tool lookup age-identity "$servername" > "$temp/etc/age_ed25519"
+# Extract and copy server's age key.
+sops -d --extract "[\"${servername}\"]" secrets/serverKeys.yaml > "$temp/root/.config/sops/age/keys.txt"
 # Set the correct permissions
-chmod 600 "$temp/etc/age_ed25519"
+chmod 600 "$temp/root/.config/sops/age/keys.txt"
 # Install NixOS to the host system with our age identity
 nixos-anywhere --extra-files "$temp" --flake ".#${servername}" "root@${hostname}"
diff --git a/flake-parts/scripts/default.nix b/flake-parts/scripts/default.nix
index 642e592..1148cb7 100644
--- a/flake-parts/scripts/default.nix
+++ b/flake-parts/scripts/default.nix
@@ -16,7 +16,7 @@ in {
 packages.bootstrap = createScript {
 name = "bootstrap";
- runtimeInputs = with pkgs; [ libsecret coreutils nixos-anywhere ];
+ runtimeInputs = with pkgs; [ sops coreutils nixos-anywhere ];
 scriptPath = ./bootstrap.sh;
 };
diff --git a/flake.lock b/flake.lock
index 1a221c4..591cb37 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,28 +1,5 @@
 {
 "nodes": {
- "agenix": {
- "inputs": {
- "darwin": "darwin",
- "home-manager": "home-manager",
- "nixpkgs": [
- "nixpkgs"
- ],
- "systems": "systems"
- },
- "locked": {
- "lastModified": 1716561646,
- "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
- "owner": "ryantm",
- "repo": "agenix",
- "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
- "type": "github"
- },
- "original": {
- "owner": "ryantm",
- "repo": "agenix",
- "type": "github"
- }
- },
 "blog-pim": {
 "inputs": {
 "flutils": "flutils",
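Review bot: The redirect `> "$temp/root/.config/sops/age/keys.txt"` creates the file under the caller's default umask (commonly 022) and the `chmod 600` only runs on a later line, so the decrypted age private key sits world-readable in `$temp` for a moment; and if `sops` fails (wrong `servername`, or an operator whose key is not in the `serverKeys.yaml` group) the redirect still leaves an empty key file behind unless the script runs under `set -e`, whose preamble is outside this hunk. Placing `umask 077` before the `mkdir -p` makes the directory tree and the key file private from the moment they exist, which also covers the copied `root/.config` path; the later `chmod 600` then becomes a harmless belt-and-braces step. Whether `nixos-anywhere --extra-files` preserves those modes on the target presumably depends on its copy step and is worth confirming; the `cleanup` function that removes `$temp` starts before this hunk.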
@@ -45,28 +22,6 @@ "url": "https://git.kun.is/home/blog-pim" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", @@ -177,7 +132,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1710146030, @@ -195,7 +150,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_6" + "systems": "systems_5" }, "locked": { "lastModified": 1701680307, @@ -212,7 +167,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_7" + "systems": "systems_6" }, "locked": { "lastModified": 1694529238, @@ -230,7 +185,7 @@ }, "flutils": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1710146030, @@ -246,34 +201,13 @@ "type": "github" } }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, "kubenix": { "inputs": { "flake-compat": "flake-compat_2", "nixpkgs": [ "nixpkgs-unstable" ], - "systems": "systems_5", + "systems": "systems_4", "treefmt": "treefmt" }, "locked": { 
@@ -398,6 +332,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1717880976, + "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1717646450, @@ -438,7 +388,7 @@ "nixhelm", "nixpkgs" ], - "systems": "systems_8", + "systems": "systems_7", "treefmt-nix": "treefmt-nix" }, "locked": { @@ -457,7 +407,6 @@ }, "root": { "inputs": { - "agenix": "agenix", "blog-pim": "blog-pim", "deploy-rs": "deploy-rs", "disko": "disko", @@ -467,7 +416,29 @@ "nixhelm": "nixhelm", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", - "nixpkgs-unstable": "nixpkgs-unstable" + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1718137936, + "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { @@ -525,9 +496,8 @@ "type": "github" }, "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" + "id": "systems", + "type": "indirect" } }, "systems_5": { @@ -540,8 +510,9 @@ "type": "github" }, "original": { - "id": "systems", - "type": "indirect" + "owner": "nix-systems", + "repo": "default", + "type": "github" } }, "systems_6": { 
@@ -560,21 +531,6 @@ } }, "systems_7": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_8": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -633,7 +589,7 @@ }, "utils": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1701680307, diff --git a/flake.nix b/flake.nix index 4278528..022af5d 100644 --- a/flake.nix +++ b/flake.nix @@ -7,16 +7,12 @@ deploy-rs.url = "github:serokell/deploy-rs"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; flake-utils.url = "github:numtide/flake-utils"; + disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; - agenix = { - url = "github:ryantm/agenix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - dns = { url = "github:kirelagin/dns.nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -36,6 +32,11 @@ url = "github:pizzapim/kubenix"; inputs.nixpkgs.follows = "nixpkgs-unstable"; }; + + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = diff --git a/kubenix-modules/attic.nix b/kubenix-modules/attic.nix index 9ea123f..ea74001 100644 --- a/kubenix-modules/attic.nix +++ b/kubenix-modules/attic.nix @@ -2,7 +2,7 @@ kubernetes.resources = let atticSettings = { - database.url = "ref+sops://secrets/sops.yaml#attic/databaseURL"; + database.url = "ref+sops://secrets/kubernetes.yaml#attic/databaseURL"; storage = { type = "local"; 
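Review bot: `database.url` keeps the fragment `#attic/databaseURL` without a leading slash, whereas every other `ref+sops://` reference rewritten in this commit (atuin, forgejo, freshrss, hedgedoc, kitchenowl, nextcloud, paperless, pihole, and `POSTGRES_PASSWORD` in the next attic hunk) uses the `#/…` form; `attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64` in the next attic hunk has the same slash-less spelling. Since these strings are being rewritten anyway, normalising the two attic entries to `"ref+sops://secrets/kubernetes.yaml#/attic/databaseURL"` and `"ref+sops://secrets/kubernetes.yaml#/attic/jwtToken"` avoids depending on the resolver accepting both spellings. The enclosing `let` block starts before this hunk.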
@@ -38,13 +38,13 @@ in { configMaps = { - attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/sops.yaml#attic/jwtToken"; + attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/kubernetes.yaml#attic/jwtToken"; attic-config.data.config = builtins.readFile generatedConfig; attic-db-env.data = { POSTGRES_DB = "attic"; POSTGRES_USER = "attic"; - POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/attic/databasePassword"; + POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/attic/databasePassword"; PGDATA = "/pgdata/data"; }; }; diff --git a/kubenix-modules/atuin.nix b/kubenix-modules/atuin.nix index 75a630a..ccbaea8 100644 --- a/kubenix-modules/atuin.nix +++ b/kubenix-modules/atuin.nix @@ -1,8 +1,8 @@ { kubernetes.resources = { secrets.atuin.stringData = { - databasePassword = "ref+sops://secrets/sops.yaml#/atuin/databasePassword"; - databaseURL = "ref+sops://secrets/sops.yaml#/atuin/databaseURL"; + databasePassword = "ref+sops://secrets/kubernetes.yaml#/atuin/databasePassword"; + databaseURL = "ref+sops://secrets/kubernetes.yaml#/atuin/databaseURL"; }; deployments.atuin = { diff --git a/kubenix-modules/forgejo/config.nix b/kubenix-modules/forgejo/config.nix index 9ca82e8..8bebdba 100644 --- a/kubenix-modules/forgejo/config.nix +++ b/kubenix-modules/forgejo/config.nix @@ -31,7 +31,7 @@ SSH_PORT = 56287; SSH_LISTEN_PORT = 22; LFS_START_SERVER = true; - LFS_JWT_SECRET = "ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret"; + LFS_JWT_SECRET = "ref+sops://secrets/kubernetes.yaml#/forgejo/lfsJwtSecret"; OFFLINE_MODE = false; }; @@ -77,7 +77,7 @@ SECRET_KEY = ""; REVERSE_PROXY_LIMIT = 1; REVERSE_PROXY_TRUSTED_PROXIES = "*"; - INTERNAL_TOKEN = "ref+sops://secrets/sops.yaml#/forgejo/internalToken"; + INTERNAL_TOKEN = "ref+sops://secrets/kubernetes.yaml#/forgejo/internalToken"; PASSWORD_HASH_ALGO = "pbkdf2"; }; diff --git a/kubenix-modules/freshrss.nix b/kubenix-modules/freshrss.nix index 93e00d4..6567b36 100644 
--- a/kubenix-modules/freshrss.nix +++ b/kubenix-modules/freshrss.nix @@ -7,7 +7,7 @@ PUBLISHED_PORT = "443"; }; - secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/sops.yaml#/freshrss/password"; + secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/kubernetes.yaml#/freshrss/password"; deployments.freshrss = { metadata.labels.app = "freshrss"; diff --git a/kubenix-modules/hedgedoc.nix b/kubenix-modules/hedgedoc.nix index b2dd4a9..2ee7e30 100644 --- a/kubenix-modules/hedgedoc.nix +++ b/kubenix-modules/hedgedoc.nix @@ -18,14 +18,14 @@ hedgedoc-db-env.data = { POSTGRES_DB = "hedgedoc"; POSTGRES_USER = "hedgedoc"; - POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/hedgedoc/databasePassword"; + POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databasePassword"; PGDATA = "/pgdata/data"; }; }; secrets.hedgedoc.stringData = { - databaseURL = "ref+sops://secrets/sops.yaml#/hedgedoc/databaseURL"; - sessionSecret = "ref+sops://secrets/sops.yaml#/hedgedoc/sessionSecret"; + databaseURL = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databaseURL"; + sessionSecret = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/sessionSecret"; }; deployments = { diff --git a/kubenix-modules/kitchenowl.nix b/kubenix-modules/kitchenowl.nix index 76e0549..c65ae29 100644 --- a/kubenix-modules/kitchenowl.nix +++ b/kubenix-modules/kitchenowl.nix @@ -1,6 +1,6 @@ { kubernetes.resources = { - secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/sops.yaml#/kitchenowl/jwtSecretKey"; + secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/kubernetes.yaml#/kitchenowl/jwtSecretKey"; deployments.kitchenowl = { metadata.labels.app = "kitchenowl"; diff --git a/kubenix-modules/nextcloud.nix b/kubenix-modules/nextcloud.nix index 5ebc81d..13fbe2b 100644 --- a/kubenix-modules/nextcloud.nix +++ b/kubenix-modules/nextcloud.nix 
@@ -10,12 +10,12 @@ nextcloud-db-env.data = { POSTGRES_DB = "nextcloud"; POSTGRES_USER = "nextcloud"; - POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword"; + POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/nextcloud/databasePassword"; PGDATA = "/pgdata/data"; }; }; - secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword"; + secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/kubernetes.yaml#/nextcloud/databasePassword"; deployments = { nextcloud = { diff --git a/kubenix-modules/paperless.nix b/kubenix-modules/paperless.nix index edaf0eb..52f3989 100644 --- a/kubenix-modules/paperless.nix +++ b/kubenix-modules/paperless.nix @@ -20,14 +20,14 @@ paperless-db-env.data = { POSTGRES_DB = "paperless"; POSTGRES_USER = "paperless"; - POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/paperless/databasePassword"; + POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/paperless/databasePassword"; PGDATA = "/pgdata/data"; }; }; secrets.paperless.stringData = { - databasePassword = "ref+sops://secrets/sops.yaml#/paperless/databasePassword"; - secretKey = "ref+sops://secrets/sops.yaml#/paperless/secretKey"; + databasePassword = "ref+sops://secrets/kubernetes.yaml#/paperless/databasePassword"; + secretKey = "ref+sops://secrets/kubernetes.yaml#/paperless/secretKey"; }; deployments = { diff --git a/kubenix-modules/pihole.nix b/kubenix-modules/pihole.nix index 51031b1..3a61246 100644 --- a/kubenix-modules/pihole.nix +++ b/kubenix-modules/pihole.nix @@ -5,7 +5,7 @@ PIHOLE_DNS_ = "192.168.30.1"; }; - secrets.pihole.stringData.webPassword = "ref+sops://secrets/sops.yaml#/pihole/password"; + secrets.pihole.stringData.webPassword = "ref+sops://secrets/kubernetes.yaml#/pihole/password"; deployments.pihole = { metadata.labels.app = "pihole"; diff --git a/nixos-modules/backups.nix b/nixos-modules/backups.nix index 447cb43..bf1c9a5 100644 --- a/nixos-modules/backups.nix 
+++ b/nixos-modules/backups.nix
@@ -1,4 +1,4 @@
-{ self, pkgs, lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
 cfg = config.lab.backups;
@@ -19,12 +19,12 @@ let
 }
 ];
- ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."borgbase.pem".path} -o StrictHostKeychecking=no";
+ ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
 keep_daily = 7;
 keep_weekly = 4;
 keep_monthly = 12;
 keep_yearly = -1;
- encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg_passphrase".path}";
+ encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/borgPassphrase".path}";
 };
 };
 in
@@ -67,7 +67,7 @@ in
 IOWeight = 100;
 Restart = "no";
 LogRateLimitIntervalSec = 0;
- Environment = "BORG_PASSPHRASE_FILE=${config.age.secrets."borg_passphrase".path}";
+ Environment = "BORG_PASSPHRASE_FILE=${config.sops.secrets."borg/borgPassphrase".path}";
 };
 script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
@@ -83,9 +83,9 @@ in
 };
 };
- age.secrets = {
- "borg_passphrase".file = "${self}/secrets/borg_passphrase.age";
- "borgbase.pem".file = "${self}/secrets/borgbase.pem.age";
+ sops.secrets = {
+ "borg/borgPassphrase" = { };
+ "borg/borgbasePrivateKey" = { };
 };
 };
 }
diff --git a/nixos-modules/k3s/default.nix b/nixos-modules/k3s/default.nix
index c014a02..91ed160 100644
--- a/nixos-modules/k3s/default.nix
+++ b/nixos-modules/k3s/default.nix
@@ -1,4 +1,4 @@
-{ self, inputs, pkgs, lib, config, ... }:
+{ inputs, pkgs, lib, config, ... }:
 let cfg = config.lab.k3s;
 in {
 options.lab.k3s = {
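Review bot: The rewritten `ssh_command` still carries `-o StrictHostKeychecking=no` (ssh accepts the odd capitalisation, option names are case-insensitive), so the backup transport accepts whatever host key the borgbase endpoint presents and an impostor host could receive the borg session; the repository passphrase protects archive contents, but host-key verification is what stops that impersonation in the first place. Since the line is being touched, pinning the remote's key through `programs.ssh.knownHosts` (or an `-o UserKnownHostsFile=` pointing at a declared file) and dropping the `no` is the right moment. The new `"borg/borgPassphrase" = { };` and `"borg/borgbasePrivateKey" = { };` entries rely on sops-nix defaults (presumably root-owned, mode 0400); a one-line comment such as `# Defaults: root-owned, 0400; readable because the borgmatic unit runs as root.` would record the assumption the `ssh -i` and `cat` lines depend on.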
@@ -56,7 +56,7 @@ in {
 {
 enable = true;
 role = cfg.role;
- tokenFile = config.age.secrets.k3s-server-token.path;
+ tokenFile = config.sops.secrets."k3s/serverToken".path;
 extraFlags = lib.mkIf (cfg.role == "server") serverFlags;
 clusterInit = cfg.clusterInit;
 serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr;
@@ -101,38 +101,18 @@ in {
 };
 };
- age.secrets = {
- k3s-server-token.file = "${self}/secrets/k3s-server-token.age";
-
- k3s-server-ca-key = lib.mkIf (cfg.role == "server") {
- file = "${self}/secrets/k3s-ca/server-ca.key.age";
- path = "/var/lib/rancher/k3s/server/tls/server-ca.key";
+ sops.secrets =
+ let
+ keyPathBase = "/var/lib/rancher/k3s/server/tls";
+ in
+ {
+ "k3s/serverToken" = { };
+ "k3s/keys/clientCAKey".path = "${keyPathBase}/client-ca.key";
+ "k3s/keys/requestHeaderCAKey".path = "${keyPathBase}/request-header-ca.key";
+ "k3s/keys/serverCAKey".path = "${keyPathBase}/server-ca.key";
+ "k3s/keys/serviceKey".path = "${keyPathBase}/service.key";
+ "k3s/keys/etcd/peerCAKey".path = "${keyPathBase}/etcd/peer-ca.key";
+ "k3s/keys/etcd/serverCAKey".path = "${keyPathBase}/etcd/server-ca.key";
 };
-
- k3s-client-ca-key = lib.mkIf (cfg.role == "server") {
- file = "${self}/secrets/k3s-ca/client-ca.key.age";
- path = "/var/lib/rancher/k3s/server/tls/client-ca.key";
- };
-
- k3s-request-header-ca-key = lib.mkIf (cfg.role == "server") {
- file = "${self}/secrets/k3s-ca/request-header-ca.key.age";
- path = "/var/lib/rancher/k3s/server/tls/request-header-ca.key";
- };
-
- k3s-etcd-peer-ca-key = lib.mkIf (cfg.role == "server") {
- file = "${self}/secrets/k3s-ca/etcd/peer-ca.key.age";
- path = "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.key";
- };
-
- k3s-etcd-server-ca-key = lib.mkIf (cfg.role == "server") {
- file = "${self}/secrets/k3s-ca/etcd/server-ca.key.age";
- path = "/var/lib/rancher/k3s/server/tls/etcd/server-ca.key";
- };
-
- k3s-service-key = lib.mkIf (cfg.role == "server") {
- file = "${self}/secrets/k3s-ca/service.key.age";
- path = "/var/lib/rancher/k3s/server/tls/service.key";
- };
- };
 };
 }
diff --git a/secrets/README.md b/secrets/README.md
deleted file mode 100644
index ef3c05b..0000000
--- a/secrets/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-To create a secret:
-
-```bash
-nix run github:ryantm/agenix# -- -e secret.age
-``
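Review bot: The `lib.mkIf (cfg.role == "server")` guard that each removed CA-key declaration carried is absent from the new `sops.secrets` set, so every host importing this module, agents included, now decrypts the cluster's client, server, request-header and etcd CA private keys plus the service key and writes them under `/var/lib/rancher/k3s/server/tls`; agents never needed those files, and an agent holding them can mint credentials for the whole cluster if it is compromised. Only `"k3s/serverToken"` should stay unconditional, since agents join with it. `lib.mkIf` is curried, so a small local helper restores the old per-entry guard without changing any path; the enclosing `config` attribute set starts before this hunk.
```nix
sops.secrets =
  let
    keyPathBase = "/var/lib/rancher/k3s/server/tls";
    # CA and service private keys belong on the server role only; agents must not receive them.
    serverOnly = lib.mkIf (cfg.role == "server");
  in
  {
    "k3s/serverToken" = { };
    "k3s/keys/clientCAKey" = serverOnly { path = "${keyPathBase}/client-ca.key"; };
    "k3s/keys/requestHeaderCAKey" = serverOnly { path = "${keyPathBase}/request-header-ca.key"; };
    "k3s/keys/serverCAKey" = serverOnly { path = "${keyPathBase}/server-ca.key"; };
    "k3s/keys/serviceKey" = serverOnly { path = "${keyPathBase}/service.key"; };
    "k3s/keys/etcd/peerCAKey" = serverOnly { path = "${keyPathBase}/etcd/peer-ca.key"; };
    "k3s/keys/etcd/serverCAKey" = serverOnly { path = "${keyPathBase}/etcd/server-ca.key"; };
  };
```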
diff --git a/secrets/borg_passphrase.age b/secrets/borg_passphrase.age deleted file mode 100644 index 62a547f..0000000 --- a/secrets/borg_passphrase.age +++ /dev/null @@ -1,15 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 UwNSRQ Lr6HfHB1pQVAVESUkR1a1ie8o9cTtCa0LA4y20UvfRU -8X+VZUfk2oRrM+A4pZC/6yyexo2Kr8MO7isiXPsnOJk --> ssh-ed25519 JJ7S4A fngT1OkV0pfig7UZ4vA8CWFDWc//xn2KWRsk1+EI0Ac -9J+I87tFasCug4rVaXJKNKzxr450YtZUypSTmwf/r7g --> ssh-ed25519 aqswPA I/RtBp+6CgMOPs41nbd8CqBgpgch8ixRGbzacXSDKRE -adBD/lskyXK/QU+v/OlQ1wQK7PkhALpdxgHUc1i+jcU --> ssh-ed25519 LAPUww JtDnT4+NqLMBc+LpQSh0eQnSyXzJOHHbaZFNQmxIdC0 -/DjWq9XUAH3xZvU1PlB7Q70LQ0x9SRMmaSYQ+DyQZEM --> ssh-ed25519 vBZj5g 4YBFh5e32ZHr8byvd4vbZ9zljHO4FTrJGhsZiH//KVw -iA+foYHtgt2PjBG9yfBWNLeygiIbW3MsbUQdVWgyrno --> ssh-ed25519 QP0PgA urlidySF5ZG9ILjdPuJPX6V/aDIAYzwBVd+XopDF5UA -NL/RxiKPRn+uZW37jJKLOHCaktuvzm0SIwcMmBgF5CY ---- aeaUWpBxSTjrcDDQa6Zk2dcdvhsdqs22JlvkduILpqE -噧Q )7btu+Ձ=MlMzs8 a \ No newline at end of file diff --git a/secrets/borgbase.pem.age b/secrets/borgbase.pem.age deleted file mode 100644 index 9aa5f82..0000000 Binary files a/secrets/borgbase.pem.age and /dev/null differ diff --git a/secrets/k3s-ca/client-ca.key.age b/secrets/k3s-ca/client-ca.key.age deleted file mode 100644 index 4c672ca..0000000 Binary files a/secrets/k3s-ca/client-ca.key.age and /dev/null differ diff --git a/secrets/k3s-ca/etcd/peer-ca.key.age b/secrets/k3s-ca/etcd/peer-ca.key.age deleted file mode 100644 index d67f9bf..0000000 --- a/secrets/k3s-ca/etcd/peer-ca.key.age +++ /dev/null 
@@ -1,17 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 UwNSRQ 7VPm9hUzbKELjQBUfKKinUdOAUbNzY2pZp9ihry9sFU -ZPkr54gFnXE9b80OKX9NPk4DWmyRTKkcJH0C+6lLJZE --> ssh-ed25519 JJ7S4A 2TVdz1v5NBqCfPD3LzUdQsQ3ubsdJGSHwVKjj7NNpxE -uO4sRxj8RVqUQXRDlT0ZI4LxFx9MHaAWMrf9WYOZIas --> ssh-ed25519 aqswPA V+3scofJU1OnxJI9+ryPixGiD3Z1srePETEzUZ4zfAY -QoKHxyKr5XXxgJJeoJycShOqHowt/OkaYJOm8nXXeM8 --> ssh-ed25519 LAPUww V919z6/H/pC5smjiq1d8/7Q+QvbXcbfRKAfjiBugoSw -9urrVRscuLY6cKsfZKBdVcDdpPfex8sDHuEdH/EtujU --> ssh-ed25519 vBZj5g v7Pkzi9F2fc9++OsVfou2j60R2iq1ZfOCr/SfFVIvkQ -bknegfUOmc1G8PDcskOCS88OGa60B3t4R2ty7Rdt/mM --> ssh-ed25519 QP0PgA psOkHWvCkdQOpPHYJ/dpDZ/TlZhArARHT9PzsXLV9WU -EHfX0VdHJdm/0iqRfkYxmqmSqrwwgb3irBhDZPvjl3M ---- ekq08T+kFXk/v4//f8xSvqdumAFxd0jMnzUqMn180hs -͋*}`0",[vbuG_p\a#$gVq3/P3n @Bo;CmKp -#,I2_cݲʁTᇀd-`!p!}_ae"?Tjjܩ]ɔ"&"L3~= c8C ,1ܽm Bt -+D F \}I>"=alr -CU +d v \ No newline at end of file diff --git a/secrets/k3s-ca/etcd/server-ca.key.age b/secrets/k3s-ca/etcd/server-ca.key.age deleted file mode 100644 index 8684d17..0000000 --- a/secrets/k3s-ca/etcd/server-ca.key.age +++ /dev/null @@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 UwNSRQ W6uEvGJIdlkC0or4dyFcK+ytKeEiwIJB1bebPLTERDA -uzMxRth4KMhqsQYhw2tWyqBeQdCbTgbBegHrkcuHI9o --> ssh-ed25519 JJ7S4A bw+MlxnWLuLecMuqMTrJl2TMXyXhqEWCpKFwsPgkgnw -zwWm3Fq9Q+mR+9rVaSzVO3i7qgPgWsv25ClCW1c0G8M --> ssh-ed25519 aqswPA ZIgGWu33QpKdUfPtlIHs9BeCurnk6pm+2XLi53RBFwc -wN8Qmo9CCqVTa+y6zcYiZYbslgTOtVMUjCCUVT0W7WA --> ssh-ed25519 LAPUww npNhPTPq8kfN2vgouVJZ5NXARHBD02L1CJHmas4ilAI -nTpXsq5BgfikRJUglFGjP9GoRIswyHZp6R7KxZhH/uc --> ssh-ed25519 vBZj5g JOUeBxwM5Qcz/YoeYCPM9dmkWp130Ze0E2n8qdsQzzo -1SL0HH+u48cDojytjSxRHXKo1sgil7EZYBLpQAOuzPI --> ssh-ed25519 QP0PgA /bQtDDcVg8DzFdgFkEDPzBTD02OYTC2Pe+WuEmP9j2A -IRUPa8tityX/FVKJKpcKWMtVvwRzFWueuvBIhlqcSv0 ---- DltN2dAJoEDuU6Ub6J7BZY84TjZfHGVN9P2SnoHrE7Q -q\!j> 3+4< -7adbт _.c(>5-3jwExHh;,hK*ȼmb*]Mmw~g{ʼn߀ZrVkfRXG% 1^?Y@1ڍ7*0߈d¸…2߯URG~:^X㎋5c8\t!,Ӫ \ No newline at end of file 
diff --git a/secrets/k3s-ca/request-header-ca.key.age b/secrets/k3s-ca/request-header-ca.key.age deleted file mode 100644 index 5740717..0000000 Binary files a/secrets/k3s-ca/request-header-ca.key.age and /dev/null differ diff --git a/secrets/k3s-ca/server-ca.key.age b/secrets/k3s-ca/server-ca.key.age deleted file mode 100644 index e4ed332..0000000 Binary files a/secrets/k3s-ca/server-ca.key.age and /dev/null differ diff --git a/secrets/k3s-ca/service.key.age b/secrets/k3s-ca/service.key.age deleted file mode 100644 index 190851b..0000000 Binary files a/secrets/k3s-ca/service.key.age and /dev/null differ diff --git a/secrets/k3s-server-token.age b/secrets/k3s-server-token.age deleted file mode 100644 index 823c720..0000000 --- a/secrets/k3s-server-token.age +++ /dev/null @@ -1,15 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 UwNSRQ /B3zuCTP4RhYNPfmErYcFxkL4PrUWs92Q0KGTFTe33g -ar6/o3O1AQFYHBbvs7U9wm5JBXG8suk29Ul56uC39Ok --> ssh-ed25519 JJ7S4A hJpjR4TFVOHCASfRosTa0oQSr4Q2HjD54Pv1LLY8u1Y -ughx4kBl8IwoEnrpC1Q1P1VZVDxb7BwX32F5JULBz78 --> ssh-ed25519 aqswPA Kyen24puaGTH9Qx11QtZrJrpIiRLh3GR89u8DOxHhTQ -n+RSyHbWLLA6YxWwtsBkwxZePCGZtd0k1DTlXy0rOt8 --> ssh-ed25519 LAPUww 9WvReHxes3jeagSidtztlb06gEKzWbXaSm/wxdcVWGc -4hOVE30jlFUjzXZngJMlyOvW4rK6kAFTZgceyw49DsE --> ssh-ed25519 vBZj5g Iy2k/NumAyRy2lgv8NFVd7PW1kAgY/HtUAA0DpbY/Xw -jfNr7QiXqTE/jfEOZFEhct7qfKbLYxIAnzPupIfxnnY --> ssh-ed25519 QP0PgA dFlkBqcgmXd7GnpoI1X4ezDDYuqKtSG8VbUB08As2k8 -+KlOiHi+vi0RntHTbdOWzp2lRWdd4SpTU/4dCs51qBU ---- BapxmCnFven9QR0bZDuYWk+lM/2U4AVWQYZsGKRI/W0 -DFy{j2h4ryʼ9Ņo"VJN3ÓO͡a s0 \ No newline at end of file diff --git a/secrets/kubernetes.yaml b/secrets/kubernetes.yaml new file mode 100644 index 0000000..1b4449b --- /dev/null +++ b/secrets/kubernetes.yaml 
@@ -0,0 +1,54 @@ +freshrss: + password: ENC[AES256_GCM,data:LDLp7cEToWA7zpd5UK+eBUHDaSEtNpFjI7C0LRE+72n0Vu1saPOdSQ==,iv:OEJDcFZwxGJ9vVD1lH7QY5Ue4Kfmx37v9kSEbI0YvRI=,tag:gIyquRc9t+GOOre8MKWxHQ==,type:str] +pihole: + password: ENC[AES256_GCM,data:yqPpovQKmP7NgUMI3w1p8t7RjbxNsMMHZbsNEaleyLJTqnDzNqONsQ==,iv:i+ys/EZelT4a4Sr0RpDto8udk/9yYC6pzl3FiUZQxrQ=,tag:FlvbMN6fuo+VV50YyuMeGg==,type:str] +hedgedoc: + databaseURL: ENC[AES256_GCM,data:dmaXh8wnECBOeEtM00Nc6kpVc3NiJbP5gepToAxLrpmpEEH1vs5SdE90Z3+T3qeXrsTQVr/Q6EOocNKMsTe1pcZoEirECk0dwZ3k6s/bUmUJdZgOf0ir6Iy5J8RZYvJz3AnwuFIsIJ79x0+WfEfACQ==,iv:C7D1zY/vu4zc687XA2mwuYEOFtSFDV+/po4tyNw3ks8=,tag:GQGj4TbP7Mcrm+auuaplnw==,type:str] + sessionSecret: ENC[AES256_GCM,data:FhYr4rFNHmtk9jUcjM4UthepS/5Z4x7WPAE5lTB94WmHrALbzZl2M3JcmibR6/z1FtAJhCsaPZ7Xeg8nOZtU2g==,iv:7soqcd8A+yNfXEZg0qDjOZgfsUIFHfflxByuf7nZk3Y=,tag:x/rmaXo4nTdA080Zl/0MiQ==,type:str] + databasePassword: ENC[AES256_GCM,data:Fv1qeGvXZ93KvdFCCz9t9Dzhe7wKGOfR0lj64lzRM3s48E5FYdrH0w==,iv:cqhIOUKiSSkBpf95Eza9C9l8PX6YmTBpvBAR4+ibgeA=,tag:r8ZvF6l8oNeOt3d5UCA7Ww==,type:str] +nextcloud: + databasePassword: ENC[AES256_GCM,data:Xz0zUpu/W12Io1LSh5CLvGkq1X6yQErz4kdCdTyNZTw=,iv:OkY1fGzHmmbO9u+e9yNlLjJf8dqQtePTj9ifaDBFJ4g=,tag:S8/z9HJTPCZo43wAB5fWpA==,type:str] +paperless: + databasePassword: ENC[AES256_GCM,data:eF4+lxuTnvm+NYwZiU1VFp8Y2JQ=,iv:c36Rk2pEkiqXkLngpyZNulObxek+evvfeugYiBYJrBo=,tag:T0uArgOkJYCvCgmdJauhIg==,type:str] + secretKey: ENC[AES256_GCM,data:ByJpX/tIyzb4fewUOI9MwFBVHkc=,iv:08GvsSOI1OkckH01nzmsyhGoQYl82vyWIDEjrNUQUgk=,tag:YgVY0C7XmlQYw+Aup5LIPw==,type:str] +kitchenowl: + jwtSecretKey: ENC[AES256_GCM,data:9TyqeYlfhvhVg4WOn++/wrqguTM=,iv:+EgGaZxeI+npq5VAX7MHRDYQm8uRcKa8+u2wkn/dwr4=,tag:ATIuPdZQwuDQ+R8nVWWWIA==,type:str] +forgejo: + lfsJwtSecret: ENC[AES256_GCM,data:VWyUDUKZ6km0YPZLejnISBI3wkmOi26CS55NZm+eWbiymGDN9Z9xUQ4FTA==,iv:gGhNGtEEOJnsmq9GMIAImkVOPWMwYq+kDQeWoHVU860=,tag:63z/7PJKI0ePXbJ94radpw==,type:str] + internalToken: 
ENC[AES256_GCM,data:nKLE/Ir8Ewm3GuRzUNZZTShnMMx6avxYu40PvMEti14Be0YmQhJ0IZruRdpktyW1Jj4n5ksXhk+qsO/vEIzQaJmPU1RxN6vsGGk6EBIwMP0kuUNmp25lPefafoJvxoQpXdJvkLy8f8MC,iv:dUki8hCTOF1O5fmwDqZAkaE1OCH3IL/SFPBDSJ/GMiU=,tag:HUpkVqJg53H8uEmHFqJ7+w==,type:str] +attic: + jwtToken: ENC[AES256_GCM,data:nAuryLY1xD9ur3qDcsJXPJPLFcPwssPKv+/BoivZ4aO6ec6rmOaYAkSRsBjgANyKhssbn0fhGsdyhMBwdHTXDnnIo67amFdxxSe+jJlGtcBXcekaOfD0Ug==,iv:h+h7CD8oI8u2ItzD/KKM16FKaG2xuVqIKh4r1TGjYtw=,tag:Er141FCK8usfzRRtrawHOw==,type:str] + databaseURL: ENC[AES256_GCM,data:F2XyCgXRuebQgvkHGz8DVM2z53sC0/8GzVN6P6iJjrVxB522BJnGlw0YdFBg5K9xMWRhuzxRgDJ+ySfIb8HTtFvlF8Ifx41vFZV1zSpmDMzo4/0=,iv:wp3sg+Y9kgGH5GZZDxAE2CpzDvJeV1mH8mfHRPB17Ys=,tag:IhGRIq/qPT0vSbv/L1ODYg==,type:str] + databasePassword: ENC[AES256_GCM,data:Zwv5DKkihOUU/yL1tvbZl1+bPtI=,iv:C+6n6RHo1zTUJ/g0DWCWNxtLbusoYmDHMySsea5Jpz0=,tag:+pyw0WqnX5rMQxSl/48L5A==,type:str] +atuin: + databaseURL: ENC[AES256_GCM,data:IBmND/J2Pzz+CDCeNBRtErxSQIi8PeUuLGN4rIXKSLwZ6TGJKcNmbuxQDvWkCnI1crx3oak=,iv:wc3G/00oIuaiGF4mA2vIm35wFGxT0a3Ox3k1C9YBAx4=,tag:MQPcsR+vrD85DttYYi6jUw==,type:str] + databasePassword: ENC[AES256_GCM,data:qfWOmFfBOuguOfb1Z51F527ic3o=,iv:4Yx5rpzZHzRlfvZydcBNFRStEO0P4uIcjDqxgRgQmHE=,tag:pbJXcUdvul7nCrXQ9ylAdQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYnNhbmtEQlpEYUV6Vklo + S1NKZkJ0ZGhOdHA3Y1lmUUUzTzh2Q1IxSUNnClZLdnJtUGNZTVUxZ0ozd1FDT0tL + VVhhcVJEaThjNWlUMGlxcG5VOVMwYjQKLS0tIGhJdHBVdnpZNzE0QmdRQzViVGpM + UGI4V2U1Ri9md3RHUVpvbFdtQ0NCNDQKl5QEg2FTMz6oTPF5s8pItduVJLPyLben + B/7KYQd6blJfM7mhF6eUQ61AWehvtzUhIPf57ZhFjpKj+Vzho4Bumw== + -----END AGE ENCRYPTED FILE----- + - recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ckF3dzArMTBrYnNjZmJo + 
MzV5NDJoNWpEQmo2TXFzUmdQUUlpa1dIblNZCkhGSklTYVdCa1hJOUoyeDUyc29L + Q05DVEY4M2QxOThXNTJjcTBWNkRQVHMKLS0tIHdyVS9zR1VzQzdTUXJFSlFObWpT + aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP + Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-15T18:55:03Z" + mac: ENC[AES256_GCM,data:THDaTY91n6nTZoDFzSOL+6m0gi+jthNJsjr8sqDO9dRyuezuMj2cJcmfZQZrhxsXIeyr+yHkCxNuqvhpVkH1k/rfQQXbOLXAfdioJepTqr/6zjMy7lr/AoBgzNlcwicE8YVevO34BNE83QqfN3GfPdDfNlE0sku9k2Eda3W61SU=,iv:VI+7Kvf3p6J3l+XAFaadplNWl6t0Xqxoy5q/1zbvp0A=,tag:JeVv8d1GXxPKfdJZ4nbGRQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/nixos.yaml b/secrets/nixos.yaml new file mode 100644 index 0000000..6386cd8 --- /dev/null +++ b/secrets/nixos.yaml 
@@ -0,0 +1,78 @@ +borg: + borgPassphrase: ENC[AES256_GCM,data:2E2xAc8jXPFigFW1WBh3HT1GNGk=,iv:5V05CIk5XRui7jBJ+taNl1I7tnL4y70CgZqm4ZnvF0E=,tag:MfM0uFHnrmwR+H42JGvYRA==,type:str] + borgbasePrivateKey: ENC[AES256_GCM,data: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,iv:SjtP3Wr1Gjou2PyqDQTVYmSY1/Za5P5Cv8/vjVg5JA0=,tag:UiE/oN2PZv7d/ZXeTjHsPg==,type:str] +k3s: + serverToken: ENC[AES256_GCM,data:1mPpDIldl1sIklhBW8SAUZr8an/+mwgf9sMUHR/4878=,iv:DFmDtZd1P/uVOEcb68d02nAGUHdKG3vqCYr/1OTP5/8=,tag:HhPmAoHTGdWcNKhJ4/BVMA==,type:str] + keys: + clientCAKey: ENC[AES256_GCM,data:YY7aj/JrsHApgKFUNJuxfjj5VzrArPp4X81csyyQn0ludjodYepGlcP6Ib5sCQFU82IZiVjKjmZM5i+CgoimlHESbbtcl0Na5jHOU9LINLTHbzOiXLYAkZtYEWBAY3cemJWjRAo+yhCZWo5tigGlkTaA9C77tUIsiwjgQNbXub47ldBLJctT9wKVZRnzkrvlqzA2W0OD9+zxIgq3gggiHQ/UT1Fl22NHArsz2/IiivQnpr0yLbM8OLHeeNY6lJHWkGFXFQBSLV//6uZUUpJROjt4on5F8PgtACD0yiRdRhM9ZjU=,iv:7uUgkXMm5K9440lYcDvZubtABiO7LHUU5xGyw+lzKGA=,tag:r+h6siwma6uKAqPgQ2iyBQ==,type:str] + requestHeaderCAKey: ENC[AES256_GCM,data:sMh5HsC9ufcZUF0WyVxMM3Q6iOK9wS4jqA8xXWYquFMOMtb0KS3SBVG3lehtO+I+VO+Gc+uX5eMue3bHTS4o4TreUGk4huKJHxfLpEu/4nzYim4lk+CzVGxIze8mC589JUmruAjsqkexeJWAoxvmfdMSi9mCxMk+giHrQktgtI9kZG99cIPfvbOz9GQdmnGpCdxD+030xY4o8tXS/d3AtvhmNFhpUV9IIe0r45UV5mm0gdZpamtCjvnvJsplhFvy1A/M0t4D0ivA5vYjAWUmbF1564fN/ht8GIMRWL3AE7k1ZA8=,iv:WqGFtIbpXsz5p9xdA534qQph6FEv9CZUV2jzSPE62qI=,tag:H7gbGmhr9kekkO+pNHwiaA==,type:str] + serverCAKey: ENC[AES256_GCM,data:peD8JY2dx/RBq+YgR2AomIdXj3MNoQKoZ0rUEKQU7DUEkVBWgEcz8tflTMsk9kqfhb0ZIqLYbmTBux161QSbSOZGelv17ZT5CzVIRWSHAVw2SoDkD1m3GhRJS4JcKhVObiaJZ4JAbDsdnk5YdSGgQqq2vzfYvKrXtvZfmq36YvLhbSJkf97Pe1GRVmJx7pP0jd+sz0+iKYwKsnIfYC5QnwK0NtXxIS+G3ewoxh3t9m6OFgLwJ1Xxl6e+Bsh51OEqybwDX2UnhzTsayMJoito5iiUfEpSaNj1jdbwueZA6bLBti4=,iv:wy2mITK5CCqjrjQl+rOo2OPCR5RCpbuME79WYGDROMg=,tag:DFhx2FArTBxDN4BSRM/+NA==,type:str] + serviceKey: 
ENC[AES256_GCM,data:ycEIVjeyRw0EQBQhMZQJQHdmwZgTTv6x2PzUv6RYCaANlNlWff/RkCLj8lXncDvY5JJrNXRtJ/gmZFPZvMQqtaE9vDLsnN/QpHN6CVe08oeRSKGyn8fz2RB7faEq0AM4NBmo17G6faG67sjWFkT7+nxkpn6Vw0waC0QDNaw/dUmDVmR2zRxrsg0JgBc8DJ50b5yZVQpM2r1alm2/4oL/jyst9Kig0WpD0JmpkBPor/fVb7xCHqb0Yr2pw6Ue1E19ngCqHr3xcjKschXmj5fCnYbDjA9BbTzOcsOGIOeGmb6R/4k4z1VwVAvzdmyRQhjCoSEb8o3YIOOJDTYM8KeFavF8SxXiVpF5Cgc9jK8SDwglc4whlekPV7Z7tQbV15R4s5vQ5oHJRS6J8yBIhkvIx5gxvgL+H0fiqMGlmJHvAvKCpz1KyDiazznNkmnFgXYxk48x5VAROrmTRNrSQROhRd2aREUOYtVudxYBRc+sWeDr0rd5ZT3pWlwp3YV9pyjJc0QQa43jREIe3D2rE1FVMdEJMo1NRZetaSb4/bo8Q2n5piaGppS+bwFn7RkcKZPAxy0JzmrYCV7wfjU8kTeX1JRFPuNsIwuaimAtv3hQ5sSmBUsX2Ot8zdVJXZaZc1vp6JeY4AW8BGFNnOuWBX5dElfkrmf1MxXpc6qT6jowJ/PdaMD2EMzD9rUz3tpTEZgEr1QwAzuiurA7lZp4B8vaIJeRhi8x7Y8BvWXz97d8j6Jxfnjkcgg9ub0Db4Qm2plhGn4LcCwaWEAcmvFs0MC5WBXDfKB/LCglshUTFBxBAmLkAl0B8pHaoZeIsn/OGoN3iieL16PjriudvjmFTY6l3GOquV/X3+L+mq+swFYpxJjub7cEWGvZwDA0Mvz+5f9WMyoJOuD4Mj+QBe+GgyK/8Ujk0Dqg9AoldN5DOvhqEjcnl80XaxgSNWVv7/cPTTrKBN+pY7A+Cpi0vnGbqIcp1NAelp8RJSnTeYEckokJjKvSFZPPxgdJOMHajBdm56SX/4LHl/ZS5AVaJaaBxnYWbkylJzQ0hcMCoxbvs0WDTAMdo1YqU9E03UG5G+Z2KzcE4+XINWMqfAECehwiJk77fUqMzdb7/UxGr9k71Y7aWlZGP3qJAq8UDa6eZ9jnD2zWirkfdGAo9c341Ul55yrdFufKkL215zPFkhvZaA0+0XvcFk6V2nnpzNgXCklnP1okz8M1jASuX1To+uQ4AzYUAWGJp87lITCm7RzTGvMDe8SMEmWfU2JF7GoErY7nvdmKiyK/lCX2WCrSuW1z4jzFfSYEhYCwTt4uSSrbWjedILt8W9Yt/HFubkHsJh5q1SXnOG9hCy0dXL1ch1oIZXPX0+s+4215m2cYljvq+kwGnYrlYyhXoJzS1VOVyS4mM6mCr9+SyffZxTS5SmEuIh4EEcWKFazsWZxAZXzum5167EQ4pKPGc71jZNN+mksjHKuayTtqZPycNBwzWpx3SGSfLgPjFMMMJCgcYjKCLdxk6g8VHaww8TESxux0XgXwVIHb76KU9OYv/crqZ6Gk/2RPOnImNDjOcaKHTQEyTDwO7P9NPYWl3KqG/pPk4pF0Acq2B4NuQRPzsnJTG0azs4JXCGc6FFYKK2wwl9eOGQy70owL95d/MU37CI6sFKuIxh2fdfsO0cJmAAcsL2RVylMlvbHIq0xggZrkYpfZklSifyGEcVkuiAJa91HEaFvARX6Zt6WJXUdiT4TDdo8xC8Yy8y0zlIEQ83NPK3iPsq7bDkgDff8UJHo0sBuH5Y/7DaX09c3CmavOF/Ca+xdd7hokc4GzaxOWbqtECA6DWoQoJb2VvJiXdk4/kRwJsCZIMXX2HLXdBOkd7PnPv7p5xqsbVfzm2CuVr0Fl9O+mpQ4Ng2oyLrKgEELV/+hh8E1qoBmfxCBMLPrWuNc6Jp7ujamoKTNO7i6M1HsUoll7elhfNq8MqoVDBK8QXeO0GTF8
vxAlJJ0QOJBWxggan80PJrW1c/WHpW1tD+nMZREwh2B4a4O/Kp5NJMnHNmp/pUNv+ppIKi1yJiAOcVEpFfeSNjonFp5JJ/jAsyN15E523ca170kH5MsDtZ+zQn0R82HqPAo0/nLUWsMdVo56pjmlDXscOpHtMYVFFgv9+GgcPeBpA5DZoc3sRzgb0c78Ywbn7GyADmKS7HinbH/IKRxJPkE/AfckVjeVr4yaXuZLyLi/Yzbh+YARpchMeoyTN2VeSiI=,iv:MBDrQGZzl2VS7WqDe+QzTAIXq68KRTSk/8LzaOCd1PE=,tag:WNmxFqsvmjPILaKoBiqIfA==,type:str] + etcd: + peerCAKey: ENC[AES256_GCM,data:hr/Q9UqzA5IKK4o+mxyYQyXjTl1/guRLcjeBBaErxlvtQ0QarNWBMV0SuekCTiv0aGEUiXrY4u/39n6/VdVsxCdCDFDSuEJE5iEklpReKkW0gIvW3wIk98PC8xhNKjwRNnPwgE6TmOi8RSR9jdL9A3VKUXXo4XDkKPWrK6yHOJHKWgGOKX8+TP8HHwGGG6JvcMgOfbLJIvstsB9C17bOHt0KNaPKIpGN3gRkY7rJE/ORIJaOFxQB9WrcmweB2B7K3tlnVyLsY/wZsturZDJtK4CtVPEba7jXlpI4xnr0EANhRxs=,iv:gy8/RAxOxMrzFbPynQw1iDbXYEM4iYXJ+OfvQE9MAfU=,tag:vlnfHLzOm9ztsnaSIbL14w==,type:str] + serverCAKey: ENC[AES256_GCM,data:bn4BLlUSOHBOzjxO7oCmnWY3+yc/+J149QFfHOxrrFFblCkY3MEtXg9ogFsU+CYhZg6HZtOiecbo3V1fTe6dbSdWlUW7mHVoFP75aRuLjeEwX9Crgu/BVce7tcL0nFXvaBfaPngz3irzE2t2Dt+p1rVFWsMa2Ms2Wfzx9ZfVUbD0mOBgKmR+fGCHQBuUk4F9kzXA//J6iuk2VNh0+6YXBfTWCEsBllg8CvLgD9aU3DE7nS/xcbZcbpR3nWp8nQvezA5/cAEVTyuQfUO2u/tnYAoEE7t1Qo4RJrWlY30xTvXdq44=,iv:kXjH9JPjix64b+nWWIF/TBlZH9DsOYGTq5okQB3HKYs=,tag:MYM0xdi8AjaR0I/ZcpELAQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByOVluY3hiZXVNNnlINHRG + K2Fwa0VIWDlETmZwUzNFbkNHZSttNHhUbnlVCjVVdWZHVzJCTkQyS3VlSXA0WFhY + TnR0TEZBQWwzNlVVdVl2K1RnUzE0UG8KLS0tIHhoU0xGM0xJR3ZwbHJNaTlPUHBQ + VzJCQjQ0NG5sbWFLK2phM2lEdlpuMG8Kw8ftkoEbYrA++cJSfUZRthK2cU+iIzNy + oYxlHm5va6JVZ/Sg05mxBB8kWX410/yCW9nH6ZkLrJ5YmpugePzr2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bXZMZlVRNWIydFdUcE9T + 
c0FMN3AvWXUyTUQ4U0VJL3IzcVpXTnVGOTBNCk5rWFlWeVA4b0JRZXY3NHhSbEVp + RlA5cGs0SVg1Rk4xZXBVdWtUcHFURjgKLS0tIHlwTWJQR09DZnBUTWY2NWdFZWZN + RkxTQ1p4VG9sZ0UrWW9ZWnZLNjZtQW8Kax+WCtGOaNYdkmV/Ty2pP9JFgRaHe/Xn + C1o5W2hMBSoLcC14mlokdVKp81dPDQuuxLtDcCgCQU7aOzvWO3CqKg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMkNqQnY2TkZRaUJaTjAz + TUxVSUhyMzRsMm1OYVllM001UmpvL2lNcXhNCkRxQlMxZHBrNlNlNnIrQUY1NHpn + dzNFeGhlbE1wMlBwN3RxWUZyT1kyYUkKLS0tIGhpRGN5WFRCT1I5eGlhdUhWc3FR + WHZKWTlmN2llUndzeEdGV0xDSGZqZ2sKlZ0CGVfCtDdRl2vW7BxVkrBMFOZ5Fdk6 + 9Z9oqBOde0Mp9FGEwnt+IC79FKIknIyYfMf9tpo9Is85/IvyDHTMwA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIT1VNTTVjcy9rakUwVFBY + UGh6L2l0Q2I1bFlWcG1XYVJiMkhYMnA4YlFzCnRXVmZDWnY4Zi9TK3NCc3huaC9W + dDQ5ek5EY2FQeTVhUWpHVkV3TXhxbncKLS0tIDNKN0hYNjVUdHNaMXYzdUE5Mm85 + NSt2OGp4VENRS1pLWHNQVFdhRU9STXMKXfcamWoU/bz39wstSEEuIJZknZpoOPzE + W/kDJ5xytfydUkYqoIiGH7s1JyHyCpqbRplPrjQZCmNDvXtcq3L/uQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZS1hHTTJudnUrQzJDYUh6 + ZEhjYTFaeXRwQXRrL3g1b05LaXdWMit6M2t3Ck81NVZyTUE0RVo5ZmdRcUZ0ZTBx + MkdUVDRyZ3Bmd21FZkdzckp3eGp1bmMKLS0tIFk5blFPMUlPdXJ2NThYME8reGxv + cXlZMTMvcFhScVBObXZRQXQ4WkI2d1EKFYLSfJlDx2BlBWUebBOy/PV0gu0KyhY8 + WSYL992HR043ENrbmkfbpVHaOZi8imyNKa7FWpLaj/Nuwv/Kfvy7uQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZU9Wb0JLTG1kOWZ1YjJQ + 
SUh1NWxqS0ZGa0xEOHFUOWpYR3hTM2dQRWdZCklBb25LajV6RnZhOUVKLzJjY3lz + MTYvNmRPTEgrc0dJK0g5N2RkdEt0RUUKLS0tIHdxcFJCaTg4ZE5TQVVKS3k5K3Bo + Q0VudEFzRUFGWlNJcHc0VzZJUVRwbHMKjTMUFFbHhDeP7QLmR64yqDEh4naazL9f + etbOvYUkgj4IaB9UgDerG4MjyyHiVVY9Md8Jqe3dOQN0rqXRxNOW1g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-15T19:11:54Z" + mac: ENC[AES256_GCM,data:OR2ibRtOtUwIuQ27c5PHRzdvKoTGMl4Ll7/hmuIB40amBqs54Cku/SEOqw2kHG31ii3cK5XbyaR6tC8Lvu07tn1iutbU8WjN8Ww+txr0FgdbeTYRIWr9aClAKmR3Ek1Ky2NsA2OaTm02Um6W0xX78Ran04Gjuf8vpaXSRYVsPbA=,iv:w9M3O5DHlm7Jq9vjfxaq34petJtgMeEUHZ0fZKycOjs=,tag:ShLvjfZJV3FARa4An+YfQA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/secrets.nix b/secrets/secrets.nix deleted file mode 100644 index a236427..0000000 --- a/secrets/secrets.nix +++ /dev/null 
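Review bot: The recipient list at the end of this file names all six age keys, so every entry in it — the borg passphrase and borgbase private key, the k3s server token, and all five k3s/etcd CA private keys — is decryptable by each of the four server keys, not only by the admins. A single compromised host therefore yields the cluster's CA signing material and the backup credentials, even if that host only ever needs one or two of these values. If the hosts do need different subsets, consider one sops file per host (or per role) with a narrower key group, so a host can only decrypt what it consumes; the two CA key groups in particular look like they belong to whichever host runs the k3s control plane rather than to all four. This is a least-privilege observation about the key groups, not about the encryption itself, which looks correctly formed.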
@@ -1,42 +0,0 @@
-let
- pkgs = import { };
- lib = pkgs.lib;
-
- publicKeyURLs = [
- "https://github.com/pizzapim.keys"
- "https://github.com/pizzaniels.keys"
- ];
-
- encryptedFileNames = [
- "borg_passphrase.age"
- "borgbase.pem.age"
- "k3s-server-token.age"
- "k3s-ca/server-ca.key.age"
- "k3s-ca/client-ca.key.age"
- "k3s-ca/request-header-ca.key.age"
- "k3s-ca/etcd/peer-ca.key.age"
- "k3s-ca/etcd/server-ca.key.age"
- "k3s-ca/service.key.age"
- ];
-
- machinePublicKeys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a jefke"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 atlas"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a lewis"
- ];
-
- fetchPublicKeys = url:
- let
- publicKeysFile = builtins.fetchurl { inherit url; };
- publicKeysFileContents = lib.strings.fileContents publicKeysFile;
- in
- lib.strings.splitString "\n" publicKeysFileContents;
-
- adminPublicKeys = lib.flatten (builtins.map fetchPublicKeys publicKeyURLs);
-
- allPublicKeys = lib.flatten [ machinePublicKeys adminPublicKeys ];
-
- publicKeysForEncryptedFileName = encryptedFileName:
- { "${encryptedFileName}".publicKeys = allPublicKeys; };
-in
-lib.attrsets.mergeAttrsList (builtins.map publicKeysForEncryptedFileName encryptedFileNames)
diff --git a/secrets/serverKeys.yaml b/secrets/serverKeys.yaml
new file mode 100644
index 0000000..8db5fe9
--- /dev/null
+++ b/secrets/serverKeys.yaml
@@ -0,0 +1,33 @@ +atlas: ENC[AES256_GCM,data:TgYf6Jck5L2feQyvyUb2FcLm2M3aSwN0W0xdH6qLU3L4q7LSeB0yB1xAuXX211ZRYo1b2IgC61/40GXhfTKEKoCE76dvu5ocoyA=,iv:11j2XiDoLB+AuXUjC7Ir7R1BDgXLJvoOQq0nFJYHyUU=,tag:2+tfRyFzSrovoQZFxRLLUw==,type:str] +jefke: ENC[AES256_GCM,data:PH+4rNhATssck8cmKZrhw4VoyHtkqKlRt1wH+BlOvxdhw5GNDsiT4DOf0cveJ090XcOpkAxEf2yqnpIiZhallKVMJS3aFxpNpNw=,iv:QJQZo6x4PE3mNIK8KaQ16BlJeZsdorX683lpf2FjAJk=,tag:rljZMJ/xv7kbkPKP/pqZ9A==,type:str] +lewis: ENC[AES256_GCM,data:rdm5YMnWkg2MpY2ZGYi11HHGJzY/ssKA5DCv/wbcf8qIXRhRt5heA1un1zCJdYBKlxsVGOuQEtHMKuA/vLYqNnIXxr5NxDxhgIo=,iv:y+fyLns2B/JDuumHIuk4p9PybXf8isd7Ve+1gcX0mp8=,tag:VoAORxiU+6WbhAgkm9lAgQ==,type:str] +warwick: ENC[AES256_GCM,data:8ABH+BMdKjLaVG1FkLWksJRtIO8Vu/j1USLGaAAFi6KA/o/S2X936doUl3/D6MKz71i8FwEH410K4JcGJXVboY45Dfp2g1/6bog=,iv:pvXBQcWs/dFSEVe807bpQQKI9n0A/IUxSG0Z1Sl00/Y=,tag:l/sTOe6sNJ34Z2UmmBBBNw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRalF1TGplU28yMWg3OVBo + aXlRRHBRZGlHWUNaRngyRm15SUR3cDNnOGp3CnZMdFMzTEZSNkdRdUNaQ3EwbGw1 + NXgrUEE3Q0wwS2JjL1MvRzhtSk4wdzQKLS0tIGxISXhScFdEY0Fzdk1tNjR4TFdP + L3Znck9zbDdTdk9Cclc3aWtaNjVVUTQK0ikUL3NDPpgCvMiT9PElV27zwk66liW6 + udiuDAiyxLT1QcG90mLMF5wQYbbqlNFOtpKD/RyP63YFveRGSmKsxg== + -----END AGE ENCRYPTED FILE----- + - recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQmQzNkRlQ3RseTh3eFZK + bmFnMCt4ell2QlQyZTZBWnRKcXpMdXA1ZWdrClhYUENHS1V6Q0RBSUZzWW5LSzR6 + SE1lQzJsSUU5ci94UnFJZ0UyWk8vZUkKLS0tIDVjRm11N1R1UksydlM3SG5KZjdv + eDdFZERVZUJ2QmYvTUlGMlFFNTlna00KLil0QQySKHDAdFxIZAlWvkCRT2v8RNL7 + CWIs/HhjmGk0BEoXIVlmbnAVNATABCCWnUTHFKvvW/8KIDhwgu72Eg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-15T19:19:59Z" + mac: 
ENC[AES256_GCM,data:Y+aBXyowjQTXgteYLU2j1I5cv9UFU/ylrVy9QQub3NLzBbpW4pb+oI2wVcZI0K40jwSX7xOEjgGOtjdLRGTG8/xHm/yf+R0Wgs7fyIxOzcZv8XBadR6f2jUnAPA74ZDQ9ngwh1xyJteQPLwr+XPuGNlylYn/mj/EcwFs1SCok5A=,iv:/7XR2P/nfEicarsCALXhKIbvzsqUYhg9SgT2Z7P3W20=,tag:+uHRHU+WVfWefjHcH/C4fA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops.yaml b/secrets/sops.yaml deleted file mode 100644 index cfa011b..0000000 --- a/secrets/sops.yaml +++ /dev/null 
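Review bot: Nothing in this file records what the four host-named entries are or how they are delivered, and since the file is encrypted to the two admin keys only, the hosts themselves cannot read it. If these are the per-host age private keys, as the file name suggests, a short note next to the secrets (for example in the repository README) stating that they are provisioned out of band by an admin and must never be added as recipients of this file would save the next maintainer from guessing; the file cannot carry a plain comment without re-encrypting, so the note belongs outside it.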
@@ -1,54 +0,0 @@ -freshrss: - password: ENC[AES256_GCM,data:o1TcbxuSULbatxbBSBt7VZKpT8SlRKfF2UQSnj7eo0nVhgWnXPcJlQ==,iv:qd/asB7gVpLijV3E89Vy7WNG9b531/Tn57uf0mgTMZA=,tag:eQ69xVcYBA931e2bxMp1fA==,type:str] -pihole: - password: ENC[AES256_GCM,data:RkKI/R+mdN0vJRMVKjBJF4y5PKj2J2keg0CsjCiXgZPvFl6jnPqTnQ==,iv:5waAzXb42SHEKAHmEVoIBCkhIJDCunrvaUNg4YI+1xw=,tag:FjGeyZ5G5Cp0imoIbkoBVw==,type:str] -hedgedoc: - databaseURL: ENC[AES256_GCM,data:hFJIu3Jan1XknGDl5v//kpwafIz05gdH9n8S9BduWq18tPhwdl3ZPzGuQpCAmbLmZj9TVnTySmb9hVP2j9XEc8czH8J1Kvi5WyR4l58+DZO6XM44l8ttO/EMmx/d2oO0UNMrG3piVPAbpL5iMMIypw==,iv:85XDeM8VEGi3nDsU6TxJZJt5yH8R9UWUJOf2uebf9gQ=,tag:1N6B/JQnqOOAt9VCkLcIRQ==,type:str] - sessionSecret: ENC[AES256_GCM,data:Qq2FzcIXWbf7FWm0/K1yMl8tmVdNtv3+DGVST3NM2t9N3IJ+Vbz2PKRy3UX2oPJGthIoXChAaWTNU7WGV2zEBA==,iv:aQvXrbUX3ZCpY2OkFDpbl2XHwCDwLwXjiV2Ny4bjoyE=,tag:wPmROgRmWcvilj/W0RANVQ==,type:str] - databasePassword: ENC[AES256_GCM,data:h3xt+libyQVvG51ttyYF6Lhq3QmYptu7Vx7/lZBytw5I8I1/zLMB6g==,iv:DuWMA82HyuupALguemWJmZ0hUA9oPyXB6tTcy3VFGKk=,tag:4ExOslyo8Kjyn7STpjqYAg==,type:str] -nextcloud: - databasePassword: ENC[AES256_GCM,data:9mkwB4uKUlt1E20n7Wxr9PnKc1bxkYVO5Ph/dFfcuGA=,iv:U3IUz+7izoaeQi03xghDM1dZK01ICi3+r6r3mvNh8u0=,tag:aGKQyzZX210SNTRlvoHUig==,type:str] -paperless: - databasePassword: ENC[AES256_GCM,data:K1cBEqSnccLriGWjj5CTkggZbo0=,iv:NFOZvPuzE8vdP2BzHR7iUrvnMRqvbtcwkKAWk4ckEws=,tag:5SL+nnJSuVaceGMCAAf5nQ==,type:str] - secretKey: ENC[AES256_GCM,data:g2tDbmy8SdkYrwrF/pkzmr5cG1A=,iv:Zzg/oUvJfPku66TWf0TgmQRERRegVxtJdFDShxb56ng=,tag:f4LIe74n4m/SlmDOntkLQg==,type:str] -kitchenowl: - jwtSecretKey: ENC[AES256_GCM,data:XAfrvGbfVA1AZJyT0Nq0V0Om+1U=,iv:3kuWHfx5/Wk08z4/rou49s1wSxzisZUP0HLefYk9vXs=,tag:kormdXTJ7u5ar4+VY/IfvQ==,type:str] -forgejo: - lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str] - internalToken: 
ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str] -attic: - jwtToken: ENC[AES256_GCM,data:bEf5v8KhIgyKqyjYOzBmJrZ71GagXqOTH+I3J0Iu+Q3X6XUbGxjwW5/RT3AuJAJ+Owp1Uyk26FmEuurYChG13rBWZ0R85MeMBb2sZ/Q22TXeBxRwzq4Izg==,iv:VlIhxGE8I8W+UFyDLnhUxDzf/us95H86V2FLbsKMSGw=,tag:ynz5eNuxkAl35qzcDNzoAw==,type:str] - databaseURL: ENC[AES256_GCM,data:GZcr8hRVIDwhKKwzHygydXAuJpQjKjN95GK+oqb33QgS5HW647+J5wGXxYan9II6iC0N3oSi36cJIkwIjLr9SJhRcjCkdsCZfNrGmT+F9SqUIi8=,iv:HerbEz1oPCE1F1etWHpFkSvulGRU97KPTcrZauIZQNM=,tag:/UXgWvnmCexvxwQONnmATg==,type:str] - databasePassword: ENC[AES256_GCM,data:AZXZyNJ6tGG3OU9CgC+bj43471Q=,iv:DoTSTIMLFi1+U7lvkix+QM8tP1tR0TtxuZRKlBneYek=,tag:+zk8TJRUzk9tNYXGLWIN2w==,type:str] -atuin: - databaseURL: ENC[AES256_GCM,data:sE9zT6iwrsZB42nGd3fQtdIJqW/QE1qqgBtqHRsNfqm1+0Pvhc9VwIP9wchHlL7n030iRE8=,iv:pAXhb+W5FrWZabgULdMtosdvA7KAQJ2D5nqLUzLax9M=,tag:l8C8yj+m8Ic97qbHAsA2vg==,type:str] - databasePassword: ENC[AES256_GCM,data:Xyrn5LYgQ0/XvoHwAqKe9EPQxNk=,iv:wN5msdAPuVxMCkGYKag+Ppj65rQCHHjNwDH17+HTPVs=,tag:M1rjzLsEqJ9qe24RQs+FMA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WFRZQlFnNW1xWHlDNnpi - MG9aZmZMYmF3WjljWXVKcHY1dml1bzdQQVFNCi9uRCtCS2tSRTBnRzJ1ZE1EM0d4 - NjNzR0ZkZ2dCZFlHMzlGZ2NEbzRidnMKLS0tIFBUbjdwdy9TaU8vaVA5bEFIbnU3 - clE1YnhsNlBrby9tRHNSN2V6c05hdXMKU5Ta/hfdIh3GiDfwVhP96cU64P04S0I1 - VdKYSeKVAI3h95E5yxWGX9O0p1GYCS4aQpMGsG+hat6BozYTVRdzxw== - -----END AGE ENCRYPTED FILE----- - - recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZER2ckh2SGRheUxRcmlJ - 
cTA0UmtwMHlUMFBGODcxTzJsZjhNU2hVbVRZCnlpWXAzTWdFQ01RL1AzYmRJSC9U - MTZMVzRnM1UwVnpyajhJUWpVRDhOZ00KLS0tIDdGRW5LekZnL3V4OFhzb0M1K1JO - cHJRZWpDdWZlSnh3Qm1GZ28vZ0p0ZjAK7+BS6YQ2cUD21XCISBeNLSUNgNFQfSKI - zL/AAqsVoBTrEs7s9fxmWmVm21/M3ZTYfU6Z6gIr6YEWe1pehRd6ZQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-12T20:30:18Z" - mac: ENC[AES256_GCM,data:isinf4VigAI6UMTbaTxD/OxQSftK+EC5sJ4Kx8S1yOAmi1RPaKwpHLlrTq4Ah1beF91Q6BonObYyx3viJ0wq0KWnL+U064RBmFiQlHR7XeIzGv/YJA1jrqWI0VKMpG8cQkHtQf1LI1HsHI3SUw53reHAMX+5m+YkIz+mRNYWxoE=,iv:gCG0Ww2Fm/C4HOKYUqTCm9plt+DscWQWwvnpMAg614Q=,tag:a6s1pl5voaONf507XpGZbQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1