Replace agenix with sops-nix

This commit is contained in:
Pim Kunis 2024-06-15 22:27:07 +02:00
parent bb1f091fbb
commit 726beabb9c
33 changed files with 296 additions and 332 deletions


@ -1,2 +1,23 @@
keys:
- &admin_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
- &admin_niels age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
- &server_atlas age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf
- &server_jefke age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02
- &server_lewis age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
- &server_warwick age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
creation_rules: creation_rules:
- age: "age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw,age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga" - path_regex: secrets/(kubernetes|serverKeys).yaml$
key_groups:
- age:
- *admin_pim
- *admin_niels
- path_regex: secrets/nixos.yaml$
key_groups:
- age:
- *admin_pim
- *admin_niels
- *server_atlas
- *server_jefke
- *server_lewis
- *server_warwick
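Review bot: The `secrets/nixos.yaml$` rule at the end of the hunk encrypts a single file to every server key, so any one host can decrypt the whole file — including the k3s CA private keys this commit moves into it — rather than only the entries it needs. Splitting the host-side secrets into per-role files (for example a separate file for the k3s server keys with its own `path_regex`, encrypted to the admins plus only the hosts that run the k3s server role) would keep a compromised agent from yielding the cluster CA. Both regexes are also unanchored at the start and use an unescaped `.`; `^secrets/nixos\.yaml$` and `^secrets/(kubernetes|serverKeys)\.yaml$` make the match exact so a similarly named file elsewhere in the tree cannot pick up the wider key set.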


@ -6,12 +6,12 @@ Nix definitions to configure our servers at home.
- [deploy-rs](https://github.com/serokell/deploy-rs): NixOS deploy tool with rollback functionality - [deploy-rs](https://github.com/serokell/deploy-rs): NixOS deploy tool with rollback functionality
- [disko](https://github.com/nix-community/disko): declarative disk partitioning - [disko](https://github.com/nix-community/disko): declarative disk partitioning
- [agenix](https://github.com/ryantm/agenix): deployment of encrypted secrets to NixOS machines
- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones - [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones
- [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes - [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes
- [nixos-hardware](https://github.com/NixOS/nixos-hardware): Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi - [nixos-hardware](https://github.com/NixOS/nixos-hardware): Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
- [kubenix](https://kubenix.org/): declare and deploy Kubernetes resources using Nix - [kubenix](https://kubenix.org/): declare and deploy Kubernetes resources using Nix
- [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts - [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts
- [sops-nix](https://github.com/Mic92/sops-nix): Sops secret management for Nix
## Installation ## Installation


@ -3,13 +3,12 @@
"${self}/nixos-modules" "${self}/nixos-modules"
machine.nixosModule machine.nixosModule
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.agenix.nixosModules.default inputs.sops-nix.nixosModules.sops
] ++ lib.lists.optional (machine.isRaspberryPi) inputs.nixos-hardware.nixosModules.raspberry-pi-4; ] ++ lib.lists.optional (machine.isRaspberryPi) inputs.nixos-hardware.nixosModules.raspberry-pi-4;
config = { config = {
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
hardware.cpu.intel.updateMicrocode = lib.mkIf (! machine.isRaspberryPi) config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkIf (! machine.isRaspberryPi) config.hardware.enableRedistributableFirmware;
age.identityPaths = [ "/etc/age_ed25519" ];
nixpkgs = { nixpkgs = {
config.allowUnfree = true; config.allowUnfree = true;
@ -129,5 +128,10 @@
fi fi
''; '';
}; };
sops = {
age.keyFile = "/root/.config/sops/age/keys.txt";
defaultSopsFile = ./secrets/nixos.yaml;
};
}; };
} }
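Review bot: The age key path `/root/.config/sops/age/keys.txt` set in the new `sops` block is spelled out again in bootstrap.sh (the mkdir, the sops redirect and the chmod), so the two can drift silently and a host would only find out at activation when no secret decrypts. A comment next to `age.keyFile` tying the two together would help, e.g. `# Provisioned at install time by bootstrap.sh via nixos-anywhere --extra-files; keep the path in sync there.` The `config = {` attrset that holds this block starts before the hunk.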


@ -34,13 +34,14 @@ cleanup() {
trap cleanup EXIT trap cleanup EXIT
# Create directory where age key will go. # Create directory where age key will go.
# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system. # Nixos-anywhere creates a kind of overlay and retains this structure on the final file system.
mkdir "$temp/etc" mkdir -p "$temp/root/.config/sops/age"
secret-tool lookup age-identity "$servername" > "$temp/etc/age_ed25519" # Extract and copy server's age key.
sops -d --extract "[\"${servername}\"]" secrets/serverKeys.yaml > "$temp/root/.config/sops/age/keys.txt"
# Set the correct permissions # Set the correct permissions
chmod 600 "$temp/etc/age_ed25519" chmod 600 "$temp/root/.config/sops/age/keys.txt"
# Install NixOS to the host system with our age identity # Install NixOS to the host system with our age identity
nixos-anywhere --extra-files "$temp" --flake ".#${servername}" "root@${hostname}" nixos-anywhere --extra-files "$temp" --flake ".#${servername}" "root@${hostname}"
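Review bot: The `sops -d --extract … > "$temp/root/.config/sops/age/keys.txt"` line creates the key file under the caller's umask before the `chmod 600` two lines later, and nothing checks that the extraction produced a key: if `secrets/serverKeys.yaml` has no entry for `$servername`, an empty file could be shipped and nixos-anywhere would still run unless the script is under `set -e` (not visible in the hunk). Setting `umask 077` before the redirect closes the permission window, and a guard such as `[ -s "$temp/root/.config/sops/age/keys.txt" ] || { echo "no age key for ${servername} in secrets/serverKeys.yaml" >&2; exit 1; }` after it fails early instead of installing a host that cannot decrypt anything. Since `mkdir -p` also creates `$temp/root`, a `chmod 700 "$temp/root"` is worth adding if nixos-anywhere preserves directory modes from `--extra-files` — I cannot tell from here. The script continues on both sides of the hunk.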


@ -16,7 +16,7 @@ in
{ {
packages.bootstrap = createScript { packages.bootstrap = createScript {
name = "bootstrap"; name = "bootstrap";
runtimeInputs = with pkgs; [ libsecret coreutils nixos-anywhere ]; runtimeInputs = with pkgs; [ sops coreutils nixos-anywhere ];
scriptPath = ./bootstrap.sh; scriptPath = ./bootstrap.sh;
}; };


@ -1,28 +1,5 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1716561646,
"narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
"owner": "ryantm",
"repo": "agenix",
"rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"blog-pim": { "blog-pim": {
"inputs": { "inputs": {
"flutils": "flutils", "flutils": "flutils",
@ -45,28 +22,6 @@
"url": "https://git.kun.is/home/blog-pim" "url": "https://git.kun.is/home/blog-pim"
} }
}, },
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy-rs": { "deploy-rs": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@ -177,7 +132,7 @@
}, },
"flake-utils_2": { "flake-utils_2": {
"inputs": { "inputs": {
"systems": "systems_4" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1710146030,
@ -195,7 +150,7 @@
}, },
"flake-utils_3": { "flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_6" "systems": "systems_5"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1701680307,
@ -212,7 +167,7 @@
}, },
"flake-utils_4": { "flake-utils_4": {
"inputs": { "inputs": {
"systems": "systems_7" "systems": "systems_6"
}, },
"locked": { "locked": {
"lastModified": 1694529238, "lastModified": 1694529238,
@ -230,7 +185,7 @@
}, },
"flutils": { "flutils": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1710146030,
@ -246,34 +201,13 @@
"type": "github" "type": "github"
} }
}, },
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"kubenix": { "kubenix": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
"systems": "systems_5", "systems": "systems_4",
"treefmt": "treefmt" "treefmt": "treefmt"
}, },
"locked": { "locked": {
@ -398,6 +332,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1717880976,
"narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1717646450, "lastModified": 1717646450,
@ -438,7 +388,7 @@
"nixhelm", "nixhelm",
"nixpkgs" "nixpkgs"
], ],
"systems": "systems_8", "systems": "systems_7",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
@ -457,7 +407,6 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"blog-pim": "blog-pim", "blog-pim": "blog-pim",
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"disko": "disko", "disko": "disko",
@ -467,7 +416,29 @@
"nixhelm": "nixhelm", "nixhelm": "nixhelm",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1718137936,
"narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
}, },
"systems": { "systems": {
@ -525,9 +496,8 @@
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-systems", "id": "systems",
"repo": "default", "type": "indirect"
"type": "github"
} }
}, },
"systems_5": { "systems_5": {
@ -540,8 +510,9 @@
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "systems", "owner": "nix-systems",
"type": "indirect" "repo": "default",
"type": "github"
} }
}, },
"systems_6": { "systems_6": {
@ -560,21 +531,6 @@
} }
}, },
"systems_7": { "systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_8": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -633,7 +589,7 @@
}, },
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems_3" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1701680307,


@ -7,16 +7,12 @@
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
dns = { dns = {
url = "github:kirelagin/dns.nix"; url = "github:kirelagin/dns.nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -36,6 +32,11 @@
url = "github:pizzapim/kubenix"; url = "github:pizzapim/kubenix";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
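Review bot: The new `sops-nix` input pins only `inputs.nixpkgs.follows = "nixpkgs"`, but the lockfile in this same commit shows sops-nix also carrying a `nixpkgs-stable` input that resolves to a separate `release-23.11` nixpkgs checkout. Unless something consumes that stable tree, adding `inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing follows line drops the second nixpkgs from the lock and keeps sops-nix evaluated against the same package set the hosts use. The `inputs = {` attrset enclosing this starts before the hunk.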
outputs = outputs =


@ -2,7 +2,7 @@
kubernetes.resources = kubernetes.resources =
let let
atticSettings = { atticSettings = {
database.url = "ref+sops://secrets/sops.yaml#attic/databaseURL"; database.url = "ref+sops://secrets/kubernetes.yaml#attic/databaseURL";
storage = { storage = {
type = "local"; type = "local";
@ -38,13 +38,13 @@
in in
{ {
configMaps = { configMaps = {
attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/sops.yaml#attic/jwtToken"; attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/kubernetes.yaml#attic/jwtToken";
attic-config.data.config = builtins.readFile generatedConfig; attic-config.data.config = builtins.readFile generatedConfig;
attic-db-env.data = { attic-db-env.data = {
POSTGRES_DB = "attic"; POSTGRES_DB = "attic";
POSTGRES_USER = "attic"; POSTGRES_USER = "attic";
POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/attic/databasePassword"; POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/attic/databasePassword";
PGDATA = "/pgdata/data"; PGDATA = "/pgdata/data";
}; };
}; };
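Review bot: On the new side, `attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64` still places the JWT signing secret in a ConfigMap rather than a Secret, so the vals-rendered plaintext lands in an object that typically gets neither the API server's at-rest encryption nor the tighter RBAC applied to Secrets; the same holds for the `POSTGRES_PASSWORD` entries in the `*-db-env` ConfigMaps here and in the hedgedoc, nextcloud and paperless hunks. This predates the commit, but since each of these lines is rewritten here it is a natural moment to move them under `secrets.<name>.stringData` as the other files already do. The fragment style is also inconsistent within this file (`#attic/jwtToken` vs `#/attic/databasePassword`); using the leading-slash form found everywhere else, e.g. `"ref+sops://secrets/kubernetes.yaml#/attic/jwtToken"`, avoids depending on both spellings being accepted. The `let` binding and the `configMaps` attrset both continue outside the hunk.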


@ -1,8 +1,8 @@
{ {
kubernetes.resources = { kubernetes.resources = {
secrets.atuin.stringData = { secrets.atuin.stringData = {
databasePassword = "ref+sops://secrets/sops.yaml#/atuin/databasePassword"; databasePassword = "ref+sops://secrets/kubernetes.yaml#/atuin/databasePassword";
databaseURL = "ref+sops://secrets/sops.yaml#/atuin/databaseURL"; databaseURL = "ref+sops://secrets/kubernetes.yaml#/atuin/databaseURL";
}; };
deployments.atuin = { deployments.atuin = {


@ -31,7 +31,7 @@
SSH_PORT = 56287; SSH_PORT = 56287;
SSH_LISTEN_PORT = 22; SSH_LISTEN_PORT = 22;
LFS_START_SERVER = true; LFS_START_SERVER = true;
LFS_JWT_SECRET = "ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret"; LFS_JWT_SECRET = "ref+sops://secrets/kubernetes.yaml#/forgejo/lfsJwtSecret";
OFFLINE_MODE = false; OFFLINE_MODE = false;
}; };
@ -77,7 +77,7 @@
SECRET_KEY = ""; SECRET_KEY = "";
REVERSE_PROXY_LIMIT = 1; REVERSE_PROXY_LIMIT = 1;
REVERSE_PROXY_TRUSTED_PROXIES = "*"; REVERSE_PROXY_TRUSTED_PROXIES = "*";
INTERNAL_TOKEN = "ref+sops://secrets/sops.yaml#/forgejo/internalToken"; INTERNAL_TOKEN = "ref+sops://secrets/kubernetes.yaml#/forgejo/internalToken";
PASSWORD_HASH_ALGO = "pbkdf2"; PASSWORD_HASH_ALGO = "pbkdf2";
}; };


@ -7,7 +7,7 @@
PUBLISHED_PORT = "443"; PUBLISHED_PORT = "443";
}; };
secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/sops.yaml#/freshrss/password"; secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/kubernetes.yaml#/freshrss/password";
deployments.freshrss = { deployments.freshrss = {
metadata.labels.app = "freshrss"; metadata.labels.app = "freshrss";


@ -18,14 +18,14 @@
hedgedoc-db-env.data = { hedgedoc-db-env.data = {
POSTGRES_DB = "hedgedoc"; POSTGRES_DB = "hedgedoc";
POSTGRES_USER = "hedgedoc"; POSTGRES_USER = "hedgedoc";
POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/hedgedoc/databasePassword"; POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databasePassword";
PGDATA = "/pgdata/data"; PGDATA = "/pgdata/data";
}; };
}; };
secrets.hedgedoc.stringData = { secrets.hedgedoc.stringData = {
databaseURL = "ref+sops://secrets/sops.yaml#/hedgedoc/databaseURL"; databaseURL = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databaseURL";
sessionSecret = "ref+sops://secrets/sops.yaml#/hedgedoc/sessionSecret"; sessionSecret = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/sessionSecret";
}; };
deployments = { deployments = {


@ -1,6 +1,6 @@
{ {
kubernetes.resources = { kubernetes.resources = {
secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/sops.yaml#/kitchenowl/jwtSecretKey"; secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/kubernetes.yaml#/kitchenowl/jwtSecretKey";
deployments.kitchenowl = { deployments.kitchenowl = {
metadata.labels.app = "kitchenowl"; metadata.labels.app = "kitchenowl";


@ -10,12 +10,12 @@
nextcloud-db-env.data = { nextcloud-db-env.data = {
POSTGRES_DB = "nextcloud"; POSTGRES_DB = "nextcloud";
POSTGRES_USER = "nextcloud"; POSTGRES_USER = "nextcloud";
POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword"; POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/nextcloud/databasePassword";
PGDATA = "/pgdata/data"; PGDATA = "/pgdata/data";
}; };
}; };
secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword"; secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/kubernetes.yaml#/nextcloud/databasePassword";
deployments = { deployments = {
nextcloud = { nextcloud = {


@ -20,14 +20,14 @@
paperless-db-env.data = { paperless-db-env.data = {
POSTGRES_DB = "paperless"; POSTGRES_DB = "paperless";
POSTGRES_USER = "paperless"; POSTGRES_USER = "paperless";
POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/paperless/databasePassword"; POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/paperless/databasePassword";
PGDATA = "/pgdata/data"; PGDATA = "/pgdata/data";
}; };
}; };
secrets.paperless.stringData = { secrets.paperless.stringData = {
databasePassword = "ref+sops://secrets/sops.yaml#/paperless/databasePassword"; databasePassword = "ref+sops://secrets/kubernetes.yaml#/paperless/databasePassword";
secretKey = "ref+sops://secrets/sops.yaml#/paperless/secretKey"; secretKey = "ref+sops://secrets/kubernetes.yaml#/paperless/secretKey";
}; };
deployments = { deployments = {


@ -5,7 +5,7 @@
PIHOLE_DNS_ = "192.168.30.1"; PIHOLE_DNS_ = "192.168.30.1";
}; };
secrets.pihole.stringData.webPassword = "ref+sops://secrets/sops.yaml#/pihole/password"; secrets.pihole.stringData.webPassword = "ref+sops://secrets/kubernetes.yaml#/pihole/password";
deployments.pihole = { deployments.pihole = {
metadata.labels.app = "pihole"; metadata.labels.app = "pihole";


@ -1,4 +1,4 @@
{ self, pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let let
cfg = config.lab.backups; cfg = config.lab.backups;
@ -19,12 +19,12 @@ let
} }
]; ];
ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."borgbase.pem".path} -o StrictHostKeychecking=no"; ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
keep_daily = 7; keep_daily = 7;
keep_weekly = 4; keep_weekly = 4;
keep_monthly = 12; keep_monthly = 12;
keep_yearly = -1; keep_yearly = -1;
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg_passphrase".path}"; encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/borgPassphrase".path}";
}; };
}; };
in in
@ -67,7 +67,7 @@ in
IOWeight = 100; IOWeight = 100;
Restart = "no"; Restart = "no";
LogRateLimitIntervalSec = 0; LogRateLimitIntervalSec = 0;
Environment = "BORG_PASSPHRASE_FILE=${config.age.secrets."borg_passphrase".path}"; Environment = "BORG_PASSPHRASE_FILE=${config.sops.secrets."borg/borgPassphrase".path}";
}; };
script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}"; script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
@ -83,9 +83,9 @@ in
}; };
}; };
age.secrets = { sops.secrets = {
"borg_passphrase".file = "${self}/secrets/borg_passphrase.age"; "borg/borgPassphrase" = { };
"borgbase.pem".file = "${self}/secrets/borgbase.pem.age"; "borg/borgbasePrivateKey" = { };
}; };
}; };
} }
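Review bot: The rewritten `ssh_command` keeps `-o StrictHostKeychecking=no`, so the borg connection that now authenticates with `config.sops.secrets."borg/borgbasePrivateKey".path` accepts any host key for the backup target, and an on-path host could impersonate it; pinning the remote key, e.g. `-o UserKnownHostsFile=${pkgs.writeText "borgbase-known-hosts" "<BORGBASE_HOST_KEY_PLACEHOLDER>"} -o StrictHostKeyChecking=yes`, keeps the non-interactive behaviour without that gap. The two new `sops.secrets` entries rely on sops-nix defaults (root-owned, owner-read-only), which is only right if the borgmatic unit runs as root — its `User` is not within the hunk, so worth confirming. The attrset holding `sops.secrets` continues past the hunk.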


@ -1,4 +1,4 @@
{ self, inputs, pkgs, lib, config, ... }: { inputs, pkgs, lib, config, ... }:
let cfg = config.lab.k3s; let cfg = config.lab.k3s;
in { in {
options.lab.k3s = { options.lab.k3s = {
@ -56,7 +56,7 @@ in {
{ {
enable = true; enable = true;
role = cfg.role; role = cfg.role;
tokenFile = config.age.secrets.k3s-server-token.path; tokenFile = config.sops.secrets."k3s/serverToken".path;
extraFlags = lib.mkIf (cfg.role == "server") serverFlags; extraFlags = lib.mkIf (cfg.role == "server") serverFlags;
clusterInit = cfg.clusterInit; clusterInit = cfg.clusterInit;
serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr; serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr;
@ -101,38 +101,18 @@ in {
}; };
}; };
age.secrets = { sops.secrets =
k3s-server-token.file = "${self}/secrets/k3s-server-token.age"; let
keyPathBase = "/var/lib/rancher/k3s/server/tls";
k3s-server-ca-key = lib.mkIf (cfg.role == "server") { in
file = "${self}/secrets/k3s-ca/server-ca.key.age"; {
path = "/var/lib/rancher/k3s/server/tls/server-ca.key"; "k3s/serverToken" = { };
}; "k3s/keys/clientCAKey".path = "${keyPathBase}/client-ca.key";
"k3s/keys/requestHeaderCAKey".path = "${keyPathBase}/request-header-ca.key";
k3s-client-ca-key = lib.mkIf (cfg.role == "server") { "k3s/keys/serverCAKey".path = "${keyPathBase}/server-ca.key";
file = "${self}/secrets/k3s-ca/client-ca.key.age"; "k3s/keys/serviceKey".path = "${keyPathBase}/service.key";
path = "/var/lib/rancher/k3s/server/tls/client-ca.key"; "k3s/keys/etcd/peerCAKey".path = "${keyPathBase}/etcd/peer-ca.key";
}; "k3s/keys/etcd/serverCAKey".path = "${keyPathBase}/etcd/server-ca.key";
k3s-request-header-ca-key = lib.mkIf (cfg.role == "server") {
file = "${self}/secrets/k3s-ca/request-header-ca.key.age";
path = "/var/lib/rancher/k3s/server/tls/request-header-ca.key";
};
k3s-etcd-peer-ca-key = lib.mkIf (cfg.role == "server") {
file = "${self}/secrets/k3s-ca/etcd/peer-ca.key.age";
path = "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.key";
};
k3s-etcd-server-ca-key = lib.mkIf (cfg.role == "server") {
file = "${self}/secrets/k3s-ca/etcd/server-ca.key.age";
path = "/var/lib/rancher/k3s/server/tls/etcd/server-ca.key";
};
k3s-service-key = lib.mkIf (cfg.role == "server") {
file = "${self}/secrets/k3s-ca/service.key.age";
path = "/var/lib/rancher/k3s/server/tls/service.key";
};
}; };
}; };
} }
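Review bot: The new `sops.secrets` attrset drops the `lib.mkIf (cfg.role == "server")` guards the removed lines carried, so every host that imports this module — agents included — now decrypts the cluster's client, request-header, server, service and etcd CA private keys into `/var/lib/rancher/k3s/server/tls`, where only control-plane nodes need them. That widens what a compromised agent exposes from its own join token to the keys that can mint arbitrary cluster credentials. Restoring the role check on the key entries while leaving `"k3s/serverToken"` unconditional keeps the new file layout and limits the CA material to servers; the rewritten attrset is below. The module body continues outside the hunk.
```nix
    sops.secrets =
      let
        keyPathBase = "/var/lib/rancher/k3s/server/tls";
        # Only control-plane nodes hold CA private keys; agents get just the token.
        serverOnly = lib.mkIf (cfg.role == "server");
      in
      {
        "k3s/serverToken" = { };
        "k3s/keys/clientCAKey" = serverOnly { path = "${keyPathBase}/client-ca.key"; };
        "k3s/keys/requestHeaderCAKey" = serverOnly { path = "${keyPathBase}/request-header-ca.key"; };
        "k3s/keys/serverCAKey" = serverOnly { path = "${keyPathBase}/server-ca.key"; };
        "k3s/keys/serviceKey" = serverOnly { path = "${keyPathBase}/service.key"; };
        "k3s/keys/etcd/peerCAKey" = serverOnly { path = "${keyPathBase}/etcd/peer-ca.key"; };
        "k3s/keys/etcd/serverCAKey" = serverOnly { path = "${keyPathBase}/etcd/server-ca.key"; };
      };
```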


@ -1,5 +0,0 @@
To create a secret:
```bash
nix run github:ryantm/agenix# -- -e secret.age
``


@ -1,15 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 UwNSRQ Lr6HfHB1pQVAVESUkR1a1ie8o9cTtCa0LA4y20UvfRU
8X+VZUfk2oRrM+A4pZC/6yyexo2Kr8MO7isiXPsnOJk
-> ssh-ed25519 JJ7S4A fngT1OkV0pfig7UZ4vA8CWFDWc//xn2KWRsk1+EI0Ac
9J+I87tFasCug4rVaXJKNKzxr450YtZUypSTmwf/r7g
-> ssh-ed25519 aqswPA I/RtBp+6CgMOPs41nbd8CqBgpgch8ixRGbzacXSDKRE
adBD/lskyXK/QU+v/OlQ1wQK7PkhALpdxgHUc1i+jcU
-> ssh-ed25519 LAPUww JtDnT4+NqLMBc+LpQSh0eQnSyXzJOHHbaZFNQmxIdC0
/DjWq9XUAH3xZvU1PlB7Q70LQ0x9SRMmaSYQ+DyQZEM
-> ssh-ed25519 vBZj5g 4YBFh5e32ZHr8byvd4vbZ9zljHO4FTrJGhsZiH//KVw
iA+foYHtgt2PjBG9yfBWNLeygiIbW3MsbUQdVWgyrno
-> ssh-ed25519 QP0PgA urlidySF5ZG9ILjdPuJPX6V/aDIAYzwBVd+XopDF5UA
NL/RxiKPRn+uZW37jJKLOHCaktuvzm0SIwcMmBgF5CY
--- aeaUWpBxSTjrcDDQa6Zk2dcdvhsdqs22JlvkduILpqE
â噧òQú² à¡)Š„Åçä¿7bt¡­­íu+Õ<>=¼¯M£ÁlìMúzsÕÚ8ð… aÿ



@ -1,17 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 UwNSRQ 7VPm9hUzbKELjQBUfKKinUdOAUbNzY2pZp9ihry9sFU
ZPkr54gFnXE9b80OKX9NPk4DWmyRTKkcJH0C+6lLJZE
-> ssh-ed25519 JJ7S4A 2TVdz1v5NBqCfPD3LzUdQsQ3ubsdJGSHwVKjj7NNpxE
uO4sRxj8RVqUQXRDlT0ZI4LxFx9MHaAWMrf9WYOZIas
-> ssh-ed25519 aqswPA V+3scofJU1OnxJI9+ryPixGiD3Z1srePETEzUZ4zfAY
QoKHxyKr5XXxgJJeoJycShOqHowt/OkaYJOm8nXXeM8
-> ssh-ed25519 LAPUww V919z6/H/pC5smjiq1d8/7Q+QvbXcbfRKAfjiBugoSw
9urrVRscuLY6cKsfZKBdVcDdpPfex8sDHuEdH/EtujU
-> ssh-ed25519 vBZj5g v7Pkzi9F2fc9++OsVfou2j60R2iq1ZfOCr/SfFVIvkQ
bknegfUOmc1G8PDcskOCS88OGa60B3t4R2ty7Rdt/mM
-> ssh-ed25519 QP0PgA psOkHWvCkdQOpPHYJ/dpDZ/TlZhArARHT9PzsXLV9WU
EHfX0VdHJdm/0iqRfkYxmqmSqrwwgb3irBhDZPvjl3M
--- ekq08T+kFXk/v4//f8xSvqdumAFxd0jMnzUqMn180hs
¬Í‹»ô¬ó‘Ø*€}²`0ÿà"¿,¶[‰Ýv“·buG_pý†\˜º­a—#$gçÞVqüÎöµ3¤/ÍÅò¹PÊ3“nô±û…øŒ Ô@¢÷…¾Bo;CmKp³<70>Î Û#,¦òÇI2_c”ݲÊ<C2B2>TᇀŽŒ¹Îdéƒ-`çáíç!“úýpƒÆÇ!“}Þ_a³Øe¤"?Tùjºèj<C3A8>Ü©]¶É”"´“Ú&¶"L3~= ùèc8º½C í,1ܽm B²Üùt
+DÎ ÷ŽFà \Ã}I>÷"=Þal£Ör
C<1F>ø÷ŒUÏ +døÞÀ Ávó•


@ -1,16 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 UwNSRQ W6uEvGJIdlkC0or4dyFcK+ytKeEiwIJB1bebPLTERDA
uzMxRth4KMhqsQYhw2tWyqBeQdCbTgbBegHrkcuHI9o
-> ssh-ed25519 JJ7S4A bw+MlxnWLuLecMuqMTrJl2TMXyXhqEWCpKFwsPgkgnw
zwWm3Fq9Q+mR+9rVaSzVO3i7qgPgWsv25ClCW1c0G8M
-> ssh-ed25519 aqswPA ZIgGWu33QpKdUfPtlIHs9BeCurnk6pm+2XLi53RBFwc
wN8Qmo9CCqVTa+y6zcYiZYbslgTOtVMUjCCUVT0W7WA
-> ssh-ed25519 LAPUww npNhPTPq8kfN2vgouVJZ5NXARHBD02L1CJHmas4ilAI
nTpXsq5BgfikRJUglFGjP9GoRIswyHZp6R7KxZhH/uc
-> ssh-ed25519 vBZj5g JOUeBxwM5Qcz/YoeYCPM9dmkWp130Ze0E2n8qdsQzzo
1SL0HH+u48cDojytjSxRHXKo1sgil7EZYBLpQAOuzPI
-> ssh-ed25519 QP0PgA /bQtDDcVg8DzFdgFkEDPzBTD02OYTC2Pe+WuEmP9j2A
IRUPa8tityX/FVKJKpcKWMtVvwRzFWueuvBIhlqcSv0
--- DltN2dAJoEDuU6Ub6J7BZY84TjZfHGVN9P2SnoHrE7Q
 Ñq\þê!j>ƒ ›Ï â3ŒÓ÷ô+Ã4<—Ç
¡·7„aÈdb¥†äÑ‚ ®î_ŸÒ.ä±cë(>5ª-þð3ŒjwE¬ô½xHh;µšê,hK*ȼÆßmìbôÁ*ª¨ª»€]MmÏw½~Îg{ʼn¸û°Œß€ZrVk²fRXðGÆ%Œ‚Õ ê1^?ƒÃY@1Ú<31>šÇ<ãv°ïZ_`øðscÙ/d½žÃÍ$óÕ\wR…±ñ}éÈSÓ>ƒ¨Ô7Ë*0«Ý߈¸é”Â…¥2߯šURô«G~:^XãŽ5¬òc8\¹t÷çÌ!ò”ƒ,Óª•Ò



@ -1,15 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 UwNSRQ /B3zuCTP4RhYNPfmErYcFxkL4PrUWs92Q0KGTFTe33g
ar6/o3O1AQFYHBbvs7U9wm5JBXG8suk29Ul56uC39Ok
-> ssh-ed25519 JJ7S4A hJpjR4TFVOHCASfRosTa0oQSr4Q2HjD54Pv1LLY8u1Y
ughx4kBl8IwoEnrpC1Q1P1VZVDxb7BwX32F5JULBz78
-> ssh-ed25519 aqswPA Kyen24puaGTH9Qx11QtZrJrpIiRLh3GR89u8DOxHhTQ
n+RSyHbWLLA6YxWwtsBkwxZePCGZtd0k1DTlXy0rOt8
-> ssh-ed25519 LAPUww 9WvReHxes3jeagSidtztlb06gEKzWbXaSm/wxdcVWGc
4hOVE30jlFUjzXZngJMlyOvW4rK6kAFTZgceyw49DsE
-> ssh-ed25519 vBZj5g Iy2k/NumAyRy2lgv8NFVd7PW1kAgY/HtUAA0DpbY/Xw
jfNr7QiXqTE/jfEOZFEhct7qfKbLYxIAnzPupIfxnnY
-> ssh-ed25519 QP0PgA dFlkBqcgmXd7GnpoI1X4ezDDYuqKtSG8VbUB08As2k8
+KlOiHi+vi0RntHTbdOWzp2lRWdd4SpTU/4dCs51qBU
--- BapxmCnFven9QR0bZDuYWk+lM/2U4AVWQYZsGKRI/W0
°ëDÓy{¥Ýjñƒ2Ñö<C391>h4þ<34>ôrŽyʼ9¦Å…²åo"VJˆN§ÈÛ3ÓOÍ¡´€a s°ö0ùïÁ

secrets/kubernetes.yaml Normal file

@ -0,0 +1,54 @@
freshrss:
password: ENC[AES256_GCM,data:LDLp7cEToWA7zpd5UK+eBUHDaSEtNpFjI7C0LRE+72n0Vu1saPOdSQ==,iv:OEJDcFZwxGJ9vVD1lH7QY5Ue4Kfmx37v9kSEbI0YvRI=,tag:gIyquRc9t+GOOre8MKWxHQ==,type:str]
pihole:
password: ENC[AES256_GCM,data:yqPpovQKmP7NgUMI3w1p8t7RjbxNsMMHZbsNEaleyLJTqnDzNqONsQ==,iv:i+ys/EZelT4a4Sr0RpDto8udk/9yYC6pzl3FiUZQxrQ=,tag:FlvbMN6fuo+VV50YyuMeGg==,type:str]
hedgedoc:
databaseURL: ENC[AES256_GCM,data:dmaXh8wnECBOeEtM00Nc6kpVc3NiJbP5gepToAxLrpmpEEH1vs5SdE90Z3+T3qeXrsTQVr/Q6EOocNKMsTe1pcZoEirECk0dwZ3k6s/bUmUJdZgOf0ir6Iy5J8RZYvJz3AnwuFIsIJ79x0+WfEfACQ==,iv:C7D1zY/vu4zc687XA2mwuYEOFtSFDV+/po4tyNw3ks8=,tag:GQGj4TbP7Mcrm+auuaplnw==,type:str]
sessionSecret: ENC[AES256_GCM,data:FhYr4rFNHmtk9jUcjM4UthepS/5Z4x7WPAE5lTB94WmHrALbzZl2M3JcmibR6/z1FtAJhCsaPZ7Xeg8nOZtU2g==,iv:7soqcd8A+yNfXEZg0qDjOZgfsUIFHfflxByuf7nZk3Y=,tag:x/rmaXo4nTdA080Zl/0MiQ==,type:str]
databasePassword: ENC[AES256_GCM,data:Fv1qeGvXZ93KvdFCCz9t9Dzhe7wKGOfR0lj64lzRM3s48E5FYdrH0w==,iv:cqhIOUKiSSkBpf95Eza9C9l8PX6YmTBpvBAR4+ibgeA=,tag:r8ZvF6l8oNeOt3d5UCA7Ww==,type:str]
nextcloud:
databasePassword: ENC[AES256_GCM,data:Xz0zUpu/W12Io1LSh5CLvGkq1X6yQErz4kdCdTyNZTw=,iv:OkY1fGzHmmbO9u+e9yNlLjJf8dqQtePTj9ifaDBFJ4g=,tag:S8/z9HJTPCZo43wAB5fWpA==,type:str]
paperless:
databasePassword: ENC[AES256_GCM,data:eF4+lxuTnvm+NYwZiU1VFp8Y2JQ=,iv:c36Rk2pEkiqXkLngpyZNulObxek+evvfeugYiBYJrBo=,tag:T0uArgOkJYCvCgmdJauhIg==,type:str]
secretKey: ENC[AES256_GCM,data:ByJpX/tIyzb4fewUOI9MwFBVHkc=,iv:08GvsSOI1OkckH01nzmsyhGoQYl82vyWIDEjrNUQUgk=,tag:YgVY0C7XmlQYw+Aup5LIPw==,type:str]
kitchenowl:
jwtSecretKey: ENC[AES256_GCM,data:9TyqeYlfhvhVg4WOn++/wrqguTM=,iv:+EgGaZxeI+npq5VAX7MHRDYQm8uRcKa8+u2wkn/dwr4=,tag:ATIuPdZQwuDQ+R8nVWWWIA==,type:str]
forgejo:
lfsJwtSecret: ENC[AES256_GCM,data:VWyUDUKZ6km0YPZLejnISBI3wkmOi26CS55NZm+eWbiymGDN9Z9xUQ4FTA==,iv:gGhNGtEEOJnsmq9GMIAImkVOPWMwYq+kDQeWoHVU860=,tag:63z/7PJKI0ePXbJ94radpw==,type:str]
internalToken: ENC[AES256_GCM,data:nKLE/Ir8Ewm3GuRzUNZZTShnMMx6avxYu40PvMEti14Be0YmQhJ0IZruRdpktyW1Jj4n5ksXhk+qsO/vEIzQaJmPU1RxN6vsGGk6EBIwMP0kuUNmp25lPefafoJvxoQpXdJvkLy8f8MC,iv:dUki8hCTOF1O5fmwDqZAkaE1OCH3IL/SFPBDSJ/GMiU=,tag:HUpkVqJg53H8uEmHFqJ7+w==,type:str]
attic:
jwtToken: ENC[AES256_GCM,data:nAuryLY1xD9ur3qDcsJXPJPLFcPwssPKv+/BoivZ4aO6ec6rmOaYAkSRsBjgANyKhssbn0fhGsdyhMBwdHTXDnnIo67amFdxxSe+jJlGtcBXcekaOfD0Ug==,iv:h+h7CD8oI8u2ItzD/KKM16FKaG2xuVqIKh4r1TGjYtw=,tag:Er141FCK8usfzRRtrawHOw==,type:str]
databaseURL: ENC[AES256_GCM,data:F2XyCgXRuebQgvkHGz8DVM2z53sC0/8GzVN6P6iJjrVxB522BJnGlw0YdFBg5K9xMWRhuzxRgDJ+ySfIb8HTtFvlF8Ifx41vFZV1zSpmDMzo4/0=,iv:wp3sg+Y9kgGH5GZZDxAE2CpzDvJeV1mH8mfHRPB17Ys=,tag:IhGRIq/qPT0vSbv/L1ODYg==,type:str]
databasePassword: ENC[AES256_GCM,data:Zwv5DKkihOUU/yL1tvbZl1+bPtI=,iv:C+6n6RHo1zTUJ/g0DWCWNxtLbusoYmDHMySsea5Jpz0=,tag:+pyw0WqnX5rMQxSl/48L5A==,type:str]
atuin:
databaseURL: ENC[AES256_GCM,data:IBmND/J2Pzz+CDCeNBRtErxSQIi8PeUuLGN4rIXKSLwZ6TGJKcNmbuxQDvWkCnI1crx3oak=,iv:wc3G/00oIuaiGF4mA2vIm35wFGxT0a3Ox3k1C9YBAx4=,tag:MQPcsR+vrD85DttYYi6jUw==,type:str]
databasePassword: ENC[AES256_GCM,data:qfWOmFfBOuguOfb1Z51F527ic3o=,iv:4Yx5rpzZHzRlfvZydcBNFRStEO0P4uIcjDqxgRgQmHE=,tag:pbJXcUdvul7nCrXQ9ylAdQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYnNhbmtEQlpEYUV6Vklo
S1NKZkJ0ZGhOdHA3Y1lmUUUzTzh2Q1IxSUNnClZLdnJtUGNZTVUxZ0ozd1FDT0tL
VVhhcVJEaThjNWlUMGlxcG5VOVMwYjQKLS0tIGhJdHBVdnpZNzE0QmdRQzViVGpM
UGI4V2U1Ri9md3RHUVpvbFdtQ0NCNDQKl5QEg2FTMz6oTPF5s8pItduVJLPyLben
B/7KYQd6blJfM7mhF6eUQ61AWehvtzUhIPf57ZhFjpKj+Vzho4Bumw==
-----END AGE ENCRYPTED FILE-----
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ckF3dzArMTBrYnNjZmJo
MzV5NDJoNWpEQmo2TXFzUmdQUUlpa1dIblNZCkhGSklTYVdCa1hJOUoyeDUyc29L
Q05DVEY4M2QxOThXNTJjcTBWNkRQVHMKLS0tIHdyVS9zR1VzQzdTUXJFSlFObWpT
aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP
Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-15T18:55:03Z"
mac: ENC[AES256_GCM,data:THDaTY91n6nTZoDFzSOL+6m0gi+jthNJsjr8sqDO9dRyuezuMj2cJcmfZQZrhxsXIeyr+yHkCxNuqvhpVkH1k/rfQQXbOLXAfdioJepTqr/6zjMy7lr/AoBgzNlcwicE8YVevO34BNE83QqfN3GfPdDfNlE0sku9k2Eda3W61SU=,iv:VI+7Kvf3p6J3l+XAFaadplNWl6t0Xqxoy5q/1zbvp0A=,tag:JeVv8d1GXxPKfdJZ4nbGRQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

secrets/nixos.yaml Normal file

@ -0,0 +1,78 @@
borg:
borgPassphrase: ENC[AES256_GCM,data:2E2xAc8jXPFigFW1WBh3HT1GNGk=,iv:5V05CIk5XRui7jBJ+taNl1I7tnL4y70CgZqm4ZnvF0E=,tag:MfM0uFHnrmwR+H42JGvYRA==,type:str]
borgbasePrivateKey: ENC[AES256_GCM,data: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,iv:SjtP3Wr1Gjou2PyqDQTVYmSY1/Za5P5Cv8/vjVg5JA0=,tag:UiE/oN2PZv7d/ZXeTjHsPg==,type:str]
k3s:
serverToken: ENC[AES256_GCM,data:1mPpDIldl1sIklhBW8SAUZr8an/+mwgf9sMUHR/4878=,iv:DFmDtZd1P/uVOEcb68d02nAGUHdKG3vqCYr/1OTP5/8=,tag:HhPmAoHTGdWcNKhJ4/BVMA==,type:str]
keys:
clientCAKey: ENC[AES256_GCM,data:YY7aj/JrsHApgKFUNJuxfjj5VzrArPp4X81csyyQn0ludjodYepGlcP6Ib5sCQFU82IZiVjKjmZM5i+CgoimlHESbbtcl0Na5jHOU9LINLTHbzOiXLYAkZtYEWBAY3cemJWjRAo+yhCZWo5tigGlkTaA9C77tUIsiwjgQNbXub47ldBLJctT9wKVZRnzkrvlqzA2W0OD9+zxIgq3gggiHQ/UT1Fl22NHArsz2/IiivQnpr0yLbM8OLHeeNY6lJHWkGFXFQBSLV//6uZUUpJROjt4on5F8PgtACD0yiRdRhM9ZjU=,iv:7uUgkXMm5K9440lYcDvZubtABiO7LHUU5xGyw+lzKGA=,tag:r+h6siwma6uKAqPgQ2iyBQ==,type:str]
requestHeaderCAKey: ENC[AES256_GCM,data:sMh5HsC9ufcZUF0WyVxMM3Q6iOK9wS4jqA8xXWYquFMOMtb0KS3SBVG3lehtO+I+VO+Gc+uX5eMue3bHTS4o4TreUGk4huKJHxfLpEu/4nzYim4lk+CzVGxIze8mC589JUmruAjsqkexeJWAoxvmfdMSi9mCxMk+giHrQktgtI9kZG99cIPfvbOz9GQdmnGpCdxD+030xY4o8tXS/d3AtvhmNFhpUV9IIe0r45UV5mm0gdZpamtCjvnvJsplhFvy1A/M0t4D0ivA5vYjAWUmbF1564fN/ht8GIMRWL3AE7k1ZA8=,iv:WqGFtIbpXsz5p9xdA534qQph6FEv9CZUV2jzSPE62qI=,tag:H7gbGmhr9kekkO+pNHwiaA==,type:str]
serverCAKey: ENC[AES256_GCM,data:peD8JY2dx/RBq+YgR2AomIdXj3MNoQKoZ0rUEKQU7DUEkVBWgEcz8tflTMsk9kqfhb0ZIqLYbmTBux161QSbSOZGelv17ZT5CzVIRWSHAVw2SoDkD1m3GhRJS4JcKhVObiaJZ4JAbDsdnk5YdSGgQqq2vzfYvKrXtvZfmq36YvLhbSJkf97Pe1GRVmJx7pP0jd+sz0+iKYwKsnIfYC5QnwK0NtXxIS+G3ewoxh3t9m6OFgLwJ1Xxl6e+Bsh51OEqybwDX2UnhzTsayMJoito5iiUfEpSaNj1jdbwueZA6bLBti4=,iv:wy2mITK5CCqjrjQl+rOo2OPCR5RCpbuME79WYGDROMg=,tag:DFhx2FArTBxDN4BSRM/+NA==,type:str]
serviceKey: ENC[AES256_GCM,data:ycEIVjeyRw0EQBQhMZQJQHdmwZgTTv6x2PzUv6RYCaANlNlWff/RkCLj8lXncDvY5JJrNXRtJ/gmZFPZvMQqtaE9vDLsnN/QpHN6CVe08oeRSKGyn8fz2RB7faEq0AM4NBmo17G6faG67sjWFkT7+nxkpn6Vw0waC0QDNaw/dUmDVmR2zRxrsg0JgBc8DJ50b5yZVQpM2r1alm2/4oL/jyst9Kig0WpD0JmpkBPor/fVb7xCHqb0Yr2pw6Ue1E19ngCqHr3xcjKschXmj5fCnYbDjA9BbTzOcsOGIOeGmb6R/4k4z1VwVAvzdmyRQhjCoSEb8o3YIOOJDTYM8KeFavF8SxXiVpF5Cgc9jK8SDwglc4whlekPV7Z7tQbV15R4s5vQ5oHJRS6J8yBIhkvIx5gxvgL+H0fiqMGlmJHvAvKCpz1KyDiazznNkmnFgXYxk48x5VAROrmTRNrSQROhRd2aREUOYtVudxYBRc+sWeDr0rd5ZT3pWlwp3YV9pyjJc0QQa43jREIe3D2rE1FVMdEJMo1NRZetaSb4/bo8Q2n5piaGppS+bwFn7RkcKZPAxy0JzmrYCV7wfjU8kTeX1JRFPuNsIwuaimAtv3hQ5sSmBUsX2Ot8zdVJXZaZc1vp6JeY4AW8BGFNnOuWBX5dElfkrmf1MxXpc6qT6jowJ/PdaMD2EMzD9rUz3tpTEZgEr1QwAzuiurA7lZp4B8vaIJeRhi8x7Y8BvWXz97d8j6Jxfnjkcgg9ub0Db4Qm2plhGn4LcCwaWEAcmvFs0MC5WBXDfKB/LCglshUTFBxBAmLkAl0B8pHaoZeIsn/OGoN3iieL16PjriudvjmFTY6l3GOquV/X3+L+mq+swFYpxJjub7cEWGvZwDA0Mvz+5f9WMyoJOuD4Mj+QBe+GgyK/8Ujk0Dqg9AoldN5DOvhqEjcnl80XaxgSNWVv7/cPTTrKBN+pY7A+Cpi0vnGbqIcp1NAelp8RJSnTeYEckokJjKvSFZPPxgdJOMHajBdm56SX/4LHl/ZS5AVaJaaBxnYWbkylJzQ0hcMCoxbvs0WDTAMdo1YqU9E03UG5G+Z2KzcE4+XINWMqfAECehwiJk77fUqMzdb7/UxGr9k71Y7aWlZGP3qJAq8UDa6eZ9jnD2zWirkfdGAo9c341Ul55yrdFufKkL215zPFkhvZaA0+0XvcFk6V2nnpzNgXCklnP1okz8M1jASuX1To+uQ4AzYUAWGJp87lITCm7RzTGvMDe8SMEmWfU2JF7GoErY7nvdmKiyK/lCX2WCrSuW1z4jzFfSYEhYCwTt4uSSrbWjedILt8W9Yt/HFubkHsJh5q1SXnOG9hCy0dXL1ch1oIZXPX0+s+4215m2cYljvq+kwGnYrlYyhXoJzS1VOVyS4mM6mCr9+SyffZxTS5SmEuIh4EEcWKFazsWZxAZXzum5167EQ4pKPGc71jZNN+mksjHKuayTtqZPycNBwzWpx3SGSfLgPjFMMMJCgcYjKCLdxk6g8VHaww8TESxux0XgXwVIHb76KU9OYv/crqZ6Gk/2RPOnImNDjOcaKHTQEyTDwO7P9NPYWl3KqG/pPk4pF0Acq2B4NuQRPzsnJTG0azs4JXCGc6FFYKK2wwl9eOGQy70owL95d/MU37CI6sFKuIxh2fdfsO0cJmAAcsL2RVylMlvbHIq0xggZrkYpfZklSifyGEcVkuiAJa91HEaFvARX6Zt6WJXUdiT4TDdo8xC8Yy8y0zlIEQ83NPK3iPsq7bDkgDff8UJHo0sBuH5Y/7DaX09c3CmavOF/Ca+xdd7hokc4GzaxOWbqtECA6DWoQoJb2VvJiXdk4/kRwJsCZIMXX2HLXdBOkd7PnPv7p5xqsbVfzm2CuVr0Fl9O+mpQ4Ng2oyLrKgEELV/+hh8E1qoBmfxCBMLPrWuNc6Jp7ujamoKTNO7i6M1HsUoll7elhfNq8MqoVD
BK8QXeO0GTF8vxAlJJ0QOJBWxggan80PJrW1c/WHpW1tD+nMZREwh2B4a4O/Kp5NJMnHNmp/pUNv+ppIKi1yJiAOcVEpFfeSNjonFp5JJ/jAsyN15E523ca170kH5MsDtZ+zQn0R82HqPAo0/nLUWsMdVo56pjmlDXscOpHtMYVFFgv9+GgcPeBpA5DZoc3sRzgb0c78Ywbn7GyADmKS7HinbH/IKRxJPkE/AfckVjeVr4yaXuZLyLi/Yzbh+YARpchMeoyTN2VeSiI=,iv:MBDrQGZzl2VS7WqDe+QzTAIXq68KRTSk/8LzaOCd1PE=,tag:WNmxFqsvmjPILaKoBiqIfA==,type:str]
etcd:
peerCAKey: ENC[AES256_GCM,data:hr/Q9UqzA5IKK4o+mxyYQyXjTl1/guRLcjeBBaErxlvtQ0QarNWBMV0SuekCTiv0aGEUiXrY4u/39n6/VdVsxCdCDFDSuEJE5iEklpReKkW0gIvW3wIk98PC8xhNKjwRNnPwgE6TmOi8RSR9jdL9A3VKUXXo4XDkKPWrK6yHOJHKWgGOKX8+TP8HHwGGG6JvcMgOfbLJIvstsB9C17bOHt0KNaPKIpGN3gRkY7rJE/ORIJaOFxQB9WrcmweB2B7K3tlnVyLsY/wZsturZDJtK4CtVPEba7jXlpI4xnr0EANhRxs=,iv:gy8/RAxOxMrzFbPynQw1iDbXYEM4iYXJ+OfvQE9MAfU=,tag:vlnfHLzOm9ztsnaSIbL14w==,type:str]
serverCAKey: ENC[AES256_GCM,data:bn4BLlUSOHBOzjxO7oCmnWY3+yc/+J149QFfHOxrrFFblCkY3MEtXg9ogFsU+CYhZg6HZtOiecbo3V1fTe6dbSdWlUW7mHVoFP75aRuLjeEwX9Crgu/BVce7tcL0nFXvaBfaPngz3irzE2t2Dt+p1rVFWsMa2Ms2Wfzx9ZfVUbD0mOBgKmR+fGCHQBuUk4F9kzXA//J6iuk2VNh0+6YXBfTWCEsBllg8CvLgD9aU3DE7nS/xcbZcbpR3nWp8nQvezA5/cAEVTyuQfUO2u/tnYAoEE7t1Qo4RJrWlY30xTvXdq44=,iv:kXjH9JPjix64b+nWWIF/TBlZH9DsOYGTq5okQB3HKYs=,tag:MYM0xdi8AjaR0I/ZcpELAQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByOVluY3hiZXVNNnlINHRG
K2Fwa0VIWDlETmZwUzNFbkNHZSttNHhUbnlVCjVVdWZHVzJCTkQyS3VlSXA0WFhY
TnR0TEZBQWwzNlVVdVl2K1RnUzE0UG8KLS0tIHhoU0xGM0xJR3ZwbHJNaTlPUHBQ
VzJCQjQ0NG5sbWFLK2phM2lEdlpuMG8Kw8ftkoEbYrA++cJSfUZRthK2cU+iIzNy
oYxlHm5va6JVZ/Sg05mxBB8kWX410/yCW9nH6ZkLrJ5YmpugePzr2g==
-----END AGE ENCRYPTED FILE-----
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bXZMZlVRNWIydFdUcE9T
c0FMN3AvWXUyTUQ4U0VJL3IzcVpXTnVGOTBNCk5rWFlWeVA4b0JRZXY3NHhSbEVp
RlA5cGs0SVg1Rk4xZXBVdWtUcHFURjgKLS0tIHlwTWJQR09DZnBUTWY2NWdFZWZN
RkxTQ1p4VG9sZ0UrWW9ZWnZLNjZtQW8Kax+WCtGOaNYdkmV/Ty2pP9JFgRaHe/Xn
C1o5W2hMBSoLcC14mlokdVKp81dPDQuuxLtDcCgCQU7aOzvWO3CqKg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMkNqQnY2TkZRaUJaTjAz
TUxVSUhyMzRsMm1OYVllM001UmpvL2lNcXhNCkRxQlMxZHBrNlNlNnIrQUY1NHpn
dzNFeGhlbE1wMlBwN3RxWUZyT1kyYUkKLS0tIGhpRGN5WFRCT1I5eGlhdUhWc3FR
WHZKWTlmN2llUndzeEdGV0xDSGZqZ2sKlZ0CGVfCtDdRl2vW7BxVkrBMFOZ5Fdk6
9Z9oqBOde0Mp9FGEwnt+IC79FKIknIyYfMf9tpo9Is85/IvyDHTMwA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIT1VNTTVjcy9rakUwVFBY
UGh6L2l0Q2I1bFlWcG1XYVJiMkhYMnA4YlFzCnRXVmZDWnY4Zi9TK3NCc3huaC9W
dDQ5ek5EY2FQeTVhUWpHVkV3TXhxbncKLS0tIDNKN0hYNjVUdHNaMXYzdUE5Mm85
NSt2OGp4VENRS1pLWHNQVFdhRU9STXMKXfcamWoU/bz39wstSEEuIJZknZpoOPzE
W/kDJ5xytfydUkYqoIiGH7s1JyHyCpqbRplPrjQZCmNDvXtcq3L/uQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZS1hHTTJudnUrQzJDYUh6
ZEhjYTFaeXRwQXRrL3g1b05LaXdWMit6M2t3Ck81NVZyTUE0RVo5ZmdRcUZ0ZTBx
MkdUVDRyZ3Bmd21FZkdzckp3eGp1bmMKLS0tIFk5blFPMUlPdXJ2NThYME8reGxv
cXlZMTMvcFhScVBObXZRQXQ4WkI2d1EKFYLSfJlDx2BlBWUebBOy/PV0gu0KyhY8
WSYL992HR043ENrbmkfbpVHaOZi8imyNKa7FWpLaj/Nuwv/Kfvy7uQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZU9Wb0JLTG1kOWZ1YjJQ
SUh1NWxqS0ZGa0xEOHFUOWpYR3hTM2dQRWdZCklBb25LajV6RnZhOUVKLzJjY3lz
MTYvNmRPTEgrc0dJK0g5N2RkdEt0RUUKLS0tIHdxcFJCaTg4ZE5TQVVKS3k5K3Bo
Q0VudEFzRUFGWlNJcHc0VzZJUVRwbHMKjTMUFFbHhDeP7QLmR64yqDEh4naazL9f
etbOvYUkgj4IaB9UgDerG4MjyyHiVVY9Md8Jqe3dOQN0rqXRxNOW1g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-15T19:11:54Z"
mac: ENC[AES256_GCM,data:OR2ibRtOtUwIuQ27c5PHRzdvKoTGMl4Ll7/hmuIB40amBqs54Cku/SEOqw2kHG31ii3cK5XbyaR6tC8Lvu07tn1iutbU8WjN8Ww+txr0FgdbeTYRIWr9aClAKmR3Ek1Ky2NsA2OaTm02Um6W0xX78Ran04Gjuf8vpaXSRYVsPbA=,iv:w9M3O5DHlm7Jq9vjfxaq34petJtgMeEUHZ0fZKycOjs=,tag:ShLvjfZJV3FARa4An+YfQA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
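Review bot: Every value in this file — the borg passphrase and borgbase private key as well as the six k3s/etcd CA and service private keys — is wrapped for all six age recipients listed under sops.age, so any single recipient can decrypt the whole file. The four recipients that do not appear on the other sops files in this commit are presumably per-host keys; if so, each host can unwrap the cluster CA keys even when it does not run the k3s control plane, and a compromise of one host exposes every other host's secrets. Consider splitting this into per-host files (or per-secret key groups in the creation rules) so a host's age key only unwraps the values that host actually consumes. That also keeps the sops lastmodified/mac metadata per file, which makes re-encrypting one host's material a smaller change than rewriting everything.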


@ -1,42 +0,0 @@
let
pkgs = import <nixpkgs> { };
lib = pkgs.lib;
publicKeyURLs = [
"https://github.com/pizzapim.keys"
"https://github.com/pizzaniels.keys"
];
encryptedFileNames = [
"borg_passphrase.age"
"borgbase.pem.age"
"k3s-server-token.age"
"k3s-ca/server-ca.key.age"
"k3s-ca/client-ca.key.age"
"k3s-ca/request-header-ca.key.age"
"k3s-ca/etcd/peer-ca.key.age"
"k3s-ca/etcd/server-ca.key.age"
"k3s-ca/service.key.age"
];
machinePublicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a jefke"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 atlas"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a lewis"
];
fetchPublicKeys = url:
let
publicKeysFile = builtins.fetchurl { inherit url; };
publicKeysFileContents = lib.strings.fileContents publicKeysFile;
in
lib.strings.splitString "\n" publicKeysFileContents;
adminPublicKeys = lib.flatten (builtins.map fetchPublicKeys publicKeyURLs);
allPublicKeys = lib.flatten [ machinePublicKeys adminPublicKeys ];
publicKeysForEncryptedFileName = encryptedFileName:
{ "${encryptedFileName}".publicKeys = allPublicKeys; };
in
lib.attrsets.mergeAttrsList (builtins.map publicKeysForEncryptedFileName encryptedFileNames)

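--- a/secrets/serverKeys.yaml
+++ b/secrets/serverKeys.yaml
@@ -0,0 +1,33 @@
+atlas: ENC[AES256_GCM,data:TgYf6Jck5L2feQyvyUb2FcLm2M3aSwN0W0xdH6qLU3L4q7LSeB0yB1xAuXX211ZRYo1b2IgC61/40GXhfTKEKoCE76dvu5ocoyA=,iv:11j2XiDoLB+AuXUjC7Ir7R1BDgXLJvoOQq0nFJYHyUU=,tag:2+tfRyFzSrovoQZFxRLLUw==,type:str]
+jefke: ENC[AES256_GCM,data:PH+4rNhATssck8cmKZrhw4VoyHtkqKlRt1wH+BlOvxdhw5GNDsiT4DOf0cveJ090XcOpkAxEf2yqnpIiZhallKVMJS3aFxpNpNw=,iv:QJQZo6x4PE3mNIK8KaQ16BlJeZsdorX683lpf2FjAJk=,tag:rljZMJ/xv7kbkPKP/pqZ9A==,type:str]
+lewis: ENC[AES256_GCM,data:rdm5YMnWkg2MpY2ZGYi11HHGJzY/ssKA5DCv/wbcf8qIXRhRt5heA1un1zCJdYBKlxsVGOuQEtHMKuA/vLYqNnIXxr5NxDxhgIo=,iv:y+fyLns2B/JDuumHIuk4p9PybXf8isd7Ve+1gcX0mp8=,tag:VoAORxiU+6WbhAgkm9lAgQ==,type:str]
+warwick: ENC[AES256_GCM,data:8ABH+BMdKjLaVG1FkLWksJRtIO8Vu/j1USLGaAAFi6KA/o/S2X936doUl3/D6MKz71i8FwEH410K4JcGJXVboY45Dfp2g1/6bog=,iv:pvXBQcWs/dFSEVe807bpQQKI9n0A/IUxSG0Z1Sl00/Y=,tag:l/sTOe6sNJ34Z2UmmBBBNw==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRalF1TGplU28yMWg3OVBo
+aXlRRHBRZGlHWUNaRngyRm15SUR3cDNnOGp3CnZMdFMzTEZSNkdRdUNaQ3EwbGw1
+NXgrUEE3Q0wwS2JjL1MvRzhtSk4wdzQKLS0tIGxISXhScFdEY0Fzdk1tNjR4TFdP
+L3Znck9zbDdTdk9Cclc3aWtaNjVVUTQK0ikUL3NDPpgCvMiT9PElV27zwk66liW6
+udiuDAiyxLT1QcG90mLMF5wQYbbqlNFOtpKD/RyP63YFveRGSmKsxg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQmQzNkRlQ3RseTh3eFZK
+bmFnMCt4ell2QlQyZTZBWnRKcXpMdXA1ZWdrClhYUENHS1V6Q0RBSUZzWW5LSzR6
+SE1lQzJsSUU5ci94UnFJZ0UyWk8vZUkKLS0tIDVjRm11N1R1UksydlM3SG5KZjdv
+eDdFZERVZUJ2QmYvTUlGMlFFNTlna00KLil0QQySKHDAdFxIZAlWvkCRT2v8RNL7
+CWIs/HhjmGk0BEoXIVlmbnAVNATABCCWnUTHFKvvW/8KIDhwgu72Eg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-06-15T19:19:59Z"
+mac: ENC[AES256_GCM,data:Y+aBXyowjQTXgteYLU2j1I5cv9UFU/ylrVy9QQub3NLzBbpW4pb+oI2wVcZI0K40jwSX7xOEjgGOtjdLRGTG8/xHm/yf+R0Wgs7fyIxOzcZv8XBadR6f2jUnAPA74ZDQ9ngwh1xyJteQPLwr+XPuGNlylYn/mj/EcwFs1SCok5A=,iv:/7XR2P/nfEicarsCALXhKIbvzsqUYhg9SgT2Z7P3W20=,tag:+uHRHU+WVfWefjHcH/C4fA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1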
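Review bot: This file holds what are apparently the four hosts' private age identities (entries keyed by hostname, encrypted only to the two admin recipients), which makes those two admin keys the single point of compromise for every host's ability to decrypt nixos.yaml. Nothing in this section records how a host identity is generated, how it reaches the host, or what to do when a host is rebuilt or an admin key is lost; that procedure belongs in the README, since a plain-text comment cannot sit next to these encrypted values. If a host is ever re-keyed, the old ciphertext remains in git history, so the replaced identity and everything it could decrypt should be treated as needing rotation rather than just removal from this file.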


@ -1,54 +0,0 @@
freshrss:
password: ENC[AES256_GCM,data:o1TcbxuSULbatxbBSBt7VZKpT8SlRKfF2UQSnj7eo0nVhgWnXPcJlQ==,iv:qd/asB7gVpLijV3E89Vy7WNG9b531/Tn57uf0mgTMZA=,tag:eQ69xVcYBA931e2bxMp1fA==,type:str]
pihole:
password: ENC[AES256_GCM,data:RkKI/R+mdN0vJRMVKjBJF4y5PKj2J2keg0CsjCiXgZPvFl6jnPqTnQ==,iv:5waAzXb42SHEKAHmEVoIBCkhIJDCunrvaUNg4YI+1xw=,tag:FjGeyZ5G5Cp0imoIbkoBVw==,type:str]
hedgedoc:
databaseURL: ENC[AES256_GCM,data:hFJIu3Jan1XknGDl5v//kpwafIz05gdH9n8S9BduWq18tPhwdl3ZPzGuQpCAmbLmZj9TVnTySmb9hVP2j9XEc8czH8J1Kvi5WyR4l58+DZO6XM44l8ttO/EMmx/d2oO0UNMrG3piVPAbpL5iMMIypw==,iv:85XDeM8VEGi3nDsU6TxJZJt5yH8R9UWUJOf2uebf9gQ=,tag:1N6B/JQnqOOAt9VCkLcIRQ==,type:str]
sessionSecret: ENC[AES256_GCM,data:Qq2FzcIXWbf7FWm0/K1yMl8tmVdNtv3+DGVST3NM2t9N3IJ+Vbz2PKRy3UX2oPJGthIoXChAaWTNU7WGV2zEBA==,iv:aQvXrbUX3ZCpY2OkFDpbl2XHwCDwLwXjiV2Ny4bjoyE=,tag:wPmROgRmWcvilj/W0RANVQ==,type:str]
databasePassword: ENC[AES256_GCM,data:h3xt+libyQVvG51ttyYF6Lhq3QmYptu7Vx7/lZBytw5I8I1/zLMB6g==,iv:DuWMA82HyuupALguemWJmZ0hUA9oPyXB6tTcy3VFGKk=,tag:4ExOslyo8Kjyn7STpjqYAg==,type:str]
nextcloud:
databasePassword: ENC[AES256_GCM,data:9mkwB4uKUlt1E20n7Wxr9PnKc1bxkYVO5Ph/dFfcuGA=,iv:U3IUz+7izoaeQi03xghDM1dZK01ICi3+r6r3mvNh8u0=,tag:aGKQyzZX210SNTRlvoHUig==,type:str]
paperless:
databasePassword: ENC[AES256_GCM,data:K1cBEqSnccLriGWjj5CTkggZbo0=,iv:NFOZvPuzE8vdP2BzHR7iUrvnMRqvbtcwkKAWk4ckEws=,tag:5SL+nnJSuVaceGMCAAf5nQ==,type:str]
secretKey: ENC[AES256_GCM,data:g2tDbmy8SdkYrwrF/pkzmr5cG1A=,iv:Zzg/oUvJfPku66TWf0TgmQRERRegVxtJdFDShxb56ng=,tag:f4LIe74n4m/SlmDOntkLQg==,type:str]
kitchenowl:
jwtSecretKey: ENC[AES256_GCM,data:XAfrvGbfVA1AZJyT0Nq0V0Om+1U=,iv:3kuWHfx5/Wk08z4/rou49s1wSxzisZUP0HLefYk9vXs=,tag:kormdXTJ7u5ar4+VY/IfvQ==,type:str]
forgejo:
lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str]
internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str]
attic:
jwtToken: ENC[AES256_GCM,data:bEf5v8KhIgyKqyjYOzBmJrZ71GagXqOTH+I3J0Iu+Q3X6XUbGxjwW5/RT3AuJAJ+Owp1Uyk26FmEuurYChG13rBWZ0R85MeMBb2sZ/Q22TXeBxRwzq4Izg==,iv:VlIhxGE8I8W+UFyDLnhUxDzf/us95H86V2FLbsKMSGw=,tag:ynz5eNuxkAl35qzcDNzoAw==,type:str]
databaseURL: ENC[AES256_GCM,data:GZcr8hRVIDwhKKwzHygydXAuJpQjKjN95GK+oqb33QgS5HW647+J5wGXxYan9II6iC0N3oSi36cJIkwIjLr9SJhRcjCkdsCZfNrGmT+F9SqUIi8=,iv:HerbEz1oPCE1F1etWHpFkSvulGRU97KPTcrZauIZQNM=,tag:/UXgWvnmCexvxwQONnmATg==,type:str]
databasePassword: ENC[AES256_GCM,data:AZXZyNJ6tGG3OU9CgC+bj43471Q=,iv:DoTSTIMLFi1+U7lvkix+QM8tP1tR0TtxuZRKlBneYek=,tag:+zk8TJRUzk9tNYXGLWIN2w==,type:str]
atuin:
databaseURL: ENC[AES256_GCM,data:sE9zT6iwrsZB42nGd3fQtdIJqW/QE1qqgBtqHRsNfqm1+0Pvhc9VwIP9wchHlL7n030iRE8=,iv:pAXhb+W5FrWZabgULdMtosdvA7KAQJ2D5nqLUzLax9M=,tag:l8C8yj+m8Ic97qbHAsA2vg==,type:str]
databasePassword: ENC[AES256_GCM,data:Xyrn5LYgQ0/XvoHwAqKe9EPQxNk=,iv:wN5msdAPuVxMCkGYKag+Ppj65rQCHHjNwDH17+HTPVs=,tag:M1rjzLsEqJ9qe24RQs+FMA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WFRZQlFnNW1xWHlDNnpi
MG9aZmZMYmF3WjljWXVKcHY1dml1bzdQQVFNCi9uRCtCS2tSRTBnRzJ1ZE1EM0d4
NjNzR0ZkZ2dCZFlHMzlGZ2NEbzRidnMKLS0tIFBUbjdwdy9TaU8vaVA5bEFIbnU3
clE1YnhsNlBrby9tRHNSN2V6c05hdXMKU5Ta/hfdIh3GiDfwVhP96cU64P04S0I1
VdKYSeKVAI3h95E5yxWGX9O0p1GYCS4aQpMGsG+hat6BozYTVRdzxw==
-----END AGE ENCRYPTED FILE-----
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZER2ckh2SGRheUxRcmlJ
cTA0UmtwMHlUMFBGODcxTzJsZjhNU2hVbVRZCnlpWXAzTWdFQ01RL1AzYmRJSC9U
MTZMVzRnM1UwVnpyajhJUWpVRDhOZ00KLS0tIDdGRW5LekZnL3V4OFhzb0M1K1JO
cHJRZWpDdWZlSnh3Qm1GZ28vZ0p0ZjAK7+BS6YQ2cUD21XCISBeNLSUNgNFQfSKI
zL/AAqsVoBTrEs7s9fxmWmVm21/M3ZTYfU6Z6gIr6YEWe1pehRd6ZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-12T20:30:18Z"
mac: ENC[AES256_GCM,data:isinf4VigAI6UMTbaTxD/OxQSftK+EC5sJ4Kx8S1yOAmi1RPaKwpHLlrTq4Ah1beF91Q6BonObYyx3viJ0wq0KWnL+U064RBmFiQlHR7XeIzGv/YJA1jrqWI0VKMpG8cQkHtQf1LI1HsHI3SUw53reHAMX+5m+YkIz+mRNYWxoE=,iv:gCG0Ww2Fm/C4HOKYUqTCm9plt+DscWQWwvnpMAg614Q=,tag:a6s1pl5voaONf507XpGZbQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1