Replace agenix with sops-nix
parent
bb1f091fbb
commit
726beabb9c
33 changed files with 296 additions and 332 deletions
23
.sops.yaml
|
@ -1,2 +1,23 @@
|
|||
keys:
|
||||
- &admin_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||
- &admin_niels age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
|
||||
- &server_atlas age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf
|
||||
- &server_jefke age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02
|
||||
- &server_lewis age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
|
||||
- &server_warwick age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
|
||||
|
||||
creation_rules:
|
||||
- age: "age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw,age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga"
|
||||
- path_regex: secrets/(kubernetes|serverKeys).yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *admin_pim
|
||||
- *admin_niels
|
||||
- path_regex: secrets/nixos.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *admin_pim
|
||||
- *admin_niels
|
||||
- *server_atlas
|
||||
- *server_jefke
|
||||
- *server_lewis
|
||||
- *server_warwick
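Review bot: The `secrets/nixos.yaml` rule lists all four server keys as recipients, so any single host can decrypt every entry in that file, including the k3s CA keys and the Borg credentials that the file added later in this commit contains. Splitting the file per role or per host, each with its own `path_regex` rule, would limit what one compromised machine exposes. The patterns also leave the dot unescaped, so `secrets/nixos.yaml$` matches more names than intended; `secrets/nixos\.yaml$` is tighter. Indentation is not visible in this rendering, so the nesting under `key_groups` could not be checked.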
|
||||
|
|
|
@ -6,12 +6,12 @@ Nix definitions to configure our servers at home.
|
|||
|
||||
- [deploy-rs](https://github.com/serokell/deploy-rs): NixOS deploy tool with rollback functionality
|
||||
- [disko](https://github.com/nix-community/disko): declarative disk partitioning
|
||||
- [agenix](https://github.com/ryantm/agenix): deployment of encrypted secrets to NixOS machines
|
||||
- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones
|
||||
- [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes
|
||||
- [nixos-hardware](https://github.com/NixOS/nixos-hardware): Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
|
||||
- [kubenix](https://kubenix.org/): declare and deploy Kubernetes resources using Nix
|
||||
- [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts
|
||||
- [sops-nix](https://github.com/Mic92/sops-nix): Sops secret management for Nix
|
||||
|
||||
## Installation
|
||||
|
||||
|
|
|
@ -3,13 +3,12 @@
|
|||
"${self}/nixos-modules"
|
||||
machine.nixosModule
|
||||
inputs.disko.nixosModules.disko
|
||||
inputs.agenix.nixosModules.default
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
] ++ lib.lists.optional (machine.isRaspberryPi) inputs.nixos-hardware.nixosModules.raspberry-pi-4;
|
||||
|
||||
config = {
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkIf (! machine.isRaspberryPi) config.hardware.enableRedistributableFirmware;
|
||||
age.identityPaths = [ "/etc/age_ed25519" ];
|
||||
|
||||
nixpkgs = {
|
||||
config.allowUnfree = true;
|
||||
|
@ -129,5 +128,10 @@
|
|||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
sops = {
|
||||
age.keyFile = "/root/.config/sops/age/keys.txt";
|
||||
defaultSopsFile = ./secrets/nixos.yaml;
|
||||
};
|
||||
};
|
||||
}
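Review bot: `age.keyFile = "/root/.config/sops/age/keys.txt";` in the last hunk depends on a file that only the bootstrap script places there through `nixos-anywhere --extra-files`, and nothing in this module says so. A comment such as `# Provisioned by bootstrap.sh; must exist before activation or no secret can be decrypted` would document the coupling. Hosts installed while the identity was still `/etc/age_ed25519` presumably need the new key copied by hand before their first deploy of this commit, which is worth stating in the commit message or README.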
|
||||
|
|
|
@ -34,13 +34,14 @@ cleanup() {
|
|||
trap cleanup EXIT
|
||||
|
||||
# Create directory where age key will go.
|
||||
# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system.
|
||||
mkdir "$temp/etc"
|
||||
# Nixos-anywhere creates a kind of overlay and retains this structure on the final file system.
|
||||
mkdir -p "$temp/root/.config/sops/age"
|
||||
|
||||
secret-tool lookup age-identity "$servername" > "$temp/etc/age_ed25519"
|
||||
# Extract and copy server's age key.
|
||||
sops -d --extract "[\"${servername}\"]" secrets/serverKeys.yaml > "$temp/root/.config/sops/age/keys.txt"
|
||||
|
||||
# Set the correct permissions
|
||||
chmod 600 "$temp/etc/age_ed25519"
|
||||
chmod 600 "$temp/root/.config/sops/age/keys.txt"
|
||||
|
||||
# Install NixOS to the host system with our age identity
|
||||
nixos-anywhere --extra-files "$temp" --flake ".#${servername}" "root@${hostname}"
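Review bot: The decrypted age key is written under the caller's umask and only tightened afterwards by `chmod 600`, and the directories made by `mkdir -p "$temp/root/.config/sops/age"` keep default modes that are presumably carried over to `/root` on the target. Putting `umask 077` before the `mkdir -p` line covers both. The redirect also creates `keys.txt` when `sops -d --extract` fails, so unless `set -e` is active above this hunk (not visible here) the install proceeds with an empty key file; appending `|| exit 1` to the `sops -d` line makes the failure explicit.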
|
||||
|
|
|
@ -16,7 +16,7 @@ in
|
|||
{
|
||||
packages.bootstrap = createScript {
|
||||
name = "bootstrap";
|
||||
runtimeInputs = with pkgs; [ libsecret coreutils nixos-anywhere ];
|
||||
runtimeInputs = with pkgs; [ sops coreutils nixos-anywhere ];
|
||||
scriptPath = ./bootstrap.sh;
|
||||
};
|
||||
|
||||
|
|
146
flake.lock
|
@ -1,28 +1,5 @@
|
|||
{
|
||||
"nodes": {
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"darwin": "darwin",
|
||||
"home-manager": "home-manager",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716561646,
|
||||
"narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"blog-pim": {
|
||||
"inputs": {
|
||||
"flutils": "flutils",
|
||||
|
@ -45,28 +22,6 @@
|
|||
"url": "https://git.kun.is/home/blog-pim"
|
||||
}
|
||||
},
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1700795494,
|
||||
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "lnl7",
|
||||
"ref": "master",
|
||||
"repo": "nix-darwin",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"deploy-rs": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
|
@ -177,7 +132,7 @@
|
|||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems_4"
|
||||
"systems": "systems_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
|
@ -195,7 +150,7 @@
|
|||
},
|
||||
"flake-utils_3": {
|
||||
"inputs": {
|
||||
"systems": "systems_6"
|
||||
"systems": "systems_5"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701680307,
|
||||
|
@ -212,7 +167,7 @@
|
|||
},
|
||||
"flake-utils_4": {
|
||||
"inputs": {
|
||||
"systems": "systems_7"
|
||||
"systems": "systems_6"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694529238,
|
||||
|
@ -230,7 +185,7 @@
|
|||
},
|
||||
"flutils": {
|
||||
"inputs": {
|
||||
"systems": "systems_2"
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
|
@ -246,34 +201,13 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"home-manager": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703113217,
|
||||
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"kubenix": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs-unstable"
|
||||
],
|
||||
"systems": "systems_5",
|
||||
"systems": "systems_4",
|
||||
"treefmt": "treefmt"
|
||||
},
|
||||
"locked": {
|
||||
|
@ -398,6 +332,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1717880976,
|
||||
"narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-23.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1717646450,
|
||||
|
@ -438,7 +388,7 @@
|
|||
"nixhelm",
|
||||
"nixpkgs"
|
||||
],
|
||||
"systems": "systems_8",
|
||||
"systems": "systems_7",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
|
@ -457,7 +407,6 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"blog-pim": "blog-pim",
|
||||
"deploy-rs": "deploy-rs",
|
||||
"disko": "disko",
|
||||
|
@ -467,7 +416,29 @@
|
|||
"nixhelm": "nixhelm",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718137936,
|
||||
"narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
|
@ -525,9 +496,8 @@
|
|||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
"id": "systems",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"systems_5": {
|
||||
|
@ -540,8 +510,9 @@
|
|||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "systems",
|
||||
"type": "indirect"
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_6": {
|
||||
|
@ -560,21 +531,6 @@
|
|||
}
|
||||
},
|
||||
"systems_7": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_8": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
|
@ -633,7 +589,7 @@
|
|||
},
|
||||
"utils": {
|
||||
"inputs": {
|
||||
"systems": "systems_3"
|
||||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701680307,
|
||||
|
|
11
flake.nix
|
@ -7,16 +7,12 @@
|
|||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
|
||||
disko = {
|
||||
url = "github:nix-community/disko";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
agenix = {
|
||||
url = "github:ryantm/agenix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
dns = {
|
||||
url = "github:kirelagin/dns.nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -36,6 +32,11 @@
|
|||
url = "github:pizzapim/kubenix";
|
||||
inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||
};
|
||||
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs =
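Review bot: The new `sops-nix` input follows our `nixpkgs` but leaves its second nixpkgs input alone, which is why flake.lock gains a separate `nixpkgs-stable` node tracking `release-23.11`. Adding `inputs.nixpkgs-stable.follows = "nixpkgs";` inside the `sops-nix` block removes that extra pinned tree from the lock file, leaving one fewer source to fetch and audit.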
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
kubernetes.resources =
|
||||
let
|
||||
atticSettings = {
|
||||
database.url = "ref+sops://secrets/sops.yaml#attic/databaseURL";
|
||||
database.url = "ref+sops://secrets/kubernetes.yaml#attic/databaseURL";
|
||||
|
||||
storage = {
|
||||
type = "local";
|
||||
|
@ -38,13 +38,13 @@
|
|||
in
|
||||
{
|
||||
configMaps = {
|
||||
attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/sops.yaml#attic/jwtToken";
|
||||
attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/kubernetes.yaml#attic/jwtToken";
|
||||
attic-config.data.config = builtins.readFile generatedConfig;
|
||||
|
||||
attic-db-env.data = {
|
||||
POSTGRES_DB = "attic";
|
||||
POSTGRES_USER = "attic";
|
||||
POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/attic/databasePassword";
|
||||
POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/attic/databasePassword";
|
||||
PGDATA = "/pgdata/data";
|
||||
};
|
||||
};
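Review bot: `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64` and `POSTGRES_PASSWORD` are still placed under `configMaps`, so once the `ref+sops://` references are resolved the plaintext ends up in ConfigMap objects, which do not get the RBAC separation or encryption-at-rest handling that Secret objects can have. Moving them to `secrets.<name>.stringData`, as the atuin and freshrss modules in this commit do, would be consistent. The same applies to `hedgedoc-db-env`, `nextcloud-db-env` and `paperless-db-env` in the later sections. The `#attic/databaseURL` and `#attic/jwtToken` fragments also lack the leading slash that the other references use; making them uniform avoids relying on both forms being accepted.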
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
kubernetes.resources = {
|
||||
secrets.atuin.stringData = {
|
||||
databasePassword = "ref+sops://secrets/sops.yaml#/atuin/databasePassword";
|
||||
databaseURL = "ref+sops://secrets/sops.yaml#/atuin/databaseURL";
|
||||
databasePassword = "ref+sops://secrets/kubernetes.yaml#/atuin/databasePassword";
|
||||
databaseURL = "ref+sops://secrets/kubernetes.yaml#/atuin/databaseURL";
|
||||
};
|
||||
|
||||
deployments.atuin = {
|
||||
|
|
|
@ -31,7 +31,7 @@
|
|||
SSH_PORT = 56287;
|
||||
SSH_LISTEN_PORT = 22;
|
||||
LFS_START_SERVER = true;
|
||||
LFS_JWT_SECRET = "ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret";
|
||||
LFS_JWT_SECRET = "ref+sops://secrets/kubernetes.yaml#/forgejo/lfsJwtSecret";
|
||||
OFFLINE_MODE = false;
|
||||
};
|
||||
|
||||
|
@ -77,7 +77,7 @@
|
|||
SECRET_KEY = "";
|
||||
REVERSE_PROXY_LIMIT = 1;
|
||||
REVERSE_PROXY_TRUSTED_PROXIES = "*";
|
||||
INTERNAL_TOKEN = "ref+sops://secrets/sops.yaml#/forgejo/internalToken";
|
||||
INTERNAL_TOKEN = "ref+sops://secrets/kubernetes.yaml#/forgejo/internalToken";
|
||||
PASSWORD_HASH_ALGO = "pbkdf2";
|
||||
};
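Review bot: `SECRET_KEY = "";` remains a literal empty string two lines above the `INTERNAL_TOKEN` that is now read from `secrets/kubernetes.yaml`. Upstream Gitea has historically substituted a fixed built-in key when this setting is empty; whether this Forgejo version does the same should be confirmed. If it does, the value should be generated once and referenced like its neighbours, e.g. `SECRET_KEY = "ref+sops://secrets/kubernetes.yaml#/forgejo/secretKey";` (the `secretKey` entry is a constructed name and would have to be added to the sops file). The surrounding settings block starts outside this hunk.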
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
PUBLISHED_PORT = "443";
|
||||
};
|
||||
|
||||
secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/sops.yaml#/freshrss/password";
|
||||
secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/kubernetes.yaml#/freshrss/password";
|
||||
|
||||
deployments.freshrss = {
|
||||
metadata.labels.app = "freshrss";
|
||||
|
|
|
@ -18,14 +18,14 @@
|
|||
hedgedoc-db-env.data = {
|
||||
POSTGRES_DB = "hedgedoc";
|
||||
POSTGRES_USER = "hedgedoc";
|
||||
POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/hedgedoc/databasePassword";
|
||||
POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databasePassword";
|
||||
PGDATA = "/pgdata/data";
|
||||
};
|
||||
};
|
||||
|
||||
secrets.hedgedoc.stringData = {
|
||||
databaseURL = "ref+sops://secrets/sops.yaml#/hedgedoc/databaseURL";
|
||||
sessionSecret = "ref+sops://secrets/sops.yaml#/hedgedoc/sessionSecret";
|
||||
databaseURL = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databaseURL";
|
||||
sessionSecret = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/sessionSecret";
|
||||
};
|
||||
|
||||
deployments = {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
kubernetes.resources = {
|
||||
secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/sops.yaml#/kitchenowl/jwtSecretKey";
|
||||
secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/kubernetes.yaml#/kitchenowl/jwtSecretKey";
|
||||
|
||||
deployments.kitchenowl = {
|
||||
metadata.labels.app = "kitchenowl";
|
||||
|
|
|
@ -10,12 +10,12 @@
|
|||
nextcloud-db-env.data = {
|
||||
POSTGRES_DB = "nextcloud";
|
||||
POSTGRES_USER = "nextcloud";
|
||||
POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword";
|
||||
POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/nextcloud/databasePassword";
|
||||
PGDATA = "/pgdata/data";
|
||||
};
|
||||
};
|
||||
|
||||
secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword";
|
||||
secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/kubernetes.yaml#/nextcloud/databasePassword";
|
||||
|
||||
deployments = {
|
||||
nextcloud = {
|
||||
|
|
|
@ -20,14 +20,14 @@
|
|||
paperless-db-env.data = {
|
||||
POSTGRES_DB = "paperless";
|
||||
POSTGRES_USER = "paperless";
|
||||
POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/paperless/databasePassword";
|
||||
POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/paperless/databasePassword";
|
||||
PGDATA = "/pgdata/data";
|
||||
};
|
||||
};
|
||||
|
||||
secrets.paperless.stringData = {
|
||||
databasePassword = "ref+sops://secrets/sops.yaml#/paperless/databasePassword";
|
||||
secretKey = "ref+sops://secrets/sops.yaml#/paperless/secretKey";
|
||||
databasePassword = "ref+sops://secrets/kubernetes.yaml#/paperless/databasePassword";
|
||||
secretKey = "ref+sops://secrets/kubernetes.yaml#/paperless/secretKey";
|
||||
};
|
||||
|
||||
deployments = {
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
PIHOLE_DNS_ = "192.168.30.1";
|
||||
};
|
||||
|
||||
secrets.pihole.stringData.webPassword = "ref+sops://secrets/sops.yaml#/pihole/password";
|
||||
secrets.pihole.stringData.webPassword = "ref+sops://secrets/kubernetes.yaml#/pihole/password";
|
||||
|
||||
deployments.pihole = {
|
||||
metadata.labels.app = "pihole";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ self, pkgs, lib, config, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.lab.backups;
|
||||
|
||||
|
@ -19,12 +19,12 @@ let
|
|||
}
|
||||
];
|
||||
|
||||
ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."borgbase.pem".path} -o StrictHostKeychecking=no";
|
||||
ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
|
||||
keep_daily = 7;
|
||||
keep_weekly = 4;
|
||||
keep_monthly = 12;
|
||||
keep_yearly = -1;
|
||||
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg_passphrase".path}";
|
||||
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/borgPassphrase".path}";
|
||||
};
|
||||
};
|
||||
in
|
||||
|
@ -67,7 +67,7 @@ in
|
|||
IOWeight = 100;
|
||||
Restart = "no";
|
||||
LogRateLimitIntervalSec = 0;
|
||||
Environment = "BORG_PASSPHRASE_FILE=${config.age.secrets."borg_passphrase".path}";
|
||||
Environment = "BORG_PASSPHRASE_FILE=${config.sops.secrets."borg/borgPassphrase".path}";
|
||||
};
|
||||
|
||||
script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
|
||||
|
@ -83,9 +83,9 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
age.secrets = {
|
||||
"borg_passphrase".file = "${self}/secrets/borg_passphrase.age";
|
||||
"borgbase.pem".file = "${self}/secrets/borgbase.pem.age";
|
||||
sops.secrets = {
|
||||
"borg/borgPassphrase" = { };
|
||||
"borg/borgbasePrivateKey" = { };
|
||||
};
|
||||
};
|
||||
}
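Review bot: The rewritten `ssh_command` keeps `-o StrictHostKeychecking=no`, so the backup connection accepts whatever host key is presented and the repository endpoint is never authenticated. Since the private key and passphrase are now managed carefully through sops, the transport deserves the same care: pin the provider's published host key with `programs.ssh.knownHosts` and change the option to `-o StrictHostKeyChecking=yes`. The `Environment = "BORG_PASSPHRASE_FILE=..."` line only exposes a path, not the secret, so it is fine as written.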
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ self, inputs, pkgs, lib, config, ... }:
|
||||
{ inputs, pkgs, lib, config, ... }:
|
||||
let cfg = config.lab.k3s;
|
||||
in {
|
||||
options.lab.k3s = {
|
||||
|
@ -56,7 +56,7 @@ in {
|
|||
{
|
||||
enable = true;
|
||||
role = cfg.role;
|
||||
tokenFile = config.age.secrets.k3s-server-token.path;
|
||||
tokenFile = config.sops.secrets."k3s/serverToken".path;
|
||||
extraFlags = lib.mkIf (cfg.role == "server") serverFlags;
|
||||
clusterInit = cfg.clusterInit;
|
||||
serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr;
|
||||
|
@ -101,38 +101,18 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
age.secrets = {
|
||||
k3s-server-token.file = "${self}/secrets/k3s-server-token.age";
|
||||
|
||||
k3s-server-ca-key = lib.mkIf (cfg.role == "server") {
|
||||
file = "${self}/secrets/k3s-ca/server-ca.key.age";
|
||||
path = "/var/lib/rancher/k3s/server/tls/server-ca.key";
|
||||
};
|
||||
|
||||
k3s-client-ca-key = lib.mkIf (cfg.role == "server") {
|
||||
file = "${self}/secrets/k3s-ca/client-ca.key.age";
|
||||
path = "/var/lib/rancher/k3s/server/tls/client-ca.key";
|
||||
};
|
||||
|
||||
k3s-request-header-ca-key = lib.mkIf (cfg.role == "server") {
|
||||
file = "${self}/secrets/k3s-ca/request-header-ca.key.age";
|
||||
path = "/var/lib/rancher/k3s/server/tls/request-header-ca.key";
|
||||
};
|
||||
|
||||
k3s-etcd-peer-ca-key = lib.mkIf (cfg.role == "server") {
|
||||
file = "${self}/secrets/k3s-ca/etcd/peer-ca.key.age";
|
||||
path = "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.key";
|
||||
};
|
||||
|
||||
k3s-etcd-server-ca-key = lib.mkIf (cfg.role == "server") {
|
||||
file = "${self}/secrets/k3s-ca/etcd/server-ca.key.age";
|
||||
path = "/var/lib/rancher/k3s/server/tls/etcd/server-ca.key";
|
||||
};
|
||||
|
||||
k3s-service-key = lib.mkIf (cfg.role == "server") {
|
||||
file = "${self}/secrets/k3s-ca/service.key.age";
|
||||
path = "/var/lib/rancher/k3s/server/tls/service.key";
|
||||
};
|
||||
sops.secrets =
|
||||
let
|
||||
keyPathBase = "/var/lib/rancher/k3s/server/tls";
|
||||
in
|
||||
{
|
||||
"k3s/serverToken" = { };
|
||||
"k3s/keys/clientCAKey".path = "${keyPathBase}/client-ca.key";
|
||||
"k3s/keys/requestHeaderCAKey".path = "${keyPathBase}/request-header-ca.key";
|
||||
"k3s/keys/serverCAKey".path = "${keyPathBase}/server-ca.key";
|
||||
"k3s/keys/serviceKey".path = "${keyPathBase}/service.key";
|
||||
"k3s/keys/etcd/peerCAKey".path = "${keyPathBase}/etcd/peer-ca.key";
|
||||
"k3s/keys/etcd/serverCAKey".path = "${keyPathBase}/etcd/server-ca.key";
|
||||
};
|
||||
};
|
||||
}
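Review bot: The new `sops.secrets` block in the last hunk drops the `lib.mkIf (cfg.role == "server")` guard that every CA and service key had under `age.secrets`, so the six private keys are now declared, and presumably written under `/var/lib/rancher/k3s/server/tls`, on every node that enables this module, agents included. An agent only needs `k3s/serverToken`; giving it the cluster CA keys means one compromised worker can mint cluster credentials. Restoring the guard through a small helper keeps the new layout compact, as sketched below. The enclosing `config` block starts outside this hunk, so any outer condition could not be checked.

```nix
sops.secrets =
  let
    keyPathBase = "/var/lib/rancher/k3s/server/tls";
    # CA and service-account private keys belong on server nodes only.
    serverOnly = path: lib.mkIf (cfg.role == "server") { inherit path; };
  in
  {
    # … unchanged: "k3s/serverToken" = { }; …
    "k3s/keys/clientCAKey" = serverOnly "${keyPathBase}/client-ca.key";
    "k3s/keys/requestHeaderCAKey" = serverOnly "${keyPathBase}/request-header-ca.key";
    "k3s/keys/serverCAKey" = serverOnly "${keyPathBase}/server-ca.key";
    "k3s/keys/serviceKey" = serverOnly "${keyPathBase}/service.key";
    "k3s/keys/etcd/peerCAKey" = serverOnly "${keyPathBase}/etcd/peer-ca.key";
    "k3s/keys/etcd/serverCAKey" = serverOnly "${keyPathBase}/etcd/server-ca.key";
  };
```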
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
To create a secret:
|
||||
|
||||
```bash
|
||||
nix run github:ryantm/agenix# -- -e secret.age
|
||||
``
|
|
@ -1,15 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 UwNSRQ Lr6HfHB1pQVAVESUkR1a1ie8o9cTtCa0LA4y20UvfRU
|
||||
8X+VZUfk2oRrM+A4pZC/6yyexo2Kr8MO7isiXPsnOJk
|
||||
-> ssh-ed25519 JJ7S4A fngT1OkV0pfig7UZ4vA8CWFDWc//xn2KWRsk1+EI0Ac
|
||||
9J+I87tFasCug4rVaXJKNKzxr450YtZUypSTmwf/r7g
|
||||
-> ssh-ed25519 aqswPA I/RtBp+6CgMOPs41nbd8CqBgpgch8ixRGbzacXSDKRE
|
||||
adBD/lskyXK/QU+v/OlQ1wQK7PkhALpdxgHUc1i+jcU
|
||||
-> ssh-ed25519 LAPUww JtDnT4+NqLMBc+LpQSh0eQnSyXzJOHHbaZFNQmxIdC0
|
||||
/DjWq9XUAH3xZvU1PlB7Q70LQ0x9SRMmaSYQ+DyQZEM
|
||||
-> ssh-ed25519 vBZj5g 4YBFh5e32ZHr8byvd4vbZ9zljHO4FTrJGhsZiH//KVw
|
||||
iA+foYHtgt2PjBG9yfBWNLeygiIbW3MsbUQdVWgyrno
|
||||
-> ssh-ed25519 QP0PgA urlidySF5ZG9ILjdPuJPX6V/aDIAYzwBVd+XopDF5UA
|
||||
NL/RxiKPRn+uZW37jJKLOHCaktuvzm0SIwcMmBgF5CY
|
||||
--- aeaUWpBxSTjrcDDQa6Zk2dcdvhsdqs22JlvkduILpqE
|
||||
â噧òQú²à¡)Š„Åçä¿7bt¡íu+Õ<>=¼¯M£ÁlìMúzsÕÚ8ð… aÿ
|
Binary file not shown.
Binary file not shown.
|
@ -1,17 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 UwNSRQ 7VPm9hUzbKELjQBUfKKinUdOAUbNzY2pZp9ihry9sFU
|
||||
ZPkr54gFnXE9b80OKX9NPk4DWmyRTKkcJH0C+6lLJZE
|
||||
-> ssh-ed25519 JJ7S4A 2TVdz1v5NBqCfPD3LzUdQsQ3ubsdJGSHwVKjj7NNpxE
|
||||
uO4sRxj8RVqUQXRDlT0ZI4LxFx9MHaAWMrf9WYOZIas
|
||||
-> ssh-ed25519 aqswPA V+3scofJU1OnxJI9+ryPixGiD3Z1srePETEzUZ4zfAY
|
||||
QoKHxyKr5XXxgJJeoJycShOqHowt/OkaYJOm8nXXeM8
|
||||
-> ssh-ed25519 LAPUww V919z6/H/pC5smjiq1d8/7Q+QvbXcbfRKAfjiBugoSw
|
||||
9urrVRscuLY6cKsfZKBdVcDdpPfex8sDHuEdH/EtujU
|
||||
-> ssh-ed25519 vBZj5g v7Pkzi9F2fc9++OsVfou2j60R2iq1ZfOCr/SfFVIvkQ
|
||||
bknegfUOmc1G8PDcskOCS88OGa60B3t4R2ty7Rdt/mM
|
||||
-> ssh-ed25519 QP0PgA psOkHWvCkdQOpPHYJ/dpDZ/TlZhArARHT9PzsXLV9WU
|
||||
EHfX0VdHJdm/0iqRfkYxmqmSqrwwgb3irBhDZPvjl3M
|
||||
--- ekq08T+kFXk/v4//f8xSvqdumAFxd0jMnzUqMn180hs
|
||||
¬Í‹»ô¬ó‘Ø*€}²`0ÿà"¿,¶[‰Ýv“·buG_pý†\˜ºa—#$gçÞVqüÎöµ3¤/ÍÅò¹PÊ3“nô±û’…øŒÔ@¢÷…¾Bo;CmKp³<70>Α-ñÛ#,¦òÇI2_c”ݲÊ<C2B2>TᇀŽŒ¹Îdéƒ-`çáíç!“úýpƒÆÇ!“}Þ_a³Øe¤"?Tùjºèj<C3A8>Ü©]¶É”"´“Ú&¶"L3~=ùèc8º½C
í,1ܽm B²Üùt
|
||||
+DÎ÷ŽFà\Ã}I>÷"=Þal£Ör
|
||||
C<1F>ø÷ŒUÏ+døÞÀÁvó•
|
|
@ -1,16 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 UwNSRQ W6uEvGJIdlkC0or4dyFcK+ytKeEiwIJB1bebPLTERDA
|
||||
uzMxRth4KMhqsQYhw2tWyqBeQdCbTgbBegHrkcuHI9o
|
||||
-> ssh-ed25519 JJ7S4A bw+MlxnWLuLecMuqMTrJl2TMXyXhqEWCpKFwsPgkgnw
|
||||
zwWm3Fq9Q+mR+9rVaSzVO3i7qgPgWsv25ClCW1c0G8M
|
||||
-> ssh-ed25519 aqswPA ZIgGWu33QpKdUfPtlIHs9BeCurnk6pm+2XLi53RBFwc
|
||||
wN8Qmo9CCqVTa+y6zcYiZYbslgTOtVMUjCCUVT0W7WA
|
||||
-> ssh-ed25519 LAPUww npNhPTPq8kfN2vgouVJZ5NXARHBD02L1CJHmas4ilAI
|
||||
nTpXsq5BgfikRJUglFGjP9GoRIswyHZp6R7KxZhH/uc
|
||||
-> ssh-ed25519 vBZj5g JOUeBxwM5Qcz/YoeYCPM9dmkWp130Ze0E2n8qdsQzzo
|
||||
1SL0HH+u48cDojytjSxRHXKo1sgil7EZYBLpQAOuzPI
|
||||
-> ssh-ed25519 QP0PgA /bQtDDcVg8DzFdgFkEDPzBTD02OYTC2Pe+WuEmP9j2A
|
||||
IRUPa8tityX/FVKJKpcKWMtVvwRzFWueuvBIhlqcSv0
|
||||
--- DltN2dAJoEDuU6Ub6J7BZY84TjZfHGVN9P2SnoHrE7Q
|
||||
Ñq–\þê!j>ƒ ›Ï â3ŒÓ÷ô+Ã4<—Ç
|
||||
¡·7„aÈdb¥†äÑ‚ ®î_ŸÒ.ä±cë(>5ª-þð3ŒjwE¬ô½xHh;µšê,hK*ȼ›Æßmì‚bôÁ*ª¨ª»€]MmÏw½~Îg{ʼn¸û°Œß€ZrVk²fRXðGÆ%Œ‚Õê1^?ƒÃY@1Ú<31>šÇ<ãv°ïZ_`ø›1ÖðscÙ/d½ž‘ÃÍ$óÕ\wR…±ñ}éÈSÓ>ƒ¨Ô7Ë*0«Ý߈d¸é”Â…¥2߯šURô«G~:^X㎋5¬òc8\¹t÷çÌ!ò”ƒ,Óª•Ò
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,15 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 UwNSRQ /B3zuCTP4RhYNPfmErYcFxkL4PrUWs92Q0KGTFTe33g
|
||||
ar6/o3O1AQFYHBbvs7U9wm5JBXG8suk29Ul56uC39Ok
|
||||
-> ssh-ed25519 JJ7S4A hJpjR4TFVOHCASfRosTa0oQSr4Q2HjD54Pv1LLY8u1Y
|
||||
ughx4kBl8IwoEnrpC1Q1P1VZVDxb7BwX32F5JULBz78
|
||||
-> ssh-ed25519 aqswPA Kyen24puaGTH9Qx11QtZrJrpIiRLh3GR89u8DOxHhTQ
|
||||
n+RSyHbWLLA6YxWwtsBkwxZePCGZtd0k1DTlXy0rOt8
|
||||
-> ssh-ed25519 LAPUww 9WvReHxes3jeagSidtztlb06gEKzWbXaSm/wxdcVWGc
|
||||
4hOVE30jlFUjzXZngJMlyOvW4rK6kAFTZgceyw49DsE
|
||||
-> ssh-ed25519 vBZj5g Iy2k/NumAyRy2lgv8NFVd7PW1kAgY/HtUAA0DpbY/Xw
|
||||
jfNr7QiXqTE/jfEOZFEhct7qfKbLYxIAnzPupIfxnnY
|
||||
-> ssh-ed25519 QP0PgA dFlkBqcgmXd7GnpoI1X4ezDDYuqKtSG8VbUB08As2k8
|
||||
+KlOiHi+vi0RntHTbdOWzp2lRWdd4SpTU/4dCs51qBU
|
||||
--- BapxmCnFven9QR0bZDuYWk+lM/2U4AVWQYZsGKRI/W0
|
||||
°ëDÓF¢y{¥Ýjñƒ2Ñö<C391>h4þ<34>ôrŽyʼ9¦Å…²åo‘"VJˆN§ÈÛ3ÓOÍ¡´€a s°ö0ùïÁ
|
54
secrets/kubernetes.yaml
Normal file
|
@ -0,0 +1,54 @@
|
|||
freshrss:
|
||||
password: ENC[AES256_GCM,data:LDLp7cEToWA7zpd5UK+eBUHDaSEtNpFjI7C0LRE+72n0Vu1saPOdSQ==,iv:OEJDcFZwxGJ9vVD1lH7QY5Ue4Kfmx37v9kSEbI0YvRI=,tag:gIyquRc9t+GOOre8MKWxHQ==,type:str]
|
||||
pihole:
|
||||
password: ENC[AES256_GCM,data:yqPpovQKmP7NgUMI3w1p8t7RjbxNsMMHZbsNEaleyLJTqnDzNqONsQ==,iv:i+ys/EZelT4a4Sr0RpDto8udk/9yYC6pzl3FiUZQxrQ=,tag:FlvbMN6fuo+VV50YyuMeGg==,type:str]
|
||||
hedgedoc:
|
||||
databaseURL: ENC[AES256_GCM,data:dmaXh8wnECBOeEtM00Nc6kpVc3NiJbP5gepToAxLrpmpEEH1vs5SdE90Z3+T3qeXrsTQVr/Q6EOocNKMsTe1pcZoEirECk0dwZ3k6s/bUmUJdZgOf0ir6Iy5J8RZYvJz3AnwuFIsIJ79x0+WfEfACQ==,iv:C7D1zY/vu4zc687XA2mwuYEOFtSFDV+/po4tyNw3ks8=,tag:GQGj4TbP7Mcrm+auuaplnw==,type:str]
|
||||
sessionSecret: ENC[AES256_GCM,data:FhYr4rFNHmtk9jUcjM4UthepS/5Z4x7WPAE5lTB94WmHrALbzZl2M3JcmibR6/z1FtAJhCsaPZ7Xeg8nOZtU2g==,iv:7soqcd8A+yNfXEZg0qDjOZgfsUIFHfflxByuf7nZk3Y=,tag:x/rmaXo4nTdA080Zl/0MiQ==,type:str]
|
||||
databasePassword: ENC[AES256_GCM,data:Fv1qeGvXZ93KvdFCCz9t9Dzhe7wKGOfR0lj64lzRM3s48E5FYdrH0w==,iv:cqhIOUKiSSkBpf95Eza9C9l8PX6YmTBpvBAR4+ibgeA=,tag:r8ZvF6l8oNeOt3d5UCA7Ww==,type:str]
|
||||
nextcloud:
|
||||
databasePassword: ENC[AES256_GCM,data:Xz0zUpu/W12Io1LSh5CLvGkq1X6yQErz4kdCdTyNZTw=,iv:OkY1fGzHmmbO9u+e9yNlLjJf8dqQtePTj9ifaDBFJ4g=,tag:S8/z9HJTPCZo43wAB5fWpA==,type:str]
|
||||
paperless:
|
||||
databasePassword: ENC[AES256_GCM,data:eF4+lxuTnvm+NYwZiU1VFp8Y2JQ=,iv:c36Rk2pEkiqXkLngpyZNulObxek+evvfeugYiBYJrBo=,tag:T0uArgOkJYCvCgmdJauhIg==,type:str]
|
||||
secretKey: ENC[AES256_GCM,data:ByJpX/tIyzb4fewUOI9MwFBVHkc=,iv:08GvsSOI1OkckH01nzmsyhGoQYl82vyWIDEjrNUQUgk=,tag:YgVY0C7XmlQYw+Aup5LIPw==,type:str]
|
||||
kitchenowl:
|
||||
jwtSecretKey: ENC[AES256_GCM,data:9TyqeYlfhvhVg4WOn++/wrqguTM=,iv:+EgGaZxeI+npq5VAX7MHRDYQm8uRcKa8+u2wkn/dwr4=,tag:ATIuPdZQwuDQ+R8nVWWWIA==,type:str]
|
||||
forgejo:
|
||||
lfsJwtSecret: ENC[AES256_GCM,data:VWyUDUKZ6km0YPZLejnISBI3wkmOi26CS55NZm+eWbiymGDN9Z9xUQ4FTA==,iv:gGhNGtEEOJnsmq9GMIAImkVOPWMwYq+kDQeWoHVU860=,tag:63z/7PJKI0ePXbJ94radpw==,type:str]
|
||||
internalToken: ENC[AES256_GCM,data:nKLE/Ir8Ewm3GuRzUNZZTShnMMx6avxYu40PvMEti14Be0YmQhJ0IZruRdpktyW1Jj4n5ksXhk+qsO/vEIzQaJmPU1RxN6vsGGk6EBIwMP0kuUNmp25lPefafoJvxoQpXdJvkLy8f8MC,iv:dUki8hCTOF1O5fmwDqZAkaE1OCH3IL/SFPBDSJ/GMiU=,tag:HUpkVqJg53H8uEmHFqJ7+w==,type:str]
|
||||
attic:
|
||||
jwtToken: ENC[AES256_GCM,data:nAuryLY1xD9ur3qDcsJXPJPLFcPwssPKv+/BoivZ4aO6ec6rmOaYAkSRsBjgANyKhssbn0fhGsdyhMBwdHTXDnnIo67amFdxxSe+jJlGtcBXcekaOfD0Ug==,iv:h+h7CD8oI8u2ItzD/KKM16FKaG2xuVqIKh4r1TGjYtw=,tag:Er141FCK8usfzRRtrawHOw==,type:str]
|
||||
databaseURL: ENC[AES256_GCM,data:F2XyCgXRuebQgvkHGz8DVM2z53sC0/8GzVN6P6iJjrVxB522BJnGlw0YdFBg5K9xMWRhuzxRgDJ+ySfIb8HTtFvlF8Ifx41vFZV1zSpmDMzo4/0=,iv:wp3sg+Y9kgGH5GZZDxAE2CpzDvJeV1mH8mfHRPB17Ys=,tag:IhGRIq/qPT0vSbv/L1ODYg==,type:str]
|
||||
databasePassword: ENC[AES256_GCM,data:Zwv5DKkihOUU/yL1tvbZl1+bPtI=,iv:C+6n6RHo1zTUJ/g0DWCWNxtLbusoYmDHMySsea5Jpz0=,tag:+pyw0WqnX5rMQxSl/48L5A==,type:str]
|
||||
atuin:
|
||||
databaseURL: ENC[AES256_GCM,data:IBmND/J2Pzz+CDCeNBRtErxSQIi8PeUuLGN4rIXKSLwZ6TGJKcNmbuxQDvWkCnI1crx3oak=,iv:wc3G/00oIuaiGF4mA2vIm35wFGxT0a3Ox3k1C9YBAx4=,tag:MQPcsR+vrD85DttYYi6jUw==,type:str]
|
||||
databasePassword: ENC[AES256_GCM,data:qfWOmFfBOuguOfb1Z51F527ic3o=,iv:4Yx5rpzZHzRlfvZydcBNFRStEO0P4uIcjDqxgRgQmHE=,tag:pbJXcUdvul7nCrXQ9ylAdQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYnNhbmtEQlpEYUV6Vklo
|
||||
S1NKZkJ0ZGhOdHA3Y1lmUUUzTzh2Q1IxSUNnClZLdnJtUGNZTVUxZ0ozd1FDT0tL
|
||||
VVhhcVJEaThjNWlUMGlxcG5VOVMwYjQKLS0tIGhJdHBVdnpZNzE0QmdRQzViVGpM
|
||||
UGI4V2U1Ri9md3RHUVpvbFdtQ0NCNDQKl5QEg2FTMz6oTPF5s8pItduVJLPyLben
|
||||
B/7KYQd6blJfM7mhF6eUQ61AWehvtzUhIPf57ZhFjpKj+Vzho4Bumw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ckF3dzArMTBrYnNjZmJo
|
||||
MzV5NDJoNWpEQmo2TXFzUmdQUUlpa1dIblNZCkhGSklTYVdCa1hJOUoyeDUyc29L
|
||||
Q05DVEY4M2QxOThXNTJjcTBWNkRQVHMKLS0tIHdyVS9zR1VzQzdTUXJFSlFObWpT
|
||||
aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP
|
||||
Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-15T18:55:03Z"
|
||||
mac: ENC[AES256_GCM,data:THDaTY91n6nTZoDFzSOL+6m0gi+jthNJsjr8sqDO9dRyuezuMj2cJcmfZQZrhxsXIeyr+yHkCxNuqvhpVkH1k/rfQQXbOLXAfdioJepTqr/6zjMy7lr/AoBgzNlcwicE8YVevO34BNE83QqfN3GfPdDfNlE0sku9k2Eda3W61SU=,iv:VI+7Kvf3p6J3l+XAFaadplNWl6t0Xqxoy5q/1zbvp0A=,tag:JeVv8d1GXxPKfdJZ4nbGRQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
78
secrets/nixos.yaml
Normal file
|
@ -0,0 +1,78 @@
|
|||
borg:
|
||||
borgPassphrase: ENC[AES256_GCM,data:2E2xAc8jXPFigFW1WBh3HT1GNGk=,iv:5V05CIk5XRui7jBJ+taNl1I7tnL4y70CgZqm4ZnvF0E=,tag:MfM0uFHnrmwR+H42JGvYRA==,type:str]
|
||||
borgbasePrivateKey: ENC[AES256_GCM,data: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,iv:SjtP3Wr1Gjou2PyqDQTVYmSY1/Za5P5Cv8/vjVg5JA0=,tag:UiE/oN2PZv7d/ZXeTjHsPg==,type:str]
|
||||
k3s:
|
||||
serverToken: ENC[AES256_GCM,data:1mPpDIldl1sIklhBW8SAUZr8an/+mwgf9sMUHR/4878=,iv:DFmDtZd1P/uVOEcb68d02nAGUHdKG3vqCYr/1OTP5/8=,tag:HhPmAoHTGdWcNKhJ4/BVMA==,type:str]
|
||||
keys:
|
||||
clientCAKey: ENC[AES256_GCM,data:YY7aj/JrsHApgKFUNJuxfjj5VzrArPp4X81csyyQn0ludjodYepGlcP6Ib5sCQFU82IZiVjKjmZM5i+CgoimlHESbbtcl0Na5jHOU9LINLTHbzOiXLYAkZtYEWBAY3cemJWjRAo+yhCZWo5tigGlkTaA9C77tUIsiwjgQNbXub47ldBLJctT9wKVZRnzkrvlqzA2W0OD9+zxIgq3gggiHQ/UT1Fl22NHArsz2/IiivQnpr0yLbM8OLHeeNY6lJHWkGFXFQBSLV//6uZUUpJROjt4on5F8PgtACD0yiRdRhM9ZjU=,iv:7uUgkXMm5K9440lYcDvZubtABiO7LHUU5xGyw+lzKGA=,tag:r+h6siwma6uKAqPgQ2iyBQ==,type:str]
|
||||
requestHeaderCAKey: ENC[AES256_GCM,data:sMh5HsC9ufcZUF0WyVxMM3Q6iOK9wS4jqA8xXWYquFMOMtb0KS3SBVG3lehtO+I+VO+Gc+uX5eMue3bHTS4o4TreUGk4huKJHxfLpEu/4nzYim4lk+CzVGxIze8mC589JUmruAjsqkexeJWAoxvmfdMSi9mCxMk+giHrQktgtI9kZG99cIPfvbOz9GQdmnGpCdxD+030xY4o8tXS/d3AtvhmNFhpUV9IIe0r45UV5mm0gdZpamtCjvnvJsplhFvy1A/M0t4D0ivA5vYjAWUmbF1564fN/ht8GIMRWL3AE7k1ZA8=,iv:WqGFtIbpXsz5p9xdA534qQph6FEv9CZUV2jzSPE62qI=,tag:H7gbGmhr9kekkO+pNHwiaA==,type:str]
|
||||
serverCAKey: ENC[AES256_GCM,data:peD8JY2dx/RBq+YgR2AomIdXj3MNoQKoZ0rUEKQU7DUEkVBWgEcz8tflTMsk9kqfhb0ZIqLYbmTBux161QSbSOZGelv17ZT5CzVIRWSHAVw2SoDkD1m3GhRJS4JcKhVObiaJZ4JAbDsdnk5YdSGgQqq2vzfYvKrXtvZfmq36YvLhbSJkf97Pe1GRVmJx7pP0jd+sz0+iKYwKsnIfYC5QnwK0NtXxIS+G3ewoxh3t9m6OFgLwJ1Xxl6e+Bsh51OEqybwDX2UnhzTsayMJoito5iiUfEpSaNj1jdbwueZA6bLBti4=,iv:wy2mITK5CCqjrjQl+rOo2OPCR5RCpbuME79WYGDROMg=,tag:DFhx2FArTBxDN4BSRM/+NA==,type:str]
|
||||
serviceKey: ENC[AES256_GCM,data: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,iv:MBDrQGZzl2VS7WqDe+QzTAIXq68KRTSk/8LzaOCd1PE=,tag:WNmxFqsvmjPILaKoBiqIfA==,type:str]
|
||||
etcd:
|
||||
peerCAKey: ENC[AES256_GCM,data:hr/Q9UqzA5IKK4o+mxyYQyXjTl1/guRLcjeBBaErxlvtQ0QarNWBMV0SuekCTiv0aGEUiXrY4u/39n6/VdVsxCdCDFDSuEJE5iEklpReKkW0gIvW3wIk98PC8xhNKjwRNnPwgE6TmOi8RSR9jdL9A3VKUXXo4XDkKPWrK6yHOJHKWgGOKX8+TP8HHwGGG6JvcMgOfbLJIvstsB9C17bOHt0KNaPKIpGN3gRkY7rJE/ORIJaOFxQB9WrcmweB2B7K3tlnVyLsY/wZsturZDJtK4CtVPEba7jXlpI4xnr0EANhRxs=,iv:gy8/RAxOxMrzFbPynQw1iDbXYEM4iYXJ+OfvQE9MAfU=,tag:vlnfHLzOm9ztsnaSIbL14w==,type:str]
|
||||
serverCAKey: ENC[AES256_GCM,data:bn4BLlUSOHBOzjxO7oCmnWY3+yc/+J149QFfHOxrrFFblCkY3MEtXg9ogFsU+CYhZg6HZtOiecbo3V1fTe6dbSdWlUW7mHVoFP75aRuLjeEwX9Crgu/BVce7tcL0nFXvaBfaPngz3irzE2t2Dt+p1rVFWsMa2Ms2Wfzx9ZfVUbD0mOBgKmR+fGCHQBuUk4F9kzXA//J6iuk2VNh0+6YXBfTWCEsBllg8CvLgD9aU3DE7nS/xcbZcbpR3nWp8nQvezA5/cAEVTyuQfUO2u/tnYAoEE7t1Qo4RJrWlY30xTvXdq44=,iv:kXjH9JPjix64b+nWWIF/TBlZH9DsOYGTq5okQB3HKYs=,tag:MYM0xdi8AjaR0I/ZcpELAQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByOVluY3hiZXVNNnlINHRG
|
||||
K2Fwa0VIWDlETmZwUzNFbkNHZSttNHhUbnlVCjVVdWZHVzJCTkQyS3VlSXA0WFhY
|
||||
TnR0TEZBQWwzNlVVdVl2K1RnUzE0UG8KLS0tIHhoU0xGM0xJR3ZwbHJNaTlPUHBQ
|
||||
VzJCQjQ0NG5sbWFLK2phM2lEdlpuMG8Kw8ftkoEbYrA++cJSfUZRthK2cU+iIzNy
|
||||
oYxlHm5va6JVZ/Sg05mxBB8kWX410/yCW9nH6ZkLrJ5YmpugePzr2g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bXZMZlVRNWIydFdUcE9T
|
||||
c0FMN3AvWXUyTUQ4U0VJL3IzcVpXTnVGOTBNCk5rWFlWeVA4b0JRZXY3NHhSbEVp
|
||||
RlA5cGs0SVg1Rk4xZXBVdWtUcHFURjgKLS0tIHlwTWJQR09DZnBUTWY2NWdFZWZN
|
||||
RkxTQ1p4VG9sZ0UrWW9ZWnZLNjZtQW8Kax+WCtGOaNYdkmV/Ty2pP9JFgRaHe/Xn
|
||||
C1o5W2hMBSoLcC14mlokdVKp81dPDQuuxLtDcCgCQU7aOzvWO3CqKg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMkNqQnY2TkZRaUJaTjAz
|
||||
TUxVSUhyMzRsMm1OYVllM001UmpvL2lNcXhNCkRxQlMxZHBrNlNlNnIrQUY1NHpn
|
||||
dzNFeGhlbE1wMlBwN3RxWUZyT1kyYUkKLS0tIGhpRGN5WFRCT1I5eGlhdUhWc3FR
|
||||
WHZKWTlmN2llUndzeEdGV0xDSGZqZ2sKlZ0CGVfCtDdRl2vW7BxVkrBMFOZ5Fdk6
|
||||
9Z9oqBOde0Mp9FGEwnt+IC79FKIknIyYfMf9tpo9Is85/IvyDHTMwA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIT1VNTTVjcy9rakUwVFBY
|
||||
UGh6L2l0Q2I1bFlWcG1XYVJiMkhYMnA4YlFzCnRXVmZDWnY4Zi9TK3NCc3huaC9W
|
||||
dDQ5ek5EY2FQeTVhUWpHVkV3TXhxbncKLS0tIDNKN0hYNjVUdHNaMXYzdUE5Mm85
|
||||
NSt2OGp4VENRS1pLWHNQVFdhRU9STXMKXfcamWoU/bz39wstSEEuIJZknZpoOPzE
|
||||
W/kDJ5xytfydUkYqoIiGH7s1JyHyCpqbRplPrjQZCmNDvXtcq3L/uQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZS1hHTTJudnUrQzJDYUh6
|
||||
ZEhjYTFaeXRwQXRrL3g1b05LaXdWMit6M2t3Ck81NVZyTUE0RVo5ZmdRcUZ0ZTBx
|
||||
MkdUVDRyZ3Bmd21FZkdzckp3eGp1bmMKLS0tIFk5blFPMUlPdXJ2NThYME8reGxv
|
||||
cXlZMTMvcFhScVBObXZRQXQ4WkI2d1EKFYLSfJlDx2BlBWUebBOy/PV0gu0KyhY8
|
||||
WSYL992HR043ENrbmkfbpVHaOZi8imyNKa7FWpLaj/Nuwv/Kfvy7uQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZU9Wb0JLTG1kOWZ1YjJQ
|
||||
SUh1NWxqS0ZGa0xEOHFUOWpYR3hTM2dQRWdZCklBb25LajV6RnZhOUVKLzJjY3lz
|
||||
MTYvNmRPTEgrc0dJK0g5N2RkdEt0RUUKLS0tIHdxcFJCaTg4ZE5TQVVKS3k5K3Bo
|
||||
Q0VudEFzRUFGWlNJcHc0VzZJUVRwbHMKjTMUFFbHhDeP7QLmR64yqDEh4naazL9f
|
||||
etbOvYUkgj4IaB9UgDerG4MjyyHiVVY9Md8Jqe3dOQN0rqXRxNOW1g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-15T19:11:54Z"
|
||||
mac: ENC[AES256_GCM,data:OR2ibRtOtUwIuQ27c5PHRzdvKoTGMl4Ll7/hmuIB40amBqs54Cku/SEOqw2kHG31ii3cK5XbyaR6tC8Lvu07tn1iutbU8WjN8Ww+txr0FgdbeTYRIWr9aClAKmR3Ek1Ky2NsA2OaTm02Um6W0xX78Ran04Gjuf8vpaXSRYVsPbA=,iv:w9M3O5DHlm7Jq9vjfxaq34petJtgMeEUHZ0fZKycOjs=,tag:ShLvjfZJV3FARa4An+YfQA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
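Review bot: The recipient list of this file holds both admin keys plus four further recipients, which `.sops.yaml` names as atlas, jefke, lewis and warwick. Any one of those servers can therefore decrypt every value here, including `clientCAKey`, `serverCAKey`, `requestHeaderCAKey`, the etcd `peerCAKey`/`serverCAKey` and the borg credentials. The removed agenix definition listed only jefke, atlas and lewis as machine keys, so warwick appears to gain read access to the k3s CA private keys with this change. If not every host needs the CA keys and the backup keys, split them into their own file with a narrower rule, for example `- path_regex: secrets/k3s-ca.yaml$` with only the admin anchors and the hosts that actually need them under `key_groups`. Which hosts need which secret is not visible on this page, so the exact grouping needs confirming against the NixOS modules that consume them.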
|
|
@ -1,42 +0,0 @@
|
|||
let
|
||||
pkgs = import <nixpkgs> { };
|
||||
lib = pkgs.lib;
|
||||
|
||||
publicKeyURLs = [
|
||||
"https://github.com/pizzapim.keys"
|
||||
"https://github.com/pizzaniels.keys"
|
||||
];
|
||||
|
||||
encryptedFileNames = [
|
||||
"borg_passphrase.age"
|
||||
"borgbase.pem.age"
|
||||
"k3s-server-token.age"
|
||||
"k3s-ca/server-ca.key.age"
|
||||
"k3s-ca/client-ca.key.age"
|
||||
"k3s-ca/request-header-ca.key.age"
|
||||
"k3s-ca/etcd/peer-ca.key.age"
|
||||
"k3s-ca/etcd/server-ca.key.age"
|
||||
"k3s-ca/service.key.age"
|
||||
];
|
||||
|
||||
machinePublicKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a jefke"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 atlas"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a lewis"
|
||||
];
|
||||
|
||||
fetchPublicKeys = url:
|
||||
let
|
||||
publicKeysFile = builtins.fetchurl { inherit url; };
|
||||
publicKeysFileContents = lib.strings.fileContents publicKeysFile;
|
||||
in
|
||||
lib.strings.splitString "\n" publicKeysFileContents;
|
||||
|
||||
adminPublicKeys = lib.flatten (builtins.map fetchPublicKeys publicKeyURLs);
|
||||
|
||||
allPublicKeys = lib.flatten [ machinePublicKeys adminPublicKeys ];
|
||||
|
||||
publicKeysForEncryptedFileName = encryptedFileName:
|
||||
{ "${encryptedFileName}".publicKeys = allPublicKeys; };
|
||||
in
|
||||
lib.attrsets.mergeAttrsList (builtins.map publicKeysForEncryptedFileName encryptedFileNames)
|
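--- a/secrets/serverKeys.yaml
+++ b/secrets/serverKeys.yaml
@@ -0,0 +1,33 @@
+atlas: ENC[AES256_GCM,data:TgYf6Jck5L2feQyvyUb2FcLm2M3aSwN0W0xdH6qLU3L4q7LSeB0yB1xAuXX211ZRYo1b2IgC61/40GXhfTKEKoCE76dvu5ocoyA=,iv:11j2XiDoLB+AuXUjC7Ir7R1BDgXLJvoOQq0nFJYHyUU=,tag:2+tfRyFzSrovoQZFxRLLUw==,type:str]
+jefke: ENC[AES256_GCM,data:PH+4rNhATssck8cmKZrhw4VoyHtkqKlRt1wH+BlOvxdhw5GNDsiT4DOf0cveJ090XcOpkAxEf2yqnpIiZhallKVMJS3aFxpNpNw=,iv:QJQZo6x4PE3mNIK8KaQ16BlJeZsdorX683lpf2FjAJk=,tag:rljZMJ/xv7kbkPKP/pqZ9A==,type:str]
+lewis: ENC[AES256_GCM,data:rdm5YMnWkg2MpY2ZGYi11HHGJzY/ssKA5DCv/wbcf8qIXRhRt5heA1un1zCJdYBKlxsVGOuQEtHMKuA/vLYqNnIXxr5NxDxhgIo=,iv:y+fyLns2B/JDuumHIuk4p9PybXf8isd7Ve+1gcX0mp8=,tag:VoAORxiU+6WbhAgkm9lAgQ==,type:str]
+warwick: ENC[AES256_GCM,data:8ABH+BMdKjLaVG1FkLWksJRtIO8Vu/j1USLGaAAFi6KA/o/S2X936doUl3/D6MKz71i8FwEH410K4JcGJXVboY45Dfp2g1/6bog=,iv:pvXBQcWs/dFSEVe807bpQQKI9n0A/IUxSG0Z1Sl00/Y=,tag:l/sTOe6sNJ34Z2UmmBBBNw==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRalF1TGplU28yMWg3OVBo
+aXlRRHBRZGlHWUNaRngyRm15SUR3cDNnOGp3CnZMdFMzTEZSNkdRdUNaQ3EwbGw1
+NXgrUEE3Q0wwS2JjL1MvRzhtSk4wdzQKLS0tIGxISXhScFdEY0Fzdk1tNjR4TFdP
+L3Znck9zbDdTdk9Cclc3aWtaNjVVUTQK0ikUL3NDPpgCvMiT9PElV27zwk66liW6
+udiuDAiyxLT1QcG90mLMF5wQYbbqlNFOtpKD/RyP63YFveRGSmKsxg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQmQzNkRlQ3RseTh3eFZK
+bmFnMCt4ell2QlQyZTZBWnRKcXpMdXA1ZWdrClhYUENHS1V6Q0RBSUZzWW5LSzR6
+SE1lQzJsSUU5ci94UnFJZ0UyWk8vZUkKLS0tIDVjRm11N1R1UksydlM3SG5KZjdv
+eDdFZERVZUJ2QmYvTUlGMlFFNTlna00KLil0QQySKHDAdFxIZAlWvkCRT2v8RNL7
+CWIs/HhjmGk0BEoXIVlmbnAVNATABCCWnUTHFKvvW/8KIDhwgu72Eg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-06-15T19:19:59Z"
+mac: ENC[AES256_GCM,data:Y+aBXyowjQTXgteYLU2j1I5cv9UFU/ylrVy9QQub3NLzBbpW4pb+oI2wVcZI0K40jwSX7xOEjgGOtjdLRGTG8/xHm/yf+R0Wgs7fyIxOzcZv8XBadR6f2jUnAPA74ZDQ9ngwh1xyJteQPLwr+XPuGNlylYn/mj/EcwFs1SCok5A=,iv:/7XR2P/nfEicarsCALXhKIbvzsqUYhg9SgT2Z7P3W20=,tag:+uHRHU+WVfWefjHcH/C4fA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1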
|
|
@ -1,54 +0,0 @@
|
|||
freshrss:
|
||||
password: ENC[AES256_GCM,data:o1TcbxuSULbatxbBSBt7VZKpT8SlRKfF2UQSnj7eo0nVhgWnXPcJlQ==,iv:qd/asB7gVpLijV3E89Vy7WNG9b531/Tn57uf0mgTMZA=,tag:eQ69xVcYBA931e2bxMp1fA==,type:str]
|
||||
pihole:
|
||||
password: ENC[AES256_GCM,data:RkKI/R+mdN0vJRMVKjBJF4y5PKj2J2keg0CsjCiXgZPvFl6jnPqTnQ==,iv:5waAzXb42SHEKAHmEVoIBCkhIJDCunrvaUNg4YI+1xw=,tag:FjGeyZ5G5Cp0imoIbkoBVw==,type:str]
|
||||
hedgedoc:
|
||||
databaseURL: ENC[AES256_GCM,data:hFJIu3Jan1XknGDl5v//kpwafIz05gdH9n8S9BduWq18tPhwdl3ZPzGuQpCAmbLmZj9TVnTySmb9hVP2j9XEc8czH8J1Kvi5WyR4l58+DZO6XM44l8ttO/EMmx/d2oO0UNMrG3piVPAbpL5iMMIypw==,iv:85XDeM8VEGi3nDsU6TxJZJt5yH8R9UWUJOf2uebf9gQ=,tag:1N6B/JQnqOOAt9VCkLcIRQ==,type:str]
|
||||
sessionSecret: ENC[AES256_GCM,data:Qq2FzcIXWbf7FWm0/K1yMl8tmVdNtv3+DGVST3NM2t9N3IJ+Vbz2PKRy3UX2oPJGthIoXChAaWTNU7WGV2zEBA==,iv:aQvXrbUX3ZCpY2OkFDpbl2XHwCDwLwXjiV2Ny4bjoyE=,tag:wPmROgRmWcvilj/W0RANVQ==,type:str]
|
||||
databasePassword: ENC[AES256_GCM,data:h3xt+libyQVvG51ttyYF6Lhq3QmYptu7Vx7/lZBytw5I8I1/zLMB6g==,iv:DuWMA82HyuupALguemWJmZ0hUA9oPyXB6tTcy3VFGKk=,tag:4ExOslyo8Kjyn7STpjqYAg==,type:str]
|
||||
nextcloud:
|
||||
databasePassword: ENC[AES256_GCM,data:9mkwB4uKUlt1E20n7Wxr9PnKc1bxkYVO5Ph/dFfcuGA=,iv:U3IUz+7izoaeQi03xghDM1dZK01ICi3+r6r3mvNh8u0=,tag:aGKQyzZX210SNTRlvoHUig==,type:str]
|
||||
paperless:
|
||||
databasePassword: ENC[AES256_GCM,data:K1cBEqSnccLriGWjj5CTkggZbo0=,iv:NFOZvPuzE8vdP2BzHR7iUrvnMRqvbtcwkKAWk4ckEws=,tag:5SL+nnJSuVaceGMCAAf5nQ==,type:str]
|
||||
secretKey: ENC[AES256_GCM,data:g2tDbmy8SdkYrwrF/pkzmr5cG1A=,iv:Zzg/oUvJfPku66TWf0TgmQRERRegVxtJdFDShxb56ng=,tag:f4LIe74n4m/SlmDOntkLQg==,type:str]
|
||||
kitchenowl:
|
||||
jwtSecretKey: ENC[AES256_GCM,data:XAfrvGbfVA1AZJyT0Nq0V0Om+1U=,iv:3kuWHfx5/Wk08z4/rou49s1wSxzisZUP0HLefYk9vXs=,tag:kormdXTJ7u5ar4+VY/IfvQ==,type:str]
|
||||
forgejo:
|
||||
lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str]
|
||||
internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str]
|
||||
attic:
|
||||
jwtToken: ENC[AES256_GCM,data:bEf5v8KhIgyKqyjYOzBmJrZ71GagXqOTH+I3J0Iu+Q3X6XUbGxjwW5/RT3AuJAJ+Owp1Uyk26FmEuurYChG13rBWZ0R85MeMBb2sZ/Q22TXeBxRwzq4Izg==,iv:VlIhxGE8I8W+UFyDLnhUxDzf/us95H86V2FLbsKMSGw=,tag:ynz5eNuxkAl35qzcDNzoAw==,type:str]
|
||||
databaseURL: ENC[AES256_GCM,data:GZcr8hRVIDwhKKwzHygydXAuJpQjKjN95GK+oqb33QgS5HW647+J5wGXxYan9II6iC0N3oSi36cJIkwIjLr9SJhRcjCkdsCZfNrGmT+F9SqUIi8=,iv:HerbEz1oPCE1F1etWHpFkSvulGRU97KPTcrZauIZQNM=,tag:/UXgWvnmCexvxwQONnmATg==,type:str]
|
||||
databasePassword: ENC[AES256_GCM,data:AZXZyNJ6tGG3OU9CgC+bj43471Q=,iv:DoTSTIMLFi1+U7lvkix+QM8tP1tR0TtxuZRKlBneYek=,tag:+zk8TJRUzk9tNYXGLWIN2w==,type:str]
|
||||
atuin:
|
||||
databaseURL: ENC[AES256_GCM,data:sE9zT6iwrsZB42nGd3fQtdIJqW/QE1qqgBtqHRsNfqm1+0Pvhc9VwIP9wchHlL7n030iRE8=,iv:pAXhb+W5FrWZabgULdMtosdvA7KAQJ2D5nqLUzLax9M=,tag:l8C8yj+m8Ic97qbHAsA2vg==,type:str]
|
||||
databasePassword: ENC[AES256_GCM,data:Xyrn5LYgQ0/XvoHwAqKe9EPQxNk=,iv:wN5msdAPuVxMCkGYKag+Ppj65rQCHHjNwDH17+HTPVs=,tag:M1rjzLsEqJ9qe24RQs+FMA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WFRZQlFnNW1xWHlDNnpi
|
||||
MG9aZmZMYmF3WjljWXVKcHY1dml1bzdQQVFNCi9uRCtCS2tSRTBnRzJ1ZE1EM0d4
|
||||
NjNzR0ZkZ2dCZFlHMzlGZ2NEbzRidnMKLS0tIFBUbjdwdy9TaU8vaVA5bEFIbnU3
|
||||
clE1YnhsNlBrby9tRHNSN2V6c05hdXMKU5Ta/hfdIh3GiDfwVhP96cU64P04S0I1
|
||||
VdKYSeKVAI3h95E5yxWGX9O0p1GYCS4aQpMGsG+hat6BozYTVRdzxw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZER2ckh2SGRheUxRcmlJ
|
||||
cTA0UmtwMHlUMFBGODcxTzJsZjhNU2hVbVRZCnlpWXAzTWdFQ01RL1AzYmRJSC9U
|
||||
MTZMVzRnM1UwVnpyajhJUWpVRDhOZ00KLS0tIDdGRW5LekZnL3V4OFhzb0M1K1JO
|
||||
cHJRZWpDdWZlSnh3Qm1GZ28vZ0p0ZjAK7+BS6YQ2cUD21XCISBeNLSUNgNFQfSKI
|
||||
zL/AAqsVoBTrEs7s9fxmWmVm21/M3ZTYfU6Z6gIr6YEWe1pehRd6ZQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-12T20:30:18Z"
|
||||
mac: ENC[AES256_GCM,data:isinf4VigAI6UMTbaTxD/OxQSftK+EC5sJ4Kx8S1yOAmi1RPaKwpHLlrTq4Ah1beF91Q6BonObYyx3viJ0wq0KWnL+U064RBmFiQlHR7XeIzGv/YJA1jrqWI0VKMpG8cQkHtQf1LI1HsHI3SUw53reHAMX+5m+YkIz+mRNYWxoE=,iv:gCG0Ww2Fm/C4HOKYUqTCm9plt+DscWQWwvnpMAg614Q=,tag:a6s1pl5voaONf507XpGZbQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|