From d01f3cb86fcbe678ab96a1ab4fd4c7fc7d6eb74d Mon Sep 17 00:00:00 2001
From: William
Date: Thu, 13 Jul 2023 14:31:43 -0300
Subject: [PATCH] overhauling secrets: part 1
---
 hosts/servers/alexandria/paperless.nix | 6 +++---
 hosts/servers/alexandria/security.nix | 14 +++++++-------
 secrets/secrets.nix | 22 +++++++++++++++-------
 3 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/hosts/servers/alexandria/paperless.nix b/hosts/servers/alexandria/paperless.nix
index 7569e59..756c1ac 100644
--- a/hosts/servers/alexandria/paperless.nix
+++ b/hosts/servers/alexandria/paperless.nix
@@ -6,7 +6,7 @@
 enable = true;
 dataDir = "/data/paperless/data";
 mediaDir = "/data/paperless/media";
- passwordFile = config.age.secrets.paperless-pass.path;
+ passwordFile = config.age.secrets.paperless.path;
 port = lib.toInt "${config.ports.paperless}";
 consumptionDirIsPublic = true;
 extraConfig = { PAPERLESS_OCR_LANGUAGE = "eng+por+deu"; };
@@ -20,8 +20,8 @@
 };
 };
- age.secrets.paperless-pass = {
- file = ../../../secrets/paperless-pass.age;
+ age.secrets.paperless = {
+ file = ../../../secrets/paperless.age;
 owner = "paperless";
 group = "hosted";
 };
diff --git a/hosts/servers/alexandria/security.nix b/hosts/servers/alexandria/security.nix
index d6d1ab2..9c5a4a3 100644
--- a/hosts/servers/alexandria/security.nix
+++ b/hosts/servers/alexandria/security.nix
@@ -1,19 +1,13 @@
 { inputs, config, pkgs, lib, ... }: {
- age.secrets.cloudflare-creds = {
- file = ../../../secrets/cloudflare-creds.age;
- owner = "nginx";
- group = "hosted";
- };
-
 security.acme = {
 acceptTerms = true;
 defaults = {
 email = "baduhai@proton.me";
 dnsResolver = "1.1.1.1:53";
 dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.cloudflare-creds.path;
+ credentialsFile = config.age.secrets.cloudflare.path;
 };
 certs."baduhai.me" = { extraDomainNames = [ "*.baduhai.me" ]; };
 };
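Review bot: `file = ../../../secrets/paperless.age;` in the second paperless.nix hunk points at a file this commit does not provide: the diffstat lists only the three .nix files, so `paperless-pass.age` is not renamed to `paperless.age` here, and the same holds for `../../../secrets/cloudflare.age` in security.nix and for the `"cloudflare.age"`, `"paperless.age"` and `"nextcloud.json.age"` entries in secrets.nix. Unless the .age files are renamed and re-encrypted outside this commit, the configuration references secret files that do not exist, and the existing ciphertexts also need rekeying anyway because secrets.nix now adds `io-user` and `rotterdam-user` as recipients. If that work is deliberately left to a later part, a sentence in the commit message saying so would spare the next reader a failed deploy; otherwise the renamed and rekeyed files belong in this commit.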
@@ -22,4 +16,10 @@
 "net.ipv4.ip_forward" = 1;
 "net.ipv6.conf.all.forwarding" = 1;
 };
+
+ age.secrets.cloudflare = {
+ file = ../../../secrets/cloudflare.age;
+ owner = "nginx";
+ group = "hosted";
+ };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d9a98e2..914a4a3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,16 +1,24 @@
 let
- io =
+ io-user =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcwF1yuWEfYGScNocEbs0AmGxyTIzGc4/IhpU587SJE";
+ io-host =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCIrKJk5zWzWEHvLMPMK8T3PyeBjsCsqzxPN+OrXfhA";
- rotterdam =
+ io = [ io-user io-host ];
+ rotterdam-user =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL";
+ rotterdam-host =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7zAxgU8LNi5/O5XgoOcLKjbNMmO2S7jAuCI9Nr/V4v";
- desktops = [ io rotterdam ];
+ rotterdam = [ rotterdam-user rotterdam-host ];
+ desktops = io ++ rotterdam;
- alexandria =
+ alexandria-host =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA";
- servers = [ alexandria ];
+ alexandria = [ alexandria-host ];
+ servers = alexandria;
 all-hosts = desktops ++ servers;
 in {
- "cloudflare-creds.age".publicKeys = all-hosts;
- "paperless-pass.age".publicKeys = all-hosts;
+ "nextcloud.json.age".publicKeys = all-hosts;
+ "cloudflare.age".publicKeys = all-hosts;
+ "paperless.age".publicKeys = all-hosts;
 }
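Review bot: Every entry in the `in { ... }` block of secrets.nix is encrypted to `all-hosts`, which after this change is all three host keys plus both user keys, so the Cloudflare API credentials and the paperless password, which going by the paths under hosts/servers/alexandria are consumed only on that server, are also decryptable by either desktop's host key. Scoping server secrets to the host that uses them plus the keys needed to edit them limits what a compromised desktop can read: add `admins = [ io-user rotterdam-user ];` to the `let` block, then `"cloudflare.age".publicKeys = servers ++ admins;` and the same for `"paperless.age"`. `"nextcloud.json.age"` has no `age.secrets` consumer anywhere in this commit; presumably a later part adds one, in which case the same scoping applies to it.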