overhauling secrets: part 1

hosts/servers/alexandria/paperless.nix

@@ -6,7 +6,7 @@
       enable = true;
       dataDir = "/data/paperless/data";
       mediaDir = "/data/paperless/media";
-      passwordFile = config.age.secrets.paperless-pass.path;
+      passwordFile = config.age.secrets.paperless.path;
       port = lib.toInt "${config.ports.paperless}";
       consumptionDirIsPublic = true;
       extraConfig = { PAPERLESS_OCR_LANGUAGE = "eng+por+deu"; };
@@ -20,8 +20,8 @@
     };
   };
 
-  age.secrets.paperless-pass = {
+  age.secrets.paperless = {
-    file = ../../../secrets/paperless-pass.age;
+    file = ../../../secrets/paperless.age;
     owner = "paperless";
     group = "hosted";
   };

hosts/servers/alexandria/security.nix

@@ -1,19 +1,13 @@
 { inputs, config, pkgs, lib, ... }:
 
 {
-  age.secrets.cloudflare-creds = {
-    file = ../../../secrets/cloudflare-creds.age;
-    owner = "nginx";
-    group = "hosted";
-  };
-
   security.acme = {
     acceptTerms = true;
     defaults = {
       email = "baduhai@proton.me";
       dnsResolver = "1.1.1.1:53";
       dnsProvider = "cloudflare";
-      credentialsFile = config.age.secrets.cloudflare-creds.path;
+      credentialsFile = config.age.secrets.cloudflare.path;
     };
     certs."baduhai.me" = { extraDomainNames = [ "*.baduhai.me" ]; };
   };
@@ -22,4 +16,10 @@
     "net.ipv4.ip_forward" = 1;
     "net.ipv6.conf.all.forwarding" = 1;
   };
+
+  age.secrets.cloudflare = {
+    file = ../../../secrets/cloudflare.age;
+    owner = "nginx";
+    group = "hosted";
+  };
 }

secrets/secrets.nix

@@ -1,16 +1,24 @@
 let
-  io =
+  io-user =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcwF1yuWEfYGScNocEbs0AmGxyTIzGc4/IhpU587SJE";
+  io-host =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCIrKJk5zWzWEHvLMPMK8T3PyeBjsCsqzxPN+OrXfhA";
-  rotterdam =
+  io = [ io-user io-host ];
+  rotterdam-user =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL";
+  rotterdam-host =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7zAxgU8LNi5/O5XgoOcLKjbNMmO2S7jAuCI9Nr/V4v";
-  desktops = [ io rotterdam ];
+  rotterdam = [ rotterdam-user rotterdam-host ];
+  desktops = io ++ rotterdam;
 
-  alexandria =
+  alexandria-host =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA";
-  servers = [ alexandria ];
+  alexandria = [ alexandria-host ];
+  servers = alexandria;
 
   all-hosts = desktops ++ servers;
 in {
-  "cloudflare-creds.age".publicKeys = all-hosts;
+  "nextcloud.json.age".publicKeys = all-hosts;
-  "paperless-pass.age".publicKeys = all-hosts;
+  "cloudflare.age".publicKeys = all-hosts;
+  "paperless.age".publicKeys = all-hosts;
 }