diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index f0bd4f3..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-secrets.nix filter=git-crypt diff=git-crypt
diff --git a/nixos/machines/pennyworth/hetznercloud.nix b/nixos/machines/pennyworth/hetznercloud.nix
index be46f96..af776ca 100644
--- a/nixos/machines/pennyworth/hetznercloud.nix
+++ b/nixos/machines/pennyworth/hetznercloud.nix
@@ -1,6 +1,5 @@
 { config, lib, pkgs, modulesPath, ... }:
-let ipconf = (import ../../secrets.nix).ipconf.${config.networking.hostName};
-in {
+{
 imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 boot.kernelPackages = pkgs.linuxPackages_latest;
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index f0e41a9..af1e4f0 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -1,5 +1,4 @@
-let secrets = import ../secrets.nix;
-in { config, pkgs, lib, name, inputs, ... }:
+{ config, pkgs, lib, name, inputs, ... }:
 let machine = name;
 vpn = import ../vpn.nix;
@@ -14,6 +13,10 @@ in {
 ../modules/muflax-blog.nix
 ../services
 ];
+age.secrets = {
+root-user-pass.file = ../../secrets/root-user-pass.age;
+yorick-user-pass.file = ../../secrets/yorick-user-pass.age;
+};
 nix.nixPath = [];# "nixpkgs=${pkgs.path}" ];
 nix.registry.nixpkgs.flake = inputs.nixpkgs;
@@ -26,7 +29,7 @@ in {
 openssh.authorizedKeys.keys = config.users.users.yorick.openssh.authorizedKeys.keys;
 # root password is useful from console, ssh has password logins disabled
-hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+passwordFile = config.age.secrets.root-user-pass.path; # TODO: generate own
 };
 services.timesyncd.enable = true;
@@ -36,7 +39,7 @@ in {
 extraGroups = [ "wheel" ];
 group = "users";
 openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick;
-hashedPassword = secrets.yorick_hashedPassword;
+passwordFile = config.age.secrets.yorick-user-pass.path;
 createHome = true;
 };
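Review bot: The removed `ipconf` binding may still be referenced further down in hetznercloud.nix, which lies outside this hunk; the hunk shows only lines 1–6, and if the networking configuration below still uses `ipconf`, evaluation fails with an undefined-variable error. If the per-host IP configuration is still needed, it should come from a non-secret attribute set or from an age secret declared in this file, since nixos/secrets.nix is deleted in this commit. Confirm the host still evaluates (`nix flake check` or a build of the host) before merging.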
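Review bot: `age.secrets` is set in the hunk at line 14/13, but the agenix NixOS module is not among the visible `imports` (`../modules/muflax-blog.nix`, `../services`); unless it is imported elsewhere, for example in the flake's module list, the option does not exist and evaluation fails. Importing it next to the other modules, e.g. `inputs.agenix.nixosModules.default` (or whichever attribute the pinned agenix release exposes), keeps the dependency local to the file that uses it. The secrets are declared without `owner`/`mode`, so agenix's root-only defaults apply, which is appropriate for password files read at activation.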
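Review bot: `passwordFile` in the hunk at line 26/29 requires the file to contain the already-hashed password (a crypt(3) string as accepted by `chpasswd -e`), not a plaintext one; the name `root-user-pass` does not say which it holds, so confirm the decrypted content is a hash, because a plaintext value would not work as a login password. The same applies to `yorick-user-pass` in the hunk at line 36/39. If the age files merely re-wrap the hashes that previously lived in git-crypt-protected nixos/secrets.nix, those values remain recoverable from history by anyone holding the old git-crypt key, so rotating both passwords as part of this migration would also resolve the `# TODO: generate own` comment. On recent NixOS the option is named `hashedPasswordFile`, with `passwordFile` kept as a deprecated alias; prefer the new name if the pinned nixpkgs supports it.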
diff --git a/nixos/secrets.nix b/nixos/secrets.nix
deleted file mode 100644
index 0fa5e74..0000000
Binary files a/nixos/secrets.nix and /dev/null differ
diff --git a/nixos/services/email.nix b/nixos/services/email.nix
index a153f1a..e41a1dd 100644
--- a/nixos/services/email.nix
+++ b/nixos/services/email.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, inputs, ... }: {
 imports = [ inputs.nixos-mailserver.nixosModule ];
+age.secrets.yorick-mail-pass.file = ../../secrets/yorick-mail-pass.age;
 mailserver = rec {
 enable = true;
@@ -8,7 +9,7 @@
 domains = [ "yori.cc" "yorickvanpelt.nl" ];
 loginAccounts = {
 "yorick@yori.cc" = {
-hashedPassword = (import ../secrets.nix).yorick_mailPassword;
+hashedPasswordFile = config.age.secrets.yorick-mail-pass.path;
 catchAll = domains;
 aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
 };
diff --git a/secrets/root-user-pass.age b/secrets/root-user-pass.age
new file mode 100644
index 0000000..721f40f
--- /dev/null
+++ b/secrets/root-user-pass.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> X25519 gPpu3IUM4XCFLGCw0g01q4SLCR8Y06X0RUKcxw3qCWY
+tif176GtYNaHhKRTcA/5mWJtagrXnKjB+aWB3RhkDy4
+-> ssh-ed25519 4Ui0LA Z8AR/i/rCXoHsgCcA+qJ7OUCIljG9u9s1AvHeosCziI
+l/kblqmAyuZuofz2csDaLIOjsc9qGDZW4zbC54lgJnE
+-> ssh-ed25519 ZzuO9Q Ae1zb6275GCkj2y3eZDO/R35OaH/AYGpZN9jY7BCT2o
+ULdKtq4v4H7C3/h1/GN1ZobLtgiXnepjIRUk/AeQD04
+-> ssh-ed25519 n7yA6g BRIx6Nvp9S6XLKWOok4UM06LxFSP9aSXDtfyECncYGY
+lL0sEX9hQ3spt12KA5ubQu1zzbaMrY1XqlWPfB2Sv+s
+-> ssh-ed25519 dY0yIg oG+tsYKk9TrcMzy0P1571mvS8J8UspfutBo7int0uF0
+suWCupM+FkKeKVDRd3ptHybUAVqnYMwXch4C0pwCYak
+-> ssh-ed25519 6AxuSw oWDbYV22o2ygCa5k7KgweCOiPCpAITlz7+1x3nNmwno
+TDFCdFLEGtyCEJBZnEniwbDQeEr/Vk+MjwYuILFO/OY
+-> pdIe+-grease s7,&$< 8t"N$R! &y~Q( ?
+GM8wkE42tIdCNDsc7pnPVhVnXqckaAQE5jF8qM2zug
+--- 4mXrKFGwxnRIfetWC8pOPEiQEOImCfD2/Mox+Mz7OkU
+AöÛER¸Ù8è½`Ó«¼0{<¢D÷»4³nÈ«ß6uí+Â?!ÉŒŠörQî^} ¨ª‡õ AbÝ<©s•A‚èªäz¸+yÖÁj¹ÕAIæ†q|ìÁšë‚û×Xå—#úËuV6cOm]ô_M]ªœê•h”ªÌ?…,
\ No newline at end of file
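Review bot: `hashedPasswordFile` in the hunk at line 8/9 points at an agenix secret declared with default ownership, i.e. readable only by root; whether that suffices depends on which process nixos-mailserver reads the file from, so confirm it is consumed by a root-run activation or setup step and otherwise set `age.secrets.yorick-mail-pass.owner`/`.group` (or `.mode`) for the service account. The file must hold the hash in the scheme Dovecot expects, the same format the previous `hashedPassword` string used, and the option name should be checked against the pinned nixos-mailserver release. If the age file simply re-wraps the value from the git-crypt-era nixos/secrets.nix, rotating the mailbox password would be prudent, since that history stays readable with the old git-crypt key. The secret itself is declared in the hunk at line 1/1 of this file.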
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b81407f..82e5c59 100644
Binary files a/secrets/secrets.nix and b/secrets/secrets.nix differ
diff --git a/secrets/yorick-mail-pass.age b/secrets/yorick-mail-pass.age
new file mode 100644
index 0000000..90a358a
Binary files /dev/null and b/secrets/yorick-mail-pass.age differ
diff --git a/secrets/yorick-user-pass.age b/secrets/yorick-user-pass.age
new file mode 100644
index 0000000..ebba97c
--- /dev/null
+++ b/secrets/yorick-user-pass.age
@@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> X25519 igjeVk7K5wMss9d8iN2VMGKzfyA8YGbw/ivdRre+mlc
+PyTIOfIsw/lMTWE7boTfhcU3ptMyc/YEMNC4gc9VXwc
+-> ssh-ed25519 4Ui0LA tAap3xK2PMYD/l63tSCr8RAuMgEhn27ttvLD6rOwLhk
+3KHv27a82wBlFkBxjGpoRnSl6AlAVp3l5aigHLzYFv8
+-> ssh-ed25519 ZzuO9Q P3oDE31Cr5ql9D1qQIL8uJfPVz8Z34nI1WRR+r3eSFs
+a+vYQu6gia+k5MsVBVhfAXNdK/Pt4IxKmL+sTamq0Ls
+-> ssh-ed25519 n7yA6g HdhF4DdyYUxRRzRBiafAiDal6WrP7DKlzg3t2IaL8z4
+6GacnfLEbzlea8kreVbuLT+Tb14gNWhcp1mY6RUvkM4
+-> ssh-ed25519 dY0yIg 6/yte4riBsTStcfe6dC/rsHDDt9FkYo3dGDXfNTN6mc
+243hlNW1NMytmUaqIdFxKVbGCE9OE+Z52xmXAY7Gw+c
+-> ssh-ed25519 6AxuSw sgXEUYw26qprK1UqqmSSCH3d6wSTx36tXchnvHyKsQs
+kBr7+RpIvcpiLcdu+dev9JIud5fR20TEKH+DsTh+wgY
+-> esWzRZ6-grease ?.lfCo <`o0)Ty Z]mJ
+SvD8QrEVlF4Npprb6An3L0QBUOqb8RACypF4EcYFweoHY6JG2Y+aDnl3ua0t+0Ax
+wFFo3nOCoyXiXckyo/53PNl+jp7JwS3BqHowihtn3TO9ZcLHch9vIbQVpTAezw
+--- XRCsY00QWQn6g6+wP1QSL8in7DIaks72mgA3awvmPEc
+¸mntÊ1¨ÒÌD±*_÷Ò, /¢Ã+”Ï«âÜ—t8Åq¯lÝ3˜zïg I3¼¯WD$uaòŒ’GIR0b ºu<ÒßwJ‚]±«²¨m‘»ó°Ærÿ ¹oCbݳ蘬iMפf  (Ô~Ä@Nêð)&·íö‡ŸwÛ¯gç3XN
\ No newline at end of file