Utilise Agenix for secret management

2025-11-22 11:31:36 +01:00 · 2023-11-01 00:09:25 +01:00
parent 45c6fbcea4
commit 358f84a1d1
6 changed files with 37 additions and 13 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -112,11 +112,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1698250431,
-        "narHash": "sha256-qs2gTeH4wpnWPO6Oi6sOhp2IhG0i0DzcnrJxIY3/CP8=",
+        "lastModified": 1698670511,
+        "narHash": "sha256-jQIu3UhBMPHXzVkHQO1O2gg8SVo5lqAVoC6mOaLQcLQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "09587fbbc6a669f7725613e044c2577dc5d43ab5",
+        "rev": "8e5416b478e465985eec274bc3a018024435c106",
        "type": "github"
      },
      "original": {
@@ -143,11 +143,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1698134075,
-        "narHash": "sha256-foCD+nuKzfh49bIoiCBur4+Fx1nozo+4C/6k8BYk4sg=",
+        "lastModified": 1698611440,
+        "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "8efd5d1e283604f75a808a20e6cde0ef313d07d4",
+        "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
        "type": "github"
      },
      "original": {
--- a/nixos-configurations/server/default.nix
+++ b/nixos-configurations/server/default.nix
@@ -1,4 +1,4 @@
-{ inputs, pkgs, ... }:
+{ inputs, pkgs, config, ... }:

 {
  imports = [
@@ -9,6 +9,8 @@

  nix.settings.trusted-users = [ "thiloho" ];

+  age.secrets.hedgedoc-environment-file.file = ../../secrets/hedgedoc-environment-file.age;
+
  environment.systemPackages = with pkgs; [
    nodejs_20
  ];
@@ -93,7 +95,7 @@
        allowEmailRegister = false;
        email = false;
      };
-      environmentFile = "/var/lib/hedgedoc/hedgedoc.env";
+      environmentFile = config.age.secrets.hedgedoc-environment-file.path;
    };
    postgresql = {
      enable = true;
@@ -147,7 +149,6 @@
  home-manager.users.thiloho = { pkgs, lib, ... }: {
    home = {
      stateVersion = "23.05";
-      packages = [ inputs.agenix.packages."x86_64-linux".default ];
    };
  };
  system.stateVersion = "23.05";
--- a/nixos-configurations/shared.nix
+++ b/nixos-configurations/shared.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ inputs, pkgs, ... }:

 {
  boot = {
@@ -41,5 +41,6 @@
        settings.theme = "ayu_dark";
      };
    };
+    home.packages = [ inputs.agenix.packages."x86_64-linux".default ];
  };
 }
--- a/secrets/discord-bot-token.age
+++ b/secrets/discord-bot-token.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 owVgDA GIWZXYxMprQgnKyf6eHbmdAbm2BQ8qmXcNOCx6xACAM
+KxoFMCq6BqOW0ZL+mPz084AsrJiYwd65TQbT3lm5C7Q
+-> ssh-ed25519 dRl0SQ 0lwzyhATdftLsGB+9yk3MWIjROdVDNiXUZ3zlSGMtXQ
+C1PQpcq6mftSr9nWP7wteHQnK4/jNEzWBDPrVdlYg5Q
+-> H\-grease ika_t} ('9'r F[ z6"b$
+FjkIPhH4Cd1a
+--- ERGBSp2uqfpO5fYXK8QfCmM6MOb2oGJ/PchtAV4INdA
+7<EFBFBD><EFBFBD><1E>扷><3E>q<EFBFBD><02>bk<><6B><EFBFBD>q>$<24><>[<5B><<<+뺣w<0B><><18>rt<72>;u<>_R<08><>(<28><>0za.<2E>ɼ<7F><C9BC><EFBFBD>4f<34>,<2C>y<EFBFBD>kk<6B>7<EFBFBD><37><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><C4BC><EFBFBD>5<EFBFBD>ߋޮW<DEAE>7!
--- a/secrets/hedgedoc-environment-file.age
+++ b/secrets/hedgedoc-environment-file.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 owVgDA DHtVqT+j5nA9m0rjCHkipHlwubKbpJT67M+01uoUwjw
+3wYaa6cLvxMLtOEnplSQKUhG17NJc/okijfjfAjSDoo
+-> ssh-ed25519 dRl0SQ LnEnUGEQcjePdVdnERB77IFCmVXiio1G21/PStdOz38
+kutyH8M+aDP+FbLvspsq253b8CmjMNGf4IjS8Wn3oIM
+-> ,v2y-grease w_I$#z,I
+dUd0PGzi1W34mBbAeuTssZkrTzdLUMDuk/N1OeDNitZkwpphJ999ZSgRRAgU7+nX
+teshu7G0l5dAv8L/1Orso1zFj14DeDGWlQa/MOsFKO1cEntb1SIUHcQBWN0jpICE
+qJ+y
+--- /p24yOUx4CNTSq/1sdYPbFo5/knQeVk37A6fZva0n3c
+<EFBFBD>|J9*<2A>vb<62><7F>hFU@<40><>0<EFBFBD><30><EFBFBD>6<EFBFBD><36>]}j<><6A><EFBFBD><05>[Ǘn<C797>i=5Zi<5A>@<40>V
+<EFBFBD>z<EFBFBD><EFBFBD><EFBFBD>;k<05><17><>Q<EFBFBD>F<>ԗ8<D497><38><EFBFBD><EFBFBD><EFBFBD><11>"<22>Dj<44>dGFs n><3E><>z<EFBFBD><7A>Ē<><C492><EFBFBD>MT<4D><0F><><EFBFBD><EFBFBD><EFBFBD>W<EFBFBD><57><1E>,l<05><16>#<23><><15><>b<EFBFBD>ti#<23><>
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,7 +1,8 @@
 let
-  server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzBBw5pNpuCg1e9cJcQfcxKuTFZ0cleMkEiRZDxE+qQ thiloho@server";
+  server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN82ukcaWQZcihgh+n0h+ihwTafm64SO1wngibOA6Vro root@server";
+  pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkvr+vT7Ik0fjquxb9xQBfVVWJPgrfC+vJZsyG2V+/G thiloho@pc";
 in
 {
-  "hedgedoc-environment-file.age".publicKeys = [ server ];
-  "discord-bot-token.age".publicKeys = [ server ];
+  "hedgedoc-environment-file.age".publicKeys = [ server pc ];
+  "discord-bot-token.age".publicKeys = [ server pc ];
 }