luj/snowfield
1
0
Fork 0
mirror of https://github.com/JulienMalka/snowfield.git synced 2025-07-01 23:27:18 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: move secrets to private repo

Browse source
This commit is contained in:
Luj 2025-06-18 13:57:51 +02:00
parent 5c0182d087
commit 114abc4c0a
20 changed files with 37 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitmodules vendored Normal file
View file

@ -0,0 +1,3 @@
[submodule "private"]
path = private
url = ssh://forgejo@git.luj.fr/luj/snowfield-private.git

8
home-manager-modules/mails/default.nix
View file

@ -16,19 +16,19 @@ with lib;
config = mkIf cfg.enable { config = mkIf cfg.enable {
age.secrets.work-mail-pw = { age.secrets.work-mail-pw = {
file = ../../secrets/work-mail-pw.age; file = ../../private/secrets/work-mail-pw.age;
}; };
age.secrets.dgnum-mail-pw = { age.secrets.dgnum-mail-pw = {
file = ../../secrets/dgnum-mail-pw.age; file = ../../private/secrets/dgnum-mail-pw.age;
}; };
age.secrets.telecom-mail-pw = { age.secrets.telecom-mail-pw = {
file = ../../secrets/telecom-mail-pw.age; file = ../../private/secrets/telecom-mail-pw.age;
}; };
age.secrets.ens-mail-pw = { age.secrets.ens-mail-pw = {
file = ../../secrets/ens-mail-pw.age; file = ../../private/secrets/ens-mail-pw.age;
}; };
programs.mbsync = { programs.mbsync = {

2
machines/akhaten/stalwart.nix
View file

@ -64,7 +64,7 @@
services.backup.includes = [ "/var/lib/stalwart-mail/db" ]; services.backup.includes = [ "/var/lib/stalwart-mail/db" ];
age.secrets.stalwart-admin-hash = { age.secrets.stalwart-admin-hash = {
file = ../../secrets/stalwart-admin.age; file = ../../private/secrets/stalwart-admin.age;
path = "/var/lib/stalwart-mail/admin-hash"; path = "/var/lib/stalwart-mail/admin-hash";
owner = "stalwart-mail"; owner = "stalwart-mail";
group = "stalwart-mail"; group = "stalwart-mail";

8
machines/biblios/garage.nix
View file

@ -36,17 +36,17 @@ in
environmentFile = config.age.secrets."garage-env-file".path; environmentFile = config.age.secrets."garage-env-file".path;
}; };
age.secrets."garage-env-file".file = ../../secrets/garage-env-file.age; age.secrets."garage-env-file".file = ../../private/secrets/garage-env-file.age;
age.secrets."book-auth" = { age.secrets."book-auth" = {
file = ../../secrets/book-auth.age; file = ../../private/secrets/book-auth.age;
owner = "nginx"; owner = "nginx";
}; };
age.secrets."notes-phd-auth" = { age.secrets."notes-phd-auth" = {
file = ../../secrets/notes-phd-auth.age; file = ../../private/secrets/notes-phd-auth.age;
owner = "nginx"; owner = "nginx";
}; };
age.secrets."notes-perso-auth" = { age.secrets."notes-perso-auth" = {
file = ../../secrets/notes-perso-auth.age; file = ../../private/secrets/notes-perso-auth.age;
owner = "nginx"; owner = "nginx";
}; };

2
machines/core-security/default.nix
View file

@ -90,7 +90,7 @@
}; };
}; };
age.secrets.keycloak-db.file = ../../secrets/keycloak-db.age; age.secrets.keycloak-db.file = ../../private/secrets/keycloak-db.age;
services.openssh.extraConfig = '' services.openssh.extraConfig = ''
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

2
machines/gustave/artiflakery.nix
View file

@ -2,7 +2,7 @@
{ {
age.secrets."artiflakery-auth" = { age.secrets."artiflakery-auth" = {
file = ../../secrets/artiflakery-auth.age; file = ../../private/secrets/artiflakery-auth.age;
owner = "artiflakery"; owner = "artiflakery";
}; };

4
machines/gustave/nextcloud.nix
View file

@ -5,13 +5,13 @@
environment.systemPackages = [ config.services.nextcloud.occ ]; environment.systemPackages = [ config.services.nextcloud.occ ];
age.secrets."nextcloud-admin-password" = { age.secrets."nextcloud-admin-password" = {
file = ../../secrets/nextcloud-admin-password.age; file = ../../private/secrets/nextcloud-admin-password.age;
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud"; group = "nextcloud";
}; };
age.secrets."nextcloud-s3-token" = { age.secrets."nextcloud-s3-token" = {
file = ../../secrets/nextcloud-s3-token.age; file = ../../private/secrets/nextcloud-s3-token.age;
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud"; group = "nextcloud";
}; };

2
machines/gustave/pages.nix
View file

@ -8,7 +8,7 @@ let
allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128"; allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128";
in in
{ {
age.secrets."pages-settings-file".file = ../../secrets/pages-settings-file.age; age.secrets."pages-settings-file".file = ../../private/secrets/pages-settings-file.age;
services.codeberg-pages = { services.codeberg-pages = {
enable = true; enable = true;

4
machines/gustave/plausible.nix
View file

@ -21,7 +21,7 @@
}; };
age.secrets = { age.secrets = {
plausible-admin-password.file = ../../secrets/plausible-password.age; plausible-admin-password.file = ../../private/secrets/plausible-password.age;
plausible-secret-key-base.file = ../../secrets/plausible-keybase-secret.age; plausible-secret-key-base.file = ../../private/secrets/plausible-keybase-secret.age;
}; };
} }

2
machines/gustave/readeck.nix
View file

@ -1,7 +1,7 @@
{ config, ... }: { config, ... }:
{ {
age.secrets."readeck-config".file = ../../secrets/readeck-config.age; age.secrets."readeck-config".file = ../../private/secrets/readeck-config.age;
services.nginx.virtualHosts."read.luj" = { services.nginx.virtualHosts."read.luj" = {
forceSSL = true; forceSSL = true;

2
machines/lambda/uptime-kuma.nix
View file

@ -37,7 +37,7 @@ in
}; };
age.secrets."stateless-uptime-kuma-password".file = age.secrets."stateless-uptime-kuma-password".file =
../../secrets/stateless-uptime-kuma-password.age; ../../private/secrets/stateless-uptime-kuma-password.age;
nixpkgs.overlays = [ nixpkgs.overlays = [
(import "${inputs.stateless-uptime-kuma}/overlay.nix") (import "${inputs.stateless-uptime-kuma}/overlay.nix")
]; ];

2
machines/tower/forgejo-runner.nix
View file

@ -1,6 +1,6 @@
{ pkgs, config, ... }: { pkgs, config, ... }:
{ {
age.secrets.forgejo_runners-token_file.file = ../../secrets/forgejo_runners-token_file.age; age.secrets.forgejo_runners-token_file.file = ../../private/secrets/forgejo_runners-token_file.age;
nix.settings.allowed-users = [ "gitea-runner" ]; nix.settings.allowed-users = [ "gitea-runner" ];
nix.settings.trusted-users = [ "gitea-runner" ]; nix.settings.trusted-users = [ "gitea-runner" ];

4
modules/backup/default.nix
View file

@ -72,12 +72,12 @@ in
config = lib.mkIf (cfg.includes != [ ]) { config = lib.mkIf (cfg.includes != [ ]) {
age.secrets."borg-ssh-key" = { age.secrets."borg-ssh-key" = {
file = ../../secrets/borg-ssh-priv.age; file = ../../private/secrets/borg-ssh-priv.age;
owner = "root"; owner = "root";
mode = "0600"; mode = "0600";
}; };
age.secrets."borg-encryption-secret".file = ../../secrets/borg-encryption-secret.age; age.secrets."borg-encryption-secret".file = ../../private/secrets/borg-encryption-secret.age;
programs.ssh.knownHosts."${if port != 22 then "[${host}]:${port}" else host}" = { programs.ssh.knownHosts."${if port != 22 then "[${host}]:${port}" else host}" = {
publicKey = "${hostPublicKey}"; publicKey = "${hostPublicKey}";

10
modules/buildbot/default.nix
View file

@ -55,12 +55,12 @@ in
}; };
age.secrets = { age.secrets = {
github-token.file = ../../secrets/github-token-secret.age; github-token.file = ../../private/secrets/github-token-secret.age;
github-webhook-secret.file = ../../secrets/github-webhook-secret.age; github-webhook-secret.file = ../../private/secrets/github-webhook-secret.age;
github-oauth-secret.file = ../../secrets/github-oauth-secret.age; github-oauth-secret.file = ../../private/secrets/github-oauth-secret.age;
buildbot-nix-workers.file = ../../secrets/buildbot-nix-workers.age; buildbot-nix-workers.file = ../../private/secrets/buildbot-nix-workers.age;
buildbot-nix-worker-password = { buildbot-nix-worker-password = {
file = ../../secrets/buildbot-nix-worker-password.age; file = ../../private/secrets/buildbot-nix-worker-password.age;
owner = "buildbot-worker"; owner = "buildbot-worker";
}; };
}; };

2
modules/deluge/default.nix
View file

@ -35,7 +35,7 @@ in
age.secrets.deluge-webui-password = { age.secrets.deluge-webui-password = {
owner = cfg.user; owner = cfg.user;
file = ../../secrets/deluge-webui-password.age; file = ../../private/secrets/deluge-webui-password.age;
}; };
services.deluge = { services.deluge = {

4
modules/nginx/default.nix
View file

@ -147,7 +147,7 @@ in
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
age.secrets.nginx-cert = { age.secrets.nginx-cert = {
file = ../../secrets/404-ssl-certificate-cert.age; file = ../../private/secrets/404-ssl-certificate-cert.age;
path = "/var/lib/acme/default/cert.pem"; path = "/var/lib/acme/default/cert.pem";
owner = "acme"; owner = "acme";
group = "nginx"; group = "nginx";
@ -156,7 +156,7 @@ in
}; };
age.secrets.nginx-key = { age.secrets.nginx-key = {
file = ../../secrets/404-ssl-certificate-key.age; file = ../../private/secrets/404-ssl-certificate-key.age;
path = "/var/lib/acme/default/key.pem"; path = "/var/lib/acme/default/key.pem";
owner = "acme"; owner = "acme";
group = "nginx"; group = "nginx";

2
modules/secrets/default.nix
View file

@ -11,7 +11,7 @@ with lib;
config = mkIf cfg.enable { config = mkIf cfg.enable {
age.secrets.git-gpg-private-key = { age.secrets.git-gpg-private-key = {
file = ../../secrets/git-gpg-private-key.age; file = ../../private/secrets/git-gpg-private-key.age;
owner = "julien"; owner = "julien";
mode = "0440"; mode = "0440";
group = config.users.groups.keys.name; group = config.users.groups.keys.name;

1
private Submodule

@ -0,0 +1 @@
Subproject commit 8dca9c5539ce520591101b9e5f0a2ec131b8ec4c

2
users/default.nix
View file

@ -11,7 +11,7 @@
programs.fish.enable = true; programs.fish.enable = true;
age.secrets.user-root-password.file = ../secrets/user-root-password.age; age.secrets.user-root-password.file = ../private/secrets/user-root-password.age;
users.users.root = { users.users.root = {
uid = config.ids.uids.root; uid = config.ids.uids.root;

2
users/julien.nix
View file

@ -29,5 +29,5 @@
nix.settings.allowed-users = [ "julien" ]; nix.settings.allowed-users = [ "julien" ];
nix.settings.trusted-users = [ "julien" ]; nix.settings.trusted-users = [ "julien" ];
age.secrets.julien-password.file = ../secrets/user-julien-password.age; age.secrets.julien-password.file = ../private/secrets/user-julien-password.age;
} }