mirror of
https://github.com/JulienMalka/snowfield.git
synced 2025-07-01 15:27:18 +02:00
chore: move secrets to private repo
This commit is contained in:
parent
5c0182d087
commit
114abc4c0a
20 changed files with 37 additions and 33 deletions
3
.gitmodules
vendored
Normal file
3
.gitmodules
vendored
Normal file
|
|
@ -0,0 +1,3 @@
|
||||||
|
[submodule "private"]
|
||||||
|
path = private
|
||||||
|
url = ssh://forgejo@git.luj.fr/luj/snowfield-private.git
|
||||||
|
|
@ -16,19 +16,19 @@ with lib;
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
age.secrets.work-mail-pw = {
|
age.secrets.work-mail-pw = {
|
||||||
file = ../../secrets/work-mail-pw.age;
|
file = ../../private/secrets/work-mail-pw.age;
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.dgnum-mail-pw = {
|
age.secrets.dgnum-mail-pw = {
|
||||||
file = ../../secrets/dgnum-mail-pw.age;
|
file = ../../private/secrets/dgnum-mail-pw.age;
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.telecom-mail-pw = {
|
age.secrets.telecom-mail-pw = {
|
||||||
file = ../../secrets/telecom-mail-pw.age;
|
file = ../../private/secrets/telecom-mail-pw.age;
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.ens-mail-pw = {
|
age.secrets.ens-mail-pw = {
|
||||||
file = ../../secrets/ens-mail-pw.age;
|
file = ../../private/secrets/ens-mail-pw.age;
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.mbsync = {
|
programs.mbsync = {
|
||||||
|
|
|
||||||
|
|
@ -64,7 +64,7 @@
|
||||||
services.backup.includes = [ "/var/lib/stalwart-mail/db" ];
|
services.backup.includes = [ "/var/lib/stalwart-mail/db" ];
|
||||||
|
|
||||||
age.secrets.stalwart-admin-hash = {
|
age.secrets.stalwart-admin-hash = {
|
||||||
file = ../../secrets/stalwart-admin.age;
|
file = ../../private/secrets/stalwart-admin.age;
|
||||||
path = "/var/lib/stalwart-mail/admin-hash";
|
path = "/var/lib/stalwart-mail/admin-hash";
|
||||||
owner = "stalwart-mail";
|
owner = "stalwart-mail";
|
||||||
group = "stalwart-mail";
|
group = "stalwart-mail";
|
||||||
|
|
|
||||||
|
|
@ -36,17 +36,17 @@ in
|
||||||
environmentFile = config.age.secrets."garage-env-file".path;
|
environmentFile = config.age.secrets."garage-env-file".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets."garage-env-file".file = ../../secrets/garage-env-file.age;
|
age.secrets."garage-env-file".file = ../../private/secrets/garage-env-file.age;
|
||||||
age.secrets."book-auth" = {
|
age.secrets."book-auth" = {
|
||||||
file = ../../secrets/book-auth.age;
|
file = ../../private/secrets/book-auth.age;
|
||||||
owner = "nginx";
|
owner = "nginx";
|
||||||
};
|
};
|
||||||
age.secrets."notes-phd-auth" = {
|
age.secrets."notes-phd-auth" = {
|
||||||
file = ../../secrets/notes-phd-auth.age;
|
file = ../../private/secrets/notes-phd-auth.age;
|
||||||
owner = "nginx";
|
owner = "nginx";
|
||||||
};
|
};
|
||||||
age.secrets."notes-perso-auth" = {
|
age.secrets."notes-perso-auth" = {
|
||||||
file = ../../secrets/notes-perso-auth.age;
|
file = ../../private/secrets/notes-perso-auth.age;
|
||||||
owner = "nginx";
|
owner = "nginx";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -90,7 +90,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.keycloak-db.file = ../../secrets/keycloak-db.age;
|
age.secrets.keycloak-db.file = ../../private/secrets/keycloak-db.age;
|
||||||
|
|
||||||
services.openssh.extraConfig = ''
|
services.openssh.extraConfig = ''
|
||||||
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
|
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
{
|
{
|
||||||
|
|
||||||
age.secrets."artiflakery-auth" = {
|
age.secrets."artiflakery-auth" = {
|
||||||
file = ../../secrets/artiflakery-auth.age;
|
file = ../../private/secrets/artiflakery-auth.age;
|
||||||
owner = "artiflakery";
|
owner = "artiflakery";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -5,13 +5,13 @@
|
||||||
environment.systemPackages = [ config.services.nextcloud.occ ];
|
environment.systemPackages = [ config.services.nextcloud.occ ];
|
||||||
|
|
||||||
age.secrets."nextcloud-admin-password" = {
|
age.secrets."nextcloud-admin-password" = {
|
||||||
file = ../../secrets/nextcloud-admin-password.age;
|
file = ../../private/secrets/nextcloud-admin-password.age;
|
||||||
owner = "nextcloud";
|
owner = "nextcloud";
|
||||||
group = "nextcloud";
|
group = "nextcloud";
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets."nextcloud-s3-token" = {
|
age.secrets."nextcloud-s3-token" = {
|
||||||
file = ../../secrets/nextcloud-s3-token.age;
|
file = ../../private/secrets/nextcloud-s3-token.age;
|
||||||
owner = "nextcloud";
|
owner = "nextcloud";
|
||||||
group = "nextcloud";
|
group = "nextcloud";
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -8,7 +8,7 @@ let
|
||||||
allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128";
|
allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
age.secrets."pages-settings-file".file = ../../secrets/pages-settings-file.age;
|
age.secrets."pages-settings-file".file = ../../private/secrets/pages-settings-file.age;
|
||||||
|
|
||||||
services.codeberg-pages = {
|
services.codeberg-pages = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
@ -97,7 +97,7 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
# Listen to ipv6 packets coming from the internet, check the SNI
|
# Listen to ipv6 packets coming from the internet, check the SNI
|
||||||
# If they are one of the declared virtualHosts, forward them to the proxy protocol listener
|
# If they are one of the declared virtualHosts, forward them to the proxy protocol listener
|
||||||
# for that virtualHost, else forward them to the page server
|
# for that virtualHost, else forward them to the page server
|
||||||
streamConfig = ''
|
streamConfig = ''
|
||||||
map $ssl_preread_server_name $sni_upstream {
|
map $ssl_preread_server_name $sni_upstream {
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
plausible-admin-password.file = ../../secrets/plausible-password.age;
|
plausible-admin-password.file = ../../private/secrets/plausible-password.age;
|
||||||
plausible-secret-key-base.file = ../../secrets/plausible-keybase-secret.age;
|
plausible-secret-key-base.file = ../../private/secrets/plausible-keybase-secret.age;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, ... }:
|
{ config, ... }:
|
||||||
{
|
{
|
||||||
|
|
||||||
age.secrets."readeck-config".file = ../../secrets/readeck-config.age;
|
age.secrets."readeck-config".file = ../../private/secrets/readeck-config.age;
|
||||||
|
|
||||||
services.nginx.virtualHosts."read.luj" = {
|
services.nginx.virtualHosts."read.luj" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
|
||||||
|
|
@ -37,7 +37,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets."stateless-uptime-kuma-password".file =
|
age.secrets."stateless-uptime-kuma-password".file =
|
||||||
../../secrets/stateless-uptime-kuma-password.age;
|
../../private/secrets/stateless-uptime-kuma-password.age;
|
||||||
nixpkgs.overlays = [
|
nixpkgs.overlays = [
|
||||||
(import "${inputs.stateless-uptime-kuma}/overlay.nix")
|
(import "${inputs.stateless-uptime-kuma}/overlay.nix")
|
||||||
];
|
];
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
{ pkgs, config, ... }:
|
{ pkgs, config, ... }:
|
||||||
{
|
{
|
||||||
age.secrets.forgejo_runners-token_file.file = ../../secrets/forgejo_runners-token_file.age;
|
age.secrets.forgejo_runners-token_file.file = ../../private/secrets/forgejo_runners-token_file.age;
|
||||||
nix.settings.allowed-users = [ "gitea-runner" ];
|
nix.settings.allowed-users = [ "gitea-runner" ];
|
||||||
nix.settings.trusted-users = [ "gitea-runner" ];
|
nix.settings.trusted-users = [ "gitea-runner" ];
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -72,12 +72,12 @@ in
|
||||||
config = lib.mkIf (cfg.includes != [ ]) {
|
config = lib.mkIf (cfg.includes != [ ]) {
|
||||||
|
|
||||||
age.secrets."borg-ssh-key" = {
|
age.secrets."borg-ssh-key" = {
|
||||||
file = ../../secrets/borg-ssh-priv.age;
|
file = ../../private/secrets/borg-ssh-priv.age;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "0600";
|
mode = "0600";
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets."borg-encryption-secret".file = ../../secrets/borg-encryption-secret.age;
|
age.secrets."borg-encryption-secret".file = ../../private/secrets/borg-encryption-secret.age;
|
||||||
|
|
||||||
programs.ssh.knownHosts."${if port != 22 then "[${host}]:${port}" else host}" = {
|
programs.ssh.knownHosts."${if port != 22 then "[${host}]:${port}" else host}" = {
|
||||||
publicKey = "${hostPublicKey}";
|
publicKey = "${hostPublicKey}";
|
||||||
|
|
|
||||||
|
|
@ -55,12 +55,12 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
github-token.file = ../../secrets/github-token-secret.age;
|
github-token.file = ../../private/secrets/github-token-secret.age;
|
||||||
github-webhook-secret.file = ../../secrets/github-webhook-secret.age;
|
github-webhook-secret.file = ../../private/secrets/github-webhook-secret.age;
|
||||||
github-oauth-secret.file = ../../secrets/github-oauth-secret.age;
|
github-oauth-secret.file = ../../private/secrets/github-oauth-secret.age;
|
||||||
buildbot-nix-workers.file = ../../secrets/buildbot-nix-workers.age;
|
buildbot-nix-workers.file = ../../private/secrets/buildbot-nix-workers.age;
|
||||||
buildbot-nix-worker-password = {
|
buildbot-nix-worker-password = {
|
||||||
file = ../../secrets/buildbot-nix-worker-password.age;
|
file = ../../private/secrets/buildbot-nix-worker-password.age;
|
||||||
owner = "buildbot-worker";
|
owner = "buildbot-worker";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -35,7 +35,7 @@ in
|
||||||
|
|
||||||
age.secrets.deluge-webui-password = {
|
age.secrets.deluge-webui-password = {
|
||||||
owner = cfg.user;
|
owner = cfg.user;
|
||||||
file = ../../secrets/deluge-webui-password.age;
|
file = ../../private/secrets/deluge-webui-password.age;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.deluge = {
|
services.deluge = {
|
||||||
|
|
|
||||||
|
|
@ -147,7 +147,7 @@ in
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
|
|
||||||
age.secrets.nginx-cert = {
|
age.secrets.nginx-cert = {
|
||||||
file = ../../secrets/404-ssl-certificate-cert.age;
|
file = ../../private/secrets/404-ssl-certificate-cert.age;
|
||||||
path = "/var/lib/acme/default/cert.pem";
|
path = "/var/lib/acme/default/cert.pem";
|
||||||
owner = "acme";
|
owner = "acme";
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
|
|
@ -156,7 +156,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.nginx-key = {
|
age.secrets.nginx-key = {
|
||||||
file = ../../secrets/404-ssl-certificate-key.age;
|
file = ../../private/secrets/404-ssl-certificate-key.age;
|
||||||
path = "/var/lib/acme/default/key.pem";
|
path = "/var/lib/acme/default/key.pem";
|
||||||
owner = "acme";
|
owner = "acme";
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
|
|
|
||||||
|
|
@ -11,7 +11,7 @@ with lib;
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
age.secrets.git-gpg-private-key = {
|
age.secrets.git-gpg-private-key = {
|
||||||
file = ../../secrets/git-gpg-private-key.age;
|
file = ../../private/secrets/git-gpg-private-key.age;
|
||||||
owner = "julien";
|
owner = "julien";
|
||||||
mode = "0440";
|
mode = "0440";
|
||||||
group = config.users.groups.keys.name;
|
group = config.users.groups.keys.name;
|
||||||
|
|
|
||||||
1
private
Submodule
1
private
Submodule
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 8dca9c5539ce520591101b9e5f0a2ec131b8ec4c
|
||||||
|
|
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
programs.fish.enable = true;
|
programs.fish.enable = true;
|
||||||
|
|
||||||
age.secrets.user-root-password.file = ../secrets/user-root-password.age;
|
age.secrets.user-root-password.file = ../private/secrets/user-root-password.age;
|
||||||
|
|
||||||
users.users.root = {
|
users.users.root = {
|
||||||
uid = config.ids.uids.root;
|
uid = config.ids.uids.root;
|
||||||
|
|
|
||||||
|
|
@ -29,5 +29,5 @@
|
||||||
nix.settings.allowed-users = [ "julien" ];
|
nix.settings.allowed-users = [ "julien" ];
|
||||||
nix.settings.trusted-users = [ "julien" ];
|
nix.settings.trusted-users = [ "julien" ];
|
||||||
|
|
||||||
age.secrets.julien-password.file = ../secrets/user-julien-password.age;
|
age.secrets.julien-password.file = ../private/secrets/user-julien-password.age;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue