mirror of
https://github.com/JulienMalka/snowfield.git
synced 2025-07-01 15:27:18 +02:00
chore: move secrets to private repo
This commit is contained in:
parent
5c0182d087
commit
114abc4c0a
20 changed files with 37 additions and 33 deletions
3
.gitmodules
vendored
Normal file
3
.gitmodules
vendored
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
[submodule "private"]
|
||||
path = private
|
||||
url = ssh://forgejo@git.luj.fr/luj/snowfield-private.git
|
||||
|
|
@ -16,19 +16,19 @@ with lib;
|
|||
config = mkIf cfg.enable {
|
||||
|
||||
age.secrets.work-mail-pw = {
|
||||
file = ../../secrets/work-mail-pw.age;
|
||||
file = ../../private/secrets/work-mail-pw.age;
|
||||
};
|
||||
|
||||
age.secrets.dgnum-mail-pw = {
|
||||
file = ../../secrets/dgnum-mail-pw.age;
|
||||
file = ../../private/secrets/dgnum-mail-pw.age;
|
||||
};
|
||||
|
||||
age.secrets.telecom-mail-pw = {
|
||||
file = ../../secrets/telecom-mail-pw.age;
|
||||
file = ../../private/secrets/telecom-mail-pw.age;
|
||||
};
|
||||
|
||||
age.secrets.ens-mail-pw = {
|
||||
file = ../../secrets/ens-mail-pw.age;
|
||||
file = ../../private/secrets/ens-mail-pw.age;
|
||||
};
|
||||
|
||||
programs.mbsync = {
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@
|
|||
services.backup.includes = [ "/var/lib/stalwart-mail/db" ];
|
||||
|
||||
age.secrets.stalwart-admin-hash = {
|
||||
file = ../../secrets/stalwart-admin.age;
|
||||
file = ../../private/secrets/stalwart-admin.age;
|
||||
path = "/var/lib/stalwart-mail/admin-hash";
|
||||
owner = "stalwart-mail";
|
||||
group = "stalwart-mail";
|
||||
|
|
|
|||
|
|
@ -36,17 +36,17 @@ in
|
|||
environmentFile = config.age.secrets."garage-env-file".path;
|
||||
};
|
||||
|
||||
age.secrets."garage-env-file".file = ../../secrets/garage-env-file.age;
|
||||
age.secrets."garage-env-file".file = ../../private/secrets/garage-env-file.age;
|
||||
age.secrets."book-auth" = {
|
||||
file = ../../secrets/book-auth.age;
|
||||
file = ../../private/secrets/book-auth.age;
|
||||
owner = "nginx";
|
||||
};
|
||||
age.secrets."notes-phd-auth" = {
|
||||
file = ../../secrets/notes-phd-auth.age;
|
||||
file = ../../private/secrets/notes-phd-auth.age;
|
||||
owner = "nginx";
|
||||
};
|
||||
age.secrets."notes-perso-auth" = {
|
||||
file = ../../secrets/notes-perso-auth.age;
|
||||
file = ../../private/secrets/notes-perso-auth.age;
|
||||
owner = "nginx";
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -90,7 +90,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
age.secrets.keycloak-db.file = ../../secrets/keycloak-db.age;
|
||||
age.secrets.keycloak-db.file = ../../private/secrets/keycloak-db.age;
|
||||
|
||||
services.openssh.extraConfig = ''
|
||||
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
{
|
||||
|
||||
age.secrets."artiflakery-auth" = {
|
||||
file = ../../secrets/artiflakery-auth.age;
|
||||
file = ../../private/secrets/artiflakery-auth.age;
|
||||
owner = "artiflakery";
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -5,13 +5,13 @@
|
|||
environment.systemPackages = [ config.services.nextcloud.occ ];
|
||||
|
||||
age.secrets."nextcloud-admin-password" = {
|
||||
file = ../../secrets/nextcloud-admin-password.age;
|
||||
file = ../../private/secrets/nextcloud-admin-password.age;
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
};
|
||||
|
||||
age.secrets."nextcloud-s3-token" = {
|
||||
file = ../../secrets/nextcloud-s3-token.age;
|
||||
file = ../../private/secrets/nextcloud-s3-token.age;
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ let
|
|||
allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128";
|
||||
in
|
||||
{
|
||||
age.secrets."pages-settings-file".file = ../../secrets/pages-settings-file.age;
|
||||
age.secrets."pages-settings-file".file = ../../private/secrets/pages-settings-file.age;
|
||||
|
||||
services.codeberg-pages = {
|
||||
enable = true;
|
||||
|
|
@ -97,7 +97,7 @@ in
|
|||
];
|
||||
|
||||
# Listen to ipv6 packets coming from the internet, check the SNI
|
||||
# If they are one of the declared virtualHosts, forward them to the proxy protocol listener
|
||||
# If they are one of the declared virtualHosts, forward them to the proxy protocol listener
|
||||
# for that virtualHost, else forward them to the page server
|
||||
streamConfig = ''
|
||||
map $ssl_preread_server_name $sni_upstream {
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@
|
|||
};
|
||||
|
||||
age.secrets = {
|
||||
plausible-admin-password.file = ../../secrets/plausible-password.age;
|
||||
plausible-secret-key-base.file = ../../secrets/plausible-keybase-secret.age;
|
||||
plausible-admin-password.file = ../../private/secrets/plausible-password.age;
|
||||
plausible-secret-key-base.file = ../../private/secrets/plausible-keybase-secret.age;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
|
||||
age.secrets."readeck-config".file = ../../secrets/readeck-config.age;
|
||||
age.secrets."readeck-config".file = ../../private/secrets/readeck-config.age;
|
||||
|
||||
services.nginx.virtualHosts."read.luj" = {
|
||||
forceSSL = true;
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ in
|
|||
};
|
||||
|
||||
age.secrets."stateless-uptime-kuma-password".file =
|
||||
../../secrets/stateless-uptime-kuma-password.age;
|
||||
../../private/secrets/stateless-uptime-kuma-password.age;
|
||||
nixpkgs.overlays = [
|
||||
(import "${inputs.stateless-uptime-kuma}/overlay.nix")
|
||||
];
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{ pkgs, config, ... }:
|
||||
{
|
||||
age.secrets.forgejo_runners-token_file.file = ../../secrets/forgejo_runners-token_file.age;
|
||||
age.secrets.forgejo_runners-token_file.file = ../../private/secrets/forgejo_runners-token_file.age;
|
||||
nix.settings.allowed-users = [ "gitea-runner" ];
|
||||
nix.settings.trusted-users = [ "gitea-runner" ];
|
||||
|
||||
|
|
|
|||
|
|
@ -72,12 +72,12 @@ in
|
|||
config = lib.mkIf (cfg.includes != [ ]) {
|
||||
|
||||
age.secrets."borg-ssh-key" = {
|
||||
file = ../../secrets/borg-ssh-priv.age;
|
||||
file = ../../private/secrets/borg-ssh-priv.age;
|
||||
owner = "root";
|
||||
mode = "0600";
|
||||
};
|
||||
|
||||
age.secrets."borg-encryption-secret".file = ../../secrets/borg-encryption-secret.age;
|
||||
age.secrets."borg-encryption-secret".file = ../../private/secrets/borg-encryption-secret.age;
|
||||
|
||||
programs.ssh.knownHosts."${if port != 22 then "[${host}]:${port}" else host}" = {
|
||||
publicKey = "${hostPublicKey}";
|
||||
|
|
|
|||
|
|
@ -55,12 +55,12 @@ in
|
|||
};
|
||||
|
||||
age.secrets = {
|
||||
github-token.file = ../../secrets/github-token-secret.age;
|
||||
github-webhook-secret.file = ../../secrets/github-webhook-secret.age;
|
||||
github-oauth-secret.file = ../../secrets/github-oauth-secret.age;
|
||||
buildbot-nix-workers.file = ../../secrets/buildbot-nix-workers.age;
|
||||
github-token.file = ../../private/secrets/github-token-secret.age;
|
||||
github-webhook-secret.file = ../../private/secrets/github-webhook-secret.age;
|
||||
github-oauth-secret.file = ../../private/secrets/github-oauth-secret.age;
|
||||
buildbot-nix-workers.file = ../../private/secrets/buildbot-nix-workers.age;
|
||||
buildbot-nix-worker-password = {
|
||||
file = ../../secrets/buildbot-nix-worker-password.age;
|
||||
file = ../../private/secrets/buildbot-nix-worker-password.age;
|
||||
owner = "buildbot-worker";
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ in
|
|||
|
||||
age.secrets.deluge-webui-password = {
|
||||
owner = cfg.user;
|
||||
file = ../../secrets/deluge-webui-password.age;
|
||||
file = ../../private/secrets/deluge-webui-password.age;
|
||||
};
|
||||
|
||||
services.deluge = {
|
||||
|
|
|
|||
|
|
@ -147,7 +147,7 @@ in
|
|||
security.acme.acceptTerms = true;
|
||||
|
||||
age.secrets.nginx-cert = {
|
||||
file = ../../secrets/404-ssl-certificate-cert.age;
|
||||
file = ../../private/secrets/404-ssl-certificate-cert.age;
|
||||
path = "/var/lib/acme/default/cert.pem";
|
||||
owner = "acme";
|
||||
group = "nginx";
|
||||
|
|
@ -156,7 +156,7 @@ in
|
|||
};
|
||||
|
||||
age.secrets.nginx-key = {
|
||||
file = ../../secrets/404-ssl-certificate-key.age;
|
||||
file = ../../private/secrets/404-ssl-certificate-key.age;
|
||||
path = "/var/lib/acme/default/key.pem";
|
||||
owner = "acme";
|
||||
group = "nginx";
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ with lib;
|
|||
config = mkIf cfg.enable {
|
||||
|
||||
age.secrets.git-gpg-private-key = {
|
||||
file = ../../secrets/git-gpg-private-key.age;
|
||||
file = ../../private/secrets/git-gpg-private-key.age;
|
||||
owner = "julien";
|
||||
mode = "0440";
|
||||
group = config.users.groups.keys.name;
|
||||
|
|
|
|||
1
private
Submodule
1
private
Submodule
|
|
@ -0,0 +1 @@
|
|||
Subproject commit 8dca9c5539ce520591101b9e5f0a2ec131b8ec4c
|
||||
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
programs.fish.enable = true;
|
||||
|
||||
age.secrets.user-root-password.file = ../secrets/user-root-password.age;
|
||||
age.secrets.user-root-password.file = ../private/secrets/user-root-password.age;
|
||||
|
||||
users.users.root = {
|
||||
uid = config.ids.uids.root;
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@
|
|||
nix.settings.allowed-users = [ "julien" ];
|
||||
nix.settings.trusted-users = [ "julien" ];
|
||||
|
||||
age.secrets.julien-password.file = ../secrets/user-julien-password.age;
|
||||
age.secrets.julien-password.file = ../private/secrets/user-julien-password.age;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue