From 065e31564794c062da2110b112864b9a6a34fee5 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 24 Oct 2024 14:54:16 +1000
Subject: [PATCH] modules/nixos/monitoring: move to agenix
---
hosts/web02/secrets.yaml | 68 ---------------------
modules/nixos/monitoring/default.nix | 7 ++-
modules/nixos/monitoring/matrix-hook.nix | 13 +++-
secrets.yaml | 7 ++-
secrets/nginx-basic-auth-file.age | 20 ++++++
secrets/nix-community-matrix-bot-token.age | Bin 0 -> 1094 bytes
secrets/secrets.nix | 3 +
7 files changed, 42 insertions(+), 76 deletions(-)
delete mode 100644 hosts/web02/secrets.yaml
create mode 100644 secrets/nginx-basic-auth-file.age
create mode 100644 secrets/nix-community-matrix-bot-token.age
diff --git a/hosts/web02/secrets.yaml b/hosts/web02/secrets.yaml
deleted file mode 100644
index bacd24b..0000000
--- a/hosts/web02/secrets.yaml
+++ /dev/null
@@ -1,68 +0,0 @@ -nix-community-matrix-bot-token: ENC[AES256_GCM,data:p9sQnsEIJEGi6AYLxemCN/zkf+lx6dEjrIVfFD28DWtOvCxIy7QKImWIMsbOjWHW/0sjHQYoGwDBrrBzpYed3+AK38J+WEnCi6MSGQ==,iv:BdV3bMjuXFLFTvcXLL/2l08qonIXHFtUvpj2QM0n3Ws=,tag:EhCwGinqZZuLa5CIpCaKeA==,type:str] -nginx-basic-auth-file: ENC[AES256_GCM,data:andS+j0bOp4m7Xty1RuAmyNGz36rUChhl4dtY+mvguHzei2lYDfdZWilx2VUFT5mmsWCeyrT5otVVg==,iv:BuawT6dsaI6s/vXbfG2HijUBzHec2D47w8KRj6Bba2Y=,tag:PjkfdKhjWmP6+NKFGEPijg==,type:str] -nginx-basic-auth-password: ENC[AES256_GCM,data:ne6h4KoBo7dNkrKhe4thFkgE/EmIOkfzDh0Bag==,iv:ZsHANsb6PI4a84K81fM1PHtPPa0mi8nYLfh1A9CbaqY=,tag:IYQyFasarwh/EPZ3iUNX3Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTHNIYkY2eE1rWnVDVlk1 - ZXg0ZFJEQ0JlNEYwOFZRNUh3K0I5L2lKNkFrCkl1c01YNDZobHM2djhSdGEyVklL - V1I0UzRqY0hxUm1oajZNZXB0a2JyeGsKLS0tIDlPUU1XVStkZUppM09NclkyRDFu - UC80VU01SS96dytmWkdHeHBkZzlsT2sKTbRmdfN5l3tFqi0bXQ5FQheunbabSBZ4 - bGpju602wejkNx9L3rmHQCVTkRncr4UqYVeezRLq8rdBsPePsssYnQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTHR5Zm0yR1crQi9ITjQx - Zlh2SXpnN1pmSGRseHFRTzhKMFhNL0h5d0hBCm0vQWNmSVhaTm4yN3pVeHhZbk5r - ZE9zM2VXSU9RV2IzMXlQNFFhNXZGeEkKLS0tIC9JNm9VVEFZM0FPSjJSS2VkbkVD - THNidzhQempPdmQzdklKSUJlTThjaXMKJ1DzntjD0Zca0NVNUIcMj1gAErnFqcfi - 1f7w5PLIJZ0zTR+c2ozAYj+O/lD6cxA9q3cgdkFJRDIG/UP0sHuQ+w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbUJ4RGVKcFFHeUUwTC8x - Sy9rUjg1elo2eW9kNmw4RklCbVRNUjdQQXpnCjBzQ1p3VDFxUkdyeXZLVUNta2l6 - 
dmtLYUE2L29ueFp1OWtHRHB6SCtvekkKLS0tIFc0a3EzengwR1cwekxqeEQ4YWhn - T21CNzNCU2NqeWwzMEw4UkJjcnlSd0UKf+1tn7/+0+RDWU0PLk2zGqOaXNLnhqK9 - IhvbJrI+/dsY7fsPxR9c+p3z8TFltb3Q0jgUlmcujQ1VyTJB9qiu2Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybHRHZUU0dEFzdXIxQWtL - RGRKZm9uWVRWd0tDTDVPdFJGT1liY01HbUI4CkY3SFFwS1Y2UGprUDhkdlFibXBT - MWZUbDdEb2JBZ2x1VFJsWVVtZUY5NXcKLS0tIDdTY21jc2llM3ZoeUhpbzBnMTFQ - am5LMVgyVGRhdnRVUjZ6QlFWbDVTWE0KF6gctt/6t9WGhNQMXdfk+KctwUYKnEGq - ed+xCZ7flm2ifY3l8baaX1jVaYU56xsNnhNGyxVzfgbDOXnlPEcN+w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ1dDQVZLN3RCYVo5bkFm - ZkZYNlUwYU9adnZqck5kYjM4OHAwSWtta2c4CmltckJnRTZnR2VVSnZjYnZwQnFB - OXJkZHpkSVdFN29qMkZ2c2JzcFB6OTgKLS0tIHY5SVB3TGp6L2txeU1YUmJBNitr - dFIwN1BIb1dWc1hPZUYxWU9ob0xVR28KnsuH74n4c0beUwyAoN6j4BbUYUFRmJA2 - 6RFl032mjGu/k2eeGc5gV8CqBtyOTualqWt9P/+efWrVT4p1FMsbDg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZmxhWFZ1WE5adXhlaUpp - cno1VDBtY0I4Q253UW9SaUc3UzZyc0tyamtVClprLzkvOCthanRha3JGWU85YmVh - OTFLSldvREhiNFk0TU9ZTW5rd25oN0kKLS0tIEFMbXBlaWNQQWJqYUlJRi9ZcW84 - QnJZZzN1a1M5b1dwa3hvL3ZHYkpxQUkK1g9sQB0UHl9coaznjIn4WDpQv21Y8cl9 - LNqnv0Q6KrxNliq2JEJoEpjD5+xTcqV/5FgylKhtdNWUZ0eAX8taog== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-30T03:19:37Z" - mac: 
ENC[AES256_GCM,data:TScUSdUv+SEG2MJ5MdCP7/zuCDG857erbLYG1Vp3/4d3Pvq//Jp5nVtnFSw9Y63Do/r1gzfmiU/B4HFbn40hVo7+/KjKOl8wb9qUheh2UaW+m+gd05mDjjQvrnTVjJJ8/Rj4/kFYvYzsPag8KY37CG0dBqiE7esyk9hUf7kv/4w=,iv:gCsM4oGq0zAR1r0E5xeKAGezXSyh9Eqho/rsU+3x3E8=,tag:A/0KP15zdJUpS3fc9z6/0A==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix index dd41c54..18592b7 100644 --- a/modules/nixos/monitoring/default.nix +++ b/modules/nixos/monitoring/default.nix @@ -8,12 +8,15 @@ ./telegraf.nix ]; - sops.secrets.nginx-basic-auth-file.owner = "nginx"; + age.secrets.nginx-basic-auth-file = { + file = "${inputs.self}/secrets/nginx-basic-auth-file.age"; + owner = "nginx"; + }; services.nginx.virtualHosts."monitoring.nix-community.org" = { locations."/".return = "302 https://nix-community.org/monitoring"; locations."/alertmanager/" = { - basicAuthFile = config.sops.secrets.nginx-basic-auth-file.path; + basicAuthFile = config.age.secrets.nginx-basic-auth-file.path; proxyPass = "http://localhost:9093/"; }; locations."/prometheus/".proxyPass = "http://localhost:9090/"; diff --git a/modules/nixos/monitoring/matrix-hook.nix b/modules/nixos/monitoring/matrix-hook.nix index 28b93e3..cc3f5e2 100644 --- a/modules/nixos/monitoring/matrix-hook.nix +++ b/modules/nixos/monitoring/matrix-hook.nix @@ -1,9 +1,16 @@ -{ config, pkgs, ... }: +{ + config, + inputs, + pkgs, + ... +}: let matrixHook = pkgs.matrix-hook; in { - sops.secrets.nix-community-matrix-bot-token = { }; + age.secrets.nix-community-matrix-bot-token = { + file = "${inputs.self}/secrets/nix-community-matrix-bot-token.age"; + }; users.users.matrix-hook = { isSystemUser = true; 
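Review bot: The new `age.secrets.nginx-basic-auth-file` block in default.nix references `inputs.self`, but this hunk starts at line 8 and does not show the module's argument set, so it is not visible whether `inputs` is already bound here the way matrix-hook.nix had to add it in the same commit; worth confirming, since a missing binding only fails at evaluation time. The declaration also relies on agenix's default file mode for a file that nginx must read as `owner = "nginx"`, which deserves a one-line comment so the next reader does not loosen it: `# htpasswd file for /alertmanager/; agenix default mode keeps it readable by the nginx user only`. The enclosing attribute set continues past the end of the hunk.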
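Review bot: The `age.secrets.nix-community-matrix-bot-token` declaration in matrix-hook.nix sets no `owner` or `mode`, so the decrypted token keeps agenix's root-only defaults; that is the right choice here because the consumer is the systemd `EnvironmentFile` in the second hunk, which PID 1 reads before dropping to `User = "matrix-hook"`, but nothing in the file says so and a later reader may "fix" it by chowning the secret to the service user. Suggest a comment on the declaration: `# read by systemd via EnvironmentFile before the drop to User=matrix-hook, so root-only access is intended`. The decrypted content is assumed to be in KEY=value form suitable for EnvironmentFile; that cannot be checked from the encrypted payload. The `users.users.matrix-hook` block continues outside the hunk.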
@@ -27,7 +34,7 @@ in serviceConfig = { Type = "simple"; ExecStart = "${matrixHook}/bin/matrix-hook"; - EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ]; + EnvironmentFile = [ config.age.secrets.nix-community-matrix-bot-token.path ]; Restart = "always"; RestartSec = "10"; User = "matrix-hook"; diff --git a/secrets.yaml b/secrets.yaml index 603bc16..a6a1e23 100644 --- a/secrets.yaml +++ b/secrets.yaml @@ -8,6 +8,7 @@ accounts: - name: ENC[AES256_GCM,data:BGA/HMgie64=,iv:c+utmChiZA73GRS4uzZDyfdU+DZaDpB3WljC2uye8o0=,tag:lr1w5TWr05lpfBNLK0Swxw==,type:str] totpsecret: ENC[AES256_GCM,data:Q5aJq9sLmW/0oMIgy4FErA==,iv:cFhVj/QV4tMjvB/Y8ExOSSLArvjxCV8+39YtMaADK04=,tag:aPJFH7WhaBYAW7eYsGzGYg==,type:str] emergency_access_password: ENC[AES256_GCM,data:ELpkrEQjFQwDicz3WeJoivrZBAWeAKkfFg==,iv:rzbKvnS5IBjUCCT2NAHINZs60F0jrRPJvZ1wnBa6xkI=,tag:hWax9+gTRhuhtIikP/jO/Q==,type:str] +nginx-basic-auth-password: ENC[AES256_GCM,data:THXCfzuXXEsEARk1Hz4eEtzqqzzbf/IF0hHy,iv:mvOu8CSomzUYzpt1PkhSeBMgwHluUtTQZHozi6Am+RM=,tag:itQJu7Dp/N48BJMYTleuqw==,type:str] ssh_host_ed25519_key: build01: ENC[AES256_GCM,data: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,iv:ksSPKFNHdy646BU2x0fr6ey+kif1jpPhlsQ5Kmxjqd4=,tag:2SL/1x4/9LoNqfHPMk8H8Q==,type:str] build02: ENC[AES256_GCM,data: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,iv:cQERNZJUQ0TJW0pbEzJF6O+1Idkt2e+I06+Kjygr4lk=,tag:2X4KhuEd/0153sCT7qeyqQ==,type:str] 
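Review bot: The added `nginx-basic-auth-password` entry keeps the basic-auth credential in the sops-managed secrets.yaml while the htpasswd file that nginx actually consumes now lives in `secrets/nginx-basic-auth-file.age` under agenix, so the same credential is held in two stores with two rekeying paths. If the sops copy is only retained as the source used to regenerate the htpasswd hash, a short YAML comment stating that, and that rotation must update both, would prevent the two from drifting apart silently. If it has no remaining consumer, dropping it would reduce the secret's footprint to one location.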
@@ -111,8 +112,8 @@ sops: MkcvL1JyVFBJV0Y5RFFCMGN1OUFXdU0Kdx1wy6ZOOTg1a6VKaq52SMBvC26lMsW/ oMP+hmXc2WtoqZp+jZ9rrXz6cZW6/dO7CPqxl3aUEKg6BkXIwgyKeg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-16T07:30:20Z" - mac: ENC[AES256_GCM,data:nzK1E2M4gnsY/z6KG8uMsOau+Q96u/gRmXue9jA0BKEErEWA2AYg5p9Ig+pRWwhq1BdEN9PbjKBmuEmSTWdfFijbM7NaRSHelpUIccfoiMMW51/MHFiEMt7euCLE2i9O7q1Vx7br+NaHu+fqctrx1ikOXaWNhM6Q6NJ1NY0Z5dU=,iv:1S1NsVtILala9zBFMfEqxpokscpPW+Frq+T1qyrmVYI=,tag:87SYZkvSdqYldcVJnnw2/A==,type:str] + lastmodified: "2024-10-26T00:28:59Z" + mac: ENC[AES256_GCM,data:Ds3v0YTPxlpV+QTtRs1Lq3LyvnVXVU4Hp37mGOwrAgD76ek19dyMPVeJu1Q9QZwYcoSrq7GccQvo/GfTM+WVxW48B3aH+qeUye9RcdV6SYLmtQANhUyyBQurzyN7sJt2qyOWsE/VpF3NViUMkVYhLqwd/wYIiaEVmCaEpkjHp38=,iv:Vhoj+Vm8n8VcQZhmGOZU9OVZ0S+VxrZEZ178yx8aezk=,tag:D4p7Az+LqC7eQkI2QIyVfA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.0 + version: 3.9.1 diff --git a/secrets/nginx-basic-auth-file.age b/secrets/nginx-basic-auth-file.age new file mode 100644 index 0000000..83ac83a --- /dev/null +++ b/secrets/nginx-basic-auth-file.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 meza2g tOhoYzkG+lCD2ONeWe32iOT+qCOvFFM2MOSTMw86ck4 +N4xw2JWB0BvQy12lIb1CS4QifkiFCHHHYBep9XzhpFI +-> ssh-rsa ALNSWw +lzYsNzDw+FQRwcgk2ezjfw4fr5PundiR+As4Xa/OCsHFZa94QVhBVlFzgtB5nO8s +wnoENRSQIkYqzJtGxAF8VGOvGpOsuIxNLNy/AvN4YeXYVvhPlpZjRmkCKpWG2r1w +gprc+2VdUVjeUJiWYYhCZdn62yMXS0HI+aC8eLghtovl4dhWKh4sq8SMlNtzHLKZ +D1nLY2rDNM+u00NEMMTOr879zfp4LHAsaol0HJrc3BnC1KmyYFd4dTivwVEU1X/r +jw+mv8duQrbXJHckf8si7GuwQxsA0eDxKQb0y8F2hIMAkmAUMsvrJF0kyPS3UGyp +qkby51wMLIOzzvcrgJ9KJQ +-> ssh-ed25519 Qi7vNw hiomOFHJB1MuK7rf6x6lDr6CvTMo3CN9x4/rYov6lD4 +ILX7g5TugewxzJuHF3Og06135rohMLs+vhnrcGlTO6s +-> ssh-ed25519 MW0fCg 5gofg/CnnH3aI7WnAMqHd5P7Gvyb9XV8M7v1FF8TdXU +wwLUGvVGngz1rMZa0eIVSwf0TmUqQHTPjZDgubtoMgk +-> ssh-ed25519 92bXiA OcbjXruCXI43g/mJC/I65m7I/p04OHNWUXZuFa2vUEM +5+NimqArjB+cbSNMh53LUmmBlXiecjdjcilS9zYVE2w +-> ssh-ed25519 h1lenA mtoPhHkVeGkSwirRAvcfHgwdZrmWalB8KEwBFfix2xE +FyCMnN2MzQmuCjYF+cElRl1wAPumz8mAgJFzMcUXfk0 +--- u5BHJScdFfK3/JdJs5dLFGTGUmX0wPAo5jra3cmYI1c +`�����2Λ� κ�w���̐b3f��6y�:���1q�iA ��9G�w�W�eS�鯙��m��~�ף�,f����%=��Q�O6 \ No newline at end of file 
diff --git a/secrets/nix-community-matrix-bot-token.age b/secrets/nix-community-matrix-bot-token.age new file mode 100644 index 0000000000000000000000000000000000000000..080c7efe7cb216fd8486ebf6241d055fcca5e0ec GIT binary patch literal 1094 zcmZY6z3bz20LO7h2?#p4=u+jthuBM#G)?0mB+WycCTSkqrs$C8=ArpE56#mg4hlM` z+#rIJleajD!|5P`xae{y2tFLh4Z^t`IH-d<{g(4Dc=7&xoG2IvxmWh*ItKZ5P)10D zLgSZ4RdpN(K1L8IH97@@gGHk?YFKg`iymRmgUcFNVFp?=u!OKg<W=O8erA&Cso3-u zM3L>O5jH(PrxI%&U8)9)H;Xh(8n@eRb*)mwE?`tY7UV0fteg=oDaNja7~)9zuu#SP zzAm_cL*YZW?EGkOf`poL8bT_9aPVSnQqOup3+ssM9chZL4&AVUMFt|k8tn0YOYdSW zSppdbtWLs}T%1;hevXLA(3Vmt)qB4h0+<r_<?bvBn2yc~+362F#8JVppk+r|tT}T# z@RTECY1)T#xXh55617QzsI<=MouwNqu{}6@-UiZSI;{yk2R=le&T1{<LY%k$x$*6Q zE2P8J;4^c#2t&h$)j{!hm!$40P^6x`a~-C1=SzM=hTG`OK^DKs>QpYBLRu8U8hC!E zL|T&ZlB5H<N2>;zh(WTAVN*4Wfv~s4K9*;Vcqt=VHFAgnS~_<{nmjbViS$4tQUZyt z*1q~yi^)c5N4738gt*iL6tI)rSC^iuSjN6QPdzr9;I0*LYHOQ7oY2rIJ|YEO)`u15 zBlNJg4kbBdXMu>MG0H43d=qr1vUM}weo&KllW-A@T*`H0I-V6qI0!S`<5;4Vax|$? zokw7rPXMNFazYI!06NYSyO~9^L7QvlB9XGhOJ%<4_fb_%SHh*xb2wVEE6md#)F{l| z$Mi^&kDP<^ZcMaFSe=*@8&)|DHt5hx^>Ul>ZZ|ApI1f7uatYMzLN~-!jp<PQL~yCK z5+w^!E}9u|-LarDBgI1?{;%zbW<gGmG8~VLe6~7F7%keWJJHt}E@j<?c)1*@j9g9l zmT4O<P9~7C=xu>r42eOw)Lur3rX$#@nBsN79ZiH+B-^P5R^vPXjmP6r5K}~EY}g?; z0AI}#!p@Mu5VpQ>T;i43iWn943JHfn1-<d^_<iHvN7Q#We!GA3k&FD#pLg#*{`x~N z9>2ILfB4?*-@hM!=6?Rnt*4%T#eMt9JCA;F?b`6|Uo86YzmL5zzy21u!+ren{nZao sG_QdlHRneE&9-~)tI?}JJ%8_)+xjP8|BAi&^E;n<&9h&^f86@}KO3EQ>Hq)$ literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 807cc2a..f175de6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -15,6 +15,7 @@ let build03 = knownHosts.build03.publicKey; build04 = knownHosts.build04.publicKey; darwin02 = knownHosts.darwin02.publicKey; + web02 = knownHosts.web02.publicKey; secrets = { hercules-binary-caches = [ @@ -36,6 +37,8 @@ let build02 build03 ]; + nginx-basic-auth-file = [ web02 ]; + nix-community-matrix-bot-token = [ web02 ]; }; in builtins.listToAttrs (
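Review bot: The second secrets.nix hunk lists only `web02` as the recipient of `nginx-basic-auth-file` and `nix-community-matrix-bot-token`, yet the header of `secrets/nginx-basic-auth-file.age` in this patch carries six recipients (five ssh-ed25519 and one ssh-rsa), so additional keys are presumably appended in the `builtins.listToAttrs` mapping that begins at the end of the hunk and continues outside it. Since the recipient set is exactly the set of keys able to decrypt these secrets, it is worth confirming that every key in the .age headers is intended, and adding a comment above the `secrets` attribute set naming where the extra recipients come from, e.g. `# host keys listed here; admin keys are added to every secret below`, so that reviewers can check new entries against the headers.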