web02: move secrets to sops

zowoq 2024-12-19 10:42:30 +10:00
parent bcdbe40580
commit 632d80837c
8 changed files with 76 additions and 38 deletions

hosts/web02/secrets.yaml Normal file

@ -0,0 +1,68 @@
grafana-client-secret: ENC[AES256_GCM,data:GRuUZDMzzCD+iB/r4fCLG4hkWzLGrKqokm2hpMerV1X6Dn4e2PzVcQ==,iv:X7f+hLCo/cLUBRH2Yilgn5PwzN//RmIfBaVcL6US6Mg=,tag:CdUB4mXMnTBwVM7I38mfrA==,type:str]
nix-community-matrix-bot-token: ENC[AES256_GCM,data:rUi+deMQLcD0LnzpZqeezdbtwZNhHwUWMv5KlEBfWcWqJ3cZIV66G6L5MJ7v4b0r7OKrVSpQDinb+UXALO975OMr9L6EvO4Lx1RMxA==,iv:7ljmHi+P9cVVyJhpqyVvaAVy4ledqYFuqjX71J8fCk8=,tag:dAX+cJZbZ+1T9OHT57wxhA==,type:str]
oauth2-proxy-key-file: ENC[AES256_GCM,data:HaW/nIfUdrilacO9JzsEvOA+pxZ4RKxJUN8jHSEyy50g8//RRpflR+fLXZoaAOV9hE7ztWa39EqTxGAi0AKWUCrS0v72NfI+WVfsdEOifQrkPFh67fRlD7xTDDVB6hmP4JczIpu+3kGJhZm5KuQ7bNeaf6PJF1QKQ+gXYeXR3NAszfoObRq+SYR4CmA=,iv:HELIcLH/2+ve5xT3VDXClVwGHMSyLmVfJcZ/RWD/x64=,tag:5NiDA1vketWZjE5NlaQE+A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHMjkyZFF3SHFxOVhuUHlB
MzYrSy82V3Z2TlZWNUZSMEJQbk1FVkFraXk4Cjh3ZmxjMk9XMGVCZlh3amYyUWZJ
WjZnZk9LdE1uUzh4dml4KzVUWktJWjQKLS0tIG1LdkJUUmFpc0tFaUw0ZGgzSjVa
YkZ2bEpZM1dlS1hWWHNtbVFBRjI4T28KnLVBnL8NK3IarERY01q6bxX7uDcxfirO
UjRStFHeAHmVXYZpIQn0I+gB7Tf/Rul4lyP5qrTHwU1YynOlEFFuig==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeDdXSXB4RnV1emIwVVRt
SC9lNjhCNG9ON1JJN2poT3AzeXRpOE5aYVEwCnVORHZnMWN5ZHZrbUxPUEtXYWgw
MHhKeGFYTzRBUWZoNFRoMGRHNENLZk0KLS0tIFRVUUNEZUFPNk5UQThqLzdFQzJT
VkVGd0dIdVJiSWVYN2E5Tzh3Z1NKMzQK0TQJNbq19fy3WcluPwuk83Fl1IkvqkDh
132Tom3aVDMcbVs9Z+/AW+iYUe9R3/i0i7+GQo+sIYwzc/tONMz+5g==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT1FMeXJkYk05bFpZdksw
bTJ5MjFweGdLOGRUS2pQSWJINVU0cHZKRmtzCkdhM0dzYjJDcGNzNjZkaklqK0dy
Zk51QlBUQVIrNjZTTlZDTTdIOU9aWTQKLS0tIGR1UzFTV0lMZU5MSENjVDA2VnZz
MThoSzVTaFYxUi9jRVA3N0N0N2pKMm8K2nT7ShmWPKDNDpYUSJCK5LvOsCN5N0Ht
6VWHXROl7Tr4vW5+IozS5VoZXCHshtw2ebaJDTK0o+TrrZ5mlgtMuw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTXBqd1hneEdGVnlxTXA4
bnlPNzdqWkY5Mm1pZzdmZ0M0WThhQzhBdTFJCm4xSDFjRWIvNGtnSUxid0N4ak1i
cHdEQVhTTGdYMndsMHBKYWk3cTdyRXcKLS0tIG4yckhCRnNiR0U4MjJSVUIvd0xa
UHV6UkdjcUl3OTVBaFdIRVJqZmtvKzgK7KijVgw/VVW+yhxBkanxle0589trZwXE
H9lEPXq9mga2b6Rb0ASEQxjNI7XvePdr/vsHeoBYpg6yo1jcWK5b0A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTWtrQXEzYnNZVnFQR29W
WFc4S084VnppNjEwbVpZUXlkTTBPOEZmZUVnCm1DNDl6c0lJSFFTRmp6YlBYZG5Y
ZWtaYllhYjdYbUdVcmhUZjFnajc0MlkKLS0tIEY4dGhLWFVVdTNhQ05wYU1nSjEw
MHNlb0lhVXMxY0pjYThiak16UmZBZkkKAXgH37v3YTtDbuC53EaTLMSS2i4d3BnD
VnD03Spq8/9FRVKp8XDN1GCW6M6D01lx7P4RK0PdEPMH+l/DvTetIw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTnZPdlE5Umt3TUxFUjA0
d09jWWtSVEJnaEVtcWxLcWJRRzJYeDZNT1ZrCldRUldwd0RmeEFleXBvczBsNVZo
V04xQ0wzcU1lcXFPNjl6dU9uQWRWQWsKLS0tIFcyTWE4QS9sMmNoVmJ1WHAwNGVo
WWJIQnJVMVBoTkloL2UvY1AzcDNoSEkKiio0jhLaWW3SEkw9w9eYAVtA7BuyZcVd
qkvuzeNejKmoUatQctNI2dOhH0uMySIcodKVsPksHJhZ/xloYO+mjg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-19T00:50:17Z"
mac: ENC[AES256_GCM,data:SAoTmNYsrFjyu/z2I75WIHtSv4KSA3OMBaw8CwmW+vpUbLx9chHiJlO4j4XRD50iddDu3LLtXDtSWq3ESiUVlpmOXLnhiIpMGptZjYJmLqT4D4B4pMcjOixUG/At/nkuY/3qaVhqan5f/mX6lwsJJAswNpVe8OeEw7NNUW9BQVA=,iv:SdX2bp7cyIQ+rhLIexeK6SzbyDnuQXrjBai5gFW8qMw=,tag:yn6mi65mbXBnza1NgZSx1w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2
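Review bot: Nothing in this file shows which of the six age recipients is web02's own host key, and sops-nix can only decrypt it at activation if that key (the age conversion of the SSH host key the removed agenix entries encrypted to) is among them. Before merging I would confirm that the repo's `.sops.yaml` creation rule for hosts/web02 lists the web02 host recipient and that the other five are the intended admin keys. The recipient set cannot be checked from the ciphertext alone, so that mapping is the only place a reviewer can verify it.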


@ -1,9 +1,8 @@
{ config, inputs, ... }:
{ config, ... }:
{
systemd.services.grafana.after = [ config.systemd.services.prometheus.name ];
age.secrets.grafana-client-secret = {
file = "${inputs.self}/secrets/grafana-client-secret.age";
sops.secrets.grafana-client-secret = {
owner = "grafana";
};
@ -19,7 +18,7 @@
"auth.github" = {
enabled = true;
client_id = "ea6aa36488df8b2dede6";
client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
client_secret = "$__file{${config.sops.secrets.grafana-client-secret.path}}";
auth_url = "https://github.com/login/oauth/authorize";
token_url = "https://github.com/login/oauth/access_token";
api_url = "https://api.github.com/user";
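Review bot: `sops.secrets.grafana-client-secret` sets only `owner`, so a rotated value in secrets.yaml is written to disk on activation but grafana keeps running with the old secret until something else restarts it; adding `restartUnits = [ "grafana.service" ];` to the attribute set ties the restart to the secret. The same gap exists in the following sections for `sops.secrets.nix-community-matrix-bot-token` (the matrix-hook unit) and `sops.secrets.oauth2-proxy-key-file` (the oauth2-proxy unit). The definition also gives no `sopsFile`, so it relies on `sops.defaultSopsFile` pointing at hosts/web02/secrets.yaml in a host-level file outside this diff; that setting should be part of the same commit or the secret will not resolve.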


@ -1,6 +1,5 @@
{
config,
inputs,
pkgs,
...
}:
@ -8,9 +7,7 @@ let
matrixHook = pkgs.matrix-hook;
in
{
age.secrets.nix-community-matrix-bot-token = {
file = "${inputs.self}/secrets/nix-community-matrix-bot-token.age";
};
sops.secrets.nix-community-matrix-bot-token = { };
users.users.matrix-hook = {
isSystemUser = true;
@ -34,7 +31,7 @@ in
serviceConfig = {
Type = "simple";
ExecStart = "${matrixHook}/bin/matrix-hook";
EnvironmentFile = [ config.age.secrets.nix-community-matrix-bot-token.path ];
EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ];
Restart = "always";
RestartSec = "10";
User = "matrix-hook";
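Review bot: `sops.secrets.nix-community-matrix-bot-token = { };` is correct as written but reads like an omission next to the other two secrets, which set an `owner`, and someone is likely to "fix" it by adding `owner = "matrix-hook";`. A one-line comment would settle it: `# root:0400 default is fine: systemd reads EnvironmentFile= with the manager's privileges, not as the matrix-hook user`. The systemd unit this `serviceConfig` belongs to starts before the hunk, so the unit name is not visible here.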


@ -1,7 +1,6 @@
{ config, inputs, ... }:
{ config, ... }:
{
age.secrets.oauth2-proxy-key-file = {
file = "${inputs.self}/secrets/oauth2-proxy-key-file.age";
sops.secrets.oauth2-proxy-key-file = {
owner = "oauth2-proxy";
};
@ -14,7 +13,7 @@
team = "admin";
};
clientID = "Ov23liKOQPREko8sCk6F";
keyFile = config.age.secrets.oauth2-proxy-key-file.path;
keyFile = config.sops.secrets.oauth2-proxy-key-file.path;
nginx.domain = "alertmanager.nix-community.org";
nginx.virtualHosts = {
"alertmanager.nix-community.org" = { };

Binary file not shown.


@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 meza2g fzLc8IHnc4PPrzITLwBg+VOlLQvDwsJrZhOsRliZ/jc
7GCGfgEtInqaAGISBCIBOjDGkDXbpZYXpOV3HyMt3r8
-> ssh-rsa ALNSWw
m3hoX1WRsEQ0M3oyavPldhx0q1VTOVCdNNgk8E6wNijHfPe4ClujH/McAaX3hDs1
f2tnO9OH4t02p03j3cTQsEFMCorDT8qd7er0Ago2NcpVK5FOvOdnShkDAf4RGqLM
v2CXsdoClsZoQJf59MfgGnAYQh9KzXs1mTKb+2Rv4eza4gcFucmVRuuyOpwkkwha
iCbKJKMpJ/zymxf2InrHMkrvFoRho5DmV9X82PeXjspEMoYryVStAPlrrUjYrddV
wXmdazvj/K/Kj7xjhakgvxQTCZbGxG5WbvPMFr2wK3FK2KJr0X0ZzigLGwfWzp+u
ak5IV9ake9jlicFS/mUdYg
-> ssh-ed25519 Qi7vNw sRlOqwFcfIZsyIGtBWSeAFZBb8uv/PJye57nxVVjzUs
B+jZMYeoNNr5fn2AjUtLWB7u2EXgTZpm3F5JmNRGiTc
-> ssh-ed25519 MW0fCg CfEoiC6q23tNDYBc/Fe64ous4qz2Nv+p/U4oM+PLFzE
7Cca1MFSHqt/NDMQrj4w2mtLV6oUvfknLaRFk2fzYLo
-> ssh-ed25519 92bXiA jCV9d+0AiLupdV6OqmsiocUcdmDK4Cqhxz/CsHzORww
heBzRcZle76rd3R/fMxrLvo9di/9u/JQukmbIWK8s28
-> ssh-ed25519 h1lenA fxkWlT1SKm3V+qSlS8XZ00llsILy3y8dvBwj9S3vtUQ
IU8aWp4hqmxDanS1q10vVp8ve2IDOaJfiwy8MpnT7AM
--- 3UYeJjdcLXxJiCdP/MF59YAvPMJp415A4MaHQIoaZzk
_€M²^¯{fTè(CUÿFÁ ¦”8Ý]†:VŠGŸÿ~Ü~¦ýÌ5I³Åþ6¶þ»9µ˜·jW0 Êç¡€•3,†Í¢ÇEÝ•¶zGÈÄwO„ürgÖkÞž_…@ç©°Lu'°RÕ‰ªÏ‮ޠ+å¤B®@ÿ¢£ò„dmÁª·,ÿ÷d}´\ |âwdx»äè6÷p~-rHÚ±È(¹<>3Âê3j²Mùå˜pîIŸ


@ -11,12 +11,7 @@ let
inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
web02 = knownHosts.web02.publicKey;
secrets = {
grafana-client-secret = [ web02 ];
nix-community-matrix-bot-token = [ web02 ];
oauth2-proxy-key-file = [ web02 ];
};
in
builtins.listToAttrs (