diff --git a/hosts/web02/secrets.yaml b/hosts/web02/secrets.yaml
new file mode 100644
index 0000000..844d6ce
--- /dev/null
+++ b/hosts/web02/secrets.yaml
@@ -0,0 +1,68 @@ +grafana-client-secret: ENC[AES256_GCM,data:GRuUZDMzzCD+iB/r4fCLG4hkWzLGrKqokm2hpMerV1X6Dn4e2PzVcQ==,iv:X7f+hLCo/cLUBRH2Yilgn5PwzN//RmIfBaVcL6US6Mg=,tag:CdUB4mXMnTBwVM7I38mfrA==,type:str] +nix-community-matrix-bot-token: ENC[AES256_GCM,data:rUi+deMQLcD0LnzpZqeezdbtwZNhHwUWMv5KlEBfWcWqJ3cZIV66G6L5MJ7v4b0r7OKrVSpQDinb+UXALO975OMr9L6EvO4Lx1RMxA==,iv:7ljmHi+P9cVVyJhpqyVvaAVy4ledqYFuqjX71J8fCk8=,tag:dAX+cJZbZ+1T9OHT57wxhA==,type:str] +oauth2-proxy-key-file: ENC[AES256_GCM,data:HaW/nIfUdrilacO9JzsEvOA+pxZ4RKxJUN8jHSEyy50g8//RRpflR+fLXZoaAOV9hE7ztWa39EqTxGAi0AKWUCrS0v72NfI+WVfsdEOifQrkPFh67fRlD7xTDDVB6hmP4JczIpu+3kGJhZm5KuQ7bNeaf6PJF1QKQ+gXYeXR3NAszfoObRq+SYR4CmA=,iv:HELIcLH/2+ve5xT3VDXClVwGHMSyLmVfJcZ/RWD/x64=,tag:5NiDA1vketWZjE5NlaQE+A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHMjkyZFF3SHFxOVhuUHlB + MzYrSy82V3Z2TlZWNUZSMEJQbk1FVkFraXk4Cjh3ZmxjMk9XMGVCZlh3amYyUWZJ + WjZnZk9LdE1uUzh4dml4KzVUWktJWjQKLS0tIG1LdkJUUmFpc0tFaUw0ZGgzSjVa + YkZ2bEpZM1dlS1hWWHNtbVFBRjI4T28KnLVBnL8NK3IarERY01q6bxX7uDcxfirO + UjRStFHeAHmVXYZpIQn0I+gB7Tf/Rul4lyP5qrTHwU1YynOlEFFuig== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeDdXSXB4RnV1emIwVVRt + SC9lNjhCNG9ON1JJN2poT3AzeXRpOE5aYVEwCnVORHZnMWN5ZHZrbUxPUEtXYWgw + MHhKeGFYTzRBUWZoNFRoMGRHNENLZk0KLS0tIFRVUUNEZUFPNk5UQThqLzdFQzJT + VkVGd0dIdVJiSWVYN2E5Tzh3Z1NKMzQK0TQJNbq19fy3WcluPwuk83Fl1IkvqkDh + 132Tom3aVDMcbVs9Z+/AW+iYUe9R3/i0i7+GQo+sIYwzc/tONMz+5g== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT1FMeXJkYk05bFpZdksw + bTJ5MjFweGdLOGRUS2pQSWJINVU0cHZKRmtzCkdhM0dzYjJDcGNzNjZkaklqK0dy + Zk51QlBUQVIrNjZTTlZDTTdIOU9aWTQKLS0tIGR1UzFTV0lMZU5MSENjVDA2VnZz + MThoSzVTaFYxUi9jRVA3N0N0N2pKMm8K2nT7ShmWPKDNDpYUSJCK5LvOsCN5N0Ht + 6VWHXROl7Tr4vW5+IozS5VoZXCHshtw2ebaJDTK0o+TrrZ5mlgtMuw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTXBqd1hneEdGVnlxTXA4 + bnlPNzdqWkY5Mm1pZzdmZ0M0WThhQzhBdTFJCm4xSDFjRWIvNGtnSUxid0N4ak1i + cHdEQVhTTGdYMndsMHBKYWk3cTdyRXcKLS0tIG4yckhCRnNiR0U4MjJSVUIvd0xa + UHV6UkdjcUl3OTVBaFdIRVJqZmtvKzgK7KijVgw/VVW+yhxBkanxle0589trZwXE + H9lEPXq9mga2b6Rb0ASEQxjNI7XvePdr/vsHeoBYpg6yo1jcWK5b0A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTWtrQXEzYnNZVnFQR29W + WFc4S084VnppNjEwbVpZUXlkTTBPOEZmZUVnCm1DNDl6c0lJSFFTRmp6YlBYZG5Y + ZWtaYllhYjdYbUdVcmhUZjFnajc0MlkKLS0tIEY4dGhLWFVVdTNhQ05wYU1nSjEw + MHNlb0lhVXMxY0pjYThiak16UmZBZkkKAXgH37v3YTtDbuC53EaTLMSS2i4d3BnD + VnD03Spq8/9FRVKp8XDN1GCW6M6D01lx7P4RK0PdEPMH+l/DvTetIw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTnZPdlE5Umt3TUxFUjA0 + d09jWWtSVEJnaEVtcWxLcWJRRzJYeDZNT1ZrCldRUldwd0RmeEFleXBvczBsNVZo + V04xQ0wzcU1lcXFPNjl6dU9uQWRWQWsKLS0tIFcyTWE4QS9sMmNoVmJ1WHAwNGVo + WWJIQnJVMVBoTkloL2UvY1AzcDNoSEkKiio0jhLaWW3SEkw9w9eYAVtA7BuyZcVd + qkvuzeNejKmoUatQctNI2dOhH0uMySIcodKVsPksHJhZ/xloYO+mjg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-19T00:50:17Z" + mac: 
ENC[AES256_GCM,data:SAoTmNYsrFjyu/z2I75WIHtSv4KSA3OMBaw8CwmW+vpUbLx9chHiJlO4j4XRD50iddDu3LLtXDtSWq3ESiUVlpmOXLnhiIpMGptZjYJmLqT4D4B4pMcjOixUG/At/nkuY/3qaVhqan5f/mX6lwsJJAswNpVe8OeEw7NNUW9BQVA=,iv:SdX2bp7cyIQ+rhLIexeK6SzbyDnuQXrjBai5gFW8qMw=,tag:yn6mi65mbXBnza1NgZSx1w==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.2
diff --git a/modules/nixos/monitoring/grafana.nix b/modules/nixos/monitoring/grafana.nix
index e9f0f81..ed919cf 100644
--- a/modules/nixos/monitoring/grafana.nix
+++ b/modules/nixos/monitoring/grafana.nix
@@ -1,9 +1,8 @@
-{ config, inputs, ... }:
+{ config, ... }:
 {
 systemd.services.grafana.after = [ config.systemd.services.prometheus.name ];
- age.secrets.grafana-client-secret = {
- file = "${inputs.self}/secrets/grafana-client-secret.age";
+ sops.secrets.grafana-client-secret = {
 owner = "grafana";
 };
@@ -19,7 +18,7 @@
 "auth.github" = {
 enabled = true;
 client_id = "ea6aa36488df8b2dede6";
- client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
+ client_secret = "$__file{${config.sops.secrets.grafana-client-secret.path}}";
 auth_url = "https://github.com/login/oauth/authorize";
 token_url = "https://github.com/login/oauth/access_token";
 api_url = "https://api.github.com/user";
diff --git a/modules/nixos/monitoring/matrix-hook.nix b/modules/nixos/monitoring/matrix-hook.nix
index 55b875b..7acece0 100644
--- a/modules/nixos/monitoring/matrix-hook.nix
+++ b/modules/nixos/monitoring/matrix-hook.nix
@@ -1,6 +1,5 @@
 {
 config,
- inputs,
 pkgs,
 ...
 }:
@@ -8,9 +7,7 @@ let
 matrixHook = pkgs.matrix-hook;
 in
 {
- age.secrets.nix-community-matrix-bot-token = {
- file = "${inputs.self}/secrets/nix-community-matrix-bot-token.age";
- };
+ sops.secrets.nix-community-matrix-bot-token = { };
 users.users.matrix-hook = {
 isSystemUser = true;
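Review bot: This file is encrypted to seven age recipients, one more than the six ssh recipients (one ssh-rsa, five ssh-ed25519) the deleted secrets/oauth2-proxy-key-file.age carried, and nothing in the diff says which admin or which host key each `age1…` recipient corresponds to — the `.sops.yaml` creation rule that produced this list is not part of the change. Please confirm that every recipient here maps to a known operator or to web02's own host key, and document that mapping next to the rule, since an unexplained recipient is an unexplained decryption capability. If the move was also meant to drop any of the old ssh recipients, note that the previous ciphertexts remain in git history, so the underlying GitHub client secret, Matrix token and oauth2-proxy secrets should be rotated rather than only re-encrypted. The `mac` and `lastmodified` fields are present, so sops will detect tampering with the encrypted values as expected.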
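Review bot: The new `sops.secrets.grafana-client-secret` declaration carries no restart hook, so when the value in secrets.yaml is rotated the file under `config.sops.secrets.grafana-client-secret.path` changes on activation but grafana.service, which only reads it once through `$__file{…}` at startup, keeps the stale secret until something else restarts it. If I recall sops-nix correctly, `restartUnits = [ "grafana.service" ];` placed next to `owner = "grafana";` closes that gap; the removed agenix block had the same omission, so this is a follow-up rather than a regression. The module body continues past the end of the hunk.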
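Review bot: `sops.secrets.nix-community-matrix-bot-token = { };` keeps sops-nix's default root-owned, mode 0400 file, which is only safe to leave that way because the later hunk hands the path to systemd's `EnvironmentFile` (read by systemd itself before the unit drops to `User = "matrix-hook"`); a one-line comment such as `# root-owned is fine: consumed via EnvironmentFile, not by the process` would stop a future edit from adding `owner = "matrix-hook"` or moving the path into the command line. Because it is an environment file, the decrypted content must already be in `KEY=value` form — a bare token line is, as far as I remember, ignored by systemd with only a journal warning, which would surface as the hook silently failing to authenticate. The plaintext cannot be compared with the deleted .age file here, so please confirm the re-encrypted value kept that shape. The enclosing module continues outside the hunk.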
@@ -34,7 +31,7 @@ in
 serviceConfig = {
 Type = "simple";
 ExecStart = "${matrixHook}/bin/matrix-hook";
- EnvironmentFile = [ config.age.secrets.nix-community-matrix-bot-token.path ];
+ EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ];
 Restart = "always";
 RestartSec = "10";
 User = "matrix-hook";
diff --git a/modules/nixos/monitoring/oauth2-proxy.nix b/modules/nixos/monitoring/oauth2-proxy.nix
index 09a98fb..2be5005 100644
--- a/modules/nixos/monitoring/oauth2-proxy.nix
+++ b/modules/nixos/monitoring/oauth2-proxy.nix
@@ -1,7 +1,6 @@
-{ config, inputs, ... }:
+{ config, ... }:
 {
- age.secrets.oauth2-proxy-key-file = {
- file = "${inputs.self}/secrets/oauth2-proxy-key-file.age";
+ sops.secrets.oauth2-proxy-key-file = {
 owner = "oauth2-proxy";
 };
@@ -14,7 +13,7 @@
 team = "admin";
 };
 clientID = "Ov23liKOQPREko8sCk6F";
- keyFile = config.age.secrets.oauth2-proxy-key-file.path;
+ keyFile = config.sops.secrets.oauth2-proxy-key-file.path;
 nginx.domain = "alertmanager.nix-community.org";
 nginx.virtualHosts = {
 "alertmanager.nix-community.org" = { };
diff --git a/secrets/grafana-client-secret.age b/secrets/grafana-client-secret.age
deleted file mode 100644
index b92b402..0000000
Binary files a/secrets/grafana-client-secret.age and /dev/null differ
diff --git a/secrets/nix-community-matrix-bot-token.age b/secrets/nix-community-matrix-bot-token.age
deleted file mode 100644
index 080c7ef..0000000
Binary files a/secrets/nix-community-matrix-bot-token.age and /dev/null differ
diff --git a/secrets/oauth2-proxy-key-file.age b/secrets/oauth2-proxy-key-file.age
deleted file mode 100644
index a92ec43..0000000
--- a/secrets/oauth2-proxy-key-file.age
+++ /dev/null
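Review bot: The `sops.secrets.oauth2-proxy-key-file` block sets `owner = "oauth2-proxy"` but nothing ties the secret to the service lifecycle, so a rotated cookie or client secret in secrets.yaml will land in `/run/secrets` on the next activation while the already-running oauth2-proxy keeps validating sessions with the old keys until it happens to restart. Adding `restartUnits = [ "oauth2-proxy.service" ];` beside the `owner` line makes rotation take effect on deploy; I am going from memory on the sops-nix option name, so please check it against the module. The value is consumed through `keyFile` in the later hunk, which I believe the NixOS oauth2-proxy module reads as an environment file, so the decrypted content needs to stay in `OAUTH2_PROXY_*=…` form — not something this diff lets a reviewer verify. Both hunks sit inside a module body that extends beyond them.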
@@ -1,20 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 meza2g fzLc8IHnc4PPrzITLwBg+VOlLQvDwsJrZhOsRliZ/jc -7GCGfgEtInqaAGISBCIBOjDGkDXbpZYXpOV3HyMt3r8 --> ssh-rsa ALNSWw -m3hoX1WRsEQ0M3oyavPldhx0q1VTOVCdNNgk8E6wNijHfPe4ClujH/McAaX3hDs1 -f2tnO9OH4t02p03j3cTQsEFMCorDT8qd7er0Ago2NcpVK5FOvOdnShkDAf4RGqLM -v2CXsdoClsZoQJf59MfgGnAYQh9KzXs1mTKb+2Rv4eza4gcFucmVRuuyOpwkkwha -iCbKJKMpJ/zymxf2InrHMkrvFoRho5DmV9X82PeXjspEMoYryVStAPlrrUjYrddV -wXmdazvj/K/Kj7xjhakgvxQTCZbGxG5WbvPMFr2wK3FK2KJr0X0ZzigLGwfWzp+u -ak5IV9ake9jlicFS/mUdYg --> ssh-ed25519 Qi7vNw sRlOqwFcfIZsyIGtBWSeAFZBb8uv/PJye57nxVVjzUs -B+jZMYeoNNr5fn2AjUtLWB7u2EXgTZpm3F5JmNRGiTc --> ssh-ed25519 MW0fCg CfEoiC6q23tNDYBc/Fe64ous4qz2Nv+p/U4oM+PLFzE -7Cca1MFSHqt/NDMQrj4w2mtLV6oUvfknLaRFk2fzYLo --> ssh-ed25519 92bXiA jCV9d+0AiLupdV6OqmsiocUcdmDK4Cqhxz/CsHzORww -heBzRcZle76rd3R/fMxrLvo9di/9u/JQukmbIWK8s28 --> ssh-ed25519 h1lenA fxkWlT1SKm3V+qSlS8XZ00llsILy3y8dvBwj9S3vtUQ -IU8aWp4hqmxDanS1q10vVp8ve2IDOaJfiwy8MpnT7AM ---- 3UYeJjdcLXxJiCdP/MF59YAvPMJp415A4MaHQIoaZzk -_�M�^�{fT�(CU�F����8�]�:V�G��~�~���5I���6���9���jW�0 �础�3,�͢�Eݕ�zG��wO��rg�kޖ�_�@穰Lu'�RՉ��ޠ+�B�@����dm���,��d}�\�|�wdx���6�p~-rHڱ�(��3��3j�M��p�I� \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e6b023b..02cbb51 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,12 +11,7 @@ let inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts; - web02 = knownHosts.web02.publicKey; - secrets = { - grafana-client-secret = [ web02 ]; - nix-community-matrix-bot-token = [ web02 ]; - oauth2-proxy-key-file = [ web02 ]; }; in builtins.listToAttrs (
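Review bot: After this hunk `secrets = { };` is empty, so the `builtins.listToAttrs` at the bottom evaluates to `{ }` and the surviving `inherit (...) knownHosts;` no longer has a consumer in the visible lines — the agenix rules file appears to be dead code rather than merely trimmed. If no other agenix secrets remain in the repository, deleting secrets/secrets.nix outright (and any flake input or module that imports agenix for it) keeps two secret-management schemes from coexisting; if some do remain outside this hunk, at least drop the unused `inherit` so the known-hosts import is not mistaken for an active trust relationship. The `let … in` expression starts before the hunk and its closing expression runs past it.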