From 632d80837c9edf7bc98ce7a8948885fff5323c6a Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 19 Dec 2024 10:42:30 +1000
Subject: [PATCH] web02: move secrets to sops
---
 hosts/web02/secrets.yaml | 68 +++++++++++++++++++++
 modules/nixos/monitoring/grafana.nix | 7 +--
 modules/nixos/monitoring/matrix-hook.nix | 7 +--
 modules/nixos/monitoring/oauth2-proxy.nix | 7 +--
 secrets/grafana-client-secret.age | Bin 1059 -> 0 bytes
 secrets/nix-community-matrix-bot-token.age | Bin 1094 -> 0 bytes
 secrets/oauth2-proxy-key-file.age | 20 ------
 secrets/secrets.nix | 5 --
 8 files changed, 76 insertions(+), 38 deletions(-)
 create mode 100644 hosts/web02/secrets.yaml
 delete mode 100644 secrets/grafana-client-secret.age
 delete mode 100644 secrets/nix-community-matrix-bot-token.age
 delete mode 100644 secrets/oauth2-proxy-key-file.age
diff --git a/hosts/web02/secrets.yaml b/hosts/web02/secrets.yaml
new file mode 100644
index 0000000..844d6ce
--- /dev/null
+++ b/hosts/web02/secrets.yaml
@@ -0,0 +1,68 @@ +grafana-client-secret: ENC[AES256_GCM,data:GRuUZDMzzCD+iB/r4fCLG4hkWzLGrKqokm2hpMerV1X6Dn4e2PzVcQ==,iv:X7f+hLCo/cLUBRH2Yilgn5PwzN//RmIfBaVcL6US6Mg=,tag:CdUB4mXMnTBwVM7I38mfrA==,type:str] +nix-community-matrix-bot-token: ENC[AES256_GCM,data:rUi+deMQLcD0LnzpZqeezdbtwZNhHwUWMv5KlEBfWcWqJ3cZIV66G6L5MJ7v4b0r7OKrVSpQDinb+UXALO975OMr9L6EvO4Lx1RMxA==,iv:7ljmHi+P9cVVyJhpqyVvaAVy4ledqYFuqjX71J8fCk8=,tag:dAX+cJZbZ+1T9OHT57wxhA==,type:str] +oauth2-proxy-key-file: ENC[AES256_GCM,data:HaW/nIfUdrilacO9JzsEvOA+pxZ4RKxJUN8jHSEyy50g8//RRpflR+fLXZoaAOV9hE7ztWa39EqTxGAi0AKWUCrS0v72NfI+WVfsdEOifQrkPFh67fRlD7xTDDVB6hmP4JczIpu+3kGJhZm5KuQ7bNeaf6PJF1QKQ+gXYeXR3NAszfoObRq+SYR4CmA=,iv:HELIcLH/2+ve5xT3VDXClVwGHMSyLmVfJcZ/RWD/x64=,tag:5NiDA1vketWZjE5NlaQE+A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHMjkyZFF3SHFxOVhuUHlB + MzYrSy82V3Z2TlZWNUZSMEJQbk1FVkFraXk4Cjh3ZmxjMk9XMGVCZlh3amYyUWZJ + WjZnZk9LdE1uUzh4dml4KzVUWktJWjQKLS0tIG1LdkJUUmFpc0tFaUw0ZGgzSjVa + YkZ2bEpZM1dlS1hWWHNtbVFBRjI4T28KnLVBnL8NK3IarERY01q6bxX7uDcxfirO + UjRStFHeAHmVXYZpIQn0I+gB7Tf/Rul4lyP5qrTHwU1YynOlEFFuig== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeDdXSXB4RnV1emIwVVRt + SC9lNjhCNG9ON1JJN2poT3AzeXRpOE5aYVEwCnVORHZnMWN5ZHZrbUxPUEtXYWgw + MHhKeGFYTzRBUWZoNFRoMGRHNENLZk0KLS0tIFRVUUNEZUFPNk5UQThqLzdFQzJT + VkVGd0dIdVJiSWVYN2E5Tzh3Z1NKMzQK0TQJNbq19fy3WcluPwuk83Fl1IkvqkDh + 132Tom3aVDMcbVs9Z+/AW+iYUe9R3/i0i7+GQo+sIYwzc/tONMz+5g== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT1FMeXJkYk05bFpZdksw + bTJ5MjFweGdLOGRUS2pQSWJINVU0cHZKRmtzCkdhM0dzYjJDcGNzNjZkaklqK0dy + Zk51QlBUQVIrNjZTTlZDTTdIOU9aWTQKLS0tIGR1UzFTV0lMZU5MSENjVDA2VnZz + MThoSzVTaFYxUi9jRVA3N0N0N2pKMm8K2nT7ShmWPKDNDpYUSJCK5LvOsCN5N0Ht + 6VWHXROl7Tr4vW5+IozS5VoZXCHshtw2ebaJDTK0o+TrrZ5mlgtMuw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTXBqd1hneEdGVnlxTXA4 + bnlPNzdqWkY5Mm1pZzdmZ0M0WThhQzhBdTFJCm4xSDFjRWIvNGtnSUxid0N4ak1i + cHdEQVhTTGdYMndsMHBKYWk3cTdyRXcKLS0tIG4yckhCRnNiR0U4MjJSVUIvd0xa + UHV6UkdjcUl3OTVBaFdIRVJqZmtvKzgK7KijVgw/VVW+yhxBkanxle0589trZwXE + H9lEPXq9mga2b6Rb0ASEQxjNI7XvePdr/vsHeoBYpg6yo1jcWK5b0A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTWtrQXEzYnNZVnFQR29W + WFc4S084VnppNjEwbVpZUXlkTTBPOEZmZUVnCm1DNDl6c0lJSFFTRmp6YlBYZG5Y + ZWtaYllhYjdYbUdVcmhUZjFnajc0MlkKLS0tIEY4dGhLWFVVdTNhQ05wYU1nSjEw + MHNlb0lhVXMxY0pjYThiak16UmZBZkkKAXgH37v3YTtDbuC53EaTLMSS2i4d3BnD + VnD03Spq8/9FRVKp8XDN1GCW6M6D01lx7P4RK0PdEPMH+l/DvTetIw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTnZPdlE5Umt3TUxFUjA0 + d09jWWtSVEJnaEVtcWxLcWJRRzJYeDZNT1ZrCldRUldwd0RmeEFleXBvczBsNVZo + V04xQ0wzcU1lcXFPNjl6dU9uQWRWQWsKLS0tIFcyTWE4QS9sMmNoVmJ1WHAwNGVo + WWJIQnJVMVBoTkloL2UvY1AzcDNoSEkKiio0jhLaWW3SEkw9w9eYAVtA7BuyZcVd + qkvuzeNejKmoUatQctNI2dOhH0uMySIcodKVsPksHJhZ/xloYO+mjg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-19T00:50:17Z" + mac: 
ENC[AES256_GCM,data:SAoTmNYsrFjyu/z2I75WIHtSv4KSA3OMBaw8CwmW+vpUbLx9chHiJlO4j4XRD50iddDu3LLtXDtSWq3ESiUVlpmOXLnhiIpMGptZjYJmLqT4D4B4pMcjOixUG/At/nkuY/3qaVhqan5f/mX6lwsJJAswNpVe8OeEw7NNUW9BQVA=,iv:SdX2bp7cyIQ+rhLIexeK6SzbyDnuQXrjBai5gFW8qMw=,tag:yn6mi65mbXBnza1NgZSx1w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2
diff --git a/modules/nixos/monitoring/grafana.nix b/modules/nixos/monitoring/grafana.nix
index e9f0f81..ed919cf 100644
--- a/modules/nixos/monitoring/grafana.nix
+++ b/modules/nixos/monitoring/grafana.nix
@@ -1,9 +1,8 @@
-{ config, inputs, ... }:
+{ config, ... }:
 {
 systemd.services.grafana.after = [ config.systemd.services.prometheus.name ];
- age.secrets.grafana-client-secret = {
- file = "${inputs.self}/secrets/grafana-client-secret.age";
+ sops.secrets.grafana-client-secret = {
 owner = "grafana";
 };
@@ -19,7 +18,7 @@
 "auth.github" = {
 enabled = true;
 client_id = "ea6aa36488df8b2dede6";
- client_secret = "$__file{${config.age.secrets.grafana-client-secret.path}}";
+ client_secret = "$__file{${config.sops.secrets.grafana-client-secret.path}}";
 auth_url = "https://github.com/login/oauth/authorize";
 token_url = "https://github.com/login/oauth/access_token";
 api_url = "https://api.github.com/user";
diff --git a/modules/nixos/monitoring/matrix-hook.nix b/modules/nixos/monitoring/matrix-hook.nix
index 55b875b..7acece0 100644
--- a/modules/nixos/monitoring/matrix-hook.nix
+++ b/modules/nixos/monitoring/matrix-hook.nix
@@ -1,6 +1,5 @@
 {
 config,
- inputs,
 pkgs,
 ...
 }:
@@ -8,9 +7,7 @@ let
 matrixHook = pkgs.matrix-hook;
 in
 {
- age.secrets.nix-community-matrix-bot-token = {
- file = "${inputs.self}/secrets/nix-community-matrix-bot-token.age";
- };
+ sops.secrets.nix-community-matrix-bot-token = { };
 users.users.matrix-hook = {
 isSystemUser = true;
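Review bot: The recipient set of hosts/web02/secrets.yaml cannot be checked against policy from this patch: the file is encrypted to six age recipients, but the `.sops.yaml` creation rule that should pin those keys for `hosts/web02/` is not part of the commit, while the secrets.nix mapping that at least recorded `knownHosts.web02.publicKey` as a recipient of these three secrets is being deleted. Presumably one of the six is web02's host key in age form (sops-nix derives it from the host's ssh ed25519 key via `sops.age.sshKeyPaths` by default) and the others are admin keys. If the creation rule already exists, cross-checking the six recipients here against it before merging is enough; if it does not, adding one for `hosts/web02/` is what makes a later `sops updatekeys` verifiable.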
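Review bot: Secret rotation is not wired to the consuming units in any of the three converted modules: `sops.secrets.grafana-client-secret` here, `sops.secrets.nix-community-matrix-bot-token` in matrix-hook.nix and `sops.secrets.oauth2-proxy-key-file` in oauth2-proxy.nix set at most an owner, so a re-encrypted value is placed on activation but grafana (which reads it once via `$__file{…}`), matrix-hook (EnvironmentFile) and oauth2-proxy (keyFile) keep the old value until something else restarts them. sops-nix's per-secret `restartUnits` covers this, e.g. `restartUnits = [ "grafana.service" ];` inside the attrset, with the matrix-hook and oauth2-proxy units for the other two. The modules also no longer name the file the secret comes from: unlike the removed `file = "${inputs.self}/secrets/…"`, they rely on a host-level `sops.defaultSopsFile` (presumably pointing at the new hosts/web02/secrets.yaml) that this patch does not show, so it is worth confirming it is set for web02 or giving each secret an explicit `sopsFile`.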
@@ -34,7 +31,7 @@ in
 serviceConfig = {
 Type = "simple";
 ExecStart = "${matrixHook}/bin/matrix-hook";
- EnvironmentFile = [ config.age.secrets.nix-community-matrix-bot-token.path ];
+ EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ];
 Restart = "always";
 RestartSec = "10";
 User = "matrix-hook";
diff --git a/modules/nixos/monitoring/oauth2-proxy.nix b/modules/nixos/monitoring/oauth2-proxy.nix
index 09a98fb..2be5005 100644
--- a/modules/nixos/monitoring/oauth2-proxy.nix
+++ b/modules/nixos/monitoring/oauth2-proxy.nix
@@ -1,7 +1,6 @@
-{ config, inputs, ... }:
+{ config, ... }:
 {
- age.secrets.oauth2-proxy-key-file = {
- file = "${inputs.self}/secrets/oauth2-proxy-key-file.age";
+ sops.secrets.oauth2-proxy-key-file = {
 owner = "oauth2-proxy";
 };
@@ -14,7 +13,7 @@
 team = "admin";
 };
 clientID = "Ov23liKOQPREko8sCk6F";
- keyFile = config.age.secrets.oauth2-proxy-key-file.path;
+ keyFile = config.sops.secrets.oauth2-proxy-key-file.path;
 nginx.domain = "alertmanager.nix-community.org";
 nginx.virtualHosts = {
 "alertmanager.nix-community.org" = { };
diff --git a/secrets/grafana-client-secret.age b/secrets/grafana-client-secret.age deleted file mode 100644 index b92b402b67c9175aa079800c5a3cf42174a65af4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1059 zcmZ9Lxvt}607j=BOH;B4QCOlv(H-w`(p==&PMmm;<M@vo<mHd|HSrP`Q%!}?ZK#nD z;srn&i2~8U0{|5b&p?Ba=(x>o?h_oH@6+)jcn8a%z17#GDqmM^g!Ke+caL5!@f{3F zh9Q<{0Vj`)&>hSMx-1BqKelq$>ab0MtTzp=S&lm$sJFJO&cXl>qKG)sG6Ob2P(_*_ zMtQs$`eJvE%yN-*0_p6ovNBngq)I0JL~Ab|$|;)V3<#te@5HFkRaU*Fs+Cd-@?dUT zee3%4u@{b^r4mMx)>ySW>p)_xx)|(!-pzZjFarWPY_yTmFSCN-vbnq$4|5}%V-4kQ z$e66QW_r-!wgC*FSgap{#ptV%t(qX+i=a=P9--lWFdeP%A3fGKpsKV3P%6N}++I&( z7mwD=a^>K}7cRfP5pto+o3!Bs!AX271rfs9PA&E^mNwN??3s05aNTk+FngD-Trm!- z8C_TwC$D6?Kkl+Uui@hHR!Gu`Z!ukV5ZIS^Q^@B-yEr5!D=Tf6I!rsnm4DPHgYJ0O zq&Mb7t%NM(;7S-=c1;DzRcS@JS6pP#NcJH3^g=oBtgQ|=@wk{rPisGYYbI>34d~ip zTE`!-l4^URC32z*=+iQpm1%WdA8K&evYmQ^M3#uiL>g5fG=4Cpn2c4%+EaXZ=7i&J zIc1|Tm^Ii)p?9ma>^V(!@G~EwYY$`jD(;Fv$=PCTNG`eI%a{*?wo7zMTLFnJayTzn z0RoFP=q}0?HyM_Sv@yi0kUpxClj(lgKqVF&ds9tiC9BVAOVS4khej8xV(^^b9!Ff1 zdeOylBjuZE&z}rJd(?#)Hy`oJ6>-GinF*`+J$q)vc554&-QP%1FTBg%1$f!DAx;-y zBi=IZIV~n~SaRst^BX|b9cWnUYHpM?Y$y`!>V{p>d9V3%AAltlbe>fqvx~%LH9rlG zo?rKIw8>f3Yq3R{UM&VILg1-U!JoNR`B=%_9lBlPkD0CMeNUuL)^?_NnECW}srtMp z_@%5nS-m`xUM`=IH=nQUuYW;5!Cr{SSMuL)K5Xwl`h$G&um8<E^XG@Zh=0CxKK|*? qSby)c?_R$D61{&{|8|2v_TPW{g*yEA`@^rV?jOE=t^V-A+y4O?xnQLL 
diff --git a/secrets/nix-community-matrix-bot-token.age b/secrets/nix-community-matrix-bot-token.age deleted file mode 100644 index 080c7efe7cb216fd8486ebf6241d055fcca5e0ec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1094 zcmZY6z3bz20LO7h2?#p4=u+jthuBM#G)?0mB+WycCTSkqrs$C8=ArpE56#mg4hlM` z+#rIJleajD!|5P`xae{y2tFLh4Z^t`IH-d<{g(4Dc=7&xoG2IvxmWh*ItKZ5P)10D zLgSZ4RdpN(K1L8IH97@@gGHk?YFKg`iymRmgUcFNVFp?=u!OKg<W=O8erA&Cso3-u zM3L>O5jH(PrxI%&U8)9)H;Xh(8n@eRb*)mwE?`tY7UV0fteg=oDaNja7~)9zuu#SP zzAm_cL*YZW?EGkOf`poL8bT_9aPVSnQqOup3+ssM9chZL4&AVUMFt|k8tn0YOYdSW zSppdbtWLs}T%1;hevXLA(3Vmt)qB4h0+<r_<?bvBn2yc~+362F#8JVppk+r|tT}T# z@RTECY1)T#xXh55617QzsI<=MouwNqu{}6@-UiZSI;{yk2R=le&T1{<LY%k$x$*6Q zE2P8J;4^c#2t&h$)j{!hm!$40P^6x`a~-C1=SzM=hTG`OK^DKs>QpYBLRu8U8hC!E zL|T&ZlB5H<N2>;zh(WTAVN*4Wfv~s4K9*;Vcqt=VHFAgnS~_<{nmjbViS$4tQUZyt z*1q~yi^)c5N4738gt*iL6tI)rSC^iuSjN6QPdzr9;I0*LYHOQ7oY2rIJ|YEO)`u15 zBlNJg4kbBdXMu>MG0H43d=qr1vUM}weo&KllW-A@T*`H0I-V6qI0!S`<5;4Vax|$? zokw7rPXMNFazYI!06NYSyO~9^L7QvlB9XGhOJ%<4_fb_%SHh*xb2wVEE6md#)F{l| z$Mi^&kDP<^ZcMaFSe=*@8&)|DHt5hx^>Ul>ZZ|ApI1f7uatYMzLN~-!jp<PQL~yCK z5+w^!E}9u|-LarDBgI1?{;%zbW<gGmG8~VLe6~7F7%keWJJHt}E@j<?c)1*@j9g9l zmT4O<P9~7C=xu>r42eOw)Lur3rX$#@nBsN79ZiH+B-^P5R^vPXjmP6r5K}~EY}g?; z0AI}#!p@Mu5VpQ>T;i43iWn943JHfn1-<d^_<iHvN7Q#We!GA3k&FD#pLg#*{`x~N z9>2ILfB4?*-@hM!=6?Rnt*4%T#eMt9JCA;F?b`6|Uo86YzmL5zzy21u!+ren{nZao sG_QdlHRneE&9-~)tI?}JJ%8_)+xjP8|BAi&^E;n<&9h&^f86@}KO3EQ>Hq)$ diff --git a/secrets/oauth2-proxy-key-file.age b/secrets/oauth2-proxy-key-file.age deleted file mode 100644 index a92ec43..0000000 --- a/secrets/oauth2-proxy-key-file.age +++ /dev/null 
@@ -1,20 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 meza2g fzLc8IHnc4PPrzITLwBg+VOlLQvDwsJrZhOsRliZ/jc -7GCGfgEtInqaAGISBCIBOjDGkDXbpZYXpOV3HyMt3r8 --> ssh-rsa ALNSWw -m3hoX1WRsEQ0M3oyavPldhx0q1VTOVCdNNgk8E6wNijHfPe4ClujH/McAaX3hDs1 -f2tnO9OH4t02p03j3cTQsEFMCorDT8qd7er0Ago2NcpVK5FOvOdnShkDAf4RGqLM -v2CXsdoClsZoQJf59MfgGnAYQh9KzXs1mTKb+2Rv4eza4gcFucmVRuuyOpwkkwha -iCbKJKMpJ/zymxf2InrHMkrvFoRho5DmV9X82PeXjspEMoYryVStAPlrrUjYrddV -wXmdazvj/K/Kj7xjhakgvxQTCZbGxG5WbvPMFr2wK3FK2KJr0X0ZzigLGwfWzp+u -ak5IV9ake9jlicFS/mUdYg --> ssh-ed25519 Qi7vNw sRlOqwFcfIZsyIGtBWSeAFZBb8uv/PJye57nxVVjzUs -B+jZMYeoNNr5fn2AjUtLWB7u2EXgTZpm3F5JmNRGiTc --> ssh-ed25519 MW0fCg CfEoiC6q23tNDYBc/Fe64ous4qz2Nv+p/U4oM+PLFzE -7Cca1MFSHqt/NDMQrj4w2mtLV6oUvfknLaRFk2fzYLo --> ssh-ed25519 92bXiA jCV9d+0AiLupdV6OqmsiocUcdmDK4Cqhxz/CsHzORww -heBzRcZle76rd3R/fMxrLvo9di/9u/JQukmbIWK8s28 --> ssh-ed25519 h1lenA fxkWlT1SKm3V+qSlS8XZ00llsILy3y8dvBwj9S3vtUQ -IU8aWp4hqmxDanS1q10vVp8ve2IDOaJfiwy8MpnT7AM ---- 3UYeJjdcLXxJiCdP/MF59YAvPMJp415A4MaHQIoaZzk -_�M�^�{fT�(CU�F����8�]�:V�G��~�~���5I���6���9���jW�0 �础�3,�͢�Eݕ�zG��wO��rg�kޖ�_�@穰Lu'�RՉ��ޠ+�B�@����dm���,��d}�\�|�wdx���6�p~-rHڱ�(��3��3j�M��p�I� \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e6b023b..02cbb51 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,12 +11,7 @@ let inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts; - web02 = knownHosts.web02.publicKey; - secrets = { - grafana-client-secret = [ web02 ]; - nix-community-matrix-bot-token = [ web02 ]; - oauth2-proxy-key-file = [ web02 ]; }; in builtins.listToAttrs (