remove agenix and migrate secrets to clan vars

squash this
Romain Paquet 2025-07-18 00:10:29 +02:00
parent b91a52da5e
commit 8b3841a87f
18 changed files with 96 additions and 165 deletions


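--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -8,7 +8,6 @@
 {
 devShells.default = pkgs.mkShellNoCC {
 packages = [
-inputs'.agenix.packages.default
 inputs'.clan-core.packages.clan-cli
 pkgs.garage
 pkgs.nil # Nix language server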

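--- a/flake.lock
+++ b/flake.lock
@@ -1,28 +1,5 @@
 {
 "nodes": {
-"agenix": {
-"inputs": {
-"darwin": "darwin",
-"home-manager": "home-manager",
-"nixpkgs": [
-"nixpkgs"
-],
-"systems": "systems"
-},
-"locked": {
-"lastModified": 1750173260,
-"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
-"owner": "ryantm",
-"repo": "agenix",
-"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
-"type": "github"
-},
-"original": {
-"owner": "ryantm",
-"repo": "agenix",
-"type": "github"
-}
-},
 "clan-core": {
 "inputs": {
 "data-mesher": "data-mesher",
@@ -37,7 +14,7 @@
 "nixpkgs"
 ],
 "sops-nix": "sops-nix",
-"systems": "systems_2",
+"systems": "systems",
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
@@ -54,28 +31,6 @@
 "url": "https://git.clan.lol/clan/clan-core"
 }
 },
-"darwin": {
-"inputs": {
-"nixpkgs": [
-"agenix",
-"nixpkgs"
-]
-},
-"locked": {
-"lastModified": 1744478979,
-"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
-"owner": "lnl7",
-"repo": "nix-darwin",
-"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
-"type": "github"
-},
-"original": {
-"owner": "lnl7",
-"ref": "master",
-"repo": "nix-darwin",
-"type": "github"
-}
-},
 "data-mesher": {
 "inputs": {
 "flake-parts": [
@@ -228,7 +183,7 @@
 },
 "flake-utils_2": {
 "inputs": {
-"systems": "systems_5"
+"systems": "systems_4"
 },
 "locked": {
 "lastModified": 1726560853,
@@ -283,27 +238,6 @@
 }
 },
 "home-manager": {
-"inputs": {
-"nixpkgs": [
-"agenix",
-"nixpkgs"
-]
-},
-"locked": {
-"lastModified": 1745494811,
-"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
-"owner": "nix-community",
-"repo": "home-manager",
-"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
-"type": "github"
-},
-"original": {
-"owner": "nix-community",
-"repo": "home-manager",
-"type": "github"
-}
-},
-"home-manager_2": {
 "inputs": {
 "nixpkgs": [
 "nixpkgs"
@@ -330,7 +264,7 @@
 "nixpkgs": [
 "nixpkgs"
 ],
-"systems": "systems_3"
+"systems": "systems_2"
 },
 "locked": {
 "lastModified": 1751905641,
@@ -366,7 +300,7 @@
 "nixpkgs": [
 "nixpkgs"
 ],
-"systems": "systems_4"
+"systems": "systems_3"
 },
 "locked": {
 "lastModified": 1745334376,
@@ -565,11 +499,10 @@
 },
 "root": {
 "inputs": {
-"agenix": "agenix",
 "clan-core": "clan-core",
 "disko": "disko_2",
 "flake-parts": "flake-parts",
-"home-manager": "home-manager_2",
+"home-manager": "home-manager",
 "ignis": "ignis",
 "impermanence": "impermanence",
 "matugen": "matugen",
@@ -617,16 +550,16 @@
 },
 "systems_2": {
 "locked": {
-"lastModified": 1681028828,
-"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"lastModified": 1689347949,
+"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
 "owner": "nix-systems",
-"repo": "default",
-"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"repo": "default-linux",
+"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
 "type": "github"
 },
 "original": {
 "owner": "nix-systems",
-"repo": "default",
+"repo": "default-linux",
 "type": "github"
 }
 },
@@ -646,21 +579,6 @@
 }
 },
 "systems_4": {
-"locked": {
-"lastModified": 1689347949,
-"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
-"owner": "nix-systems",
-"repo": "default-linux",
-"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
-"type": "github"
-},
-"original": {
-"owner": "nix-systems",
-"repo": "default-linux",
-"type": "github"
-}
-},
-"systems_5": {
 "locked": {
 "lastModified": 1681028828,
 "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",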


@ -75,9 +75,6 @@
nixos-generators.url = "github:nix-community/nixos-generators"; nixos-generators.url = "github:nix-community/nixos-generators";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
clan-core.url = "git+https://git.clan.lol/clan/clan-core"; clan-core.url = "git+https://git.clan.lol/clan/clan-core";
clan-core.inputs.nixpkgs.follows = "nixpkgs"; clan-core.inputs.nixpkgs.follows = "nixpkgs";
clan-core.inputs.flake-parts.follows = "flake-parts"; clan-core.inputs.flake-parts.follows = "flake-parts";


@ -2,7 +2,7 @@
{ {
services.radicle = { services.radicle = {
enable = true; enable = true;
privateKeyFile = config.age.secrets.radicle-private-key.path; privateKeyFile = config.clan.core.vars.generators.radicle.files.radicle-private-key.path;
publicKey = keys.services.radicle; publicKey = keys.services.radicle;
node = { node = {
openFirewall = true; openFirewall = true;
@ -17,5 +17,11 @@
}; };
}; };
age.secrets.radicle-private-key.file = ../../secrets/radicle-private-key.age; clan.core.vars.generators.radicle = {
prompts.radicle-private-key = {
description = "radicle node private key";
type = "hidden";
persist = true;
};
};
} }
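Review bot: `prompts.radicle-private-key` is declared with `type = "hidden"`, which reads a single non-echoed line, while the value `privateKeyFile` points at is the key file radicle itself writes, which is OpenSSH-format and spans several lines; unless the key is pasted in some single-line form, a one-line prompt would store only its first line, so `type = "multiline"` (or a non-echoing multi-line type, if the installed clan-core offers one) is what to confirm here. Unlike the freshrss and syncthing generators in this commit, no `files.radicle-private-key.owner` is set, so the file stays root-owned; that only works if the radicle service loads the key through systemd credentials rather than opening the path as its own user, which is worth verifying against the module. Blank lines of this hunk are not rendered on this page, so its exact layout is not fully visible.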


@ -1,21 +1,25 @@
{ config, ... }: { config, ... }:
{ {
imports = [
../../modules/gandi.nix
];
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "admin@rpqt.fr"; defaults.email = "admin@rpqt.fr";
}; };
age.secrets.gandi.file = ../../secrets/gandi.age;
security.acme = { security.acme = {
certs."home.rpqt.fr" = { certs."home.rpqt.fr" = {
group = config.services.nginx.group; group = config.services.nginx.group;
domain = "home.rpqt.fr"; domain = "home.rpqt.fr";
extraDomainNames = [ "*.home.rpqt.fr" ]; extraDomainNames = [ "*.home.rpqt.fr" ];
dnsProvider = "gandiv5"; dnsProvider = "gandiv5";
dnsPropagationCheck = true; dnsPropagationCheck = true;
environmentFile = config.age.secrets.gandi.path; environmentFile = config.clan.core.vars.generators.gandi.files.gandi-env.path;
email = "admin@rpqt.fr";
}; };
}; };
clan.core.vars.generators.gandi.files.gandi-env.owner = "acme";
} }
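Review bot: The per-certificate `email = "admin@rpqt.fr";` added under `certs."home.rpqt.fr"` duplicates `defaults.email` in the first `security.acme` block, so one of the two should go; `defaults.email` is the one any further cert would inherit. Setting `clan.core.vars.generators.gandi.files.gandi-env.owner = "acme"` in this host file rather than in the imported `modules/gandi.nix` means the token file remains root-owned on any other host that imports that module, so a comment on the owner line, `# environmentFile is read directly by the ACME client, which presumably runs as the acme user`, would record why the override lives here. Blank lines of this hunk are not rendered, so its exact layout is not fully visible.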


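--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -4,7 +4,6 @@
 }:
 {
 imports = [
-self.inputs.agenix.nixosModules.default
 ./acme.nix
 ./boot.nix
 ./builder.nix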


@ -4,23 +4,26 @@ let
subdomain = "rss.${domain}"; subdomain = "rss.${domain}";
in in
{ {
age.secrets.freshrss = {
file = ../../secrets/freshrss.age;
mode = "700";
owner = config.services.freshrss.user;
};
services.freshrss = { services.freshrss = {
enable = true; enable = true;
baseUrl = "https://${subdomain}"; baseUrl = "https://${subdomain}";
virtualHost = "${subdomain}"; virtualHost = "${subdomain}";
defaultUser = "rpqt"; defaultUser = "rpqt";
passwordFile = config.age.secrets.freshrss.path; passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
}; };
services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = { services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; useACMEHost = "${domain}";
}; };
clan.core.vars.generators.freshrss = {
prompts.freshrss-password = {
description = "freshrss default user password";
type = "hidden";
persist = true;
};
files.freshrss-password.owner = config.services.freshrss.user;
};
} }


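--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -4,8 +4,6 @@
 }:
 {
 imports = [
-# inputs.disko.nixosModules.disko
-self.inputs.agenix.nixosModules.default
 ./boot.nix
 ./chat.nix
 ./firefox.nix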


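--- a/PATH-NOT-SHOWN
+++ /dev/null
@@ -1,13 +0,0 @@
-let
-keys = import ../../../parts/keys.nix;
-in
-{
-"syncthing-key.pem.age".publicKeys = [
-keys.hosts.haze
-keys.rpqt.haze
-];
-"syncthing-cert.pem.age".publicKeys = [
-keys.hosts.haze
-keys.rpqt.haze
-];
-}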


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 P3fsag cm2nekzBIMCAb/yXzY4L6jIH/Sa+rSMznT88WJNkP30
DMnRf0An69vywpHLD3RGHwE0dkaa6JIEahhQo14EEDc
--- f/kI+HBhWTQlXoWvCJaLJM70EsOkH4G8/5g9Eeu8uNc
àT!Û÷<12>ù6˜
·TÀƒrϵKr»9ÕÅw¹ÌžÀ8æ¸ÇEƒ<45>¿´,ÜR.¢˜³’ÉiÒ ¹ßüý_'2Þ;iÒÅ„—8d¤ÏóÿÁ&DÝ«q¯²îxd
µ3Ée„xnâg~/)݇aƒÄWÔèžG~ºÒÈBNV·ˆi¨a<05>æÝuÕÛ•ÜR=­ûMòO)$HS„Ýf¥f<ç›cóü?àï~*€Täà<>)WtÊ<74>ñÅÀ&Ü8i˜óºz½è:5޹[sc"ýÀì<>& UýËÓ9ÂÓ'í§_»´{xkE½ïؼYÁ@åÑçƒÆÚf×Uä+†—B±u¨=ÿÌY4òe3âUÕÆQLSl5 U™qÚšþ!¨h<C2A8>×W¼ã@}<7D>OW¨ŠÃ


@ -7,24 +7,21 @@ let
home = config.users.users.${user}.home; home = config.users.users.${user}.home;
in in
{ {
# age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
# age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
services.syncthing = { services.syncthing = {
enable = false; enable = true;
user = user; user = user;
group = "users"; group = "users";
dataDir = home; dataDir = home;
configDir = "${home}/.config/syncthing"; configDir = "${home}/.config/syncthing";
key = config.age.secrets.syncthing-key.path; key = config.clan.core.vars.generators.syncthing.files."key".path;
cert = config.age.secrets.syncthing-cert.path; cert = config.clan.core.vars.generators.syncthing.files."cert".path;
openDefaultPorts = true; openDefaultPorts = true;
overrideDevices = true; overrideDevices = true;
overrideFolders = true; overrideFolders = true;
settings = { settings = {
devices = { devices = {
"genepi" = { "genepi" = {
id = "EA7DC7O-IHB47EQ-AWT2QBJ-AWPDF5S-W4EM66A-KQPCTHI-UX53WKM-QTSAHQ4"; id = "TNP3M2Z-2AJ3CJE-4LLYHME-3KWCLN4-XQWBIDJ-PTDRANE-RRBYQWQ-KXJFTQU";
}; };
"pixel-7a" = { "pixel-7a" = {
id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU"; id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
@ -60,4 +57,20 @@ in
}; };
}; };
}; };
clan.core.vars.generators.syncthing = {
prompts.key = {
description = "syncthing private key";
type = "hidden";
persist = true;
};
files.key.owner = config.services.syncthing.user;
prompts.cert = {
description = "syncthing cert";
type = "hidden";
persist = true;
};
files.cert.owner = config.services.syncthing.user;
};
} }
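Review bot: Both `prompts.key` and `prompts.cert` use `type = "hidden"`, which reads one non-echoed line, but the values `services.syncthing.key` and `cert` point at are PEM files (the deleted secrets.nix named them `syncthing-key.pem.age` and `syncthing-cert.pem.age`), and PEM spans many lines; a one-line prompt would persist only the first line, so `type = "multiline"` for the cert (and a non-echoing multi-line type for the key, if the installed clan-core offers one) should be confirmed before this is relied on. The generator sets `files.key.owner` and `files.cert.owner` to the syncthing user but leaves mode and group at their defaults, while the service runs with `group = "users"`; if owner-only access is the intent, a one-line comment saying so, `# owner-only: syncthing reads both files as its own user`, would make that explicit. The enclosing attribute set starts outside the hunk, and the hunk's blank lines are not rendered on this page.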

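--- /dev/null
+++ b/modules/gandi.nix
@@ -0,0 +1,15 @@
+{
+clan.core.vars.generators.gandi = {
+prompts.gandi-token = {
+description = "gandi access token";
+type = "hidden";
+};
+files.gandi-env = {
+secret = true;
+};
+script = ''
+printf %s "GANDIV5_PERSONAL_ACCESS_TOKEN=" >> $out/gandi-env
+cat $prompts/gandi-token >> $out/gandi-env
+'';
+};
+}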
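Review bot: The new module documents neither what `gandi-env` is for nor who may read it: `files.gandi-env` carries no `owner`, so it is root-owned unless a consumer sets `files.gandi-env.owner` (as the acme change in this commit does), and a header comment such as `# Builds an env file for the gandiv5 DNS provider; the host that consumes it must set files.gandi-env.owner to the user that reads it` would state that contract where the module is defined. In the script, `$out` and `$prompts` are unquoted and two `>>` appends are used to create a fresh file; `printf %s "GANDIV5_PERSONAL_ACCESS_TOKEN=" > "$out/gandi-env"` followed by `cat "$prompts/gandi-token" >> "$out/gandi-env"` expresses the intent more directly. `prompts.gandi-token` has no `persist = true`, so the raw token is presumably not stored as a var of its own and regenerating would prompt for it again; if that is deliberate, a one-line comment saying so would save the next reader the question.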


@ -1,7 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 JzHbnw jpMQTBWxbVVfpRmNC4lyDKCcrpz01Qx7LbkmSnieyHA -> ssh-ed25519 JzHbnw JQOFdZFRMy3CUajSKR2pbUXw06LEGJoUCilV3QrlhAg
RWh0M0kj8BGn3u7e1A2Tki1soeMUQCHk5xTXyBF5dRA nc9+a/wm+oTESW/f91UIBHyodXYpAwkp7iiBARsQqs8
-> ssh-ed25519 8TpKTA qAvhyZSeKUYdZMhwPxd/eh4FNg1DAM1F2Stc6zvmV2A -> ssh-ed25519 8TpKTA bSzgxGzN9/cdSlb1PH3fYDa2bRSJC0vE6z1i5Me6wR4
pEP1XxQZaC/acpjMpX0NN/Hnq3vZzfeHYlNUt2bwNzY OqQXlelajxJNZ5RC7ooBvoUc03g5RELGQSX8BwEm428
--- F/XBgHsBJAJIlfuT0DA4DcAS+3Ci8PI6XIkKbndI898 --- 68+PLIpazLNfF1NVo9dMFBiUrEIinXhYUufOiF+5Ic0
În sÂ…$€}é¶IĘgáÀÖá<C396>ºK¼,÷<>“¨\c<>4$0Ødyi o/ï^g{dɼ̅B ±oB‡˙×°i=<3D>&´ďňŻńřo×e.ĚŽĄNÚ`"Ôr=çř:+nI}¦‡cÔ9y


@ -1,8 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 JzHbnw eURiwsZGmazGksGekjCeLJah8T5YKJNZHy1LMTh+fDw -> ssh-ed25519 JzHbnw T31pRlZxX8+uEmZzer9n0L6zuNX0wk4dhqzJGUnJ5BY
7LBu9JjwrZ+ad0rOrRARRLj2ydho3y5PFUJFvaaXOao wLPjZofbVL6ujdMz0DCnEa/6aPiQxxO6Lfwfdy4SS+k
-> ssh-ed25519 8TpKTA SVqAdtOxogTlJJEHm1Ohe7WQ3XfV8lWCPHAn0cj/D0Q -> ssh-ed25519 8TpKTA IBv4smbKRnRjZ1dnOBTkX/rLO+viU8Bk4ztx4KFkw3I
Fd/E7QUFqirSJsMp9h81R/9V9kRlG8nvF/EoZMynLGE Mcl0iIXi6C6tmTXeccnQfSv1QRWVaA4alGcus35b4TQ
--- 4dMwgCHnuTMpxeKktAlx4aYwcRwWqBFIFEqUFlY+Avg --- hzcS/phyG9Q8F66INJJS4D4ODIpwH+jjPko7PmWBEcA
<EFBFBD>£W+ÿ’Bn\N?|å^È 8Bï‡><>‰@“^HÙð„ÆdÈxb±hktÐ3–™YÙ—½©ÛÇ6™'9bÜ] ¿xUo>&õK¬èÙ§ôõ5!z£ŽmªÖ™xÞQjz3o¼YÓI¸­ÇŸ[ŸVtßüvß|¯
´A+)UâÔóó†ùD¸ ÷ó€$|È”¤“.ökË\*OLÚ1s7ѵ<C391>·V9»…=K>Efß<66>û}Ñ$xŸá®åû¨É0Ć1¢¾¯5¼É0À>áy¨p‰

Binary file not shown.


@ -1,7 +1,8 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 JzHbnw FL+4gD29OjqU5cFEHUBsYbweEOVvQ3q7v6X7Zbkghx8 -> ssh-ed25519 JzHbnw jcLmvaUel10bjSo1m+vL5929Ev6Qtq36d9avIxZ2uDg
tmK+CgVUcLJpP7SxLdakqfQ6q4+ZIW+bOKmsQ7h5z7I MZ+R18igyow8lCI5qCH2Jl5tNy19KYdJEZkSimMsd24
-> ssh-ed25519 8TpKTA it+shCL614xDviBsDOidOHQ/mIGD0a4flmMeAL7ilAA -> ssh-ed25519 8TpKTA /RgGofvCDFINYdk6hHkfv48SZCocMWFvO3cznQVB3Bs
mRSTRcqloI+ojmEK4gQ3KO+nMlobdain8hmWkH/kX+w jJy65KCMIUEyb63cpdBD/MjCEq6Du7KoWBsMHCKZpok
--- /RZZE995XzGRj793ENRV2pRZOzz9fXg1LjXTRaojl8E --- yxtOdFqzs1OQIko6OIlZPofBckezYd5fJkbyM1wb6AU
r¸<C2B8>Ãñ6ª¦#gaŸ¡Æ¶‡0t¦<74>fþä7Pç1þœYûh!¹à8ÐkµÝI “L¶™ORþÙ[t(oSÑQjîXìŠ6í<36>õ¾ÞÇû×·7fÃP¸Íâ :"ç !h<>"|íòCâ†y±)‹®Ç Ÿ¥sañg?ËtØJa Ô¥éÕâ_!žÌkTXæ.Ë®„Â…6cPC,§Kгoº)|ˆ¹Zl:Iº
î<>É„L5vê


@ -1,7 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 JzHbnw 03K1eF97VQ1Gt3LoIVYk6RTJ2wuOoOFpx5Msh1qzb10 -> ssh-ed25519 JzHbnw aEdPsShqoC1O4YVmeRnuky+elRay3fAipvIDhgSP02Q
o5qJMOa+AzF7czu1xtx2/aJ+tJqVv14J58pgvGcq4hI Gvh/ER7d6VaCXQ/cA2puOrhwz0PQDO7sNfi06X6yw5M
-> ssh-ed25519 8TpKTA AcBv+loPwmanCwbVoQtj2ZD3ZRJ27SJqg0oklQMy7Ec -> ssh-ed25519 8TpKTA YKagwotojOY57tuvf+lkHh5+1M8NoV3slITN8X/1yD8
uT2oIf9AENKn4SzAbKqT8igUJ6TsoE26iLgs/Ds/Bag fNf1DBeW5KJMjq1dzi6KR7SR+fw7aFA2CRemRwdE6/M
--- JuOE19Ap5gs+hw5sJnrfYFi8G9cesSj626cgxaWV6QY --- 5Gfha3Txw0O0a7v0AmJov3shlxihBp4EONcBFPU0NT8
¢Y®Û;ÁWFì‰ÇÒHµ«ÆmýÕ™³þŽø@¥"ûb ;g ¼oj> 6±VkðÑ•kíÞèý®È p|<7C>U~\¸Ö+f¡ Ò<„Œ(´}…†qQß§9