remove agenix and migrate secrets to clan vars

squash this
This commit is contained in:
Romain Paquet 2025-07-18 00:10:29 +02:00
parent b91a52da5e
commit 8b3841a87f
18 changed files with 96 additions and 165 deletions


@ -8,7 +8,6 @@
{
devShells.default = pkgs.mkShellNoCC {
packages = [
inputs'.agenix.packages.default
inputs'.clan-core.packages.clan-cli
pkgs.garage
pkgs.nil # Nix language server

flake.lock generated

@ -1,28 +1,5 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"clan-core": {
"inputs": {
"data-mesher": "data-mesher",
@ -37,7 +14,7 @@
"nixpkgs"
],
"sops-nix": "sops-nix",
"systems": "systems_2",
"systems": "systems",
"treefmt-nix": "treefmt-nix"
},
"locked": {
@ -54,28 +31,6 @@
"url": "https://git.clan.lol/clan/clan-core"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"data-mesher": {
"inputs": {
"flake-parts": [
@ -228,7 +183,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_5"
"systems": "systems_4"
},
"locked": {
"lastModified": 1726560853,
@ -283,27 +238,6 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -330,7 +264,7 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_3"
"systems": "systems_2"
},
"locked": {
"lastModified": 1751905641,
@ -366,7 +300,7 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_4"
"systems": "systems_3"
},
"locked": {
"lastModified": 1745334376,
@ -565,11 +499,10 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"clan-core": "clan-core",
"disko": "disko_2",
"flake-parts": "flake-parts",
"home-manager": "home-manager_2",
"home-manager": "home-manager",
"ignis": "ignis",
"impermanence": "impermanence",
"matugen": "matugen",
@ -617,16 +550,16 @@
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"repo": "default-linux",
"type": "github"
}
},
@ -646,21 +579,6 @@
}
},
"systems_4": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",


@ -75,9 +75,6 @@
nixos-generators.url = "github:nix-community/nixos-generators";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
clan-core.url = "git+https://git.clan.lol/clan/clan-core";
clan-core.inputs.nixpkgs.follows = "nixpkgs";
clan-core.inputs.flake-parts.follows = "flake-parts";


@ -2,7 +2,7 @@
{
services.radicle = {
enable = true;
privateKeyFile = config.age.secrets.radicle-private-key.path;
privateKeyFile = config.clan.core.vars.generators.radicle.files.radicle-private-key.path;
publicKey = keys.services.radicle;
node = {
openFirewall = true;
@ -17,5 +17,11 @@
};
};
age.secrets.radicle-private-key.file = ../../secrets/radicle-private-key.age;
clan.core.vars.generators.radicle = {
prompts.radicle-private-key = {
description = "radicle node private key";
type = "hidden";
persist = true;
};
};
}
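Review bot: The new `prompts.radicle-private-key` uses `type = "hidden"`, which in clan-core reads a single terminal line, whereas radicle's `privateKeyFile` is an OpenSSH private key file spanning many lines, so a pasted key would be truncated to its first line. Use `type = "multiline-hidden";` if the pinned clan-core rev supports it, otherwise `type = "multiline";`. Also worth confirming that `publicKey = keys.services.radicle` (still sourced from the static keys file) matches whichever key is entered at the prompt, since nothing ties the two together. The attribute set containing `services.radicle` begins before this hunk.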


@ -1,21 +1,25 @@
{ config, ... }:
{
imports = [
../../modules/gandi.nix
];
security.acme = {
acceptTerms = true;
defaults.email = "admin@rpqt.fr";
};
age.secrets.gandi.file = ../../secrets/gandi.age;
security.acme = {
certs."home.rpqt.fr" = {
group = config.services.nginx.group;
domain = "home.rpqt.fr";
extraDomainNames = [ "*.home.rpqt.fr" ];
dnsProvider = "gandiv5";
dnsPropagationCheck = true;
environmentFile = config.age.secrets.gandi.path;
environmentFile = config.clan.core.vars.generators.gandi.files.gandi-env.path;
email = "admin@rpqt.fr";
};
};
clan.core.vars.generators.gandi.files.gandi-env.owner = "acme";
}


@ -4,7 +4,6 @@
}:
{
imports = [
self.inputs.agenix.nixosModules.default
./acme.nix
./boot.nix
./builder.nix


@ -4,23 +4,26 @@ let
subdomain = "rss.${domain}";
in
{
age.secrets.freshrss = {
file = ../../secrets/freshrss.age;
mode = "700";
owner = config.services.freshrss.user;
};
services.freshrss = {
enable = true;
baseUrl = "https://${subdomain}";
virtualHost = "${subdomain}";
defaultUser = "rpqt";
passwordFile = config.age.secrets.freshrss.path;
passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
};
services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
forceSSL = true;
useACMEHost = "${domain}";
};
clan.core.vars.generators.freshrss = {
prompts.freshrss-password = {
description = "freshrss default user password";
type = "hidden";
persist = true;
};
files.freshrss-password.owner = config.services.freshrss.user;
};
}


@ -4,8 +4,6 @@
}:
{
imports = [
# inputs.disko.nixosModules.disko
self.inputs.agenix.nixosModules.default
./boot.nix
./chat.nix
./firefox.nix


@ -1,13 +0,0 @@
let
keys = import ../../../parts/keys.nix;
in
{
"syncthing-key.pem.age".publicKeys = [
keys.hosts.haze
keys.rpqt.haze
];
"syncthing-cert.pem.age".publicKeys = [
keys.hosts.haze
keys.rpqt.haze
];
}


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 P3fsag cm2nekzBIMCAb/yXzY4L6jIH/Sa+rSMznT88WJNkP30
DMnRf0An69vywpHLD3RGHwE0dkaa6JIEahhQo14EEDc
--- f/kI+HBhWTQlXoWvCJaLJM70EsOkH4G8/5g9Eeu8uNc
àT!Û÷<12>ù6˜
·TÀƒrϵKr»9ÕÅw¹ÌžÀ8æ¸ÇEƒ<45>¿´,ÜR.¢˜³’ÉiÒ ¹ßüý_'2Þ;iÒÅ„—8d¤ÏóÿÁ&DÝ«q¯²îxd
µ3Ée„xnâg~/)݇aƒÄWÔèžG~ºÒÈBNV·ˆi¨a<05>æÝuÕÛ•ÜR=­ûMòO)$HS„Ýf¥f<ç›cóü?àï~*€Täà<>)WtÊ<74>ñÅÀ&Ü8i˜óºz½è:5޹[sc"ýÀì<>& UýËÓ9ÂÓ'í§_»´{xkE½ïؼYÁ@åÑçƒÆÚf×Uä+†—B±u¨=ÿÌY4òe3âUÕÆQLSl5 U™qÚšþ!¨h<C2A8>×W¼ã@}<7D>OW¨ŠÃ


@ -7,24 +7,21 @@ let
home = config.users.users.${user}.home;
in
{
# age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
# age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
services.syncthing = {
enable = false;
enable = true;
user = user;
group = "users";
dataDir = home;
configDir = "${home}/.config/syncthing";
key = config.age.secrets.syncthing-key.path;
cert = config.age.secrets.syncthing-cert.path;
key = config.clan.core.vars.generators.syncthing.files."key".path;
cert = config.clan.core.vars.generators.syncthing.files."cert".path;
openDefaultPorts = true;
overrideDevices = true;
overrideFolders = true;
settings = {
devices = {
"genepi" = {
id = "EA7DC7O-IHB47EQ-AWT2QBJ-AWPDF5S-W4EM66A-KQPCTHI-UX53WKM-QTSAHQ4";
id = "TNP3M2Z-2AJ3CJE-4LLYHME-3KWCLN4-XQWBIDJ-PTDRANE-RRBYQWQ-KXJFTQU";
};
"pixel-7a" = {
id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
@ -60,4 +57,20 @@ in
};
};
};
clan.core.vars.generators.syncthing = {
prompts.key = {
description = "syncthing private key";
type = "hidden";
persist = true;
};
files.key.owner = config.services.syncthing.user;
prompts.cert = {
description = "syncthing cert";
type = "hidden";
persist = true;
};
files.cert.owner = config.services.syncthing.user;
};
}
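Review bot: Both `prompts.key` and `prompts.cert` are `type = "hidden"`, a single-line prompt, but syncthing's key and cert are multi-line PEM files, so pasting them would keep only the first line; `type = "multiline-hidden"` for the key (or `"multiline"` if the pinned clan-core lacks it) and `type = "multiline"` for the cert fit the data. The cert is public material, so `files.cert.secret = false;` would avoid storing it as an encrypted var. Note the hunk also flips `enable` from false to true while keeping `openDefaultPorts = true`, which opens 22000/tcp+udp and 21027/udp in the host firewall — new exposure that the commit message ("remove agenix") does not mention — and replaces the `genepi` device ID; both look like unrelated changes and are worth confirming as intentional. The `services.syncthing` attribute set continues outside the hunk.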

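--- /dev/null
+++ b/modules/gandi.nix
@@ -0,0 +1,15 @@
+{
+clan.core.vars.generators.gandi = {
+prompts.gandi-token = {
+description = "gandi access token";
+type = "hidden";
+};
+files.gandi-env = {
+secret = true;
+};
+script = ''
+printf %s "GANDIV5_PERSONAL_ACCESS_TOKEN=" >> $out/gandi-env
+cat $prompts/gandi-token >> $out/gandi-env
+'';
+};
+}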
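Review bot: The generator script builds the env file with two unquoted appends (`>> $out/gandi-env`), which works only because `$out` starts empty and the token has no shell-special characters; a single write is clearer and also drops any trailing newline the prompt file may carry: `printf 'GANDIV5_PERSONAL_ACCESS_TOKEN=%s\n' "$(cat "$prompts/gandi-token")" > "$out/gandi-env"`. The prompt is not `persist`ed, so the token survives only inside the generated `gandi-env`; that is reasonable, but a `--regenerate` will ask for it again, which is worth a one-line comment above `prompts.gandi-token`. If more than one machine ends up importing this module, the Gandi token is account-wide and `share = true;` on the generator would store it once instead of once per machine — hedged, since only one host imports it here.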


@ -1,7 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JzHbnw jpMQTBWxbVVfpRmNC4lyDKCcrpz01Qx7LbkmSnieyHA
RWh0M0kj8BGn3u7e1A2Tki1soeMUQCHk5xTXyBF5dRA
-> ssh-ed25519 8TpKTA qAvhyZSeKUYdZMhwPxd/eh4FNg1DAM1F2Stc6zvmV2A
pEP1XxQZaC/acpjMpX0NN/Hnq3vZzfeHYlNUt2bwNzY
--- F/XBgHsBJAJIlfuT0DA4DcAS+3Ci8PI6XIkKbndI898
În sÂ…$€}é¶IĘgáÀÖá<C396>ºK¼,÷<>“¨\c<>4$0Ødyi o/ï^g{dɼ̅B
-> ssh-ed25519 JzHbnw JQOFdZFRMy3CUajSKR2pbUXw06LEGJoUCilV3QrlhAg
nc9+a/wm+oTESW/f91UIBHyodXYpAwkp7iiBARsQqs8
-> ssh-ed25519 8TpKTA bSzgxGzN9/cdSlb1PH3fYDa2bRSJC0vE6z1i5Me6wR4
OqQXlelajxJNZ5RC7ooBvoUc03g5RELGQSX8BwEm428
--- 68+PLIpazLNfF1NVo9dMFBiUrEIinXhYUufOiF+5Ic0
±oB‡˙×°i=<3D>&´ďňŻńřo×e.ĚŽĄNÚ`"Ôr=çř:+nI}¦‡cÔ9y
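Review bot: This commit is titled "remove agenix" yet several `.age` files are rewritten here (re-encrypted to the same two ssh-ed25519 recipients) rather than deleted. If no module consumes them once `age.secrets.*` is gone, they are dead encrypted material and should be removed in this commit; if another tool still reads them, the commit message should say which, because as it stands a reader cannot tell whether the agenix removal is complete.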


@ -1,8 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JzHbnw eURiwsZGmazGksGekjCeLJah8T5YKJNZHy1LMTh+fDw
7LBu9JjwrZ+ad0rOrRARRLj2ydho3y5PFUJFvaaXOao
-> ssh-ed25519 8TpKTA SVqAdtOxogTlJJEHm1Ohe7WQ3XfV8lWCPHAn0cj/D0Q
Fd/E7QUFqirSJsMp9h81R/9V9kRlG8nvF/EoZMynLGE
--- 4dMwgCHnuTMpxeKktAlx4aYwcRwWqBFIFEqUFlY+Avg
<EFBFBD>£W+ÿ’Bn\N?|å^È
´A+)UâÔóó†ùD¸ ÷ó€$|È”¤“.ökË\*OLÚ1s7ѵ<C391>·V9»…=K>Efß<66>û}Ñ$xŸá®åû¨É0Ć1¢¾¯5¼É0À>áy¨p‰
-> ssh-ed25519 JzHbnw T31pRlZxX8+uEmZzer9n0L6zuNX0wk4dhqzJGUnJ5BY
wLPjZofbVL6ujdMz0DCnEa/6aPiQxxO6Lfwfdy4SS+k
-> ssh-ed25519 8TpKTA IBv4smbKRnRjZ1dnOBTkX/rLO+viU8Bk4ztx4KFkw3I
Mcl0iIXi6C6tmTXeccnQfSv1QRWVaA4alGcus35b4TQ
--- hzcS/phyG9Q8F66INJJS4D4ODIpwH+jjPko7PmWBEcA
8Bï‡><>‰@“^HÙð„ÆdÈxb±hktÐ3–™YÙ—½©ÛÇ6™'9bÜ] ¿xUo>&õK¬èÙ§ôõ5!z£ŽmªÖ™xÞQjz3o¼YÓI¸­ÇŸ[ŸVtßüvß|¯



@ -1,7 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 JzHbnw FL+4gD29OjqU5cFEHUBsYbweEOVvQ3q7v6X7Zbkghx8
tmK+CgVUcLJpP7SxLdakqfQ6q4+ZIW+bOKmsQ7h5z7I
-> ssh-ed25519 8TpKTA it+shCL614xDviBsDOidOHQ/mIGD0a4flmMeAL7ilAA
mRSTRcqloI+ojmEK4gQ3KO+nMlobdain8hmWkH/kX+w
--- /RZZE995XzGRj793ENRV2pRZOzz9fXg1LjXTRaojl8E
r¸<C2B8>Ãñ6ª¦#gaŸ¡Æ¶‡0t¦<74>fþä7Pç1þœYûh!¹à8ÐkµÝI “L¶™ORþÙ[t(oSÑQjîXìŠ6í<36>õ¾ÞÇû×·7fÃP¸Íâ
-> ssh-ed25519 JzHbnw jcLmvaUel10bjSo1m+vL5929Ev6Qtq36d9avIxZ2uDg
MZ+R18igyow8lCI5qCH2Jl5tNy19KYdJEZkSimMsd24
-> ssh-ed25519 8TpKTA /RgGofvCDFINYdk6hHkfv48SZCocMWFvO3cznQVB3Bs
jJy65KCMIUEyb63cpdBD/MjCEq6Du7KoWBsMHCKZpok
--- yxtOdFqzs1OQIko6OIlZPofBckezYd5fJkbyM1wb6AU
:"ç !h<>"|íòCâ†y±)‹®Ç Ÿ¥sañg?ËtØJa Ô¥éÕâ_!žÌkTXæ.Ë®„Â…6cPC,§Kгoº)|ˆ¹Zl:Iº
î<>É„L5vê


@ -1,7 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JzHbnw 03K1eF97VQ1Gt3LoIVYk6RTJ2wuOoOFpx5Msh1qzb10
o5qJMOa+AzF7czu1xtx2/aJ+tJqVv14J58pgvGcq4hI
-> ssh-ed25519 8TpKTA AcBv+loPwmanCwbVoQtj2ZD3ZRJ27SJqg0oklQMy7Ec
uT2oIf9AENKn4SzAbKqT8igUJ6TsoE26iLgs/Ds/Bag
--- JuOE19Ap5gs+hw5sJnrfYFi8G9cesSj626cgxaWV6QY
¢Y®Û;ÁWFì‰ÇÒHµ«ÆmýÕ™³þŽø@¥"ûb ;g ¼oj>
-> ssh-ed25519 JzHbnw aEdPsShqoC1O4YVmeRnuky+elRay3fAipvIDhgSP02Q
Gvh/ER7d6VaCXQ/cA2puOrhwz0PQDO7sNfi06X6yw5M
-> ssh-ed25519 8TpKTA YKagwotojOY57tuvf+lkHh5+1M8NoV3slITN8X/1yD8
fNf1DBeW5KJMjq1dzi6KR7SR+fw7aFA2CRemRwdE6/M
--- 5Gfha3Txw0O0a7v0AmJov3shlxihBp4EONcBFPU0NT8
6±VkðÑ•kíÞèý®È p|<7C>U~\¸Ö+f¡ Ò<„Œ(´}…†qQß§9