remove agenix and migrate secrets to clan vars

squash this
2025-07-18 00:10:29 +02:00
parent b91a52da5e
commit 8b3841a87f
18 changed files with 96 additions and 165 deletions


@@ -8,7 +8,6 @@
{
devShells.default = pkgs.mkShellNoCC {
packages = [
inputs'.agenix.packages.default
inputs'.clan-core.packages.clan-cli
pkgs.garage
pkgs.nil # Nix language server

flake.lock generated

@@ -1,28 +1,5 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"clan-core": {
"inputs": {
"data-mesher": "data-mesher",
@@ -37,7 +14,7 @@
"nixpkgs"
],
"sops-nix": "sops-nix",
"systems": "systems_2",
"systems": "systems",
"treefmt-nix": "treefmt-nix"
},
"locked": {
@@ -54,28 +31,6 @@
"url": "https://git.clan.lol/clan/clan-core"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"data-mesher": {
"inputs": {
"flake-parts": [
@@ -228,7 +183,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_5"
"systems": "systems_4"
},
"locked": {
"lastModified": 1726560853,
@@ -283,27 +238,6 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@@ -330,7 +264,7 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_3"
"systems": "systems_2"
},
"locked": {
"lastModified": 1751905641,
@@ -366,7 +300,7 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_4"
"systems": "systems_3"
},
"locked": {
"lastModified": 1745334376,
@@ -565,11 +499,10 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"clan-core": "clan-core",
"disko": "disko_2",
"flake-parts": "flake-parts",
"home-manager": "home-manager_2",
"home-manager": "home-manager",
"ignis": "ignis",
"impermanence": "impermanence",
"matugen": "matugen",
@@ -617,16 +550,16 @@
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"repo": "default-linux",
"type": "github"
}
},
@@ -646,21 +579,6 @@
}
},
"systems_4": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",


@@ -75,9 +75,6 @@
nixos-generators.url = "github:nix-community/nixos-generators";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
clan-core.url = "git+https://git.clan.lol/clan/clan-core";
clan-core.inputs.nixpkgs.follows = "nixpkgs";
clan-core.inputs.flake-parts.follows = "flake-parts";


@@ -2,7 +2,7 @@
{
services.radicle = {
enable = true;
privateKeyFile = config.age.secrets.radicle-private-key.path;
privateKeyFile = config.clan.core.vars.generators.radicle.files.radicle-private-key.path;
publicKey = keys.services.radicle;
node = {
openFirewall = true;
@@ -17,5 +17,11 @@
};
};
age.secrets.radicle-private-key.file = ../../secrets/radicle-private-key.age;
clan.core.vars.generators.radicle = {
prompts.radicle-private-key = {
description = "radicle node private key";
type = "hidden";
persist = true;
};
};
}
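Review bot: The new `radicle` generator sets no owner on `files.radicle-private-key`, while the freshrss and syncthing generators in this same commit hand their secret file to the service user; if the radicle node runs under its own user (the hunk does not show that), the key referenced on the `privateKeyFile` line would be unreadable to it under a root-only default. Worth checking which user the radicle module starts the node as and, if it is not root, adding `files.radicle-private-key.owner = "<radicle service user>";` next to the prompt, mirroring `files.freshrss-password.owner` elsewhere in the commit.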


@@ -1,21 +1,25 @@
{ config, ... }:
{
imports = [
../../modules/gandi.nix
];
security.acme = {
acceptTerms = true;
defaults.email = "admin@rpqt.fr";
};
age.secrets.gandi.file = ../../secrets/gandi.age;
security.acme = {
certs."home.rpqt.fr" = {
group = config.services.nginx.group;
domain = "home.rpqt.fr";
extraDomainNames = [ "*.home.rpqt.fr" ];
dnsProvider = "gandiv5";
dnsPropagationCheck = true;
environmentFile = config.age.secrets.gandi.path;
environmentFile = config.clan.core.vars.generators.gandi.files.gandi-env.path;
email = "admin@rpqt.fr";
};
};
clan.core.vars.generators.gandi.files.gandi-env.owner = "acme";
}


@@ -4,7 +4,6 @@
}:
{
imports = [
self.inputs.agenix.nixosModules.default
./acme.nix
./boot.nix
./builder.nix


@@ -4,23 +4,26 @@ let
subdomain = "rss.${domain}";
in
{
age.secrets.freshrss = {
file = ../../secrets/freshrss.age;
mode = "700";
owner = config.services.freshrss.user;
};
services.freshrss = {
enable = true;
baseUrl = "https://${subdomain}";
virtualHost = "${subdomain}";
defaultUser = "rpqt";
passwordFile = config.age.secrets.freshrss.path;
passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
};
services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
forceSSL = true;
useACMEHost = "${domain}";
};
clan.core.vars.generators.freshrss = {
prompts.freshrss-password = {
description = "freshrss default user password";
type = "hidden";
persist = true;
};
files.freshrss-password.owner = config.services.freshrss.user;
};
}
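Review bot: The removed age declaration carried an explicit `mode = "700"` on the freshrss secret, and the replacement generator only sets `files.freshrss-password.owner`, so the file's mode now falls back to whatever clan vars applies by default. Since freshrss reads `passwordFile` as that user an owner-only read permission is all it needs, but confirm the default is not group- or world-readable before relying on it. A one-line `files.freshrss-password.mode = "0400";` beside the owner line would make the intent explicit independent of defaults.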


@@ -4,8 +4,6 @@
}:
{
imports = [
# inputs.disko.nixosModules.disko
self.inputs.agenix.nixosModules.default
./boot.nix
./chat.nix
./firefox.nix


@@ -1,13 +0,0 @@
let
keys = import ../../../parts/keys.nix;
in
{
"syncthing-key.pem.age".publicKeys = [
keys.hosts.haze
keys.rpqt.haze
];
"syncthing-cert.pem.age".publicKeys = [
keys.hosts.haze
keys.rpqt.haze
];
}


@@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 P3fsag cm2nekzBIMCAb/yXzY4L6jIH/Sa+rSMznT88WJNkP30
DMnRf0An69vywpHLD3RGHwE0dkaa6JIEahhQo14EEDc
--- f/kI+HBhWTQlXoWvCJaLJM70EsOkH4G8/5g9Eeu8uNc
<EFBFBD>T!<21><><12>\Β<>6<16>
<EFBFBD>T<><54>rϵKr<4B>9<EFBFBD><39>w<EFBFBD>̞<EFBFBD>8<04><><EFBFBD><EFBFBD>E<EFBFBD><45><EFBFBD><EFBFBD>,<2C>R.<2E><><EFBFBD><EFBFBD><EFBFBD>i<> <20><><EFBFBD><EFBFBD>_'2<>;i<>ń<EFBFBD>8d<04><><EFBFBD><EFBFBD><EFBFBD>&Dݫq<><71><EFBFBD>xd
<EFBFBD>3<EFBFBD>e<EFBFBD>xn<EFBFBD>g~<7E>/)݇a<DD87><13>W<><57><EFBFBD>G~<1F><><EFBFBD>BNV<4E><56>i<EFBFBD>a<05>{<7B><17><>u<EFBFBD>ە<1B>R=<3D><>M<EFBFBD>O)$HS<48><53>f<EFBFBD>f<<3C><>c<><63>?<3F><01>~*<2A>T<EFBFBD><07><>)Wtʁ<18><><EFBFBD>&<15><>8i<38><69><EFBFBD>z<EFBFBD><7A>:5<><35>[sc"<22><><1A><>& U<><55><EFBFBD>9<EFBFBD><39>'<27><>_<5F><7F>{xkE<6B><45>ؼY<0E>@<40><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>f<EFBFBD>U<EFBFBD>+<2B><>B<EFBFBD>u<EFBFBD>=<3D><>Y4<0F>e3<65>U<01><>QLSl5 U<><1B>!<10>h<EFBFBD><68>W<EFBFBD><57>@}<7D>OW<4F><57><EFBFBD>


@@ -7,24 +7,21 @@ let
home = config.users.users.${user}.home;
in
{
# age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
# age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
services.syncthing = {
enable = false;
enable = true;
user = user;
group = "users";
dataDir = home;
configDir = "${home}/.config/syncthing";
key = config.age.secrets.syncthing-key.path;
cert = config.age.secrets.syncthing-cert.path;
key = config.clan.core.vars.generators.syncthing.files."key".path;
cert = config.clan.core.vars.generators.syncthing.files."cert".path;
openDefaultPorts = true;
overrideDevices = true;
overrideFolders = true;
settings = {
devices = {
"genepi" = {
id = "EA7DC7O-IHB47EQ-AWT2QBJ-AWPDF5S-W4EM66A-KQPCTHI-UX53WKM-QTSAHQ4";
id = "TNP3M2Z-2AJ3CJE-4LLYHME-3KWCLN4-XQWBIDJ-PTDRANE-RRBYQWQ-KXJFTQU";
};
"pixel-7a" = {
id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
@@ -60,4 +57,20 @@ in
};
};
};
clan.core.vars.generators.syncthing = {
prompts.key = {
description = "syncthing private key";
type = "hidden";
persist = true;
};
files.key.owner = config.services.syncthing.user;
prompts.cert = {
description = "syncthing cert";
type = "hidden";
persist = true;
};
files.cert.owner = config.services.syncthing.user;
};
}
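Review bot: Both `prompts.key` and `prompts.cert` use `type = "hidden"` although a Syncthing key and certificate are multi-line PEM blobs; if that prompt type reads a single line, as its name suggests, the stored `key`/`cert` files would be truncated and the service, now switched to `enable = true`, would fail to start. Check which prompt type clan-core provides for multi-line secret input and use it here, or load the existing PEM files through the CLI's vars set command instead of typing them. The same hunk also swaps genepi's device `id`, which is unrelated to the agenix migration and deserves a mention in the commit message.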

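--- /dev/null
+++ b/modules/gandi.nix
@@ -0,0 +1,15 @@
+{
+clan.core.vars.generators.gandi = {
+prompts.gandi-token = {
+description = "gandi access token";
+type = "hidden";
+};
+files.gandi-env = {
+secret = true;
+};
+script = ''
+printf %s "GANDIV5_PERSONAL_ACCESS_TOKEN=" >> $out/gandi-env
+cat $prompts/gandi-token >> $out/gandi-env
+'';
+};
+}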
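Review bot: The generator script assembles `gandi-env` with two unquoted appends, `printf %s "GANDIV5_PERSONAL_ACCESS_TOKEN=" >> $out/gandi-env` and `cat $prompts/gandi-token >> $out/gandi-env`; a single quoted write, `printf 'GANDIV5_PERSONAL_ACCESS_TOKEN=%s\n' "$(cat "$prompts/gandi-token")" > "$out/gandi-env"`, does not depend on `$out` starting empty and drops a trailing newline should the prompt store one. Leaving the token prompt without `persist` is the right call, since the raw token then only exists inside the generated env file. The file's owner is set by the consumer (`clan.core.vars.generators.gandi.files.gandi-env.owner = "acme";` in the acme host file) rather than in this module, so a comment here such as `# the importing host is expected to set files.gandi-env.owner to the user that reads it` would spare the next reader a search.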


@@ -1,7 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JzHbnw jpMQTBWxbVVfpRmNC4lyDKCcrpz01Qx7LbkmSnieyHA
RWh0M0kj8BGn3u7e1A2Tki1soeMUQCHk5xTXyBF5dRA
-> ssh-ed25519 8TpKTA qAvhyZSeKUYdZMhwPxd/eh4FNg1DAM1F2Stc6zvmV2A
pEP1XxQZaC/acpjMpX0NN/Hnq3vZzfeHYlNUt2bwNzY
--- F/XBgHsBJAJIlfuT0DA4DcAS+3Ci8PI6XIkKbndI898
<EFBFBD>n s…$<24>}<7D><>IĘg<C498><67><EFBFBD>ᐺK<E190BA>,<2C><><EFBFBD><EFBFBD>\c)<29><>4$0<>dyi o/<05>^g{dɼ̅B
-> ssh-ed25519 JzHbnw JQOFdZFRMy3CUajSKR2pbUXw06LEGJoUCilV3QrlhAg
nc9+a/wm+oTESW/f91UIBHyodXYpAwkp7iiBARsQqs8
-> ssh-ed25519 8TpKTA bSzgxGzN9/cdSlb1PH3fYDa2bRSJC0vE6z1i5Me6wR4
OqQXlelajxJNZ5RC7ooBvoUc03g5RELGQSX8BwEm428
--- 68+PLIpazLNfF1NVo9dMFBiUrEIinXhYUufOiF+5Ic0
<EFBFBD>oB<EFBFBD><EFBFBD><1F><16>i<1D><1A>=<3D>&<26><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>o<EFBFBD>e.<2E><08><><EFBFBD>N<EFBFBD>`"<22>r=<3D><>:+nI}<1A><>c<EFBFBD>9y


@@ -1,8 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JzHbnw eURiwsZGmazGksGekjCeLJah8T5YKJNZHy1LMTh+fDw
7LBu9JjwrZ+ad0rOrRARRLj2ydho3y5PFUJFvaaXOao
-> ssh-ed25519 8TpKTA SVqAdtOxogTlJJEHm1Ohe7WQ3XfV8lWCPHAn0cj/D0Q
Fd/E7QUFqirSJsMp9h81R/9V9kRlG8nvF/EoZMynLGE
--- 4dMwgCHnuTMpxeKktAlx4aYwcRwWqBFIFEqUFlY+Avg
<EFBFBD><EFBFBD>W+<2B><>Bn\N?|<7C>^<EFBFBD>
<EFBFBD>A+)U<><55><EFBFBD><EFBFBD><EFBFBD><0E>D<EFBFBD>
-> ssh-ed25519 JzHbnw T31pRlZxX8+uEmZzer9n0L6zuNX0wk4dhqzJGUnJ5BY
wLPjZofbVL6ujdMz0DCnEa/6aPiQxxO6Lfwfdy4SS+k
-> ssh-ed25519 8TpKTA IBv4smbKRnRjZ1dnOBTkX/rLO+viU8Bk4ztx4KFkw3I
Mcl0iIXi6C6tmTXeccnQfSv1QRWVaA4alGcus35b4TQ
--- hzcS/phyG9Q8F66INJJS4D4ODIpwH+jjPko7PmWBEcA
8B<EFBFBD><EFBFBD>><3E><><EFBFBD>@<40>^H<><48><EFBFBD><EFBFBD>d<EFBFBD>xb<78>hkt<0F>3<><7F>Yٗ<><03><><EFBFBD>6<EFBFBD>'9b<39>] <0B>xUo>&<11>K<EFBFBD><4B>٧<EFBFBD><D9A7>5!z<><7A>m<EFBFBD>֙x<D699>Qjz3o<33>Y<EFBFBD>I<EFBFBD><49><10>ǟ[<5B>Vt<56><74>v<EFBFBD>|<EFBFBD>

Binary file not shown.


@@ -1,7 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 JzHbnw FL+4gD29OjqU5cFEHUBsYbweEOVvQ3q7v6X7Zbkghx8
tmK+CgVUcLJpP7SxLdakqfQ6q4+ZIW+bOKmsQ7h5z7I
-> ssh-ed25519 8TpKTA it+shCL614xDviBsDOidOHQ/mIGD0a4flmMeAL7ilAA
mRSTRcqloI+ojmEK4gQ3KO+nMlobdain8hmWkH/kX+w
--- /RZZE995XzGRj793ENRV2pRZOzz9fXg1LjXTRaojl8E
-> ssh-ed25519 JzHbnw jcLmvaUel10bjSo1m+vL5929Ev6Qtq36d9avIxZ2uDg
MZ+R18igyow8lCI5qCH2Jl5tNy19KYdJEZkSimMsd24
-> ssh-ed25519 8TpKTA /RgGofvCDFINYdk6hHkfv48SZCocMWFvO3cznQVB3Bs
jJy65KCMIUEyb63cpdBD/MjCEq6Du7KoWBsMHCKZpok
--- yxtOdFqzs1OQIko6OIlZPofBckezYd5fJkbyM1wb6AU
:"<22>
!h<>"|<7C><0F>C<><43>y<EFBFBD>)<29><><EFBFBD>


@@ -1,7 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 JzHbnw 03K1eF97VQ1Gt3LoIVYk6RTJ2wuOoOFpx5Msh1qzb10
o5qJMOa+AzF7czu1xtx2/aJ+tJqVv14J58pgvGcq4hI
-> ssh-ed25519 8TpKTA AcBv+loPwmanCwbVoQtj2ZD3ZRJ27SJqg0oklQMy7Ec
uT2oIf9AENKn4SzAbKqT8igUJ6TsoE26iLgs/Ds/Bag
--- JuOE19Ap5gs+hw5sJnrfYFi8G9cesSj626cgxaWV6QY
<EFBFBD>Y<EFBFBD><EFBFBD><EFBFBD>;<3B>WF<57><46><07><>H<EFBFBD><02><>m<EFBFBD>ՙ<EFBFBD><D599><19><>@<40>"<22>bc<><63>;g
-> ssh-ed25519 JzHbnw aEdPsShqoC1O4YVmeRnuky+elRay3fAipvIDhgSP02Q
Gvh/ER7d6VaCXQ/cA2puOrhwz0PQDO7sNfi06X6yw5M
-> ssh-ed25519 8TpKTA YKagwotojOY57tuvf+lkHh5+1M8NoV3slITN8X/1yD8
fNf1DBeW5KJMjq1dzi6KR7SR+fw7aFA2CRemRwdE6/M
--- 5Gfha3Txw0O0a7v0AmJov3shlxihBp4EONcBFPU0NT8
6<>Vk<56>ѕk<16><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><1D>p|<7C>U~\<5C><>+f<>