author | Franck Cuny <franck@fcuny.net> | 2022-04-10 14:44:33 -0700 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2022-04-10 14:44:33 -0700 |
commit | 6a5cb9b7544168e7136ab2dbd833c9fc63020db7 (patch) | |
tree | 88db9fe9f436648acba60ffea98fd47942343b74 /modules/secrets | |
parent | add a module for backup with restic (diff) | |
download | world-6a5cb9b7544168e7136ab2dbd833c9fc63020db7.tar.gz |
secrets: move all the secrets under module/
Refactor the configuration a bit; this should simplify managing and using secrets from now on.
Diffstat (limited to '')
-rw-r--r-- | modules/secrets/default.nix | 24 | ||||
-rw-r--r-- | modules/secrets/network/aptos/wireguard_privatekey.age (renamed from secrets/network/aptos/wireguard_privatekey.age) | bin | 467 -> 467 bytes | |||
-rw-r--r-- | modules/secrets/network/tahoe/wireguard_privatekey.age (renamed from secrets/network/tahoe/wireguard_privatekey.age) | bin | 616 -> 616 bytes | |||
-rw-r--r-- | modules/secrets/rclone/config.ini.age (renamed from secrets/rclone/config.ini.age) | bin | 616 -> 616 bytes | |||
-rw-r--r-- | modules/secrets/rclone/gcs_service_account.json.age (renamed from secrets/rclone/gcs_service_account.json.age) | bin | 2864 -> 2864 bytes | |||
-rw-r--r-- | modules/secrets/restic/repo-systems.age (renamed from secrets/restic/repo-systems.age) | 0 | ||||
-rw-r--r-- | modules/secrets/secrets.nix | 27 | ||||
-rw-r--r-- | modules/secrets/traefik/gcp_service_account.json.age (renamed from secrets/traefik/gcp_service_account.json.age) | bin | 2827 -> 2827 bytes | |||
-rw-r--r-- | modules/secrets/unifi/unifi-poller.age (renamed from secrets/unifi/unifi-poller.age) | 0 |
9 files changed, 51 insertions, 0 deletions
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
new file mode 100644
index 0000000..e6f3a7b
--- /dev/null
+++ b/modules/secrets/default.nix
@@ -0,0 +1,24 @@
+{ config, inputs, lib, options, ... }:
+
+{
+ imports = [ inputs.agenix.nixosModules.age ];
+
+ config.age = {
+ secrets = let
+ toName = lib.removeSuffix ".age";
+ userExists = u: builtins.hasAttr u config.users.users;
+ # Only set the user if it exists, to avoid warnings
+ userIfExists = u: if userExists u then u else "root";
+ toSecret = name:
+ { owner ? "root", ... }: {
+ file = ./. + "/${name}";
+ owner = lib.mkDefault (userIfExists owner);
+ };
+ convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+ secrets = import ./secrets.nix;
+ in lib.mapAttrs' convertSecrets secrets;
+
+ identityPaths = options.age.identityPaths.default
+ ++ [ "/home/fcuny/.ssh/id_ed25519" ];
+ };
+}
diff --git a/secrets/network/aptos/wireguard_privatekey.age b/modules/secrets/network/aptos/wireguard_privatekey.age
index 2f6edf3..2f6edf3 100644
--- a/secrets/network/aptos/wireguard_privatekey.age
+++ b/modules/secrets/network/aptos/wireguard_privatekey.age
Binary files differ
diff --git a/secrets/network/tahoe/wireguard_privatekey.age b/modules/secrets/network/tahoe/wireguard_privatekey.age
index 4304cfe..4304cfe 100644
--- a/secrets/network/tahoe/wireguard_privatekey.age
+++ b/modules/secrets/network/tahoe/wireguard_privatekey.age
Binary files differ
diff --git a/secrets/rclone/config.ini.age b/modules/secrets/rclone/config.ini.age
index a017b29..a017b29 100644
--- a/secrets/rclone/config.ini.age
+++ b/modules/secrets/rclone/config.ini.age
Binary files differ
diff --git a/secrets/rclone/gcs_service_account.json.age b/modules/secrets/rclone/gcs_service_account.json.age
index 982dd30..982dd30 100644
--- a/secrets/rclone/gcs_service_account.json.age
+++ b/modules/secrets/rclone/gcs_service_account.json.age
Binary files differ
diff --git a/secrets/restic/repo-systems.age b/modules/secrets/restic/repo-systems.age
index 79363e6..79363e6 100644
--- a/secrets/restic/repo-systems.age
+++ b/modules/secrets/restic/repo-systems.age
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
new file mode 100644
index 0000000..45b1d33
--- /dev/null
+++ b/modules/secrets/secrets.nix
@@ -0,0 +1,27 @@
+let
+ fcuny_aptos =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdlm/qoR/dnMjZhVSTtqFzkgN3Yf9eQ3pgKMiipg+dl";
+ users = [ fcuny_aptos ];
+
+ aptos =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTcPGaiL+/Mwl8JzLHrBwas7QvWPjix4lnaAA1tw+5t";
+ tahoe =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEq1IQRvj2jofCHOO6M28w2SRdgtHU06NJvwAwv/b69F";
+
+ systems = [ aptos tahoe ];
+in {
+ "network/aptos/wireguard_privatekey.age".publicKeys = [ fcuny_aptos aptos ];
+
+ "network/tahoe/wireguard_privatekey.age".publicKeys =
+ [ fcuny_aptos aptos tahoe ];
+
+ "traefik/gcp_service_account.json.age".publicKeys =
+ [ fcuny_aptos aptos tahoe ];
+
+ "unifi/unifi-poller.age".publicKeys = [ fcuny_aptos aptos tahoe ];
+
+ "restic/repo-systems.age".publicKeys = [ fcuny_aptos aptos tahoe ];
+ "rclone/config.ini.age".publicKeys = [ fcuny_aptos aptos tahoe ];
+ "rclone/gcs_service_account.json.age".publicKeys =
+ [ fcuny_aptos aptos tahoe ];
+}
diff --git a/secrets/traefik/gcp_service_account.json.age b/modules/secrets/traefik/gcp_service_account.json.age
index 0f99905..0f99905 100644
--- a/secrets/traefik/gcp_service_account.json.age
+++ b/modules/secrets/traefik/gcp_service_account.json.age
Binary files differ
diff --git a/secrets/unifi/unifi-poller.age b/modules/secrets/unifi/unifi-poller.age
index bd71926..bd71926 100644
--- a/secrets/unifi/unifi-poller.age
+++ b/modules/secrets/unifi/unifi-poller.age |
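Review bot: The `identityPaths` line makes `/home/fcuny/.ssh/id_ed25519` a system-wide decryption identity, so agenix's activation step (which runs as root) can open every secret shipped to the host with a personal user key rather than only the host key; anyone who can read or swap that file, or any backup of that home directory, then holds a key to all of the host's secrets. It also hard-codes one user's home path into a module that is otherwise host-agnostic, and if that key is passphrase-protected or the home directory is not mounted when activation runs, agenix presumably cannot use it. Unless a non-host decryption path is really required at activation time, drop `++ [ "/home/fcuny/.ssh/id_ed25519" ]` and rely on the default host keys, or at least record the reason next to it, e.g. `# NOTE: personal key is an identity here because <reason>; the host key remains primary`. Separately, the `{ owner ? "root", ... }` pattern in `toSecret` means a `group` or `mode` set in secrets.nix is silently dropped; forward them as well (`group = lib.mkDefault group; mode = lib.mkDefault mode;` with defaults in the pattern) so per-secret permissions actually take effect instead of falling back to agenix's defaults unnoticed.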
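Review bot: `network/tahoe/wireguard_privatekey.age` lists `aptos` as a recipient, so the aptos host key can decrypt tahoe's WireGuard private key, while the aptos key two lines above is scoped to `[ fcuny_aptos aptos ]` only; a per-host private key should be readable by that host and the admin key used for re-keying and nothing else, i.e. `"network/tahoe/wireguard_privatekey.age".publicKeys = [ fcuny_aptos tahoe ];` (unless aptos really provisions tahoe's tunnel, which nothing here shows), and the same least-privilege question applies to the two cloud service-account JSONs that are encrypted for both hosts. The `users` and `systems` lists are declared but never referenced, and every entry repeats its recipient list by hand, which is how asymmetries like this slip in; define `all = users ++ systems;` and write the shared entries as `"restic/repo-systems.age".publicKeys = all;` so only genuinely host-specific entries spell recipients out. A short header comment stating that `publicKeys` is read by the agenix CLI at encryption time, and that changing a recipient list requires re-keying the existing `.age` files before the change takes effect, would help the next maintainer.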