From 60c469ee7f182bb861555a5b0730d0d5c4744dbe Mon Sep 17 00:00:00 2001
From: Nick
Date: Fri, 28 Nov 2025 20:18:12 -0600
Subject: [PATCH 1/2] feat: cleaned up secrets and tested restic

---
 modules/nixos/services/restic/default.nix | 38 +++++++----------------
 parts/default.nix | 6 ++++
 secrets/secrets.yaml | 22 ++++++-------
 3 files changed, 28 insertions(+), 38 deletions(-)

diff --git a/modules/nixos/services/restic/default.nix b/modules/nixos/services/restic/default.nix
index 2c1ab9b..ceb49df 100755
--- a/modules/nixos/services/restic/default.nix
+++ b/modules/nixos/services/restic/default.nix
@@ -9,7 +9,7 @@ let
 inherit (flake.config.people) user0;
 envFile = "backblaze/env";
 repoFile = "backblaze/repo";
- passFile = "restic-pass";
+ passFile = "restic/pass";
 in
 {
 services.restic = {
@@ -25,20 +25,20 @@ in
 };
 paths =
 let
- instanceHelper = instance: instances.${instance}.mntPaths.path0;
+ inst = instance: instances.${instance}.mntPaths.path0;
 in
 [
 "/home/${user0}/.ssh"
- (instanceHelper "firefly-iii")
- (instanceHelper "forgejo")
- (instanceHelper "mastodon")
- (instanceHelper "opencloud")
- (instanceHelper "minecraft0")
- (instanceHelper "minecraft1")
- (instanceHelper "vaultwarden")
- ((instanceHelper "jellyfin") + "/cache")
- ((instanceHelper "jellyfin") + "/data")
- ((instanceHelper "jellyfin") + "/media/music")
+ (inst "firefly-iii")
+ (inst "forgejo")
+ (inst "mastodon")
+ (inst "opencloud")
+ (inst "minecraft0")
+ (inst "minecraft1")
+ (inst "vaultwarden")
+ ((inst "jellyfin") + "/cache")
+ ((inst "jellyfin") + "/data")
+ ((inst "jellyfin") + "/media/music")
 ];
 };
 };
@@ -63,18 +63,4 @@ in
 ]
 );
 };
-
- environment = {
- variables = {
- # AWS_ACCESS_KEY_ID = "";
- # AWS_SECRET_ACCESS_KEY = "";
- # RESTIC_PASSWORD_FILE = "pass.txt";
- # RESTIC_REPOSITORY = "";
- };
- systemPackages = builtins.attrValues {
- inherit (pkgs)
- restic
- ;
- };
- };
 }
diff --git a/parts/default.nix b/parts/default.nix
index a90d9a1..8ca81e4 100755
--- a/parts/default.nix
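Review bot: The paths list in the second hunk backs up the live `mntPaths.path0` directories of database-backed services (`firefly-iii`, `forgejo`, `mastodon`, `vaultwarden`) straight from disk; unless a `backupPrepareCommand` dumps their databases first (not visible in this diff), a snapshot taken mid-write may not restore cleanly, so this is worth confirming and worth a comment on the list either way, e.g. `# live service dirs: restore consistency relies on backupPrepareCommand dumps`. The third hunk also drops `restic` from `environment.systemPackages`, so manual restore checks on the host now depend on the module's per-backup wrapper scripts being enabled; if those are not in use, keep the package. The `services.restic` block begins and ends outside these hunks.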
+++ b/parts/default.nix
@@ -13,12 +13,14 @@
 packages = builtins.attrValues {
 inherit (pkgs)
 age
+ fuse
 gitmoji-cli
 graphviz
 imv
 just
 nixfmt
 just-lsp
+ # restic
 rust-analyzer
 rustfmt
 litemdview
@@ -32,6 +34,10 @@
 watchexec
 ;
 };
+ # AWS_ACCESS_KEY_ID = "";
+ # AWS_SECRET_ACCESS_KEY = "";
+ # RESTIC_PASSWORD_FILE = "pass.txt";
+ # RESTIC_REPOSITORY = "";
 shellHook = "${config.pre-commit.installationScript}";
 };
 };
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index b410887..ff428d6 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
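Review bot: The four commented `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `RESTIC_PASSWORD_FILE` / `RESTIC_REPOSITORY` placeholders added before `shellHook` in the second hunk are an invitation to paste the Backblaze credentials into a tracked file the next time restic is tested by hand. This patch already keeps that material under sops as `backblaze/env` and `restic/pass` (see the restic module hunk), so a dev shell that needs it should source the decrypted env file at runtime from `shellHook` rather than carry literal values; if the placeholders are meant as documentation, a one-line comment naming those sops keys says the same without the empty quotes. The `# restic` entry in the first hunk also leaves the binary out of the shell, although the commit message says restic was tested.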
@@ -12,11 +12,12 @@ mastodon: redis: ENC[AES256_GCM,data:lrbTQAuay170fXNUGooG7bJg5lROItwUrnlKYBalo7Zp,iv:osaPJhqOpT5fm4ZYP7rbn0y/jzCfOu8+iPwO8KhRkuM=,tag:ByQjwCT7MtJjgpGWNAoffA==,type:str] pass: ENC[AES256_GCM,data:VlWIQQK89E4FaIUNXu1+sPuEbSQIVdYeGVWt8eztCMpikVsmeFd+G3XxS1Zm76m0tNFZjF7oHILpCudHU4M8k810ePwadcUOiglCP4P2Dkn1vrrB384T5Ed9gn8NHo3S1HlXczsNKmy6j8fP2CNKSb8Mar5VQBbajqryA73bB9pI,iv:EvlNrU4ImdYe5/HQytXCxqDui3Df3oIcC1vLkor7be4=,tag:lnkyjWHyEUTWPVqjwYx+cg==,type:str] fedifetcher-token: ENC[AES256_GCM,data:dKAzD+hDQgbhNosvR7xo8UWe8g8LtaTAvF4oHY9hw5ThXJKN/LplmfoDGSY=,iv:yXaRQGHiJDk+1kco9jTjzD/ava0k6YqcIefm2X/ouYA=,tag:ouqufvNfHA50Sg+IkSgSXw==,type:str] -peertube-smtp: ENC[AES256_GCM,data:rYwL0RNVvC9DUsSRJ5WpLX3VqT4zHYarxSe/tdRBHqs=,iv:cQKRbxdMOF+g84djLZcOk3hMYifucO+r0JxV8EnRjro=,tag:ZnN/LmQ/A3FR4bdJ9DYoEw==,type:str] -peertube-database: ENC[AES256_GCM,data:nm0bHwTcT+ROZc2BC9jx+tXWjZ3689rdn4fdYW+7JTU=,iv:EeQVBAIXPut9gs+I9WpRf7L3f7ACTeTWycUFIKAneKk=,tag:QjGQmZ3zMAgB/WDbxTZVIQ==,type:str] -peertube-redis: ENC[AES256_GCM,data:SQoPzPjgf4YN9dhvO0wo2DEra7cTgfZBx4vCBpNVSXI=,iv:mcCwYtE9E/Mb4V0j9NnU9WhaUMeBpX7BOcc8HGDiEvI=,tag:CsSiS4peZhnZ22uNtUC44w==,type:str] -peertube-root: ENC[AES256_GCM,data:BR0pmqEYYJuDqK7fstyW/hvh8V1GQXVHP24iz2eDeho500IbWaMuDxkNQyfInmIfjC3YvfsHME3S,iv:EgaLKBHYrklF+q5jBPvGKFYJosZxFFMXElTcyKU0ypQ=,tag:PztyBdK5OzeEDvQi/yqRIg==,type:str] -peertube-secret: ENC[AES256_GCM,data:Of4UsWGTXd+uzHE4XkxQOLKBbDd0sQHWQrLgxmn8C9bHgEB85ZnSqOe04IZ4chYKheuzBQ4Vg7pYfGFVBDjx8Q==,iv:cXuVrmQOEHtq7Q6+vzPXKdiuYjLx9hjsd3bCHpBQBqw=,tag:xL8us1XLJsdON/O+BG+xpQ==,type:str] +peertube: + smtp: ENC[AES256_GCM,data:yrx7Ovy3zmApaODk+V3k26XJDUj5sGr0YAQ168V/o0dY,iv:s2P2Rf5/QnjBeNgFTXpXKPI+y8P97RJqaXRK4b19V/w=,tag:4X830RBQFzx1Mirwd5smeA==,type:str] + database: ENC[AES256_GCM,data:T7cd/jrmpzdKuE7nZ6/Zh4DI8E35J26Jn/wt3yZEf+ce,iv:wfeoQljDlp0/isxsbH04ZRG31KTY0d0mBsShjy89ddo=,tag:XrtzpyRr6wvkArg2pGObBQ==,type:str] + redis: 
ENC[AES256_GCM,data:CZ3/Jxs/S8fGnI8iAHrQpu/wxZTsLCLAivVqbFk8dLjL,iv:mYQ3LqVPMFemMrFuvZ4U0hFG7ovsn3oTyDl3WfbYRBM=,tag:Kt0wiO+oJIvTj18COrQ8fg==,type:str] + root: ENC[AES256_GCM,data:cMHXjWtZzeCwuzsw7hhTZI+g9inXV9X0/ez4X8APXria5DuZ+fyqTZu7MMCFceKuQzD3Gp2pyVsIQQ==,iv:S9017GWX6tC6Y0pG/H4SMNhKGE8xModDp7Rpdlehblg=,tag:oRaxoBze+z7DPvtXIQ/ofw==,type:str] + secret: ENC[AES256_GCM,data:I+/FLyqsnt+PFsb0tidton95pwU/kMCL+ajsBrBpa8YdTdosgAK8QQOcJHbbMYKRIoWbsjWjzIqff6jgQ4B7Q/s=,iv:x+VD3KHLeNjvNvfsQqVQk7IJzUyGvSI2MPKCEdUpGks=,tag:1Kz/P9ffIAL4yx7nhVQIow==,type:str] forgejo: database: ENC[AES256_GCM,data:KhwJNJdICaZpnouDecDQM/ShL60nzqzPuyTCO7reilJc,iv:LQord5Bkfhuq/13DqEk51EB+qtunWpJ+g5fFXbhXV90=,tag:TG/fsyXerdy+MEnsjBbuBg==,type:str] smtp: ENC[AES256_GCM,data:rL1loo/yKrIPmZVpa6S8ka9lX2bwkgCNYRCZ1Np07ANp,iv:Si2sqBNlVQzi8rlfp8WQFUoyu4xJGfPYc9N6V6jrry4=,tag:SdPIRaiiIaHe1DnOxp1Y0Q==,type:str] 
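Review bot: The `peertube-smtp` / `-database` / `-redis` / `-root` / `-secret` keys are replaced here by a nested `peertube:` map, but nothing in this patch updates their consumer: `modules/nixos/services/peertube/default.nix` still builds secret names as `"${service.name}-${secret}"` and is only switched to `/` in PATCH 2/2. On its own this commit therefore points sops-nix at keys that no longer exist in the file, which I would expect to surface at activation (decryption of a missing key) rather than at evaluation. Squash the two commits, or move the peertube module rename into this one so each commit deploys cleanly.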
@@ -32,10 +33,6 @@ dns: cloudflare: ENC[AES256_GCM,data:H0ODjZvDZpaicYwM1qX1V05iaiCsJMUo5aIZYVzQ2bGvsVA+nQYKy7i1qCNbG796WmBOvUJOo1XJHsceTyfGB7rQpgs103RA0CXmc9WfvU74tsER+sVbnCxsGrG1kvyZvD80ACsx53s6j9nXkZO2m7uZgdM8LbEEaj/CVOMDg39YWWKwug==,iv:EALcT+2ES7q/4zEwUXDsyrDzSZnUCsYtYZLIU3xNJQs=,tag:RTyPzUpMcrQtDT4UKn4SNw==,type:str] claude-api-key: ENC[AES256_GCM,data:QzGJPBnqx4PrDjNvGeyjl0B/W9pkBS4YWK/lrDK4sx0/eBbwMk2qvi03wOhVfvz71UVRpDIZ0F3eVtB8h8Nr94Ha/8IlFQtKxrh60XIzUs/GLB2jKZursZny8IjqZMrt9YHFOphqAWawB33g,iv:XKPqQ0sGukhy0bPXATYwjJMAfSkXdeanc4kULb5TWmA=,tag:vmH+pzU5qoOF5W0fhVfhDA==,type:str] searx-key: ENC[AES256_GCM,data:kzKWa4xCKDEWocyMmK8FWyAqHM7BuJ1f63XFfO8Dtig=,iv:Vs27/ri4nBzJ/A0LnxsCZD/kYraFZ6tD63VhUqYFwx8=,tag:8gx+j7RenuRzjj0AY5v8uQ==,type:str] -wireguard-CA363: ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1GVC5m8StgsC5uaYEU=,iv:wffyNFWZ36vUjUVMCwo7w16pWWDvnPOUli3tIa/M3S4=,tag:yu7Xl+Ehg1uhzQ3rONSCbA==,type:str] -wireguard-CA220: ENC[AES256_GCM,data:rNy/IMKqAOsgMUu5r8BZsjTCu0L5fDDDV3/g+pkhW1y44Y2rqhhsZgcXG5M=,iv:onyHBn4npqiwC/v37SOMJLLhdfcrtvPmKbMVTgxaSQg=,tag:OmXDL3oYCDPwH1yBsKAYKQ==,type:str] -wireguard-CA358: ENC[AES256_GCM,data:/VewmiNfRc9/wSE7TT+z1F9LLIvr/5wPsQZ/zBwAh3dEi9yswOGyde2b/XQ=,iv:7U5dmqFiwhCoL1moGSfHprv85o5TdMr6T2sNk5gH82I=,tag:T1hqh8CiO2iBa+ksaiKCtA==,type:str] -wireguard-CA627: ENC[AES256_GCM,data:chmDsH2nE0nagjFRZWuxX08/Ykt+rIgCHYkMHd+7nIqihK5SebF7MJlrp84=,iv:NVOlGE7W70nQ0UM/i5WixJvDULO3Y4cLf8h+OAGHhQQ=,tag:L123ShCnr9+kIg1itIoqBA==,type:str] wireguard-private: ENC[AES256_GCM,data:JjkTL+ZiU90Rxq1Ut/0TuLLYINAVjOfjHEC8PvUQJLBCORoimUObKT5Q+XI=,iv:XFuc4SlgiVK0kp+QH/jXKyOrRpjSto+ilnkIxRXzWhQ=,tag:+DpxdNJQQWdbs39yCLFgVQ==,type:str] wireguard-public: ENC[AES256_GCM,data:X2UEVJmLu24w5imKJ6z68wmp4hMdG5ugD59xa9m+xNFTVgOzzhE+0fLN7Rs=,iv:IzW5NkUE6MHpb6Vi2nzCmR9OfB6Ftca5M3xWWhNeZSU=,tag:I2OJPLDC/8YZTjchsIWAwg==,type:str] wireguard-phone-private: 
ENC[AES256_GCM,data:hm6KoNseaalt+/SYCkCW0w4sRzzpNNMjhdaxUG2KryNGgKU3HO4yig7JxuE=,iv:WHDqJFJrNTWdq46VDj8Zf6zCgi6rXwSJvnkY2cyPv4o=,tag:BSzN6WyIJM558EW3q9LicQ==,type:str] @@ -61,7 +58,8 @@ torrent: backblaze: env: ENC[AES256_GCM,data:cdOYt77KocuGB3aqYz13oBokoLkEIgI1AW+cYC5uutgZYujG3PqoLEh6Gvbpzn3O+0OWg1/4UAYr4f2v7oCsgwFzPWS3HrhqC5+kIBjrPCyAnxDxlu2xaQ9hR+ogFh5UTDo=,iv:6+jx4Dj5CNV72DAss6NNYm44f9gSHco/EUBvL2o2CNI=,tag:6/cx84MgTDqQJxu/zINEeA==,type:str] repo: ENC[AES256_GCM,data:sRae9XELIfkWPaXelCdgEXIDbLTHVqGcRO0o+WA9aBfB8MUw92JjRCYgMgGXT0Apy38eszyuEHFB3XPpRmtQ7g==,iv:EilVA9zdHm6B9pTIhNxyj6Th1248nXvh0kpnEqZJ5HI=,tag:q9ASAgx5vgY0IePws4rT5Q==,type:str] -restic-pass: ENC[AES256_GCM,data:WtVFKDBKIdSAgPCsgpSGIMxIjFD2itFUVxzr9T5zWyk=,iv:KEgauoBqD9Htemfznm7n2ImH3HyB3ivYL/etGZHIcC0=,tag:mzJsu5QzqDMTuvulKAxtOA==,type:str] +restic: + pass: ENC[AES256_GCM,data:I5Bf7or9jNwtdK/r/DzUHw6FohzeMtWVrs5AG71geVr6,iv:WnHsFW6oJCBsm84y1rzQ6HbLG8ydPBPQQbHoXKGR7JM=,tag:HsoJxLv8FvrUNSwI0OFCbQ==,type:str] password-user0: ENC[AES256_GCM,data:VKrySmPAKh3UwCQXJS0EnOPPLDrigWtw5g4WMbSGz/VRtbzlQxMIgs42c/8NnHiqr98ifWy7u9c280oo7SrHhQmEOOvxfITQ9A==,iv:toGkVKCjsmtPP5Ukk/q8kPSmJo3FcTAyj2vcIEkHmU0=,tag:Nhucsk1kgx7zDZZQKycKZQ==,type:str] sops: age: 
@@ -74,7 +72,7 @@ sops:
 bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
 aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-27T18:54:52Z"
- mac: ENC[AES256_GCM,data:ZxkJZUJJ1AfDlmxAy8Botu73EPt+1prsdbX7RhU9bVNaEhpPzrvqlO74D8ek/OqFG51k1K4mdW5SWXWs/D5oR34i/yA+329j4jHNAe3Yajkx1gn/xDEa/kgiVGkc7dE3dnzmy5zr4X8U06khJl9rg+qLujke0GCgIv+82xkFFRI=,iv:0UYNIZTxXdPqrZsjVYNGfSlt6UH3+Q102EF6XeC5yh4=,tag:3oj0X73xRnGBXWdGsUv2xg==,type:str]
+ lastmodified: "2025-11-29T01:51:40Z"
+ mac: ENC[AES256_GCM,data:Ojnh9iSEc3FRAOkRzoq58UxX/C7Vn8KxbDf4sBmgnmiJIFq4ZKLfckOI4kXvDT/x+y+QjP0mZyh+AkK9nOpnxw3XTayCOGiG5ozaReJFaQ5LTRurxTY6go81GBSLclho8O6f8ep0DIHkGYPlIC468D4HQq+pVQAOZfPBRARTpZc=,iv:f5fEL+pjHGD8MnCkTOYCQ7lSy6pePZI4Q9dGQ48mE/A=,tag:7Ft2VrVY9vTcQuIl2O8yOg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0

From 9df4b8c8a0b21c8b99316a0d55786259b7ef49bd Mon Sep 17 00:00:00 2001
From: Nick
Date: Fri, 28 Nov 2025 20:35:50 -0600
Subject: [PATCH 2/2] chore: refactored sops secrets

---
 modules/nixos/core/environment/default.nix | 2 +-
 modules/nixos/desktop/network/default.nix | 4 +--
 .../nixos/services/glance/config/server.nix | 2 +-
 modules/nixos/services/glance/default.nix | 2 +-
 modules/nixos/services/peertube/default.nix | 14 ++++----
 modules/nixos/services/restic/default.nix | 1 -
 .../nixos/services/searx/config/server.nix | 2 +-
 modules/nixos/services/searx/default.nix | 2 +-
 profiles/user0/default.nix | 6 ++--
 secrets/secrets.yaml | 36 +++++++++++--------
 systems/ceres/config/wireguard.nix | 6 ++--
 systems/deimos/config/wireguard.nix | 6 ++--
 systems/mars/config/wireguard.nix | 6 ++--
 13 files changed, 47 insertions(+), 42 deletions(-)

diff --git a/modules/nixos/core/environment/default.nix b/modules/nixos/core/environment/default.nix
index eeb9c3c..209e0c4 100755
--- a/modules/nixos/core/environment/default.nix
+++ b/modules/nixos/core/environment/default.nix
@@ -31,7 +31,7 @@ in
 NIXPKGS_ALLOW_INSECURE = "1";
 NIXPKGS_ALLOW_UNFREE = "1";
 GTK_THEME = "catppuccin-macchiato-mauve-compact";
- # ANTHROPIC_API_KEY = config.sops.secrets.claude-api-key.path;
+ # ANTHROPIC_API_KEY = config.sops.secrets."claude/key".path;
 };
 };
 }
diff --git a/modules/nixos/desktop/network/default.nix b/modules/nixos/desktop/network/default.nix
index cbcf3a5..e06bab1 100755
--- a/modules/nixos/desktop/network/default.nix
+++ b/modules/nixos/desktop/network/default.nix
@@ -6,13 +6,13 @@ in
 networking.wireless = {
 networks = {
 "TheWeeFeez!" = {
- psk = config.sops.secrets."wifi-home".path;
+ psk = config.sops.secrets."wifi/home".path;
 };
 };
 };
 sops = {
 secrets = {
- "wifi-home" = {
+ "wifi/home" = {
 path = "/var/lib/secrets/wifi-home-pass";
 owner = user0;
 };
diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix
index 37dec84..be848e5 100755
--- a/modules/nixos/services/glance/config/server.nix
+++ b/modules/nixos/services/glance/config/server.nix
@@ -10,7 +10,7 @@ in
 host = ceres.wireguard.ip0;
 port = configHelpers.service.ports.port0;
 # auth = {
- # secret-key = config.sops.secrets."${service.name}-key".path;
+ # secret-key = config.sops.secrets."${service.name}/key".path;
 # users.${user0}.password = config.sops.secrets."${service.name}-${user0}-pass".path;
 # };
 }
diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/services/glance/default.nix
index 1afdc33..4730737 100755
--- a/modules/nixos/services/glance/default.nix
+++ b/modules/nixos/services/glance/default.nix
@@ -61,7 +61,7 @@ in
 secrets = builtins.listToAttrs (
 map
 (secret: {
- name = "${configHelpers.service.name}-${secret}";
+ name = "${configHelpers.service.name}/${secret}";
 value = sopsPath secret;
 })
 [
diff --git a/modules/nixos/services/peertube/default.nix b/modules/nixos/services/peertube/default.nix
index 774ab2c..a860bc9 100755
--- a/modules/nixos/services/peertube/default.nix
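Review bot: In the `modules/nixos/desktop/network/default.nix` hunk, `psk = config.sops.secrets."wifi/home".path;` hands wpa_supplicant a file path where the option expects the passphrase itself: `networking.wireless.networks.<name>.psk` is written verbatim into the generated wpa_supplicant.conf (which lands in the Nix store), so the network is configured with the literal string `/var/lib/secrets/wifi-home-pass` as its PSK and the decrypted secret is never read. The rename carries this pre-existing mistake forward rather than fixing it. The supported way to keep the PSK out of the store is `networking.wireless.secretsFile = config.sops.secrets."wifi/home".path;` together with `pskRaw = "ext:wifi_home";` and the decrypted file holding a `wifi_home=<passphrase>` line (older module versions used `environmentFile` with an `@VAR@` placeholder; check which one the pinned nixpkgs provides). With that in place `owner = user0;` should no longer be needed, since wpa_supplicant reads the file as root — worth confirming before tightening it.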
+++ b/modules/nixos/services/peertube/default.nix
@@ -28,7 +28,7 @@ in
 listenWeb = caddy.ports.port1;
 listenHttp = service.ports.port0;
 localDomain = host;
- serviceEnvironmentFile = config.sops.secrets."${service.name}-root".path;
+ serviceEnvironmentFile = config.sops.secrets."${service.name}/root".path;
 user = service.name;
 plugins = {
 enable = true;
@@ -43,7 +43,7 @@ in
 };
 secrets = {
- secretsFile = config.sops.secrets."${service.name}-secret".path;
+ secretsFile = config.sops.secrets."${service.name}/secret".path;
 };
 settings = {
 instance = {
@@ -64,16 +64,16 @@ in
 };
 database = {
 createLocally = true;
- passwordFile = config.sops.secrets."${service.name}-database".path;
+ passwordFile = config.sops.secrets."${service.name}/database".path;
 };
 redis = {
 enableUnixSocket = true;
 createLocally = true;
- passwordFile = config.sops.secrets."${service.name}-redis".path;
+ passwordFile = config.sops.secrets."${service.name}/redis".path;
 };
 smtp = {
 createLocally = true;
- passwordFile = config.sops.secrets."${service.name}-smtp".path;
+ passwordFile = config.sops.secrets."${service.name}/smtp".path;
 };
 };
@@ -94,7 +94,7 @@ in
 sops =
 let
 sopsPath = secret: {
- path = "${service.sops.path0}/${service.name}-${secret}-pass";
+ path = "${service.sops.path0}/${service.name}/${secret}";
 owner = service.name;
 mode = "600";
 };
@@ -103,7 +103,7 @@ in
 secrets = builtins.listToAttrs (
 map
 (secret: {
- name = "${service.name}-${secret}";
+ name = "${service.name}/${secret}";
 value = sopsPath secret;
 })
 [
diff --git a/modules/nixos/services/restic/default.nix b/modules/nixos/services/restic/default.nix
index ceb49df..d79f495 100755
--- a/modules/nixos/services/restic/default.nix
+++ b/modules/nixos/services/restic/default.nix
@@ -1,7 +1,6 @@
 {
 config,
 flake,
- pkgs,
 ...
 }:
 let
diff --git a/modules/nixos/services/searx/config/server.nix b/modules/nixos/services/searx/config/server.nix
index 9ed9cc8..a036dd5 100755
--- a/modules/nixos/services/searx/config/server.nix
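Review bot: In the `@@ -94,7` hunk, `path = "${service.sops.path0}/${service.name}/${secret}"` places the peertube secrets in a `peertube/` subdirectory of `path0`, while the three wireguard files in the same patch (`systems/ceres`, `systems/deimos`, `systems/mars` `config/wireguard.nix`) keep a flat `${service.name}-${secret}` file name, so the repo now has one convention for the sops key and two for the on-disk path; pick one. Whether sops-nix creates the intermediate directory, and with what owner and mode, is not visible here — `owner = service.name; mode = "600";` applies to the file, and the parent directory is what lets the `peertube` user reach it — so this deserves a check on the host before relying on it, and a comment on `sopsPath` stating the expectation, e.g. `# secrets land under path0/<service>/; parent dir must be traversable by the service user`. Dropping the `-pass` suffix also leaves any previously deployed `${service.name}-${secret}-pass` entries under `path0` behind; remove them on deploy rather than keeping stale copies. The `sops` block continues past the end of the hunk.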
+++ b/modules/nixos/services/searx/config/server.nix
@@ -11,7 +11,7 @@ in
 port = configHelpers.service.ports.port0;
 bind_address = if configHelpers.hostname == ceres.name then ceres.wireguard.ip0 else configHelpers.localhost;
- secret_key = config.sops.secrets.searx-key.path;
+ secret_key = config.sops.secrets."searx/key".path;
 limiter = false;
 public_instance = false;
 image_proxy = true;
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index f7070e9..72079d0 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -82,7 +82,7 @@ in
 secrets = builtins.listToAttrs (
 map
 (secret: {
- name = "${configHelpers.service.name}-${secret}";
+ name = "${configHelpers.service.name}/${secret}";
 value = sopsPath secret;
 })
 [
diff --git a/profiles/user0/default.nix b/profiles/user0/default.nix
index e8667c2..1dac1ff 100755
--- a/profiles/user0/default.nix
+++ b/profiles/user0/default.nix
@@ -16,7 +16,7 @@ in
 {
 sops.secrets = {
- "password-user0" = {
+ "passwords/user0" = {
 neededForUsers = true;
 sopsFile = ../../secrets/secrets.yaml;
 };
@@ -25,14 +25,14 @@ in
 users = {
 users = {
 "root" = {
- hashedPasswordFile = config.sops.secrets."password-user0".path;
+ hashedPasswordFile = config.sops.secrets."passwords/user0".path;
 };
 ${user0} = {
 description = name;
 name = user0;
 isNormalUser = true;
 shell = pkgs.nushell;
- hashedPasswordFile = config.sops.secrets."password-user0".path;
+ hashedPasswordFile = config.sops.secrets."passwords/user0".path;
 extraGroups = [
 "adbusers"
 "caddy"
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index ff428d6..1836602 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -31,23 +31,28 @@ vaultwarden: dns: namecheap: ENC[AES256_GCM,data:Afxyf4cHvdnPIXYoPN3viBOzzqUOeRs3YjQ5ugerlnL9H4iSf/iAsxyzHYysOgZ/9xc0OWt6G6A7cEZHW4i82MX1+mLbvWN5ir1iHL73RtesC14=,iv:3XMTQ4TNL7iXPYFLSa+BapSgqILYuM6ZaQLMQZSJ2pc=,tag:PO69wRhCoey+CwPgnOOR6A==,type:str] cloudflare: ENC[AES256_GCM,data:H0ODjZvDZpaicYwM1qX1V05iaiCsJMUo5aIZYVzQ2bGvsVA+nQYKy7i1qCNbG796WmBOvUJOo1XJHsceTyfGB7rQpgs103RA0CXmc9WfvU74tsER+sVbnCxsGrG1kvyZvD80ACsx53s6j9nXkZO2m7uZgdM8LbEEaj/CVOMDg39YWWKwug==,iv:EALcT+2ES7q/4zEwUXDsyrDzSZnUCsYtYZLIU3xNJQs=,tag:RTyPzUpMcrQtDT4UKn4SNw==,type:str] -claude-api-key: ENC[AES256_GCM,data:QzGJPBnqx4PrDjNvGeyjl0B/W9pkBS4YWK/lrDK4sx0/eBbwMk2qvi03wOhVfvz71UVRpDIZ0F3eVtB8h8Nr94Ha/8IlFQtKxrh60XIzUs/GLB2jKZursZny8IjqZMrt9YHFOphqAWawB33g,iv:XKPqQ0sGukhy0bPXATYwjJMAfSkXdeanc4kULb5TWmA=,tag:vmH+pzU5qoOF5W0fhVfhDA==,type:str] -searx-key: ENC[AES256_GCM,data:kzKWa4xCKDEWocyMmK8FWyAqHM7BuJ1f63XFfO8Dtig=,iv:Vs27/ri4nBzJ/A0LnxsCZD/kYraFZ6tD63VhUqYFwx8=,tag:8gx+j7RenuRzjj0AY5v8uQ==,type:str] -wireguard-private: ENC[AES256_GCM,data:JjkTL+ZiU90Rxq1Ut/0TuLLYINAVjOfjHEC8PvUQJLBCORoimUObKT5Q+XI=,iv:XFuc4SlgiVK0kp+QH/jXKyOrRpjSto+ilnkIxRXzWhQ=,tag:+DpxdNJQQWdbs39yCLFgVQ==,type:str] -wireguard-public: ENC[AES256_GCM,data:X2UEVJmLu24w5imKJ6z68wmp4hMdG5ugD59xa9m+xNFTVgOzzhE+0fLN7Rs=,iv:IzW5NkUE6MHpb6Vi2nzCmR9OfB6Ftca5M3xWWhNeZSU=,tag:I2OJPLDC/8YZTjchsIWAwg==,type:str] -wireguard-phone-private: ENC[AES256_GCM,data:hm6KoNseaalt+/SYCkCW0w4sRzzpNNMjhdaxUG2KryNGgKU3HO4yig7JxuE=,iv:WHDqJFJrNTWdq46VDj8Zf6zCgi6rXwSJvnkY2cyPv4o=,tag:BSzN6WyIJM558EW3q9LicQ==,type:str] -wireguard-phone-public: ENC[AES256_GCM,data:gGMAIg3T6dOmo1z2c6oZ8Sgnylp0wjpADRWRyBCAEhmlJp1PVj+d478TO08=,iv:A4DV7zPKXwVF2nyFySyrmfdExoo3LrbiYt6PYa4/WcQ=,tag:wY4fYv1wXE0tYonrLoHpGQ==,type:str] -wireguard-mars-private: ENC[AES256_GCM,data:pUkR29PgGhHeR3d6fFJDs0bwASaC/RqUTsJe+vYs+P2skIGivkRzhi3LRBE=,iv:JK7O28r73V3NiVGikMIZunJtrdtp4jOGPi2quLYSkWY=,tag:nSHqfnZhiLrm7JuZuJtc7Q==,type:str] -wireguard-mars-public: 
ENC[AES256_GCM,data:fA37Ev7WL2vsgG/PE4YMFHclbhjHqCgNCOiF5J9L5UD8YuGCHUbpTV7A+w4=,iv:K9W/IZatUL+HZ5k9FGjmA4+He4xTO3IAswqpbelfhPw=,tag:FC5kiMD/pdtNjQxklDvfrA==,type:str] -wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0TIFr8/zn2l7AD7NfmpgZXuPII=,iv:tK9Iyll/GXPXNsMXJKpNKSxMqeHLqSgCfQTSM8+NOVU=,tag:yfJP9hjR/6DXgKtFKqR5Zw==,type:str] -wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str] -glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str] +claude: + key: ENC[AES256_GCM,data:2uIoCdnTCbo58ZSVaQMmDMUen6IBBCXpglg0cfoW40DNP5Wa5luJVn+QrlPfiYMJm6vESfOuKr3XnP0pxR7mGN8z9EGwp4A88YnzQohNL8YUZDhIt8/lrAWEGpyXGvv8FbUssd/BR0sI6u/uRA==,iv:VqORBkpztn25D9AY9H8keTaviiqXND/cK9bRfmtG7uQ=,tag:1lnZqfXY+ZkTeKeZdMlr2g==,type:str] +searx: + key: ENC[AES256_GCM,data:GBdZXEKa9/CQt6GfOjzujj0weJ1N6DrxPPxlUzcRhEPw,iv:WGgIlLIZefJ8YWuf8oBdR1f2Z7s7qVKxGwuSa9ll6wo=,tag:ek/BpRvnGohEYGiaQfmxZg==,type:str] +wireguard: + private: ENC[AES256_GCM,data:WvtevXxIXSo7RgRmjPGRTcPaqxITb05HUqBWi6L2OTi0WoaYBBfDwvxXj68E,iv:x/K+vRnh3D2ZXoBEq04shP/7G90WpSSIfzPKO/ovClg=,tag:J3X9/SAlxjBBP1UJOh2z4Q==,type:str] + public: ENC[AES256_GCM,data:jv9+6L0wVw4CPqalirTEoTSlg6cRoiwRUXB4nddUqRV7HOQT8KxLoCVyowQs,iv:/uo+hOtb9H7q2zjvK+syCfus0joTolnvK8CGGRgdVgY=,tag:l9dmh4yUZEGwZVlyq5GK6A==,type:str] + phone-private: ENC[AES256_GCM,data:VsyKRS3G4Jb1zbvPfwJ57KRp9lpgR0X0g1YXKOX0BfLmWCvjVpCDGLMaS69w,iv:P4hXJohkAFgJXjP3/sSWdxbTinFidtbQ4T19eWfPVXA=,tag:huYs/zP6pAJUdvXAsN8NXw==,type:str] + phone-public: ENC[AES256_GCM,data:9CPAWETK3UlLrq4rX6G5gG7YBtMBZ3YpKEvA+q4TRrXzPjMhxm0iXHBo7iKT,iv:9hxWvd9TfJLnz40e7k9RD1U1cWYmLWCd3pagfh7NbBw=,tag:J51qDgxRRcq1fCZyoaYG6Q==,type:str] + mars-private: 
ENC[AES256_GCM,data:8pDGDdiye+grBRHjqzvzT9ksSYmDDHEyRR9RdiT1l5q/rDPyJeFBdlBcx7uU,iv:umX+j+3kB1fqFfY++GF20qKTlMUbT68yUlYIhcRBOVM=,tag:5yzNtEFg1fFSQjA5FJhspQ==,type:str] + mars-public: ENC[AES256_GCM,data:xANXRsX7AYr42HMlpQeJsTuJHkoopCUPGaiVbss3K55l1LLDoajjVzjeqLP6,iv:4nyjeuvHNENRguTXypqHIqSYu4TncyPFmE306Ol3vAU=,tag:+kC41plakQWOFqSLNKqHHA==,type:str] + deimos-private: ENC[AES256_GCM,data:2rZ+NokSP5E1Vzlm6mnHh8UGT7S/pXo06c5Z1Zxf4A/m7/VMBzyrPSPBDvmC,iv:1HZGsckq+sUd1mKrM+MBlTvS0C3TVvtoxY42/Xfss1c=,tag:3PLQZ2pVnqxz6WDjenFEWA==,type:str] + deimos-public: ENC[AES256_GCM,data:BWsejiKYvCBKKppZw9ckT6uFSpUqrZPmpoB0O93R4n9RuxkEdwdUJIzBxl9l,iv:weYCa3ZGIjpCnjxJpPP5vvpMq5LQQNQ62DFtUojOuc4=,tag:lY2QZhMbM+gcePRYBYVTQA==,type:str] +glance: + jellyfin: ENC[AES256_GCM,data:Ddpv23kdMGTWvlemn7o5M2ARQ+NuzUfgO9eLuMnRh/kt,iv:RiMRQPoyHtQqqc3wx48g1+Ip3meuCKSOniLZq2iJ3i4=,tag:B2sZT8R4ZnLIKiUMaU3L+w==,type:str] opencloud: projectenv: ENC[AES256_GCM,data:+XCd3xScfxCN1Zl5L+4RAOjpmMPhVLSBtqH2nkEUpXhssy5EU82qAanNmqwiIJ1VrYXYovuu3XOwRKY3Ub1nsR5h1S0KUCwav2zmFKVopxF/5jVNIk6qR8Ggz/fAa1YQSW+SAnrtRGvP0Q1SERlCgnH4isVxNvWPyWCZKIgiX2Enu7hVwsJXKLYDomRWt47zzXNUzw50aFn7xPtXE/AYbMPBa+FweCrCfkaQ6i6jPvkdc6VBYTqIanD0908wB2SJA+1xvY7bYgRVB17/4a/9DuUN5J4xU84TOW7EFkvC/hWhlhC58GqQrOFyAgTP4YJHKGbLVKPlc4fcNMh5+pENpPG2fRDElCaLoJcYe6sYhaCDSegpDR/U9bgzKirnCu/hmdG+NQ3sGK/C89JL2kZT+tVT1u5JWnKGOGvLGQm73QUmnssDZVd8ubNsnd57W7siqAXY3+DN46yLrGgmTfHTRi4x2DKF8VCD9jXOxWsyoLvKYDyz09H9dI72xlCtSmcrFAt7bY7uEAWutrPCf3Kh/gq6oFUAPBEwfqhgnpgGA1vyA6o4zhxl4Rqye5YZMx2uNkxdA4wmk9KB/e7BVR/P04TSXoAV931OX7bnlw3XjSw5NTPEPnpmwZ3VPRGGkz171RiQQp+CkwUr35+DdwFrGazuv3wlwAhM19h9SRn8jikrw6PPGVehYp8mB/FhpNgqV0nM2DfjaBqE3yMfDzXH5b92t4Q=,iv:6mlHq6yh03x/FbZNu+A9QBoV6ALX1rRWuL13ItJWriI=,tag:tK6Ek2fzgPPWT8WCeU1Frw==,type:str] caddy: share-auth: 
ENC[AES256_GCM,data:3jY2B2GOdz5EPJeAyVsk4XCs5NMft3VquIBep7SxYtEZ9H7IDroq1U1Sch6YVQ7VcL85L4Ix/OVPm4jVDEA0sZiGkltbYXRXZ8CR34ifsHtHR35lgjXyj8ZhJLydw7LgmZCEztWO8GjLdvSY,iv:MT5sA32Djx81HGc36rqV2xS5KUHLAeTyZiOdSu8oqQY=,tag:V1dv4yS2RXf4Xqrl5+tEuA==,type:str] comfyui-auth: ENC[AES256_GCM,data:7VTXoRxnD0NyVCFRAjHaZswEUsFuQd/ZIwVfqGPmNNV87hn6CBYWvxvcPPFwe+uw7BmKMt+I66DyKx5ydYENTWxPocyT/rFdgdtWwNoenj+JwsUzegmMbEiH2HCZdiwKj0h1lo142mtA6zkc,iv:xT5XHCj8D4dyvglstE2oqo92fLdscCkaNMux43hJ7nQ=,tag:HgU9wAmjPvfoDXgnorB5yA==,type:str] -wifi-home: ENC[AES256_GCM,data:5NYSCUyalDf7gZF7WaRQJCo=,iv:RkVZKsmVEBg5M28DSkBD41673iLM+dqDAAhSwjqejck=,tag:QQ17VSWOnU0bGglZq6455Q==,type:str] +wifi: + home: ENC[AES256_GCM,data:kjidpmWRBta4EZkLBkDpVtku,iv:8SYK/6LhovjqfhKaAvgsQZj3CiTSjS5BHCDgei91pOI=,tag:RjOHpV92r0T7j7uwXmVsGA==,type:str] firefly-iii: pass: ENC[AES256_GCM,data:WjHcoTuEzEq9pfw4QoqRjI4jhu5VPEMOXlHL0olg9dqUj4EGa1Shv5T/kIxdRFuao0y3zQ==,iv:4/fmFOxxDLzplsNGpSJMQOeoNviZw2c2pFlB1ZkRu+o=,tag:7TQ2q/kEFDU4tZxPx53ebw==,type:str] data: ENC[AES256_GCM,data:921LhcRTWVk24eEAQoDMV+RllSP3PbSXCCIDXlQA80Mq,iv:YXEgas77DgdyPTnBZa/ySjcERBIwmdDZJbijeNKNF24=,tag:Wj25wA7tLJ2bZ/faG9DUhg==,type:str] 
@@ -60,7 +65,8 @@ backblaze: repo: ENC[AES256_GCM,data:sRae9XELIfkWPaXelCdgEXIDbLTHVqGcRO0o+WA9aBfB8MUw92JjRCYgMgGXT0Apy38eszyuEHFB3XPpRmtQ7g==,iv:EilVA9zdHm6B9pTIhNxyj6Th1248nXvh0kpnEqZJ5HI=,tag:q9ASAgx5vgY0IePws4rT5Q==,type:str] restic: pass: ENC[AES256_GCM,data:I5Bf7or9jNwtdK/r/DzUHw6FohzeMtWVrs5AG71geVr6,iv:WnHsFW6oJCBsm84y1rzQ6HbLG8ydPBPQQbHoXKGR7JM=,tag:HsoJxLv8FvrUNSwI0OFCbQ==,type:str] -password-user0: ENC[AES256_GCM,data:VKrySmPAKh3UwCQXJS0EnOPPLDrigWtw5g4WMbSGz/VRtbzlQxMIgs42c/8NnHiqr98ifWy7u9c280oo7SrHhQmEOOvxfITQ9A==,iv:toGkVKCjsmtPP5Ukk/q8kPSmJo3FcTAyj2vcIEkHmU0=,tag:Nhucsk1kgx7zDZZQKycKZQ==,type:str] +passwords: + user0: ENC[AES256_GCM,data:72ABhoc8Hjdf56eHkxu82Ls1zTJwUJRkly9hqlHKhQ4INepT66LrUGRHUG1x+4FemNWvAirEXVHvPVtu+rArCrDpGP2ZIbP77f8=,iv:ukq8E7orUwFOUfoqPp9RMjZNm0MMobXcjbWLzx9z1+4=,tag:E9OTDzLkliDIlH5DrLqQVw==,type:str] sops: age: - recipient: age19dpncsdphdt2tmknjs99eghk527pvdrw0m29qjn2z2gg3et5tdtqycqhl0 @@ -72,7 +78,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-29T01:51:40Z" - mac: ENC[AES256_GCM,data:Ojnh9iSEc3FRAOkRzoq58UxX/C7Vn8KxbDf4sBmgnmiJIFq4ZKLfckOI4kXvDT/x+y+QjP0mZyh+AkK9nOpnxw3XTayCOGiG5ozaReJFaQ5LTRurxTY6go81GBSLclho8O6f8ep0DIHkGYPlIC468D4HQq+pVQAOZfPBRARTpZc=,iv:f5fEL+pjHGD8MnCkTOYCQ7lSy6pePZI4Q9dGQ48mE/A=,tag:7Ft2VrVY9vTcQuIl2O8yOg==,type:str] + lastmodified: "2025-11-29T02:32:25Z" + mac: ENC[AES256_GCM,data:DiW/akEjhRu7Bvfh3je1llcfj6ytRT5+ntWUIobdvVZA4fu7z00skzUYiAdAg/CAnepEgAJ1R8JDag/TFIrnKg+JHM4Kdv7F4Ier/qaSGURxGQ/rxG5jwsj5N9ar8nWxpt9X3Ox7alyNyGpCW5bzbLL2EWzPmHVQiHWpfrlkivc=,iv:QOWZ5uAq7eNPiJF2/YY83bCnSaCXhm3b25egDcFDczg=,tag:zSlHQvCRugSP/wxJ7P+gGw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix index 19d717d..1890381 100755 --- a/systems/ceres/config/wireguard.nix 
+++ b/systems/ceres/config/wireguard.nix
@@ -20,7 +20,7 @@ in
 wg0 = {
 ips = [ "${ceres.wireguard.ip0}/24" ];
 listenPort = service.ports.port1;
- privateKeyFile = config.sops.secrets."${service.name}-private".path;
+ privateKeyFile = config.sops.secrets."${service.name}/private".path;
 peers = [
 # if you need to create a new key pair
 # wg genkey | save --raw --force privatekey
@@ -41,7 +41,7 @@ in
 sops =
 let
 sopsPath = secret: {
- path = "${service.sops.path0}/${service.name}-${secret}-pass";
+ path = "${service.sops.path0}/${service.name}-${secret}";
 owner = "root";
 mode = "600";
 };
@@ -50,7 +50,7 @@ in
 secrets = builtins.listToAttrs (
 map
 (secret: {
- name = "${service.name}-${secret}";
+ name = "${service.name}/${secret}";
 value = sopsPath secret;
 })
 [
diff --git a/systems/deimos/config/wireguard.nix b/systems/deimos/config/wireguard.nix
index ca471a2..d4b55aa 100755
--- a/systems/deimos/config/wireguard.nix
+++ b/systems/deimos/config/wireguard.nix
@@ -9,7 +9,7 @@ in
 wireguard.interfaces = {
 wg0 = {
 ips = [ "${deimos.wireguard.ip0}/32" ];
- privateKeyFile = config.sops.secrets."${service.name}-deimos-private".path;
+ privateKeyFile = config.sops.secrets."${service.name}/deimos-private".path;
 };
 };
 };
@@ -17,7 +17,7 @@ in
 sops =
 let
 sopsPath = secret: {
- path = "${service.sops.path0}/${service.name}-${secret}-pass";
+ path = "${service.sops.path0}/${service.name}-${secret}";
 owner = "root";
 mode = "600";
 };
@@ -26,7 +26,7 @@ in
 secrets = builtins.listToAttrs (
 map
 (secret: {
- name = "${service.name}-${secret}";
+ name = "${service.name}/${secret}";
 value = sopsPath secret;
 })
 [
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index 70f0f09..d3e6148 100755
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
@@ -9,7 +9,7 @@ in
 wireguard.interfaces = {
 wg0 = {
 ips = [ "${mars.wireguard.ip0}/32" ];
- privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
+ privateKeyFile = config.sops.secrets."${service.name}/mars-private".path;
 };
 };
 };
@@ -17,7 +17,7 @@ in
 sops =
 let
 sopsPath = secret: {
- path = "${service.sops.path0}/${service.name}-${secret}-pass";
+ path = "${service.sops.path0}/${service.name}-${secret}";
 owner = "root";
 mode = "600";
 };
@@ -26,7 +26,7 @@ in
 secrets = builtins.listToAttrs (
 map
 (secret: {
- name = "${service.name}-${secret}";
+ name = "${service.name}/${secret}";
 value = sopsPath secret;
 })
 [