From 0b8de70330af79e4fcb655688bac0072fe6aeb37 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 27 Aug 2023 01:19:03 +0200
Subject: [PATCH] chore: generate and use new secrets
---
 hosts/sentinel/oauth2.nix | 6 +++++-
 .../generated/sentinel/oauth2-client-secret.age | 10 ++++++++++
 .../ward-kanidm/kanidm-oauth2-forgejo.age | 11 +++++++++++
 .../ward-kanidm/kanidm-oauth2-grafana.age | Bin 0 -> 381 bytes
 .../ward-kanidm/kanidm-oauth2-web-sentinel.age | 10 ++++++++++
 5 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 secrets/generated/sentinel/oauth2-client-secret.age
 create mode 100644 secrets/generated/ward-kanidm/kanidm-oauth2-forgejo.age
 create mode 100644 secrets/generated/ward-kanidm/kanidm-oauth2-grafana.age
 create mode 100644 secrets/generated/ward-kanidm/kanidm-oauth2-web-sentinel.age
diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix
index 19ff6f2..48f6109 100644
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@@ -46,7 +46,6 @@
 redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token";
 validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
 clientID = clientId;
- keyFile = config.age.secrets.oauth2-cookie-secret.path;
 email.domains = ["*"];
 extraConfig = {
@@ -55,4 +54,9 @@
 #skip-provider-button = true;
 };
 };
+
+ systemd.services.oauth2_proxy.serviceConfig.EnvironmentFile = [
+ config.age.secrets.oauth2-cookie-secret.path
+ config.age.secrets.oauth2-client-secret.path
+ ];
 }
diff --git a/secrets/generated/sentinel/oauth2-client-secret.age b/secrets/generated/sentinel/oauth2-client-secret.age
new file mode 100644
index 0000000..44188cc
--- /dev/null
+++ b/secrets/generated/sentinel/oauth2-client-secret.age
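Review bot: The two paths added to `serviceConfig.EnvironmentFile` in the second hunk only do anything if the decrypted age files are systemd environment fragments (`OAUTH2_PROXY_COOKIE_SECRET=…` and `OAUTH2_PROXY_CLIENT_SECRET=…`); a file holding a bare secret value defines no variable, and nothing in this file records that contract now that the explicit `keyFile` option is gone. I would add a why-comment above the assignment: `# Both age secrets must decrypt to KEY=VALUE lines (OAUTH2_PROXY_COOKIE_SECRET / OAUTH2_PROXY_CLIENT_SECRET). systemd reads EnvironmentFile as root before the service drops privileges, so the decrypted files can stay root-only.` The declaration of `age.secrets.oauth2-client-secret` and the generator that produced `oauth2-client-secret.age` are not in this hunk, so I cannot confirm the file format; if the generator emits the raw Kanidm client secret, it should prepend the variable name instead. The enclosing attribute set starts above the hunk.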
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 5TjTxQw48pHP3ns0GRrkVjHedoEnu82sv/5OtYZBFyM +y3iPeOI5oGzTG+cZmIhFeOlvYVSbq+ISJq1XG7ouL00 +-> piv-p256 xqSe8Q ArPaLs8WYjgMN+kOzXDEsiCBvqdjU/WVmFGsU9hSn5oz +HYpOCs8Mysegzk0VJ5i4yYxAV95s/B0RIb3opvGpFlo +-> O[]-grease 1TcN!PY +LArbTZLib5yBGl70FKw3Sfsy3LWfvcvDJCCCeHmn9j26hQx+NGIsj/KJ00cN/zb7 +zj9v2QZZqOFafyUT7t3rdqkK +--- 9uRRxrzXDJ65tOb3Y13LGGyovnN+Se2x781QCDEHpz0 +6æp>Jot_/*zxvő˥ҷFS LGmʵA\;ؼ! ,E#XNzyG~0$-S \ No newline at end of file diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-forgejo.age b/secrets/generated/ward-kanidm/kanidm-oauth2-forgejo.age new file mode 100644 index 0000000..f4d41aa --- /dev/null +++ b/secrets/generated/ward-kanidm/kanidm-oauth2-forgejo.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 6svR9FxeCfNCAHbxLZhh83mQTcmPKYRcIQovBFF15TI +vWV7btlmt0CvRX1iBBh+s1Sy0gI+XPIDQWlHct2T6k8 +-> piv-p256 xqSe8Q AjJtyH+kwD0KROHPs6hmZfCFDGM9MH79URrmKcD0HXzr +JqlKNTOXebzG6iH6BYQ2nteiQEsunl0eWrTLkN/w2fE +-> jU-grease Q7, Tgb +CJ9w/mvrGz9ZTjj7H2anoA3Y70tFeoWQbXzKZUPHPG17OuB3lcIVEXMoruvV02eZ +nid+JBBulFiOqaatm+yL7DGt08nKfGm+YSS55R7LDGipmp5maDotqIRbm2w +--- 8c/0zJWpfnsDr0hAVs8Zl3Wo0F/jVOw3Dvi6rUDlpv0 +]Mő5Mb+} +[z|SfP/m6^927p E?l;C5f"B, \ No newline at end of file diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-grafana.age b/secrets/generated/ward-kanidm/kanidm-oauth2-grafana.age new file mode 100644 index 0000000000000000000000000000000000000000..1ff6cd2bf25f822e818a39651de7d5633ea71fd2 GIT binary patch literal 381 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{a}t2+DTPcdu~sEOig?_YJm4 zEUCx}C@n27Hctxhi8R(X%5gK&4=#2!FyZpZC@x5~FiJ}Hstk8`OfxJC_46)Di82W_ zsxmb5j4+Qfc1rimC^L`nbOhN@kXfc%U}S2hP*E71Y7wa5XcAIT98sWOoShn87?N*f z7-bfgZE9+yU7q6^ X25519 YpfsXOubxJqRA44WEtm4+DleuReMP3OXiCGNQLpwkGg +rrL3eqaG0GzvOBnqB09BuUosAkq4EQs1fF4Qe+p5csE +-> piv-p256 xqSe8Q Agz+luMhbrLq1vZdQg6FCxyp08Jhn0/H6zKJkl9xpcQw +5hjyXxHmOW1JW0fr2/BRI/lDLuOFqZHESUYrpPlSSyY +-> f@