chore: move generated secrets to separate directory

flake.lock

@@ -47,12 +47,13 @@
         ]
       },
       "locked": {
-        "lastModified": 1687304097,
-        "narHash": "sha256-VId0oZxpYm4HSHwbsuGKI84zFkL6Gp4wuoJbbl52oZg=",
-        "owner": "oddlama",
-        "repo": "agenix-rekey",
-        "rev": "b1811920562ba287b680f35644ce3ed78d029cdf",
-        "type": "github"
+        "lastModified": 1690798647,
+        "narHash": "sha256-7871l3pVqSIozmY/31G2aJRVmbN3kHbxj+GP2LS9N6k=",
+        "ref": "refs/heads/main",
+        "rev": "af31e2c282ab26d2c7bb3524f6508df1cb88ff10",
+        "revCount": 72,
+        "type": "git",
+        "url": "file:///root/projects/agenix-rekey"
       },
       "original": {
         "owner": "oddlama",
@@ -159,11 +160,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690278259,
-        "narHash": "sha256-0Ujy0ZD1Yg5+QDaEnk4TeYhIZ6AckRORrXLGsAEhFKE=",
+        "lastModified": 1690739034,
+        "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5b19fb2e74df312751cecbf0f668217eb59d9170",
+        "rev": "4015740375676402a2ee6adebc3c30ea625b9a94",
         "type": "github"
       },
       "original": {
@@ -364,11 +365,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690269402,
-        "narHash": "sha256-SybA24IOGigiHfcTB5eBge4UZQI6a0z8Ah+EzD17tdk=",
+        "lastModified": 1690790567,
+        "narHash": "sha256-fymHCZFy+qjrNh+EZDHYEEtbZw1TvjtxtCBPBSWU7CM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0306d5ed7e9d1662b55ec0d08afc73d4cb5eadca",
+        "rev": "729ab77f9e998e0989fa30140ecc91e738bc0cb1",
         "type": "github"
       },
       "original": {
@@ -379,11 +380,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1684264534,
-        "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=",
+        "lastModified": 1690797372,
+        "narHash": "sha256-GImz19e33SeVcIvBB7NnhbJSbTpFFmNtWLh7Z85Y188=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "89253fb1518063556edd5e54509c30ac3089d5e6",
+        "rev": "e3a7acd113903269a1b5c8b527e84ce7ee859851",
         "type": "github"
       },
       "original": {
@@ -414,10 +415,12 @@
         ]
       },
       "locked": {
-        "lastModified": 1689768420,
-        "narHash": "sha256-j6i9S2UNoBIpkUvGmI3GZr+rX4YiwACZsMypwKJJ9Tw=",
-        "type": "git",
-        "url": "file:///root/projects/microvm.nix"
+        "lastModified": 1690673766,
+        "narHash": "sha256-CXid4DnH57//153gEdI+E9Fljoy7LMpf3xhBI1C40bI=",
+        "owner": "astro",
+        "repo": "microvm.nix",
+        "rev": "3183d2a0c00e25772ed3926a24908e3445c69bbc",
+        "type": "github"
       },
       "original": {
         "owner": "astro",
@@ -463,11 +466,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1690200740,
-        "narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=",
+        "lastModified": 1690704397,
+        "narHash": "sha256-sgIWjcz0e+x87xlKg324VtHgH55J5rIuFF0ZWRDvQoE=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf",
+        "rev": "96e5a0a0e8568c998135ea05575a9ed2c87f5492",
         "type": "github"
       },
       "original": {
@@ -499,11 +502,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1690179384,
-        "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=",
+        "lastModified": 1690640159,
+        "narHash": "sha256-5DZUYnkeMOsVb/eqPYb9zns5YsnQXRJRC8Xx/nPMcno=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a",
+        "rev": "e6ab46982debeab9831236869539a507f670a129",
         "type": "github"
       },
       "original": {
@@ -586,11 +589,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1689668210,
-        "narHash": "sha256-XAATwDkaUxH958yXLs1lcEOmU6pSEIkatY3qjqk8X0E=",
+        "lastModified": 1690743255,
+        "narHash": "sha256-dsJzQsyJGWCym1+LMyj2rbYmvjYmzeOrk7ypPrSFOPo=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "eb433bff05b285258be76513add6f6c57b441775",
+        "rev": "fcbf4705d98398d084e6cb1c826a0b90a91d22d7",
         "type": "github"
       },
       "original": {

hosts/ward/microvms/grafana.nix

@@ -17,8 +17,7 @@ in {
   };
 
   age.secrets.grafana-loki-basic-auth-password = {
-    rekeyFile = config.node.secretsDir + "/grafana-loki-basic-auth-password.age";
-    generator = "alnum";
+    generator.script = "alnum";
     mode = "440";
     group = "grafana";
   };

hosts/ward/microvms/kanidm.nix

@@ -73,7 +73,9 @@ in {
   };
 
   systemd.services.kanidm = {
+    # TODO this doesn't suffice, percieved 1 in 50 this fails because kanidm starts too soon,
+    # a requiredforonline might be necessary
     after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
-    serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+    serviceConfig.RestartSec = "60"; # Retry every minute
   };
 }

hosts/ward/microvms/loki.nix

@@ -14,10 +14,7 @@ in {
     networking.providedDomains.loki = lokiDomain;
 
     age.secrets.loki-basic-auth-hashes = {
-      rekeyFile = config.node.secretsDir + "/loki-basic-auth-hashes.age";
-      # Copy only the script so the dependencies can be added by the nodes
-      # that define passwords (using distributed-config).
-      generator.script = config.age.generators.basic-auth.script;
+      generator.script = "basic-auth";
       mode = "440";
       group = "nginx";
     };

hosts/ward/secrets/grafana/grafana-influxdb-basic-auth-password.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> X25519 JkYU2Cl00JF/GhXzdpiUgflrbrccHJs21Fzu3Qaw5gE
-fC1m7yieLy3DxiUyz7twBLpS7f81Jq59jWMYf1DgFBE
--> piv-p256 xqSe8Q AgV+3PVzCEKzk8BFNpxH3aQ+aEtUj8J/h+nvNStufABq
-8kNzjmSyg2KsHtQT9ZEPHoL7zz8S/KM/u8yAu/vp8vs
--> {-grease tf)|=
-cDF+oRa+QUDN9YzV7BnKiI94C7JkDw
---- B8X7W4qjJYPC4W7+hHgTLA34seGqgfJ24lrWA3q/Cgs
-ý­!hdÎß`0ýœ”Áìú�Rýdµ0‚k-ç·¯©	„/ðNêòìÌmø•‚¸x„Åy±Ä?7'š¡r®J=>
_¦¦\©„MMxðD˜™)

modules/config/secrets.nix

@@ -25,10 +25,10 @@
     # current system due to yubikey availability.
     forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
     hostPubkey = config.node.secretsDir + "/host.pub";
+    generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.node.name}";
   };
 
-  age.generators.dhparams.script = {pkgs, ...}: "${pkgs.openssl}/bin/openssl dhparam 4096";
-  age.generators.basic-auth.script = {
+  age.generators.basic-auth = {
     pkgs,
     lib,
     decrypt,

modules/meta/nginx.nix

@@ -36,8 +36,7 @@ in {
 
   config = mkIf config.services.nginx.enable {
     age.secrets."dhparams.pem" = {
-      rekeyFile = config.node.secretsDir + "/dhparams.pem.age";
-      generator = "dhparams";
+      generator.script = "dhparams";
       mode = "440";
       group = "nginx";
     };

modules/meta/promtail.nix

@@ -25,8 +25,7 @@ in {
 
   config = mkIf cfg.enable {
     age.secrets.promtail-loki-basic-auth-password = {
-      rekeyFile = config.node.secretsDir + "/promtail-loki-basic-auth-password.age";
-      generator = "alnum";
+      generator.script = "alnum";
       mode = "440";
       group = "promtail";
     };

modules/meta/telegraf.nix

@@ -16,7 +16,6 @@
     ;
 
   cfg = config.meta.telegraf;
-  nodeName = config.node.name;
 in {
   options.meta.telegraf = {
     enable = mkEnableOption (mdDoc "telegraf to push metrics to influx.");
@@ -92,7 +91,7 @@ in {
           flush_interval = "20s";
           flush_jitter = "5s";
           precision = "1ms";
-          hostname = nodeName;
+          hostname = config.node.name;
           omit_hostname = false;
         };
         outputs = {

modules/optional/initrd-ssh.nix

@@ -3,17 +3,7 @@
   pkgs,
   ...
 }: {
-  age.secrets.initrd_host_ed25519_key = {
-    rekeyFile = config.node.secretsDir + "/initrd_host_ed25519_key.age";
-    # Generate only an ssh-ed25519 private key
-    generator.script = {
-      pkgs,
-      lib,
-      ...
-    }: ''
-      (exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -f /proc/self/fd/3 <<<y >/dev/null 2>&1)
-    '';
-  };
+  age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
 
   boot.initrd.network.enable = true;
   boot.initrd.network.ssh = {