chore: move generated secrets to separate directory

2025-10-11 07:10:39 +02:00 · 2023-07-31 12:42:46 +02:00 · 2023-07-31 12:42:46 +02:00 · 788e7e3fa7
commit 788e7e3fa7
parent eeac57d30d
27 changed files with 42 additions and 63 deletions
--- a/hosts/ward/microvms/grafana.nix
+++ b/hosts/ward/microvms/grafana.nix
@ -17,8 +17,7 @@ in {
  };

  age.secrets.grafana-loki-basic-auth-password = {
-    rekeyFile = config.node.secretsDir + "/grafana-loki-basic-auth-password.age";
-    generator = "alnum";
+    generator.script = "alnum";
    mode = "440";
    group = "grafana";
  };
--- a/hosts/ward/microvms/kanidm.nix
+++ b/hosts/ward/microvms/kanidm.nix
@ -73,7 +73,9 @@ in {
  };

  systemd.services.kanidm = {
+    # TODO this doesn't suffice, percieved 1 in 50 this fails because kanidm starts too soon,
+    # a requiredforonline might be necessary
    after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
-    serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+    serviceConfig.RestartSec = "60"; # Retry every minute
  };
 }
--- a/hosts/ward/microvms/loki.nix
+++ b/hosts/ward/microvms/loki.nix
@ -14,10 +14,7 @@ in {
    networking.providedDomains.loki = lokiDomain;

    age.secrets.loki-basic-auth-hashes = {
-      rekeyFile = config.node.secretsDir + "/loki-basic-auth-hashes.age";
-      # Copy only the script so the dependencies can be added by the nodes
-      # that define passwords (using distributed-config).
-      generator.script = config.age.generators.basic-auth.script;
+      generator.script = "basic-auth";
      mode = "440";
      group = "nginx";
    };
--- a/hosts/ward/secrets/adguardhome/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/adguardhome/promtail-loki-basic-auth-password.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> X25519 bh8fwQruEHmdxScw+dcMTWh0glw6YiRNMgjbMdo5OEE
-0dj/BAUTL3s3KS5SYKSGoQBlFTVbWJwShKEZCK8JiH8
-> piv-p256 xqSe8Q AvDgcX/5rsg9BeqDFRhk74nA1iDKAb27Nr83IxhYvsDC
-incamQkzY1sjpqZyAsiYfPXRo6Wmpy1v+HPwEJ6bxOI
-> QiWG-grease 9Ye .2/ `ao[ 79Qu+e
-/XooMMBJ7rlyir1gJg
--- D/V5bteoODs/ogRGHrFVGWblgwpKwdtvL3wG7EaJpf4
-ªúÈ•Jö‹æy�ã¥¨œâ8î¸õ/xzLFdÁ·çÊ�«µ(ÈÝ¢±õu‚!ÐIÜ›8‹þzŸŒ“jˆI�ˆU0`Ëac®1ûó‚Û}‡
--- a/hosts/ward/secrets/grafana/grafana-influxdb-basic-auth-password.age
+++ b/hosts/ward/secrets/grafana/grafana-influxdb-basic-auth-password.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> X25519 JkYU2Cl00JF/GhXzdpiUgflrbrccHJs21Fzu3Qaw5gE
-fC1m7yieLy3DxiUyz7twBLpS7f81Jq59jWMYf1DgFBE
-> piv-p256 xqSe8Q AgV+3PVzCEKzk8BFNpxH3aQ+aEtUj8J/h+nvNStufABq
-8kNzjmSyg2KsHtQT9ZEPHoL7zz8S/KM/u8yAu/vp8vs
-> {-grease tf)|=
-cDF+oRa+QUDN9YzV7BnKiI94C7JkDw
--- B8X7W4qjJYPC4W7+hHgTLA34seGqgfJ24lrWA3q/Cgs
-ý!hdÎß`0ýœ”Áìú�Rýdµ0‚k-ç·¯©	„/ðNêòìÌmø•‚¸x„Åy±Ä?7'š¡r®J=>_¦¦\©„MMxðD˜™)
--- a/hosts/ward/secrets/grafana/grafana-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/grafana/grafana-loki-basic-auth-password.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> X25519 S8bAt5Bt8ci+w8+jC/II3dMSUUEneGKpJULB+FYN6ns
-DpKs7bP2Ft4fgbntM6guSFlUuCHiysmALR6jAK6bR/A
-> piv-p256 xqSe8Q A7ZD865VJVg/Lx4d2Ly4dvaIzKmmA1X5f/EOdwdH3dfb
-jEqpzb0kdVzYddrmVXIi8672/YLH5+luvUJeb4/ibzA
-> gu'-grease
-uGbk/7/cRAmN2VWdXgKuVrvRAfnupb/WTK0r5ow5ud/sp2iEVAM8NZ9f
--- QtjcCefxUDq0yYOou3EbBBZbGu1FfzmXo3cXhiKe44E
-0ß¾.D¨$Ê¼C G‰KŽ	Bˆ¿FËméXêŸ]¢,'0›áæo!‘ß¸#‹¬]%öðŽ=—Óž~QÜèß€ÐÌƒ›Gæ¶Òœr—
--- a/hosts/ward/secrets/grafana/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/grafana/promtail-loki-basic-auth-password.age
@ -1,10 +0,0 @@
-age-encryption.org/v1
-> X25519 eJWTsTZwak+CdL0UPXcav0OmE2WFV525MS71EUREQRI
-4EVofvIdJooLW5GIGUMnKbjdBGvaq5PJc59pTcWfi2I
-> piv-p256 xqSe8Q A54r2NQ4TDs0tzJs3hAOLIfwL/63kxw8UrFSyFUOoOpX
-BYs5RA4H1GgIiWp9hI0dsMQh43kOOKQjGvNeJjezbz0
-> %jrC:-grease ;
-kSYxb5Aa4C7zMe+2nsSw+hn+xyU7EmVDznX5k7acTOOlEfUQOlUAiF4DhObUsFgS
-Rz045u3t6SK7p0tqkYI/84chCJPfDc0wxVBiE2poYkZrs96a2iJa5LUw8oUiXlo
--- ueHYLEER0SQZdLT9eKJZVPdiFynhP7SgfwvTAbzHRco
-·�Á’L*
#�Z”“�VbÉªF>Âë
‰+ƒ¿ßxÈƒYfé$õá®ö¬ÞŸ	‡T ›=n«(�@y¾çÃ*†—‚wXeq�^Ê#‚
--- a/hosts/ward/secrets/influxdb/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/influxdb/promtail-loki-basic-auth-password.age
--- a/hosts/ward/secrets/initrd_host_ed25519_key.age
+++ b/hosts/ward/secrets/initrd_host_ed25519_key.age
--- a/hosts/ward/secrets/kanidm/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/kanidm/promtail-loki-basic-auth-password.age
--- a/hosts/ward/secrets/loki/loki-basic-auth-hashes.age
+++ b/hosts/ward/secrets/loki/loki-basic-auth-hashes.age
--- a/hosts/ward/secrets/loki/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/loki/promtail-loki-basic-auth-password.age
@ -1,11 +0,0 @@
-age-encryption.org/v1
-> X25519 3x+QeciEIcDcJO3U+0386XIoJtOVn3b4myIxWOgDxjs
-oFCwl+TjzC6kjDcEm2CNgHuWIta/j9Zq9c9ZvoDAKBc
-> piv-p256 xqSe8Q Ax9ZRwkb1UMUmpqg8U1vPU3+8wnWxOA3AkvPEjMDvduj
-e/iORb0ckijeWEg9N4IpBP+YxCB2eZnEt1FgcwrAL8c
-> mcyx<Hk-grease
-npBOgSbaCG2/DizSzk9Ynaoq9T4mfFDujSptkpkRXzn247iR6kSYAGkjWN6eqCsH
-DrECWw
--- 2tgfQ7Ff2bUUDo24ceUiyDiNHoK+UbIFqmCv74dGQ/E
-ø�Hój¡øvkÑ³€êØj’c¦ˆBÑMQÉ{§Óœ‰	¤¦‹¸Ûkf`Ãˆp]�‡w²ª5’€�”çå¬'`:£Ó?]
-@gr
--- a/hosts/ward/secrets/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/promtail-loki-basic-auth-password.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> X25519 WO6NVr8uGQ9GGngru17rGIcyZ7Jk0V47Me3ee4h0wTQ
-2wi5L99XZMN4Aytb8aYH4H6iR9MeuXNXh6hOCap/75A
-> piv-p256 xqSe8Q Aoh7VxZSYtAdc4h0B9toepYGmB9Ad6lib7ovoK7P9jTp
-21bQ859o1wlRZxyw84hCEZFWcCQ58uQ0sxzSMlVYvwE
-> DJt-grease ipE| /Qlv %,8pl
-6Pg7ViLxJIt1CrQFYVZvTPGz
--- DNpm5163v+rHN5tTVzNbIt3mQRvkLs7Envc7HulIU0g
-Í\©¬ü®ÆÄ[Ñbr©WÝ%úÿ‘ÜZ‚ÇÑ:Ù¦ý¿O_Ô6YpÔ½pÁÒƒ —"ó)Z
¼G/B§–H¶&©}3ª‘]u�	æ½õEÏóÌ‚§
--- a/hosts/ward/secrets/vaultwarden/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/vaultwarden/promtail-loki-basic-auth-password.age
@ -1,10 +0,0 @@
-age-encryption.org/v1
-> X25519 3mvQNS9Df1Kw6g4DK2OezJLlhRjeJuzoqu2LcQXobV8
-zsBLhAEhcUcun3GsDMP69zDqlhaYXIw3bNUGP7w0fWQ
-> piv-p256 xqSe8Q AwmwPRJqCuGx5lVPro9yRP0vRvpkgufB/MwRRgYi3VZl
-3TvviCPeB4uSQc1raS5F4ky6IClqo+duR7jDPBrlE4M
-> o-grease i0o: +r`
-LIUlecnKyS32IU1xbPVKqNN86PaiJP6ujjX7NCwUZD+PgvWWTxiiEdJMJbGO1fZ+
-9En9Ekiq7mGnLsRIMiWFAaoT8ZYe8ymuK4AOTG2Lb6s
--- Hc8thFUczd8KIKMgQruJC8/9k1O22DPzEizmk7rlJt0
-mßu�ìÙßëÂ©¾:MQ¾QÏöóf˜’¨x½Ë‚Í?7< ‰ÊØkPÏ!é3ÀU›ršudÛè;æfÜkkªÖ€‹ØÀEncÚÏ˜‚gÅj