diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix
index f95b79e..3f4285f 100644
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@@ -6,8 +6,6 @@
 utils,
 ...
 }: {
- age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
-
 extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
 networking.nftables.firewall = {
@@ -35,13 +33,15 @@
 group = "grafana";
 };
 
- age.secrets.loki-basic-auth-password = {
- rekeyFile = ./secrets/loki-basic-auth-password.age;
+ age.secrets.grafana-loki-basic-auth-password = {
+ rekeyFile = ./secrets/grafana-loki-basic-auth-password.age;
 generator = "alnum";
 mode = "440";
 group = "grafana";
 };
 
+ nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [config.age.secrets.grafana-loki-basic-auth-password];
+
 services.grafana = {
 enable = true;
 settings = {
diff --git a/hosts/ward/secrets/grafana-secret-key.age b/hosts/ward/microvms/grafana/secrets/grafana-secret-key.age
similarity index 100%
rename from hosts/ward/secrets/grafana-secret-key.age
rename to hosts/ward/microvms/grafana/secrets/grafana-secret-key.age
diff --git a/hosts/ward/microvms/grafana/secrets/host.pub b/hosts/ward/microvms/grafana/secrets/host.pub
new file mode 100644
index 0000000..e8bb16b
--- /dev/null
+++ b/hosts/ward/microvms/grafana/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g
diff --git a/hosts/ward/microvms/kanidm/default.nix b/hosts/ward/microvms/kanidm/default.nix
index da6a99b..1340c88 100644
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@@ -6,8 +6,6 @@
 utils,
 ...
 }: {
- age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
-
 extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
 # TODO this as includable module?
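Review bot: The added `nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [...]` line in the second hunk of hosts/ward/microvms/grafana/default.nix sets an option on another host from inside the grafana microVM module, and nothing next to it says why. A comment such as `# sentinel derives its loki basic-auth hash file from this password; regenerate and redeploy sentinel whenever this secret changes` would make the coupling visible (that the hashes are derived from the password is inferred from the option names, so adjust the wording to what the generator really does). The old hosts/ward/secrets/loki-basic-auth-password.age is deleted further down rather than renamed, so the `alnum` generator presumably issues a new password under the new name; sentinel's hashes then need regenerating in the same rollout, or the basic-auth check for Grafana will presumably fail. The enclosing attribute set starts and ends outside the hunk.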
diff --git a/hosts/ward/microvms/kanidm/secrets/host.pub b/hosts/ward/microvms/kanidm/secrets/host.pub
new file mode 100644
index 0000000..d0decaf
--- /dev/null
+++ b/hosts/ward/microvms/kanidm/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq
diff --git a/hosts/ward/secrets/kanidm-self-signed.crt.age b/hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.crt.age
similarity index 100%
rename from hosts/ward/secrets/kanidm-self-signed.crt.age
rename to hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.crt.age
diff --git a/hosts/ward/secrets/kanidm-self-signed.key.age b/hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.key.age
similarity index 100%
rename from hosts/ward/secrets/kanidm-self-signed.key.age
rename to hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.key.age
diff --git a/hosts/ward/microvms/loki/default.nix b/hosts/ward/microvms/loki/default.nix
index 463aa02..1aeaa93 100644
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@@ -5,8 +5,6 @@
 utils,
 ...
 }: {
- age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
-
 extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
 networking.nftables.firewall = {
diff --git a/hosts/ward/microvms/loki/secrets/host.pub b/hosts/ward/microvms/loki/secrets/host.pub
new file mode 100644
index 0000000..f227506
--- /dev/null
+++ b/hosts/ward/microvms/loki/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno
diff --git a/hosts/ward/secrets/acme-credentials.age b/hosts/ward/secrets/acme-credentials.age
deleted file mode 100644
index 2bbf452..0000000
Binary files a/hosts/ward/secrets/acme-credentials.age and /dev/null differ
diff --git a/hosts/ward/secrets/loki-basic-auth-password.age b/hosts/ward/secrets/loki-basic-auth-password.age
deleted file mode 100644
index 9eb7907..0000000
--- a/hosts/ward/secrets/loki-basic-auth-password.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> X25519 WrGssql6ABmtiNPFxIuKmjEjNWp8yQ9CbIdaPkE1BmU -lX/mIQPjjBp62RZyZV3WZrzzM/RAVEVMslOvQiO3ztw --> piv-p256 xqSe8Q A+/jWovwGhsvkNHNvfnhEOSKu6qkfQGCKnVYRJo1IWFM -oWybJl7iZ6pkBAGmv3SmE9q1eEpkDtnIxR+3MCKi6bo --> a6-grease O~| \B n <1fV!LUr -y0AAIziu ---- 0K+cIttoHGYTWwzdoYJn1rIdtDqiBGz/jLOvPnns2CM -Bu ¶;{þº:qJ6„¼’]rL(@ۨףC8Áñ¸ì*ü¾–]ªù¡¾£=j1îãØ €kk¯â<4"[Üj©bLÅ;U2wc-4 \ No newline at end of file