From f33fa54b65b920685f2b210524174bc318883de1 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 12 Jun 2023 00:32:27 +0200
Subject: [PATCH] refactor: move relevant secrets to microvms

---
 hosts/ward/microvms/grafana/default.nix | 8 ++++----
 .../grafana}/secrets/grafana-secret-key.age | 0
 hosts/ward/microvms/grafana/secrets/host.pub | 1 +
 hosts/ward/microvms/kanidm/default.nix | 2 --
 hosts/ward/microvms/kanidm/secrets/host.pub | 1 +
 .../kanidm}/secrets/kanidm-self-signed.crt.age | Bin
 .../kanidm}/secrets/kanidm-self-signed.key.age | Bin
 hosts/ward/microvms/loki/default.nix | 2 --
 hosts/ward/microvms/loki/secrets/host.pub | 1 +
 hosts/ward/secrets/acme-credentials.age | Bin 527 -> 0 bytes
 hosts/ward/secrets/loki-basic-auth-password.age | 9 ---------
 11 files changed, 7 insertions(+), 17 deletions(-)
 rename hosts/ward/{ => microvms/grafana}/secrets/grafana-secret-key.age (100%)
 create mode 100644 hosts/ward/microvms/grafana/secrets/host.pub
 create mode 100644 hosts/ward/microvms/kanidm/secrets/host.pub
 rename hosts/ward/{ => microvms/kanidm}/secrets/kanidm-self-signed.crt.age (100%)
 rename hosts/ward/{ => microvms/kanidm}/secrets/kanidm-self-signed.key.age (100%)
 create mode 100644 hosts/ward/microvms/loki/secrets/host.pub
 delete mode 100644 hosts/ward/secrets/acme-credentials.age
 delete mode 100644 hosts/ward/secrets/loki-basic-auth-password.age

diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix
index f95b79e..3f4285f 100644
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@@ -6,8 +6,6 @@
   utils,
   ...
 }: {
-  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
-
   extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
   networking.nftables.firewall = {
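Review bot: Removing `age.rekey.hostPubkey` from this attrset leaves nothing in the patch that points agenix-rekey at the newly added `secrets/host.pub`, so the key is presumably picked up by a shared microvm module outside this diff; if that wiring is not in place, rekeying secrets for this guest fails, and the same applies to the identical removals in the kanidm and loki default.nix hunks. If the option is meant to stay per host, `age.rekey.hostPubkey = ./secrets/host.pub;` keeps the key material out of the Nix file while remaining explicit. The enclosing attrset begins before and continues past the hunk.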
@@ -35,13 +33,15 @@
     group = "grafana";
   };
 
-  age.secrets.loki-basic-auth-password = {
-    rekeyFile = ./secrets/loki-basic-auth-password.age;
+  age.secrets.grafana-loki-basic-auth-password = {
+    rekeyFile = ./secrets/grafana-loki-basic-auth-password.age;
     generator = "alnum";
     mode = "440";
     group = "grafana";
   };
 
+  nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [config.age.secrets.grafana-loki-basic-auth-password];
+
   services.grafana = {
     enable = true;
     settings = {
diff --git a/hosts/ward/secrets/grafana-secret-key.age b/hosts/ward/microvms/grafana/secrets/grafana-secret-key.age
similarity index 100%
rename from hosts/ward/secrets/grafana-secret-key.age
rename to hosts/ward/microvms/grafana/secrets/grafana-secret-key.age
diff --git a/hosts/ward/microvms/grafana/secrets/host.pub b/hosts/ward/microvms/grafana/secrets/host.pub
new file mode 100644
index 0000000..e8bb16b
--- /dev/null
+++ b/hosts/ward/microvms/grafana/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g
diff --git a/hosts/ward/microvms/kanidm/default.nix b/hosts/ward/microvms/kanidm/default.nix
index da6a99b..1340c88 100644
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@@ -6,8 +6,6 @@
   utils,
   ...
 }: {
-  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
-
   extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
   # TODO this as includable module?
diff --git a/hosts/ward/microvms/kanidm/secrets/host.pub b/hosts/ward/microvms/kanidm/secrets/host.pub
new file mode 100644
index 0000000..d0decaf
--- /dev/null
+++ b/hosts/ward/microvms/kanidm/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq
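Review bot: The new `rekeyFile = ./secrets/grafana-loki-basic-auth-password.age;` points at a file this commit does not add, while the previous `hosts/ward/secrets/loki-basic-auth-password.age` is deleted outright instead of being renamed the way `grafana-secret-key.age` is. With `generator = "alnum"` the next generation run will presumably mint a fresh password, so the credential is effectively rotated and the sentinel-side `loki-basic-auth-hashes` (which the added `dependencies` line ties to it) has to be regenerated and deployed together with grafana, or Loki authentication breaks in between. If rotation is not intended, rename the existing `.age` file to the new path so the ciphertext follows the secret. `hosts/ward/secrets/acme-credentials.age` is likewise deleted with no replacement in this patch, so it is worth confirming nothing on ward still references it.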
diff --git a/hosts/ward/secrets/kanidm-self-signed.crt.age b/hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.crt.age
similarity index 100%
rename from hosts/ward/secrets/kanidm-self-signed.crt.age
rename to hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.crt.age
diff --git a/hosts/ward/secrets/kanidm-self-signed.key.age b/hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.key.age
similarity index 100%
rename from hosts/ward/secrets/kanidm-self-signed.key.age
rename to hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.key.age
diff --git a/hosts/ward/microvms/loki/default.nix b/hosts/ward/microvms/loki/default.nix
index 463aa02..1aeaa93 100644
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@@ -5,8 +5,6 @@
   utils,
   ...
 }: {
-  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
-
   extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
   networking.nftables.firewall = {
diff --git a/hosts/ward/microvms/loki/secrets/host.pub b/hosts/ward/microvms/loki/secrets/host.pub
new file mode 100644
index 0000000..f227506
--- /dev/null
+++ b/hosts/ward/microvms/loki/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno
diff --git a/hosts/ward/secrets/acme-credentials.age b/hosts/ward/secrets/acme-credentials.age
deleted file mode 100644
index 2bbf452cedc2c61379659a076d739faad5adc41d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 527
zcmV+q0`UD|XJsvAZewzJaCB*JZZ2RCDW3v8x=m*`eUnzL0OF~q!t_=A#|_>%RI|1
z_0XR%_LSLK6(-AKPsH?;GTPT2*ow~B1=g5M=uRo%$~6M3$Zr5N0@nM~o$*|bSj2W}
zRKc?n%_WnDw|mmDW09r()MGIjLtF%Pi}g!ESPpxb=jB}m5Qe>bT<&A#n>{gOXKs>A
R8E4uEHC)_QT3bEE9OZ1K#>oHx

diff --git a/hosts/ward/secrets/loki-basic-auth-password.age b/hosts/ward/secrets/loki-basic-auth-password.age
deleted file mode 100644
index 9eb7907..0000000
--- a/hosts/ward/secrets/loki-basic-auth-password.age
+++ /dev/null
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> X25519 WrGssql6ABmtiNPFxIuKmjEjNWp8yQ9CbIdaPkE1BmU
-lX/mIQPjjBp62RZyZV3WZrzzM/RAVEVMslOvQiO3ztw
--> piv-p256 xqSe8Q A+/jWovwGhsvkNHNvfnhEOSKu6qkfQGCKnVYRJo1IWFM
-oWybJl7iZ6pkBAGmv3SmE9q1eEpkDtnIxR+3MCKi6bo
--> a6-grease O~| \B n <1fV!LUr
-y0AAIziu
---- 0K+cIttoHGYTWwzdoYJn1rIdtDqiBGz/jLOvPnns2CM
-Bu ¶;{þº:qJ6„¼’]rL(@ۨףC8Áñ¸ì*ü¾–]ªù¡¾£=j1îãØ €kk¯â<4"[Üj©bLÅ;U2wc-4
\ No newline at end of file