refactor: move relevant secrets to microvms

2023-06-12 00:32:27 +02:00 · 2023-06-12 00:32:27 +02:00 · f33fa54b65
commit f33fa54b65
parent dfe1abdfde
11 changed files with 7 additions and 17 deletions
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@ -6,8 +6,6 @@
  utils,
  ...
 }: {
  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
  extra.wireguard.proxy-sentinel.client.via = "sentinel";
  networking.nftables.firewall = {
@ -35,13 +33,15 @@
    group = "grafana";
  };
-  age.secrets.loki-basic-auth-password = {
+  age.secrets.grafana-loki-basic-auth-password = {
-    rekeyFile = ./secrets/loki-basic-auth-password.age;
+    rekeyFile = ./secrets/grafana-loki-basic-auth-password.age;
    generator = "alnum";
    mode = "440";
    group = "grafana";
  };
  nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [config.age.secrets.grafana-loki-basic-auth-password];
  services.grafana = {
    enable = true;
    settings = {
--- a/hosts/ward/microvms/grafana/secrets/grafana-secret-key.age
+++ b/hosts/ward/microvms/grafana/secrets/grafana-secret-key.age
--- a/hosts/ward/microvms/grafana/secrets/host.pub
+++ b/hosts/ward/microvms/grafana/secrets/host.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@ -6,8 +6,6 @@
  utils,
  ...
 }: {
  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
  extra.wireguard.proxy-sentinel.client.via = "sentinel";
  # TODO this as includable module?
--- a/hosts/ward/microvms/kanidm/secrets/host.pub
+++ b/hosts/ward/microvms/kanidm/secrets/host.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq
--- a/hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.crt.age
+++ b/hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.crt.age
--- a/hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.key.age
+++ b/hosts/ward/microvms/kanidm/secrets/kanidm-self-signed.key.age
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@ -5,8 +5,6 @@
  utils,
  ...
 }: {
  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
  extra.wireguard.proxy-sentinel.client.via = "sentinel";
  networking.nftables.firewall = {
--- a/hosts/ward/microvms/loki/secrets/host.pub
+++ b/hosts/ward/microvms/loki/secrets/host.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno
--- a/hosts/ward/secrets/acme-credentials.age
+++ b/hosts/ward/secrets/acme-credentials.age
--- a/hosts/ward/secrets/loki-basic-auth-password.age
+++ b/hosts/ward/secrets/loki-basic-auth-password.age
@ -1,9 +0,0 @@
 age-encryption.org/v1
 -> X25519 WrGssql6ABmtiNPFxIuKmjEjNWp8yQ9CbIdaPkE1BmU
 lX/mIQPjjBp62RZyZV3WZrzzM/RAVEVMslOvQiO3ztw
 -> piv-p256 xqSe8Q A+/jWovwGhsvkNHNvfnhEOSKu6qkfQGCKnVYRJo1IWFM
 oWybJl7iZ6pkBAGmv3SmE9q1eEpkDtnIxR+3MCKi6bo
 -> a6-grease O~| \B n <1fV!LUr
 y0AAIziu
 --- 0K+cIttoHGYTWwzdoYJn1rIdtDqiBGz/jLOvPnns2CM
 Bu ¶;{þº:qJ�6„¼’]rL(@Û�¨×£C8Áñ¸ì*ü¾–]ªù¡¾£=j1îãØ€kk¯â<4"[�Üj©bLÅ;U�2wc-4
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno`