diff --git a/flake.lock b/flake.lock
index dcad82e..33028a8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -524,11 +524,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1764992299,
- "narHash": "sha256-6vJ4teDUQus5TsOMfJZEfDOslsjvkhHPELZiOAeOX8s=",
+ "lastModified": 1765212399,
+ "narHash": "sha256-QEjuaK17HddWr0ZBRhsg3nt4QhSxQZ1i9YO2ctV045c=",
 "ref": "refs/heads/main",
- "rev": "5c3122fc8dd5d6fe855d7da42740272cb2c313d4",
- "revCount": 32,
+ "rev": "43c8697580bb389aea565459802c3b9827aa2d3d",
+ "revCount": 38,
 "type": "git",
 "url": "ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets"
 },
diff --git a/roles/server/ddclient.nix b/roles/server/ddclient.nix
index d9102f9..a4dfd83 100755
--- a/roles/server/ddclient.nix
+++ b/roles/server/ddclient.nix
@@ -1,12 +1,6 @@
-{
- config,
- flakeSelf,
- ...
-}: let
- hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName;
-in {
+{config, ...}: {
 # Set up secrets
- age.secrets = {ddclient-passwd.file = hostSecrets + "/ddclient-password.age";};
+ sops.secrets.ddclientPassword = {};
 
 services.ddclient = {
 enable = true;
@@ -15,7 +9,7 @@ in {
 protocol = "namecheap";
 server = "dynamicdns.park-your-domain.com";
 username = "toast003.xyz";
- passwordFile = config.age.secrets.ddclient-passwd.path;
+ passwordFile = config.sops.secrets.ddclientPassword.path;
 domains = ["@"];
 };
 }
diff --git a/roles/server/forgejo.nix b/roles/server/forgejo.nix
index 763cce2..22dfa17 100644
--- a/roles/server/forgejo.nix
+++ b/roles/server/forgejo.nix
@@ -1,24 +1,20 @@ { config, lib, - flakeSelf, pkgs, ... -}: let - hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/"; -in { - age.secrets = { - forgejo-host-key = { - file = hostSecrets + "forgejoPrivateKey.age"; - mode = "0400"; - owner = "forgejo"; - group = "forgejo"; +}: { + sops.secrets = let + owner = config.services.forgejo.user; + group = config.services.forgejo.group; + in{ + "forgejoHostKey/private" = { + inherit owner group; + name = "id_forgejo"; }; - "forgejo-host-key.pub" = { - file = hostSecrets + "forgejoPublicKey.age"; - mode = "0400"; - owner = "forgejo"; - group = "forgejo"; + "forgejoHostKey/public" = { + inherit owner group; + name = "id_forgejo.pub"; }; }; @@ -36,8 +32,8 @@ in { ROOT_URL = "https://git.toast003.xyz"; START_SSH_SERVER = true; SSH_PORT = 4222; - SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path; - SSH_SERVER_HOST_KEY = "forgejo-host-key"; + SSH_SERVER_HOST_KEYS = config.sops.secrets."forgejoHostKey/private".path; + SSH_SERVER_HOST_KEY = "id_forgejo"; }; repository = { ENABLE_PUSH_CREATE_USER = true; diff --git a/roles/server/grafana.nix b/roles/server/grafana.nix index 957c41b..7563efb 100644 --- a/roles/server/grafana.nix +++ b/roles/server/grafana.nix @@ -1,23 +1,16 @@ -{ - config, - flakeSelf, - ... -}: let +{config, ...}: let domain = "monitoring.everest.tailscale"; in { users.users.caddy.extraGroups = ["grafana"]; - age.secrets = let - hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/"; + sops.secrets = let + owner = "grafana"; + group = "grafana"; in { - grafanaAdminName = { - file = hostSecrets + "grafana/admin_name.age"; - owner = "grafana"; - group = "grafana"; + "grafanaAdmin/username" = { + inherit owner group; }; - grafanaAdminPassword = { - file = hostSecrets + "grafana/admin_password.age"; - owner = "grafana"; - group = "grafana"; + "grafanaAdmin/password" = { + inherit owner group; }; }; services = { 
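Review bot: `in{` on the new `sops.secrets = let … in{` line should be `in {`, matching the `}: let` / `in {` spacing used elsewhere in these files, and a formatter would rewrite it anyway. Separately, the removed entries set `mode = "0400"` explicitly while the new ones rely on sops-nix's default; I believe that default is also 0400 with the given owner, but it is worth confirming since `id_forgejo` is the Forgejo SSH host private key. Nothing in this hunk or the next references `"forgejoHostKey/public"`, so presumably Forgejo is expected to find `id_forgejo.pub` next to the private key — verify it is actually needed, otherwise the secret can be dropped. The attribute set this hunk opens continues past the hunk.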
@@ -34,8 +27,8 @@ in { settings = { analytics.reporting_enabled = false; security = { - admin_user = "$__file{${config.age.secrets.grafanaAdminName.path}}"; - admin_password = "$__file{${config.age.secrets.grafanaAdminPassword.path}}"; + admin_user = "$__file{${config.sops.secrets."grafanaAdmin/username".path}}"; + admin_password = "$__file{${config.sops.secrets."grafanaAdmin/password".path}}"; cookie_secure = true; strict_transport_security = true; content_security_policy = true; diff --git a/roles/server/ssh.nix b/roles/server/ssh.nix index e4d0da1..7907dee 100755 --- a/roles/server/ssh.nix +++ b/roles/server/ssh.nix @@ -1,11 +1,9 @@ { - flakeSelf, config, pkgs, lib, ... }: let - hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/"; hostKeyPath = "/etc/ssh/everest_host_key"; notify = pkgs.writers.writePython3 "send-discord-login-notification" { @@ -16,7 +14,7 @@ if os.environ["PAM_TYPE"] != "open_session": raise SystemExit - secretPath = "${config.age.secrets.discord-webhook.path}" + secretPath = "${config.sops.secrets.discordWebhook.path}" webhookUrl: str @@ -34,19 +32,10 @@ result = requests.post(webhookUrl, json=data) ''; in { - age.secrets = { - everest-host-key = { - file = hostSecrets + "host-private-key.age"; - path = hostKeyPath; - mode = "0400"; - }; - "everest-host-key.pub" = { - file = hostSecrets + "host-public-key.age"; - path = hostKeyPath + ".pub"; - }; - discord-webhook = { - file = hostSecrets + "discord-webhook.age"; - }; + sops.secrets = { + discordWebhook = {}; + "hostKey/private".path = "${hostKeyPath}.pub"; + "hostKey/public".path = hostKeyPath; }; users.users.toast.openssh.authorizedKeys.keys = [
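Review bot: The private and public host-key paths are swapped in the new `sops.secrets` block in the last hunk: `"hostKey/private".path = "${hostKeyPath}.pub"` writes the private key to the `.pub` location, and `"hostKey/public".path = hostKeyPath` puts the public key where the removed `everest-host-key` entry (and presumably the sshd host-key setting outside this hunk) placed the private key. The lines should read `"hostKey/private".path = hostKeyPath;` and `"hostKey/public".path = "${hostKeyPath}.pub";`. The removed private-key entry also set `mode = "0400"` explicitly; sops-nix's default is 0400 owned by root as far as I know, so that is likely still fine, but if the `.pub` file was meant to be readable by other users it now needs an explicit `mode`. `hostKeyPath` is defined in the `let` of the first hunk, and the enclosing attribute set continues past the end of this one.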