From 4d14dcd48cfc67abed640c2ac19e0e89af4e9112 Mon Sep 17 00:00:00 2001
From: "Gustavo \"Guz\" L de Mello"
Date: Sat, 13 Sep 2025 11:29:15 -0300
Subject: [PATCH] refactor: remove lesser secrets
---
secrets.nix | 60 ++++-----
secrets/spacestation.yaml => secrets.yaml | 0
secrets/spacestation.lesser.json | 147 ----------------------
3 files changed, 24 insertions(+), 183 deletions(-)
rename secrets/spacestation.yaml => secrets.yaml (100%)
delete mode 100644 secrets/spacestation.lesser.json
diff --git a/secrets.nix b/secrets.nix
index ff06861..59f6cc8 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -4,62 +4,50 @@ lib, pkgs, ... -}: let - lesser-secrets = with builtins; - fromJSON (readFile ./secrets/spacestation.lesser.decrypted.json); - jsonType = pkgs.formats.json {}; -in { +}: +with lib; { imports = [ inputs.sops-nix.nixosModules.sops ]; - options.spacestation-secrets = with lib; - with lib.types; { - lesser = mkOption { - type = submodule ({...}: { - freeformType = jsonType.type; - options = {}; - }); - default = lesser-secrets; - }; - }; - config = with lib; { - environment.systemPackages = with pkgs; [ - sops - ]; - sops.defaultSopsFile = ./secrets/spacestation.yaml; - sops.defaultSopsFormat = "yaml"; + environment.systemPackages = with pkgs; [ + sops + ]; - sops.secrets."guz/password" = { - owner = config.users.users."guz".name; - }; + sops.defaultSopsFile = ./secrets.yaml; + sops.defaultSopsFormat = "yaml"; - sops.secrets."keiko/env-file" = { - owner = config.services.keikos.web.user; - }; + sops.secrets = { + "cloudflared/tunnel-env" = {}; - sops.secrets."forgejo/user1/name" = mkIf config.services.forgejo.enable { + "forgejo/user1/name" = mkIf config.services.forgejo.enable { owner = config.services.forgejo.user; }; - sops.secrets."forgejo/user1/password" = mkIf config.services.forgejo.enable { + "forgejo/user1/password" = mkIf config.services.forgejo.enable { owner = config.services.forgejo.user; }; - sops.secrets."forgejo/user1/email" = mkIf config.services.forgejo.enable { + "forgejo/user1/email" = mkIf config.services.forgejo.enable { owner = config.services.forgejo.user; }; - sops.secrets."forgejo/git-password" = mkIf config.services.forgejo.enable { + "forgejo/git-password" = mkIf config.services.forgejo.enable { owner = config.services.forgejo.user; }; - sops.secrets."forgejo/anubis/hexFile" = { + "forgejo/anubis/hexFile" = { owner = config.services.anubis.instances."forgejo".user; }; - sops.secrets."medama/anubis/hexFile" = { - owner = config.services.anubis.instances."medama".user; + "guz/password" = { + owner = 
config.users.users."guz".name; }; - sops.secrets."cloudflared/tunnel-env" = {}; + "keiko/env-file" = { + owner = config.services.keikos.web.user; + }; - sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt"; + "medama/anubis/hexFile" = { + owner = config.services.anubis.instances."medama".user; + }; }; + + sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt"; } diff --git a/secrets/spacestation.yaml b/secrets.yaml similarity index 100% rename from secrets/spacestation.yaml rename to secrets.yaml diff --git a/secrets/spacestation.lesser.json b/secrets/spacestation.lesser.json deleted file mode 100644 index 1935813..0000000 --- a/secrets/spacestation.lesser.json +++ /dev/null 
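Review bot: `sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";` at the end of the secrets.nix hunk keeps the age private key that decrypts every entry in `sops.secrets` inside a user's home directory. That file is presumably readable by anything running as `guz`, which would let a compromise of that one account recover all of these secrets, including the ones owned by the forgejo and anubis service users. Consider giving the host a root-owned key outside `/home`, for example `sops.age.keyFile = "/var/lib/sops-nix/key.txt";`, or deriving it from the SSH host key with `sops.age.sshKeyPaths`, and keeping the personal key only as an editing recipient. Separately, the removed `readFile ./secrets/spacestation.lesser.decrypted.json` fed plaintext into evaluation as an option default, so those values have probably been copied into the world-readable Nix store. Deleting the file does not undo that, and the tokens and password it held are worth rotating.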
@@ -1,147 +0,0 @@ -{ - "tailnet-name": "ENC[AES256_GCM,data:f9T+/IRApqThgMlE,iv:LufRlHxdon5mahAi1+jwbhTqcOZh2bdnUubfEL6QFg0=,tag:KmJ4E0EggzQh8ZCm2fLeGw==,type:str]", - "device-ip": "ENC[AES256_GCM,data:Ed6hS/9F52UGVLpAyw==,iv:sg9iVEmZxA2lNJoc0xwLRyDzoF1Cy48wp9CQf3zOOzQ=,tag:77RYGvjgw0QdZUsPcqVTvA==,type:str]", - "homelab-domain": "ENC[AES256_GCM,data:XkgOP94q3gBknoGzcA==,iv:pKnrjhi9VnW0xWIEQfnxV+wb/iNxT/TFs07K9/NW8sU=,tag:N2sGj5lTCJHFBpI9baja9Q==,type:str]", - "devices": { - "defaultGateway": "ENC[AES256_GCM,data:QDx9ptJ5zd5hcqc=,iv:6ofaRLYQUO8x3qbwMsSkeFhmAsCYxQRMuxfUGJNpSms=,tag:9l1c8XeA6Qh16+TIAeidYg==,type:str]", - "spacestation": "ENC[AES256_GCM,data:Cx+yn7+/ZP9zoNgLfw==,iv:BeRrS78SHX9QWpqWMidHynor8zlj47GX/2HSrdY41lA=,tag:op20lsjQ38EU98YKP/wLfw==,type:str]" - }, - "capytal": { - "cloudflare-funnel": "ENC[AES256_GCM,data:WPbSA95btherLi0zTfspTfCsWX+5nZLOHnSGCjFtrdPdb7i2x1sv7KZdgtLivlSwXyZKUm7EiaPhQzidfRO2WQrCw3v9nIOHgnZweiVJqAGEWn0Oo1RioaGR8PZRsb46NdPmNAit+cmFPq99Kt5Dhd9fjwrg6INyXl0ulu8j1ByCU7UY2aJP+ccA24EdsIUjA29Nd4OPiIJwswEb5qaQJI4eQMg4scSZJIuynHGnJVD0KjuU8E1Mfw==,iv:2nozvsCqO5xnvJDbWV7jaUIPoCbkWPT5YlFFlNMY7QI=,tag:dwwAUWfDy48EvyLnamvUCg==,type:str]", - "caddy": { - "email": "ENC[AES256_GCM,data:OwCqxT+aiwmyoY3i4vO+i8FAyHzN/wU=,iv:8Gw0cqrW1OKyyANlmIIKXKisch1CGYaznIfTjGYyZa8=,tag:xvTKXhag6Gp0V7xmv8NBhg==,type:str]", - "defaultIp": "ENC[AES256_GCM,data:u+sITdDcl9TzabF8Pg==,iv:3GEn3lERvdbyKKf2r7qTxPOjq9/Im6TJraSKnrtOzWA=,tag:7A31e17vqsgI72Aj0kZqjA==,type:str]", - "hosts": [ - { - "pattern": "ENC[AES256_GCM,data:M8iIEiyC8dp2qFnxP5+7EEd4iAiXnxw=,iv:CyVp710aXqLVZkTNLorOz1BJIAX+LMCLk3yBc/3X69g=,tag:ee5f4niv3/S5k9MlHUErBQ==,type:str]", - "config": { - "redir": "ENC[AES256_GCM,data:9haYlXbUUkYtfHA+RdMmBgTxcUFtq5QN/2eV3su6ueE=,iv:N2xhz/gMofcxX35w0p+NYNKa2bNsDf173hr/CvOPkV0=,tag:NcHZpdB1zcQOdnhYGuGJuA==,type:str]" - } - }, - { - "pattern": 
"ENC[AES256_GCM,data:CXqDhBeiI+JvOZ5VgGKV8RCBD/1xrTg0,iv:nrp3iAUb3mQlPGw/CF6Ec8n1s6QVLS2WUzRYAeF8B6Q=,tag:9fNae5dqVdQ0PFbBvYW8dQ==,type:str]", - "config": { - "port": "ENC[AES256_GCM,data:hLsg+g==,iv:AUBzBTW77WfZ++WuXI3Qt8S+hUVDadGGU0hutF/xj5o=,tag:GdxguYHjbwK2orkTgHDNRw==,type:float]" - } - }, - { - "pattern": "ENC[AES256_GCM,data:isvmRsofmk/icmu0XOLytLJWQvRNmA==,iv:/5Qh/HzHoW8heMqPR6ZMfhrW83/v92n3ycZuRjasYoY=,tag:Y/NJWB3VnZ7iOsAErRx3+Q==,type:str]", - "config": { - "port": "ENC[AES256_GCM,data:B3mFfw==,iv:DJvviYYCINzcEmXkd657UQR4lgcedGWCbtE1M+CZPVc=,tag:m8Yl11jTRH08H6QjM48ggw==,type:float]" - } - }, - { - "pattern": "ENC[AES256_GCM,data:TlyclBJgutYVottPkEEYm2o9hz9TVw==,iv:FVccv+ac/eqVCMSFcp2jjuquPG5armboYvLaAc+PHpI=,tag:YR6TVaTG4msI8ggdzqPTzA==,type:str]", - "config": { - "port": "ENC[AES256_GCM,data:9AAArA==,iv:sveBGP4ltKbeBD6IRerSHQxzjFy958DAzw1MSs0R7Hw=,tag:AnJcyGU4rJq0m3IvwwRZ3w==,type:float]" - } - }, - { - "pattern": "ENC[AES256_GCM,data:7631wlUSUfvV+uNECvMoYr74lQZMug==,iv:GF9H4rEHVX3MnxGpAnNDDm0uhxCZzqApnPrKr8VsogQ=,tag:A+Q139PKx32hOpU1ammcKA==,type:str]", - "config": { - "port": "ENC[AES256_GCM,data:RZtqyQ==,iv:XHS+fbJwNx+i4TJHe/REO0ZGg7HDSEuhc9rZ/eDSCQ0=,tag:nVvx9cuk2CmvKlAnHJ3T4A==,type:float]" - } - }, - { - "pattern": "ENC[AES256_GCM,data:2bwI6saJvcuQTKdE0C1qElMEP6TE8A==,iv:ptTIxkMqRYZb3AD1lA3jr3cjlnJij4+f64aTb34BkGo=,tag:BCwTM+dHEaRfsd+3k19V4w==,type:str]", - "config": { - "port": "ENC[AES256_GCM,data:oxlscg==,iv:C7PiR6yMzieXnPl/E5aNTRMsH8xgIlv5CRyyom2bDqw=,tag:xuTtIIB8N1eTknRx43Q6Iw==,type:float]" - } - }, - { - "pattern": "ENC[AES256_GCM,data:VheGanizkj6hZvI95A4FBkQayNFaJQ==,iv:mDFzX3k6G3Q9OUVU3gTFYZDGv58mnZA7FrAWO5yyLlQ=,tag:Bk/n+pJGHtEClJlwai9CyQ==,type:str]", - "config": { - "port": "ENC[AES256_GCM,data:hGsChw==,iv:SF42YLgM20LLEKXLvelZHeWM/q2OztAKQHhhcc5ovN4=,tag:PYCKwv/etrtJvKT7GqvM0Q==,type:float]" - } - }, - { - "pattern": 
"ENC[AES256_GCM,data:XdHkPDrUajh8LIVewnirgDrBkHRAickE2BHH,iv:CuXWgpLo+YZ1YBoqNYW1YyIbN6vQYdHLplNTX46HODo=,tag:E8c3ms9zsaZjOidzIjpyKw==,type:str]", - "config": { - "port": "ENC[AES256_GCM,data:ARzYdw==,iv:IXtZkdkfesNcAi78K/+5jx9GZju0T0OjfIgn0Jg0H1w=,tag:uyt/iLEPomARsDeHA/DdMQ==,type:float]" - } - }, - { - "pattern": "ENC[AES256_GCM,data:aLoMiLJn3We5EjBzzr3GY0A=,iv:CZ05BwoPdkE+b6yP07YfSiz0GlWNKKKHbZ7ru5+SMrA=,tag:3QmqBjbKZ3xu/yltMjdLcg==,type:str]", - "config": { - "port": "ENC[AES256_GCM,data:JRy9OQ==,iv:WWdjQVc12IAKWqsQnXC5WYALmc6QcJlJGnQGbkPWWBQ=,tag:mJE45PfqIMqOjXSVyPBNBw==,type:float]", - "env": "ENC[AES256_GCM,data:7VCj6pEXmpY=,iv:nVrrzX4SufKFcZVv+X+KnTs+RrEzzcWfwhucOqrcxbs=,tag:PTbnoPKJL1WAiGptiZtzhA==,type:str]", - "auth": [ - { - "user": "ENC[AES256_GCM,data:XogBJ61GPQ==,iv:VECpTjq+5f+uJ4LHIXJjjqkjxKTEee8I+tahiqqhu4I=,tag:aM4o19REPU1IMZZPw6kXKA==,type:str]", - "passwd": "ENC[AES256_GCM,data:TBHBmtRbUdnP1fh9FKW5iBduo6cMixL8ubXzYI2WoKSgVu2qLayEY/Z+NX4wVEv6ZOvdTn8T+0LoBnNy,iv:/QZQMlU6DMK14CBTnKxtNTSZ3JCHht38BNFVKOzG8Zs=,tag:4JrgPJRORi4HlxXbbOXQcg==,type:str]" - } - ] - } - } - ] - }, - "services": { - "forgejo": { - "port": "ENC[AES256_GCM,data:LeoJgg==,iv:VNzohA79PsxMwGVjjwpIO7/IhDZjsKUSwN9zduDkdz8=,tag:nCtJLCEJIkgnHqsSnQfWzw==,type:float]", - "actions": { - "token": "ENC[AES256_GCM,data:FvNghTF9R+dY3ucCupjld1+pAAcUSMUs+Bs4zLB6602il5Vc8rB+tw==,iv:eFdV22mOgqYGtV7GPlHV3V1vHI8y7PxcZHKR+IVbe9w=,tag:s0EtlH71nWA0BCMILzj77A==,type:str]", - "labels": [ - "ENC[AES256_GCM,data:zk436D5fBpL5Uup+jRLkmRvdzarcVcxx6VkswAJGBd3OHAYOqAP5UF/IuCpj+yX+Zgo43HDlXn++jHpkfg==,iv:vQKe8YyvZypjM+y26AIP+ahIPROjbsqo0QXCFK9t7MY=,tag:h7itIhOLnLSBJ0U7oX/+2w==,type:str]", - "ENC[AES256_GCM,data:JoJ2CCjTwiP4LJk3yn6SwqRcgUO01HNQPtqXv8JRPdLkXrfWEPTkY/DfNhXp3r1WeFjHV9eJKA0nQLe5bA==,iv:bJyj1IalIVfpt9DQPBaB2e3lPBVtppVWFKWl+Iz/SrU=,tag:cPsPkEoiFuqw1j1fdfEJrg==,type:str]", - 
"ENC[AES256_GCM,data:WY14CU0nb7q+Zcu+RIYn+xpgrtRdJ8s82eW8cN8RngDUM0SFt0BhGM9lRmgMuaeLZqSR5CWS,iv:/X0g5osVSRQm1u+UcbFQgNEr4yo+E2d6+aqZJ0DanP0=,tag:a4/hb3A7egpQBM7EbQn5yQ==,type:str]", - "ENC[AES256_GCM,data:yM9lFk2j/c2ockfgHFrA7ay3ExLyf3uyKHN84nzhgS5KnnRt3iBTt4XW65ZVxGmO,iv:/jvTN39uBwMAV5Ok4XeT0KrcANHkAILUgOgoFCTEcd4=,tag:yTU7aArSGfvNjvMtLtUUVA==,type:str]" - ] - } - }, - "garage": { - "admin": { - "port": "ENC[AES256_GCM,data:cKzOaA==,iv:2GqreOOa9UMTmqy21guRiCKJlBl4UZRrY3m0IFJxttA=,tag:H+bISRexfnp8jr4g2tA46w==,type:float]", - "token": "ENC[AES256_GCM,data:1jGcB30AUDngld/y50ZEu6PgjQxmn6N93QJ4MeXFUOe25jlGMIaWzMW46pY8LMj+hLfVvtOfm6IQ//9AKyoAuQ==,iv:5BJX00gYBaOSGBIkqhJh+sH44bndldp5HZ1RG/wxZtk=,tag:IU4FtnudF7253bFAzdJNMw==,type:str]", - "metrics_token": "ENC[AES256_GCM,data:HvAR20PscWrPeHddk45D6rJQS0ClomoxBljEZbaPFwNaDocefAlAw2bI27WzRpuQ+4bdlKWq/dVb5kjSxOJN0Q==,iv:rybJlxPwdJ2wHIsXlFYoD3SWJ0cveoIsT2V0kW8QJWU=,tag:BuvJqv0xBPipfVVuVUK0+g==,type:str]" - }, - "api": { - "port": "ENC[AES256_GCM,data:AXl7ww==,iv:tCqRl/oA9vSRTnDgdMvlunZHBgvZmGQS/X23ATkusYQ=,tag:IxDylhwpET/J1R2wv/hTqw==,type:float]" - }, - "k2v": { - "port": "ENC[AES256_GCM,data:QI1rpA==,iv:yUsb/E5Qcv7tkiOv4TtNBimlhVgu1d+z1JlB0RugQfY=,tag:DYsl7ILyMF1CPfMuM3H1ig==,type:float]" - }, - "rpc": { - "port": "ENC[AES256_GCM,data:vRZh0w==,iv:Mb++GGgTEJ+3a1/8bSc3aYfp7yWloGWyD6RoDm2ChRg=,tag:GhTQxLJPrPlm01skGCsJZQ==,type:float]", - "token": "ENC[AES256_GCM,data:fyQlzxMzGsz77/tmaAx6f6NyCDq38vDyK8wY1TUE5FKH+8DC6RCotf5yJ6irG2ZXx9Yxb9dkqVXh8qT6G6TkGA==,iv:73ATBcbQaVeyEDClMsp7u6YPSDbVdnDsaDmrpvFxqO8=,tag:iMsuT1XYM5acRlTUN0zp/w==,type:str]" - }, - "web": { - "port": "ENC[AES256_GCM,data:OGqEOA==,iv:Sm7CgAanwVq99aOt8WYxVegJjOnEWVV9m0hwpWQko1M=,tag:pHKY2GZB1rU7fmjaiRdK0g==,type:float]" - } - }, - "sqld": { - "http-port": "ENC[AES256_GCM,data:jtEa8A==,iv:NuNwjNdDg0HFxAaExIbrhIYGPHpduM+1wxwu1t6CRtg=,tag:VrEZVCygKmfouZ3W/gUrNQ==,type:float]", - "grpc-port": 
"ENC[AES256_GCM,data:B2Xigw==,iv:aHszMeiMa52bkrA8fUsz4mO1VwyR2a/GEJVweHKzslo=,tag:sCBxQW36A910ayiPYscyfg==,type:float]" - } - } - }, - "guz": { - "services": { - "adguard": { - "port": "ENC[AES256_GCM,data:g4kgZg==,iv:GR9LMXiAjak8iOREQzqmUU4TTjrVDRlupZfZaS7RQ2Y=,tag:pZXMsxw0BKaGpNklKiCH6w==,type:float]" - }, - "keikos.work": { - "port": "ENC[AES256_GCM,data:2oxzgg==,iv:yVGXfq9d0DtZfm7CwCIq+2xfi+twuwwhxh//9fD7XIc=,tag:b7cApWwibu+YthjyZufuKQ==,type:float]" - }, - "capytal.cc": { - "port": "ENC[AES256_GCM,data:9PxJZw==,iv:epPPxy5tsFomNv5jc5hxbkzalBilkQ6Qugwic/yvyQU=,tag:jGdSuGmcmBgcpHh8mEjafg==,type:float]" - } - } - }, - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL3dCY1VLMmoxRFRmS0Ir\nV0ppTnI0RE5ZMjcvRGNPWkNxWFdJYTBDTG00ClRGQkh1UStGTmc0RE5aNy9nL3FI\nbHJIa3hLR0ZkTjd6WkFzOFkzeFdMNUEKLS0tIDBidk93Qy9LenFlSGZ2aEpuTUFt\nWVM2eS9UdXAvbzE4eEdKMjVEM3RLdm8KKeIhk+YOKVL9Y19lLyb6/Pxv8rbewK2e\nLm96jx+LOMOCFcQGxuFKWqQbTB4br/cPvRKSY5jFmFWqVg7pCPTAzQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-03-31T21:47:18Z", - "mac": "ENC[AES256_GCM,data:OXwJvWOGWOO45KuptYWs4TO1yxiOIOej02ZRUD2pNUiWqIJfXOc9Yz3SVcu0kcIR+CqXsGSP5Rpoc4echQ8szWy725Yx4V8V16HplaXqhIWvcjMWzAhXvzbMov5nu+82NlMhS2Xm5QIDEpH7t2rFNXUrTC1Je51o/BHdKK6giXs=,iv:f0WjrPMwtLoINleQ6C057daFsapYhTfK3e8FTwj4GLw=,tag:sHd0M5awyKuHdSNgnYRtyw==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.4" - } -} \ No newline at end of file