feat: set up agenix secrets management

2022-05-04 03:02:47 +02:00 · 2022-05-04 03:02:47 +02:00 · 5f329f550e
commit 5f329f550e
parent cc6226d335
32 changed files with 279 additions and 44 deletions
--- a/secrets/cfdyndns.age
+++ b/secrets/cfdyndns.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA Emv7LuDzOeexxdx2VAcq4eHd1Ui0i8SC5TTuiGZOO30
+SnveZYGyGw1ScrHiGKeTCcF4+gVX8JSc3SctDAztJAE
+-> ssh-ed25519 lJaKnA J355LOx5+epedQBxWKzPkl5AE/dGhMvWDx1e602Pcmk
+qRJqL5xgUmP35K7BSa+J/eZKfIGWYbSKWdtnvkABPq8
+-> ssh-ed25519 lJaKnA /eU6VAS8l8D0P9gQoGnkiOLkS+RMRtvexHsGMYr0PS0
+SBbQ2dGElppICUmUxtMrCJuSoEqG19FK/+jSj/N0Prc
+-> ySZ!-grease t[TQ^2 7st Z=@p5*y
+HuR5RgLmPS3L10XdpXFMXIJ9EWYKfpp9c3NdZLXMTcEtpasU7bK9
+--- UGXt/VHxcQjXGCOTY44K5NnXCw2nhwgCISFy3q6eMbw
+¡’.}he|¿jœ0n=v6±@hŒöM¹¤ü–bëÎ±çŠMÜ)Ñ/Õ¥‚†Áÿµ·Bë©j,‹ÿ3çÂ¶aß%²«%‰
--- a/secrets/etebase-server.age
+++ b/secrets/etebase-server.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA PiJaReRK5NQZCDIflhIcHk1Oq6rgjj5ypd8FHgKd/kE
+xMFuaJRHVLNQ2tuKIASzTwT1thx7eRu70Bu0QcFy6MY
+-> ssh-ed25519 lJaKnA FIpBmZMfYSYG6lYgkeao7WCNA7rqhLW0611ZvEfY4Tw
+Eg4J4FhHi3IGobunEp6HI/TYL8YM3cK0MVtjjtzXzWk
+-> ssh-ed25519 lJaKnA vFQD+W6AUUnCQQGaESC0CkzNAU3bpX6Fhe/SwUmXbX8
+DK7gzSaASAsF5Gnjnsre1sp8roRAcO/ir375H/KpISk
+-> &QP@0b-grease k7$s7 8\h&#a ei| QHd^p;ZF
+WSmIa6aLNAlhZrMHAFCwHzPb3PDVeOoGOoZLmGFYbAQVtvb6f2bViQ
+--- 0xuMti4919O+zoKW2QmriKd7/596BI7GOqIcBhATDu0
+ô× _óÊiÔòÃI-%æï¼\\qg`Vm$/ÿ‡±D5öIî²XšÞÒÚw\MÛø<WÞž*fBUK$@jt;êõš–Ú2ƒÊ2@
+·é
--- a/secrets/home-server/hostKey.age
+++ b/secrets/home-server/hostKey.age
--- a/secrets/miniflux.age
+++ b/secrets/miniflux.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA 4iybMfkurGBEDspucYYcgRDxCUsCC4QBTlpFs2DgK0Y
+6ybOeDNPt1li/676g6YYi48ayGhwdADpVREUn18PF8M
+-> ssh-ed25519 lJaKnA BJZQVEzgQRxlllIRKWuNS2yWbxSqg4cRIYhCX17W0F4
+qwwHkX6S9w2ThoGFceDTQxF2cI1rCAzW1O30Gghhd2E
+-> ssh-ed25519 lJaKnA GM8nbZz4k5ervWWtxms+3nslzUrD6B7T22OhoXlko0s
+obBIKd7KQiRNdKqHIK7GF5nuL6d1gl9LuylfpojBRfc
+-> G?-grease DH=|Af jdM6?L2 C3]pza"
+Bttx2gTtRctBmFAzZgXciFHsYG+gM+YdnuD18Jf7a5lhAMDIEJsEcruaqOoHVB8z
+jKgp6mtVweMNmGAH/lUP+9ARDShCThvJPduubVZgCfDRiOK3hxcVRtO+DxjJ
+--- l4j5QC9J2Zof2U/F/HXxj509cvZfSV4CKLcB6xVdgW4
+F¯Îââ?ò®†«Q;"°MUox3º9ýAÑ	'6é‚’Ë¤`#¤2-®O â_Ã5÷4ìÈU‹ŒJA!ì‰×'Q¹ºl¶Ñöí¢=_Ž&jù›ÛJºîïHî«A¶.c/³<>7Eo¡*¡'oÿLVT
--- a/secrets/mqtt/birgit.age
+++ b/secrets/mqtt/birgit.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA faxHH3lztiUsqL3pIfsCLYyEvJQRKTzdHZ9ZQBY0ZiE
+sqF7QhvixdTe+W6ejULAt0g6iTO6i039bQAXQTnKBQg
+-> ssh-ed25519 lJaKnA 3udnbkWVw15uUKUrN88ClL41r5tiFTkZ/EskHq1kzHQ
+4JX/zV9kNVjJpcYqLMpX6KlmRiiuArZSQ+W7aw1QvHg
+-> ssh-ed25519 lJaKnA amRDwgekxxMTM+xiyYcpw0NrvlgIGFugsz3RkPObZ3c
+oC2rhhYfUg+FeU8s2WSyQwdXjH+0OTv1vYW8nu5HYx0
+-> !w-grease TE w-n 7K-t)0h+ ?8
+E5SI33giJqUQSZsWDP6soRdg+tQQI0DX9J7xNXtFkzPz8qVNuw5pgQ4vMW/Bzqi1
+
+--- ars8pQpDQPk9xsIBm58zuB5gasfkLBj9jaUVnJRUS5g
+ Z<C2A0><DŔő±WąˇUl9<>˘ WsĄ«Q`}W`´ľ«e; ŐĐm™
kť×UęčđR%*Ň„{1L.î2Ţ¶Ý(¦bŐŤ”+z\Ú`•Ô·č
+”ŇŃÚŤA8ˇTŘ0Ä) ;ÖĘ9?60a_S7(ř$őŢ÷ĺ‡„	¶X”Ü™=HE)
--- a/secrets/mqtt/felix.age
+++ b/secrets/mqtt/felix.age
--- a/secrets/mqtt/hass.age
+++ b/secrets/mqtt/hass.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA JOMz5YdPIoGZevxlmInkiPA4ihiBADP3oI2jYd2rqwI
+lve12oZbEgjbUg4I4HLY0s+BxFACyMGYn+OPESenwxQ
+-> ssh-ed25519 lJaKnA gI1N9OByqOZyU1dDDsFL2eSrsYajUnTNYrHmjSQFbgw
+ZvkkMjgp/ZQWJbtK9VvBVomXfAa3UP2pedB21Wzd4OU
+-> ssh-ed25519 lJaKnA NG74HNqwQf+f3BgcIFkobLtJBR84iU4vWgaQ35Hz/QI
+n/cyj5lkcnVP8QIYrjdgrS1smM/HtoNInX5S+CylFCI
+-> {+%}-grease ts3
+xV6pJqcF5eys768Ebfnc
+--- 4c28/eIybtMWAKq/QKIk3iLhxW8TKw9ppXV6AUXs5uw
+å’ŒÕ»Øa™MN% §Äþ@ŽGíýœÓ¾w¶ªÄi¤—¹&@žT|æå"<22>Ô1ƒø<C692><C3B8>7¶yåÔI¶BkUÉáÜ	rÌLØƒõ¿»áÀˆ?œhUð?ç¹_Ù%“’ÆR<C386>	dBL‹‡wrI u‹-<2D>âSžõb6K@>c(éÄAfú]	®DMÏ
--- a/secrets/mqtt/owntracks-plain.age
+++ b/secrets/mqtt/owntracks-plain.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA 9ZDFWbY8ASraHwjd0JuvAZfTSWFgF2qsp6nG6rJPgz0
+pG8rnhj9VKn5daVED/xumCSvvgMAhuR/9asfZqAUsjk
+-> ssh-ed25519 lJaKnA evqpHayE6msY4w3SoVar9gbH8u8eLBZPe6p7Bb+Yhjw
+m1v4Nbhnhb5g9aNEv7v/73PXGwPzX8479Hoot4Xw1S8
+-> ssh-ed25519 lJaKnA zYmrvOXvmG5pMmEj+rAG7Fup2xa+a+FAkQRBfdqsdmY
+Z8LrR55uu6RQOfio2e5l6AkndlN8gJ3PK00vlbz1L6w
+-> _-grease k/_|
+RnSdSY+/8WfoCjSSjyXt95UbSy2H5Xo+ZddNgo3McJhYZ4e+4KfVWKShh8A
+--- uPq0CoCBxWjMHmMGsOJVuYokN/FUdGbf6JhMmlkHk/o
+"%ﾏovｲょ紅4@ﾌ<><EFBE8C>lｧ(0閘H$ﾚsKﾛｻﾋ募ｹ<1D>絣f$ｴｾ4所ｽ%ﾆ!z`,<2C>ｨ!Gﾇ
--- a/secrets/mqtt/owntracks.age
+++ b/secrets/mqtt/owntracks.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA 9APgopeRiTUoUlAv9y7JJc/qVz4Joh5GGV2gDx8len0
+68e/QQpbpJfodwDP3wVAlK6OizsUqnYO60JM+z132K4
+-> ssh-ed25519 lJaKnA XofGre3Pp6+alLDM4Uirpd3EzfK07etl2aDG2CE/kE0
+l17gDsyyvlFaCe7xe/2xGA3HbUpHcAK9vsQSgJEeRgw
+-> ssh-ed25519 lJaKnA As7CB1OUAprJdLh59D0GDZxaX4wfJTepuHTafuk/W2E
+7TmnXgc0pZVwC+ZDtkK0Q80cKI73ioihiHdkNrd7Mt8
+-> 6-grease 3$\~e`: iv$y.x: qmtg87 Zu
+QN1eUCtxbXQl8hUfoDNH4w2nZJGcTr6u56DgeoR3yv/63jcmatAg2Tjj1j+oC4db
+Eg
+--- dCHdmNkda0Qcbz0dFoOrLwxf1j+JOO/t2zBWI8jr3Yw
+^©‚O‹€ê¬v„gÞA_´t–ÀÁ`GMôRR‡Á¦	|Qþ.•P<™±+Vô¯Ž±Oz<4F>ju‡å÷©á{©Q.zCb©ÖCkìòÂ´Zoa+áz"»Mv^õŒ„ÇS<C387>†ìY£ä9¸`Œ'ýŒkü•›ªãGêM‰øDíêyh
+ùph‰¢
--- a/secrets/mqtt/tasmota.age
+++ b/secrets/mqtt/tasmota.age
@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA RwiNDZQbaam7wumvD5lMya9nJAPjBeadTZNgwRP+P3Y
+s+RQNFXBNFcmODZkUkrOJ6/hWHyNT/9I/xMQyQZTVlQ
+-> ssh-ed25519 lJaKnA ohDv40O7aE3OS2LKoUHpqxJS/ieIJT8j09+7XSKsyXs
+qjIge/Vr+KYgsl9mHMyU4i/u+8WeacvqtOWn65t8mjU
+-> ssh-ed25519 lJaKnA +V5DEilKUoZXCiUT1PXCbS1BLle2YnnOJNmidgkIsxY
+0lBl9QVJEJrk/aeV54ekFg8KUEP7MaIM+QPHfZL4rgg
+-> =1`m\-grease +wT5Dx TI)H
+tIFfbrDUu9t78n1Wt+YlgIkHr6NMDgNXgFj8SF+psNkGXP1dLXK8qK0bNRJy+irq
+vigAG5CtTx3YPWIg6ZuiGhpsZdWFBqNPCbimSeDxbuxXIF628yJqbU66q/vFjqdN
+pEI
+--- PX2eCsYZBakfzt72x6uZ8X0nRvcCN+XDsGgXgz9biyo
+õïeDÀu5‚´ypÉ*ºp0ÿŒ<Àá–ý|\§PðØùÓd#‘^å™¥»S±‰Ô¼lÈèWOòÀ|Wª76O-Œ¸Ä”—è¿ŸÆý±Ô]_Ç:øÔÞ›ã‰œžë"€ß¹$âµñvQˆ]ŠsºáÚªÝœ÷kxØÁ
+pfJJ×Ì¯»Ë;WN
--- a/secrets/nextcloud/admin.age
+++ b/secrets/nextcloud/admin.age
--- a/secrets/owntracks/htpasswd.age
+++ b/secrets/owntracks/htpasswd.age
--- a/secrets/paperless.age
+++ b/secrets/paperless.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA PnM/rcfmbOTuCsk1FxEOPZZOw+HoBdKJsOWPX5StCzo
+eHOMjzow7uJv+AFgg7LpHkIerObFRiTmGDnlDPYuug8
+-> ssh-ed25519 lJaKnA SBliQvSaM3MsANtYIeA5lLmGdYCddQvHtCPnbE7AwxU
+DJ6Da2Oo3Vw0ZjqLzzHYjC1Fx9jf3sZFSKr0ENswENs
+-> ssh-ed25519 lJaKnA 114+dYd75UOk38aM47rYxReZbqzRr85db0T4cD4Kll8
+bFso7p5rMbp2D+Hve79NJVuBLQNLSyIxuJqhlVKVOG4
+-> 'w,HX)U-grease
+pc+FROn+syWXfA
+--- 4JJ+abXUqrakmR6ykdbOGRuAxwlqWodcsCd/ljZjkak
+örol)lÁb¶|Lƒ°Ë²±£X‚òc0…3²Æ»ç´–m†É%<25>53
!Ò©8JFA™¥PGõ[ˆÜÞ<C39C>zøzÂƒ¾fêˆ:K
--- a/secrets/restic/b2.age
+++ b/secrets/restic/b2.age
--- a/secrets/restic/password.age
+++ b/secrets/restic/password.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA fbM8lDDIcSZuJuz7/wXRJMcTRTGGOlDeH0RxPq0OzBI
+FlmhO4F+26Y7qVKjUheeDLy6mq6hvHotBtXx3Kb+8Vw
+-> ssh-ed25519 lJaKnA o9ze7N8CYlBzsq1KjRmbewuN6CPkoZD/9B1qHK7x82U
+GlOVGR73HtZimuk5oZAQLxVN5LISX1eWpYTWBld9M5Y
+-> ssh-ed25519 lJaKnA YPaLYoPKH+TU8Y710gxn2tqenlRrEVT7/75mW7URsHU
+VySQYMgmHDGnnWsMk9m+0xkOWvpeIAZ3ud+YzFPsb4c
+-> fa[~+&A-grease (NimzZu
+Dz/ZPmLAUm8/2uyzdjOpQDRqzknifW0xxvJdTXMFZslYbNDO/2kw56yXqI5QHVXr
+pvQ55xiQ+bhyqC7f7zb3IIVPL9X1rBXCiwzEGyjgAHgDPWxq4n8LsFmK0OQ
+--- olMB+qz19Awqlt03jGB1jirQ4GB2FzDFARKTiaXTlME
+ˆñ›æD™ ë· Í ÜÛë¨ú ‰ {´ÏD=Ð9
+ôEÚd<EFBFBD>²s™µmÏÎ×Ê’ fb#0®ñŒþ:_‚
--- a/secrets/samba.age
+++ b/secrets/samba.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,36 @@
+let
+  # age-specific key in ~/.ssh/id_ed25519: `ssh-keygen -t ed25519`
+  felschr =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbQpMo1JOGk59Rzl6pVoOcMHOoqezph+aIlEXZP4rBu";
+  users = [ felschr ];
+
+  # `ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key`
+  home-pc =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFTQvIcSdhEKl/Kq+pcS/cPCyyZ1ygj+djfuaXzaRMx";
+  home-server =
+    # TODO which key is correct?
+    # ssh-keyscan:
+    # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw/BoHY5LGtQblqwZA65/awp30lB/OQABd9dD7wc18n";
+    # /etc/ssh/ssh_host_ed25519_key.pub:
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFTQvIcSdhEKl/Kq+pcS/cPCyyZ1ygj+djfuaXzaRMx";
+  systems = [ home-pc home-server ];
+in {
+  "restic/b2.age".publicKeys = [ felschr home-pc home-server ];
+  "restic/password.age".publicKeys = [ felschr home-pc home-server ];
+  "smtp.age".publicKeys = [ felschr home-pc home-server ];
+  "samba.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/felix.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/birgit.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/hass.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/tasmota.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/owntracks.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/owntracks-plain.age".publicKeys = [ felschr home-pc home-server ];
+  "cfdyndns.age".publicKeys = [ felschr home-pc home-server ];
+  "owntracks/htpasswd.age".publicKeys = [ felschr home-pc home-server ];
+  "etebase-server.age".publicKeys = [ felschr home-pc home-server ];
+  "miniflux.age".publicKeys = [ felschr home-pc home-server ];
+  "paperless.age".publicKeys = [ felschr home-pc home-server ];
+  "nextcloud/admin.age".publicKeys = [ felschr home-pc home-server ];
+
+  "home-server/hostKey.age".publicKeys = [ felschr home-server ];
+}
--- a/secrets/smtp.age
+++ b/secrets/smtp.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA 43J8smzoqtcwu7PTuDqMKDhrZY4SOTnkW7QPaucr5Ec
+2yzgWNtcIwlzmzemrMViGcSNjaXh1ZByhDuz8rNgJiY
+-> ssh-ed25519 lJaKnA e1Z8S7N7Uy4HXOak0Kv4LmDIwYZwBGtBlj4IhxenGAg
+uX76aQ070jWZSJAukU2PUlbnqc5DRm8inI/K7oQr0aI
+-> ssh-ed25519 lJaKnA jjDu7ZCYJd/acTpA370El9M7r57Cng2nanBZQ1et+Qo
+3kdlDpUQmWeFLjQTxvYIChG7l1tFD9nGdelaxmVUmGE
+-> Nm$>*-grease
+vr3ixslEPoZymosVwpW1M5D5t2W8JMN6/q2/ANyx6cb/mufaXIarQHiEHTM5SKzP
+T1iEoaPmOInemN2mwUozamlpXYN45RmZHGRGkk1SuI9W7VL76SdbkqJJtryJjhE
+--- vIejhGkUPWUAjgWK/mkftMPVYUuiD3ovjz7v/qLa5F8
+†Ó\\ ¨öò'z	¢æšîóL0œ»æÇÑ5·g¸oã»Wá‘‡‘„ÆÇ#¬Ž„ëx•[Ê«<E½°Ø"Ê®Ë& †C‹NzÀ_Œ