diff --git a/README.md b/README.md index c87beb5..71ce749 100644 --- a/README.md +++ b/README.md @@ -15,9 +15,15 @@ details as to what they are for. As an overview: - [`infra/`](./infra) contains the configurations for the various VMs that are in production for the project, for instance the Git instances or the Wiki. +- [`keys/`](./keys) contains the public keys of the contributors to this project + as well as the systems that we administrate. + - [`matrix/`](./matrix) contains everything having to do with setting up a fully-featured Matrix server. +- [`secrets/`](./secrets) contains the secrets that need to get injected into + machine configurations. + - [`server/`](./server) contains the configuration of the VM hosting the website. This should be integrated into `infra/` shortly in the future, as tracked in https://git.fediversity.eu/Fediversity/Fediversity/issues/31. diff --git a/flake.lock b/flake.lock index c8e7fa7..0bbdc67 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "crane": { "flake": false, "locked": { 
@@ -34,9 +55,31 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "disko": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1731274291, @@ -266,7 +309,7 @@ "inputs": { "flake-compat": "flake-compat", "gitignore": "gitignore", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { @@ -339,6 +382,27 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "libgit2": { "flake": false, "locked": { @@ -519,7 +583,7 @@ "flake-parts": "flake-parts_2", "nix": "nix", "nix-cargo-integration": "nix-cargo-integration", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-old": "nixpkgs-old" }, "locked": { @@ -541,7 +605,7 @@ "flake-parts": "flake-parts_4", "nix": "nix_2", "nix-cargo-integration": "nix-cargo-integration_2", - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1727424043, 
@@ -560,16 +624,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730958623, - "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "85f7e662eda4fa3a995556527c87b2524b691933", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -723,6 +787,22 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1730958623, + "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "85f7e662eda4fa3a995556527c87b2524b691933", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1732837521, "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=", @@ -738,7 +818,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1724819573, "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=", @@ -754,7 +834,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1732350895, "narHash": "sha256-GcOQbOgmwlsRhpLGSwZJwLbo3pu9ochMETuRSS1xpz4=", @@ -934,12 +1014,13 @@ }, "root": { "inputs": { + "agenix": "agenix", "disko": "disko", "flake-parts": "flake-parts", "git-hooks": "git-hooks", "nixops4": "nixops4", "nixops4-nixos": "nixops4-nixos", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" } }, "rust-overlay": { 
@@ -1028,6 +1109,21 @@ "type": "github" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 4187e6e..f7251cc 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; flake-parts.url = "github:hercules-ci/flake-parts"; git-hooks.url = "github:cachix/git-hooks.nix"; + agenix.url = "github:ryantm/agenix"; disko.url = "github:nix-community/disko"; @@ -26,7 +27,9 @@ ./deployment/flake-part.nix ./infra/flake-part.nix + ./keys/flake-part.nix ./services/flake-part.nix + ./secrets/flake-part.nix ]; perSystem = @@ -47,6 +50,8 @@ optin = [ "deployment" "infra" + "keys" + "secrets" "services" ]; files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$"; @@ -69,6 +74,7 @@ devShells.default = pkgs.mkShell { packages = [ pkgs.nil + inputs'.agenix.packages.default inputs'.nixops4.packages.default ]; shellHook = config.pre-commit.installationScript; diff --git a/infra/flake-part.nix b/infra/flake-part.nix index f98b35c..bed71fc 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -1,4 +1,4 @@ -{ inputs, ... }: +{ self, inputs, ... }: { nixops4Deployments.git = @@ -13,11 +13,15 @@ ssh = { host = "185.206.232.34"; opts = ""; - hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr"; + hostPublicKey = self.keys.systems.vm02116; }; nixpkgs = inputs.nixpkgs; nixos.module = { - imports = [ ./vm02116 ]; + imports = [ + ./vm02116 + self.nixosModules.ageSecrets + { fediversity.hostPublicKey = self.keys.systems.vm02116; } + ]; }; }; 
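Review bot: The new `agenix.url = "github:ryantm/agenix";` line in flake.nix pulls in agenix's own `nixpkgs`, `darwin`, `home-manager` and `systems` inputs, and the accompanying flake.lock records agenix's `nixpkgs` as a separate, older snapshot (lastModified 1703013332) next to the project's `nixos-24.11` pin, so the agenix NixOS module and the devShell package are evaluated against a second nixpkgs that nobody in this repository tracks or updates. Adding `agenix.inputs.nixpkgs.follows = "nixpkgs";` next to the url line keeps a single nixpkgs to patch. The `darwin` and `home-manager` inputs look unused here and could probably be dropped with an empty `follows`, which I have not verified; the extra flake.lock nodes would then disappear on the next lock update.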
@@ -27,11 +31,15 @@ ssh = { host = "185.206.232.179"; opts = ""; - hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM"; + hostPublicKey = self.keys.systems.vm02179; }; nixpkgs = inputs.nixpkgs; nixos.module = { - imports = [ ./vm02179 ]; + imports = [ + ./vm02179 + self.nixosModules.ageSecrets + { fediversity.hostPublicKey = self.keys.systems.vm02179; } + ]; }; }; @@ -41,11 +49,15 @@ ssh = { host = "185.206.232.186"; opts = ""; - hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW"; + hostPublicKey = self.keys.systems.vm02186; }; nixpkgs = inputs.nixpkgs; nixos.module = { - imports = [ ./vm02186 ]; + imports = [ + ./vm02186 + self.nixosModules.ageSecrets + { fediversity.hostPublicKey = self.keys.systems.vm02186; } + ]; }; }; }; @@ -63,11 +75,15 @@ ssh = { host = "185.206.232.187"; opts = ""; - hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN24ZfdQNklKkIqfMg/+0vqENuDcy6fhT6SfAq01ae83"; + hostPublicKey = self.keys.systems.vm02187; }; nixpkgs = inputs.nixpkgs; nixos.module = { - imports = [ ./vm02187 ]; + imports = [ + ./vm02187 + self.nixosModules.ageSecrets + { fediversity.hostPublicKey = self.keys.systems.vm02187; } + ]; }; }; }; diff --git a/infra/vm02116/forgejo.nix b/infra/vm02116/forgejo.nix index 157e8d6..78357eb 100644 --- a/infra/vm02116/forgejo.nix +++ b/infra/vm02116/forgejo.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: let domain = "git.fediversity.eu"; in 
@@ -27,15 +27,21 @@ in FROM = "git@fediversity.eu"; USER = "git@fediversity.eu"; }; - secrets.mailer.PASSWD = "/var/lib/forgejo/data/keys/forgejo-mailpw"; + secrets.mailer.PASSWD = config.age.secrets.forgejo-email-password.path; database = { type = "mysql"; socket = "/run/mysqld/mysqld.sock"; - passwordFile = "/var/lib/forgejo/data/keys/forgejo-dbpassword"; + passwordFile = config.age.secrets.forgejo-database-password.path; }; }; + age.secrets.forgejo-database-password = { + owner = "forgejo"; + group = "forgejo"; + mode = "440"; + }; + users.groups.keys.members = [ "forgejo" ]; services.mysql = { diff --git a/infra/vm02179/gitea-runner.nix b/infra/vm02179/gitea-runner.nix index b471bd4..2b1a0d9 100644 --- a/infra/vm02179/gitea-runner.nix +++ b/infra/vm02179/gitea-runner.nix @@ -1,6 +1,6 @@ -{ pkgs, ... }: -{ +{ config, pkgs, ... }: +{ virtualisation.docker.enable = true; services.gitea-actions-runner = { @@ -9,8 +9,7 @@ enable = true; name = "vm02179.procolix.com"; url = "https://git.fediversity.eu"; - # Obtaining the path to the runner token file may differ - token = "MKmFPY4nxfR4zPYHIRLoiJdrrfkGmcRymj0GWOAk"; + tokenFile = config.age.secrets.forgejo-runner-token.path; labels = [ "docker:docker://node:16-bullseye" "native:host" diff --git a/infra/vm02179/token.txt b/infra/vm02179/token.txt deleted file mode 100644 index 680567c..0000000 --- a/infra/vm02179/token.txt +++ /dev/null @@ -1 +0,0 @@ -MKmFPY4nxfR4zPYHIRLoiJdrrfkGmcRymj0GWOAk diff --git a/infra/vm02186/gitea-runner.nix b/infra/vm02186/gitea-runner.nix index 58434b7..598a2a5 100644 --- a/infra/vm02186/gitea-runner.nix +++ b/infra/vm02186/gitea-runner.nix @@ -9,7 +9,7 @@ name = config.networking.fqdn; url = "https://git.fediversity.eu"; - token = "MKmFPY4nxfR4zPYHIRLoiJdrrfkGmcRymj0GWOAk"; + tokenFile = config.age.secrets.forgejo-runner-token.path; settings = { log.level = "info"; diff --git a/infra/vm02187/wiki.nix b/infra/vm02187/wiki.nix index 858790d..afb4464 100644 --- a/infra/vm02187/wiki.nix 
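Review bot: `age.secrets.forgejo-email-password` is referenced on the `secrets.mailer.PASSWD` line but, unlike `forgejo-database-password` a few lines below, gets no `owner`/`group`/`mode`, so it is decrypted with agenix's defaults (root-owned and, as far as I can tell, not group-readable); if the Forgejo module reads that file as the `forgejo` user at startup, as the explicit `owner = "forgejo"` on the database secret suggests, the mailer secret will be unreadable and the service will fail on the mailer step. Declaring `age.secrets.forgejo-email-password = { owner = "forgejo"; group = "forgejo"; mode = "440"; };` alongside the existing block keeps both consistent. The old plaintext files at `/var/lib/forgejo/data/keys/forgejo-mailpw` and `forgejo-dbpassword` stay on the host after this change; a comment noting they are to be removed once the deployment is confirmed working would help. The `users.groups.keys.members` context line appears to belong to the previous key-file scheme and may now be dead.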
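Review bot: The runner registration token removed here (and in the same hunk of `infra/vm02186/gitea-runner.nix`, plus the deleted `infra/vm02179/token.txt`) remains recoverable from git history, so the value visible on the removed line should be treated as disclosed and regenerated on the Forgejo side before `forgejo-runner-token.age` is relied on; the same applies to the wiki password and the `basicAuth` value removed in `infra/vm02187/wiki.nix`. Separately, the NixOS `tokenFile` option is, as far as I recall, an environment file loaded by systemd that expects `TOKEN=<value>`, while the deleted `token.txt` held the bare token, so a comment next to the new line would prevent the secret from being created in the wrong format: `# tokenFile is an EnvironmentFile: the decrypted secret must contain TOKEN=<registration token>`. The enclosing instance definition continues outside the hunk.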
+++ b/infra/vm02187/wiki.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, ... }: { services.phpfpm.pools.mediawiki.phpOptions = '' @@ -11,7 +11,7 @@ name = "Fediversity Wiki"; webserver = "nginx"; nginx.hostName = "wiki.fediversity.eu"; - passwordFile = pkgs.writeText "password" "eiM9etha8ohmo9Ohphahpesiux0ahda6"; + passwordFile = config.age.secrets.wiki-password.path; extraConfig = '' # Disable anonymous editing $wgGroupPermissions['*']['edit'] = false; @@ -24,7 +24,7 @@ ## Permissions $wgGroupPermissions['*']['edit'] = false; - $wgGroupPermissions['*']['createaccount'] = false; + $wgGroupPermissions['*']['createaccount'] = true; $wgGroupPermissions['*']['autocreateaccount'] = true; $wgGroupPermissions['user']['edit'] = true; $wgGroupPermissions['user']['createaccount'] = true; @@ -35,6 +35,19 @@ $wgUploadSizeWarning = 1024*1024*512; $wgMaxUploadSize = 1024*1024*1024; + $wgEnableEmail = true; + $wgPasswordSender = "wiki@fediversity.eu"; + $wgEmergencyContact = "wiki@fediversity.eu"; + $wgSMTP = [ + 'host' => 'mail.protagio.nl', + 'IDHost' => 'fediversity.eu', + 'localhost' => 'fediversity.eu', + 'port' => 587, + 'auth' => true, + 'username' => 'wiki@fediversity.eu', + ]; + require_once("${config.age.secrets.wiki-smtp-password.path}"); + $wgHeadScriptCode = <<<'END' END; @@ -45,17 +58,19 @@ }; }; + age.secrets.wiki-smtp-password.owner = "mediawiki"; + services.nginx = { enable = true; virtualHosts."wiki.fediversity.eu" = { - basicAuth = { - fediv = "SecretSauce123!"; - }; + basicAuthFile = config.age.secrets.wiki-basicauth-htpasswd.path; forceSSL = true; enableACME = true; }; }; + age.secrets.wiki-basicauth-htpasswd.owner = "nginx"; + security.acme = { acceptTerms = true; defaults.email = "systeemmail@procolix.com"; diff --git a/keys/contributors/niols b/keys/contributors/niols new file mode 100644 index 0000000..d8d9475 --- /dev/null +++ b/keys/contributors/niols 
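Review bot: `passwordFile = config.age.secrets.wiki-password.path;` is the only one of the three wiki secrets that gets no owner later in this file (`wiki-smtp-password` and `wiki-basicauth-htpasswd` both do), so the decrypted file stays root-owned under agenix defaults; if the MediaWiki init step that reads `passwordFile` runs as the `mediawiki` user, as the `owner = "mediawiki"` on the SMTP secret suggests, it will not be able to read it. Adding `age.secrets.wiki-password.owner = "mediawiki";` next to the other two would make the three consistent; if the file is in fact read as root, a one-line comment saying so would spare the next reader the same question. The enclosing `services.mediawiki` block starts before this hunk.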
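Review bot: Flipping `$wgGroupPermissions['*']['createaccount']` from `false` to `true` lets anonymous visitors register accounts, and with `$wgGroupPermissions['user']['edit'] = true;` two lines below any self-registered account can edit; this is a policy change unrelated to the secrets migration the rest of the commit performs, and nothing in the diff says why. It is mitigated for now by the nginx `basicAuthFile` gate added in a later hunk, but that coupling deserves a comment on the line, e.g. `# Self-registration is open because the site sits behind nginx basic auth; revisit if that gate is removed`, or the change belongs in its own commit.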
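Review bot: `require_once("${config.age.secrets.wiki-smtp-password.path}");` executes the decrypted secret as PHP, so `wiki-smtp-password.age` must contain a PHP snippet (presumably something that assigns `$wgSMTP['password']`), not a bare password as the `secrets/README.md` cheat sheet describes for other secrets; a malformed file breaks every page load with a parse error rather than just the mailer. A comment above the line stating the required file content, and a matching note in `secrets/README.md`, would keep the two in sync. The `$wgSMTP` array above sets `'auth' => true` without a password key, which only works if the required file fills it in — worth stating there as well.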
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace
diff --git a/keys/default.nix b/keys/default.nix
new file mode 100644
index 0000000..9c1a2bd
--- /dev/null
+++ b/keys/default.nix
@@ -0,0 +1,32 @@
+let
+ inherit (builtins)
+ attrValues
+ elemAt
+ foldl'
+ mapAttrs
+ match
+ readDir
+ readFile
+ ;
+ ## `mergeAttrs` and `concatMapAttrs` are in `lib.trivial` and `lib.attrsets`,
+ ## but we would rather avoid a dependency in nixpkgs for this file.
+ mergeAttrs = x: y: x // y;
+ concatMapAttrs = f: v: foldl' mergeAttrs { } (attrValues (mapAttrs f v));
+ removePubSuffix =
+ s:
+ let
+ maybeMatch = match "(.*)\.pub" s;
+ in
+ if maybeMatch == null then s else elemAt maybeMatch 0;
+ removeTrailingWhitespace = s: elemAt (match "(.*[^[:space:]])[[:space:]]*" s) 0;
+
+ collectKeys =
+ dir:
+ concatMapAttrs (name: _: {
+ "${removePubSuffix name}" = removeTrailingWhitespace (readFile (dir + "/${name}"));
+ }) (readDir dir);
+in
+{
+ contributors = collectKeys ./contributors;
+ systems = collectKeys ./systems;
+}
diff --git a/keys/flake-part.nix b/keys/flake-part.nix
new file mode 100644
index 0000000..7e01c8f
--- /dev/null
+++ b/keys/flake-part.nix
@@ -0,0 +1,3 @@
+{
+ flake.keys = import ./.;
+}
diff --git a/keys/systems/vm02116 b/keys/systems/vm02116
new file mode 100644
index 0000000..95d0e9d
--- /dev/null
+++ b/keys/systems/vm02116
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr
diff --git a/keys/systems/vm02179 b/keys/systems/vm02179
new file mode 100644
index 0000000..d3e0494
--- /dev/null
+++ b/keys/systems/vm02179
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM
diff --git a/keys/systems/vm02186 b/keys/systems/vm02186
new file mode 100644
index 0000000..a3a78b6
--- /dev/null
+++ b/keys/systems/vm02186
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW
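Review bot: `match "(.*)\.pub" s` in `removePubSuffix` does not escape the dot: in a Nix string `\.` is, as far as I know, just `.`, so the regex is `(.*).pub` and any file name whose last four characters are some character followed by `pub` loses its tail. The intended pattern is `match "(.*)\\.pub" s`. Two smaller robustness points in `collectKeys`: `removeTrailingWhitespace` applies `elemAt … 0` to the result of `match`, which is `null` for an empty or whitespace-only key file and so fails with an unhelpful error, and `readDir` returns every entry including subdirectories and editor backup files, which `readFile` then either rejects or turns into a bogus key; filtering on the entry type (the ignored `_` parameter) and on the file name would keep stray files from silently becoming trusted keys, which matters because `keys/systems` doubles as the age recipient list and the SSH host-key source.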
diff --git a/keys/systems/vm02187 b/keys/systems/vm02187
new file mode 100644
index 0000000..b79a78f
--- /dev/null
+++ b/keys/systems/vm02187
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN24ZfdQNklKkIqfMg/+0vqENuDcy6fhT6SfAq01ae83
diff --git a/secrets/README.md b/secrets/README.md
new file mode 100644
index 0000000..08b135e
--- /dev/null
+++ b/secrets/README.md
@@ -0,0 +1,51 @@
+# Secrets
+
+Secrets are handled using [Agenix](https://github.com/ryantm/agenix).
+
+## Cheat sheet
+
+### Adding a secret
+
+As an example, let us add a secret in a file “cheeses” whose content should be
+“best ones come unpasteurised”.
+
+1. Edit [`secrets.nix`](./secrets.nix), adding a field to the final record with
+ the file name mapped to the systems that should be able to decrypt the
+ secret, for instance:
+ ```nix
+ cheeses = [ vm02116 forgejo-ci ];
+ ```
+
+2. Run Agenix to add the content of the file. Agenix is provided by the
+ development Shell but can also be run directly with `nix run
+ github:ryantm/agenix --`. Run `agenix -e cheeses.age` (with the `.age`
+ extension); this will open your `$EDITOR` ; enter “best ones come
+ unpasteurised”, save and close.
+
+3. If you are doing something flake-related such as NixOps4, remember to commit
+ or at least stage the secret.
+
+4. In the machine's configuration, load our `ageSecrets` NixOS module, declare the machine's host key and start using your secrets, eg.:
+ ```nix
+ { self, config, ... }:
+ {
+ imports = [ self.nixosModules.ageSecrets ];
+ fediversity.hostPublicKey = self.keys.systems.vmFromage;
+ services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;
+ }
+ ```
+ If the secrets requires specific owner/group/mode, those can be set with:
+ ```nix
+ age.secrets.cheeses.owner = "jeanpierre";
+ age.secrets.cheeses.group = "france";
+ age.secrets.cheeses.mode = "440";
+ ```
+
+5. Never read the content of the file in Nix, that is never do anything like:
+ ```nix
+ services.imaginaryCheeseFactory.frenchSecret = readFile config.age.secrets.cheeses.path;
+ ```
+ This will put the secret as a world-readable file in the Nix store. The
+ service that you are using must be able to read from a file at runtime, and
+ if the NixOS default module options do not provide that, you must find a way
+ around it.
diff --git a/secrets/flake-part.nix b/secrets/flake-part.nix new file mode 100644 index 0000000..b2e1874 --- /dev/null +++ b/secrets/flake-part.nix @@ -0,0 +1,39 @@ +{ + inputs, + lib, + ... +}: + +let + inherit (builtins) elem; + inherit (lib.attrsets) concatMapAttrs optionalAttrs; + inherit (lib.strings) removeSuffix; + + secrets = import ./secrets.nix; +in +{ + flake = { + inherit secrets; + + nixosModules.ageSecrets = ( + { config, ... }: + { + imports = [ inputs.agenix.nixosModules.default ]; + + options.fediversity.hostPublicKey = lib.mkOption { + description = '' + The host public key of the machine. It is used in particular + to filter Age secrets and only keep the relevant ones. + ''; + }; + + config.age.secrets = concatMapAttrs ( + name: secret: + optionalAttrs (elem config.fediversity.hostPublicKey secret.publicKeys) ({ + ${removeSuffix ".age" name}.file = ./. + "/${name}"; + }) + ) secrets; + } + ); + }; +} diff --git a/secrets/forgejo-database-password.age b/secrets/forgejo-database-password.age new file mode 100644 index 0000000..435d5a0 Binary files /dev/null and b/secrets/forgejo-database-password.age differ diff --git a/secrets/forgejo-email-password.age b/secrets/forgejo-email-password.age new file mode 100644 index 0000000..9de91e3 --- /dev/null +++ b/secrets/forgejo-email-password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 1MUEqQ Y+wylE1yiRBPh5aX3LNeX7/5YQ/EfPOplCBmIoR69yA +Vfvi1DZo927okyWLcfoVhVOada5bVdgcLXWzroIycGU +-> ssh-ed25519 Fa25Dw PFDPqt30lbvvf1Mu/AVMKfv/XyC2fIfnpvKrmyjDiRw +S9Qn+jNMpS4T5OlTIq0SFMTyKlq4Sz7ADdtKDuQoGB4 +--- 8/wxDtoP6ZfHqvQS8ld264jPEunSzbFP7Yqy664fyQ0 +~Cs%}+ xΥNX^ +s$bbٝN \ No newline at end of file diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age new file mode 100644 index 0000000..a0e126a --- /dev/null +++ b/secrets/forgejo-runner-token.age 
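Review bot: `options.fediversity.hostPublicKey` is declared with only a `description` and no `type`, so a wrong value (a path, a list, a key with a stray newline) is accepted silently; `elem` then matches nothing in `secret.publicKeys`, every secret is filtered out, and the failure only surfaces later as a missing `config.age.secrets.<name>` attribute far from the cause. Adding `type = lib.types.str;` to the `mkOption` turns that into an immediate, located error. It would also help to say in the description that the value must compare equal to the entry used in `secrets/secrets.nix`, i.e. normally `self.keys.systems.<host>`, rather than a hand-copied key string.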
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 1MUEqQ 5Bvi8UvLbifM2vlDOr4NRaZLRfIg6kAPY0oiwiSy50o +TnbS5BHO4hmjs7Ux9rRMzK9ahsIkU9GpmAx59MzIpI0 +-> ssh-ed25519 h0QWFg 4Cu85VZM6zyysIYwMFccXUWUGejkylHiytJA4+2nN1Q +e8XuOUfrOZ6xoWNK4gvVgs0H5pgtqUfrv/DBeh1WIsU +-> ssh-ed25519 pJV4iw JQgQMTxfDZ/26In72UHPU+k0ZGBK1DRQWoOwfxS0xwI +8De1c3d95ySwjqjQn9rHlYDfMDTHct1kbyjVx+8EZyA +--- neht26C0cEHeTGVa+epEwoO+oqXvyO94xwp25zAX6wY +DN+VU8ؼQvҐA~+āLw`EXfV0@qHj +RGOY +.?D9O[%\ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..3bc5281 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,37 @@ +let + inherit (builtins) attrValues foldl' mapAttrs; + ## `mergeAttrs` and `concatMapAttrs` are in `lib.trivial` and `lib.attrsets`, + ## but we would rather avoid a dependency in nixpkgs for this file. + mergeAttrs = x: y: x // y; + concatMapAttrs = f: v: foldl' mergeAttrs { } (attrValues (mapAttrs f v)); + + keys = import ../keys; + contributors = attrValues keys.contributors; +in + +concatMapAttrs + (name: systems: { + "${name}.age".publicKeys = contributors ++ systems; + }) + + ( + with keys.systems; + + ############################################################################## + ## File name <-> system host keys mapping + ## + ## This attribute set defines precisely which secrets exist and which systems + ## are able to decrypt them. + + { + forgejo-database-password = [ vm02116 ]; + forgejo-email-password = [ vm02116 ]; + forgejo-runner-token = [ + vm02179 + vm02186 + ]; + wiki-basicauth-htpasswd = [ vm02187 ]; + wiki-password = [ vm02187 ]; + wiki-smtp-password = [ vm02187 ]; + } + ) diff --git a/secrets/wiki-basicauth-htpasswd.age b/secrets/wiki-basicauth-htpasswd.age new file mode 100644 index 0000000..2748996 Binary files /dev/null and b/secrets/wiki-basicauth-htpasswd.age differ diff --git a/secrets/wiki-password.age b/secrets/wiki-password.age new file mode 100644 index 0000000..d180694 --- /dev/null 
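Review bot: Every entry in `secrets/secrets.nix` grants decryption to all of `keys.contributors` plus the listed systems, but nothing ties the mapping to the files on disk: an `.age` file with no entry here is never deployed, and an entry with no file fails only when a machine references it. A short comment at the top noting that agenix reads this file as its rules (`agenix -e` and `agenix -r`) and that secrets must be rekeyed with `agenix -r` whenever a contributor or system key in `keys/` is changed or removed would save the next maintainer a search; removing a key from `keys/` without rekeying leaves the old recipient able to decrypt the committed ciphertext. The `mergeAttrs`/`concatMapAttrs` helpers duplicate the ones in `keys/default.nix`; since this file already imports `../keys`, exporting them from there would avoid the two copies drifting.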
+++ b/secrets/wiki-password.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 1MUEqQ yJ53uyB0OqgbyZS+0Qu/glWZGqx8ALEr2Z0hKUrQgUg +Ewvye5oREhNCASqyql56m2mNbAGnK69fVkjZ0N2ILMk +-> ssh-ed25519 dgBsjw glI8t7C/N4BqpnuZlCnv6TFb+YUQn+0oAjbJI7GrzWw +qFxxFVt2R6FkupbP7qErZ+VFHYwEHVmY4iC6hyEf+Vg +--- fQbt68Fdj7wk8mWFx0W0Z1iRbkWxxK7+zIKw/v+BCE0 +O+Q׋F^0縿9?\Te˖B(gs'7(O=><)h`q&^ \ No newline at end of file diff --git a/secrets/wiki-smtp-password.age b/secrets/wiki-smtp-password.age new file mode 100644 index 0000000..997a6e6 --- /dev/null +++ b/secrets/wiki-smtp-password.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 1MUEqQ 4BpvvqFr+tmHeapy7bk3uS6fCS/CbeYkAJuxb5r1g00 +YVGpim5rYSzHMTA85lcTy22Fr5464Axdy/nKR3/z8RA +-> ssh-ed25519 dgBsjw mF++5ewvC+oordjFMR82SvGukQTYhqnH80nIgzUkunA +siCm1cQfuzs0I1xl1ACv6gomHmfONqGcxmj2fa4oABY +--- 2dszG1nnnEflzPy+dRj/0CW39mq49QPdgw+to8T1fRg +&;D÷3s[-0=xy#+&MD ie/|q3r|iI~ĢRfC`J \ No newline at end of file