public-cof: secure nextcloud using agenix

machines/public-cof/nextcloud.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
   services.nextcloud = {
     enable = true;
@@ -11,8 +11,8 @@
       dbtype = "pgsql";
       dbhost = "/run/postgresql";
 
-      dbpass = "TODO";
-      adminpass = "TODO";
+      dbpassFile = config.age.secrets.nextcloudDatabasePassword.path;
+      adminpassFile = config.age.secrets.nextcloudAdminPassword.path;
 
       defaultPhoneRegion = "FR";
     };

machines/public-cof/secrets/default.nix

@@ -0,0 +1,5 @@
+{ ... }:
+{
+  age.secrets.nextcloudAdminPassword.file = ./nextcloudAdminPasswordFile.age;
+  age.secrets.nextcloudDatabasePassword.file = ./nextcloudDatabasePasswordFile.age;
+}

machines/public-cof/secrets/nextcloudAdminPasswordFile.age

@@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 xbfJnw jGSrM/Yx0LnVlmBml7/7LwZeSL68CPiF7/97OyYnJj0
+66yS5TDLDpMXz6ggOeMyOhSDU2jSKDVoW5zvBvdN83I
+-> ssh-ed25519 Wu8JLQ BH68DcAZ/Ruudd2QgREQ1I9YhC/JWOnn7dOkgoVdAgE
+cJq/valbiW3xYyXxgmTMos9XQm/+SDIhd3cn32vcgxs
+-> ssh-ed25519 cvTB5g qXCbgWmzetHsJTo/nnN9M/dRmYLW7HIHuaphMHXFB00
+WLVPkAJk2D4dca2+QlGFtCArLFjixypXV/P7VmJuK6g
+-> ssh-ed25519 /vwQcQ 0aUZckwIHbXv/Uo3gyeAHGwEIzMQyPSh2Ks+s3QBPU8
+zt978+4EwedA6UTLurnjisjbrR/qFZf80IPcAxd3Qxw
+-> ssh-ed25519 reTIKw jFGzhLb0YM5dJslCmp7bjRt5JYufGRAJzVmdjMKgdQw
+Y9KIYgX2PHCU0/8h4Pn6YLqaZYzvrPUy1pmaLGzY8C4
+-> ssh-ed25519 85WiGg aZRVNM5iSL+BpZfundDVSpPs0mhFxssUA/t5POsi1AU
+haYzRumOlDno9UdlcCr/GUoAOEqNrf+iPv9SpP76EYM
+-> ssh-rsa krWCLQ
+pbjqzOfXUuWlunTcCiwjKAqe5ZZdW+6jE86D3yuPz4PheDEFi6oYAnc0pIPoZOnh
+9OkTTB6o9wPhoA5O+SOszvCFVOlS33EHwCFKFwy/lg3LwgsU6qon6YQAQfjOMf57
+yGlFDJhGfKfzoXzAlWIxpY6KQE15pkI2OAv9/1UWmFmGpw1vWOgcyJn0rbHK9Wtk
+uGWOPCAsx7n/K4YukvVdB1pHtNlXyj6odMwRch3MmpKl4UlBMtB10NI2fMpqcWp1
+vgCcjsP2JX6zlTTQvu1afV2QMk2R9zfm4iZtk6lqhkFO9hGx12/1WfxFlww6YDyB
+HDLu5vZddUtV7Wwm9Wa6Cw
+-> H0-z{"-grease bic 5)(&;3`E _&UZCo7 hJ_x
+5r9qRqyXOdPxqPPV8uCjaiJveaq0TLioCRMohcBamFx80I2EN/XDkPzeUNSkYyQ/
+--- gQnYjgiBjl7W2nLAvdfGcX8UVMr5RCFSysgp7iGWZlc
+(þ¾}$è11¯¹E-(»Sþr¾ÂlGb3`>óKÒ6BŒeé‚”	ÊjÉ“o"{G¦G=F7í¼

machines/public-cof/secrets/nextcloudDatabasePasswordFile.age

@@ -0,0 +1,25 @@
+age-encryption.org/v1
+-> ssh-ed25519 xbfJnw qeyTMwQ+l90wwNiGxLCvKZ+yIzEjehcr8SIlHrHTERQ
+3XTb7giFfF9l/+hDq/TlWKt/Gr1qlMxB2agi1Mzn4Bs
+-> ssh-ed25519 Wu8JLQ vrqgvKp+dB2TnZrRriOvvJfqxh7vbSpTL2P+u8zORC4
+7qTNpJw8j4HpjehzoZeMUqCPDBFZRhu3bhdCVbRAUrU
+-> ssh-ed25519 cvTB5g 2R6aXhN56nYrEObDuDJdhmH1kMduXUzoEg22C4QjHRA
+sIRV6aTkefsy4wdJ1Ay+O/q0Y0MdTPRFKTjWGHlz5xg
+-> ssh-ed25519 /vwQcQ xcSn2vFYBkYESWRZqmeWNiP0EV1zWH3SaiYG+6V8xGY
+zv2yiZrBlsskeLrvco5w+QPTDRyRGQ3mjGuHFjWcfGI
+-> ssh-ed25519 reTIKw Bdc7/F+nWuCQ5aqiuUPqb6mHlQCMafINyWaqVDQG5y0
+Myj64k+s/KIVOfGje3reKeRHrjGL6cE+9knBCsS+rX0
+-> ssh-ed25519 85WiGg PKpNCdpcl+aSuTx13I/Hq9annJ5FRXiONQ/4iqwyZUc
+CHUHvPtA5ydOkpHfgOXtvuYMOAhM53YfXbexhW7fbJY
+-> ssh-rsa krWCLQ
+IhI9bg+jq5y32OaYdes7y1iBUkOAkc2dXdFP2FI0/CAthBBOGs9qyCuf39S8i4YT
+pHPRniwOYUUuCjThU1zUA6cboBh13Y381mioqTF656/w8tn2ZGFRnOcOwqp9d0v4
+vPHgdyZFpmD0MUmFlw1YfTWWWMbFyhDPY6C3r4L3dftGuineY3A/+zC+Y1RuCYBw
++Kl/tbIGUBckX+Cqdt8KokPpGw3ZxkHXWx3lMlNembrPpsM44Mbz88mBiHn77Ys3
+auHE7Ff04txLiG9fGo9p3GX6nk2aCz1vT+YJB1cWZErsNSWTSRLILGLHvR37KMMv
+daiVtfDwNwoGbEmpw0iVCA
+-> ;LK-grease H638S/n
+76dNkVvkNr1Y+O2AwEjYyUbmCog7ChnU3U54t/ZyPCAd2Q5vuGSQHe+RxtIh8fux
+RvrDH2Qa7jGT0F86FTwrWK7fKQkT
+--- r4tKKSFy30F9y4jQzdBB0RjCFJQmy2lFhZDr3enZjeQ
+Ž-zÆyl¾ç§,“˜ýj>8Ѐ¶Ô’ØÂÊ%‚>œM<C593>q<EFBFBD>o±)ÛDi0Èï YªžÇLçÌ©Ñ

machines/public-cof/secrets/secrets.nix

@@ -0,0 +1,13 @@
+let
+  pkgs = import <nixpkgs> {};
+  lib = pkgs.lib;
+  readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
+  superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd");
+  public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg";
+  systems = [ public-cof ];
+in
+  {
+    "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems;
+    "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems;
+  }
+