From 169d7fb87436603207e79cdcc9b51d84eb11e39e Mon Sep 17 00:00:00 2001 From: Griffin Smith Date: Sun, 26 Dec 2021 15:11:48 -0500 Subject: [PATCH] feat(grfn/mugwump): Set up agenix Start setting up agenix with secrets in //users/grfn/secrets for mugwump, starting with my cloudflare API key which I use for the ddns from my home apartment Change-Id: Ida66cb91da3415357a512039d6c23402f0ae9388 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4683 Reviewed-by: grfn Autosubmit: grfn Tested-by: BuildkiteCI --- users/grfn/secrets/.envrc | 1 + users/grfn/secrets/cloudflare.age | 9 +++++++++ users/grfn/secrets/default.nix | 2 ++ users/grfn/secrets/secrets.nix | 8 ++++++++ users/grfn/secrets/shell.nix | 8 ++++++++ users/grfn/system/system/machines/mugwump.nix | 11 +++++++++-- 6 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 users/grfn/secrets/.envrc create mode 100644 users/grfn/secrets/cloudflare.age create mode 100644 users/grfn/secrets/default.nix create mode 100644 users/grfn/secrets/secrets.nix create mode 100644 users/grfn/secrets/shell.nix diff --git a/users/grfn/secrets/.envrc b/users/grfn/secrets/.envrc new file mode 100644 index 000000000..051d09d29 --- /dev/null +++ b/users/grfn/secrets/.envrc @@ -0,0 +1 @@ +eval "$(lorri direnv)" diff --git a/users/grfn/secrets/cloudflare.age b/users/grfn/secrets/cloudflare.age new file mode 100644 index 000000000..1c9fa3ca6 --- /dev/null +++ b/users/grfn/secrets/cloudflare.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 CpJBgQ w4W+pzmVIEMF0uZN7KZMAppJaLjEeDKoe7i9LGayKDQ +Rd8k+3csmbZQIrp09ZUfCAOZVwI0BZ6hCBN3nkZQMp4 +-> ssh-ed25519 LfBFbQ dyv1splvcftMd1zWDkPBfsgvXxH5neZlO7ZjrhyzNHI +N/kqc/luOl8lsZcbaxF8/3ULsL78zvZhkiCarohe+G4 +-> \w7t-grease lo&b JZpCA +nN2lH0W9+zulMjZMLPMk61+xsrQ +--- voTpUbu8OiJQyuKB7tIOvlErgY0jg2w7N3MehD5FIdM +&czl |KM~2eUN8P~}*hSYJJ FɊoc=L`zO7KgZ.aXD HЦ878 \ No newline at end of file diff --git a/users/grfn/secrets/default.nix b/users/grfn/secrets/default.nix new file mode 100644 index 000000000..26b1998f5 --- /dev/null +++ b/users/grfn/secrets/default.nix @@ -0,0 +1,2 @@ +{ depot, ... }: +depot.ops.secrets.mkSecrets ./. (import ./secrets.nix) diff --git a/users/grfn/secrets/secrets.nix b/users/grfn/secrets/secrets.nix new file mode 100644 index 000000000..ef5ddb791 --- /dev/null +++ b/users/grfn/secrets/secrets.nix @@ -0,0 +1,8 @@ +let + grfn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA"; + mugwump = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFE2fxPgWO+zeQoLBTgsgxP7Vg7QNHlrQ+Rb3fHFTomB"; +in + +{ + "cloudflare.age".publicKeys = [ grfn mugwump ]; +} diff --git a/users/grfn/secrets/shell.nix b/users/grfn/secrets/shell.nix new file mode 100644 index 000000000..fe912fe79 --- /dev/null +++ b/users/grfn/secrets/shell.nix @@ -0,0 +1,8 @@ +let + depot = import ../../.. {}; +in +depot.third_party.nixpkgs.mkShell { + buildInputs = [ + depot.third_party.agenix.cli + ]; +} diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix index 9ef428c23..d4e61b74a 100644 --- a/users/grfn/system/system/machines/mugwump.nix +++ b/users/grfn/system/system/machines/mugwump.nix @@ -8,6 +8,7 @@ with lib; (modulesPath + "/installer/scan/not-detected.nix") "${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix" "${depot.path}/users/grfn/xanthous/server/module.nix" + "${depot.third_party.agenix.src}/modules/age.nix" ]; networking.hostName = "mugwump"; @@ -64,6 +65,12 @@ with lib; nix.gc.dates = "monthly"; + age.secrets = let + secret = name: depot.users.grfn.secrets."${name}.age"; + in { + cloudflare.file = secret "cloudflare"; + }; + services.depot.auto-deploy = { enable = true; interval = "1d"; @@ -132,7 +139,7 @@ with lib; }; systemd.services.ddclient.serviceConfig = { - EnvironmentFile = "/etc/secrets/cloudflare.env"; + EnvironmentFile = "/run/agenix/cloudflare"; DynamicUser = lib.mkForce false; ExecStart = lib.mkForce ( let runtimeDir = @@ -149,7 +156,7 @@ with lib; security.acme.certs."metrics.gws.fyi" = { dnsProvider = "cloudflare"; - credentialsFile = "/etc/secrets/cloudflare.env"; + credentialsFile = "/run/agenix/cloudflare"; webroot = mkForce null; };