feat(grfn/mugwump): Set up agenix

Start setting up agenix with secrets in //users/grfn/secrets for mugwump, starting with my cloudflare API key which I use for the ddns from my home apartment Change-Id: Ida66cb91da3415357a512039d6c23402f0ae9388 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4683 Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
2021-12-26 15:11:48 -05:00 · 2021-12-26 15:11:48 -05:00 · 169d7fb874
commit 169d7fb874
parent ef62e51b7b
6 changed files with 37 additions and 2 deletions
--- a/users/grfn/secrets/.envrc
+++ b/users/grfn/secrets/.envrc
@ -0,0 +1 @@
 eval "$(lorri direnv)"
--- a/users/grfn/secrets/cloudflare.age
+++ b/users/grfn/secrets/cloudflare.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 CpJBgQ w4W+pzmVIEMF0uZN7KZMAppJaLjEeDKoe7i9LGayKDQ
 Rd8k+3csmbZQIrp09ZUfCAOZVwI0BZ6hCBN3nkZQMp4
 -> ssh-ed25519 LfBFbQ dyv1splvcftMd1zWDkPBfsgvXxH5neZlO7ZjrhyzNHI
 N/kqc/luOl8lsZcbaxF8/3ULsL78zvZhkiCarohe+G4
 -> \w7t-grease lo&b JZpCA
 nN2lH0W9+zulMjZMLPMk61+xsrQ
 --- voTpUbu8OiJQyuKB7tIOvlErgY0jg2w7N3MehD5FIdM
 &cŽz“læ	Î|Kœ<4B>M<EFBFBD>~<7E>®2àe¢ºÐ¨°úUN8“Pâ~}Ý*ÇhÞÁêSYJJÇØÁFÉŠâoºÂc=ˆL<CB86>û`z«“ŽO7€ùòËK—ÖgZ”ÝÛÕ¿.ÎaXDÚHÐ¦€ýÙ8„7½ÙÉÌþã–ó8
--- a/users/grfn/secrets/default.nix
+++ b/users/grfn/secrets/default.nix
@ -0,0 +1,2 @@
 { depot, ... }:
 depot.ops.secrets.mkSecrets ./. (import ./secrets.nix)
--- a/users/grfn/secrets/secrets.nix
+++ b/users/grfn/secrets/secrets.nix
@ -0,0 +1,8 @@
 let
  grfn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA";
  mugwump = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFE2fxPgWO+zeQoLBTgsgxP7Vg7QNHlrQ+Rb3fHFTomB";
 in
 {
  "cloudflare.age".publicKeys = [ grfn mugwump ];
 }
--- a/users/grfn/secrets/shell.nix
+++ b/users/grfn/secrets/shell.nix
@ -0,0 +1,8 @@
 let
  depot = import ../../.. {};
 in
 depot.third_party.nixpkgs.mkShell {
  buildInputs = [
    depot.third_party.agenix.cli
  ];
 }
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@ -8,6 +8,7 @@ with lib;
    (modulesPath + "/installer/scan/not-detected.nix")
    "${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
    "${depot.path}/users/grfn/xanthous/server/module.nix"
    "${depot.third_party.agenix.src}/modules/age.nix"
  ];
  networking.hostName = "mugwump";
@ -64,6 +65,12 @@ with lib;
  nix.gc.dates = "monthly";
  age.secrets = let
    secret = name: depot.users.grfn.secrets."${name}.age";
  in {
    cloudflare.file = secret "cloudflare";
  };
  services.depot.auto-deploy = {
    enable = true;
    interval = "1d";
@ -132,7 +139,7 @@ with lib;
  };
  systemd.services.ddclient.serviceConfig = {
-    EnvironmentFile = "/etc/secrets/cloudflare.env";
+    EnvironmentFile = "/run/agenix/cloudflare";
    DynamicUser = lib.mkForce false;
    ExecStart = lib.mkForce (
      let runtimeDir =
@ -149,7 +156,7 @@ with lib;
  security.acme.certs."metrics.gws.fyi" = {
    dnsProvider = "cloudflare";
-    credentialsFile = "/etc/secrets/cloudflare.env";
+    credentialsFile = "/run/agenix/cloudflare";
    webroot = mkForce null;
  };
		`@ -0,0 +1,2 @@`
							`{ depot, ... }:`
							`depot.ops.secrets.mkSecrets ./. (import ./secrets.nix)`