cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

chore(agenix): refactor some secrets

Browse Source
This commit is contained in:
cnst
2025-09-27 14:35:04 +02:00
parent 68f1cb9b09
commit f6bb6672bb
7 changed files with 22 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
modules/nixos/services/agenix/default.nix
View File

@@ -74,18 +74,11 @@ in {
wgCredentials.file = "${self}/secrets/wgCredentials.age"; wgCredentials.file = "${self}/secrets/wgCredentials.age";
wgSobotkaPrivateKey.file = "${self}/secrets/wgSobotkaPrivateKey.age"; wgSobotkaPrivateKey.file = "${self}/secrets/wgSobotkaPrivateKey.age";
gluetunEnvironment.file = "${self}/secrets/gluetunEnvironment.age"; gluetunEnvironment.file = "${self}/secrets/gluetunEnvironment.age";
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
pihole.file = "${self}/secrets/pihole.age";
slskd.file = "${self}/secrets/slskd.age";
}; };
}) })
(mkIf cfg.ziggy.enable { (mkIf cfg.ziggy.enable {
secrets = { secrets = {
cloudflareDnsCredentialsZiggy.file = "${self}/secrets/cloudflareDnsCredentialsZiggy.age"; cloudflareDnsCredentialsZiggy.file = "${self}/secrets/cloudflareDnsCredentialsZiggy.age";
piholeZiggy.file = "${self}/secrets/piholeZiggy.age";
}; };
}) })
(mkIf cfg.toothpc.enable { (mkIf cfg.toothpc.enable {

6
modules/server/nextcloud/default.nix
View File

@@ -2,6 +2,7 @@
config, config,
pkgs, pkgs,
lib, lib,
self,
... ...
}: let }: let
unit = "nextcloud"; unit = "nextcloud";
@@ -45,6 +46,11 @@ in {
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets = {
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
};
server.fail2ban = lib.mkIf config.server.fail2ban.enable { server.fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = { jails = {
nextcloud = { nextcloud = {

6
modules/server/podman/default.nix
View File

@@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
self,
... ...
}: let }: let
srv = config.server; srv = config.server;
@@ -121,6 +122,11 @@ in {
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets = {
pihole.file = "${self}/secrets/${config.networking.hostName}Pihole.age";
slskd.file = "${self}/secrets/slskd.age";
};
virtualisation = { virtualisation = {
containers.enable = true; containers.enable = true;
podman.enable = true; podman.enable = true;

12
modules/server/vaultwarden/default.nix
View File

@@ -2,14 +2,13 @@
{ {
config, config,
lib, lib,
self,
... ...
}: }: let
let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf mkEnableOption;
vcfg = config.services.vaultwarden.config; vcfg = config.services.vaultwarden.config;
cfg = config.server.vaultwarden; cfg = config.server.vaultwarden;
in in {
{
options = { options = {
server.vaultwarden = { server.vaultwarden = {
enable = mkEnableOption "Enables vaultwarden"; enable = mkEnableOption "Enables vaultwarden";
@@ -35,6 +34,11 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
age.secrets = {
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
};
server = { server = {
fail2ban = lib.mkIf config.server.fail2ban.enable { fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = { jails = {

4
secrets/secrets.nix
View File

@@ -47,14 +47,14 @@ in {
"wgCredentials.age".publicKeys = core ++ sobotka; "wgCredentials.age".publicKeys = core ++ sobotka;
"wgSobotkaPrivateKey.age".publicKeys = core ++ sobotka; "wgSobotkaPrivateKey.age".publicKeys = core ++ sobotka;
"gluetunEnvironment.age".publicKeys = core ++ sobotka; "gluetunEnvironment.age".publicKeys = core ++ sobotka;
"pihole.age".publicKeys = core ++ sobotka; "sobotkaPihole.age".publicKeys = core ++ sobotka;
"slskd.age".publicKeys = core ++ sobotka; "slskd.age".publicKeys = core ++ sobotka;
"authentikEnv.age".publicKeys = core ++ sobotka; "authentikEnv.age".publicKeys = core ++ sobotka;
"traefikEnv.age".publicKeys = core ++ sobotka; "traefikEnv.age".publicKeys = core ++ sobotka;
# Ziggy-specific # Ziggy-specific
"cloudflareDnsCredentialsZiggy.age".publicKeys = core ++ ziggy; "cloudflareDnsCredentialsZiggy.age".publicKeys = core ++ ziggy;
"piholeZiggy.age".publicKeys = core ++ ziggy; "ziggyPihole.age".publicKeys = core ++ ziggy;
# Both sobotka + ziggy (for HA stuff like keepalived) # Both sobotka + ziggy (for HA stuff like keepalived)
"keepalived.age".publicKeys = core ++ sobotka ++ ziggy; "keepalived.age".publicKeys = core ++ sobotka ++ ziggy;

0
secrets/pihole.age → secrets/sobotkaPihole.age
View File

0
secrets/piholeZiggy.age → secrets/ziggyPihole.age
View File