From 8e174ba500c8fb0ec4fcee6fc7cebda121b7998f Mon Sep 17 00:00:00 2001 From: Jet Pham Date: Thu, 5 Mar 2026 15:10:30 -0800 Subject: [PATCH] feat: migrate to agenix for secret management --- .envrc | 1 + README.md | 47 +++++++++++---------- agenix.nix | 13 ++++++ configuration.nix | 33 ++++++++++----- flake.lock | 82 +++++++++++++++++++++++++++++++++++++ flake.nix | 11 +++-- modules/caddy.nix | 1 - modules/forgejo.nix | 8 +--- modules/mail.nix | 8 +--- modules/matrix.nix | 3 +- modules/monitoring.nix | 2 +- modules/ntfy.nix | 18 ++++++-- modules/searx.nix | 3 +- secrets/forgejo-db.age | 7 ++++ secrets/grafana-secret.age | 7 ++++ secrets/matrix-macaroon.age | 8 ++++ secrets/mymx-webhook.age | 7 ++++ secrets/ntfy-admin-hash.age | 8 ++++ secrets/searx-env.age | 9 ++++ secrets/secrets-scheme.nix | 45 -------------------- secrets/secrets.nix.example | 17 -------- secrets/stalwart-admin.age | 9 ++++ secrets/tailscale-key.age | 7 ++++ 23 files changed, 234 insertions(+), 120 deletions(-) create mode 100644 agenix.nix create mode 100644 secrets/forgejo-db.age create mode 100644 secrets/grafana-secret.age create mode 100644 secrets/matrix-macaroon.age create mode 100644 secrets/mymx-webhook.age create mode 100644 secrets/ntfy-admin-hash.age create mode 100644 secrets/searx-env.age delete mode 100644 secrets/secrets-scheme.nix delete mode 100644 secrets/secrets.nix.example create mode 100644 secrets/stalwart-admin.age create mode 100644 secrets/tailscale-key.age diff --git a/.envrc b/.envrc index 3550a30..9cfafa6 100644 --- a/.envrc +++ b/.envrc @@ -1 +1,2 @@ use flake +export RULES="$PWD/agenix.nix" diff --git a/README.md b/README.md index 0d12e21..83684fb 100644 --- a/README.md +++ b/README.md 
@@ -16,42 +16,47 @@ services: ## Deployment -This repository uses **untracked secrets**, so you must build the system locally before deploying. +Secrets are managed with [agenix](https://github.com/ryantm/agenix) — encrypted in git, decrypted on the server at runtime. ### 1. Setup Secrets -1. `cp secrets/secrets.nix.example secrets/secrets.nix` -2. Fill in the values (generate random keys, etc). - - `openssl rand -base64 32` is a good way to make a new key - - `tailscaleKey` must be a **Reusable** key from the Tailscale admin console. -### 2. Verify Configuration Locally -Because `secrets/secrets.nix` is untracked by git, standard `nix flake check` will fail. -To build the server configuration locally and ensure there are no syntax or evaluation errors before pushing to the server, run: +Key mapping is in `agenix.nix`. The `agenix` CLI and `RULES` env var are provided by the devShell via direnv. ```bash -nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --dry-run +direnv allow +agenix -e secrets/forgejo-db.age +agenix -e secrets/stalwart-admin.age +agenix -e secrets/searx-env.age # SEARXNG_SECRET= +agenix -e secrets/tailscale-key.age +agenix -e secrets/grafana-secret.age +agenix -e secrets/matrix-macaroon.age # macaroon_secret_key: "" +agenix -e secrets/ntfy-admin-hash.age +agenix -e secrets/mymx-webhook.age +``` + +To edit an existing secret, run the same command again. + +### 2. Verify Configuration + +```bash +nix flake check ``` ### 3. Initial Install (Wipe & Install) -Run this command to build and deploy. 
**Warning: Wipes the server disk.** + +**Warning: Wipes the server disk.** ```bash -# Replace with your server's IP nix run github:nix-community/nixos-anywhere -- --store-paths \ - $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --impure --print-out-paths --no-link) \ - $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --print-out-paths --no-link) \ + $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --print-out-paths --no-link) \ + $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --print-out-paths --no-link) \ root@ | tee install.log ``` -### 4. Update Existing Server (No Wipe) -Once the server is running NixOS, use the `nhs` script to push updates. This repository provides `nhs` and `nh` via `direnv` (loaded from `flake.nix` devShell), so just run `direnv allow` first. +### 4. Update Existing Server + +`nhs` and `nh` are provided via direnv. ```bash -# Update via Tailscale (uses nhs convenience script) nhs - -# Or manually via IP -nh os switch --hostname extremist-software --target-host root@ --impure path:. ``` - -repo uses `impure` build to load `secrets/secrets.nix` directly. no encrypted secrets in git. diff --git a/agenix.nix b/agenix.nix new file mode 100644 index 0000000..c8acf14 --- /dev/null +++ b/agenix.nix 
@@ -0,0 +1,13 @@ +let + server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAING219cDKTDLaZefmqvOHfXvYloA/ErsCGE0pM022vlB"; + jet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"; +in { + "secrets/forgejo-db.age".publicKeys = [ server jet ]; + "secrets/stalwart-admin.age".publicKeys = [ server jet ]; + "secrets/searx-env.age".publicKeys = [ server jet ]; + "secrets/tailscale-key.age".publicKeys = [ server jet ]; + "secrets/grafana-secret.age".publicKeys = [ server jet ]; + "secrets/matrix-macaroon.age".publicKeys = [ server jet ]; + "secrets/ntfy-admin-hash.age".publicKeys = [ server jet ]; + "secrets/mymx-webhook.age".publicKeys = [ server jet ]; +} diff --git a/configuration.nix b/configuration.nix index 733cdc2..cf81901 100644 --- a/configuration.nix +++ b/configuration.nix @@ -12,13 +12,19 @@ ./modules/ntfy.nix ./modules/uptime-kuma.nix # mymx module is imported via flake input in flake.nix - ./secrets/secrets-scheme.nix - # Impure Secrets - ./secrets/secrets.nix ]; - # ... (rest of imports block replaced by ./secrets/secrets.nix being added to imports) - + # Agenix secrets + age.secrets = { + forgejo-db.file = ./secrets/forgejo-db.age; + stalwart-admin = { file = ./secrets/stalwart-admin.age; owner = "stalwart-mail"; }; + searx-env.file = ./secrets/searx-env.age; + tailscale-key.file = ./secrets/tailscale-key.age; + grafana-secret = { file = ./secrets/grafana-secret.age; owner = "grafana"; }; + matrix-macaroon = { file = ./secrets/matrix-macaroon.age; owner = "matrix-synapse"; }; + ntfy-admin-hash.file = ./secrets/ntfy-admin-hash.age; + mymx-webhook = { file = ./secrets/mymx-webhook.age; owner = "mymx"; }; + }; # Bootloader boot.loader.grub.enable = true; @@ -36,7 +42,7 @@ # Users users.users.root.openssh.authorizedKeys.keys = [ - config.mySecrets.sshPublicKey + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu" ]; # SSH - Secure it 
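Review bot: The `server` recipient in agenix.nix is undocumented, and which key it is matters: agenix decrypts on the host with the SSH host keys by default, so this is presumably `/etc/ssh/ssh_host_ed25519_key.pub` of extremist-software. The README's nixos-anywhere path wipes the disk, which normally means a freshly generated host key on first boot and secrets that no longer decrypt unless the existing key is carried over (nixos-anywhere's `--extra-files`) or the new key is added here and every file rekeyed. I would add a comment above the binding: `# SSH host key of extremist-software (/etc/ssh/ssh_host_ed25519_key.pub); if it changes, update it here and rekey every file with the agenix -r command`. Since both keys can read every secret, this is the single recipient set to keep in sync.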
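Review bot: `forgejo-db` in the new `age.secrets` block sets no `owner`, unlike stalwart-admin, grafana-secret, matrix-macaroon and mymx-webhook, so the decrypted file is root-owned, mode 0400, by default. forgejo.nix hands that path to `database.passwordFile`, which the NixOS forgejo module appears to read in its pre-start step as the forgejo user rather than through a systemd credential; if that is so the service cannot open the file and fails to start, which a first deploy will confirm. In that case `forgejo-db = { file = ./secrets/forgejo-db.age; owner = "forgejo"; };` follows the pattern already used for the other service-owned secrets. `tailscale-key` and `ntfy-admin-hash` are fine root-only because tailscaled and the `+`-prefixed ntfy pre-start run as root; `searx-env` is presumably read by systemd via `EnvironmentFile=`, which also works root-only.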
@@ -77,9 +83,17 @@ clean.extraArgs = "--keep 2"; }; + # Automatic upgrades + system.autoUpgrade = { + enable = true; + dates = "04:00"; + allowReboot = false; + }; + # System system.stateVersion = "24.05"; nix.settings.experimental-features = [ "nix-command" "flakes" ]; + services.postgresql.package = pkgs.postgresql_15; nixpkgs.config.allowUnfree = true; # Allow unfree packages (Minecraft, etc.) # Time @@ -89,15 +103,12 @@ zramSwap.enable = true; zramSwap.memoryPercent = 50; - # Secrets handled via ./secrets.nix importing to config.mySecrets - environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey; - environment.etc."secrets/mymx-webhook".text = config.mySecrets.mymxWebhookSecret; - services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth"; + services.tailscale.authKeyFile = config.age.secrets.tailscale-key.path; # MyMX services.mymx = { enable = true; - webhookSecretFile = "/etc/secrets/mymx-webhook"; + webhookSecretFile = config.age.secrets.mymx-webhook.path; }; # Allow Tailscale traffic diff --git a/flake.lock b/flake.lock index 349dacd..92021b4 100644 --- a/flake.lock +++ b/flake.lock 
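Review bot: `system.autoUpgrade` is enabled without `flake`, so the nightly job runs `nixos-rebuild switch --upgrade`, which works from channels and `/etc/nixos/configuration.nix`; this host is deployed from the flake with `nh os switch ... path:.` and appears to have neither, so the timer will most likely fail every night or rebuild from something other than this repository. Either point it at this repo's flake URL, `flake = "<flake url of this repo>"; flags = [ "--refresh" ];`, or drop the block. Note the trust consequence if it stays: an auto-upgrading server applies whatever lands on that branch, so the git remote and everyone who can push to it become part of the server's trust boundary. The block is also unrelated to the secret migration in the subject and would be easier to review as its own commit.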
@@ -1,5 +1,50 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1770165109, + "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", + "owner": "ryantm", + "repo": "agenix", + "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -20,6 +65,27 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "mymx": { "inputs": { "nixpkgs": [ @@ -59,6 +125,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "disko": "disko", "mymx": "mymx", "nixpkgs": "nixpkgs" @@ -84,6 +151,21 @@ "repo": "rust-overlay", "type": "github" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", 
diff --git a/flake.nix b/flake.nix index 40e40fb..9dc9ded 100644 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,8 @@ mymx.url = "git+https://git.extremist.software/jet/mymx"; mymx.inputs.nixpkgs.follows = "nixpkgs"; - + agenix.url = "github:ryantm/agenix"; + agenix.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { self, nixpkgs, disko, ... }@inputs: { @@ -20,6 +21,7 @@ modules = [ disko.nixosModules.disko inputs.mymx.nixosModules.default + inputs.agenix.nixosModules.default ./disk-config.nix ./configuration.nix @@ -29,11 +31,12 @@ devShells.x86_64-linux.default = let pkgs = nixpkgs.legacyPackages.x86_64-linux; deploy = pkgs.writeShellScriptBin "nhs" '' - nh os switch --hostname extremist-software --target-host root@extremist-software --impure path:. "$@" + nh os switch --hostname extremist-software --target-host root@extremist-software path:. "$@" ''; in pkgs.mkShell { - packages = [ - pkgs.nh + packages = [ + pkgs.nh + inputs.agenix.packages.x86_64-linux.default deploy ]; }; diff --git a/modules/caddy.nix b/modules/caddy.nix index 399c5d3..282cb8a 100644 --- a/modules/caddy.nix +++ b/modules/caddy.nix @@ -170,5 +170,4 @@ # Ensure Caddy can read the certs too now that they are in the acme group users.users.caddy.extraGroups = [ "acme" ]; - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/modules/forgejo.nix b/modules/forgejo.nix index 7ba72a4..88c4d73 100644 --- a/modules/forgejo.nix +++ b/modules/forgejo.nix @@ -14,12 +14,8 @@ }; # You can configure SMTP here using secrets if needed }; - # Secret for DB password - settings.database.PASSWORD = config.mySecrets.forgejoDb; + database.passwordFile = config.age.secrets.forgejo-db.path; }; - services.postgresql = { - enable = true; - package = pkgs.postgresql_15; - }; + services.postgresql.enable = true; } diff --git a/modules/mail.nix b/modules/mail.nix index dc60e4f..5dae503 100644 --- a/modules/mail.nix +++ b/modules/mail.nix 
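Review bot: The caddy.nix hunk deletes `networking.firewall.allowedTCPPorts = [ 80 443 ];` and nothing in this patch re-opens those ports; unless configuration.nix already does (its firewall section is cut off after the `# Allow Tailscale traffic` context line and not visible here), the reverse proxy and HTTP-01 ACME challenges become unreachable from outside after deploy. If ports are meant to be centralised, leave a comment where the line was, e.g. `# 80/443 are opened in configuration.nix`; otherwise keep the line. Like the mail.nix port removal, this is unrelated to the agenix migration and reads as a leftover from another change.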
@@ -43,7 +43,7 @@ authentication.fallback-admin = { user = "admin"; - secret = config.mySecrets.stalwartAdmin; + secret = "%{file:/run/agenix/stalwart-admin}%"; }; }; }; @@ -51,10 +51,4 @@ # Allow Stalwart to read the ACME certificate procured for Caddy systemd.services.stalwart.serviceConfig.SupplementaryGroups = [ "acme" ]; - # Open Firewalls for Mail - networking.firewall.allowedTCPPorts = [ - 993 # IMAP (Secure) - 4190 # Sieve - 8080 # Admin UI (Reverse proxied, but good to double check loopback) - ]; } diff --git a/modules/matrix.nix b/modules/matrix.nix index 9b45778..eb7db69 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -3,6 +3,7 @@ { services.matrix-synapse = { enable = true; + extraConfigFiles = [ config.age.secrets.matrix-macaroon.path ]; settings = { server_name = "extremist.software"; public_baseurl = "https://matrix.extremist.software"; @@ -24,8 +25,6 @@ ]; enable_registration = false; - registration_shared_secret = "extremist_software_admin_creation"; - macaroon_secret_key = config.mySecrets.matrixMacaroon; database = { name = "psycopg2"; allow_unsafe_locale = true; diff --git a/modules/monitoring.nix b/modules/monitoring.nix index 2fb7ab4..68b5bc8 100644 --- a/modules/monitoring.nix +++ b/modules/monitoring.nix @@ -31,7 +31,7 @@ domain = "status.extremist.software"; }; security = { - secret_key = config.mySecrets.grafanaSecret; + secret_key = "$__file{/run/agenix/grafana-secret}"; }; }; provision = { diff --git a/modules/ntfy.nix b/modules/ntfy.nix index a7a1407..f4668f7 100644 --- a/modules/ntfy.nix +++ b/modules/ntfy.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { services.ntfy-sh = { 
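Review bot: The stalwart `fallback-admin.secret` embeds the decrypted path as a literal `/run/agenix/stalwart-admin` while the other modules use `config.age.secrets.<name>.path`; if `age.secretsDir` or the secret's name ever changes, Nix cannot catch the drift and the mail admin login silently breaks. Prefer `secret = "%{file:${config.age.secrets.stalwart-admin.path}}%";`. Stalwart opens this file itself, so the `owner = "stalwart-mail"` set in configuration.nix is what makes it readable; a one-line comment saying so here would save the next reader a trip.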
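Review bot: Dropping 8080 from the public firewall is right — the removed comment itself says the admin UI is reverse-proxied, and it should never have been world-reachable — but 993 and 4190 go with it and nothing in this patch re-opens them. Unless another module or configuration.nix (not shown) still lists them, IMAP and ManageSieve clients are locked out after deploy. Either keep `networking.firewall.allowedTCPPorts = [ 993 4190 ];` here or leave a comment pointing at where they are opened.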
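Review bot: The removed `registration_shared_secret = "extremist_software_admin_creation"` was a plaintext credential committed to git, and history keeps it, so if this repository is or was readable by others it should be treated as disclosed. Removing the key disables synapse's shared-secret registration, so no rotation is needed once this is deployed; until then anyone holding the value can create accounts through the admin register endpoint despite `enable_registration = false`, and accounts created that way before the deploy are worth auditing. If admin-driven registration is still wanted, add `registration_shared_secret` to the same agenix YAML file that now carries `macaroon_secret_key`, since `extraConfigFiles` already loads it.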
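Review bot: Same literal-path issue as mail.nix: `$__file{/run/agenix/grafana-secret}` hard-codes the agenix output directory, so renaming the secret or changing `age.secretsDir` becomes a runtime failure instead of a Nix evaluation error. `secret_key = "$__file{${config.age.secrets.grafana-secret.path}}";` keeps the same Grafana file-provider syntax and ties it to the declaration in configuration.nix.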
@@ -10,12 +10,22 @@ auth-file = "/var/lib/ntfy-sh/user.db"; auth-default-access = "deny-all"; enable-login = true; - auth-users = [ - "jet:${config.mySecrets.ntfyAdminHash}:admin" - ]; auth-access = [ "*:up*:write-only" ]; }; }; + + # Patch the generated config at runtime to inject the admin bcrypt hash + systemd.services.ntfy-sh = { + serviceConfig.RuntimeDirectory = "ntfy-sh"; + serviceConfig.ExecStartPre = let + script = pkgs.writeShellScript "ntfy-patch-config" '' + cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml + HASH=$(cat ${config.age.secrets.ntfy-admin-hash.path}) + printf '\nauth-users:\n - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml + ''; + in [ "+${script}" ]; + serviceConfig.ExecStart = lib.mkForce "${pkgs.ntfy-sh}/bin/ntfy serve --config /run/ntfy-sh/server.yml"; + }; } diff --git a/modules/searx.nix b/modules/searx.nix index 262480a..f9d1125 100644 --- a/modules/searx.nix +++ b/modules/searx.nix @@ -5,11 +5,12 @@ enable = true; package = pkgs.searxng; redisCreateLocally = true; + environmentFile = config.age.secrets.searx-env.path; settings = { server = { port = 8082; bind_address = "127.0.0.1"; - secret_key = config.mySecrets.searxKey; + secret_key = "@SEARXNG_SECRET@"; }; search = { request_timeout = 1.5; diff --git a/secrets/forgejo-db.age b/secrets/forgejo-db.age new file mode 100644 index 0000000..989d149 --- /dev/null +++ b/secrets/forgejo-db.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 uKftJg mtSxHYyX33fx/dUTpNGgu4ah3X/I6zTB0amu7Ji+iWU +6EXDWMEoDuDZ36rYqUR52IQFASZb5s0bm3KRyAKIXUg +-> ssh-ed25519 Ziw7aw zqjgjZGh9C3H/gpuLx+dUC9EngSoHB/feiyCgqss+F4 +MyCY88yFfDSqAr0PbYSg/FbHo+B6rxXBPkVxczgW93E +--- qGC9Dxmqtgm92IqNd3azWYEtkMEwwWRNsuXow6oZjlE +X)1str(fP,ۂ78փ V֔11&%(F-D"(7w=xmٞvS \ No newline at end of file diff --git a/secrets/grafana-secret.age b/secrets/grafana-secret.age new file mode 100644 index 0000000..b661c2a --- /dev/null +++ b/secrets/grafana-secret.age 
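Review bot: The patched config written by the `+`-prefixed ExecStartPre lands in `/run/ntfy-sh/`, which `RuntimeDirectory` creates with mode 0755 by default, and root's `cp` produces a world-readable file, so the admin bcrypt hash is exposed to every local user — exactly what the root-only 0400 agenix file was protecting. Set `serviceConfig.RuntimeDirectoryMode = "0750";` so only the service user and group can traverse the directory; tightening the file itself to 0600 would lock out the service user, assuming ntfy does not run as root. The script also runs without `set -euo pipefail`, so a failed `cat` appends `jet::admin` with an empty hash and reports success instead of aborting startup; make it the script's first line. Minor: `${pkgs.ntfy-sh}` in the forced ExecStart bypasses `services.ntfy-sh.package`; `config.services.ntfy-sh.package` keeps the two in step.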
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 uKftJg 6TMM/HxgvFAlsOOJuEhoKfnN5CcjEvck9BKUXTNQsjk +Y0G/GK6+t5jFK+cPqovD/oxs1ZLRAprstr27pZ6mb0c +-> ssh-ed25519 Ziw7aw TQWn+XR8FHTv2+ol4id6hcL3C+Jk92jsB2hHFacoD3o +fr+xO4DvOHLSPn05u6JZi++wBABw0z9WqghdwJ62pz0 +--- PS3uOR8IZPAUoS8XA5WsBcCsLEfTxwS+vW6eHdZy3Fo +ȯʔ1/ۜ%r)+0Wg?hJYۮi݌%[=ydw,xS \ No newline at end of file diff --git a/secrets/matrix-macaroon.age b/secrets/matrix-macaroon.age new file mode 100644 index 0000000..a72bc68 --- /dev/null +++ b/secrets/matrix-macaroon.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 uKftJg gbXdVVx0trOnWR5v3V4jjfP58B5jXWKwoi8Da2JKx1Y +s8rPw207y5TzjlLPXm+gG+eQqBqh6geeFvnn4iH3s84 +-> ssh-ed25519 Ziw7aw 99vuNfyVaByhU5bwxJTuoxeYoQWryP36ddAd/fZOhBY +hdtoLgoFVslZpm9luo3Edns4hYMQESIReI7laFDjeOQ +--- Zgwav28km0/q1wX2FZDT5xpVQurkcjqu0lmOWr8ZH38 +K)-y.u%To(:^Ep"9>j#F*8W- S1jI4n +2 \ No newline at end of file diff --git a/secrets/mymx-webhook.age b/secrets/mymx-webhook.age new file mode 100644 index 0000000..13a07b6 --- /dev/null +++ b/secrets/mymx-webhook.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 uKftJg EC9vi+nqoSqUHET3/4fWoiuW9vTZo5XOB1dc+Fe36U0 +FYKWAiLaAbotst3AuOulpgqAg+JHUqD3uWWLk7hxrH8 +-> ssh-ed25519 Ziw7aw naV+WKfldJhOnIzz13Q9zKSK+z+oRhiVfeEYuG+dtS0 +/GLmF3ws0aUsSVTAv9zzzD+8Cp/IkMlHWFzv1CbgSiM +--- PdqmGwHvR/R0tqf46e1ZJl/QIzB1qadFtNyONpoQl30 +wn4@D~r*j!-*v})0F7)}r/>H/3S$ }ٵ@ \ No newline at end of file diff --git a/secrets/ntfy-admin-hash.age b/secrets/ntfy-admin-hash.age new file mode 100644 index 0000000..701609c --- /dev/null +++ b/secrets/ntfy-admin-hash.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 uKftJg Cccnzwl3XTJOW5+IuxDAsiI0L8Fy8JhJnpdERg9qgXU +vgvQdUbmwRna+gLjGsmsheGGeG2KIxsWoDw4XAVSjEA +-> ssh-ed25519 Ziw7aw vMnvy4HgMvhwALtUI14DmX6LbQiLXROINbJPlVfoW0g +FGxDYfiejy2a5W9eZKww1YgQ3mQFTj/mORwBwTsEW80 +--- lThDR400zmmiBqnNmi2QKp2l3z3wCZ0jAxqIROLWn74 +?3J4zrK +k[5D/DTX+lfrjг v΀,#z*}*QǤJ蜴ơX1 ssh-ed25519 uKftJg s5orwA5GrqKWguh/hIhdJGyUP+Vx7iGqoQKuEO48DiY +K+CrOTAFATdTsax+GwQBjJkni4IYDnfPdsVop8eMkKs +-> ssh-ed25519 Ziw7aw 27Zr3vWFaQNfeTxJmNajNkigC5RUcwgz6Qs7183fUTM +Bmj69hGO8tIZUJG5tiXqZHy+Ft6T5J2iJAYIxyYxZj8 +--- rC5PWCFkjuuPrSWRImrY7IzODjxevS30MFSXdV5qpG4 +#NR!F3{ + !61bF?ǯg!o}$iR5 +jMgqS,_r:qf \ No newline at end of file diff --git a/secrets/secrets-scheme.nix b/secrets/secrets-scheme.nix deleted file mode 100644 index 63d4eef..0000000 --- a/secrets/secrets-scheme.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ lib, ... }: - -with lib; - -{ - options.mySecrets = { - forgejoDb = mkOption { - type = types.str; - description = "Forgejo Database Password"; - }; - stalwartAdmin = mkOption { - type = types.str; - description = "Stalwart Mail Admin Password"; - }; - searxKey = mkOption { - type = types.str; - description = "Searx Secret Key"; - }; - - tailscaleKey = mkOption { - type = types.str; - description = "Tailscale Auth Key"; - }; - sshPublicKey = mkOption { - type = types.str; - description = "SSH Public Key for Root User"; - }; - grafanaSecret = mkOption { - type = types.str; - description = "Grafana Secret Key for security"; - }; - matrixMacaroon = mkOption { - type = types.str; - description = "Macaroon Secret Key for Matrix Synapse"; - }; - ntfyAdminHash = mkOption { - type = types.str; - description = "Bcrypt hash for ntfy admin user"; - }; - mymxWebhookSecret = mkOption { - type = types.str; - description = "MyMX Webhook Secret for signature verification"; - }; - }; -} diff --git a/secrets/secrets.nix.example b/secrets/secrets.nix.example deleted file mode 100644 index 8307b22..0000000 
--- a/secrets/secrets.nix.example +++ /dev/null @@ -1,17 +0,0 @@ -{ pkgs, config, lib, ... }: - -{ - # Copy this file to secrets.nix and fill in real values - mySecrets = { - forgejoDb = "changeme_forgejo_db"; - stalwartAdmin = "changeme_stalwart_admin"; - searxKey = "changeme_searx_secret"; - minecraftRcon = "changeme_rcon"; - tailscaleKey = "tskey-auth-PLACEHOLDER"; - sshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA..."; - grafanaSecret = "changeme_grafana_secret"; - matrixMacaroon = "changeme_matrix_macaroon_secret_key"; - ntfyAdminHash = "changeme_bcrypt_hash_from_ntfy_user_hash"; - mymxWebhookSecret = "changeme_mymx_webhook_secret"; - }; -} diff --git a/secrets/stalwart-admin.age b/secrets/stalwart-admin.age new file mode 100644 index 0000000..2c123f4 --- /dev/null +++ b/secrets/stalwart-admin.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 uKftJg E7BMWjT2cbnomhydZCaRs5EMKoDGyU9O+NAvKHjflzs +8yl7y2iXNrBuCyT05sOatAHiJhizUSFgFJt0NlMZ9pY +-> ssh-ed25519 Ziw7aw PTAzjpRIfFk86q3docaVsh4CbXjDiCNJR2Of8YAYSBQ +5WLY3czA6TKBJyTMwGVxSR7kuIVxBDMaKZ41VYgGhN8 +--- DHfY8BOaO+vb2MYxX/3XbgAIlwilFEPLRGUlZGJh1g0 +{-L^8;ljO +7Lya]ڀ, jE\m\ +:"yX< 7XȵVՕlM \ No newline at end of file diff --git a/secrets/tailscale-key.age b/secrets/tailscale-key.age new file mode 100644 index 0000000..0fbd734 --- /dev/null +++ b/secrets/tailscale-key.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 uKftJg c78IHZJHcr9y//w/tqXHsuwqPjclpCPeGUzCQ1Huwkw +h/3PruYSzkFbrGPPLrYpqoo+btj2NAHS0BlJk//U8x0 +-> ssh-ed25519 Ziw7aw O/aFm27iQeYXA04hqRNGcoUy0JmAAKDLsK1Bp/p/miY +EBqXc31Ymh3YgjagBvICwQvX6KKwkkMF3Tv7XqsAvPs +--- sIkeKQZHLKTLXEVZdwmP/FpjbUWyyIZYx2/nKswFWoQ +6vI.`\cZB;xmHR3o ӣTqeld"'\I]T2Kl~OB0 \ No newline at end of file