feat: migrate to agenix for secret management

2026-03-05 15:10:30 -08:00 · 2026-03-05 15:10:30 -08:00 · 8e174ba500
commit 8e174ba500
parent e7e8d154aa
23 changed files with 234 additions and 120 deletions
--- a/secrets/forgejo-db.age
+++ b/secrets/forgejo-db.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 uKftJg mtSxHYyX33fx/dUTpNGgu4ah3X/I6zTB0amu7Ji+iWU
+6EXDWMEoDuDZ36rYqUR52IQFASZb5s0bm3KRyAKIXUg
+-> ssh-ed25519 Ziw7aw zqjgjZGh9C3H/gpuLx+dUC9EngSoHB/feiyCgqss+F4
+MyCY88yFfDSqAr0PbYSg/FbHo+B6rxXBPkVxczgW93E
+--- qGC9Dxmqtgm92IqNd3azWYEtkMEwwWRNsuXow6oZjlE
+›ìX)1±s™tr(fæÕPµ,Û‚7›8Öƒ™	ŠVøÍÖ”·1õ1&%ŒÃ(–¶Fë-úˆD"(–‚7ów=›äéþîßxmÙžãväS
--- a/secrets/grafana-secret.age
+++ b/secrets/grafana-secret.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 uKftJg 6TMM/HxgvFAlsOOJuEhoKfnN5CcjEvck9BKUXTNQsjk
+Y0G/GK6+t5jFK+cPqovD/oxs1ZLRAprstr27pZ6mb0c
+-> ssh-ed25519 Ziw7aw TQWn+XR8FHTv2+ol4id6hcL3C+Jk92jsB2hHFacoD3o
+fr+xO4DvOHLSPn05u6JZi++wBABw0z9WqghdwJ62pz0
+--- PS3uOR8IZPAUoS8XA5WsBcCsLEfTxwS+vW6eHdZy3Fo
+£È¯Ê”¼1È/Ûœ<C39B>%®öÆr–¹Ë)+í°Ãý0ÚWg¯?hÌJÍYãåÄœ¢Û®öçiÝŒ%[ê=–æyÔd·à˜w§€¦õ,xS
--- a/secrets/matrix-macaroon.age
+++ b/secrets/matrix-macaroon.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 uKftJg gbXdVVx0trOnWR5v3V4jjfP58B5jXWKwoi8Da2JKx1Y
+s8rPw207y5TzjlLPXm+gG+eQqBqh6geeFvnn4iH3s84
+-> ssh-ed25519 Ziw7aw 99vuNfyVaByhU5bwxJTuoxeYoQWryP36ddAd/fZOhBY
+hdtoLgoFVslZpm9luo3Edns4hYMQESIReI7laFDjeOQ
+--- Zgwav28km0/q1wX2FZDT5xpVQurkcjqu0lmOWr8ZH38
+K)-¢áÊy•˜.uƒì€è³%’Tµo(ñ:^ßE°p"ëé9>ºj´#ÔF*Æë•ž8Wž-ñ S1j–Iò§4·Án
+2
--- a/secrets/mymx-webhook.age
+++ b/secrets/mymx-webhook.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 uKftJg EC9vi+nqoSqUHET3/4fWoiuW9vTZo5XOB1dc+Fe36U0
+FYKWAiLaAbotst3AuOulpgqAg+JHUqD3uWWLk7hxrH8
+-> ssh-ed25519 Ziw7aw naV+WKfldJhOnIzz13Q9zKSK+z+oRhiVfeEYuG+dtS0
+/GLmF3ws0aUsSVTAv9zzzD+8Cp/IkMlHWFzv1CbgSiM
+--- PdqmGwHvR/R0tqf46e1ZJl/QIzB1qadFtNyONpoQl30
+wnÿ4Âò@ŠýÐÞD~Ír³×Ë*þj·®!„-*½ûv})0–<30>±ú´÷ÞÏÉFÛ7)®}rá/>Häè/3åS$	}ÅÙµìû«@¯Ð
--- a/secrets/ntfy-admin-hash.age
+++ b/secrets/ntfy-admin-hash.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 uKftJg Cccnzwl3XTJOW5+IuxDAsiI0L8Fy8JhJnpdERg9qgXU
+vgvQdUbmwRna+gLjGsmsheGGeG2KIxsWoDw4XAVSjEA
+-> ssh-ed25519 Ziw7aw vMnvy4HgMvhwALtUI14DmX6LbQiLXROINbJPlVfoW0g
+FGxDYfiejy2a5W9eZKww1YgQ3mQFTj/mORwBwTsEW80
+--- lThDR400zmmiBqnNmi2QKp2l3z3wCZ0jAxqIROLWn74
+?¿3JÃ€4zýrˆK
+œk×Ï[ˆ€Àå“5D/Ò×DTX+lü<1F>©frjÐ³„±½v©Î€›ñ³,ø…¤•#ê“z*}*Q°Ç¤Jèœ´åÆ¡ŽX1<JÑ¿n<>
--- a/secrets/searx-env.age
+++ b/secrets/searx-env.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 uKftJg s5orwA5GrqKWguh/hIhdJGyUP+Vx7iGqoQKuEO48DiY
+K+CrOTAFATdTsax+GwQBjJkni4IYDnfPdsVop8eMkKs
+-> ssh-ed25519 Ziw7aw 27Zr3vWFaQNfeTxJmNajNkigC5RUcwgz6Qs7183fUTM
+Bmj69hGO8tIZUJG5tiXqZHy+Ft6T5J2iJAYIxyYxZj8
+--- rC5PWCFkjuuPrSWRImrY7IzODjxevS30MFSXdV5qpG4
+#N¥<4E>R!F”²3{
+!šŠ6Ï1bF?ùœÇ¯ßg!o}$…iR‚½ƒ5øÞ×
+¶ûçjÈõýMÿgÕqµÝÈS,_r:ªqf‘
--- a/secrets/secrets-scheme.nix
+++ b/secrets/secrets-scheme.nix
@ -1,45 +0,0 @@
-{ lib, ... }:
-
-with lib;
-
-{
-  options.mySecrets = {
-    forgejoDb = mkOption {
-      type = types.str;
-      description = "Forgejo Database Password";
-    };
-    stalwartAdmin = mkOption {
-      type = types.str;
-      description = "Stalwart Mail Admin Password";
-    };
-    searxKey = mkOption {
-      type = types.str;
-      description = "Searx Secret Key";
-    };
-
-    tailscaleKey = mkOption {
-      type = types.str;
-      description = "Tailscale Auth Key";
-    };
-    sshPublicKey = mkOption {
-      type = types.str;
-      description = "SSH Public Key for Root User";
-    };
-    grafanaSecret = mkOption {
-      type = types.str;
-      description = "Grafana Secret Key for security";
-    };
-    matrixMacaroon = mkOption {
-      type = types.str;
-      description = "Macaroon Secret Key for Matrix Synapse";
-    };
-    ntfyAdminHash = mkOption {
-      type = types.str;
-      description = "Bcrypt hash for ntfy admin user";
-    };
-    mymxWebhookSecret = mkOption {
-      type = types.str;
-      description = "MyMX Webhook Secret for signature verification";
-    };
-  };
-}
--- a/secrets/secrets.nix.example
+++ b/secrets/secrets.nix.example
@ -1,17 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-{
-  # Copy this file to secrets.nix and fill in real values
-  mySecrets = {
-    forgejoDb = "changeme_forgejo_db";
-    stalwartAdmin = "changeme_stalwart_admin";
-    searxKey = "changeme_searx_secret";
-    minecraftRcon = "changeme_rcon";
-    tailscaleKey = "tskey-auth-PLACEHOLDER";
-    sshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...";
-    grafanaSecret = "changeme_grafana_secret";
-    matrixMacaroon = "changeme_matrix_macaroon_secret_key";
-    ntfyAdminHash = "changeme_bcrypt_hash_from_ntfy_user_hash";
-    mymxWebhookSecret = "changeme_mymx_webhook_secret";
-  };
-}
--- a/secrets/stalwart-admin.age
+++ b/secrets/stalwart-admin.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 uKftJg E7BMWjT2cbnomhydZCaRs5EMKoDGyU9O+NAvKHjflzs
+8yl7y2iXNrBuCyT05sOatAHiJhizUSFgFJt0NlMZ9pY
+-> ssh-ed25519 Ziw7aw PTAzjpRIfFk86q3docaVsh4CbXjDiCNJR2Of8YAYSBQ
+5WLY3czA6TKBJyTMwGVxSR7kuIVxBDMaKZ41VYgGhN8
+--- DHfY8BOaO+vb2MYxX/3XbgAIlwilFEPLRGUlZGJh1g0
+<04>{<7B>-L^ﾂ粮8ﾎﾊ;ﾈﾇﾓﾇ碓
+･7Лy囹aﾕ]ﾚ<EFBE9A>,<2C>jEｽ\<5C><>\ｾ
+:"yX<ﾞ	7Xﾈｵ綏ﾕ浜M
--- a/secrets/tailscale-key.age
+++ b/secrets/tailscale-key.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 uKftJg c78IHZJHcr9y//w/tqXHsuwqPjclpCPeGUzCQ1Huwkw
+h/3PruYSzkFbrGPPLrYpqoo+btj2NAHS0BlJk//U8x0
+-> ssh-ed25519 Ziw7aw O/aFm27iQeYXA04hqRNGcoUy0JmAAKDLsK1Bp/p/miY
+EBqXc31Ymh3YgjagBvICwQvX6KKwkkMF3Tv7XqsAvPs
+--- sIkeKQZHLKTLXEVZdwmP/FpjbUWyyIZYx2/nKswFWoQ
+ö6¥àô§™v<>†Iú.`<60>‚\cZÒÕB³á;»‰x«mHR©‘’€3ÕoÁ§·Ó£T«q‚ÇeÐldÇ"'«ý£\I]T2ÑKõl ùú¾¯§¨â~ÜÂO±B0Æ