From f3cffa22368488df994e17b86ae2baba18c356be Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Mon, 18 Aug 2025 22:19:21 -0500
Subject: [PATCH] update common secrets add vaultwarden env

---
 common/secrets/default.nix | 5 ++
 common/secrets/secrets/secrets.nix | 50 ++++++++++++--------
 common/secrets/secrets/vaultwarden_env.age | 18 +++++++
 hosts/h001/containers/zitadel.nix | 2 -
 hosts/oracle/o001/containers/vaultwarden.nix | 6 +++
 hosts/oracle/o001/flake.nix | 1 +
 6 files changed, 59 insertions(+), 23 deletions(-)
 create mode 100644 common/secrets/secrets/vaultwarden_env.age

diff --git a/common/secrets/default.nix b/common/secrets/default.nix
index b31e6eb..3fe2071 100644
--- a/common/secrets/default.nix
+++ b/common/secrets/default.nix
@@ -123,6 +123,11 @@ in
 owner = users_cfg.primary;
 mode = "444"; # World readable!
 };
+ vaultwarden_env = {
+ file = ./secrets/vaultwarden_env.age;
+ owner = users_cfg.primary;
+ mode = "444"; # World readable!
+ };
 };
 };
 };
diff --git a/common/secrets/secrets/secrets.nix b/common/secrets/secrets/secrets.nix
index 510d00a..9ead478 100644
--- a/common/secrets/secrets/secrets.nix
+++ b/common/secrets/secrets/secrets.nix
@@ -46,7 +46,11 @@ let
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILQLt2Hc+CN6+e7/sf3Fv0FQlp6+yrIbIJ/J9AdnJCjI luser@h003"
 ];
 
- publicKeys = authorityKey ++ gpdPocket3 ++ lio ++ joe ++ oren ++ h001 ++ h002 ++ h003;
+ trustedKeys = authorityKey ++ gpdPocket3 ++ lio ++ joe ++ oren ++ h001 ++ h002 ++ h003;
+
+ o001 = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrwvahx1x4rue28QHCzyADQndOeTESIv80f7d00NXWT" # root
+ ];
 in
 {
 ## To make a new secret:
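Review bot: The new `vaultwarden_env` entry in `common/secrets/default.nix` copies `mode = "444"; # World readable!` from the secret above it, which leaves the decrypted env file readable by every local account and process on the host, and a vaultwarden `environmentFile` is presumably where the admin token and any SMTP credentials end up. If the vaultwarden container is the only reader, a narrower mode with a matching `owner`/`group` (agenix has a `group` option next to `owner` and `mode`) would confine the plaintext to that identity instead of the whole host. At minimum the copied comment should say why world-readable is needed for this file, e.g. `mode = "444"; # world-readable so the bind-mounted copy is readable inside the vaultwarden container — TODO confirm which uid reads it`. The enclosing secrets attribute set starts before the hunk.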
@@ -58,69 +62,73 @@ in
 
 # Git keys
 "nix2github.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2bitbucket.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2gitforgejo.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2gitjosh.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2nix.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 # Server keys
 "nix2h001.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2h002.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2h003.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2joe.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2gpdPocket3.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2t.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2l002.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2linode.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2oracle.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2lio.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "nix2oren.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 # Others
 "github_read_token.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "headscale_auth.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "obsidian_sync_env.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "us_chi_wg.age" = {
- inherit publicKeys;
+ publicKeys = trustedKeys;
 };
 "zitadel_master_key.age" = {
 # h001 only
 publicKeys = authorityKey ++ h001;
 };
+ "vaultwarden_env.age" = {
+ # h001 only
+ publicKeys = authorityKey ++ o001;
+ };
 }
diff --git a/common/secrets/secrets/vaultwarden_env.age b/common/secrets/secrets/vaultwarden_env.age
new file mode 100644
index 0000000..9d4b896
--- /dev/null
+++ b/common/secrets/secrets/vaultwarden_env.age
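Review bot: The comment on the new `"vaultwarden_env.age"` entry at the end of the hunk says `# h001 only`, but its recipients are `authorityKey ++ o001`, so the comment was carried over from the `zitadel_master_key.age` entry just above it and now misstates who can decrypt the file; it should read `# o001 only`. These per-entry comments are how a reader audits the recipient sets in this file, so a wrong one is worth fixing before the pattern gets copied again. The `o001` key list itself is introduced in the previous hunk of the same file.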
@@ -0,0 +1,18 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBTRDFr
+K01YOW9GNi95ODkyclB4TTk2aXYvaTlNVXIvMjVVZ3RldnBHcXg0CjRSVzBXL05p
+K0dXYUcwNzFGM3dZZEE4L1ZwTmJFdURrRHB4RUVYU3J3TE0KLT4gc3NoLWVkMjU1
+MTkgc2EwSmpnIFpCSk9NMFJhV3gwWVBsYzJidXdablpoclF1SlF2TjgrZWFzR2hV
+amN4d3cKbnlVbHIvUGtrOXJyK2RMOU1FOVRDWU9qV083b3VyelZMYSs0T2lyMitJ
+awotPiBRJXl6RCwiLWdyZWFzZSBDJjh1MmBYOyBwcT40IC4KalRQYU9DOWtCaDF2
+aGR0WE9Qa1FZdVdta2drTUM2MUE3dHYrZzlqdU5mL1NqMTJHTGFBbjRKcjg4dm13
+NGtHKwpVVTFqUVZ3S0prOFpTQmprUXFzeUFOZFU0Tko0Tmc4WndyelB5d1JxaVhF
+TUlpYTR4VnZITjhaTisrVQotLS0gVWplQ0gvTFpUM0FmTkJOcEFzK0pUcVZDajNU
+MWVnWVhpaS9FSmNNRzYvZwrAi1J54VaqZu9Al7J4x2uHmE4L7DCjoXRzjpkSrmco
+EJ/rMiHxFNUsl0qQLmk2DT0UsCJjhC099jqyAaS2h02NunVxTjOEktHCAlj9DxLH
+PkRQWxIY1TcgZnfYRnvgmKjKfNP4SHvDITAAYOih/UXPNH+DSz8vI9Ok7+2BbayU
+IdQ0q3NdmzuxTadnaKPmmpMd/goNQYvYRcvCR7LwkFlgbqCvTcg01zI8z481j/8J
+FhI5E3VVTNiHtvyWTqy5lV9v5tE5Jdhyh2Q3tdSYWBSmZb8a738Alxab2B5IAInQ
+8WZ2QNDtX3wDPjtxiVX/vxRLlGijNJQ92IbsZNOUahyWlZr0q4deozsf+LV41sHr
+cJ9EljTO
+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/h001/containers/zitadel.nix b/hosts/h001/containers/zitadel.nix
index 5fe6add..5c24427 100644
--- a/hosts/h001/containers/zitadel.nix
+++ b/hosts/h001/containers/zitadel.nix
@@ -80,8 +80,6 @@ in
 };
 };
 
- networking.firewall.allowedTCPPorts = [ 8080 ];
-
 # Ensure users exist on host machine
 inherit users;
 
diff --git a/hosts/oracle/o001/containers/vaultwarden.nix b/hosts/oracle/o001/containers/vaultwarden.nix
index 2e9e8a7..7644dd4 100644
--- a/hosts/oracle/o001/containers/vaultwarden.nix
+++ b/hosts/oracle/o001/containers/vaultwarden.nix
@@ -1,4 +1,5 @@
 {
+ config,
 ...
 }:
 let
@@ -38,6 +39,10 @@ in
 hostPath = "${hostDataDir}/backups";
 isReadOnly = false;
 };
+ "/var/secrets/vaultwarden.env" = {
+ hostPath = config.age.secrets.vaultwarden_env.path;
+ readOnly = true;
+ };
 };
 
 config = { ... }:
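Review bot: The new bind mount in the `@@ -38,6 +39,10 @@` hunk of `hosts/oracle/o001/containers/vaultwarden.nix` sets `readOnly = true;`, while the sibling entry three lines up uses `isReadOnly = false;`, which is the option name of the NixOS `containers.<name>.bindMounts.<name>` submodule; `readOnly` is not one of its options, so evaluation should fail with an undefined-option error instead of mounting the secret read-only as intended. Change the line to `isReadOnly = true;`. The `bindMounts` attribute set starts before the hunk, and the `@@ -1,4 +1,5 @@` hunk only adds `config` to the module arguments so that `config.age.secrets.vaultwarden_env.path` is reachable.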
@@ -56,6 +61,7 @@ in
 enable = true;
 dbBackend = "sqlite";
 backupDir = "/var/lib/backups/vaultwarden";
+ environmentFile = "/var/secrets/vaultwarden.env";
 config = {
 DOMAIN = "https://vault.joshuabell.xyz";
 SIGNUPS_ALLOWED = false;
diff --git a/hosts/oracle/o001/flake.nix b/hosts/oracle/o001/flake.nix
index 833bbf9..d99c6b5 100644
--- a/hosts/oracle/o001/flake.nix
+++ b/hosts/oracle/o001/flake.nix
@@ -60,6 +60,7 @@
 
 ringofstorms_common = {
 systemName = configuration_name;
+ secrets.enable = true;
 general = {
 disableRemoteBuildsOnLio = true;
 readWindowsDrives = false;
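Review bot: `environmentFile = "/var/secrets/vaultwarden.env";` repeats, as a second string literal, the path that is also the bind-mount key added earlier in this file, so the mount point and the consumer can drift apart silently if either is edited. Binding the path once in the file's existing `let` (for example `vaultwardenEnvFile = "/var/secrets/vaultwarden.env";`, a constructed name) and using it in both the `bindMounts` key and here would keep them in step. The vaultwarden service block this line belongs to starts before the hunk; the `hosts/oracle/o001/flake.nix` hunk that follows only switches on `secrets.enable = true;`.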