update common secrets add vaultwarden env

common/secrets/default.nix

@@ -123,6 +123,11 @@ in
             owner = users_cfg.primary;
             mode = "444"; # World readable!
           };
+          vaultwarden_env = {
+            file = ./secrets/vaultwarden_env.age;
+            owner = users_cfg.primary;
+            mode = "444"; # World readable!
+          };
         };
     };
   };

common/secrets/secrets/secrets.nix

@@ -46,7 +46,11 @@ let
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILQLt2Hc+CN6+e7/sf3Fv0FQlp6+yrIbIJ/J9AdnJCjI luser@h003"
   ];
 
-  publicKeys = authorityKey ++ gpdPocket3 ++ lio ++ joe ++ oren ++ h001 ++ h002 ++ h003;
+  trustedKeys = authorityKey ++ gpdPocket3 ++ lio ++ joe ++ oren ++ h001 ++ h002 ++ h003;
+
+  o001 = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrwvahx1x4rue28QHCzyADQndOeTESIv80f7d00NXWT" # root
+  ];
 in
 {
   ## To make a new secret:
@@ -58,69 +62,73 @@ in
 
   # Git keys
   "nix2github.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2bitbucket.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2gitforgejo.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2gitjosh.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2nix.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   # Server keys
   "nix2h001.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2h002.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2h003.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2joe.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2gpdPocket3.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2t.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2l002.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2linode.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2oracle.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2lio.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "nix2oren.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   # Others
   "github_read_token.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "headscale_auth.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "obsidian_sync_env.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "us_chi_wg.age" = {
-    inherit publicKeys;
+    publicKeys = trustedKeys;
   };
   "zitadel_master_key.age" = {
     # h001 only
     publicKeys = authorityKey ++ h001;
   };
+  "vaultwarden_env.age" = {
+    # h001 only
+    publicKeys = authorityKey ++ o001;
+  };
 }

common/secrets/secrets/vaultwarden_env.age

@@ -0,0 +1,18 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBTRDFr
+K01YOW9GNi95ODkyclB4TTk2aXYvaTlNVXIvMjVVZ3RldnBHcXg0CjRSVzBXL05p
+K0dXYUcwNzFGM3dZZEE4L1ZwTmJFdURrRHB4RUVYU3J3TE0KLT4gc3NoLWVkMjU1
+MTkgc2EwSmpnIFpCSk9NMFJhV3gwWVBsYzJidXdablpoclF1SlF2TjgrZWFzR2hV
+amN4d3cKbnlVbHIvUGtrOXJyK2RMOU1FOVRDWU9qV083b3VyelZMYSs0T2lyMitJ
+awotPiBRJXl6RCwiLWdyZWFzZSBDJjh1MmBYOyBwcT40IC4KalRQYU9DOWtCaDF2
+aGR0WE9Qa1FZdVdta2drTUM2MUE3dHYrZzlqdU5mL1NqMTJHTGFBbjRKcjg4dm13
+NGtHKwpVVTFqUVZ3S0prOFpTQmprUXFzeUFOZFU0Tko0Tmc4WndyelB5d1JxaVhF
+TUlpYTR4VnZITjhaTisrVQotLS0gVWplQ0gvTFpUM0FmTkJOcEFzK0pUcVZDajNU
+MWVnWVhpaS9FSmNNRzYvZwrAi1J54VaqZu9Al7J4x2uHmE4L7DCjoXRzjpkSrmco
+EJ/rMiHxFNUsl0qQLmk2DT0UsCJjhC099jqyAaS2h02NunVxTjOEktHCAlj9DxLH
+PkRQWxIY1TcgZnfYRnvgmKjKfNP4SHvDITAAYOih/UXPNH+DSz8vI9Ok7+2BbayU
+IdQ0q3NdmzuxTadnaKPmmpMd/goNQYvYRcvCR7LwkFlgbqCvTcg01zI8z481j/8J
+FhI5E3VVTNiHtvyWTqy5lV9v5tE5Jdhyh2Q3tdSYWBSmZb8a738Alxab2B5IAInQ
+8WZ2QNDtX3wDPjtxiVX/vxRLlGijNJQ92IbsZNOUahyWlZr0q4deozsf+LV41sHr
+cJ9EljTO
+-----END AGE ENCRYPTED FILE-----