ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

update common secrets add vaultwarden env

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2025-08-18 22:19:21 -05:00
parent 4f2110fc3f
commit f3cffa2236
6 changed files with 59 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

5
common/secrets/default.nix
View file

@ -123,6 +123,11 @@ in
owner = users_cfg.primary; owner = users_cfg.primary;
mode = "444"; # World readable! mode = "444"; # World readable!
}; };
vaultwarden_env = {
file = ./secrets/vaultwarden_env.age;
owner = users_cfg.primary;
mode = "444"; # World readable!
};
}; };
}; };
}; };

50
common/secrets/secrets/secrets.nix
View file

@ -46,7 +46,11 @@ let
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILQLt2Hc+CN6+e7/sf3Fv0FQlp6+yrIbIJ/J9AdnJCjI luser@h003" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILQLt2Hc+CN6+e7/sf3Fv0FQlp6+yrIbIJ/J9AdnJCjI luser@h003"
]; ];
publicKeys = authorityKey ++ gpdPocket3 ++ lio ++ joe ++ oren ++ h001 ++ h002 ++ h003; trustedKeys = authorityKey ++ gpdPocket3 ++ lio ++ joe ++ oren ++ h001 ++ h002 ++ h003;
o001 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrwvahx1x4rue28QHCzyADQndOeTESIv80f7d00NXWT" # root
];
in in
{ {
## To make a new secret: ## To make a new secret:
@ -58,69 +62,73 @@ in
# Git keys # Git keys
"nix2github.age" = { "nix2github.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2bitbucket.age" = { "nix2bitbucket.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2gitforgejo.age" = { "nix2gitforgejo.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2gitjosh.age" = { "nix2gitjosh.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2nix.age" = { "nix2nix.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
# Server keys # Server keys
"nix2h001.age" = { "nix2h001.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2h002.age" = { "nix2h002.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2h003.age" = { "nix2h003.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2joe.age" = { "nix2joe.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2gpdPocket3.age" = { "nix2gpdPocket3.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2t.age" = { "nix2t.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2l002.age" = { "nix2l002.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2linode.age" = { "nix2linode.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2oracle.age" = { "nix2oracle.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2lio.age" = { "nix2lio.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"nix2oren.age" = { "nix2oren.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
# Others # Others
"github_read_token.age" = { "github_read_token.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"headscale_auth.age" = { "headscale_auth.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"obsidian_sync_env.age" = { "obsidian_sync_env.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"us_chi_wg.age" = { "us_chi_wg.age" = {
inherit publicKeys; publicKeys = trustedKeys;
}; };
"zitadel_master_key.age" = { "zitadel_master_key.age" = {
# h001 only # h001 only
publicKeys = authorityKey ++ h001; publicKeys = authorityKey ++ h001;
}; };
"vaultwarden_env.age" = {
# h001 only
publicKeys = authorityKey ++ o001;
};
} }

18
common/secrets/secrets/vaultwarden_env.age Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBTRDFr
K01YOW9GNi95ODkyclB4TTk2aXYvaTlNVXIvMjVVZ3RldnBHcXg0CjRSVzBXL05p
K0dXYUcwNzFGM3dZZEE4L1ZwTmJFdURrRHB4RUVYU3J3TE0KLT4gc3NoLWVkMjU1
MTkgc2EwSmpnIFpCSk9NMFJhV3gwWVBsYzJidXdablpoclF1SlF2TjgrZWFzR2hV
amN4d3cKbnlVbHIvUGtrOXJyK2RMOU1FOVRDWU9qV083b3VyelZMYSs0T2lyMitJ
awotPiBRJXl6RCwiLWdyZWFzZSBDJjh1MmBYOyBwcT40IC4KalRQYU9DOWtCaDF2
aGR0WE9Qa1FZdVdta2drTUM2MUE3dHYrZzlqdU5mL1NqMTJHTGFBbjRKcjg4dm13
NGtHKwpVVTFqUVZ3S0prOFpTQmprUXFzeUFOZFU0Tko0Tmc4WndyelB5d1JxaVhF
TUlpYTR4VnZITjhaTisrVQotLS0gVWplQ0gvTFpUM0FmTkJOcEFzK0pUcVZDajNU
MWVnWVhpaS9FSmNNRzYvZwrAi1J54VaqZu9Al7J4x2uHmE4L7DCjoXRzjpkSrmco
EJ/rMiHxFNUsl0qQLmk2DT0UsCJjhC099jqyAaS2h02NunVxTjOEktHCAlj9DxLH
PkRQWxIY1TcgZnfYRnvgmKjKfNP4SHvDITAAYOih/UXPNH+DSz8vI9Ok7+2BbayU
IdQ0q3NdmzuxTadnaKPmmpMd/goNQYvYRcvCR7LwkFlgbqCvTcg01zI8z481j/8J
FhI5E3VVTNiHtvyWTqy5lV9v5tE5Jdhyh2Q3tdSYWBSmZb8a738Alxab2B5IAInQ
8WZ2QNDtX3wDPjtxiVX/vxRLlGijNJQ92IbsZNOUahyWlZr0q4deozsf+LV41sHr
cJ9EljTO
-----END AGE ENCRYPTED FILE-----

2
hosts/h001/containers/zitadel.nix
View file

@ -80,8 +80,6 @@ in
}; };
}; };
networking.firewall.allowedTCPPorts = [ 8080 ];
# Ensure users exist on host machine # Ensure users exist on host machine
inherit users; inherit users;

6
hosts/oracle/o001/containers/vaultwarden.nix
View file

@ -1,4 +1,5 @@
{ {
config,
... ...
}: }:
let let
@ -38,6 +39,10 @@ in
hostPath = "${hostDataDir}/backups"; hostPath = "${hostDataDir}/backups";
isReadOnly = false; isReadOnly = false;
}; };
"/var/secrets/vaultwarden.env" = {
hostPath = config.age.secrets.vaultwarden_env.path;
readOnly = true;
};
}; };
config = config =
{ ... }: { ... }:
@ -56,6 +61,7 @@ in
enable = true; enable = true;
dbBackend = "sqlite"; dbBackend = "sqlite";
backupDir = "/var/lib/backups/vaultwarden"; backupDir = "/var/lib/backups/vaultwarden";
environmentFile = "/var/secrets/vaultwarden.env";
config = { config = {
DOMAIN = "https://vault.joshuabell.xyz"; DOMAIN = "https://vault.joshuabell.xyz";
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;

1
hosts/oracle/o001/flake.nix
View file

@ -60,6 +60,7 @@
ringofstorms_common = { ringofstorms_common = {
systemName = configuration_name; systemName = configuration_name;
secrets.enable = true;
general = { general = {
disableRemoteBuildsOnLio = true; disableRemoteBuildsOnLio = true;
readWindowsDrives = false; readWindowsDrives = false;