From b0ae5e394fd64f32d7355a40f142f0be791f5e1e Mon Sep 17 00:00:00 2001
From: zuckerberg <5-zuckerberg@users.noreply.git.neet.dev>
Date: Mon, 14 Jun 2021 22:48:23 -0400
Subject: [PATCH] use agenix
---
 common/common.nix | 7 +------
 flake.nix | 5 +++++
 machines/liza/configuration.nix | 3 +++
 secrets/searx.age | 18 ++++++++++++++++++
 secrets/secrets.nix | 9 +++++++++
 5 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 secrets/searx.age
 create mode 100644 secrets/secrets.nix
diff --git a/common/common.nix b/common/common.nix
index 40f3432..08aad4c 100644
--- a/common/common.nix
+++ b/common/common.nix
@@ -40,12 +40,7 @@
 users.users.googlebot = {
 isNormalUser = true;
 extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
- ];
+ openssh.authorizedKeys.keys = (import ./ssh.nix).users;
 hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
 };
 }
diff --git a/flake.nix b/flake.nix
index 2a95556..eb3852b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,6 +2,7 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
 simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.05";
+ agenix.url = "github:ryantm/agenix";
 };
 outputs = inputs: {
@@ -14,6 +15,10 @@
 modules = [
 path
 inputs.simple-nixos-mailserver.nixosModule
+ inputs.agenix.nixosModules.age
+ {
+ environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
+ }
 ];
 specialArgs = { inherit inputs; };
 };
diff --git a/machines/liza/configuration.nix b/machines/liza/configuration.nix
index 61e1e18..06f1483 100644
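Review bot: The new `openssh.authorizedKeys.keys = (import ./ssh.nix).users;` points at `common/ssh.nix`, which this patch does not add — it is absent from the diffstat, and `secrets/secrets.nix` imports the same file — so unless it is already tracked, every host in the flake fails to evaluate. The removed lines labelled two keys with `# reg` and `# nat`; keep that attribution in `ssh.nix` so each key can still be traced to its owner when one needs revoking. The same `users` list now also feeds the age recipient set in `secrets/secrets.nix`, so adding a key there grants both a wheel login on every host and the ability to decrypt every secret; a comment such as `# also used as age recipients in secrets/secrets.nix` on this line would make that coupling visible. With agenix available, the `hashedPassword` literal on the following context line could move out of the repo too, via `users.users.googlebot.passwordFile = config.age.secrets.<name>.path;` (assuming `config` is in scope in this module).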
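Review bot: `agenix.url = "github:ryantm/agenix";` is added without `agenix.inputs.nixpkgs.follows = "nixpkgs";`, so agenix resolves its own nixpkgs instead of the pinned nixos-21.05 channel, and the diffstat shows no `flake.lock` change, so this commit does not record which agenix revision it was evaluated against. Add `agenix.inputs.nixpkgs.follows = "nixpkgs";` beside the url and commit the lock update in the same change, if the lock file is tracked. In the second hunk, `inputs.agenix.defaultPackage.${system}` relies on `system` being bound outside the hunk; the enclosing function starts before it.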
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@@ -31,7 +31,9 @@
 };
 services.searx.enable = true;
+ services.searx.environmentFile = "/run/secrets/searx";
 services.searx.settings.server.port = 8080;
+ services.searx.settings.server.secret_key = "@SEARX_SECRET_KEY@";
 services.nginx.virtualHosts."search.neet.space" = {
 enableACME = true;
 forceSSL = true;
@@ -39,6 +41,7 @@
 proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
 };
 };
+ age.secrets.searx.file = ../../secrets/searx.age;
 security.acme.acceptTerms = true;
 security.acme.email = "zuckerberg@neet.dev";
diff --git a/secrets/searx.age b/secrets/searx.age
new file mode 100644
index 0000000..73a11d8
--- /dev/null
+++ b/secrets/searx.age
@@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> ssh-ed25519 G2eSCQ Z0lX5ZlHIpggimOiFj1+ZVgOP37LFr/w94cCtqWFZT8
+7rzvrJSdK+dUAsswTjVq0wkCiL2XQaryycun3ux0W9w
+-> ssh-ed25519 2a2Yhw g5nEPzN5X0Vr+vauzUe5jg6H50ONh8NVjD93AG/2+i0
+6qUsQzDKLtU5gp3ve1iF8tKuB4Rx+K0+HZQy9ks2iwI
+-> ssh-ed25519 N240Tg JIzitiQPOTthl6QbborOGU3n9RqIjul39BFYOfB8diY
+4NOqzWpUwF9j0JzYaJn7Uqa3Crl6QLr48hCaBnOsGPQ
+-> ssh-ed25519 mbw8xA zjorFxrWa3TSj99VRfBrGkiLrcBzof+5jKrwhf5fDyU
+tcRZMBobPQ5/PeDKTllFaJMEV26Gc88s9XkrLkWe7PQ
+-> ssh-ed25519 xoAm7w 9sZy5pPgQ1ooFMcuiybut220iYgZFKV8HfVcSjo+2hU
+6vKyFN5ujm25ihAGtwYwY6oQLzu4/ETHb+DStIJr55E
+-> Hyy_H$H-grease 96O> WKPyA0k.
+IKjwegCjx6684Vp2IY1rShLipM16jQspX9cUtWz/7JGMoOdlVaYmzfu5VfdDiO32
+Oc/d3FWCEGLBEYu6m2oOLMuCGf8lljSigmbl8/3odwQQGo4F1ECYEkIxzf5xQW9m
+6w
+--- R3auwtnTaQRkfqoZBVitJInFrpdhIDMSKCcSoS2qNqo
+}z<(QuܤVb&Ⴣ4w/YmaEpl-7/,TN2DcsaTBi=3svq+`|
+jG^
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..68d56e4
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+let
+ keys = import ../common/ssh.nix;
+ systems = keys.systems;
+ users = keys.users;
+ all = users ++ systems;
+in
+{
+ "searx.age".publicKeys = all;
+}
\ No newline at end of file
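Review bot: `services.searx.environmentFile = "/run/secrets/searx";` hard-codes the path agenix happens to decrypt to, so the consumer is not tied to the `age.secrets.searx` declaration in the next hunk, and a change in agenix's default location would silently leave searx without its environment file and with a literal `@SEARX_SECRET_KEY@` in its settings. Reference the declared path instead: `services.searx.environmentFile = config.age.secrets.searx.path;` — `config` is already in scope, as the `proxyPass` line in the next hunk shows. The `@SEARX_SECRET_KEY@` literal is the searx module's placeholder syntax for values substituted from the environment file; a comment such as `# placeholder, substituted from SEARX_SECRET_KEY in environmentFile when the service starts` beside the secret_key line would explain it to the next reader.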
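Review bot: `age.secrets.searx.file = ../../secrets/searx.age;` declares the secret with agenix's defaults, which as far as I recall decrypt it as a root-only file; whether the unit that reads `environmentFile` runs as root or as the searx user is not visible here, so confirm it, and if it is the service user set `age.secrets.searx.owner = "searx";` rather than loosening the mode. The declaration also sits after its consumers in the first hunk; moving it next to the `services.searx.*` lines, or adding `# decrypted at boot; consumed by services.searx.environmentFile above` here, keeps producer and consumer in one place.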
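Review bot: `all = users ++ systems;` together with `"searx.age".publicKeys = all;` encrypts the searx secret to every host key in `ssh.nix`, not only to liza, so any machine in the fleet can decrypt a secret that only liza consumes, and the blast radius of one compromised host key grows with every secret added this way. The `.age` header in this patch shows five `ssh-ed25519` recipients, so the set is small today, but the pattern scales badly; scope each secret to the admin user keys plus its consuming host, e.g. `"searx.age".publicKeys = users ++ [ <liza's key from ssh.nix> ];` using whatever name `ssh.nix` gives that key. This file imports `../common/ssh.nix`, which the patch does not add, so it must already exist for the `agenix` CLI to evaluate this file.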