From b3c19a2e167ec01a74c691aed0b469bccc4da73f Mon Sep 17 00:00:00 2001
From: Mike Vink
Date: Wed, 18 Oct 2023 01:18:26 +0200
Subject: machine specific secrets
---
 profiles/core/secrets.nix | 36 ++++++++++++++++++++++--------------
 profiles/email/gmail.nix | 2 +-
 profiles/station/music.nix | 4 ++--
 secrets/hello | 20 --------------------
 secrets/lemptop/mopidy.yaml | 21 +++++++++++++++++++++
 secrets/mopidy.yaml | 21 ---------------------
 6 files changed, 46 insertions(+), 58 deletions(-)
 delete mode 100644 secrets/hello
 create mode 100644 secrets/lemptop/mopidy.yaml
 delete mode 100644 secrets/mopidy.yaml
diff --git a/profiles/core/secrets.nix b/profiles/core/secrets.nix
index fc11563..f0897be 100644
--- a/profiles/core/secrets.nix
+++ b/profiles/core/secrets.nix
@@ -1,4 +1,20 @@
-{machine,inputs,config,lib,pkgs,...}: with lib; {
+{machine,inputs,config,lib,pkgs,...}: with lib;
+let
+ getSecrets = dir:
+ mapAttrs' (name: _: let
+ parts = splitString "." name;
+ base = head parts;
+ format = if length parts > 1 then elemAt parts 1 else "binary";
+ in nameValuePair base {
+ sopsFile = "${dir}/${name}";
+ inherit format;
+ key = machine.hostname;
+ }) (if (filesystem.pathIsDirectory dir) then
+ (filterAttrs (n: v: v != "directory") (builtins.readDir dir))
+ else
+ {});
+in
+{
 imports = [ inputs.sops-nix.nixosModules.sops (mkAliasOptionModule [ "secrets" ] [ "sops" "secrets" ]) # TODO: get my username(s) from machine config
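Review bot: `getSecrets` encodes a file-naming convention that nothing in the hunk documents: the part of the file name before the first dot becomes the secret's attribute name (`base = head parts`), the second dot-separated part becomes the sops `format` (falling back to `binary`), and every secret is read from the `machine.hostname` key of its file. A comment above `getSecrets = dir:` such as `# every regular file <name>.<format> under dir becomes secrets.<name>; format defaults to binary, contents are taken from the <hostname> key` would save the next reader from reverse-engineering it. Note also that `format` uses `elemAt parts 1`, so a file with more than one dot in its name (for example `id.ed25519.yaml`) is given format `ed25519` rather than `yaml`; `last parts` would be more robust if such names are expected. The module body that `+{` opens continues outside the hunk.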
@@ -7,19 +23,11 @@ age.sshKeyPaths = []; age.keyFile = mkIf (machine.hostname == "lemptop") "${config.hm.xdg.configHome}/sops/age/keys.txt";
- secrets = mapAttrs' (name: _: let
- parts = splitString "." name;
- base = head parts;
- format = if length parts > 1 then elemAt parts 1 else "binary";
- in
- {
- name = base;
- value = {
- sopsFile = "${inputs.self}/secrets/${name}";
- inherit format;
- key = machine.hostname;
- };
- }) (builtins.readDir "${inputs.self}/secrets"); # keep it out of the store
+ secrets = attrsets.mergeAttrsList
+ [
+ (getSecrets "${inputs.self}/secrets")
+ (getSecrets "${inputs.self}/secrets/${machine.hostname}")
+ ];
 }; environment = {
diff --git a/profiles/email/gmail.nix b/profiles/email/gmail.nix
index 6f2f7df..1a8381e 100644
--- a/profiles/email/gmail.nix
+++ b/profiles/email/gmail.nix
@@ -92,7 +92,7 @@
 Inbox = { farPattern = "INBOX"; nearPattern = "INBOX"; extraConfig = { Create = "Near"; Expunge = "Both"; }; };
 Archive = { farPattern = "[Gmail]/All Mail"; nearPattern = "Archive"; extraConfig = { Create = "Near"; Expunge = "Both"; }; };
 Spam = { farPattern = "[Gmail]/Spam"; nearPattern = "Spam"; extraConfig = { Create = "Near"; Expunge = "Both"; }; };
- Trash = { farPattern = "[Gmail]/Bin"; nearPattern = "Trash"; extraConfig = { Create = "Near"; Expunge = "Both"; }; };
+ Trash = { farPattern = "[Gmail]/Trash"; nearPattern = "Trash"; extraConfig = { Create = "Near"; Expunge = "Both"; }; };
 Important = { farPattern = "[Gmail]/Important"; nearPattern = "Important"; extraConfig = { Create = "Near"; Expunge = "Both"; }; };
 Sent = { farPattern = "[Gmail]/Sent Mail"; nearPattern = "Sent"; extraConfig = { Create = "Near"; Expunge = "Both"; }; };
 FarDrafts = { farPattern = "[Gmail]/Drafts"; nearPattern = "FarDrafts"; extraConfig = { Create = "Near"; Expunge = "Both"; }; };
diff --git a/profiles/station/music.nix b/profiles/station/music.nix
index 80e0a51..b26a2ee 100644
--- a/profiles/station/music.nix
+++ b/profiles/station/music.nix
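Review bot: The precedence between the two `getSecrets` results in `secrets = attrsets.mergeAttrsList [ ... ]` is significant but undocumented: `mergeAttrsList` gives later sets precedence, so a file under `secrets/<hostname>/` silently replaces a shared file with the same base name instead of being reported as a clash. A comment such as `# later entries win: host-specific secrets override shared ones of the same name` above the list would make that intentional. The `# keep it out of the store` remark on the removed `builtins.readDir` line has no counterpart in the new code; if it was a standing reminder rather than a description of that line, consider carrying it over to the new `secrets` definition. The enclosing attribute set starts and ends outside the hunk.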
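Review bot: The new `farPattern = "[Gmail]/Trash"` replaces a server-side folder name that, as far as I know, Gmail localises per account language (`[Gmail]/Bin` being the British-English variant), and neither the line nor the commit subject records why it changed, so the same breakage is easy to reintroduce. A trailing comment, `# Gmail localises this folder name; en-GB accounts expose it as "[Gmail]/Bin"`, would preserve the reason. The enclosing attribute set starts and ends outside the hunk.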
@@ -83,8 +83,8 @@
 progressbar_elapsed_color = "blue:b";
 statusbar_color = "red";
 statusbar_time_color = "cyan:b";
- execute_on_song_change="pkill -RTMIN+11 dwmblocks";
- execute_on_player_state_change="pkill -RTMIN+11 dwmblocks";
+ execute_on_song_change=''"pkill -RTMIN+11 dwmblocks"'';
+ execute_on_player_state_change=''"pkill -RTMIN+11 dwmblocks"'';
 };
 };
 }
diff --git a/secrets/hello b/secrets/hello
deleted file mode 100644
index 27b3a95..0000000
--- a/secrets/hello
+++ /dev/null
@@ -1,20 +0,0 @@
-{ - "data": "ENC[AES256_GCM,data:iZxyYQ6u7mUWk/1dr5bK09ko95QAJd3OTyZo/CT4HXSueFyHfo8fL8DDQNUSGMA=,iv:vSwpBRPCedBslzaqdeFun9YP9uHtFqsz44lU2mNd8yU=,tag:EE+4AsotaE2HBKB7ADwzqw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbTNCUUI1UXBVRDJKVWRC\ndDgwRys5V1pZYm9IaGNBVUJpdldNK0gyWHo4CmF4VTRLTnRhVGErSGVnZGdNUUl4\nN1pVYWFPaThZdC94Y3ByaytRUnpxdTAKLS0tIGZJbktoMVp4bDBTSFVOWnpOOTlS\nSXJjeUNkZjVuQmdJdmtBa2N6UnMrNVkKpqPVSJud8ccgtYQc5mkhD3x4zMB+Sw8N\nJ6TxxGWt9tmwPb03Hy1BbeasmN93hA60tTF29WiAzcAiMBk+4o4IyQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-10-16T19:06:39Z", - "mac": "ENC[AES256_GCM,data:OnCstF0Kch19iTjg/mlMR96UEJKkMSW9xL3weNR2P+h8TmaredEzOjxRVtX8yWevQ3NH0+EEnasjhwSQJ85slUMZoCrNK8xG3Z+Is3ey+1rahskJ20e9UJ6AMP3mwjPNfW2nLVjjikbnRirw4cG151vqTCbkC+FLNaSVi3K1H+g=,iv:Pcq6sq9gpTPW1wy6helri73jpmkvhdm/Et/rzLn9vxU=,tag:cabq18p9PHkeRQVdGv8BdQ==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -}
\ No newline at end of file
diff --git a/secrets/lemptop/mopidy.yaml b/secrets/lemptop/mopidy.yaml
new file mode 100644
index 0000000..2f38ee3
--- /dev/null
+++ b/secrets/lemptop/mopidy.yaml
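Review bot: The new `''"pkill -RTMIN+11 dwmblocks"''` values deliberately embed literal double quotes in the Nix string, presumably because the generated player configuration expects the command itself to be quoted, but nothing in the source says so and a later reader may "clean up" the quoting and reintroduce the bug. A comment above `execute_on_song_change`, `# the generated config needs the command itself wrapped in double quotes`, would preserve the intent. The identical command string is also repeated in both settings and could be bound once in a `let` so the quoting rule lives in one place. The enclosing attribute set starts outside the hunk.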
@@ -0,0 +1,21 @@
+lemptop: ENC[AES256_GCM,data:oQL/CmXYLQTsMglwf28TyCHqpVOXgmu2tGt8gKBNUMDhR4z8jd1tNq2I86KmwTfSobowkntTyHtLjYrRKM1jEM/1xL9AilXYEDWpunU/ODpWWkIr6iEtCu0/uXLC/1TX8CqdUargYFFoN6KMBZNGH55x95DiiLL47Vp8uEgWuTly8xQE3u9vzH143R5wcfAnGfzsBsea1TJYSZMT9Ey2EeXgnaSIAD2sZx8VCWoqbbagERWy,iv:UHPA7mhHRIhBXgdvcJEzL/BCWerJB5gxWZlWhIhMuro=,tag:+HiHYOL+VWk5443Qc5f6sQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5N2t5RTF1Wm56U2xvNkoy + YXo0SmdtUWhndEE3WDFrWFBTVll2cVFKZFdFCk91QUZvOUI2L0tlTjF2cXorK0k1 + RGtObVMrV2tsZHVTMG4vdnRsQ0dxMlkKLS0tIHcxcXBLdW5UWmNVV2VFTVJGQzJO + SjN6SklFSmViTVRoTEZYK1Q1aS9jbFUKdvLte8aMlVpjgAwvGS4HRIV8l8qO80tl + LWGng7B0gCfd21VVdokb1ZFmls8ElEQQAqK7Obf76IF7eNs1+0xdNA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-17T19:27:11Z" + mac: ENC[AES256_GCM,data:fFWP4z/Q0pY56xFYMeKQlWdIpS0nlWqO+u233BXLrXL57l5Z1zO+3vKNre0CeDmNMMIdnE0LcY87+dpXFKvVC/EaKhsy75MixOqnmRtB6JHeBXYOeEBOn8e5Ur3pfTfxvcjQF6HFOD6n4VU1d4zG1r8zWkkCaah+fuQAg5j7r/0=,iv:NgQmn0DJ5liAIiA4ZL6BLWwL37RhJnrQPLiPByq13xk=,tag:P9zlmdq9nXD/kIVeDnZGpw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.0
diff --git a/secrets/mopidy.yaml b/secrets/mopidy.yaml
deleted file mode 100644
index 2f38ee3..0000000
--- a/secrets/mopidy.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-lemptop: ENC[AES256_GCM,data:oQL/CmXYLQTsMglwf28TyCHqpVOXgmu2tGt8gKBNUMDhR4z8jd1tNq2I86KmwTfSobowkntTyHtLjYrRKM1jEM/1xL9AilXYEDWpunU/ODpWWkIr6iEtCu0/uXLC/1TX8CqdUargYFFoN6KMBZNGH55x95DiiLL47Vp8uEgWuTly8xQE3u9vzH143R5wcfAnGfzsBsea1TJYSZMT9Ey2EeXgnaSIAD2sZx8VCWoqbbagERWy,iv:UHPA7mhHRIhBXgdvcJEzL/BCWerJB5gxWZlWhIhMuro=,tag:+HiHYOL+VWk5443Qc5f6sQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5N2t5RTF1Wm56U2xvNkoy - YXo0SmdtUWhndEE3WDFrWFBTVll2cVFKZFdFCk91QUZvOUI2L0tlTjF2cXorK0k1 - RGtObVMrV2tsZHVTMG4vdnRsQ0dxMlkKLS0tIHcxcXBLdW5UWmNVV2VFTVJGQzJO - SjN6SklFSmViTVRoTEZYK1Q1aS9jbFUKdvLte8aMlVpjgAwvGS4HRIV8l8qO80tl - LWGng7B0gCfd21VVdokb1ZFmls8ElEQQAqK7Obf76IF7eNs1+0xdNA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-17T19:27:11Z" - mac: ENC[AES256_GCM,data:fFWP4z/Q0pY56xFYMeKQlWdIpS0nlWqO+u233BXLrXL57l5Z1zO+3vKNre0CeDmNMMIdnE0LcY87+dpXFKvVC/EaKhsy75MixOqnmRtB6JHeBXYOeEBOn8e5Ur3pfTfxvcjQF6HFOD6n4VU1d4zG1r8zWkkCaah+fuQAg5j7r/0=,iv:NgQmn0DJ5liAIiA4ZL6BLWwL37RhJnrQPLiPByq13xk=,tag:P9zlmdq9nXD/kIVeDnZGpw==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.0
--
cgit v1.2.3