authorGriffin Smith <grfn@gws.fyi>2021-12-26T20·11-0500
committerclbot <clbot@tvl.fyi>2021-12-27T03·46+0000
commit169d7fb87436603207e79cdcc9b51d84eb11e39e (patch)
tree3ef4cb8c97d25b414494935d73e459c2e75a354f
parentef62e51b7bc390d3b046b2eb1af0b44a2e771cbe (diff)
feat(grfn/mugwump): Set up agenix r/3454
Start setting up agenix with secrets in //users/grfn/secrets for
mugwump, starting with my cloudflare API key which I use for the ddns
from my home apartment

Change-Id: Ida66cb91da3415357a512039d6c23402f0ae9388
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4683
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
-rw-r--r--users/grfn/secrets/.envrc1
-rw-r--r--users/grfn/secrets/cloudflare.age9
-rw-r--r--users/grfn/secrets/default.nix2
-rw-r--r--users/grfn/secrets/secrets.nix8
-rw-r--r--users/grfn/secrets/shell.nix8
-rw-r--r--users/grfn/system/system/machines/mugwump.nix11
6 files changed, 37 insertions, 2 deletions
diff --git a/users/grfn/secrets/.envrc b/users/grfn/secrets/.envrc
new file mode 100644
index 000000000000..051d09d292a8
--- /dev/null
+++ b/users/grfn/secrets/.envrc
@@ -0,0 +1 @@
+eval "$(lorri direnv)"
diff --git a/users/grfn/secrets/cloudflare.age b/users/grfn/secrets/cloudflare.age
new file mode 100644
index 000000000000..1c9fa3ca6bf6
--- /dev/null
+++ b/users/grfn/secrets/cloudflare.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 CpJBgQ w4W+pzmVIEMF0uZN7KZMAppJaLjEeDKoe7i9LGayKDQ
+Rd8k+3csmbZQIrp09ZUfCAOZVwI0BZ6hCBN3nkZQMp4
+-> ssh-ed25519 LfBFbQ dyv1splvcftMd1zWDkPBfsgvXxH5neZlO7ZjrhyzNHI
+N/kqc/luOl8lsZcbaxF8/3ULsL78zvZhkiCarohe+G4
+-> \w7t-grease lo&b JZpCA
+nN2lH0W9+zulMjZMLPMk61+xsrQ
+--- voTpUbu8OiJQyuKB7tIOvlErgY0jg2w7N3MehD5FIdM
+&czl	|KM~2eUN8P~}*hSYJJFɊoc=L`zO7KgZ.aXDHЦ878
\ No newline at end of file
diff --git a/users/grfn/secrets/default.nix b/users/grfn/secrets/default.nix
new file mode 100644
index 000000000000..26b1998f565b
--- /dev/null
+++ b/users/grfn/secrets/default.nix
@@ -0,0 +1,2 @@
+{ depot, ... }:
+depot.ops.secrets.mkSecrets ./. (import ./secrets.nix)
diff --git a/users/grfn/secrets/secrets.nix b/users/grfn/secrets/secrets.nix
new file mode 100644
index 000000000000..ef5ddb791ba0
--- /dev/null
+++ b/users/grfn/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+  grfn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA";
+  mugwump = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFE2fxPgWO+zeQoLBTgsgxP7Vg7QNHlrQ+Rb3fHFTomB";
+in
+
+{
+  "cloudflare.age".publicKeys = [ grfn mugwump ];
+}
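Review bot: The two recipient keys in `secrets.nix` are not labelled, so a reader cannot tell which one is a person's key and which one is the host key that lets mugwump decrypt at boot — and that distinction decides what has to happen when either key is rotated. I would annotate the bindings, e.g. `grfn = "ssh-ed25519 …"; # personal key, used to edit secrets with agenix -e` and `mugwump = "ssh-ed25519 …"; # mugwump's SSH host key (presumably /etc/ssh/ssh_host_ed25519_key.pub, agenix's default identity); every .age file must be re-keyed (agenix -r) if the host is reinstalled`. A short header comment stating that removing a key from `publicKeys` does not revoke access to already-encrypted files until they are re-keyed would also help whoever maintains this list next.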
diff --git a/users/grfn/secrets/shell.nix b/users/grfn/secrets/shell.nix
new file mode 100644
index 000000000000..fe912fe791ea
--- /dev/null
+++ b/users/grfn/secrets/shell.nix
@@ -0,0 +1,8 @@
+let
+  depot = import ../../.. {};
+in
+depot.third_party.nixpkgs.mkShell {
+  buildInputs = [
+    depot.third_party.agenix.cli
+  ];
+}
diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index 9ef428c2399b..d4e61b74a4c6 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@@ -8,6 +8,7 @@ with lib;
     (modulesPath + "/installer/scan/not-detected.nix")
     "${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
     "${depot.path}/users/grfn/xanthous/server/module.nix"
+    "${depot.third_party.agenix.src}/modules/age.nix"
   ];
 
   networking.hostName = "mugwump";
@@ -64,6 +65,12 @@ with lib;
 
   nix.gc.dates = "monthly";
 
+  age.secrets = let
+    secret = name: depot.users.grfn.secrets."${name}.age";
+  in {
+    cloudflare.file = secret "cloudflare";
+  };
+
   services.depot.auto-deploy = {
     enable = true;
     interval = "1d";
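Review bot: `age.secrets.cloudflare` sets only `file`, so the decrypted `/run/agenix/cloudflare` gets agenix's defaults (owner root, mode 0400) while two different services are pointed at it in the later hunks of this file (`systemd.services.ddclient.serviceConfig.EnvironmentFile` and `security.acme.certs."metrics.gws.fyi".credentialsFile`). systemd reads `EnvironmentFile=` before switching to the unit's user, so root-only is fine for ddclient; whether the acme renewal unit, which runs as its own user in NixOS, consumes `credentialsFile` the same way is not visible here and should be confirmed, otherwise `owner`/`group` need setting on this secret. The contract on the plaintext is also undocumented: it replaces the old `/etc/secrets/cloudflare.env`, so it must be an env-style `KEY=value` file that satisfies both consumers. I would add above `cloudflare.file = secret "cloudflare";` a comment such as `# plaintext is an env-file (KEY=value) consumed by ddclient (EnvironmentFile) and by the acme cloudflare dnsProvider (credentialsFile); keep variable names compatible with both`.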
@@ -132,7 +139,7 @@ with lib;
   };
 
   systemd.services.ddclient.serviceConfig = {
-    EnvironmentFile = "/etc/secrets/cloudflare.env";
+    EnvironmentFile = "/run/agenix/cloudflare";
     DynamicUser = lib.mkForce false;
     ExecStart = lib.mkForce (
       let runtimeDir =
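Review bot: The new `EnvironmentFile = "/run/agenix/cloudflare";` hard-codes the path agenix derives from its secrets directory, and the same literal is repeated in the acme hunk below (`credentialsFile = "/run/agenix/cloudflare";`); if the secret is renamed or `age.secretsDir` changes, both strings silently go stale. Assuming this module receives `config` (its argument list is outside the hunk), prefer `EnvironmentFile = config.age.secrets.cloudflare.path;` here and `credentialsFile = config.age.secrets.cloudflare.path;` there, so the consumers follow the option that defines the file. The `systemd.services.ddclient.serviceConfig` block continues past the end of this hunk.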
@@ -149,7 +156,7 @@ with lib;
 
   security.acme.certs."metrics.gws.fyi" = {
     dnsProvider = "cloudflare";
-    credentialsFile = "/etc/secrets/cloudflare.env";
+    credentialsFile = "/run/agenix/cloudflare";
     webroot = mkForce null;
   };