-rw-r--r--home/profiles/darwin.nix13
-rw-r--r--home/programs/restic.nix8
-rw-r--r--machines/argonath.nix16
-rw-r--r--machines/bree.nix18
-rw-r--r--machines/mba-personal.nix14
-rw-r--r--machines/mbp-work.nix7
-rw-r--r--machines/rivendell.nix48
-rw-r--r--profiles/home-manager.nix1
-rw-r--r--secrets/acme-cloudflare-env.agebin380 -> 380 bytes
-rw-r--r--secrets/anthropic-api-key.age7
-rw-r--r--secrets/argonath/wireguard.agebin367 -> 367 bytes
-rw-r--r--secrets/authelia-jwks.agebin2026 -> 2026 bytes
-rw-r--r--secrets/authelia-jwt-key.agebin409 -> 409 bytes
-rw-r--r--secrets/authelia-storage-key.agebin409 -> 409 bytes
-rw-r--r--secrets/authelia-users.yaml.agebin581 -> 581 bytes
-rw-r--r--secrets/bree/disk-passphrase.age13
-rw-r--r--secrets/bree/disk-unlock-key.agebin721 -> 721 bytes
-rw-r--r--secrets/bree/wireguard.age14
-rw-r--r--secrets/grafana-oidc.age12
-rw-r--r--secrets/miniflux-oidc.agebin395 -> 395 bytes
-rw-r--r--secrets/restic-nas-smb-config.agebin431 -> 431 bytes
-rw-r--r--secrets/restic-pw.age12
-rw-r--r--secrets/rivendell/wireguard.agebin367 -> 367 bytes
-rw-r--r--secrets/rsync-ssh-nas.agebin721 -> 721 bytes
-rw-r--r--secrets/secrets.nix3
-rw-r--r--secrets/ssh-remote-builder.agebin721 -> 721 bytes
-rw-r--r--secrets/users/fcuny/anthropic-api-key.agebin321 -> 0 bytes
-rw-r--r--secrets/users/fcuny/llm.agebin413 -> 0 bytes
28 files changed, 98 insertions, 88 deletions
diff --git a/home/profiles/darwin.nix b/home/profiles/darwin.nix
index c0e9a8e..d8942c8 100644
--- a/home/profiles/darwin.nix
+++ b/home/profiles/darwin.nix
@@ -1,16 +1,5 @@
{ pkgs, config, ... }:
{
- age = {
- identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ];
- secretsDir = "${config.home.homeDirectory}/.local/share/agenix";
-
- secrets = {
- anthropic-api-key = {
- file = ../../secrets/users/fcuny/anthropic-api-key.age;
- };
- };
- };
-
imports = [
../programs/aider.nix
../programs/bat.nix
@@ -46,7 +35,7 @@
};
programs.fish.shellInit = ''
- export ANTHROPIC_API_KEY="$(cat ${config.age.secrets.anthropic-api-key.path})"
+ export ANTHROPIC_API_KEY="$(cat /run/agenix/anthropic-api-key)"
'';
home.sessionPath = [
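Review bot: The `cat /run/agenix/anthropic-api-key` on the new export line runs unconditionally at every fish startup, and the path is now a hard-coded string rather than the host's `age.secrets` declaration, so any Darwin host that imports this profile without declaring that secret gets a `cat` error on every shell and an empty `ANTHROPIC_API_KEY`. Guard it: `if test -r /run/agenix/anthropic-api-key; export ANTHROPIC_API_KEY="$(cat /run/agenix/anthropic-api-key)"; end`. Exporting the key into every interactive shell's environment also hands it to every child process; the commit does not change that, but if only one or two tools need it, loading it in their wrappers instead would be a worthwhile follow-up. The `config` argument on line 1 may now be unused in this file if this was its only use.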
diff --git a/home/programs/restic.nix b/home/programs/restic.nix
index 0661251..582384f 100644
--- a/home/programs/restic.nix
+++ b/home/programs/restic.nix
@@ -21,15 +21,9 @@ in
{
home.packages = with pkgs; [ restic ];
- age.secrets.restic-password = {
- file = ../../secrets/restic-pw.age;
- path = "${config.home.homeDirectory}/.config/restic/password";
- mode = "400";
- };
-
home.sessionVariables = {
RESTIC_REPOSITORY = resticRepository;
- RESTIC_PASSWORD_FILE = config.age.secrets.restic-password.path;
+ RESTIC_PASSWORD_FILE = "/run/agenix/restic-password";
};
home.file.".config/restic/includes" = {
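Review bot: `RESTIC_PASSWORD_FILE` now names `/run/agenix/restic-password`, a path this module no longer provisions, so the home module silently depends on the host declaring `age.secrets.restic-password` (only machines/mba-personal.nix does so in this commit), and the explicit `mode = "400"` that was removed is no longer enforced from here — whatever mode the system-side declaration defaults to now applies, which is worth confirming is still owner-read-only. Add a comment next to the new line, e.g. `# provisioned system-side by age.secrets.restic-password (machines/mba-personal.nix); this module does not manage the file`, and consider passing the real path in (via `extraSpecialArgs` or a shared constant) so a rename of the secret does not leave this string stale. The enclosing module starts before this hunk, so whether `config` is still used elsewhere in it is not visible here.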
diff --git a/machines/argonath.nix b/machines/argonath.nix
index 3d1b1eb..d1f1f7e 100644
--- a/machines/argonath.nix
+++ b/machines/argonath.nix
@@ -1,5 +1,13 @@
{ adminUser, ... }:
{
+ wgPublicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi9jHqRjpMzXlznTXi4nEtlRlFfyIzB6Ur9A+HDfFoq";
+
+ age.secrets = {
+ wireguard.file = ../secrets/argonath/wireguard.age;
+ acme-cloudflare-env.file = ../secrets/acme-cloudflare-env.age;
+ };
+
imports = [
../profiles/core-metrics.nix
../profiles/defaults.nix
@@ -15,14 +23,6 @@
networking.hostName = "argonath";
- wgPublicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi9jHqRjpMzXlznTXi4nEtlRlFfyIzB6Ur9A+HDfFoq";
-
- age.secrets = {
- wireguard.file = ../secrets/argonath/wireguard.age;
- acme-cloudflare-env.file = ../secrets/acme-cloudflare-env.age;
- };
-
system.stateVersion = "25.05"; # Did you read the comment?
home-manager.users.${adminUser.name} = {
diff --git a/machines/bree.nix b/machines/bree.nix
index 24089a0..1560ce6 100644
--- a/machines/bree.nix
+++ b/machines/bree.nix
@@ -5,6 +5,15 @@
...
}:
{
+ wgPublicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFM4wZaYwz8kuu6lNrdrN6QOyouGQ0v1ye+Iwh1jawNi";
+
+ age.secrets = {
+ wireguard.file = ../secrets/bree/wireguard.age;
+ disk-unlock-key.file = ../secrets/bree/disk-unlock-key.age;
+ disk-passphrase.file = ../secrets/bree/disk-passphrase.age;
+ };
+
imports = [
../profiles/core-metrics.nix
../profiles/defaults.nix
@@ -21,15 +30,6 @@
networking.useDHCP = lib.mkDefault true;
systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
- wgPublicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFM4wZaYwz8kuu6lNrdrN6QOyouGQ0v1ye+Iwh1jawNi";
-
- age.secrets = {
- wireguard.file = ../secrets/bree/wireguard.age;
- disk-unlock-key.file = ../secrets/bree/disk-unlock-key.age;
- disk-passphrase.file = ../secrets/bree/disk-passphrase.age;
- };
-
services.remoteDiskUnlock = {
enable = true;
hosts = [
diff --git a/machines/mba-personal.nix b/machines/mba-personal.nix
index 2d82567..0ce4279 100644
--- a/machines/mba-personal.nix
+++ b/machines/mba-personal.nix
@@ -1,6 +1,18 @@
{ adminUser, pkgs, ... }:
{
- age.secrets.ssh-remote-builder.file = ../secrets/ssh-remote-builder.age;
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c";
+
+ age.secrets = {
+ ssh-remote-builder.file = ../secrets/ssh-remote-builder.age;
+ anthropic-api-key = {
+ file = ../secrets/anthropic-api-key.age;
+ owner = "${toString adminUser.uid}";
+ };
+ restic-password = {
+ file = ../secrets/restic-pw.age;
+ owner = "${toString adminUser.uid}";
+ };
+ };
imports = [
../profiles/darwin.nix
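Review bot: `restic-password` is declared here for the first time, but the only recipient change in secrets/secrets.nix is for `anthropic-api-key.age`; unless `restic-pw.age` already lists this host's key (its recipient entry is outside the diff, and the re-encrypted blob only shows the key IDs `pFjJaA` and `Y5h84Q`, which I cannot map to `hosts.mba` from here), activation will fail to decrypt it, so please confirm that list. Separately, both secrets use `owner = "${toString adminUser.uid}"`, a numeric uid wrapped in a redundant interpolation; `owner = toString adminUser.uid;` is equivalent, and `owner = adminUser.name;` (the identifier the other machine files already use for `home-manager.users`) would read more clearly and survive a uid change, assuming agenix-darwin accepts a name as the other modules do.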
diff --git a/machines/mbp-work.nix b/machines/mbp-work.nix
index 16d9c59..851444a 100644
--- a/machines/mbp-work.nix
+++ b/machines/mbp-work.nix
@@ -1,5 +1,12 @@
{ adminUser, pkgs, ... }:
{
+ age.secrets = {
+ anthropic-api-key = {
+ file = ../secrets/users/fcuny/anthropic-api-key.age;
+ owner = "${toString adminUser.uid}";
+ };
+ };
+
imports = [
../profiles/darwin.nix
../profiles/home-manager.nix
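Review bot: The new `anthropic-api-key.file` points at `../secrets/users/fcuny/anthropic-api-key.age`, which this same commit deletes (see the `deleted file mode` entry for that path), so evaluating mbp-work will fail with a missing-path error. If the work laptop should carry the key, change it to `file = ../secrets/anthropic-api-key.age;` and add this host's key to that entry in secrets/secrets.nix (the hunk there only adds `hosts.mba`), then re-encrypt. If it should not — keeping a personal API key off a work machine is a reasonable choice — drop this block, in which case the unconditional `cat /run/agenix/anthropic-api-key` in home/profiles/darwin.nix's `shellInit` needs a readability guard so every shell on this host does not print an error.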
diff --git a/machines/rivendell.nix b/machines/rivendell.nix
index 6b16d67..0c4ac28 100644
--- a/machines/rivendell.nix
+++ b/machines/rivendell.nix
@@ -5,27 +5,8 @@
...
}:
{
- imports = [
- ../profiles/authelia.nix
- ../profiles/core-metrics.nix
- ../profiles/defaults.nix
- ../profiles/disk/btrfs-on-luks.nix
- ../profiles/git-server.nix
- ../profiles/hardware/framework-desktop.nix
- ../profiles/home-manager.nix
- ../profiles/miniflux.nix
- ../profiles/monitoring.nix
- ../profiles/remote-unlock.nix
- ../profiles/restic-backup.nix
- ../profiles/server.nix
- ../profiles/storage-media.nix
- ../profiles/users/admin-user.nix
- ../profiles/users/builder.nix
- ../profiles/users/home-manager.nix
- ../profiles/wireguard.nix
- ];
-
- boot.kernelModules = [ "sg" ];
+ wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
age.secrets = {
wireguard.file = ../secrets/rivendell/wireguard.age;
@@ -52,13 +33,32 @@
};
};
+ imports = [
+ ../profiles/authelia.nix
+ ../profiles/core-metrics.nix
+ ../profiles/defaults.nix
+ ../profiles/disk/btrfs-on-luks.nix
+ ../profiles/git-server.nix
+ ../profiles/hardware/framework-desktop.nix
+ ../profiles/home-manager.nix
+ ../profiles/miniflux.nix
+ ../profiles/monitoring.nix
+ ../profiles/remote-unlock.nix
+ ../profiles/restic-backup.nix
+ ../profiles/server.nix
+ ../profiles/storage-media.nix
+ ../profiles/users/admin-user.nix
+ ../profiles/users/builder.nix
+ ../profiles/users/home-manager.nix
+ ../profiles/wireguard.nix
+ ];
+
+ boot.kernelModules = [ "sg" ];
+
networking.hostName = "rivendell";
networking.useDHCP = lib.mkDefault true;
systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
- wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
-
services = {
website = {
enable = true;
diff --git a/profiles/home-manager.nix b/profiles/home-manager.nix
index 6db8dd0..1b77b27 100644
--- a/profiles/home-manager.nix
+++ b/profiles/home-manager.nix
@@ -21,7 +21,6 @@
};
home-manager.sharedModules = [
- inputs.agenix.homeManagerModules.default
../home/modules/userinfo.nix
]
++ (if pkgs.stdenv.isDarwin then [ inputs.mac-app-util.homeManagerModules.default ] else [ ]);
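Review bot: Dropping `inputs.agenix.homeManagerModules.default` from `sharedModules` removes the `age.*` option namespace from every home-manager user, not just the two modules this commit migrates; any remaining home module that sets `age.secrets` or reads `config.age.secrets.<name>.path` will now fail evaluation with an undefined-option error. A `grep -rn 'config.age\|age.secrets' home/` before merging would confirm nothing else depended on it. A one-line comment such as `# secrets are provisioned system-side via age.secrets in machines/*.nix; the HM agenix module is intentionally not loaded` would keep the next person from re-adding it.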
diff --git a/secrets/acme-cloudflare-env.age b/secrets/acme-cloudflare-env.age
index db0a29e..7d538bc 100644
--- a/secrets/acme-cloudflare-env.age
+++ b/secrets/acme-cloudflare-env.age
Binary files differ
diff --git a/secrets/anthropic-api-key.age b/secrets/anthropic-api-key.age
new file mode 100644
index 0000000..1f985b7
--- /dev/null
+++ b/secrets/anthropic-api-key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 pFjJaA yI+KEvnDxw4YJOCs5rf3CF+rgYxAIukvnvJyi8Mgkig
+YVc6u5MQJscBYjeXGNgIf1Zlg5U/I7ipAqgvVmOEV6g
+-> ssh-ed25519 E2Yu8Q PBIOCRrQeVxmWdZAuMB5f0FPCGKYvebHBS33vZ1hFHg
+xb9t9EDGIjhbgr/y76PYXHx28JQdjIv4V5a/TzBnSQQ
+--- ttindQRKMzXBKuIY2aPx5HIuf73gk2q5jQNKb3MPyoo
+1^($ܠqyvJ{/*uXésci{Φ+CP3'jo?l}E@e~FCyFhNsmyES9q\%q4 \ No newline at end of file
diff --git a/secrets/argonath/wireguard.age b/secrets/argonath/wireguard.age
index 5ae3a5b..411dde8 100644
--- a/secrets/argonath/wireguard.age
+++ b/secrets/argonath/wireguard.age
Binary files differ
diff --git a/secrets/authelia-jwks.age b/secrets/authelia-jwks.age
index 4f4d52b..cd10015 100644
--- a/secrets/authelia-jwks.age
+++ b/secrets/authelia-jwks.age
Binary files differ
diff --git a/secrets/authelia-jwt-key.age b/secrets/authelia-jwt-key.age
index ac2058f..d7a5570 100644
--- a/secrets/authelia-jwt-key.age
+++ b/secrets/authelia-jwt-key.age
Binary files differ
diff --git a/secrets/authelia-storage-key.age b/secrets/authelia-storage-key.age
index f315afe..e4d38dd 100644
--- a/secrets/authelia-storage-key.age
+++ b/secrets/authelia-storage-key.age
Binary files differ
diff --git a/secrets/authelia-users.yaml.age b/secrets/authelia-users.yaml.age
index d21f4e0..9bc44eb 100644
--- a/secrets/authelia-users.yaml.age
+++ b/secrets/authelia-users.yaml.age
Binary files differ
diff --git a/secrets/bree/disk-passphrase.age b/secrets/bree/disk-passphrase.age
index 3811173..95c3c40 100644
--- a/secrets/bree/disk-passphrase.age
+++ b/secrets/bree/disk-passphrase.age
@@ -1,8 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA r/Q4nB/VcKaVXoJjDuIgnMVUr5K0rhrsVVq2lvQgQRQ
-ZmwHs0sWxVKjS9njqPQR4rEV1aXxS80wWJQrAuf47vM
--> ssh-ed25519 OxmK1A /9e7fHg/Nh929cY7+0EagkxwME4jo0RxzBwdh8tuZnM
-9UPI8Vnwebjick9WPlcT8lvNub687qchX4D4ntbanos
---- bwBCnL9gJhzuygCddmh0h0OXh/C6ysAgMfH9QBrQUMY
-
-I4ڍ:;X3T.n{A0^笆4F]P.uΕެ \ No newline at end of file
+-> ssh-ed25519 pFjJaA amjhPadNRYlNHV8VnR2l/p31tUXDeAeeq0wdOLfa61w
+a8ja6ZNQecw/32i4REXdjEn7VxD74PXfjbPYMq0q6XI
+-> ssh-ed25519 OxmK1A 1kpfibZx+8BnID8GcKYrRdB0D0hZSNxmzS7SEIutSn8
+xh5UvhD6nxoKZn1iq7CCZKRIUpnfnccGsZmkfw3EYlc
+--- ltJag28NYz/qET0O3UdDLrn8Uw1XNzK/yKlGyWGngnA
+V<O/(gF p#>sH]bM9X!I^ M b3 wA \ No newline at end of file
diff --git a/secrets/bree/disk-unlock-key.age b/secrets/bree/disk-unlock-key.age
index 6d9a549..a67976f 100644
--- a/secrets/bree/disk-unlock-key.age
+++ b/secrets/bree/disk-unlock-key.age
Binary files differ
diff --git a/secrets/bree/wireguard.age b/secrets/bree/wireguard.age
index de570fa..33ff5fe 100644
--- a/secrets/bree/wireguard.age
+++ b/secrets/bree/wireguard.age
@@ -1,7 +1,9 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA 0gvJUmVKqpTedh5fWA1vMslSIUXGfVFS9bArPGEiZko
-NuKvkX+sCZE59zqkbF+ecDsqqvGxJd7Fjyc/wZfTtMM
--> ssh-ed25519 OxmK1A 1NL6Ai4P/bB9un6eQqDacBcs7gbUI2wEaXLqO5EujQk
-xdpVqWKmAi2pofuDnp3U4y8gUnib8/LK4LsD9ATTdy4
---- cq7KLv/+tx4zisjpe+cny29DcmKhOhee1SWxaR80KlU
-x6Q42ftDdеQQGd Lz=3 d1PfUM9~OcP*yP \ No newline at end of file
+-> ssh-ed25519 pFjJaA y5EPSfL02alDpNQhDF7cC4hEfqw8nlC6lt9A4dw+Xyc
+Kkz1lBQ0x5esAz7lzE8TRKwB7MBZIkDfzYQ9aOA/ctU
+-> ssh-ed25519 OxmK1A 8GV691zYXFVjzYSkb/uvDAKXHHiDQVBiACF0eVc3an4
+vPp5DwhbcdrcpjUQWYMr/HObpihC8yAT5rC7JkalIN0
+--- O4riBfvot65rkI4y8t1tzCyw7g5kAwsD4F6AsrMKuCw
+,ˀ
+z cw4KbPw"1W%*XoEVc
+8HSFBT/@& \ No newline at end of file
diff --git a/secrets/grafana-oidc.age b/secrets/grafana-oidc.age
index deaf0c4..3f96b88 100644
--- a/secrets/grafana-oidc.age
+++ b/secrets/grafana-oidc.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA nXdpTOxE+KOi+hkTl8WrFzsXTLlX6JQhY/6+w6ZcZ0k
-6TZjec0mdP37hXGXEev7dN27BqGhvO0EVEJi7XPJsrc
--> ssh-ed25519 Y5h84Q 1um4Z+C9sRiHVMEJszpc4ygNhONX0tNvAsABlvDmwHA
-IN3pQyGFCRWphTHLAaxrCVci0OaRViHUaZYqZPEA14A
---- ABsJxwFEMn+GNkH+BqcrSIFfeZJaqSvRTNid1yEDJaA
-F꧒bRMwɨqo ;\1nD4 XQLU*oIM:YyItƖJE@ i˸\a% \ No newline at end of file
+-> ssh-ed25519 pFjJaA HdsOVYuL1Wrr551YuIUYMEhd0KA/SJEYvyIlsW6wbQw
+hbQVHyLr23NMuHR+l0fgMS/1wHPK39aQayb8QNK7xe0
+-> ssh-ed25519 Y5h84Q ADIdN9tU4YwPoLPDcUZ4Z1zprmI1ykkXogQg1EgtxVY
+ThkxeGFVVpRJQSTQddClQwbJSxeY3jl+4M4O8vadBo8
+--- rNXcnjt5DbSSgiiPcNBlKeGhArFVff5aCtGm78z1sUo
+T*L2nIpcHXƧBWbɱuGvE9N}g e$h7=1L<U: \ No newline at end of file
diff --git a/secrets/miniflux-oidc.age b/secrets/miniflux-oidc.age
index ba2457f..77dc7fc 100644
--- a/secrets/miniflux-oidc.age
+++ b/secrets/miniflux-oidc.age
Binary files differ
diff --git a/secrets/restic-nas-smb-config.age b/secrets/restic-nas-smb-config.age
index 74047f0..acb515a 100644
--- a/secrets/restic-nas-smb-config.age
+++ b/secrets/restic-nas-smb-config.age
Binary files differ
diff --git a/secrets/restic-pw.age b/secrets/restic-pw.age
index e31115e..3c6e3d6 100644
--- a/secrets/restic-pw.age
+++ b/secrets/restic-pw.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA 93OdFK5vyi9aXKsbdBv+IXPEwZv10t+BTHCBC2EyoXo
-WouHs78MciA5/sk85pMl0lpWqeCe0cTjMohvuKeBawE
--> ssh-ed25519 Y5h84Q ciIyqDWsGxojjG8cSY57HXs7Fqu7zExnpDN4SxavmmY
-w+7oNXkXpOaOLnUUIJBG6wHZyORWxZXyokNmoc8O7GM
---- GTA4ZcvzcN6lHSCAqz8RWWJnLu2StkAys/Rt6WWWrnY
-D2hN!I6吓^m*GI)w+/ \ No newline at end of file
+-> ssh-ed25519 pFjJaA BDxbdGKOHMfWwakq8+CYHWvVSIMXOcgDqri1RQrjyxc
+dtNirwH4Sds82/iysIgOQf7sjbkTI4yc08VfKTxIsG4
+-> ssh-ed25519 Y5h84Q nzkqXhFSH2cH9VRubGuEJyOA6F+614F8jHhuK8twNXY
+1b88Yeku4ref6kq8UvRokofXf6OyMzQFeSAsKQYdeNI
+--- d6YVTAvCyB9p/wbcQkSNSF92QsTFVnQTRZUgkbFBF60
+sjң@ 8QtO)pM~Y]י)&6[Ad6X=+ \ No newline at end of file
diff --git a/secrets/rivendell/wireguard.age b/secrets/rivendell/wireguard.age
index edc808d..2612e9e 100644
--- a/secrets/rivendell/wireguard.age
+++ b/secrets/rivendell/wireguard.age
Binary files differ
diff --git a/secrets/rsync-ssh-nas.age b/secrets/rsync-ssh-nas.age
index b71e4ca..cb798c2 100644
--- a/secrets/rsync-ssh-nas.age
+++ b/secrets/rsync-ssh-nas.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2930859..78d2b0a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -98,7 +98,8 @@ in
hosts.argonath
];
- "users/fcuny/anthropic-api-key.age".publicKeys = [
+ "anthropic-api-key.age".publicKeys = [
users.fcuny
+ hosts.mba
];
}
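Review bot: The recipient list for the relocated `anthropic-api-key.age` adds only `hosts.mba`, yet machines/mbp-work.nix in this same commit also declares that secret (still under the old `users/fcuny/` path), and no mbp-work host key is granted here, so that host could not decrypt the file even once its path is fixed; either add its host identity (whatever it is named in the `let` block above, which is outside this hunk) and re-encrypt, or remove the declaration from mbp-work.nix. Encrypting a personal API key to a host key also widens access from the user identity to anyone with root on that machine — the usual agenix trade-off, but worth a comment on this entry. Moving the file out of `users/fcuny/` does not purge the old ciphertext from git history and nothing in this diff rotates the key itself, so if the old recipient key is ever considered compromised the Anthropic key still has to be rotated at the provider.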
diff --git a/secrets/ssh-remote-builder.age b/secrets/ssh-remote-builder.age
index 374b72e..0c8b5b3 100644
--- a/secrets/ssh-remote-builder.age
+++ b/secrets/ssh-remote-builder.age
Binary files differ
diff --git a/secrets/users/fcuny/anthropic-api-key.age b/secrets/users/fcuny/anthropic-api-key.age
deleted file mode 100644
index 650e54e..0000000
--- a/secrets/users/fcuny/anthropic-api-key.age
+++ /dev/null
Binary files differ
diff --git a/secrets/users/fcuny/llm.age b/secrets/users/fcuny/llm.age
deleted file mode 100644
index 4d623d8..0000000
--- a/secrets/users/fcuny/llm.age
+++ /dev/null
Binary files differ