authorTimo Wilken2023-11-08 20:32:58 +0100
committerTimo Wilken2023-11-08 20:32:58 +0100
commitce00f9c7071a92199596ae19c58bdb623cdf67a6 (patch)
tree8affac8874a26d8b7cb91d363a2b2629df71bfa5 /tw
parent53e10a969148f3ee1a1d434b677e370359873365 (diff)
Track secrets on lud
Diffstat (limited to 'tw')
-rw-r--r--tw/system/files/mythic-dns.scm.enc8
-rw-r--r--tw/system/files/nextcloud-database-password.enc8
-rw-r--r--tw/system/files/restic/lud-nextcloud.enc7
-rw-r--r--tw/system/files/wireguard/lud-fp4.psk.enc8
-rw-r--r--tw/system/files/wireguard/lud-lap.psk.enc8
-rw-r--r--tw/system/files/wireguard/lud-pi3.psk.enc8
-rw-r--r--tw/system/files/wireguard/lud-vin.psk.enc8
-rw-r--r--tw/system/files/wireguard/lud.key.enc8
-rw-r--r--tw/system/lud.scm30
9 files changed, 93 insertions, 0 deletions
diff --git a/tw/system/files/mythic-dns.scm.enc b/tw/system/files/mythic-dns.scm.enc
new file mode 100644
index 00000000..f00fdd06
--- /dev/null
+++ b/tw/system/files/mythic-dns.scm.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyAyRkN6
+ZTlrMkpweFMxZzZkREYzclZWSy9VblU5NkJZY3pUK041eUwxbjJrClc5K05DL3N0
+MXR5bnNSR0NiRzhaV2VWaW5PVW9MWDcwblRNU3FkQmo1aDQKLS0tIGdsVjNDVVZM
+cmQ3ZmFZbG42d00rc0FCUHRJQW9pT29wYmtHT2NVeWdJYUkKX7viRsQ5Eyb7YZDH
+smS/q+v8YJDILSxqlik9jX5tAt/fim8N4vf6wfbwf1TwKzPDA6i9JEeKXA2Hp9WE
+PDGvyXzFmaz5kAm8LmTOC0NT3tY8nxARd6+Gt/eOy1TaA8+fHHU56LH9w+eljTJx
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/nextcloud-database-password.enc b/tw/system/files/nextcloud-database-password.enc
new file mode 100644
index 00000000..4eeb0560
--- /dev/null
+++ b/tw/system/files/nextcloud-database-password.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBFczhq
+M05ycStUclh0cE41UnhuR0NwWWNoTG01S2dNN3lXK2NkYlpHRW5nCkVKcnVZcU80
+M3ZLZStab3FFaDJ0RndsdVhQMSt2YTAzR2xadm9xNTkrWU0KLS0tIEd5L3cwQTNT
+QkRWRi9HdDBnSEQxWkorVGNzSllMTXFQeEFScjJycitqcG8KCHUAzFhnZ2ZrzL+W
+yY4rZObLkg2yfvoj4JLTnsO+QrZyJo+hvyTm8Dx2BuZqf/Nx9V9mLyT2j1hvIFV0
+94+1BIU=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/restic/lud-nextcloud.enc b/tw/system/files/restic/lud-nextcloud.enc
new file mode 100644
index 00000000..8146287d
--- /dev/null
+++ b/tw/system/files/restic/lud-nextcloud.enc
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBMK2My
+cWlSMXJvUk1NVXJFWTlab2QzdXcxZWtPTXBXalRzOHBGS3lzYVFFCmF6R3ZLTVhB
+bElEaTBrWVpRQ01yQzI4TEZ1K3hjVElFaC9oRER2ZWMxN0EKLS0tIGp4M1JLRThk
+T2h6anFWRkpld1dicFZFR1hudkJMellHT3BqMjR0cjh6ZU0Ka0NIaSmfpHNKCA3E
+KKIL3r9BsX8owop1nfpzLWUqd3pnAOy2XnD38OVSjq9jV8e0ZQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud-fp4.psk.enc b/tw/system/files/wireguard/lud-fp4.psk.enc
new file mode 100644
index 00000000..dedc8814
--- /dev/null
+++ b/tw/system/files/wireguard/lud-fp4.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA5Y2dn
+N0M2dkZZN3MyU0dMbnExbGdBSEVlVGxIVjkwY1VieEN3TWR5cDE0CnFIS1ZsSDll
+UHNwaG1jZU1LQTJGSE5nS2hsMkRVdmhrUFhMYVlwMHdOaGcKLS0tIHY1bjkzcE9t
+UzlySGxtUFRuQUIyYldmY1ZpeTlXOVFYYmdRQXBuUmN1Z2MK14xQAizZ0KvIA0DR
+2IEexRvj8V49M5fSShXxQrY3RU+s96Dg5d1giDFvYmIpwQbECFKDwYKfSMQwVtpW
+R9XiBZz2ptyPgQJ19Kku12k=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud-lap.psk.enc b/tw/system/files/wireguard/lud-lap.psk.enc
new file mode 100644
index 00000000..91d1bb1a
--- /dev/null
+++ b/tw/system/files/wireguard/lud-lap.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA3VGNL
+NHhLejluZzk1K3B4bzdUaThzU2Z3TWMzZUJrV0tGWHlnY2xSangwCm1pSUFYV3k2
+UHdIT25adWhVRXZ5eXJqR2ZyVVhtdnpOd1V5aWlpVG91c00KLS0tIHpjV1Y5blNO
+bysvbHJUWFprTUtrM054VDZwaTFPWHArb1JES2lNWVNUbUUKPAedksMUAimxMhC1
+Qad62SexojfI3+iI/vzdEDhjNOpohMBPejy4cLPY3EpQKtp3XoFz8S5E2hd+SraQ
+bJcw6u7JGgr3zdKBrI6TW/Y=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud-pi3.psk.enc b/tw/system/files/wireguard/lud-pi3.psk.enc
new file mode 100644
index 00000000..32b8097a
--- /dev/null
+++ b/tw/system/files/wireguard/lud-pi3.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyAwWmVh
+dFZ1S2ZCOXpNZ1VkNmFtcVBzOGczV1FUV2U1eVdZQXVvTFhLL0dZCkRBZE5KTERL
+UFBlQ1c3NnhMNllsRTF0QVN5ZERiUFVpQTVONVY5WkZaWmcKLS0tIDNPaWlVYS9L
+cm1lU21obm9Yb1h4djhDTk5jQ1prbnF4VnptNmVCY0p6c1EKWijtgsgWpKl+d5tL
+Mf16dmJ31IzLNuY8uy0VFtiAqLnyfa5mpYpDUG9OH/i80zDrlqWOQpWtrp76BLdT
+PfILs3kDlReEYXlPSNVSyIQ=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud-vin.psk.enc b/tw/system/files/wireguard/lud-vin.psk.enc
new file mode 100644
index 00000000..693a886a
--- /dev/null
+++ b/tw/system/files/wireguard/lud-vin.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBHRjlH
+OUVkb1VvZ3N0WFl0MzFyeGIzcVJvWGVNQ0lZN2Y2VWNJS3RldnpBCkZWdlZBSFNw
+QlBjM2dsbU5rYTQrQlFTWnlzY1VxY3ltbjkwek42Q1lMc0kKLS0tIExud1NrOWhi
+a0d1bmdIL1FERWhVK2ZDbytSRGd5R0M2Z2dia3BPMEp2aTQKQPxKQXV49/O/5IAW
+/nm4VVQKUfR5vZrp7Y9syodHz9+wm1zEoAELpRFyhLhd9DH1v0Bk2q+36lysKXD0
+FKd4ldl2NvSmt4o39YM3BP0=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud.key.enc b/tw/system/files/wireguard/lud.key.enc
new file mode 100644
index 00000000..5001f4ce
--- /dev/null
+++ b/tw/system/files/wireguard/lud.key.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBFcGhX
+RWF4RUhQYThRV3dtOTBLQlZJWmJNQWlUU3Y4UnpaNFZuUGJ0Z3pFCmtUcjl6TEpp
+UE50ejIySTNGQ3JBTmNUWjVVNjVrdzFDSHZFQnVlYkVkaEkKLS0tIEVqWGN3b0Ni
+cVBrZVpzelllb0dLZVljV2x3RkZNTkMyQzVSY0RnSXIwVWsKW42mh3RidTcaeqqV
+3+Fbk3w9S1c3TKpO3Pz6Ei2SpH2V9zfNnQjJYfJFumZzQbDNAx956KaBvarjiDjk
+omyjFTuUtAUjZslkDuz3h0s=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 5ea47fa0..295f1739 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -9,6 +9,7 @@
#:use-module (tw services nextcloud)
#:use-module (tw services matrix)
#:use-module (tw services media)
+ #:use-module (tw services secrets)
#:use-module (tw system))
(use-package-modules admin bash certs databases linux man php python rsync
@@ -184,6 +185,35 @@ innodb_io_capacity = 4000
;; TODO: Syncthing exporter
;; TODO: Transmission exporter
+ (service secrets-service-type
+ (secrets-configuration
+ (secrets
+ (list
+ (secret
+ (encrypted-file (local-file "files/mythic-dns.scm.enc"))
+ (destination "/etc/mythic-dns.scm"))
+ (secret
+ (encrypted-file (local-file "files/nextcloud-database-password.enc"))
+ (destination "/etc/nextcloud-database-password.enc"))
+ (secret
+ (encrypted-file (local-file "files/restic/lud-nextcloud.enc"))
+ (destination "/etc/restic/lud-nextcloud"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap.key.enc"))
+ (destination "/etc/wireguard/private.key"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-fp4.psk.enc"))
+ (destination "/etc/wireguard/fp4.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-lud.psk.enc"))
+ (destination "/etc/wireguard/lud.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-pi3.psk.enc"))
+ (destination "/etc/wireguard/pi3.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-vin.psk.enc"))
+ (destination "/etc/wireguard/vin.psk"))))))
+
;; Only this server has SSDs, not vin.
(simple-service 'fstrim mcron-service-type
(list #~(job "0 4 * * *" ; after guix gc
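Review bot: The last five `secret` entries reference `files/wireguard/lap.key.enc` and `lap-*.psk.enc`, but this commit adds `lud.key.enc`, `lud-fp4.psk.enc`, `lud-lap.psk.enc`, `lud-pi3.psk.enc` and `lud-vin.psk.enc`, so none of the new WireGuard ciphertexts are used by lud. If the `lap` files exist elsewhere in the tree, lud would either fail to decrypt them or install another host's private key and pre-shared keys; as written it also gets a PSK for itself at `/etc/wireguard/lud.psk` and none for lap. The fence shows the presumed intent; the `/etc/wireguard/lap.psk` destination is inferred and should be checked against the WireGuard peer configuration. Separately, the decrypted Nextcloud password is written to `/etc/nextcloud-database-password.enc`, and an `.enc` suffix on a plaintext file looks unintended, so confirm it against whatever reads that path. The enclosing service list starts and ends outside the hunk.

```scheme
;; … unchanged: mythic-dns, nextcloud-database-password and restic secrets …
(secret
 (encrypted-file (local-file "files/wireguard/lud.key.enc"))
 (destination "/etc/wireguard/private.key"))
(secret
 (encrypted-file (local-file "files/wireguard/lud-fp4.psk.enc"))
 (destination "/etc/wireguard/fp4.psk"))
(secret
 (encrypted-file (local-file "files/wireguard/lud-lap.psk.enc"))
 (destination "/etc/wireguard/lap.psk"))
(secret
 (encrypted-file (local-file "files/wireguard/lud-pi3.psk.enc"))
 (destination "/etc/wireguard/pi3.psk"))
(secret
 (encrypted-file (local-file "files/wireguard/lud-vin.psk.enc"))
 (destination "/etc/wireguard/vin.psk"))))))
```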