From ce00f9c7071a92199596ae19c58bdb623cdf67a6 Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Wed, 8 Nov 2023 20:32:58 +0100
Subject: Track secrets on lud
---
 tw/system/files/mythic-dns.scm.enc | 8 +++++++
 tw/system/files/nextcloud-database-password.enc | 8 +++++++
 tw/system/files/restic/lud-nextcloud.enc | 7 ++++++
 tw/system/files/wireguard/lud-fp4.psk.enc | 8 +++++++
 tw/system/files/wireguard/lud-lap.psk.enc | 8 +++++++
 tw/system/files/wireguard/lud-pi3.psk.enc | 8 +++++++
 tw/system/files/wireguard/lud-vin.psk.enc | 8 +++++++
 tw/system/files/wireguard/lud.key.enc | 8 +++++++
 tw/system/lud.scm | 30 +++++++++++++++++++++++++
 9 files changed, 93 insertions(+)
 create mode 100644 tw/system/files/mythic-dns.scm.enc
 create mode 100644 tw/system/files/nextcloud-database-password.enc
 create mode 100644 tw/system/files/restic/lud-nextcloud.enc
 create mode 100644 tw/system/files/wireguard/lud-fp4.psk.enc
 create mode 100644 tw/system/files/wireguard/lud-lap.psk.enc
 create mode 100644 tw/system/files/wireguard/lud-pi3.psk.enc
 create mode 100644 tw/system/files/wireguard/lud-vin.psk.enc
 create mode 100644 tw/system/files/wireguard/lud.key.enc
(limited to 'tw')
diff --git a/tw/system/files/mythic-dns.scm.enc b/tw/system/files/mythic-dns.scm.enc
new file mode 100644
index 00000000..f00fdd06
--- /dev/null
+++ b/tw/system/files/mythic-dns.scm.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyAyRkN6
+ZTlrMkpweFMxZzZkREYzclZWSy9VblU5NkJZY3pUK041eUwxbjJrClc5K05DL3N0
+MXR5bnNSR0NiRzhaV2VWaW5PVW9MWDcwblRNU3FkQmo1aDQKLS0tIGdsVjNDVVZM
+cmQ3ZmFZbG42d00rc0FCUHRJQW9pT29wYmtHT2NVeWdJYUkKX7viRsQ5Eyb7YZDH
+smS/q+v8YJDILSxqlik9jX5tAt/fim8N4vf6wfbwf1TwKzPDA6i9JEeKXA2Hp9WE
+PDGvyXzFmaz5kAm8LmTOC0NT3tY8nxARd6+Gt/eOy1TaA8+fHHU56LH9w+eljTJx
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/nextcloud-database-password.enc b/tw/system/files/nextcloud-database-password.enc
new file mode 100644
index 00000000..4eeb0560
--- /dev/null
+++ b/tw/system/files/nextcloud-database-password.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBFczhq
+M05ycStUclh0cE41UnhuR0NwWWNoTG01S2dNN3lXK2NkYlpHRW5nCkVKcnVZcU80
+M3ZLZStab3FFaDJ0RndsdVhQMSt2YTAzR2xadm9xNTkrWU0KLS0tIEd5L3cwQTNT
+QkRWRi9HdDBnSEQxWkorVGNzSllMTXFQeEFScjJycitqcG8KCHUAzFhnZ2ZrzL+W
+yY4rZObLkg2yfvoj4JLTnsO+QrZyJo+hvyTm8Dx2BuZqf/Nx9V9mLyT2j1hvIFV0
+94+1BIU=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/restic/lud-nextcloud.enc b/tw/system/files/restic/lud-nextcloud.enc
new file mode 100644
index 00000000..8146287d
--- /dev/null
+++ b/tw/system/files/restic/lud-nextcloud.enc
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBMK2My
+cWlSMXJvUk1NVXJFWTlab2QzdXcxZWtPTXBXalRzOHBGS3lzYVFFCmF6R3ZLTVhB
+bElEaTBrWVpRQ01yQzI4TEZ1K3hjVElFaC9oRER2ZWMxN0EKLS0tIGp4M1JLRThk
+T2h6anFWRkpld1dicFZFR1hudkJMellHT3BqMjR0cjh6ZU0Ka0NIaSmfpHNKCA3E
+KKIL3r9BsX8owop1nfpzLWUqd3pnAOy2XnD38OVSjq9jV8e0ZQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud-fp4.psk.enc b/tw/system/files/wireguard/lud-fp4.psk.enc
new file mode 100644
index 00000000..dedc8814
--- /dev/null
+++ b/tw/system/files/wireguard/lud-fp4.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA5Y2dn
+N0M2dkZZN3MyU0dMbnExbGdBSEVlVGxIVjkwY1VieEN3TWR5cDE0CnFIS1ZsSDll
+UHNwaG1jZU1LQTJGSE5nS2hsMkRVdmhrUFhMYVlwMHdOaGcKLS0tIHY1bjkzcE9t
+UzlySGxtUFRuQUIyYldmY1ZpeTlXOVFYYmdRQXBuUmN1Z2MK14xQAizZ0KvIA0DR
+2IEexRvj8V49M5fSShXxQrY3RU+s96Dg5d1giDFvYmIpwQbECFKDwYKfSMQwVtpW
+R9XiBZz2ptyPgQJ19Kku12k=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud-lap.psk.enc b/tw/system/files/wireguard/lud-lap.psk.enc
new file mode 100644
index 00000000..91d1bb1a
--- /dev/null
+++ b/tw/system/files/wireguard/lud-lap.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA3VGNL
+NHhLejluZzk1K3B4bzdUaThzU2Z3TWMzZUJrV0tGWHlnY2xSangwCm1pSUFYV3k2
+UHdIT25adWhVRXZ5eXJqR2ZyVVhtdnpOd1V5aWlpVG91c00KLS0tIHpjV1Y5blNO
+bysvbHJUWFprTUtrM054VDZwaTFPWHArb1JES2lNWVNUbUUKPAedksMUAimxMhC1
+Qad62SexojfI3+iI/vzdEDhjNOpohMBPejy4cLPY3EpQKtp3XoFz8S5E2hd+SraQ
+bJcw6u7JGgr3zdKBrI6TW/Y=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud-pi3.psk.enc b/tw/system/files/wireguard/lud-pi3.psk.enc
new file mode 100644
index 00000000..32b8097a
--- /dev/null
+++ b/tw/system/files/wireguard/lud-pi3.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyAwWmVh
+dFZ1S2ZCOXpNZ1VkNmFtcVBzOGczV1FUV2U1eVdZQXVvTFhLL0dZCkRBZE5KTERL
+UFBlQ1c3NnhMNllsRTF0QVN5ZERiUFVpQTVONVY5WkZaWmcKLS0tIDNPaWlVYS9L
+cm1lU21obm9Yb1h4djhDTk5jQ1prbnF4VnptNmVCY0p6c1EKWijtgsgWpKl+d5tL
+Mf16dmJ31IzLNuY8uy0VFtiAqLnyfa5mpYpDUG9OH/i80zDrlqWOQpWtrp76BLdT
+PfILs3kDlReEYXlPSNVSyIQ=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud-vin.psk.enc b/tw/system/files/wireguard/lud-vin.psk.enc
new file mode 100644
index 00000000..693a886a
--- /dev/null
+++ b/tw/system/files/wireguard/lud-vin.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBHRjlH
+OUVkb1VvZ3N0WFl0MzFyeGIzcVJvWGVNQ0lZN2Y2VWNJS3RldnpBCkZWdlZBSFNw
+QlBjM2dsbU5rYTQrQlFTWnlzY1VxY3ltbjkwek42Q1lMc0kKLS0tIExud1NrOWhi
+a0d1bmdIL1FERWhVK2ZDbytSRGd5R0M2Z2dia3BPMEp2aTQKQPxKQXV49/O/5IAW
+/nm4VVQKUfR5vZrp7Y9syodHz9+wm1zEoAELpRFyhLhd9DH1v0Bk2q+36lysKXD0
+FKd4ldl2NvSmt4o39YM3BP0=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/files/wireguard/lud.key.enc b/tw/system/files/wireguard/lud.key.enc
new file mode 100644
index 00000000..5001f4ce
--- /dev/null
+++ b/tw/system/files/wireguard/lud.key.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBFcGhX
+RWF4RUhQYThRV3dtOTBLQlZJWmJNQWlUU3Y4UnpaNFZuUGJ0Z3pFCmtUcjl6TEpp
+UE50ejIySTNGQ3JBTmNUWjVVNjVrdzFDSHZFQnVlYkVkaEkKLS0tIEVqWGN3b0Ni
+cVBrZVpzelllb0dLZVljV2x3RkZNTkMyQzVSY0RnSXIwVWsKW42mh3RidTcaeqqV
+3+Fbk3w9S1c3TKpO3Pz6Ei2SpH2V9zfNnQjJYfJFumZzQbDNAx956KaBvarjiDjk
+omyjFTuUtAUjZslkDuz3h0s=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 5ea47fa0..295f1739 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -9,6 +9,7 @@ #:use-module (tw services nextcloud) #:use-module (tw services matrix) #:use-module (tw services media) + #:use-module (tw services secrets) #:use-module (tw system)) (use-package-modules admin bash certs databases linux man php python rsync
@@ -184,6 +185,35 @@ innodb_io_capacity = 4000 ;; TODO: Syncthing exporter ;; TODO: Transmission exporter + (service secrets-service-type + (secrets-configuration + (secrets + (list + (secret + (encrypted-file (local-file "files/mythic-dns.scm.enc")) + (destination "/etc/mythic-dns.scm")) + (secret + (encrypted-file (local-file "files/nextcloud-database-password.enc")) + (destination "/etc/nextcloud-database-password.enc")) + (secret + (encrypted-file (local-file "files/restic/lud-nextcloud.enc")) + (destination "/etc/restic/lud-nextcloud")) + (secret + (encrypted-file (local-file "files/wireguard/lap.key.enc")) + (destination "/etc/wireguard/private.key")) + (secret + (encrypted-file (local-file "files/wireguard/lap-fp4.psk.enc")) + (destination "/etc/wireguard/fp4.psk")) + (secret + (encrypted-file (local-file "files/wireguard/lap-lud.psk.enc")) + (destination "/etc/wireguard/lud.psk")) + (secret + (encrypted-file (local-file "files/wireguard/lap-pi3.psk.enc")) + (destination "/etc/wireguard/pi3.psk")) + (secret + (encrypted-file (local-file "files/wireguard/lap-vin.psk.enc")) + (destination "/etc/wireguard/vin.psk")))))) + ;; Only this server has SSDs, not vin. (simple-service 'fstrim mcron-service-type (list #~(job "0 4 * * *" ; after guix gc -- cgit v1.2.3
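Review bot: The five WireGuard entries in the new `secrets` list reference `files/wireguard/lap.key.enc` and `lap-{fp4,lud,pi3,vin}.psk.enc`, but this commit adds `lud.key.enc` and `lud-{fp4,lap,pi3,vin}.psk.enc`, so none of the WireGuard files tracked here is actually consumed by lud's configuration. If the `lap*` files exist elsewhere in the tree, lud would install lap's private key at `/etc/wireguard/private.key`, leaving two hosts sharing one WireGuard identity; if they do not exist, the system build fails on the missing `local-file`. The paths should use the `lud` prefix, e.g. `(encrypted-file (local-file "files/wireguard/lud.key.enc"))`, and the peer entry should presumably become `files/wireguard/lud-lap.psk.enc` with `(destination "/etc/wireguard/lap.psk")` rather than `lud.psk`. Separately, the destination `/etc/nextcloud-database-password.enc` keeps the `.enc` suffix although the other destinations drop it, which suggests the file on disk is plaintext; renaming it to `/etc/nextcloud-database-password` would avoid implying it is still encrypted at rest. The hunk does not show what owner and mode the `secret` record gives the decrypted files, so it is worth confirming they are not world-readable, especially the database password that a non-root service has to read.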