diff --git a/README.md b/README.md index b9eb2f5a..30088a8c 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,20 @@ # NixOS config +## Secrets + +There are two types of secrets in this repository. Secret secrets, and +secret configuration. + +Secret secrets should never be world-readable, even to users who are +logged in to one of the hosts managed by this configuration. These are +generally managed by agenix, allowing them to still be put in the nix +store. + +Secret configuration is generally more security through obscurity +(e.g. some services that I run that I don't want the whole world to +know what ports they run on). These are managed with git-crypt and are +files that end in `secret.nix`. + ## Setting up a new dev environment * Create a new `*.nix` file in the shells directory that describes the environment (this is the hard part). diff --git a/configurations/mounts.nix b/configurations/mounts.nix index 45bee3ee..37a2e125 100644 --- a/configurations/mounts.nix +++ b/configurations/mounts.nix @@ -1,7 +1,25 @@ { pkgs, ... }: +let + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; +in { - imports = [ ./mounts/secret.nix ]; + fileSystems = { + "/mnt/ugent/files" = { + device = "//files.ugent.be/ecvpeteg"; + fsType = "cifs"; + options = [ "credentials=/run/secrets/passwords/ugent-mount-credentials,${automount_opts},users,vers=3.0,noperm,domain=UGENT,sec=ntlmv2i" ]; + noCheck = true; + }; + "/mnt/ugent/webhost" = { + device = "//webhost.ugent.be/ecvpeteg"; + fsType = "cifs"; + options = [ "credentials=/run/secrets/passwords/ugent-mount-credentials,${automount_opts},users,vers=3.0" ]; + noCheck = true; + }; + }; + + age.secrets."passwords/ugent-mount-credentials".file = ../secrets/passwords/ugent-mount-credentials.age; environment.systemPackages = [ pkgs.keyutils ]; # Remove this once https://github.com/NixOS/nixpkgs/issues/34638 is resolved 
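Review bot: Both `options` strings in the new `fileSystems` block hard-code the decrypted credentials as `/run/secrets/passwords/ugent-mount-credentials`, while every other module in this commit reads `config.age.secrets."<name>".path`; if the agenix output directory ever changes, these automounts would fail at first access rather than at evaluation. Taking `{ config, pkgs, ... }:` and building the option as `"credentials=${config.age.secrets."passwords/ugent-mount-credentials".path},${automount_opts},users,vers=3.0,noperm,domain=UGENT,sec=ntlmv2i"` keeps the mount tied to the secret declaration a few lines below. Separately, the webhost mount omits the `sec=ntlmv2i` and `domain=UGENT` that the files mount sets; if that difference is deliberate, a one-line comment saying so would stop the next reader from "harmonising" it.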
diff --git a/configurations/mounts/secret.nix b/configurations/mounts/secret.nix deleted file mode 100644 index 306b3ddc..00000000 Binary files a/configurations/mounts/secret.nix and /dev/null differ diff --git a/containers/data-access/config.nix b/containers/data-access/config.nix index 6297ca31..c291e8fc 100644 --- a/containers/data-access/config.nix +++ b/containers/data-access/config.nix @@ -16,8 +16,8 @@ enable = true; permitRootLogin = "no"; hostKeys = [ - { bits = 4096; path = "/var/secrets/ssh_host_rsa_key"; type = "rsa"; } - { path = "/var/secrets/ssh_host_ed25519_key"; type = "ed25519"; } + { bits = 4096; path = "/run/secrets/ssh_host_rsa_key"; type = "rsa"; } + { path = "/run/secrets/ssh_host_ed25519_key"; type = "ed25519"; } ]; }; } diff --git a/containers/data-access/default.nix b/containers/data-access/default.nix index 49288bd5..dfcfa77f 100644 --- a/containers/data-access/default.nix +++ b/containers/data-access/default.nix @@ -14,8 +14,8 @@ hostPath = "/srv/data"; isReadOnly = false; }; - "/var/secrets" = { - hostPath = "${config.chvp.dataPrefix}/var/secrets/data-access"; + "/run/secrets" = { + hostPath = "/run/secrets/data-access"; isReadOnly = true; }; }; @@ -26,5 +26,10 @@ localAddress6 = "fc00::2"; config = import ./config.nix; }; + + age.secrets."data-access/ssh_host_rsa_key".file = ../../secrets/data-access/ssh_host_rsa_key.age; + age.secrets."data-access/ssh_host_rsa_key.pub".file = ../../secrets/data-access/ssh_host_rsa_key.pub.age; + age.secrets."data-access/ssh_host_ed25519_key".file = ../../secrets/data-access/ssh_host_ed25519_key.age; + age.secrets."data-access/ssh_host_ed25519_key.pub".file = ../../secrets/data-access/ssh_host_ed25519_key.pub.age; }; } diff --git a/flake.lock b/flake.lock index 7a378d79..dbd5b946 100644 --- a/flake.lock +++ b/flake.lock 
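Review bot: `hostPath = "/run/secrets/data-access"` in the default.nix hunk hard-codes the agenix output directory, whereas the rest of this commit reads `config.age.secrets.<name>.path`; `dirOf config.age.secrets."data-access/ssh_host_rsa_key".path` would keep the bind mount pointed at wherever agenix actually writes. If the pinned agenix version implements `/run/secrets` as a symlink to a per-generation directory, bind-mounting a subdirectory pins the running container to the generation current at container start, so a host-key rotation would need a container restart — worth confirming and noting in a comment on the `"/run/secrets"` entry. The container-side paths in config.nix are consistent with the mount, and `isReadOnly = true` is the right default for key material.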
@@ -1,12 +1,32 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1620877075, + "narHash": "sha256-XvgTqtmQZHegu9UMDSR50gK5cHEM2gbnRH0qecmdN54=", + "owner": "ryantm", + "repo": "agenix", + "rev": "e543aa7d68f222e1e771165da9e9a64b5bf7b3e3", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "emacs-overlay": { "locked": { - "lastModified": 1624097579, - "narHash": "sha256-vy447LhWdLaikwXx3BtNdlY4rmgNM35fwZzZ5SyY/4M=", + "lastModified": 1624127230, + "narHash": "sha256-0Wg07rR5u4F/02/mJU+CjwyYryBHB/zMOz7ArEnMlt8=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "eb561e58db5ab3b52b1157da189c48a27fb7dca9", + "rev": "e9ced9b4f2e49488a97b20dc43fafea7284715a7", "type": "github" }, "original": { @@ -70,6 +90,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "emacs-overlay": "emacs-overlay", "home-manager": "home-manager", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index 83311002..804ec2cc 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,10 @@ description = "Nixos configuration flake"; inputs = { + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; emacs-overlay.url = "github:nix-community/emacs-overlay/master"; home-manager = { url = "github:nix-community/home-manager/master"; @@ -11,7 +15,7 @@ utils.url = "github:gytis-ivaskevicius/flake-utils-plus/master"; }; - outputs = inputs@{ self, nixpkgs, emacs-overlay, home-manager, utils }: utils.lib.systemFlake { + outputs = inputs@{ self, nixpkgs, agenix, emacs-overlay, home-manager, utils }: utils.lib.systemFlake { inherit self inputs; # This config can only be evaluated on x86_64-linux because of IFD supportedSystems = [ "x86_64-linux" ]; @@ -27,6 +31,7 @@ nix.nixPath = [ "/etc/channels" ]; }) utils.nixosModules.saneFlakeDefaults + agenix.nixosModules.age home-manager.nixosModules.home-manager ./modules ]; 
@@ -44,6 +49,7 @@ buildInputs = [ pkgs.nixpkgs-fmt (pkgs.writeShellScriptBin "fetchpatch" "curl -L https://github.com/NixOS/nixpkgs/pull/$1.patch -o patches/$1.patch") + agenix.defaultPackage.x86_64-linux ]; }; }; diff --git a/machines/kharbranth/default.nix b/machines/kharbranth/default.nix index 056dd2f8..101cb252 100644 --- a/machines/kharbranth/default.nix +++ b/machines/kharbranth/default.nix @@ -18,6 +18,7 @@ docker.enable = true; eid.enable = true; git.email = "charlotte.vanpetegem@ugent.be"; + sshd.enable = true; zfs = { enable = true; encrypted = true; diff --git a/machines/kharbranth/hardware.nix b/machines/kharbranth/hardware.nix index cbe10b60..f51bb43f 100644 --- a/machines/kharbranth/hardware.nix +++ b/machines/kharbranth/hardware.nix @@ -22,31 +22,36 @@ fileSystems."/" = { device = "rpool/local/root"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/nix" = { device = "rpool/local/nix"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/nix/store" = { device = "rpool/local/nix-store"; fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/A5BA-352A"; - fsType = "vfat"; + neededForBoot = true; }; fileSystems."/cache" = { device = "rpool/local/cache"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/data" = { device = "rpool/safe/data"; fsType = "zfs"; + neededForBoot = true; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A5BA-352A"; + fsType = "vfat"; }; swapDevices = [ diff --git a/machines/kholinar/default.nix b/machines/kholinar/default.nix index d748284e..4c8a2a6e 100644 --- a/machines/kholinar/default.nix +++ b/machines/kholinar/default.nix @@ -34,6 +34,7 @@ eid.enable = true; git.email = "charlotte@vanpetegem.me"; minecraft.client = true; + sshd.enable = true; zeroad.enable = true; zfs = { enable = true; diff --git a/machines/kholinar/hardware.nix b/machines/kholinar/hardware.nix index 88385f00..28ed3e64 100644 --- a/machines/kholinar/hardware.nix +++ b/machines/kholinar/hardware.nix 
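Review bot: `sshd.enable = true` on kharbranth pulls in the `authorized_keys/*` secrets from modules/sshd.nix, and modules/default.nix now gives every host the `passwords/users/*` secrets, but the `hosts` list in the secrets.nix hunk later on this page names only kholinar, lasting-integrity and urithiru. Unless kharbranth's host key happens to be one of the keys listed under `charlotte`, activation on kharbranth will fail to decrypt those secrets. Adding `kharbranth = "ssh-ed25519 <kharbranth host key>";` to secrets.nix and including it in `hosts` (and in the `ugent-mount-credentials` recipients if kharbranth imports configurations/mounts.nix) closes the gap; the same omission applies to the kholinar default.nix hunk only if kholinar's key were missing, which it is not.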
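Review bot: The new `neededForBoot = true` lines on `/`, `/nix` and `/nix/store` in the kharbranth hardware hunk are, as far as I know, redundant because NixOS already treats those mount points as needed for boot, so only the `/cache` and `/data` entries change behaviour and nothing in the hunk says why. A one-line comment on the `/data` entry such as `# agenix decrypts secrets during activation with the host key kept under dataPrefix, so this must be mounted from the initrd` (assuming that is the motivation, given sshd.nix keeps the host keys there) would make the intent clear and explain why a plain `fileSystems` reorder was not enough. The same applies to the kholinar, lasting-integrity and urithiru hardware hunks that follow.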
@@ -22,24 +22,27 @@ fileSystems."/" = { device = "rpool/local/root"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/nix" = { device = "rpool/local/nix"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/data" = { device = "rpool/safe/data"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/cache" = { device = "rpool/local/cache"; fsType = "zfs"; + neededForBoot = true; }; - fileSystems."/boot" = { device = "/dev/disk/by-uuid/BEEE-D83A"; fsType = "vfat"; diff --git a/machines/lasting-integrity/hardware.nix b/machines/lasting-integrity/hardware.nix index 07d24180..061ef980 100644 --- a/machines/lasting-integrity/hardware.nix +++ b/machines/lasting-integrity/hardware.nix @@ -25,22 +25,27 @@ "/" = { device = "zroot/local/root"; fsType = "zfs"; + neededForBoot = true; }; "/nix" = { device = "zroot/local/nix"; fsType = "zfs"; + neededForBoot = true; }; "/nix/store" = { device = "zroot/local/nix-store"; fsType = "zfs"; + neededForBoot = true; }; "/data" = { device = "zroot/safe/data"; fsType = "zfs"; + neededForBoot = true; }; "/cache" = { device = "zroot/safe/cache"; fsType = "zfs"; + neededForBoot = true; }; "/srv/data" = { device = "zdata/data"; diff --git a/machines/urithiru/hardware.nix b/machines/urithiru/hardware.nix index 603a19a7..b0aaac82 100644 --- a/machines/urithiru/hardware.nix +++ b/machines/urithiru/hardware.nix @@ -25,22 +25,27 @@ "/" = { device = "zroot/local/root"; fsType = "zfs"; + neededForBoot = true; }; "/nix" = { device = "zroot/local/nix"; fsType = "zfs"; + neededForBoot = true; }; "/nix/store" = { device = "zroot/local/nix-store"; fsType = "zfs"; + neededForBoot = true; }; "/data" = { device = "zroot/safe/data"; fsType = "zfs"; + neededForBoot = true; }; "/cache" = { device = "zroot/safe/cache"; fsType = "zfs"; + neededForBoot = true; }; "/srv/data" = { device = "zdata/data"; 
diff --git a/machines/urithiru/secret.nix b/machines/urithiru/secret.nix index f0d84f85..ee162c1c 100644 Binary files a/machines/urithiru/secret.nix and b/machines/urithiru/secret.nix differ diff --git a/modules/accentor.nix b/modules/accentor.nix index f1b06dad..213e858c 100644 --- a/modules/accentor.nix +++ b/modules/accentor.nix @@ -106,7 +106,7 @@ in environment = env; path = [ pkgs.ffmpeg gems gems.wrappedRuby ]; serviceConfig = { - EnvironmentFile = "${config.chvp.dataPrefix}/var/secrets/accentor-api"; + EnvironmentFile = config.age.secrets."passwords/services/accentor".path; Type = "simple"; User = "accentor"; Group = "accentor"; @@ -128,7 +128,7 @@ in environment = env; path = [ pkgs.ffmpeg gems gems.wrappedRuby ]; serviceConfig = { - EnvironmentFile = "${config.chvp.dataPrefix}/var/secrets/accentor-api"; + EnvironmentFile = config.age.secrets."passwords/services/accentor".path; Type = "simple"; User = "accentor"; Group = "accentor"; @@ -140,6 +140,11 @@ in }) 4)); + age.secrets."passwords/services/accentor" = { + file = ../secrets/passwords/services/accentor.age; + owner = "accentor"; + }; + users.users.accentor = { group = "accentor"; home = "${config.chvp.dataPrefix}/var/lib/accentor"; diff --git a/modules/default.nix b/modules/default.nix index 7ebfe10a..447e47a7 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -2,7 +2,6 @@ { imports = [ - ./default/secret.nix ./accentor.nix ./bluetooth.nix ./docker.nix @@ -132,8 +131,15 @@ home = "/home/charlotte"; description = "Charlotte Van Petegem"; extraGroups = [ "systemd-journal" ] ++ lib.optionals config.chvp.graphical [ "input" "video" ]; + passwordFile = config.age.secrets."passwords/users/charlotte".path; }; + root.passwordFile = config.age.secrets."passwords/users/root".path; }; }; + + age.secrets = { + "passwords/users/charlotte".file = ../secrets/passwords/users/charlotte.age; + "passwords/users/root".file = ../secrets/passwords/users/root.age; + }; }; } 
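Review bot: `owner = "accentor"` on the new `passwords/services/accentor` secret makes the env file readable by the service user, but `EnvironmentFile=` is read by the systemd manager before the unit drops to `User = "accentor"`, so the wider ownership appears unnecessary; keeping the root-only default would leave the secret out of reach of anything else running as `accentor`. If another path needs it (for example an interactive console run as that user), a comment on the `owner` line saying so would justify the grant. The nextcloud, acme and syncthing secrets elsewhere in this commit presumably do need their owners, since those files are read by the service processes themselves, so this is the one declaration that stands out.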
diff --git a/modules/default/secret.nix b/modules/default/secret.nix deleted file mode 100644 index 1fb856d2..00000000 Binary files a/modules/default/secret.nix and /dev/null differ diff --git a/modules/global-mailer.nix b/modules/global-mailer.nix index 06e27db0..888343b1 100644 --- a/modules/global-mailer.nix +++ b/modules/global-mailer.nix @@ -6,16 +6,18 @@ example = true; }; - config = lib.mkIf config.chvp.smartd.enable { + config = lib.mkIf config.chvp.globalMailer.enable { services.ssmtp = { enable = true; authUser = "webmaster@vanpetegem.me"; - authPassFile = "/data/var/secrets/ssmtp-mail-pass"; + authPassFile = config.age.secrets."passwords/services/ssmtp-pass".path; domain = "${config.networking.hostName}.vanpetegem.me"; hostName = "mail.vanpetegem.me:465"; root = "webmaster@vanpetegem.me"; setSendmail = true; useTLS = true; }; + + age.secrets."passwords/services/ssmtp-pass".file = ../secrets/passwords/services/ssmtp-pass.age; }; } diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 42338c1b..0c4290c1 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -20,7 +20,7 @@ dbtype = "pgsql"; dbhost = "/run/postgresql"; adminuser = "admin"; - adminpassFile = "${config.chvp.dataPrefix}/var/secrets/nextcloud-admin-password"; + adminpassFile = config.age.secrets."passwords/services/nextcloud-admin".path; }; }; nginx.virtualHosts."nextcloud.vanpetegem.me" = { @@ -37,6 +37,10 @@ }]; }; }; + age.secrets."passwords/services/nextcloud-admin" = { + file = ../secrets/passwords/services/nextcloud-admin.age; + owner = "nextcloud"; + }; systemd.services."nextcloud-setup" = { requires = [ "postgresql.service" ]; after = [ "postgresql.service" ]; diff --git a/modules/nginx.nix b/modules/nginx.nix index 7e3e5bfa..b3bc336d 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix 
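Review bot: The `ssmtp-pass` secret in the global-mailer hunk is declared with agenix defaults (root-owned and mode 0400, as far as I know), while the `services.ssmtp.authPassFile` option is read by whichever user invokes sendmail; any service that sends mail as a non-root user would now get an authentication failure at send time. If only root-run jobs send mail on these hosts that is the safest setting, and a comment such as `# root-only: sendmail is only invoked by root-run services` on the `age.secrets` line would record that assumption; otherwise `mode = "0440";` with a suitable `group` is the narrower fix. The enclosing `config` block ends outside the hunk.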
@@ -13,7 +13,6 @@ fqdn = "data.vanpetegem.me"; options = { default = true; - basicAuthFile = "/data/var/secrets/data.vanpetegem.me.htpasswd"; root = "/srv/data"; locations = { "/".extraConfig = '' @@ -47,7 +46,7 @@ security.acme = { certs."vanpetegem.me" = { dnsProvider = "cloudflare"; - credentialsFile = "/data/var/secrets/vanpetegem.me-cloudflare"; + credentialsFile = config.age.secrets."passwords/services/acme".path; extraDomainNames = [ "*.vanpetegem.me" "cvpetegem.be" @@ -61,6 +60,10 @@ acceptTerms = true; preliminarySelfsigned = false; }; + age.secrets."passwords/services/acme" = { + file = ../secrets/passwords/services/acme.age; + owner = "acme"; + }; chvp.zfs.systemLinks = [ { type = "data"; path = "/var/lib/acme"; } ]; diff --git a/modules/sshd.nix b/modules/sshd.nix index b88edd7d..6623071f 100644 --- a/modules/sshd.nix +++ b/modules/sshd.nix @@ -1,10 +1,6 @@ { config, lib, ... }: { - imports = [ - ./sshd/secret.nix - ]; - options.chvp.sshd.enable = lib.mkOption { default = false; example = true; @@ -19,6 +15,10 @@ { bits = 4096; path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_rsa_key"; type = "rsa"; } { path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; } ]; + authorizedKeysFiles = [ "/run/secrets/authorized_keys/%u" ]; }; + + age.secrets."authorized_keys/charlotte".file = ../secrets/authorized_keys/charlotte.age; + age.secrets."authorized_keys/root".file = ../secrets/authorized_keys/root.age; }; } diff --git a/modules/sshd/secret.nix b/modules/sshd/secret.nix deleted file mode 100644 index 7f05fbe3..00000000 Binary files a/modules/sshd/secret.nix and /dev/null differ diff --git a/modules/syncthing-server.nix b/modules/syncthing-server.nix index 81595154..b54cef77 100644 --- a/modules/syncthing-server.nix +++ b/modules/syncthing-server.nix 
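Review bot: The `basicAuthFile` for the `data.vanpetegem.me` vhost is removed at the top of the first nginx hunk with nothing replacing it, so `/srv/data` is served without authentication after this change, while the secrets.nix hunk creates a `data-basic-auth.age` keyed to urithiru that no module on this page declares through `age.secrets`. Unless the binary change to machines/urithiru/secret.nix re-adds the auth (which this diff cannot show), the intended wiring is probably `basicAuthFile = config.age.secrets."passwords/services/data-basic-auth".path;` here plus an `age.secrets."passwords/services/data-basic-auth" = { file = ../secrets/passwords/services/data-basic-auth.age; owner = "nginx"; };` declaration like the syncthing one. This vhost is also `default = true`, so it answers for any hostname pointed at the server, which makes the missing auth more than a cosmetic gap.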
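Review bot: `authorizedKeysFiles = [ "/run/secrets/authorized_keys/%u" ]` in the sshd hunk points sshd at secrets declared with agenix defaults (root-owned, mode 0400 as far as I know), but sshd opens `AuthorizedKeysFile` after temporarily switching to the target user's uid, so the `charlotte` file would be unreadable and key authentication for that user would fail while `root` keeps working. Declaring that secret as `age.secrets."authorized_keys/charlotte" = { file = ../secrets/authorized_keys/charlotte.age; owner = "charlotte"; };` fixes it and still satisfies StrictModes, which accepts files owned by the user or root. The directory is also hard-coded rather than derived from `dirOf config.age.secrets."authorized_keys/root".path`, unlike the other modules in this commit; the enclosing `config` block continues outside the hunk.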
@@ -9,8 +9,8 @@ config = lib.mkIf config.chvp.syncthing-server.enable { services.syncthing = { enable = true; - dataDir = "${config.chvp.dataPrefix}/var/lib/synthing"; - configDir = "${config.chvp.dataPrefix}/var/lib/synthing/.config"; + dataDir = "${config.chvp.dataPrefix}/var/lib/syncthing"; + configDir = "${config.chvp.dataPrefix}/var/lib/syncthing/.config"; openDefaultPorts = true; guiAddress = "127.0.0.1:8384"; }; @@ -20,9 +20,13 @@ fqdn = "syncthing.vanpetegem.me"; basicProxy = "http://localhost:8384"; options = { - basicAuthFile = "${config.chvp.dataPrefix}/var/secrets/syncthing.vanpetegem.me.htpasswd"; + basicAuthFile = config.age.secrets."passwords/services/syncthing-basic-auth".path; }; } ]; + age.secrets."passwords/services/syncthing-basic-auth" = { + file = ../secrets/passwords/services/syncthing-basic-auth.age; + owner = "nginx"; + }; }; } diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 00000000..8373e6d4 --- /dev/null +++ b/secrets.nix 
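Review bot: Correcting `synthing` to `syncthing` in `dataDir`/`configDir` changes where the running service looks for its state, and nothing in the hunk migrates the existing `${config.chvp.dataPrefix}/var/lib/synthing` directory; on the next switch syncthing would start with a fresh config (new device ID, no folders) on the host that secrets.nix keys the syncthing secret to, unless the directory is moved first. A comment on the `dataDir` line noting the one-time rename needed on that host, or an activation step that performs it when the old path exists, would prevent that surprise. The basic-auth secret with `owner = "nginx"` looks right, since nginx reads the htpasswd file itself.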
@@ -0,0 +1,46 @@ +let + kholinar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL8MzChayhcVTfZvE3/ExwXpq2+LbihjzUVlKeIGoOL"; + lasting-integrity = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKJmeY7j5LxWVv3fKzqG4Bvg/ZhOp8iwk0utpyMWMSk"; + urithiru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrzOpyzDc5BVtAeb5//PnMRcp+9B+DjfU7p2YpaH6a2"; + hosts = [ + kholinar + lasting-integrity + urithiru + ]; + servers = [ + lasting-integrity + urithiru + ]; + + charlotte = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDb17zAg3zwvdYHNZqXSGYKseCz5281Ha6oOYPbwFYD" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJY5nXR/V6wcMRxugD7GTOF8kwfGnAT2CRuJ2Qi60vsm" + ]; + users = charlotte; +in +{ + "secrets/passwords/users/charlotte.age".publicKeys = hosts ++ users; + "secrets/passwords/users/root.age".publicKeys = hosts ++ users; + + "secrets/authorized_keys/charlotte.age".publicKeys = hosts ++ users; + "secrets/authorized_keys/root.age".publicKeys = hosts ++ users; + + "secrets/passwords/ugent-mount-credentials.age".publicKeys = [ kholinar ] ++ users; + + "secrets/passwords/services/accentor.age".publicKeys = [ urithiru ] ++ users; + + "secrets/passwords/services/ssmtp-pass.age".publicKeys = servers ++ users; + + "secrets/passwords/services/acme.age".publicKeys = servers ++ users; + + "secrets/passwords/services/nextcloud-admin.age".publicKeys = [ lasting-integrity ] ++ users; + + "secrets/passwords/services/syncthing-basic-auth.age".publicKeys = [ lasting-integrity ] ++ users; + + "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users; + + "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users; + "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users; + "secrets/data-access/ssh_host_ed25519_key.age".publicKeys = [ urithiru ] ++ users; + "secrets/data-access/ssh_host_ed25519_key.pub.age".publicKeys = [ urithiru ] ++ users; +} 
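Review bot: The four `secrets/data-access/*.pub.age` entries encrypt SSH host public keys, which are not sensitive, and containers/data-access/config.nix points sshd only at the private key paths; sshd derives the public key from the private one when no `.pub` file is present, so these could be plain files in the repository (or dropped), keeping the encrypted set limited to material that actually needs protection. If they are kept as secrets, a comment saying why (e.g. a consumer that needs the `.pub` beside the key) would help. A one-line comment on why `users` is appended to every recipient list (presumably so the files can be edited from a workstation) would also save the next reader a guess.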
diff --git a/secrets/authorized_keys/charlotte.age b/secrets/authorized_keys/charlotte.age new file mode 100644 index 00000000..fa839dd9 Binary files /dev/null and b/secrets/authorized_keys/charlotte.age differ diff --git a/secrets/authorized_keys/root.age b/secrets/authorized_keys/root.age new file mode 100644 index 00000000..f2735d7a Binary files /dev/null and b/secrets/authorized_keys/root.age differ diff --git a/secrets/data-access/ssh_host_ed25519_key.age b/secrets/data-access/ssh_host_ed25519_key.age new file mode 100644 index 00000000..be89db54 Binary files /dev/null and b/secrets/data-access/ssh_host_ed25519_key.age differ diff --git a/secrets/data-access/ssh_host_ed25519_key.pub.age b/secrets/data-access/ssh_host_ed25519_key.pub.age new file mode 100644 index 00000000..0af255f2 Binary files /dev/null and b/secrets/data-access/ssh_host_ed25519_key.pub.age differ diff --git a/secrets/data-access/ssh_host_rsa_key.age b/secrets/data-access/ssh_host_rsa_key.age new file mode 100644 index 00000000..2fd2a944 Binary files /dev/null and b/secrets/data-access/ssh_host_rsa_key.age differ diff --git a/secrets/data-access/ssh_host_rsa_key.pub.age b/secrets/data-access/ssh_host_rsa_key.pub.age new file mode 100644 index 00000000..e8ce5cd2 Binary files /dev/null and b/secrets/data-access/ssh_host_rsa_key.pub.age differ diff --git a/secrets/passwords/services/accentor.age b/secrets/passwords/services/accentor.age new file mode 100644 index 00000000..c46f9bfb Binary files /dev/null and b/secrets/passwords/services/accentor.age differ diff --git a/secrets/passwords/services/acme.age b/secrets/passwords/services/acme.age new file mode 100644 index 00000000..f73240eb --- /dev/null +++ b/secrets/passwords/services/acme.age 
@@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ wr/VRSxPJd0I4JDFD9MrHkp5KFOOPxZS7m1HjSegRCw +JFCiaYNZEQJmyvW4hLCOwIq7VX3KSlmnAIoh2UhNAJY +-> ssh-ed25519 9PfEBQ dZRsqkDI9rfIvO6TpVzGWFYwPBXICkKTe5x8VXIVDGM +2uS5NUHLEWUNy9C8x06+RUdX7xQpBBfjr+01rDMbgBU +-> ssh-ed25519 s9rb8g 46cu8IBR9fma7MFs4otOWjoMXHqnbuRDM+bj4IxDVGw +/UkN3Agfceht7ChZbh+ceoUuB++mYmugd16vuLSPqxE +-> ssh-ed25519 yad4VQ Hv13vZsVZvbV2w5uNQdB8PQZCLvok2MpNVC4PPLGKUc +6NrLD1I8u0ClEtSsOb4jVVFDVzuJL9n3IW4CnA75ovA +-> NO3YbI(z-grease m4 \QIZ]> +f69xlR/avrj2Rt86RB0MfdYwgW9xOUKko5dLppsenHk +--- Af1B47mEXz4XvANBR/JACMf1lKXsgKcofVAAKPq4A9E +G[~U6 +Y7@g9۽zLb_XC9m[&c¹;.R-ļI| }tVW8/rNI4*yk?"y, 2@3 [DRPrR \ No newline at end of file diff --git a/secrets/passwords/services/data-basic-auth.age b/secrets/passwords/services/data-basic-auth.age new file mode 100644 index 00000000..77558f32 Binary files /dev/null and b/secrets/passwords/services/data-basic-auth.age differ diff --git a/secrets/passwords/services/nextcloud-admin.age b/secrets/passwords/services/nextcloud-admin.age new file mode 100644 index 00000000..f6c02013 --- /dev/null +++ b/secrets/passwords/services/nextcloud-admin.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ x9t/cSncNIVOU166JjWIntDJ08ar6jqEDqm2SHdIJmU +Wi1kSAfImT7O3ZHQffngy2+OK9MkcxRdTIsWj0Uvppc +-> ssh-ed25519 s9rb8g FBbDb07Wot6y7VbFtZ6p6pmdPXu61fOMXn4zobmYXn0 +9WV10AVHinYMy6DfsTbDnNuCry1lunNiL8rYlM3VAu0 +-> ssh-ed25519 yad4VQ qkqTUmEzVzMlL+MzQZ6jbuEuMMr7fmkao02BTEXz0CI +NuJBm09rWAPDAAiKCpjOvLn/lTqrjv4O8ZlNdZqaMsU +-> OPQKCjr-grease {eEXe/H n +LeU7ay4hMrv1r+ot0bHboLAzGJBQ7E02y3lMXZaMfyYd9eBh9W3iQ8Js+UZa9g9G +gODPDb4M8+UtZh3VSGHqtfJzTCrvkPjbys3CpGRz/3oZR2v5PP8 +--- JmNEtjO4ODYoLNKN2K6Di0/XwkCgq8dAEhEkrQSjBwQ +-3=tk\R|b{Kβ^KtZ`Z>QS{sԮy \ No newline at end of file diff --git a/secrets/passwords/services/ssmtp-pass.age b/secrets/passwords/services/ssmtp-pass.age new file mode 100644 index 00000000..0ae4d1f2 --- /dev/null +++ b/secrets/passwords/services/ssmtp-pass.age 
@@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ BDIrYjLZNtA13rPVoIxP6W1dWF88I+CLL6pUvJ6vK0g +MeEh3+IhgF5InzslImtzfa9lvlpDzWM6u5YYfPXKhd4 +-> ssh-ed25519 9PfEBQ vaD7NtryG1+F4D520aqqzjy4nlCKed3lA+KZqDl2YGk +TNhvAb5h30I1s9t4nOwRdm0MjSSflPmS5sHbundkNTM +-> ssh-ed25519 s9rb8g xjBrIBaOJIo6wKzPzXGOtnk07jxTxooVL/0m+MIy/HE +HV2SSpBGm/zf90PEkUjkkEDpFdunF2MoYvE1F4CAqjo +-> ssh-ed25519 yad4VQ ET642EsdlhOrFWumUNg0lu2fGKCC88VkeEuATqGLuks +nPNM56yWuAVt6NWSjIswR/y0S0eSNMooz5Kfm5KRz0M +-> Djkn-grease +WAU+Og +--- v4AxWOuI+CKCiqa/71rOuE2b37ez7tJ7Q4bdsYLZ2fA +gۂf8=x]ToL:"<D&! +5q|HҌ \ No newline at end of file diff --git a/secrets/passwords/services/syncthing-basic-auth.age b/secrets/passwords/services/syncthing-basic-auth.age new file mode 100644 index 00000000..81b82e78 --- /dev/null +++ b/secrets/passwords/services/syncthing-basic-auth.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ 63BaTeRhefvCFbl7sXA7zathah0syNOsB0PjWTtCd1c +cdfHW5eOGchofdjrnY7Ze1wyFI/rBmP/OEdw8xovkTI +-> ssh-ed25519 s9rb8g n8oehnxhiyHiu3WY54SBcei+hVdmGAvNL5qpDcJYIwQ +0CCTSTWzxS6A0yLdbxkkOlv2Fh+ybIUUrAq+QPv8gII +-> ssh-ed25519 yad4VQ lbuGjXnI6dRhGPgC1ffKwkMuncqJFRF3SlLmiAMGjGA +zuQv5lIHDNhjnDYAwyZ+FvEQB48e78GsFZniHVJWWNM +-> wcaNCh-grease SaMY3 Tu|&}! xRRDg'( +hvUFh0BFX9rSu/X0SVH7baf9JZLMhOI6PSimLxLgZpXb+0pjSU3Jb1IzFSFK94PC +gK3HgTrqyzvp7qb5E1Xm0P19 +--- uzs+KId6F4ecLgEE295pBQra5JvdXRTVAZiyrIj5mr8 +&u H7Zyiæ*0ɸ{B?;e韏l"uW:짱2`BNgX2!p$ \ No newline at end of file diff --git a/secrets/passwords/ugent-mount-credentials.age b/secrets/passwords/ugent-mount-credentials.age new file mode 100644 index 00000000..939800e4 --- /dev/null +++ b/secrets/passwords/ugent-mount-credentials.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 aUd9Ng VKPLzPWI+pe5Yd/MSdHdBDuTX8rZC/+p469vEPFoXxk +98Yzz1zt1wyQgjG86118I5idbFuSuKAEkvjddC+T4fs +-> ssh-ed25519 s9rb8g BEGtkNLFNifqjGFk8qEqjuXEv+2WcDI0DRPxXtm+OCU +trMzwuQwyICXkZuA4wuVflqWFVkUb3d7meW/EpxoqfE +-> ssh-ed25519 yad4VQ 4j0mcq45zOkde4411/Dm9/A8plCsWWipTpC8oVjsBxE +yWVNOfmT0UBkZRVKrd8eK1ZXEbj0DBmUfLm3P75ue3c +-> dA-grease KK9j4 +>n>m % +ZT+0vtK8K2BUHbW13tlDNHKtMzQW4oZUOazYJ0naCCgKSRu9am9cfsm+Ul3TpafN +enO42MOQ5i00H/6KCIo+0qc4hw4kQV0 +--- hR3HgO0pfUOtWM2K4/l1OT+nIa7ZBBxSt+KWYwHEuXs +B٬INax+uğNOILu޽'󔬼Ur[5q͘r5U.";04!"6- \ No newline at end of file diff --git a/secrets/passwords/users/charlotte.age b/secrets/passwords/users/charlotte.age new file mode 100644 index 00000000..5290ce1d --- /dev/null +++ b/secrets/passwords/users/charlotte.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 aUd9Ng WEsRJzdyJ2h91IjEW9qyJgdFL27slwb0bjNu2oWlOXA +ZTWFzYPh6nKz7aF4sUpQpqEEtwhv6XBDqsDeIZ5N8y8 +-> ssh-ed25519 hKAFvQ e4tF880/zOdeGMErRQgG2UrAu9qRKG7c53ZW8HFDbwA +P2PTG82mqsyCwwbkNuUEaesj8jt3zh5bQJO3cXjPZUk +-> ssh-ed25519 9PfEBQ eSTg5KgEj/Mo5bdm5KIJuhT4obRRNjHuQtINEtRujCc +WvL4uXbwESfRlv7LiSXJDcxbUmhVMgVuvfxcwn5kQoU +-> ssh-ed25519 s9rb8g hYZ3gd2LKLkVwdWBB7KIR4UeWKwF+h9k03SrkYy2EwE +VhSvTYWMcJE4tjgOqZR/qUrZqKQ7r5N+0uHGuxNyYqk +-> ssh-ed25519 yad4VQ D6MeV5YwTfPEz/YLQaxnzYr1LFq5RnVTsYln1uQMaUc +btZV3uKDahlmR1oSlJtRRuO8pbWYW8KqaHSAxRO0roc +-> ]V-grease 7lw %=7"61= R:.zkVJ: + +--- Qjis1vuiXUaYlXuArvVJT7At/jQlGxYMNL+fxAlSGG8 +Z&@tbʄۣ =RXu@X1 ?P~M΄F4{@Z0$Q&kf'{!# SygxHV=Dܦ<[e \ No newline at end of file diff --git a/secrets/passwords/users/root.age b/secrets/passwords/users/root.age new file mode 100644 index 00000000..05e765d7 --- /dev/null +++ b/secrets/passwords/users/root.age 
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 aUd9Ng 8n1tz2i+HxzSliHHBHc+kmgpWbbNgCppLrEN0P+9DFQ +hE3bzq0j5gxNdk8VmYQypxjT+da8jRLIkUR3GP+4DnU +-> ssh-ed25519 hKAFvQ M9Ju7grYMVOKxLjYVP3GGvV4rYT6F3VfDLI8EhsIEyQ +Slkggok27UFcYpKyEO1m4UMiJm/lp7CxVRmx4kQxqlg +-> ssh-ed25519 9PfEBQ bf4KuUS1ep4Gk3fDmG78I2FcEh848++jRE71CYIQIRg +Wldrb1cqj3/8vOITln7X8KtC+CTljsj0WY7knNySeQg +-> ssh-ed25519 s9rb8g Gp2mA+WShFq16ZYU8fImzqAJ96HZSv4MnT0tZ8RmyAM +t8tIVz/PYgkAuCnmaoBzdNN7Eedk47pXN62fLnvCkvQ +-> ssh-ed25519 yad4VQ 5oHcwG9X9fQ/I1gkCFP0bR9X1dlugq+XLhNChahcD18 +M2+r0JfRNooc3bOPMtbae7RMJMvmdeFgvwFc9eNaJHs +-> E:Oz-grease Ehb$" +oL5+EmXX4BIy3ug9u4HrEOoCtO8aNMu70KjMWQqOqwkuk4t81DoG28+/ruew+a5m +zcEsAb1gDFJb+usuVPF37nijiR8 +--- v4M0JQCd5ST1rzXfkpfgHfibXDN7EZ3/3VnYXnT23tY +#vtz