From da9160559c21e1f0eb06f807d31fc9a5123fc46e Mon Sep 17 00:00:00 2001 
From: Charlotte Van Petegem Date: Sun, 20 Jun 2021 00:18:20 +0200 Subject: [PATCH] Start using age for secret management --- README.md | 15 ++++++ configurations/mounts.nix | 20 +++++++- configurations/mounts/secret.nix | Bin 695 -> 0 bytes containers/data-access/config.nix | 4 +- containers/data-access/default.nix | 9 +++- flake.lock | 27 ++++++++-- flake.nix | 8 ++- machines/kharbranth/default.nix | 1 + machines/kharbranth/hardware.nix | 15 ++++-- machines/kholinar/default.nix | 1 + machines/kholinar/hardware.nix | 5 +- machines/lasting-integrity/hardware.nix | 5 ++ machines/urithiru/hardware.nix | 5 ++ machines/urithiru/secret.nix | Bin 2342 -> 2509 bytes modules/accentor.nix | 9 +++- modules/default.nix | 8 ++- modules/default/secret.nix | Bin 328 -> 0 bytes modules/global-mailer.nix | 6 ++- modules/nextcloud.nix | 6 ++- modules/nginx.nix | 7 ++- modules/sshd.nix | 8 +-- modules/sshd/secret.nix | Bin 1234 -> 0 bytes modules/syncthing-server.nix | 10 ++-- secrets.nix | 46 ++++++++++++++++++ secrets/authorized_keys/charlotte.age | Bin 0 -> 8893 bytes secrets/authorized_keys/root.age | Bin 0 -> 4808 bytes secrets/data-access/ssh_host_ed25519_key.age | Bin 0 -> 905 bytes .../data-access/ssh_host_ed25519_key.pub.age | Bin 0 -> 595 bytes secrets/data-access/ssh_host_rsa_key.age | Bin 0 -> 2246 bytes secrets/data-access/ssh_host_rsa_key.pub.age | Bin 0 -> 967 bytes secrets/passwords/services/accentor.age | Bin 0 -> 612 bytes secrets/passwords/services/acme.age | 14 ++++++ .../passwords/services/data-basic-auth.age | Bin 0 -> 621 bytes .../passwords/services/nextcloud-admin.age | 12 +++++ secrets/passwords/services/ssmtp-pass.age | 14 ++++++ .../services/syncthing-basic-auth.age | 12 +++++ secrets/passwords/ugent-mount-credentials.age | 12 +++++ secrets/passwords/users/charlotte.age | 15 ++++++ secrets/passwords/users/root.age | 17 +++++++ 39 files changed, 281 insertions(+), 30 deletions(-) delete mode 100644 configurations/mounts/secret.nix delete mode 100644 
modules/default/secret.nix delete mode 100644 modules/sshd/secret.nix create mode 100644 secrets.nix create mode 100644 secrets/authorized_keys/charlotte.age create mode 100644 secrets/authorized_keys/root.age create mode 100644 secrets/data-access/ssh_host_ed25519_key.age create mode 100644 secrets/data-access/ssh_host_ed25519_key.pub.age create mode 100644 secrets/data-access/ssh_host_rsa_key.age create mode 100644 secrets/data-access/ssh_host_rsa_key.pub.age create mode 100644 secrets/passwords/services/accentor.age create mode 100644 secrets/passwords/services/acme.age create mode 100644 secrets/passwords/services/data-basic-auth.age create mode 100644 secrets/passwords/services/nextcloud-admin.age create mode 100644 secrets/passwords/services/ssmtp-pass.age create mode 100644 secrets/passwords/services/syncthing-basic-auth.age create mode 100644 secrets/passwords/ugent-mount-credentials.age create mode 100644 secrets/passwords/users/charlotte.age create mode 100644 secrets/passwords/users/root.age diff --git a/README.md b/README.md index b9eb2f5a..30088a8c 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,20 @@ # NixOS config +## Secrets + +There are two types of secrets in this repository. Secret secrets, and +secret configuration. + +Secret secrets should never be world-readable, even to users who are +logged in to one of the hosts managed by this configuration. These are +generally managed by agenix, allowing them to still be put in the nix +store. + +Secret configuration is generally more security through obscurity +(e.g. some services that I run that I don't want the whole world to +know what ports they run on). These are managed with git-crypt and are +files that end in `secret.nix`. + ## Setting up a new dev environment * Create a new `*.nix` file in the shells directory that describes the environment (this is the hard part). diff --git a/configurations/mounts.nix b/configurations/mounts.nix index 45bee3ee..37a2e125 100644 
--- a/configurations/mounts.nix +++ b/configurations/mounts.nix @@ -1,7 +1,25 @@ { pkgs, ... }: +let + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; +in { - imports = [ ./mounts/secret.nix ]; + fileSystems = { + "/mnt/ugent/files" = { + device = "//files.ugent.be/ecvpeteg"; + fsType = "cifs"; + options = [ "credentials=/run/secrets/passwords/ugent-mount-credentials,${automount_opts},users,vers=3.0,noperm,domain=UGENT,sec=ntlmv2i" ]; + noCheck = true; + }; + "/mnt/ugent/webhost" = { + device = "//webhost.ugent.be/ecvpeteg"; + fsType = "cifs"; + options = [ "credentials=/run/secrets/passwords/ugent-mount-credentials,${automount_opts},users,vers=3.0" ]; + noCheck = true; + }; + }; + + age.secrets."passwords/ugent-mount-credentials".file = ../secrets/passwords/ugent-mount-credentials.age; environment.systemPackages = [ pkgs.keyutils ]; # Remove this once https://github.com/NixOS/nixpkgs/issues/34638 is resolved diff --git a/configurations/mounts/secret.nix b/configurations/mounts/secret.nix deleted file mode 100644 index 306b3ddc99406f42340580567ba7850bb7546b67..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 695 zcmZQ@_Y83kiVO&0IKET!>VyKuozXQX50$xbow`=4KK-i3!zj(JHkAJI2IFVqWfKVNfEe4m>p_e>E7 znQYTyeeKUjc5S*9Wp^*=@cbR=4`&1!=%i?_In8qSYsa~RH@yG9-fke0@b{$XvIC2_ zHBDp;?%BOsWn;6UMsT|O*&O#eHs4Q&9vqDJvOf~~>9EdKISczqtSmOEuh=h6WDbnU z-`8VZte=wZTlsHR-SNaTSIhs2DsI}huUucMT4~qWKMTB1b2;XAMwL7}aAmf9RGsi6 zmIM*+1tE*r-@Oi4-Jr z=6PHz)y2{R@9sQ*RrRUq76(z@A9I{5ThwL=albB751!nxs-tXM;*VRqzD6#}6>Z&d zCF{DWW$7v*->z@Uv-TbB&rK=5-=2T7^&o>!>9zZZz3khl>Cweuw`?V$1k4Qwj9(ZyiZ@PDM M^e678pK7=p09RXF0RR91 diff --git a/containers/data-access/config.nix b/containers/data-access/config.nix index 6297ca31..c291e8fc 100644 --- a/containers/data-access/config.nix +++ b/containers/data-access/config.nix 
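Review bot: Both `options` strings in the new `fileSystems` entries hard-code `credentials=/run/secrets/passwords/ugent-mount-credentials`, while the secret itself is declared separately on the `age.secrets."passwords/ugent-mount-credentials".file` line, so the two can drift apart if the secret is renamed or agenix's output directory changes. Adding `config` to the module arguments and interpolating `credentials=${config.age.secrets."passwords/ugent-mount-credentials".path}` would tie them together, as the ssmtp, nextcloud, acme and syncthing changes in this commit already do. The secret is also declared unconditionally here while `secrets.nix` encrypts it only to `kholinar` and the user keys, so any other host importing this file would presumably fail to decrypt it; which machines import it is not visible in this hunk.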
@@ -16,8 +16,8 @@ enable = true; permitRootLogin = "no"; hostKeys = [ - { bits = 4096; path = "/var/secrets/ssh_host_rsa_key"; type = "rsa"; } - { path = "/var/secrets/ssh_host_ed25519_key"; type = "ed25519"; } + { bits = 4096; path = "/run/secrets/ssh_host_rsa_key"; type = "rsa"; } + { path = "/run/secrets/ssh_host_ed25519_key"; type = "ed25519"; } ]; }; } diff --git a/containers/data-access/default.nix b/containers/data-access/default.nix index 49288bd5..dfcfa77f 100644 --- a/containers/data-access/default.nix +++ b/containers/data-access/default.nix @@ -14,8 +14,8 @@ hostPath = "/srv/data"; isReadOnly = false; }; - "/var/secrets" = { - hostPath = "${config.chvp.dataPrefix}/var/secrets/data-access"; + "/run/secrets" = { + hostPath = "/run/secrets/data-access"; isReadOnly = true; }; }; @@ -26,5 +26,10 @@ localAddress6 = "fc00::2"; config = import ./config.nix; }; + + age.secrets."data-access/ssh_host_rsa_key".file = ../../secrets/data-access/ssh_host_rsa_key.age; + age.secrets."data-access/ssh_host_rsa_key.pub".file = ../../secrets/data-access/ssh_host_rsa_key.pub.age; + age.secrets."data-access/ssh_host_ed25519_key".file = ../../secrets/data-access/ssh_host_ed25519_key.age; + age.secrets."data-access/ssh_host_ed25519_key.pub".file = ../../secrets/data-access/ssh_host_ed25519_key.pub.age; }; } diff --git a/flake.lock b/flake.lock index 7a378d79..dbd5b946 100644 --- a/flake.lock +++ b/flake.lock 
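Review bot: The four `age.secrets."data-access/…"` declarations in the second `default.nix` hunk are connected to the container only by the `data-access/` name prefix and the hard-coded `hostPath = "/run/secrets/data-access"` in the first hunk, and nothing in the file says so. A comment next to the declarations, for example `# decrypted on the host to /run/secrets/data-access/* and bind-mounted read-only into the container as /run/secrets`, would record that dependency. Encrypting the two `.pub` host keys adds recipients to maintain without protecting anything confidential, since SSH host public keys are handed to every connecting client; it is also worth confirming that the container's sshd never tries to generate missing keys at these paths, because the mount is read-only and that behaviour is not visible here.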
@@ -1,12 +1,32 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1620877075, + "narHash": "sha256-XvgTqtmQZHegu9UMDSR50gK5cHEM2gbnRH0qecmdN54=", + "owner": "ryantm", + "repo": "agenix", + "rev": "e543aa7d68f222e1e771165da9e9a64b5bf7b3e3", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "emacs-overlay": { "locked": { - "lastModified": 1624097579, - "narHash": "sha256-vy447LhWdLaikwXx3BtNdlY4rmgNM35fwZzZ5SyY/4M=", + "lastModified": 1624127230, + "narHash": "sha256-0Wg07rR5u4F/02/mJU+CjwyYryBHB/zMOz7ArEnMlt8=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "eb561e58db5ab3b52b1157da189c48a27fb7dca9", + "rev": "e9ced9b4f2e49488a97b20dc43fafea7284715a7", "type": "github" }, "original": { @@ -70,6 +90,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "emacs-overlay": "emacs-overlay", "home-manager": "home-manager", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index 83311002..804ec2cc 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,10 @@ description = "Nixos configuration flake"; inputs = { + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; emacs-overlay.url = "github:nix-community/emacs-overlay/master"; home-manager = { url = "github:nix-community/home-manager/master"; @@ -11,7 +15,7 @@ utils.url = "github:gytis-ivaskevicius/flake-utils-plus/master"; }; - outputs = inputs@{ self, nixpkgs, emacs-overlay, home-manager, utils }: utils.lib.systemFlake { + outputs = inputs@{ self, nixpkgs, agenix, emacs-overlay, home-manager, utils }: utils.lib.systemFlake { inherit self inputs; # This config can only be evaluated on x86_64-linux because of IFD supportedSystems = [ "x86_64-linux" ]; @@ -27,6 +31,7 @@ nix.nixPath = [ "/etc/channels" ]; }) utils.nixosModules.saneFlakeDefaults + agenix.nixosModules.age home-manager.nixosModules.home-manager ./modules ]; 
@@ -44,6 +49,7 @@ buildInputs = [ pkgs.nixpkgs-fmt (pkgs.writeShellScriptBin "fetchpatch" "curl -L https://github.com/NixOS/nixpkgs/pull/$1.patch -o patches/$1.patch") + agenix.defaultPackage.x86_64-linux ]; }; }; diff --git a/machines/kharbranth/default.nix b/machines/kharbranth/default.nix index 056dd2f8..101cb252 100644 --- a/machines/kharbranth/default.nix +++ b/machines/kharbranth/default.nix @@ -18,6 +18,7 @@ docker.enable = true; eid.enable = true; git.email = "charlotte.vanpetegem@ugent.be"; + sshd.enable = true; zfs = { enable = true; encrypted = true; diff --git a/machines/kharbranth/hardware.nix b/machines/kharbranth/hardware.nix index cbe10b60..f51bb43f 100644 --- a/machines/kharbranth/hardware.nix +++ b/machines/kharbranth/hardware.nix @@ -22,31 +22,36 @@ fileSystems."/" = { device = "rpool/local/root"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/nix" = { device = "rpool/local/nix"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/nix/store" = { device = "rpool/local/nix-store"; fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/A5BA-352A"; - fsType = "vfat"; + neededForBoot = true; }; fileSystems."/cache" = { device = "rpool/local/cache"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/data" = { device = "rpool/safe/data"; fsType = "zfs"; + neededForBoot = true; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A5BA-352A"; + fsType = "vfat"; }; swapDevices = [ diff --git a/machines/kholinar/default.nix b/machines/kholinar/default.nix index d748284e..4c8a2a6e 100644 --- a/machines/kholinar/default.nix +++ b/machines/kholinar/default.nix @@ -34,6 +34,7 @@ eid.enable = true; git.email = "charlotte@vanpetegem.me"; minecraft.client = true; + sshd.enable = true; zeroad.enable = true; zfs = { enable = true; diff --git a/machines/kholinar/hardware.nix b/machines/kholinar/hardware.nix index 88385f00..28ed3e64 100644 --- a/machines/kholinar/hardware.nix +++ b/machines/kholinar/hardware.nix 
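Review bot: `neededForBoot = true;` is added to every ZFS dataset in the kharbranth `hardware.nix` hunk (`/`, `/nix`, `/nix/store`, `/cache`, `/data`) without a comment saying why, and the same addition repeats in the `hardware.nix` hunks for kholinar, lasting-integrity and urithiru. Presumably the dataset holding the SSH host keys that agenix decrypts with has to be mounted before activation runs, but that is inferred from the rest of the commit rather than stated anywhere. A comment on the dataset that actually needs the flag, e.g. `# agenix decrypts during activation using the host key stored on this dataset`, would let a later reader tell which flags are load-bearing and which could be dropped. The `/boot` entry is only moved in this hunk, not changed.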
@@ -22,24 +22,27 @@ fileSystems."/" = { device = "rpool/local/root"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/nix" = { device = "rpool/local/nix"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/data" = { device = "rpool/safe/data"; fsType = "zfs"; + neededForBoot = true; }; fileSystems."/cache" = { device = "rpool/local/cache"; fsType = "zfs"; + neededForBoot = true; }; - fileSystems."/boot" = { device = "/dev/disk/by-uuid/BEEE-D83A"; fsType = "vfat"; diff --git a/machines/lasting-integrity/hardware.nix b/machines/lasting-integrity/hardware.nix index 07d24180..061ef980 100644 --- a/machines/lasting-integrity/hardware.nix +++ b/machines/lasting-integrity/hardware.nix @@ -25,22 +25,27 @@ "/" = { device = "zroot/local/root"; fsType = "zfs"; + neededForBoot = true; }; "/nix" = { device = "zroot/local/nix"; fsType = "zfs"; + neededForBoot = true; }; "/nix/store" = { device = "zroot/local/nix-store"; fsType = "zfs"; + neededForBoot = true; }; "/data" = { device = "zroot/safe/data"; fsType = "zfs"; + neededForBoot = true; }; "/cache" = { device = "zroot/safe/cache"; fsType = "zfs"; + neededForBoot = true; }; "/srv/data" = { device = "zdata/data"; diff --git a/machines/urithiru/hardware.nix b/machines/urithiru/hardware.nix index 603a19a7..b0aaac82 100644 --- a/machines/urithiru/hardware.nix +++ b/machines/urithiru/hardware.nix @@ -25,22 +25,27 @@ "/" = { device = "zroot/local/root"; fsType = "zfs"; + neededForBoot = true; }; "/nix" = { device = "zroot/local/nix"; fsType = "zfs"; + neededForBoot = true; }; "/nix/store" = { device = "zroot/local/nix-store"; fsType = "zfs"; + neededForBoot = true; }; "/data" = { device = "zroot/safe/data"; fsType = "zfs"; + neededForBoot = true; }; "/cache" = { device = "zroot/safe/cache"; fsType = "zfs"; + neededForBoot = true; }; "/srv/data" = { device = "zdata/data"; 
diff --git a/machines/urithiru/secret.nix b/machines/urithiru/secret.nix index f0d84f8560c2c13a8dd4566a21e3df9451064cd9..ee162c1cafb6263624b0a3cecb53d54ad7b36086 100644 GIT binary patch literal 2509 zcmZQ@_Y83kiVO&0aI1~-j2G!ON(sFgVq(keE&k^I%nNDS8i#LG%@e4KExkK`$r2OC z3%t+mFN$os5HD(-cx>|q4{I5F&nJbSD&{@=S@vzws^Uv5S9X2aQOLjOR*Pxt+k*xx z0`)FWIqLdRs@_;;4yO_Csa@A9=f|Ep7I`-)VOQIS`Hzk54KEyh;eR`xRb0V2K|%itXVoasto~H>-#g<2*ZOsr^h_eBF-e>AFVkDKs3yYjt$x63(cHt|^WQFW z|1`Nn;ZNzAxw1JAqT_Tn@hd*%Pi9&4LRxTM?Y^&Z%N}~(emLtMqh0T4%-WR2{#^IaPl}KDb#(OscO< zDpk1~-Fa5eLuX2Ps%@d=z5;&V*{0Gbcim*Ycl}irL-zGOA_tQe@8j#wbXum{@ch}F z&vWlT@iEJb`o`w-Fvw@K>aJ-CyB5bE4lMj|npv9DwU9w1xAX0t_x7LS9VZ{$kk>YI ze%O?}wRazIeN36GGR<3;?bYHJZx*wh`>^4hS9xIL&Yhx+aSTbx3L%s3OrG-2fxUHQ zll-42K2C~j?`o=Cpn8%n9D(tR5!A#(nMVC`w#r1_= zJDbnvzd3$x%m20Fd3RDvr-|;2KK^k1-ZughJ{q-nsI7S0IQg^V*9FVOm37!owg!ez zbvH5MOl0M9Z25L4J!jdgzbkatIDcJMIaz7x*?-+EQ}wN%S3O)e;Xr@sr>Nd{Q$PL8 zJ-P2e?B3aZTMy2Te;3eSX1y|eriG6?`+JdHl9QC!70j}wbxbP02W;53<6FZ14Poi- zN&aP~LFrvnEP8hQopkyDwA#$2%I>?)9r@0DvDxb6bHx+Z zPw!6=*s|U+S?a>PiVrtVEMm@ITK71+%h+pA$b9xh$&l?$A_44gW~QE)mLy!amnAuS zpZ%9jlM?x!H#BX_R#7&|*16d&wY{=h_FCGJB(9Vl=Vw2%E#zB0wavEr@5bHJ=hyFH zm1C|u@aw~#+w0n%c7{FePh&A@3t1p8^~!nb_2WyG_x{~}$S@;e|Mjc~B~dlsl6GYO zX}j5cyw*LhAu)^9@(80Y!vYqON!3%+74q|@)!hp&$=~;tgX`$kc)4%(o^^R$B^?v4 zESU7}+0FpHt+(~Uxi~LWnVq>R`~UX3*Ydk|i8W=HeBmf~*k15l;!od^MfFa7lSIm7 zXG^U2wm00q^w6}K6W7?)-@cs~zCLk+t%kzcjT-gx&yC&uwjaLb`6K+)rY~P|7G>9n zS+@%O_2{$jmCxY1*mA)+%uN0|SBmD*qc=puCziWh&e*n}=SxA*-4hYqXM|)H8Xmfx z8+XHcW81Ee%o#mDUgp-mJ#wLaJHz9RE9Zaox4U`w@Xt7dt(yEBpU<49 z+pcrDkE@eA`DibpkHLL%9KE9HB?#gmi4*hPWhWUTrI;Q_~-|Uoj zw6scSaPRG`4#k}Wt`JjN8;d0rmxHH$iqN=a{cbdj3`S3{1 zwG~ePU+L`F^_p|}=aQ{A7EJlTe#Or!X-k^*wtFWh&SaB0m-V|b)8$=F=27V_pABdI z`n~CG&!4x9BJbOp7M!(MQ+Q^Th}bpznuXVT&nR&}cDgg+z^C^Ui&}CgHZ?2dTrH4y z<Yy!ovKcGGPU2M zQrh<`S9nJN155Q$@!To$e_z*?EY>@4bdkoH9hc;JUwldpfAcToc6+^TWb3lSMTsKc z7hIORntkH?Yf)=;t#1ko=jbqXMJk6G7wljy+}N>_?esO(H|r&o7KZCixY(6*vxHkU zq~2a!>YrnA=%L`l>JqPhOyJDW@Z~$aN`k-o1pcE`zK{K@2tp4k=5OB 
zYN~r;oT9ycP~(F`Q-n9T=U!JlSgz@Cz<^g%f#sH7E<=2z==Xb?StSi#Uh?w{@=EV_ z{fTZYh+4jUUU}L%&&!1=n|9dL?{c^hn5OmO!tL&+pn&Lv=NnQ!H3l`Ty!oz_=l5Tw zT(7<2k6M;SFdk6uYMP_;OpSBKW&_7FsxqdH;^_tF9)-1j;@f=NN6JY>HuQGH8u9wT z1r>WYHH)3@*?v21mRR@8(;`pf?tN&S|M~d++v$>GeAoIM*3T>`OpZBq_*Uv$|N5wY zkMx&*FZma3es;2UdNx;;#MZl)7QU~4m$UT#MDHly8QWC9gj_tz`=d}ne@&S3c}A;! zvzJT%b)CAEeV%;ihs5WZzh&l6eLSn*&}~|>@{2o5&go5wWLx@3&FyDL(uXN}w(A7e zRTZY{`lyvy+H~{zn@`oXU1;|>by0Dp(lJLRqm^ME)9P^B{cdCQBc0&iA7?(TpLgQ;S!+St&wnTAb)@WJ zRXpN+R*sKJGt+d^|El0c2Ul)hov~!Ac&a0xyV@tGB)xjixHXRd4qmms@hC9*m2I}- zC27uv?o3N#DvWmKR1b3i8bbEYN#;31G=Cy`CJOKb}kKXhE literal 2342 zcmZQ@_Y83kiVO&0__}p&_R5J(YgVqmeKz&rTi4q;0qegp&&im5Xy4+Wt!bjVr~X#t zR@$u&3#)UT^`7|}` zc9~VEd2m(#oBH@g=&se#U+(MA_~7H)=-uD-vT=h?Qq%+OUA9@%r?fTYX`L5cy8q#8 zf2Y`on&%(YRERxEY_|W=HRI_c8_s`Tk#i2dG}6f59A+rfs#RTcmfiE?Gp89BS++m! zeVbg7xOf%ox43{e9yjV%eN(&lKWg^&6OEt4y2AF}H$T)YrTqM^*8|JsB}FOQ4yIgM zH~HDOm}N0LwH{W>Jbkf4)?IX;L+RD1%F;lNP4ADTm!&!_HJ@}YZbxQ;v+L59EWU_E zE>@cLtY&+*=trs)GOwPyUSrCGC`nCww$`iJj9ypEU%MQ%YCg_lT(tQ?Wzo5Q8^1%r zdkwcQ?=L3xU-paQ;*KF9sAL90N)58^lM?}8l zs52C#n6;b@mN)gPb6&iBu8ZHCg1ncPI)$enKgE9F?CH;;><1sZ`!ACH8!m9hsae1~ zNrlCExp__B{Qd>(brYXU%#yS@!YaIiOEWE7HRJs;tCJEd{a5Szz2Ljn$Z}iYcB1NZ zd#k^9Lv_l9%Xp8SL)T{mh4q8}ZaR(khQe&3YU zH7BYcuStFUu%<)(lSFk}@4Uw^&v3QZ&*ouy9K1Ksywy2;>;FK`Ctd=4wzDLC%X{5> z3L@s*ILV!}QRSUlX6#pUyLn%#TOSr$upgQ}_o~BdOHH56 zFl}z%AGxM9bx}aiXZ2+l-SUsFUfGewAJBE>a5cw_U zg@QxFHqXmv!-8*1i8`(oRg0g*Zp%?bB-b5x$1+V)Q4o97qy zQGe2bH)^Surro({yxHdM?5QHgE0*tma^~l*NxP(#P1}wX^{rpar*l+n?&*IVb0_|+ z=jN43n6p~Q{aVJS>2(1|XRTeJ^xN^`r%z((TECx2oVe$}xO>^$t=o8~T6U;fFa6N- z@vdm9Vduk^Z6AO6ADGDX#TtdN3Paa|ExUmj%y0*Tvk4VZU1iF z((YideYmMZ<#R-5cB#hgurG(bQWgoh_`@P-f%C8HLnM7>56>9Z5_Mk1-ri3ZF?GkJEO~eX`}vm}uAoj$CAr^lqDoE!+BpdT;*IJYO1a{Oj1} z_ROj8JM*H?SC(0va?} z+-$u23#Xz<-QCam{l^48dMxMM{_nX#`*}W}8^QX2KOb#7-qt?f|L(cu`8D%RWY~9z z1RmGC5P4cpWhcM=`Fn?wRi^bb%_+E0H)BWH|7(t~Z9P8n2laeg8xR(Kcjbb=LT0lP zL$snU9hbTD|NWkclS?{Te(17n^}P0VQsCcvQoj?AKegrNRed<=zoo+2t44b~)Wu$E 
zMjO_oxS{wF7THn0>MTIHjp2q`c4zI2Da<3D-&$}_j4Wf^Ha%za{0MAW;AtM+n5U%ojxgz28{*Hf~`Q|7X&KVGHG5m9;8hQ0RA z?$bF2Q||w`f8vf(Qs3$%svBR=ZB{|pF21w zvNis#;!Nkgum1{MdnpxtJ>JErdwE*5wH4PaThkJsbH;zq{fTy+u(j*?R8&An%eYg3RiFQHptM6OCC@pr> zTw;9h__;?PxSU)z>@xV9=C%H>pZ&76fgfTj<{Zm-CV&2U_1kOl7gq8siLa_wWVGfM izvOrF8cE1P>f>VSi#h}S8jgwVO=pN>3C<`Hq6 zn|vboWYvl`TjiCVf0U(nSnWAkw%Z|Q>g|{9ht9v_hznjeFZsq>=KA$u`*CQ;_F-w%cA6eaTU|!(l zRlfOBU&KB#&hd6&ZTCsu$0$}ddGnIc=Eh22r~ONlpUC>E_k6CsZKpAD1E=TCR*4gT o^H)6*bF$xh@%;j44YQ+`2^+hAzij-pG28IGfLFHLanX6=00l0gJOBUy diff --git a/modules/global-mailer.nix b/modules/global-mailer.nix index 06e27db0..888343b1 100644 --- a/modules/global-mailer.nix +++ b/modules/global-mailer.nix @@ -6,16 +6,18 @@ example = true; }; - config = lib.mkIf config.chvp.smartd.enable { + config = lib.mkIf config.chvp.globalMailer.enable { services.ssmtp = { enable = true; authUser = "webmaster@vanpetegem.me"; - authPassFile = "/data/var/secrets/ssmtp-mail-pass"; + authPassFile = config.age.secrets."passwords/services/ssmtp-pass".path; domain = "${config.networking.hostName}.vanpetegem.me"; hostName = "mail.vanpetegem.me:465"; root = "webmaster@vanpetegem.me"; setSendmail = true; useTLS = true; }; + + age.secrets."passwords/services/ssmtp-pass".file = ../secrets/passwords/services/ssmtp-pass.age; }; } diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 42338c1b..0c4290c1 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -20,7 +20,7 @@ dbtype = "pgsql"; dbhost = "/run/postgresql"; adminuser = "admin"; - adminpassFile = "${config.chvp.dataPrefix}/var/secrets/nextcloud-admin-password"; + adminpassFile = config.age.secrets."passwords/services/nextcloud-admin".path; }; }; nginx.virtualHosts."nextcloud.vanpetegem.me" = { 
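Review bot: `age.secrets."passwords/services/ssmtp-pass"` in the global-mailer hunk is declared with only `.file`, so it gets agenix's default ownership and mode, unlike the nextcloud, acme and syncthing secrets in this commit, which set `owner`. The NixOS option text for `authPassFile` says the file must be readable by the users that need to execute ssmtp, so mail sent by anything other than root will presumably fail to authenticate. If non-root senders exist, declare the secret as an attribute set with a dedicated `group` and `mode = "0440"` rather than making it world-readable; if only root sends mail, a comment saying so is enough.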
@@ -37,6 +37,10 @@ }]; }; }; + age.secrets."passwords/services/nextcloud-admin" = { + file = ../secrets/passwords/services/nextcloud-admin.age; + owner = "nextcloud"; + }; systemd.services."nextcloud-setup" = { requires = [ "postgresql.service" ]; after = [ "postgresql.service" ]; diff --git a/modules/nginx.nix b/modules/nginx.nix index 7e3e5bfa..b3bc336d 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -13,7 +13,6 @@ fqdn = "data.vanpetegem.me"; options = { default = true; - basicAuthFile = "/data/var/secrets/data.vanpetegem.me.htpasswd"; root = "/srv/data"; locations = { "/".extraConfig = '' @@ -47,7 +46,7 @@ security.acme = { certs."vanpetegem.me" = { dnsProvider = "cloudflare"; - credentialsFile = "/data/var/secrets/vanpetegem.me-cloudflare"; + credentialsFile = config.age.secrets."passwords/services/acme".path; extraDomainNames = [ "*.vanpetegem.me" "cvpetegem.be" @@ -61,6 +60,10 @@ acceptTerms = true; preliminarySelfsigned = false; }; + age.secrets."passwords/services/acme" = { + file = ../secrets/passwords/services/acme.age; + owner = "acme"; + }; chvp.zfs.systemLinks = [ { type = "data"; path = "/var/lib/acme"; } ]; diff --git a/modules/sshd.nix b/modules/sshd.nix index b88edd7d..6623071f 100644 --- a/modules/sshd.nix +++ b/modules/sshd.nix @@ -1,10 +1,6 @@ { config, lib, ... }: { - imports = [ - ./sshd/secret.nix - ]; - options.chvp.sshd.enable = lib.mkOption { default = false; example = true; @@ -19,6 +15,10 @@ { bits = 4096; path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_rsa_key"; type = "rsa"; } { path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; } ]; + authorizedKeysFiles = [ "/run/secrets/authorized_keys/%u" ]; }; + + age.secrets."authorized_keys/charlotte".file = ../secrets/authorized_keys/charlotte.age; + age.secrets."authorized_keys/root".file = ../secrets/authorized_keys/root.age; }; } 
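Review bot: The first `nginx.nix` hunk deletes `basicAuthFile = "/data/var/secrets/data.vanpetegem.me.htpasswd";` from the `data.vanpetegem.me` host, which serves `/srv/data`, and no readable hunk on this page adds a replacement. `secrets.nix` does list `secrets/passwords/services/data-basic-auth.age` for urithiru, so the setting may have moved into `machines/urithiru/secret.nix`, which changes in this commit but is an opaque git-crypt blob here. Before merging, confirm that the evaluated urithiru configuration still carries an `auth_basic_user_file` for that virtual host and that the secret is declared with `owner = "nginx"`, as the syncthing one is; otherwise the data root is served without authentication.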
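Review bot: `authorizedKeysFiles = [ "/run/secrets/authorized_keys/%u" ];` in the second `sshd.nix` hunk points sshd at agenix secrets that are declared with only `.file`, so they get agenix's default ownership and mode (root-only, as far as I know), whereas sshd opens a user's authorized-keys file with that user's privileges. If so, root's file works but `authorized_keys/charlotte` is unreadable when charlotte logs in, and key authentication for that account fails. Declaring it as `age.secrets."authorized_keys/charlotte" = { file = ../secrets/authorized_keys/charlotte.age; owner = "charlotte"; };` avoids that. The enclosing `config` block starts outside the hunk.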
diff --git a/modules/sshd/secret.nix b/modules/sshd/secret.nix deleted file mode 100644 index 7f05fbe39fe8989ae5334da21484ef2986dc5589..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1234 zcmZQ@_Y83kiVO&0@Qji=>o$4CnI-ZzK@K-KB2o?&Y1;SCIp6ejW#hk_w)|J;@d(bk zTk9!ib~*bmyZF!Fw}o8g*Goify75`y#KLDYEQ_kAde>=J38d)Q-M*}=F||HFNqhR2 zy|)ZH?Ux07oAP|?InL0@3yf5sA1`lMQpr1a<EVSZeA&sek$A2YcbDU;M=3} zE$aF2wEu6rIFoI{S7shh4bdLWJL-v2Q;*fH+Qzk#bxUEzAA8p~)d63&iW(kOi_Txy zrEqOk`$Vt(Iy+y?k-0s=Kc$HI;JcmEAHM0%*PFSWEz!wABQ9Jb;<*R=-MNM>kGGlq z0>{HJ>r=4~wd_G!oVQ}ZQ1ng8lHQ1zIicHpx36z2@R2i8ZH zg#`yVX=guJsFUXE^0p|Kr_wQ^>(kAhYDb(6Tf?9It_?iI{JCAjvg-6vdz-4sr-SVO zFdM5E>-?-0>=3>aHMwS@N&ER9k>9?~f7A7#X+~Aje9l!q8{WU;Fch&A5x*bXAkJv; z;)&`3#r@lh&)jpa=KgTbThkzJ-GW=P>(2_GUHoLhbD1KSe};!5tM*QN+hcs^z_r4; z_jXytCErvp);j#x=9+*++bo{>N$)!5J!ribZ)eK?Cf|LhmVvwb&qeD5Qa8*I;*_7l z{ZVK2DaTs@j4Pzq^S=2fYAb7Sd&=TF$LBm03O7C6bN>%tQ|tE#mIPs*8O-0?)_q@@ z@7=?*X4;iw$Db?tU2faRsj#5pz%37Hg?!$tvc|Vv_Ap9+j@f)-VcV`2Xy9k0~yMD65T9^_YZe!Hud(ssMo z9-n7yojqf=W=w{F$N`gkywR?&Qzrjw?g7ai5y zSEIG6;cN0DwoMz2etG@nWWS|*#FGCp&!gnZ;wdLrD76)w@78aM2({aLrz1z}T#2;| zTUadXZAW$nW5FFlvA_52J*MV(`_PtKxd)7&J;?g6-5|ymB0f8S|Du@gv#C@4g;D~X zk8u9FwCDNbuS?cQ9dD6!IhVWt!-qhLD|6~%*0t%BdmnCU_IAtoTeC2De%$hFf3pK( zj})bCm$`nQ&ojX3cy+wx6k{{5u(o(31+HpG_Sgf7`|D>_hj?e2A8ii*?cJ<>!|-@T zV1~=}z=S7)A5*_M`2S!NOW%Jr^bz;17MqDh`*}-jrkQ`%`@33A&#-LeYqi3+TY6;I z3TGFd%6jx@!juFZtxJ7V+FiN`(`KQP%|=yG!h=l7Z~<_=3mYuROFd$B*YEpo)mv668V2UFb1u7}YP?W;>Ct`jc8k=ld>Omk_h9|4 G(m4P;hgv28 diff --git a/modules/syncthing-server.nix b/modules/syncthing-server.nix index 81595154..b54cef77 100644 --- a/modules/syncthing-server.nix +++ b/modules/syncthing-server.nix 
@@ -9,8 +9,8 @@ config = lib.mkIf config.chvp.syncthing-server.enable { services.syncthing = { enable = true; - dataDir = "${config.chvp.dataPrefix}/var/lib/synthing"; - configDir = "${config.chvp.dataPrefix}/var/lib/synthing/.config"; + dataDir = "${config.chvp.dataPrefix}/var/lib/syncthing"; + configDir = "${config.chvp.dataPrefix}/var/lib/syncthing/.config"; openDefaultPorts = true; guiAddress = "127.0.0.1:8384"; }; @@ -20,9 +20,13 @@ fqdn = "syncthing.vanpetegem.me"; basicProxy = "http://localhost:8384"; options = { - basicAuthFile = "${config.chvp.dataPrefix}/var/secrets/syncthing.vanpetegem.me.htpasswd"; + basicAuthFile = config.age.secrets."passwords/services/syncthing-basic-auth".path; }; } ]; + age.secrets."passwords/services/syncthing-basic-auth" = { + file = ../secrets/passwords/services/syncthing-basic-auth.age; + owner = "nginx"; + }; }; } diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 00000000..8373e6d4 --- /dev/null +++ b/secrets.nix 
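Review bot: Correcting `synthing` to `syncthing` in `dataDir` and `configDir` changes where the service looks for its state, and the hunk does nothing about what already lives under the old path. `configDir` holds the device certificate and key, so on a host that has already run with the misspelled directory Syncthing will presumably start with a fresh device identity and empty folders unless the directory is moved first. A one-off move of `${config.chvp.dataPrefix}/var/lib/synthing` to the new name before activation, or a comment recording that it was done by hand, would cover this.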
@@ -0,0 +1,46 @@
+let
+ kholinar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL8MzChayhcVTfZvE3/ExwXpq2+LbihjzUVlKeIGoOL";
+ lasting-integrity = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKJmeY7j5LxWVv3fKzqG4Bvg/ZhOp8iwk0utpyMWMSk";
+ urithiru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrzOpyzDc5BVtAeb5//PnMRcp+9B+DjfU7p2YpaH6a2";
+ hosts = [
+ kholinar
+ lasting-integrity
+ urithiru
+ ];
+ servers = [
+ lasting-integrity
+ urithiru
+ ];
+
+ charlotte = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDb17zAg3zwvdYHNZqXSGYKseCz5281Ha6oOYPbwFYD"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJY5nXR/V6wcMRxugD7GTOF8kwfGnAT2CRuJ2Qi60vsm"
+ ];
+ users = charlotte;
+in
+{
+ "secrets/passwords/users/charlotte.age".publicKeys = hosts ++ users;
+ "secrets/passwords/users/root.age".publicKeys = hosts ++ users;
+
+ "secrets/authorized_keys/charlotte.age".publicKeys = hosts ++ users;
+ "secrets/authorized_keys/root.age".publicKeys = hosts ++ users;
+
+ "secrets/passwords/ugent-mount-credentials.age".publicKeys = [ kholinar ] ++ users;
+
+ "secrets/passwords/services/accentor.age".publicKeys = [ urithiru ] ++ users;
+
+ "secrets/passwords/services/ssmtp-pass.age".publicKeys = servers ++ users;
+
+ "secrets/passwords/services/acme.age".publicKeys = servers ++ users;
+
+ "secrets/passwords/services/nextcloud-admin.age".publicKeys = [ lasting-integrity ] ++ users;
+
+ "secrets/passwords/services/syncthing-basic-auth.age".publicKeys = [ lasting-integrity ] ++ users;
+
+ "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users;
+
+ "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users;
+ "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users;
+ "secrets/data-access/ssh_host_ed25519_key.age".publicKeys = [ urithiru ] ++ users;
+ "secrets/data-access/ssh_host_ed25519_key.pub.age".publicKeys = [ urithiru ] ++ users;
+}
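Review bot: `hosts` lists only kholinar, lasting-integrity and urithiru, yet the kharbranth `default.nix` hunk in this commit sets `sshd.enable = true`, and `modules/sshd.nix` then declares the `authorized_keys/charlotte` and `authorized_keys/root` secrets, which are encrypted to `hosts ++ users`. Kharbranth therefore has no recipient entry and, unless its host key happens to be one of the listed ones, cannot decrypt the files its configuration now references. Adding `kharbranth = "ssh-ed25519 <kharbranth host public key>";` to the `let` block and to `hosts`, then re-encrypting with `agenix --rekey`, would fix that. Separately, a comment above `users` noting that every key in it can decrypt every secret in the repository would make the trust boundary explicit.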
diff --git a/secrets/authorized_keys/charlotte.age b/secrets/authorized_keys/charlotte.age new file mode 100644 index 0000000000000000000000000000000000000000..fa839dd949b1eeef1295fb0d35bd46d3ff13d853 GIT binary patch literal 8893 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn3{A20OIL7nE=x~O zD>W;x^0Wvkh$s)Ps`9U}a0;&s$tumuwg_-eF{tz@axBdYbmYoTjYu?4&T(lcXdkS1yapWYgd@Q}d{D&*ZR_!d#Plm#}nWL(d8$cT>+O z%Z$pj@REq40C!8TNOZpyTNWi*q$_xb_!{S0dPGDRYdeNGS-4jeWqBIwyH;d)mz#Md zXjVxT2>YYXJn_Dm-|Llg}MfqM;3Xz6_!{Uq?YR!Tl)C; zh4`l>JEGfGnV4b{7O3E95aFU9>JjE!m0jR&mR9cS73x?XQtlS6U72E-UFsO2pPf;a z>1kmSWWiOGpPK7eQJPZ}QIu0$nQv}XY2p>`msgnPS>>IWm{jVOmu_Tk*IOw4=W=DH zf5wxBl@~th%bor3wrl^t_tW?yjLUjX2;BK`OycZXK9N%9!|%$HEUhXHeP>BaJ--xL z{#+>1!qqb}`ToI)n)2?35~c-v4=v}fo%#Q8A3yicJ2wE<|o# zJTYZ|M)89=N_WpN@90#voWnMYQET4={)@k+Y`7=sclA>yyT<;_6}ufnbdNe1t4Xq3 zPrD>wQ|EHh^;z|6*{iYAZn-S{jGmMDrnI-`tvj9DG10&$@Oko#bCSCsv@pC-jP^Ks zYWe4RUo=iF&@$QJJmp2hYtNUNCaK=04+2h2`oD0OpzO~XEPb`xmzef%4-wtSZUa{0F-7PD7F){rA z@4P)O{KC5%c3)zan9*WOR|h^l;h=S|j3k1u~#TbC@eS3f;(5kE^! 
znYraGe~s^)UV4W#?0;T3YM-~T+v@O>ZvBTwmLF9`_xC(MoYqlycao%MX|hMb!!z@a zr7>^P?zUa3F@bM|nEYkSgDEE~j{Q{lw1n%1!L0W6`o}#s9Qoeg)b?@JwaGi?sxCXo z@Z#4TZf5OuN)NYgOYD5!|}tqx6@^~vHx!R0G&zs=;n7E`rAp>5lz zNiGkszM1@Ymw-^CarxzmXFkq8rFlufi$lsb{_nHjRw|d1LymrFcr9`$&ZhMAJ=H@O zlY?I^?ONs}aj=!`W=!S=wrc)sE^53{ev^B5>wbDZhgH?pW%p#80F;m7pLw8Q-H(i|(TbOv7fI|oI&0Fm(Ye=BMKK zAKn%RiVJKxx7Ti+lgg)g=S16OQaA04obqM4`uoj#7VMX&O$k-onHhr6`&h%X;o`||Dnm^V)!1ApuY{^Fp!{59{ zpZktn4u3r5>z^BfqMNb{Ud}9@6591OE?r@3$=qL|T@DoYu(f;oY|;o43;Y$}>u>_HA?H`&4wVFxFo8v^!IxpL6JkhG!4-9=B`i zq@_-GjoUBrS~mCd`zz{?a*nMrV10KdXkPXUjj84zqkHdLZaI^?b+4nOk5FUv&NWBw zaxJ_h^>NQZ+n!F>>&|Q&ukHzVW@Vp|ULQaI>daFz=KfX=mT6H%`j*|izja&$YxCxJ z2j9MHQF&uwa?K{qBg<>Oz0P{wc>hu4q3YaKx~E%Mb;VQnE%)4a}i`}cGvv)hE@FwIsDXjT@v|#~v=gu3mC-sUP65|tB*th3r zqzq%bzToY)Eg=heVz}I&&og=D@+f%Crrxt`=}wAO@0X_B;Hl;BNvjI~dRM>f`%@iV zr{rZXl|BAkSbO*n!?}I^mdb5`tCwu!`uaASW2(kOX#olE6;}#&$gB@xZ4SI6-173u zQKK_?HyFINoZou;E&V(xscnXK!GfCE^0lldE-yOv&2duKfy{4`X8YY&ZrWeIuJ*jV z3uABIo0T!!7D&qeeEECzrl3Meooa_O7Dt$tb9`sMk@xVzeebV7#NTcFY;uiPnk((9 z+6mzepN_}>WC$%h*zu7${p-h?%0{gyAIwUKvHlcfkYIRkFZ_b_W12exHcWXSIRj{u8?3R38mWIH;a`kyi zX`=4S|8`o+dp>0jSd)4F)T-ldQ|&(fd}Z_GkHQ{H8PR735vM+Ek=eg}>HI(cpH9Dg z>+N3W)pu$(z5RQdS?^!y$K>DI4QU@mSD4N?wuw!Qvw?4qABfy)WXMbA@hj#(?RG)&hz%>7#Waqv7Oq&!UrRhT^M7A)B1l|(i^8&Q?MH=^ zUtj4}I$dPC-{zF;ijGzZ)pBXwqBZ%*TYX;(B;PAazRTPAXRXF<^=0~&A$*5?JeMrG z>G$=Ud*Gz~U01xFK4~TG{%E5eRJKR*op#l_xLsT+4Qu=NEfCR7E%AN2enQEzkN0ks zbZQvy-^XBX@2~GI{qM(GE#p5O%9)`TKD4(al&?$KV_-iq@6Rf~t9u@7s=K^cxh~-# z%RH%Z9aAn?MevE_T>@UmwTw##; zYxNoz>#d?z-?eLFLndxuGkoxR7DHNeXY$(XHPX+Tb|!7y5tpr>DE4gjuY^s-Dreu? 
zXxQ0qkNx^8lUH26UM#o6SnW{0amFT7&dMKMs}r8y&)wZn*-T$Z?vv^o^)E{W$I`Y^y+j0XK6IQg!)e1h3ltmuK(NSKmGC&gNX>H&h+1y?V~{IMr2(#yzezW?ce{_iEHY)@XJFDY?GsMVd@bQ)KP&HuF$ zJ>SaTDOD}xF#XoTomBhqs8HM%b+>QLNnS+_Y_Y}71z8Ob0$qwNc@k#qcfWO2x8;hB zsGxO>=$^Y%ALw6OxBk~%-fX!zmemLEratWXbo|&wo?ngUC!gQ3;cjX^f2Pc(1KZq} zJg`vF>^HcxT~GAY#U<7KoAj8PXIu%JIg^RkOS4nT$7f5D4x=RZvCA#Nzb#Zh-_V)< z@uASk^o=Zw`j7qbFO>P#*t zAFJk==+VT~@i_EYPGzoPft<&OZ!b67F8hAfGjo+}$>jTN6)aKartgm?^nP7h`ms^& zX-0~i*|I}_CyN*zovITbo}1UPf0>+$zN6LoxnZ(VQ{QzLd{SQKpLx-+r*eO#(K7Ax z(L%TCGbQVGDK1ZcSdvoxbz=NhX$^_XaSH_mSGU#N}3m(iuk-O8C;E*=*!YdjDwAYIM5x0dtg_F`AXJ#W|b%~`J{I(Kroq-)^e zNRA9oS>x+w_rF$In5f(j{{66P;@S7rfwM1u)y)yO;vsvfg43j)Uu|>#F~7BTDo2?N zV;dg%%~F`m9dB?mUnJ|jA+z3={6{uB-&uazu+=7oPv(T3f@M$pLiJlhTa^x9owDs& zhDp-J!u8UpANVT@9b36+LI%gV{VTVyMZH=$&#!CG&Y8MW4cyyn7)@H9fB1WN{n5Kp z{wp~W{yzD}|EX*B#ET;8I`vMb%S=vvnwfF8C-sk|WOvh=nj#bVm3b#z{#K;yHd>i? z{##J8q4kanF6tI-4&|5T9DB++bpn=JCpxA23+5>A}wi-@g;qgi35s z;9j-Y@`S1LzDbu)O%R{<|HOrqLw4IX|0(Ic+jV*2^8nAMCQ44_uVU6loiABc?%$B3 zliRhb?sA>Sq8Ya9-ngxBi)WZ}A$H0`?t=YK=FjcF^ZNBQP0>$cMwVV{d8)M|etogK zZqk13yjRJWDcXBKU6E-w?vp)u&VN_=$&Hsg&R+en`s1Y%&!6Wdc)Y3_E(&hhfAEs} zRvtY8IZrP?-H(%sr|sAfTd=U#KmM90|G;?B7Q`RDzMujSt6E9yM= zO*D$T@6Po2)%yQ0zE6GbIZ?U7;QJl9Q)+cLOL+fm{Ux$PeaWLI*VX^U&w4iNheWu< zrjTY&5$jbam`ptbo8&rtl#i~ej@)MTa9{oN-W~6_(tSDvFNTXPo42UA_Ta?X$v5U5 zGP`#oTP*lPbK}}iOfD;g^L78XJbbn!T{WQDRA_gAm!kKygtSdHF6D1uI;~T=Kfyuv z-+vzE?1YLq8%Bmh&G(+0Hhl3n@(_sssmpZYjA>s_(~j^8gQ-S)!VYJIhHq1<&ph7t ztzLxr_xayk7ymq(u=&NM?PvV5kIJW}rb()OVJ|TgKl{4uzQ{9w;ajIUH|P7G*ZSPY zSCeTwDSgtEP>oNK@07~AHm2r$GO;(>`ZDXfjK${vH}`#C{_bt7F6FLbSmfBfKw zrrwIGcM2J58p^sgyVb8~q^T+JKdIks5nE#2bia_*x%WQf_ftC!GFUgB>R6TJFv)vY zx|CwvB#s@Y7A|g(TB4)(X6DQC*_HEdHMQpMt6nXrA-Xr?%Ynxe^UY>O@yweWRBvf` zWQ%ls^|96Li{q1PHl(cWdGhXX-htUkeCb)o>@Hss?Ogm!`+L&9yN_JsqHKPi%bYI$ zUt!V~txRi?nEDW=1J-X8Tue@{;fP^i^pjwS>NUIU6KN?Qd^)80+?}HZ6GXRb^6qwG z_+23OI_}-&L;r8|y6TJR`35#^PrAXO_w~DjN8r!qE2kA7zSsZiA`@`r-x)Q@qJ`H4 
zES4{i%b$0OS9pB^i$>+6r)LiBOY-MXe%JjXJ>$sFt75)6KWMp7-xr2A9I$cSe$Hod5h)nHKWr?1$6m z1Ja+GP5+huc0-Y%!m6mi_{E1x{qHw_d{p9MwJ%l7E-kk9r=Pc4$eg&Y86nmmU-)gE z`Eh;q>v!6>YfjGQw4SS6+va#}#?1XsPKGdk3E8W}^JAZ~pYZi5zHhIYub@OIvOf0h5A*%kwsrfBa%7Z8qckGLy^dKLs}3 zx+L=b`|BM$-~IpXn)>|DgK9B;rr0!v4|YomreE3Jr1JKR;`(*}@(fM&laI~gfAo4U zw`=UGHjq~S18@YOS|td-|C%l#BQ(9C_# z<$*M}O4B=!o`pxcwHMy-e8-&Bsaj_^b-U}M*9p4z&sjfheU((P?MC3-MHNf+3r?CeC1mAtG8!Xyl*|cuyFs?yp|jK&s5gFkM{fbB;=StQd&jendBwc*u zrE>g-@DEp}rD=y&6>`QGAG7A!+`Pdg;FjW(to7xO%ejvj-A^&wb$*-ewv^p7*UdJ6 zczc!hd{K=bS4%lo##rpR{URx7lDnek&xcPNR?a#1`^L}E1xkMNxYPDUJo_Od6dL99 zG3QZuz=Jg(j$NAOz2Ta}Zn<@*WvUTl-t9tiN02!@c$~2t8PHK(o7d z-R{nd*H`@4E^~ZquI?5!{haKbEBX^EHyw)G7bezniv7vLPjW`fYZmR5T)r}-pHR6|VHhnpV zNjO(gT}-7q&9+{O$(Awq^r?xi60L_n8gJu0w&ZBI@rz%Iev^t;)>y9 zffY$Do5W5f+<7E-n>(w0<$c|*yk#ygb1MQCa>X4q*)KW2h2_*B`!G=?zl(! zzk7FQ@;}zSb(X8d(n4SCUlVlGq#>j$TJy+nqtiu=(>F-D&pao;`qQSHMmq1@Cr{)| z`0!$>-{s8ZIXWk!;x~yLSFX$Xeobup=jTz%8gl{)9m)cxZQ1Clqqpc#<;(!7odNpK z&+1LqUZE1R@@js10Oyt~>4#UGZ>YJm`^Y^5ch91ZJ!RQ}akJtkyY!Pk867@3IqvqtkX^zbO+M!y|FHRoPRaV<)1N&;HwyWr)i5t833y^@@btxh z3lGaq^Y?y>4HD#E`JB`EdURHHj9-}1`{#*Iz0R1Lvv@>(Zaulr>h5aM()ThC7M;=g zpt#-MzBnuLGN0V;#RcYZIXQM=32(C8KiK4-r-!|5IR-8$Qyt?;^ zt*_C%>J3{Snx0*ytGVTy=k(}D-cKjrYRH(kXrH#yxhr0|ec`rjGnEydrCsoxny~6X z!QQB>9Ql){#Lg%53yU4dwB0EcKkJ~LfWLbT>*RQTlbw7AS+`Ul+>qqm&%9~lrysfg zcV@QlJ*jqBsc?$^1&0SmPb@y&+P33S_r9;4wev0&ybf)B#m^f_?wE zg?6xcbgZk7`Lgig9EK!e{??oy-&Zd`RlUButf;>KAPdX;4GC2mA5A)~A6&24(LenX zisxU$MA89){0bKeXTxY!TZ}o9NI%0 zXL&EX`@+GvR$S_q@QY4^T>_gvD*W8*G--Lel)rz&#D(oj&-SvN_`>mSdF9ENE)&1y z6X&f<-K3W|`FNq%vZv)M8<~~E`L~C#GCBBs4BE0c;~VR)P0>d$9{0Jib*;0EQ`xlQ z-4b#+=Xk%loIZN@-X~?NWYGmTH~mg^71?koX$to;rh60iSwvnJd$Bgo=`M%tnRWe> z_*d?_`0!p~fSe7ZhjSsb+xMc|A<<3qd*=qdKG@59#DhuEg@ZF>)gQI|-(hvT_Z(XB zhU3IGuSea|#r+>|aGIWPeO>k7*p8a#VU@8C3|j7?bIvqxcH6e>%*EK&jeDklb@Q5X zh|fS^Vfgct*Qa)`Ugs(@Wl=-Hx*a>45&Fr7pJg3emD3@9t^3pf^rpdZRT+Al_Un|a87Pq4?``2>Ev&GvQTv*~e zk2s%t)}t=4?3}DpOW@!83DVn7%r0No&@XHo_~{+%(iCm;{jt>v>J!zUd8L2hnYX23 
z`2&CLOYiP)dpPBeN7gLu2O=jK45YPVkMDhY%j|&ZLMdM-|5(iomE-6BT$P(wxFSI)%VEp1ZojkE$y-wuLgfw}vIzSg z_}44rmDv#wM&G&>6V4a5d~3Y&)K*2zFK>~PgLK#~gO@pa+!M8;ch7TO%l?$}v{%y) zk1zIY+)n4qFWs%&s8J!mBamU=ZyDXrbnV-ntkJ9aGxiyWB}sNwNO)RL?UF9{xpCuA zz_-Sd{;5Tw)vt1_Cf@Lo@@ldZcCYL@zs%A;Te+5Ht+d^)@<8?a+3X*ZcD(wqlYQd( zYi7)vag%s$YQAl>oPX-q2QRN}hZb&ZI@Dj#BfR>ApGdTwVa3t(%wJj3m3BKzzAu?& zReR&Jk>;F9AD=mBC3`G0c+YoZZ`hG@QV04@)oHdx@hK@}uSyL$qUe0{)JKog2o*nsGfvEUq;*h+{{` zl#k6j{FEFFwm8jWI(OxeXtnOKr3drH*J$d7)m{3;l{LltvV48y$AT#7_3N+Pma~wa z@>g}KZN=StRfm{&Deai_yY=ZNv1?v+MJo=!f56Q1m|Nzd!o{?k(~fzyN0vt!7bo9+ zki4DylHBB!SX+-(hstgVJzO+((%QtY+1fi;#Xs}ykVE2sDLV>^YmfW0snnE1!D7jpJq)Ts2=XRqws@)U1Ke z_OG4!&%JAA7v415{Nss;K>5OH8FQ=+40V51s?D3aUDV^JX!5}s8uE7z1(>=Y);-JGy-Q@$j=k!& zGrwMN{POwk&a?B^J`Ov>yMt}onL%WNXa~ zmq>Wrz2(H!n99e^N-1yIm!0PSUch;yn^UJ{-iEjvb;s@+@6hS#TQaLLf;ofPo8`dK z9JYneeQkqpFcdjo_|q5oWm)7D>*EXmR%Bk&^Y|i^?3!|^`^x)U54JI!>^D9lE|kN$ zd+FC%|J-A}8r~GDo?e--#jw|R=?~QlVj6Qb58a!?c=K+7%2QL!1d9Q@D#U33 literal 0 HcmV?d00001 
diff --git a/secrets/authorized_keys/root.age b/secrets/authorized_keys/root.age new file mode 100644 index 0000000000000000000000000000000000000000..f2735d7ae69d318ec501637a88aca7a1bf334b1d GIT binary patch literal 4808 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn3{A20OII+@GY%;A z^iOm*b&W7Dwa7@S)Hlj;bG1k_3CT6d3{6QfPuDNZ4$}`059Knph^&Z=3JOa%&d)J5 zEHL#ocPz>At#r=`F$&2@PP81&D}XLJkmHV&DgopAT2LBIUU_L%YZajr$7aNFLw)9$AIF3un4z`s8S23jL3}a zL?17=3XlA>Tz98j%K}fo#1d!yTu-jj%1AHwkdg>(!<;OW@<6wu!1O?Ux3b*y)Szsm zto-zdtgJ9^*EF-xG*@)niY<$hEYcM`Dm^RxEDB2<%_@wdJTps7EOU&Dt9(MdjLR&N z45}(ae8aP~^$qhQ-8{Jx4NWaWU4t!i%OdoX%nOPPa=e^#ay=@m5|hkw^3yzuJkw1o zJxy~;O(M~4t4vHW2@6!P&@L>os4z(h$q25}cPWpw46E=+aq-FU3XL@O%c=~u@GXhT zE{V|BHq7U8%M5pR@^>qD&q?$v4E3-yvq(uX&I=FENH;LfChKSNvLDCv%jUOVNhB~MPY7Yn7fa2wwHdnK}o)gVLsOi zmo2HznaP3`o4^11A*i+?E@b(ynCtciPvw3FNInX1Dq1 zD%A}Rf0O>%c{cQR?c-T^>DSv|=5mE!j8|Qry_VnO&ey{lU(fCTrCPM}lLqr|Aye@P z>y{dYmpdZ3_AR-v@WrOC&MWNV;yGX5+DQDxV?Yg?zz2H{KBWdYfgtTJ~}nYHKbrN$ER~o_kN71iIA!aHe%Oj zsG4TJkExn}g8juSJjah(ty~lFR4Y|no@w%d!wyv)3;Vu{O#Y-W-SK(FewS4;_7C^O zC~~(1_doV{HEFhXf6cYx*Ev`JU2yU;H#xrgBu9K8m+YGphvqGCG2$@&5On2mKemM)-LYuWnsxRb7j)v? 
zdH*=I^cghXn$r|wAe6k}ZF$=FQwz6RZ!w$Fz_hvCP_oNA=jP-!^Us@@RBL~jkiRH2 z<@)v8Ws0gk^Ys!Pw`QMv`GxQ1;==UBE`J{UZT47db=jpn1gzOqLY?`HJ|5jv6D?Mbs zzvK17Y++^Jb>GiTa10TV`MzmY=Jt-m`lWL?(`&XbvI{7VIpe7>yv?3(`{dq05s~>k zb<+~_E%RsJnRNO1heIt_m;cuNafpwn_4}<0BpJ!q{(fe`7szo#3UbFmv%AEJj2O+U+*CW@}`8ytdvp34v@o)7D z>$^fPmZl19XX4%^sb%)AlIcij_w=p0DswNbaFBA7(J)-Evvh8<zUiFl zwpuj$gu&`1$#;(5_){I=t8nJnQNOcyn@W792QFCVBDw4Er`glLxOBCcCzf|VQhUpA zKD#Q2VfCZ5hn6#@M7Vw{vbXZtE#xBLcJT$9t(3TXdE<$tW=x+}yq}-`q4>y)Gjgp5 z@;`jskvR1q_fO@}L(}DCwFC+dEw5U5=Ed$XpLciq^w{#(-}%i_+Ou}i$8hagiQg;w z${rm(rN%w;lf|6^J3GaqXMguH{FoM|T?^EyS&E9tN19R%PKij@7jp%v%^tbB^EuRxLOLacQKg#CP+AzIi^6q4l ztUpnIHf)=G@OUMomF4y`ogMpZfAp;Wf7SA4vw7${Z}$evowgm&Ea^1mZ;ljHltvhy_@`slOuG31yY#qv-!_q zx^%C-V3Ea#3jgQ#LT5g$3Vst2oOEV$^jX<}w%oj3vMlGLS?nyg#e271Kbl`#wPf8q zyTbP;j1y8LLMBO0sj#g$?~zg}_1<+m$Aq|xYATCd^nc7gGH1@=!@pm<=;lAFEdKQN zXX^ju4lm!ddC%Lw;qZA!C;P7V6EDACmB{^4^R3r3hc!30hVH$(W3S_$Gj%4 zkyU;?BmL!y`N73W_Pp(1Dsv|PKglb;Y|34G!@s&eUrqeH^}QL(f$`Pb>l(ND{~hWq@=HzW&h}aKckyKD&+Zi(MN={C89WpIp%;O)8h#bmYIA~iRP$zf8?>zE!}xCTsEJsXBDN0n1;S+ zIMWd+?4zmH)zP-};upP#H8Hbm9_*>IvpvX}xVI$Nxn{b*})UqEhHX>ZLnT` z-AA6g@z&Lw&$ROvuAH=J_LeMtiE|%!?$p3ZwQ-qX4sK>)KE2iAnzzy|zwdrrYv!9@C2gw#Up}e&@{eFQ-p7 z9$NRWdCF<|*6!kVm49;={?(kfTWXC@vc#lof@^z^@@|p}S+d3^(mgckNrBqZOm;`l zGV@95mhwr{p0M0`pqHRhdBZ{c;gOtchTDBkc|ZD@{mbOp!TPyYU)x!$^+it>KW=ql zcG=y=b#Zb>+5ArTFLHXVRa+LxIy>xN@<03G%iCY)uYC|Pcfm2I`nOp|J67&zm@(hZ z#{Xibf28vEi1qe=kM!pTJ`QJk|Mz(n>$+cV3G41%+T+=|JO5l@Uj1?rhBRHqGxG8e zm=1K^|Hr*Hll9+&_*)j0{k>OIJ{1`h(}NT#5g~= z-txsZv5fEAE1Nck#Pqz(m{}!u@uSP#ANIf2&C7|AIUQhe{okIpggG0y`H5k6;eAOIV;*jvF=FlYn5qQ^O-&<2%kGI&d)#j_C>>* zDHHXt*=J0cYJcNxm5_%`vfceVs}&;r%ujG0x7f$LBUin*|K^Rviat}W!?g!HEdJj5 zBeN>K)NXQvLeYLxO@q#B{RiI16o+d6pL(wLsMGb?Z8H@>tm^7 z*N&X=Sf$tI6g-J@Zm#V6^NMmYZ_1ZN&GF8Y;)rE$FjkZKuG`0xE;VDHTTyN5@5ryd z(-&3UG|1)Z%}?6(%V={2d!or^#@!*We7|aBmNTy5I`==hhcjTA>a<7QZ0bK(x$T{l@bJgX zlvf@`+}|GcoacKSRJ?n0sr!L>F{#V`b<(?<_^L(S*q;rRLyn@5pRd%TeM_q1z zHb3{!qvM%AJ4{xd?DIDLFEUNT;rX=0uSdNPK0e5md&qF-FO^Ryx 
zn0>s7Y2L1fJ;L`2<<2^V_U=%ew|WErs^T-NYq=kEE|SgNvh@v*hGkftZTwQp8FE_t znRl=$^~^reajSUa)q4+xPX!bno6Pu%U*PjUvz2m|Pum=KCtSGKb)rAoS^fP&4ht4R zlgCf9_=8p5KOErNxqoiPl+#Pp3nb5KZt>s$vut+sUz?h!&}gJy2TRKCPDysv87nJ3?mgqRrQ^tk!YS89eui?aseitQ z`>3DwY|-sM73Wfom?#58AhbRGRFw!6mawT7=&)wU_C4URoBZ9g{ii9YWYx!w9r@@kv!cpp@o z>7sJfJf!8Lski0*RY$(Qb@|)Mbnw=W!VAtWCO730j?|uLoM02*G;Q zs_N!)@2XYYhd-q6zcIm`!DQ<H)mtX%>(;H`_^*gyty61_{Qs*z=4TzLx2Zcfd%KCg=cN^a42m<>No=uR!SQxM-U*}l>cZvwLO3|v zEsv=w`iDMi>*wo{WGY#|?sE2~`TyeI>|Cb!cH*3wjPw8GpO)&>T(YOqYx%WJ(;^gg zGmB#N#KQ|z-^6qr*|4HuJ&(D9yxrk3GU?%VhSxo*Q9O@uqlQ*!;!a`nc!cl1ujcGGTf#D}o6qk8ho;C0et~)aB@B1o zV0p0TY0dB3eJs8m=1DDla^VdL-Fj2%GcK z#Ygw$rgt|lya+E};5#eh{GynAk*~|S^*`G=1rYS%Bi;3gvL$`Wb zv=duy2TXb;u{SLIWO}&y%sP)vzoIJ{IlunNXZ%(E3m4!u zq+Dg=I@^^ywZ56XR^ik9?0aoLzd(+)-e2!X26_D(4)FZT0taWgW^)-KR4O))672=#Uj%;qXFHa98=_4KREDEAJF zh|Dl?_R9CqiYgB)O)-c_Hq5ECEGkbk$S}?G&qued*s>_eB3&Wf*)Pq-)Ggo3%rD*CH%DAgMCaq9Q!Z%q`tG*Ad;e%ET0tut0@~Wc{?9!pgGX!VKpU{VeB9)4Yn{ zu#5ulDBrBCz?@)Dw;-on{d5m6$8@f$)a=q?ZO5<(XUDuCcLQhNq$J1UD8qD1)3D$i z6PGAgv#2oNa6?bC)IgAJF;*5%hWfhcMX8C!sS0LXZV{%YZh?`J1=(J1r9MRw=`LpO zNl`hG$x)`B*%lE2g|2zQ`9&F3u8v%~y1EL<{^k~GAw{9)!4ZX?nPHB}uHFVYCYDjI zA!Zf&dD-R}ZYHKhUSU~2F3DVj)b{kZCM5z|dG?kD0~xa?X!UB4lI(CGMbt4HO> zW8D{My?q~=m9zWvme*%ZiZ+_N9XPSUs`&!D26Kvd!s4eQ-@O0+Ikla=-;nj3#--Ao z0&?3NECe`&B};z&)v?+ye&gWNlE><|7svkVD>)ZeHl=^(nw7WT%0JSL|0M5t?27Mm zscuP+s|s4D*g4KIM7_zmepTgsk~vei_ROfmZle3k4WF)O&@0F=$~M1x-uakJ+%~<8 zo3kyxbm;tCac%a=LoJJsn!P_`x#(tD^d;W|M?TNEd;GJuiQHT+kC^q`234`0m)AV* zd$&b)ugmMK>qgsmnrg5r+&AiY@c!wn!XqLQZBl$OZyYp^Bx*R+J}roGoN~mTb3cEl zilFI5!!J3T#Aa{oGd{TZtnsaV_e;B3y~}EMKc8!LsqoN+P48;>w`=Wm`qkWZo5gWK z(bV-UbHna-|MK7UC|)glPsWSS%t3}C9MueLzv_5`cEz1}>msTynR4XY=a#SBeuig_ zFBMA12`8z&F|P}a+#1(xciUSuXA5K1@A65zOf|mpRB84cHhl7S^5?%rGj_Hu=|7%h Xdt%n{?*B9M+g6&%cukmnVQD@9SMhO2 literal 0 HcmV?d00001 
diff --git a/secrets/data-access/ssh_host_ed25519_key.pub.age b/secrets/data-access/ssh_host_ed25519_key.pub.age new file mode 100644 index 0000000000000000000000000000000000000000..0af255f2bb2a208e24ad7786f482833fe7a95279 GIT binary patch literal 595 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT)3`lcz3RK8RHuvyM zv$XVb%*is$C`>92@pLS)Fv|B!jPeZ1F$s1zH_yp&baX8VcI7HbHgFH9^sNjk%gA&r zb~em+$}EV=un6%qO3%#HHp~r=NH({qD$XiM%|^Ga*s>_eB3+@--N3ift0>1ZAj&wj zGB7wSGONhk%q%r9tsqCcBrC+tILODbA}=a0%#kawz|<%$*FD#(vPeIvq}atXARs5K z%-hw`G&I5|z{AtfBfzaPO+U#Zy%^oL%ET0tut0^tbOT@0^hC=_?Q|!TF#od3B+rVl zLQhk}aEpk<5cAMPBcn8@@U(1;Obf1xY;DUF-(vUl@TxK&*YwQPB-fybQgeNaVxOGC zk`n!7uhf*#oJ#X_BVUkh(Fq>*+PdjQsfop@3VuoMiXqir3O+6hh0!MFT-v3TQMr|# zp;fs?em*5dp=P;mp#jdt1@1Ze1sOh(rChqYx(ewL#{Q1EuKro(=|z4S=9Yo}xsgd_ zIXTXSxn{X0fx)f?Ssn$29zm%k*<1{9H?Bk~o?+RvIqfq;r_?R`XPw_|Y+d#wtmb|7 zT+LqaEcd0eA}5^6Bd4|9^qW;& HeqlxcP6E|T literal 0 HcmV?d00001 
diff --git a/secrets/data-access/ssh_host_rsa_key.age b/secrets/data-access/ssh_host_rsa_key.age new file mode 100644 index 0000000000000000000000000000000000000000..2fd2a9449d7e4ed97005c0fbc6f73f5d1d04fa96 GIT binary patch literal 2246 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT)3`lcz3RH*;)wj%W zP4_8xPw~nPDz@|}FLo{tHF7OAF>o?2b1KdbjwmSgcht6UcI0v~FH8$}EHO4MO)~a0 zGce8%@iU0>^ViNz)h{bC(5^@+DDaBRFE#RZ_C&X>*s>_eB3;2VEiy4Tv&y5wFg(J; zqcl9TEU>I1D$+c_G9@_NKO!qEJuAh@%&pR(%9qQj*uX2mINaUCEj7R>Upv1%(9to) zG&wUhASungEI-dIG%2aXFIZbYz!lxL%ET0tut0@!p9(+6G`DQeAjh04$85iJ|CEYA z?R3YCBA*nukg9B_2ouW!gMgqg*HEs=+`J64)Sxm$1553qvg|6i(tPh=|CDqS10QoI zV|^d(Jfq~0Vvlmq^n8$Q%HC0mM)|twMX8C!sR~|PffiZ5hAAew?wRH09`2*{=Q`|eKjUjDOcS>vihpZj+1Tz`ja%e~7dtIcL7CvGix zxzTIULpzNRmW(HxADk$2I(U*{Z-bcc$$pt7`{nPq1>I4O`t|wX8IgGlyPwTJnkyCE zep*iAk<1_718ET(j)gA2_^K$s)^N)257OG9jy6VHvje<8;JM4P#=i}wH z#?y`o8&h7UW=4DI70k6wk3Arxu>9iP*YB=`B>Z(<$GGXf{-GY%Y`2xk|3YkcY+;q% zXnpLQS#{a0BmC}djO;hL7k8u{=dJ%cZ$f*C$O)77HIH%)&ArVkYifR;{a{^EBk$Ps zdM>l|4awhP7cZJ_vziuItMyI#*)H>lFi-yepHu2z%GTel*qqg-C_E?Rbf5mL;;63M zKcf$NoDMs2v@780-47kdJxx6$3MOT7Jy<=xXZ{Q#8lpOuI{2=3Kg~YrB|nXJe6cBkuq=V@2A~cid&!fifGB7i$3}9 zbK3iqt6R9*R_u*sVfy0#@N<8FnNqh{N>;GXflCtt=ca!POP-{zc=FbpughFDZwEdS zj>)`*Gdu z9dj!Lte2@WbbL8|^-IV6HJ<9~g(tK9v@gvJJ<+->|L=9nU|u#CGq&D~AuRO?~uc>HViGqxaftX{}l{`QW#Z zB7M)7_0uoSjNG^7u*#z}g)DZtH%lh>tvEcjV)4IUD;;O0s;T~%vGKJ`AJd1>sV$}= z%{OmnO%gq8F6wK<$mdh`KJ8yb5^F{1#J%ay&vZ|1?{d3-_FbfoPpIaPT%9%6Z7zu? 
zaGU2<`flf2~LI~-0nF2^{Q%*neOWz=tH8-D3Fm(K40XB+!+ zs^gON3%7aPw$C<7U|yXNnR@<$%BzDjboTw=E`4$RM^{SWbXm8Hzw=UBxzBxE8uInt zMAH@Vt%-X?=7z5A&aqOT`{>DM-CaHFRsT5N(Rw|ne~LI4N9@mInVU}u)^=&uDlooC zeeSt{_lKIF%I2env$j56`(oXhpckKc8JAW{yh{w&Gx_y=Rrl+Dhv%|LEcDdp3AdWn zCTC{$&9;5P>CV4ddqmDpp4FRhF7@uMi7M6%^Et#q3?EHgwsGE0)z|;@>X=!lxh_d7 ztec1 zJk&x?(wfot>BYK=NmrfIySL74Sdv`(PIR4n`Lk`C?wxzQV0lU&>+xl`4K-2{&Pcu$ zIkX|ZS#LG}t2>8mOT#^QRQD7`cxSxwmT*YuZ8dZ6KV;y+E-dt*+4P_YpKjj8eH?d- zzyAKHuXEz!%WGxM9v_ZPP!c`!|7V`OvY%yQ!y=a{I*K{lbOY~NXk5B|;sI}?$?7BS zQ?{@Ca!Tl^!s@$Sa``veZK@l5=ZWq9KiBifGKOigPt{kjrHg)=KWFpxt-W7vZP**) zY5i~Fi>?icr#G}2CdllV%q$EH%`dIY&o+y2E_X9@^38S$H{i_eB3;3!$~dSvxgf~IH?Oov zyDTF(*E1m4)j!QK-N-R7-8a<2DcmWoz&pS!*o3PrGSR%qFwEc4I62(7Jf+ahIiRE{ zIkzm)xLDuF-Nmvv%FwgQ+qJ?qA`;!U%ET0tut0@$lgu2~0Qbt|jHul3!W3Ue|48$& z$W*h`@RYLLDt*^P|E#paz`%?gCkw8UVB;+J{1St*!Zde7_v`>?=WsVKlQ5?uzuaO| zeZ$=B!u0IG6w3&MG82$(isptoRl2(AMX8C!sa&CcLHQQ?K6yn^p>A#^#rehV{;8(< z8G(g~CeE&28QzJ70WOXqNtqVuIZ5H3>A?~DWdXjv2I-!aS$mw>0G+Hx(ex$ z<@wH$&aM?vmFbz`d9LQ(q1ojgmd+lfrB43dhWZ{BiK)K&Y1$cikz5MW#*6QC3VvYS zQ5~?3@k6NBf{A|v3hY(?-~7b6W#it<0xqd8ntx>4x9{z|Y!Nsm?TY=%;|DUkwzU2X zK3c!p&En!Y36;k6LEMoOCy7_jio31!@vY`@HBQ+x0U`nI;yY9ecu-v0@)G&MW= z+6~6=ciid4$E9d-XwGs)P`kdp}+0fn9 z&bypbR#?x!m*BZFo?kT~<#q7ggWqDmy0x>XY^~FK$5Z6+I&rP#_gd93{WZRcS%)n4 z=A>?O+sd8FdVg8z%!*?tw=Oi9`TFl<32jIH7oS-lJDk1wyL6@3&%jdG^5TH~K3Coy zEu;Jn=uvjQ-8Lt)IQQxcHvwSFytUW;sr~z28Fw f!*|_eB3&V~&@(5@G%w1vq{!5# zD9yFZvMkrBNW0wK)H^gOBF8Pa($G6C$09%7#e~brEGjT7J14y$z%3xGFxA&j-_0@0 z%h267B(KC&+o-tEB-P#At0*xuu^ipD%ET0tut0^BWUs99pz^E&=gJiKNQa+Bgz zpJ2nV$f}^Ik_c_b%AoQBv(TuDaz`#-KmQ^ZbIVBItngIBtPslz`Z^> ze4~87q=*6o|MW7K46tpgE-H??=|!oD#i#h!(3 zF3E-N0ft5%zWH1^C8_By$@(VA{yDDYKIJLdi5}X?&W@H`y1Kdw=@GduZbm_VfuY&C z;ZaeRP99aINd_*)X`wz5p2d}E$)&F5L9V5iS&o5RmjhS+;C^_1?=t42c`xNt+-F<$ z+?2hwJo(D1#nZpM{JOqX=k%5SdqUQ!n}5Xe-%9z-ZLnR;^%%puw3gc@tF{JfO}sSo W)!PIAxfiodZeV9(uG#6*F9!gQ=GJ}y literal 0 HcmV?d00001 
diff --git a/secrets/passwords/services/acme.age b/secrets/passwords/services/acme.age new file mode 100644 index 00000000..f73240eb --- /dev/null +++ b/secrets/passwords/services/acme.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ wr/VRSxPJd0I4JDFD9MrHkp5KFOOPxZS7m1HjSegRCw +JFCiaYNZEQJmyvW4hLCOwIq7VX3KSlmnAIoh2UhNAJY +-> ssh-ed25519 9PfEBQ dZRsqkDI9rfIvO6TpVzGWFYwPBXICkKTe5x8VXIVDGM +2uS5NUHLEWUNy9C8x06+RUdX7xQpBBfjr+01rDMbgBU +-> ssh-ed25519 s9rb8g 46cu8IBR9fma7MFs4otOWjoMXHqnbuRDM+bj4IxDVGw +/UkN3Agfceht7ChZbh+ceoUuB++mYmugd16vuLSPqxE +-> ssh-ed25519 yad4VQ Hv13vZsVZvbV2w5uNQdB8PQZCLvok2MpNVC4PPLGKUc +6NrLD1I8u0ClEtSsOb4jVVFDVzuJL9n3IW4CnA75ovA +-> NO3YbI(z-grease m4 \QIZ]> +f69xlR/avrj2Rt86RB0MfdYwgW9xOUKko5dLppsenHk +--- Af1B47mEXz4XvANBR/JACMf1lKXsgKcofVAAKPq4A9E +G[~U6 +Y7@g9۽zLb_XC9m[&c¹;.R-ļI| }tVW8/rNI4*yk?"y, 2@3 [DRPrR \ No newline at end of file diff --git a/secrets/passwords/services/data-basic-auth.age b/secrets/passwords/services/data-basic-auth.age new file mode 100644 index 0000000000000000000000000000000000000000..77558f32075ad7ddb1d008275171b70523440fb3 GIT binary patch literal 621 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT)3`lcz3RLiQEYvq~ zamw}g3MmPz%*%~%@=YuDO>wgfw)8GfPq%P2&oA>bOD%SHcjc-|bac_eB3&V{s4PFsG|$=0yxg~< zT)U*Sz#`Ah$;{Y4s@S4PJJ&IzxGXs+$tyk2D3Z%CCD^ngz%SL!CB3*bAkiz>#nYuU z+{?S%+%4GKyEMNdH#kYZ%-G$t%mCfC%ET0tut0^3uw*~)Bp0uo@_^jRE14EIvw{78^(QI>u&aUOYvy6Hu!iN&c3wkZl3T2Yz`nwmy|XJk*j?RgBVfoG#h6cWl>E`YMStbD~;o(7E=B80a#-7=Qp~(eNiIvGN z6`owWy1EJ`0mUXsrg=F?mu|6Yz~XaUxQG|{DuIFlN_CjrfZlEM~lnNzO2==^u@n4 e{i`P#7}q@(FEddT_2yICdAmht$vKn217QH2i_*OS literal 0 HcmV?d00001 diff --git a/secrets/passwords/services/nextcloud-admin.age b/secrets/passwords/services/nextcloud-admin.age new file mode 100644 index 00000000..f6c02013 --- /dev/null +++ b/secrets/passwords/services/nextcloud-admin.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ x9t/cSncNIVOU166JjWIntDJ08ar6jqEDqm2SHdIJmU +Wi1kSAfImT7O3ZHQffngy2+OK9MkcxRdTIsWj0Uvppc +-> ssh-ed25519 s9rb8g FBbDb07Wot6y7VbFtZ6p6pmdPXu61fOMXn4zobmYXn0 +9WV10AVHinYMy6DfsTbDnNuCry1lunNiL8rYlM3VAu0 +-> ssh-ed25519 yad4VQ qkqTUmEzVzMlL+MzQZ6jbuEuMMr7fmkao02BTEXz0CI +NuJBm09rWAPDAAiKCpjOvLn/lTqrjv4O8ZlNdZqaMsU +-> OPQKCjr-grease {eEXe/H n +LeU7ay4hMrv1r+ot0bHboLAzGJBQ7E02y3lMXZaMfyYd9eBh9W3iQ8Js+UZa9g9G +gODPDb4M8+UtZh3VSGHqtfJzTCrvkPjbys3CpGRz/3oZR2v5PP8 +--- JmNEtjO4ODYoLNKN2K6Di0/XwkCgq8dAEhEkrQSjBwQ +-3=tk\R|b{Kβ^KtZ`Z>QS{sԮy \ No newline at end of file diff --git a/secrets/passwords/services/ssmtp-pass.age b/secrets/passwords/services/ssmtp-pass.age new file mode 100644 index 00000000..0ae4d1f2 --- /dev/null +++ b/secrets/passwords/services/ssmtp-pass.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ BDIrYjLZNtA13rPVoIxP6W1dWF88I+CLL6pUvJ6vK0g +MeEh3+IhgF5InzslImtzfa9lvlpDzWM6u5YYfPXKhd4 +-> ssh-ed25519 9PfEBQ vaD7NtryG1+F4D520aqqzjy4nlCKed3lA+KZqDl2YGk +TNhvAb5h30I1s9t4nOwRdm0MjSSflPmS5sHbundkNTM +-> ssh-ed25519 s9rb8g xjBrIBaOJIo6wKzPzXGOtnk07jxTxooVL/0m+MIy/HE +HV2SSpBGm/zf90PEkUjkkEDpFdunF2MoYvE1F4CAqjo +-> ssh-ed25519 yad4VQ ET642EsdlhOrFWumUNg0lu2fGKCC88VkeEuATqGLuks +nPNM56yWuAVt6NWSjIswR/y0S0eSNMooz5Kfm5KRz0M +-> Djkn-grease +WAU+Og +--- v4AxWOuI+CKCiqa/71rOuE2b37ez7tJ7Q4bdsYLZ2fA +gۂf8=x]ToL:"<D&! +5q|HҌ \ No newline at end of file diff --git a/secrets/passwords/services/syncthing-basic-auth.age b/secrets/passwords/services/syncthing-basic-auth.age new file mode 100644 index 00000000..81b82e78 --- /dev/null +++ b/secrets/passwords/services/syncthing-basic-auth.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ 63BaTeRhefvCFbl7sXA7zathah0syNOsB0PjWTtCd1c +cdfHW5eOGchofdjrnY7Ze1wyFI/rBmP/OEdw8xovkTI +-> ssh-ed25519 s9rb8g n8oehnxhiyHiu3WY54SBcei+hVdmGAvNL5qpDcJYIwQ +0CCTSTWzxS6A0yLdbxkkOlv2Fh+ybIUUrAq+QPv8gII +-> ssh-ed25519 yad4VQ lbuGjXnI6dRhGPgC1ffKwkMuncqJFRF3SlLmiAMGjGA +zuQv5lIHDNhjnDYAwyZ+FvEQB48e78GsFZniHVJWWNM +-> wcaNCh-grease SaMY3 Tu|&}! xRRDg'( +hvUFh0BFX9rSu/X0SVH7baf9JZLMhOI6PSimLxLgZpXb+0pjSU3Jb1IzFSFK94PC +gK3HgTrqyzvp7qb5E1Xm0P19 +--- uzs+KId6F4ecLgEE295pBQra5JvdXRTVAZiyrIj5mr8 +&u H7Zyiæ*0ɸ{B?;e韏l"uW:짱2`BNgX2!p$ \ No newline at end of file diff --git a/secrets/passwords/ugent-mount-credentials.age b/secrets/passwords/ugent-mount-credentials.age new file mode 100644 index 00000000..939800e4 --- /dev/null +++ b/secrets/passwords/ugent-mount-credentials.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 aUd9Ng VKPLzPWI+pe5Yd/MSdHdBDuTX8rZC/+p469vEPFoXxk +98Yzz1zt1wyQgjG86118I5idbFuSuKAEkvjddC+T4fs +-> ssh-ed25519 s9rb8g BEGtkNLFNifqjGFk8qEqjuXEv+2WcDI0DRPxXtm+OCU +trMzwuQwyICXkZuA4wuVflqWFVkUb3d7meW/EpxoqfE +-> ssh-ed25519 yad4VQ 4j0mcq45zOkde4411/Dm9/A8plCsWWipTpC8oVjsBxE +yWVNOfmT0UBkZRVKrd8eK1ZXEbj0DBmUfLm3P75ue3c +-> dA-grease KK9j4 +>n>m % +ZT+0vtK8K2BUHbW13tlDNHKtMzQW4oZUOazYJ0naCCgKSRu9am9cfsm+Ul3TpafN +enO42MOQ5i00H/6KCIo+0qc4hw4kQV0 +--- hR3HgO0pfUOtWM2K4/l1OT+nIa7ZBBxSt+KWYwHEuXs +B٬INax+uğNOILu޽'󔬼Ur[5q͘r5U.";04!"6- \ No newline at end of file diff --git a/secrets/passwords/users/charlotte.age b/secrets/passwords/users/charlotte.age new file mode 100644 index 00000000..5290ce1d --- /dev/null +++ b/secrets/passwords/users/charlotte.age 
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 aUd9Ng WEsRJzdyJ2h91IjEW9qyJgdFL27slwb0bjNu2oWlOXA +ZTWFzYPh6nKz7aF4sUpQpqEEtwhv6XBDqsDeIZ5N8y8 +-> ssh-ed25519 hKAFvQ e4tF880/zOdeGMErRQgG2UrAu9qRKG7c53ZW8HFDbwA +P2PTG82mqsyCwwbkNuUEaesj8jt3zh5bQJO3cXjPZUk +-> ssh-ed25519 9PfEBQ eSTg5KgEj/Mo5bdm5KIJuhT4obRRNjHuQtINEtRujCc +WvL4uXbwESfRlv7LiSXJDcxbUmhVMgVuvfxcwn5kQoU +-> ssh-ed25519 s9rb8g hYZ3gd2LKLkVwdWBB7KIR4UeWKwF+h9k03SrkYy2EwE +VhSvTYWMcJE4tjgOqZR/qUrZqKQ7r5N+0uHGuxNyYqk +-> ssh-ed25519 yad4VQ D6MeV5YwTfPEz/YLQaxnzYr1LFq5RnVTsYln1uQMaUc +btZV3uKDahlmR1oSlJtRRuO8pbWYW8KqaHSAxRO0roc +-> ]V-grease 7lw %=7"61= R:.zkVJ: + +--- Qjis1vuiXUaYlXuArvVJT7At/jQlGxYMNL+fxAlSGG8 +Z&@tbʄۣ =RXu@X1 ?P~M΄F4{@Z0$Q&kf'{!# SygxHV=Dܦ<[e \ No newline at end of file diff --git a/secrets/passwords/users/root.age b/secrets/passwords/users/root.age new file mode 100644 index 00000000..05e765d7 --- /dev/null +++ b/secrets/passwords/users/root.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 aUd9Ng 8n1tz2i+HxzSliHHBHc+kmgpWbbNgCppLrEN0P+9DFQ +hE3bzq0j5gxNdk8VmYQypxjT+da8jRLIkUR3GP+4DnU +-> ssh-ed25519 hKAFvQ M9Ju7grYMVOKxLjYVP3GGvV4rYT6F3VfDLI8EhsIEyQ +Slkggok27UFcYpKyEO1m4UMiJm/lp7CxVRmx4kQxqlg +-> ssh-ed25519 9PfEBQ bf4KuUS1ep4Gk3fDmG78I2FcEh848++jRE71CYIQIRg +Wldrb1cqj3/8vOITln7X8KtC+CTljsj0WY7knNySeQg +-> ssh-ed25519 s9rb8g Gp2mA+WShFq16ZYU8fImzqAJ96HZSv4MnT0tZ8RmyAM +t8tIVz/PYgkAuCnmaoBzdNN7Eedk47pXN62fLnvCkvQ +-> ssh-ed25519 yad4VQ 5oHcwG9X9fQ/I1gkCFP0bR9X1dlugq+XLhNChahcD18 +M2+r0JfRNooc3bOPMtbae7RMJMvmdeFgvwFc9eNaJHs +-> E:Oz-grease Ehb$" +oL5+EmXX4BIy3ug9u4HrEOoCtO8aNMu70KjMWQqOqwkuk4t81DoG28+/ruew+a5m +zcEsAb1gDFJb+usuVPF37nijiR8 +--- v4M0JQCd5ST1rzXfkpfgHfibXDN7EZ3/3VnYXnT23tY +#vtz