nix-serve: port secrets to sops

Colin 2022-06-08 16:27:35 -07:00
parent e188db9344
commit 46b0f10b9d
3 changed files with 11 additions and 8 deletions


@ -1,12 +1,15 @@
# docs: https://nixos.wiki/wiki/Binary_Cache
# to copy something to this machine's nix cache, do:
# nix copy --to ssh://nixcache.uninsane.org PACKAGE
{ secrets, ... }:
{ config, ... }:
{
services.nix-serve = {
enable = true;
secretKeyFile = builtins.toFile "nix-serve-priv-key.pem" secrets.nix-serve.cache-priv-key;
# "/var/cache-priv-key.pem";
secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
};
sops.secrets.nix_serve_privkey = {
sopsFile = ../../../secrets/uninsane.yaml;
};
}
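Review bot: The key that the old `secretKeyFile = builtins.toFile "nix-serve-priv-key.pem" secrets.nix-serve.cache-priv-key;` line wrote into the world-readable /nix/store is not dealt with by this change, and it stays readable there until that store path is garbage-collected. Nothing visible here shows whether `nix_serve_privkey` is a newly generated key; if it is the same one, it should be regenerated and the matching public key redistributed to the cache's clients. The new `sops.secrets.nix_serve_privkey` block sets only `sopsFile`, so ownership and permissions fall back to the sops-nix defaults; explicit `owner`/`mode` lines, or a comment such as `# read by the nix-serve unit; relies on sops-nix default owner/mode`, would make clear which account is expected to read the file. The leftover `# "/var/cache-priv-key.pem";` comment no longer describes the configuration and can be dropped.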


@ -9,7 +9,4 @@
# keep this synchronized with the dovecot auth
matrix-synapse.smtp_pass = "<REPLACEME>";
# generate with nix-store --generate-binary-cache-key nixcache.uninsane.org cache-priv-key.pem cache-pub-key.pem
nix-serve.cache-priv-key = "<REPLACEME>";
} // import ./local.nix


@ -12,6 +12,9 @@ wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2H
#ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
#ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
#ENC[AES256_GCM,data:1zQ8X9W4ZGquYEjEsN8YNLhwBt6kaRCKYMjM8GiZbKzsaqwt/cFk+4cC85+QKWF0FNlX38Uba7bI2FvC8fTIO8eoZ5VymJ9Du3NcExE1976FSIze44FhtkSKQkm/vQw5cb2sPNKBGFLSNV/IpdPu,iv:xwv2+Fns0k2STkS760v9p1XZ5s2HAz3wLb8xyIOGTGA=,tag:OGtHxQgyWxGKtg5I9nJAag==,type:comment]
nix_serve_privkey: ENC[AES256_GCM,data:JlLuslwyjKARo3Mo36SeRz6ctVuV+jzDMXACekaGs/UjP+Jm8PoxZsWjMcN+qq0tJB9xGMfi7TKHDi+XnK2k60h+7+yDyeqJQfjID6axMYmgxYUivq4CugutFVB27FmDPljUs2M7CRqe1IHrdjc=,iv:1iQVr9rP80hHCRSVD95KW7bpOWj3oZReJAvqa9TllJ8=,tag:6DDGtHF4suOyy2kcnqSDsQ==,type:str]
#ENC[AES256_GCM,data:cyptbs4VfXY4P4+W5e2LRZOHkpqvWzn2JEpV80w8cIaQ0lTZa/Hg7IwDNQcsYobmBFO2yLrKawHDKlDos2fMy0KgIhUrw4f8WksxdC06oMqS0mDtgA==,iv:StB34bvA8GWR+7nwOOpsiJ3yqGgeSg5frAgRMhff8nw=,tag:b1LYFzII2Ik1nmGXxgMZuw==,type:comment]
sops:
kms: []
gcp_kms: []
@ -45,8 +48,8 @@ sops:
U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-08T22:19:57Z"
mac: ENC[AES256_GCM,data:is+X0WOPSehNSjHzMInBtn0Sjzv11SDWL+JMc5Pj0i0GsM8ogSlpPCEsi0HiTMSnEZIvMQf83WRe7oRymUDPdmkz0XRGTBYuLGAd/IOMKEeKe8L8+kDeiWu6d9XgA5TaNxEdj0xUYZ4sC/PZo0pG/NuzMOeTtzK8WFOTy69R+oM=,iv:LnHLL0sucI0NeQu9waHV23/HHZCbk2kTXYq0sPC1n0o=,tag:abLJvbCZeYHl8/2rb/aVGA==,type:str]
lastmodified: "2022-06-08T23:22:55Z"
mac: ENC[AES256_GCM,data:jFaqskot1Zft5qKoJpaz/0sDSDldw7wIJi4DuUapgVLKKhTxb+gu8FM77bF8yxLqDdAWD2rOQFakFohPFeSLoKXRtVsJi5nrl8dPXdSmcbw7fvaFpeGVY3mX9EoSXyh7aS1lwllvpg0A4bXWaj6VfNbb3NIyXzuGpioVjY5PgXo=,iv:dmGSTtHeCyjQHkaM7oO9WhZSWwSXL2UD5HXm4PMMYsA=,tag:8qyb6RiYj77Hz614t/qGCg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3