Handle secrets using agenix

2021-08-09 01:10:51 +01:00 · 2021-08-09 01:10:51 +01:00 · f5b58f97ca
parent 88a7394651
commit f5b58f97ca
6 changed files with 30 additions and 3 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -100,6 +100,12 @@
    dates = "14:00";
  };

+  # Specify secrets
+  age.secrets = {
+    soundcloud_api_key.file = secrets/soundcloud_api_key.age;
+    wireguard.file = secrets/wireguard.age;
+  };
+
  # Import other configuration modules
  imports = [
    ./modules/hardware-configuration.nix
--- a/modules/audio.nix
+++ b/modules/audio.nix
@ -64,7 +64,7 @@

      [soundcloud]
      enabled = true
-      auth_token = PLACEHOLDER
+      auth_token = ${config.age.secrets.soundcloud_api_key.path}
      explore_songs = 100

      [m3u]
--- a/modules/networking.nix
+++ b/modules/networking.nix
@ -19,7 +19,7 @@
  networking.wg-quick.interfaces = {
    home = {
      address = [ "10.8.0.2/32" ];
-      privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
+      privateKeyFile = config.age.secrets.wireguard.path;
      dns = [ "10.8.0.1" ];
      peers = [
        # zion
@ -32,7 +32,7 @@
    };
    coace = {
      address = [ "10.9.0.2/32" ];
-      privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
+      privateKeyFile = config.age.secrets.wireguard.path;
      peers = [
        # unit
        {
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,7 @@
+let
+  coolneng =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC57m1j/G6iQyi2EpU3nj3+df5Z4PL/XbiOmDcqA7ODg";
+in {
+  "soundcloud_api_key.age".publicKeys = [ coolneng ];
+  "wireguard.age".publicKeys = [ coolneng ];
+}
--- a/secrets/soundcloud_api_key.age
+++ b/secrets/soundcloud_api_key.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5UUhw tVGNxVkibTRSr8c2l7Wmo3pMhnyI6JHBZzddC93sv2E
+0NOlI4vaBZz+Wg7LDji6CRrNsBPVhQ5rFyjPUe+ekg0
+-> *NFvF-grease b1zp>
+TIRHkh0
+--- Y9Rt0ibteW6VSuzIGt4EenoFoOmRnvIUeFbJkqkL5m4
+P隝}ｫｮ7ｩ}t逋vﾋ酢T[c#ibｶC<EFBDB6>i|ｶﾎｵ?%%ﾘｼ｣lｯﾆDｱﾜﾉｱｭ羊･Iｪy,Z{｣､_
--- a/secrets/wireguard.age
+++ b/secrets/wireguard.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5UUhw ORYEDFD+GUYWiTOhOgjFNa/SQ7DGPIdDFXTUnYkjKUg
+4oM7eE8cg15T8gbHBNOa/oB97SCaSANd7/7vM6+EbNc
+-> ",?]B-grease #sF Zg_{'
+P+bwL7YflfWA4f9LRIM
+--- O+3vZIjCS6xIQwO/fwmdfeMcFqBCpQWTe9UltdlXx5o
+9ß¢Æ]?ÛÉw>“•¾ÓÍ¯®8sn‰òæ"_üªŸÄ@4˜w÷c¬‡¯W¯øNžñ¶Øxšeª~ËOƒ±<C692>ŽPà!„~1ôú>