Handle secrets using agenix

2021-08-09 01:10:51 +01:00
parent 88a7394651
commit f5b58f97ca
6 changed files with 30 additions and 3 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -100,6 +100,12 @@
    dates = "14:00";
  };

+  # Specify secrets
+  age.secrets = {
+    soundcloud_api_key.file = secrets/soundcloud_api_key.age;
+    wireguard.file = secrets/wireguard.age;
+  };
+
  # Import other configuration modules
  imports = [
    ./modules/hardware-configuration.nix
--- a/modules/audio.nix
+++ b/modules/audio.nix
@@ -64,7 +64,7 @@

      [soundcloud]
      enabled = true
-      auth_token = PLACEHOLDER
+      auth_token = ${config.age.secrets.soundcloud_api_key.path}
      explore_songs = 100

      [m3u]
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -19,7 +19,7 @@
  networking.wg-quick.interfaces = {
    home = {
      address = [ "10.8.0.2/32" ];
-      privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
+      privateKeyFile = config.age.secrets.wireguard.path;
      dns = [ "10.8.0.1" ];
      peers = [
        # zion
@@ -32,7 +32,7 @@
    };
    coace = {
      address = [ "10.9.0.2/32" ];
-      privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
+      privateKeyFile = config.age.secrets.wireguard.path;
      peers = [
        # unit
        {
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+  coolneng =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC57m1j/G6iQyi2EpU3nj3+df5Z4PL/XbiOmDcqA7ODg";
+in {
+  "soundcloud_api_key.age".publicKeys = [ coolneng ];
+  "wireguard.age".publicKeys = [ coolneng ];
+}
--- a/secrets/soundcloud_api_key.age
+++ b/secrets/soundcloud_api_key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5UUhw tVGNxVkibTRSr8c2l7Wmo3pMhnyI6JHBZzddC93sv2E
+0NOlI4vaBZz+Wg7LDji6CRrNsBPVhQ5rFyjPUe+ekg0
+-> *NFvF-grease b1zp>
+TIRHkh0
+--- Y9Rt0ibteW6VSuzIGt4EenoFoOmRnvIUeFbJkqkL5m4
+P<><50>}<7D><>7<EFBFBD>}t<><74>vː|T[c#ib<69>C<EFBFBD><43>i|<7C>ε?%%ؼ<>l<><6C>D<EFBFBD><44>ɱ<><18>r<EFBFBD>I<EFBFBD>y,Z{<7B><>_
--- a/secrets/wireguard.age
+++ b/secrets/wireguard.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5UUhw ORYEDFD+GUYWiTOhOgjFNa/SQ7DGPIdDFXTUnYkjKUg
+4oM7eE8cg15T8gbHBNOa/oB97SCaSANd7/7vM6+EbNc
+-> ",?]B-grease #sF Zg_{'
+P+bwL7YflfWA4f9LRIM
+--- O+3vZIjCS6xIQwO/fwmdfeMcFqBCpQWTe9UltdlXx5o
+9ߢ<EFBFBD>]?<3F><18>w><17><><EFBFBD><EFBFBD>ͯ<EFBFBD>8sn<73><6E><EFBFBD>"_<01><><EFBFBD><EFBFBD>@4<>w<EFBFBD>c<11><04><>W<10><>N<EFBFBD><4E><EFBFBD><EFBFBD>x<19>e<EFBFBD>~<7E>O<EFBFBD><4F><EFBFBD><EFBFBD>P<EFBFBD>!<21>~1<><31>>