diff --git a/hosts/ni/default.nix b/hosts/ni/default.nix
index 0fa7f34d..57d79e47 100644
--- a/hosts/ni/default.nix
+++ b/hosts/ni/default.nix
@@ -31,7 +31,7 @@
 };
 
 services.openssh.hostKeys = [{
- path = config.sops.secrets."ni/ssh-key".path;
+ path = config.sops.secrets."ssh-key".path;
 type = "ed25519";
 }];
 
@@ -53,7 +53,7 @@
 };
 
 sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
- "ni/ssh-key" = { };
+ "ssh-key" = { };
 };
 
 sops.age.keyFile = "/var/lib/sops-nix/key.txt";
diff --git a/hosts/ni/modules/wireguard.nix b/hosts/ni/modules/wireguard.nix
index 0dfef1c1..bedc218a 100644
--- a/hosts/ni/modules/wireguard.nix
+++ b/hosts/ni/modules/wireguard.nix
@@ -27,15 +27,15 @@ in
 {
 networking.firewall.allowedUDPPorts = [ wireguardPort ];
 sops.secrets = lib.getSecrets ../secrets/secrets.yaml {
- "ni/wireguard/private-key" = { };
- "ni/wireguard/preshared-keys/plover" = { };
- "ni/wireguard/preshared-keys/phone" = { };
+ "wireguard/private-key" = { };
+ "wireguard/preshared-keys/plover" = { };
+ "wireguard/preshared-keys/phone" = { };
 };
 }
 
 (lib.mkIf config.networking.networkmanager.enable {
 networking.wg-quick.interfaces.wireguard0 = {
- privateKeyFile = config.sops.secrets."ni/wireguard/private-key".path;
+ privateKeyFile = config.sops.secrets."wireguard/private-key".path;
 listenPort = wireguardPort;
 dns = with interfaces.lan; [ IPv4.address IPv6.address ];
 postUp =
@@ -57,7 +57,7 @@ in
 # The "server" peer.
 {
 publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover);
- presharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path;
+ presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
 allowedIPs = wireguardAllowedIPs;
 endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
 persistentKeepalive = 25;
@@ -66,7 +66,7 @@ in
 # The "phone" peer.
 {
 publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone);
- presharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path;
+ presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
 allowedIPs = wireguardAllowedIPs;
 }
 ];
@@ -86,9 +86,9 @@ in
 secretPaths;
 in
 applySystemdAttr [
- "ni/wireguard/private-key"
- "ni/wireguard/preshared-keys/phone"
- "ni/wireguard/preshared-keys/plover"
+ "wireguard/private-key"
+ "wireguard/preshared-keys/phone"
+ "wireguard/preshared-keys/plover"
 ];
 
 systemd.network = {
@@ -99,7 +99,7 @@ in
 };
 
 wireguardConfig = {
- PrivateKeyFile = config.sops.secrets."ni/wireguard/private-key";
+ PrivateKeyFile = config.sops.secrets."wireguard/private-key";
 ListenPort = wireguardPort;
 };
 
@@ -107,7 +107,7 @@ in
 # The "server" peer.
 {
 PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover;
- PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path;
+ PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
 AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
 Endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
 PersistentKeepalive = 25;
@@ -116,7 +116,7 @@ in
 # The "phone" peer.
 {
 PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone;
- PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path;
+ PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
 AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
 }
 ];
diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index ca857c8c..a20b6971 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
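Review bot: The `PrivateKeyFile` line in the `@@ -99,7 +99,7 @@` hunk of hosts/ni/modules/wireguard.nix assigns the whole `config.sops.secrets."wireguard/private-key"` attribute set instead of its `.path`, so the systemd-networkd netdev `wireguardConfig` receives an attribute set where a file path string is expected; the omission is inherited from the old line rather than introduced here, but the rename is the natural moment to fix it, and I would expect the module's option type to reject the value at evaluation. Every other secret reference in this file (the wg-quick `privateKeyFile` and both `PresharedKeyFile` lines) and the matching `PrivateKeyFile` in hosts/plover/modules/services/wireguard.nix end in `.path`. Suggested: `PrivateKeyFile = config.sops.secrets."wireguard/private-key".path;`. The enclosing `systemd.network` netdev definition starts and ends outside the hunk.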
@@ -75,13 +75,13 @@ in
 };
 
 sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
- "plover/ssh-key" = { };
- "plover/lego/env" = { };
+ "ssh-key" = { };
+ "lego/env" = { };
 
- "plover/borg/repos/host/patterns/keys" = { };
- "plover/borg/repos/host/password" = { };
- "plover/borg/repos/services/password" = { };
- "plover/borg/ssh-key" = { };
+ "borg/repos/host/patterns/keys" = { };
+ "borg/repos/host/password" = { };
+ "borg/repos/services/password" = { };
+ "borg/ssh-key" = { };
 };
 
 # All of the keys required to deploy the secrets.
@@ -100,7 +100,7 @@ in
 email = "admin+acme@foodogsquared.one";
 dnsProvider = "rfc2136";
 dnsResolver = "1.1.1.1";
- credentialsFile = config.sops.secrets."plover/lego/env".path;
+ credentialsFile = config.sops.secrets."lego/env".path;
 };
 
 # Enable generating new DH params.
@@ -108,7 +108,7 @@ in
 
 # !!! The keys should be rotated at an interval here.
 services.openssh.hostKeys = [{
- path = config.sops.secrets."plover/ssh-key".path;
+ path = config.sops.secrets."ssh-key".path;
 type = "ed25519";
 }];
 
@@ -148,7 +148,7 @@ in
 yearly = 6;
 };
 startAt = "monthly";
- environment.BORG_RSH = "ssh -i ${config.sops.secrets."plover/borg/ssh-key".path}";
+ environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/ssh-key".path}";
 };
 
 borgRepo = path: "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/plover/${path}";
@@ -158,10 +158,10 @@ in
 # acceptable for it to be backed up monthly.
 host-backup = jobCommonSettings {
 patternFiles = [
- config.sops.secrets."plover/borg/repos/host/patterns/keys".path
+ config.sops.secrets."borg/repos/host/patterns/keys".path
 ];
 repo = borgRepo "host";
- passCommand = "cat ${config.sops.secrets."plover/borg/repos/host/password".path}";
+ passCommand = "cat ${config.sops.secrets."borg/repos/host/password".path}";
 };
 
 # Backups for various services.
@@ -172,13 +172,13 @@ in
 "/var/lib/acme"
 ];
 repo = borgRepo "services";
- passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}";
+ passCommand = "cat ${config.sops.secrets."borg/repos/services/password".path}";
 } // { startAt = "weekly"; };
 };
 
 programs.ssh.extraConfig = ''
 Host ${hetzner-boxes-server}
- IdentityFile ${config.sops.secrets."plover/borg/ssh-key".path}
+ IdentityFile ${config.sops.secrets."borg/ssh-key".path}
 '';
 
 system.stateVersion = "23.05";
diff --git a/hosts/plover/modules/services/bind.nix b/hosts/plover/modules/services/bind.nix
index 4862d9e9..d9c35e8a 100644
--- a/hosts/plover/modules/services/bind.nix
+++ b/hosts/plover/modules/services/bind.nix
@@ -60,9 +60,9 @@ in
 };
 in
 lib.getSecrets ../../secrets/secrets.yaml {
- "plover/dns/${domain}/mailbox-security-key" = dnsFileAttribute;
- "plover/dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
- "plover/dns/${domain}/rfc2136-key" = dnsFileAttribute // {
+ "dns/${domain}/mailbox-security-key" = dnsFileAttribute;
+ "dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
+ "dns/${domain}/rfc2136-key" = dnsFileAttribute // {
 reloadUnits = [ "bind.service" ];
 };
 };
@@ -138,7 +138,7 @@ in
 '';
 
 extraConfig = ''
- include "${config.sops.secrets."plover/dns/${domain}/rfc2136-key".path}";
+ include "${config.sops.secrets."dns/${domain}/rfc2136-key".path}";
 acl trusted { ${lib.concatStringsSep "; " (clientNetworks ++ serverNetworks)}; localhost; };
@@ -186,7 +186,7 @@ in
 let
 domainZone' = zoneFile domain;
 fqdnZone' = zoneFile fqdn;
- secretPath = path: config.sops.secrets."plover/dns/${path}".path;
+ secretPath = path: config.sops.secrets."dns/${path}".path;
 in lib.mkAfter '' [ -f '${domainZone'}' ] || { install -Dm0600 '${domainZone}' '${domainZone'}'
diff --git a/hosts/plover/modules/services/gitea.nix b/hosts/plover/modules/services/gitea.nix
index 9ccffb2c..69b9ab90 100644
--- a/hosts/plover/modules/services/gitea.nix
+++ b/hosts/plover/modules/services/gitea.nix
@@ -12,8 +12,8 @@ let
 in
 {
 sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
- "plover/gitea/db/password".owner = giteaUser;
- "plover/gitea/smtp/password".owner = giteaUser;
+ "gitea/db/password".owner = giteaUser;
+ "gitea/smtp/password".owner = giteaUser;
 };
 
 services.gitea = {
@@ -21,7 +21,7 @@ in
 appName = "foodogsquared's code forge";
 database = {
 type = "postgres";
- passwordFile = config.sops.secrets."plover/gitea/db/password".path;
+ passwordFile = config.sops.secrets."gitea/db/password".path;
 };
 
 # Allow Gitea to take a dump.
@@ -33,7 +33,7 @@ in
 # There are a lot of services in port 3000 so we'll change it.
 lfs.enable = true;
- mailerPasswordFile = config.sops.secrets."plover/gitea/smtp/password".path;
+ mailerPasswordFile = config.sops.secrets."gitea/smtp/password".path;
 
 # You can see the available configuration options at
 # https://docs.gitea.io/en-us/config-cheat-sheet/.
diff --git a/hosts/plover/modules/services/portunus.nix b/hosts/plover/modules/services/portunus.nix
index 0132400c..427e74c2 100644
--- a/hosts/plover/modules/services/portunus.nix
+++ b/hosts/plover/modules/services/portunus.nix
@@ -9,7 +9,7 @@ let
 in
 {
 sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
- "plover/ldap/users/foodogsquared/password".owner = portunusUser;
+ "ldap/users/foodogsquared/password".owner = portunusUser;
 };
 
 services.portunus = {
@@ -51,7 +51,7 @@ in
 ../../../../users/home-manager/foo-dogsquared/files/ssh-key.pub
 ../../../../users/home-manager/foo-dogsquared/files/ssh-key-2.pub
 ];
- password.from_command = [ "${pkgs.coreutils}/bin/cat" config.sops.secrets."plover/ldap/users/foodogsquared/password".path ];
+ password.from_command = [ "${pkgs.coreutils}/bin/cat" config.sops.secrets."ldap/users/foodogsquared/password".path ];
 }
 ];
 };
diff --git a/hosts/plover/modules/services/vaultwarden.nix b/hosts/plover/modules/services/vaultwarden.nix
index 9c253cee..56284033 100644
--- a/hosts/plover/modules/services/vaultwarden.nix
+++ b/hosts/plover/modules/services/vaultwarden.nix
@@ -13,13 +13,13 @@ let
 in
 {
 sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
- "plover/vaultwarden/env".owner = vaultwardenUser;
+ "vaultwarden/env".owner = vaultwardenUser;
 };
 
 services.vaultwarden = {
 enable = true;
 dbBackend = "postgresql";
- environmentFile = config.sops.secrets."plover/vaultwarden/env".path;
+ environmentFile = config.sops.secrets."vaultwarden/env".path;
 config = {
 DOMAIN = "https://${passwordManagerDomain}";
diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index 2dd914a7..5a5cd052 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@@ -25,9 +25,9 @@ in
 };
 in
 lib.getSecrets ../../secrets/secrets.yaml {
- "plover/wireguard/private-key" = systemdNetworkdPermission;
- "plover/wireguard/preshared-keys/ni" = systemdNetworkdPermission;
- "plover/wireguard/preshared-keys/phone" = systemdNetworkdPermission;
+ "wireguard/private-key" = systemdNetworkdPermission;
+ "wireguard/preshared-keys/ni" = systemdNetworkdPermission;
+ "wireguard/preshared-keys/phone" = systemdNetworkdPermission;
 };
 
 networking.firewall = {
@@ -67,7 +67,7 @@ in
 };
 
 wireguardConfig = {
- PrivateKeyFile = config.sops.secrets."plover/wireguard/private-key".path;
+ PrivateKeyFile = config.sops.secrets."wireguard/private-key".path;
 ListenPort = wireguardPort;
 };
 
@@ -76,7 +76,7 @@ in
 {
 wireguardPeerConfig = {
 PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni;
- PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/ni".path;
+ PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/ni".path;
 AllowedIPs = lib.concatStringsSep "," desktopPeerAddresses;
 };
 }
@@ -85,7 +85,7 @@ in
 {
 wireguardPeerConfig = {
 PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone;
- PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/phone".path;
+ PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
 AllowedIPs = lib.concatStringsSep "," phonePeerAddresses;
 };
 }