From 7991d3365071c4bd216a18be9ea7e30702964d83 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Sat, 11 Dec 2021 13:20:55 +0800
Subject: [PATCH] Add secret files in the public

Was initially afraid of how age is secure for the publicly showing secret files (even if encrypted). We'll start with something simple for now.
---
 README.adoc | 3 +++
 secrets/README.adoc | 5 +++++
 secrets/archive/borgmatic.json | Bin 0 -> 1847 bytes
 secrets/archive/password | Bin 0 -> 518 bytes
 secrets/secrets.nix | 16 ++++++++++++++++
 5 files changed, 24 insertions(+)
 create mode 100644 secrets/README.adoc
 create mode 100644 secrets/archive/borgmatic.json
 create mode 100644 secrets/archive/password
 create mode 100644 secrets/secrets.nix
diff --git a/README.adoc b/README.adoc
index 15e8cd70..340c9ba0 100644
--- a/README.adoc
+++ b/README.adoc
@@ -36,6 +36,7 @@ nixos-config
 ├── lib/
 ├── modules/
 ├── pkgs/
+├── secrets/
 ├── users/
 ├── flake.lock
 ├── flake.nix
@@ -52,6 +53,8 @@ For more information, see the link:./modules/README.adoc[related documentation].
 * link:./pkgs/[`./pkgs/`] contains my custom packages.
 It is exported in the flakes at `outputs.packages` compiled through various systems.
 
+* link:./secrets/[`./secrets/`] contains my secrets managed with link:https://github.com/ryantm/agenix[agenix].
+
 * link:./users/[`./users/`] contains my link:https://github.com/nix-community/home-manager[home-manager] configurations and modules.
 It is exported in the flakes at `outputs.homeConfigurations`.
 For more information, see the link:./users/README.adoc[related documentation].
diff --git a/secrets/README.adoc b/secrets/README.adoc
new file mode 100644
index 00000000..aff0d253
--- /dev/null
+++ b/secrets/README.adoc
@@ -0,0 +1,5 @@
+= Secrets
+:toc:
+
+My secret files in public!
+This is managed through link:https://github.com/ryantm/agenix[agenix] (thus, uses the link:https://github.com/FiloSottile/age[age encryption tool]).
diff --git a/secrets/archive/borgmatic.json b/secrets/archive/borgmatic.json new file mode 100644 index 0000000000000000000000000000000000000000..3e15605832b8ff2a4ccbc9c7f4b0bcf0acfb9365 GIT binary patch literal 1847 zcmV-72gvwgXJsvAZewzJaCB*JZZ2I1|G;dZnL~ja5cP}O-Xe(XgD}pP(^HOOEh75azRN+QFu;mOKWOtc`|W0R&7mc zM{^2fc|}1)XG&O2GIv)&NHkV3a87kOLuF(yW@SrRYdA=7QE6*8N<=hND{~4hJ|KHj zFnvWgEoX9NVRL05T0UYjKOkgjAVyzPeNzf6GiGLOQBQUDRmMn^$NadS9U zb22hka!GYgc|m9^RYxy5O>1OwI8$mXYF9y1PD5c>Vp>sAV^nJjbU9^dZ8dK&M_Fw~ zYHN3GQDj3?MQl(xXKqGkW@j}*H)MB6S9xo63N0-yAVow=Wp-C~Y(-XNVlQ=Ab4F%w zQ#C7AYhp!MOl(nDNm^@fS5r1ZZee3M3SgCZ2m|}-c>Jr!ixKg6i#w(EDxL~IT0fMt z2S^dVp>1Entx^O=;)|-O+}WAXa|^rir~zc`Zky{>VDTbsB}CJOk=1@iJtvVf=H*et z;|0>~MxgW?04)%qZX|eeau?|Q9}OY1tkU5tUA6bPu)t%erJIHu-2%p^Zar!cN;IKd z4-<-3NT-eG|7pnz=~3rkeW>qK*wW;xUou9u8ey{MFq(680!59Q2Ttm0mBfB}s3Ux@ zpb&nj0*p|#4d3mk-V#<8{AED*loZ&@l$u%36o~;b6~J~SNkG03ez;d@^kl`crg0`b z+2nDLIwQjj5`M?ee*;Up31duU-0xkef421{rTXW5;`QJpe5ueQI7zrBE(>H7kgWw^ zxokxQkX?Z zEn16dDgSYc5v3g7j@Xuc9>LEhCMCr!s~^^jRj?|eQc@KGzsZzYIFtK1N%D9X!qEHEof3`pP2F~h;o z6>2Ov@Jna3+U1P_>)PJ}nB#X=IO__>_IYa}U)T&Yp)&uas#NEt4U^>5LLv4M2_jmS zF&~HX>B+PfMOTB+HFlO&7IJTdN6UD&Fkr~Ogvv+J zZFSg4*ahT2DS3$l!sqvVe7IkbR_HU#NcMf}H(1NjX|JknXdX*RZF3M~#vh^5@hs+w zx{Guu*z{Y_cOe08q@iY~>mF|}Bni=%;zzGuxO&gAT6@A?6{PKcx!(!hu)IY1zH<~} zd%nCFx(z`hg1@%MHn{3 zn^F(C1o1^<_Q|4Uf&QjhuLlRmYt{;Ib_-9Hq^i2SUiz822 zuK)f@cd^HB_(o}7_kiGuB%tq=q*bCqfZfOrL3c`=^seH?fDd%Fpe5JP~vhDn6fm~H?Gt?dAJda>lZju z&XH2S6BTgXAc7gkuS&O5_{FcrI=6`s+c*7RfpVGTx6`)@9z9kusLYsZwvyWd@w`N{ l8i>0Zt#31Rv>Jhb7)5M_8oF+sv|r(Q8EJYsBau_;{eo!lFMa?3 literal 0 HcmV?d00001 
diff --git a/secrets/archive/password b/secrets/archive/password new file mode 100644 index 0000000000000000000000000000000000000000..fb261cbe7c46f7bb6514f575c1bfa47af0d1fd30 GIT binary patch literal 518 zcmZ9|xr)?a007_x1tD0AW!T1Ih`BbI1Vo%}1{gMmd3by|~1V{}oooWQS5bd!hc5Hh7Yj|chsh&ql2IOyvca4MRD z9q>(aVQ5GCm}-%zk3rGtZWV5Mr4oo%o0|%^U5wgY)g+~5G8M5jMjg(9i&`McU7Dee z9Yda-26~)<;b3Z?xRIwhJC_rt4Nj0lA@aOhmdP@g5H-11C6X>pCrxAV-NA4<61erc zV2^DPifRm5$!O!g*0#=njZ*HoQnQa`O&Yc-V(DZ|a2~h7)2dQBb3(a+E#oW&=AMxu z7>1$1jdyBO)G8ln&U6K5U`9+he=Cl;I$}~q2af%(kJ&&I`M4MDzU&w6-sfA79$u#( z<7dx{OTTWwtAE%lr^u_P{7)qK{^7y1-%ph@XV>n-7vK8f+jrKJ Gmwy2R|FS&* literal 0 HcmV?d00001
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 00000000..af0d9416
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,16 @@
+let
+ system1 =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG42LafAFOeh3oYz/cm6FXes0ss59/EOCXpGsYvhpI21";
+
+ user1 =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMclb6WPpYRoMVqCCzQcG2XQHczB6vaIEDIHqjVsyQJi";
+ user2 =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhrzY7tD0ZiGoA6nnfVxRQVQox0votQ2fuHz78LjNUD";
+ user3 =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIytwsseYS6kV8ldiUV767C2Gy7okxckdDRW4aA3q/Ku";
+ user4 =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtn+t2D7clY1U1rzKcSCBJjNbuJzbRArEiM3soyFcnv";
+in {
+ "archive/password".publicKeys = [ system1 user3 user4 ];
+ "archive/borgmatic.json".publicKeys = [ system1 user3 user4 ];
+}
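Review bot: The recipient bindings in the `let` block of `secrets/secrets.nix` are opaque (`system1`, `user1` to `user4`), and `user1` and `user2` appear in neither `publicKeys` list, so a reader cannot tell which host or person can decrypt `archive/password` and `archive/borgmatic.json`, or whether two recipients were left out by mistake. I would add a one-line comment per key naming its owner and purpose, either use or drop the unused bindings, and share the repeated list through one binding such as `archiveRecipients = [ system1 user3 user4 ];`. Because the ciphertexts are now published, removing a recipient and rekeying later does not withdraw access to the copies already in history, so a comment above the attribute set such as `# Rotate the underlying secret, not just the recipients, when a key is retired or leaked.` would record that for whoever maintains the list.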