nixos/modules/server-age-secrets.nix
Simon Gardling 3da843c3ff
fix secrets
2026-05-05 12:40:11 -04:00
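{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:
# NixOS module declaring every agenix secret used by the server host.
#
# Conventions in this file:
#   * Each secret is owner-readable only (0400) unless a second consumer
#     genuinely needs it, in which case the mode is widened to 0440 and the
#     reason is stated next to the entry.
#   * No secret ever needs the execute bit; a mode of 0500 on an env file is
#     a mistake, not a requirement.
#   * When `owner`/`group` are omitted, agenix's defaults (root:root) apply.
#   * With a 0400 mode the group bits are zero, so the `group` attribute has
#     no effect on who can read the file; it is kept only as documentation of
#     the intended consumer.
{
  imports = [
    inputs.agenix.nixosModules.default
  ];

  # Configure all agenix secrets
  age.secrets = {
    # ZFS encryption key
    # path is set to /etc/zfs-key to match the ZFS dataset keylocation property
    zfs-key = {
      file = ../secrets/server/zfs-key.age;
      mode = "0400";
      owner = "root";
      group = "root";
      path = "/etc/zfs-key";
    };

    # Secureboot keys archive
    secureboot-tar = {
      file = ../secrets/server/secureboot.tar.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # System passwords
    hashedPass = {
      file = ../secrets/server/hashedPass.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # Service authentication
    caddy_auth = {
      file = ../secrets/server/caddy_auth.age;
      mode = "0400";
      owner = "caddy";
      group = "caddy";
    };

    # Njalla API token (NJALLA_API_TOKEN=...) for Caddy DNS-01 challenge
    njalla-api-token-env = {
      file = ../secrets/server/njalla-api-token-env.age;
      mode = "0400";
      owner = "caddy";
      group = "caddy";
    };

    # ddns-updater config.json with Njalla provider credentials
    ddns-updater-config = {
      file = ../secrets/server/ddns-updater-config.age;
      mode = "0400";
      owner = "ddns-updater";
      group = "ddns-updater";
    };

    # Jellyfin API key. Root-owned; the consumer is not visible from this
    # module — presumably read by a root-run job or via LoadCredential.
    # TODO confirm which service reads it and tighten ownership if possible.
    jellyfin-api-key = {
      file = ../secrets/server/jellyfin-api-key.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # slskd environment file, owned by the slskd service user/group taken
    # from the slskd module config so it tracks any rename there.
    # Was 0500; the execute bit is not needed to read an env file and is
    # dropped so the secret matches the 0400 convention used elsewhere here.
    slskd_env = {
      file = ../secrets/server/slskd_env.age;
      mode = "0400";
      owner = config.services.slskd.user;
      group = config.services.slskd.group;
    };

    # Network configuration
    wg0-conf = {
      file = ../secrets/server/wg0.conf.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # ntfy-alerts secrets (group-readable for CI runner notifications)
    # 0440 is the one deliberate widening in this file: the gitea-runner
    # group must be able to read the topic and token.
    ntfy-alerts-topic = {
      file = ../secrets/server/ntfy-alerts-topic.age;
      mode = "0440";
      owner = "root";
      group = "gitea-runner";
    };
    ntfy-alerts-token = {
      file = ../secrets/server/ntfy-alerts-token.age;
      mode = "0440";
      owner = "root";
      group = "gitea-runner";
    };

    # Firefox Sync server secrets (SYNC_MASTER_SECRET)
    # No owner/group given, so agenix's default root:root applies; the
    # service is expected to receive it via a root-side mechanism such as
    # LoadCredential/EnvironmentFile — TODO confirm against the service unit.
    firefox-syncserver-env = {
      file = ../secrets/server/firefox-syncserver-env.age;
      mode = "0400";
    };

    # MollySocket env (MOLLY_VAPID_PRIVKEY + MOLLY_ALLOWED_UUIDS)
    # Same ownership situation as firefox-syncserver-env above (root:root by
    # default) — TODO confirm the unit reads it before dropping privileges.
    mollysocket-env = {
      file = ../secrets/server/mollysocket-env.age;
      mode = "0400";
    };

    # Murmur (Mumble) server password
    murmur-password-env = {
      file = ../secrets/server/murmur-password-env.age;
      mode = "0400";
      owner = "murmur";
      group = "murmur";
    };

    # Coturn static auth secret
    coturn-auth-secret = {
      file = ../secrets/server/coturn-auth-secret.age;
      mode = "0400";
      owner = "turnserver";
      group = "turnserver";
    };

    # Matrix (continuwuity) registration token
    matrix-reg-token = {
      file = ../secrets/server/matrix-reg-token.age;
      mode = "0400";
      owner = "continuwuity";
      group = "continuwuity";
    };

    # Matrix (continuwuity) TURN secret — same secret as coturn-auth-secret,
    # decrypted separately so continuwuity can read it with its own ownership
    # (two 0400 copies rather than one 0440 copy keeps each service confined
    # to its own file).
    matrix-turn-secret = {
      file = ../secrets/server/coturn-auth-secret.age;
      mode = "0400";
      owner = "continuwuity";
      group = "continuwuity";
    };

    # CI deploy SSH key
    ci-deploy-key = {
      file = ../secrets/server/ci-deploy-key.age;
      mode = "0400";
      owner = "gitea-runner";
      group = "gitea-runner";
    };

    # Git-crypt symmetric key for the unified nixos repo.
    git-crypt-key-nixos = {
      file = ../secrets/server/git-crypt-key-nixos.age;
      mode = "0400";
      owner = "gitea-runner";
      group = "gitea-runner";
    };

    # Gitea Actions runner registration token
    gitea-runner-token = {
      file = ../secrets/server/gitea-runner-token.age;
      mode = "0400";
      owner = "gitea-runner";
      group = "gitea-runner";
    };

    # llama-cpp API key for bearer token auth
    llama-cpp-api-key = {
      file = ../secrets/server/llama-cpp-api-key.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # Harmonia binary cache signing key
    harmonia-sign-key = {
      file = ../secrets/server/harmonia-sign-key.age;
      mode = "0400";
      owner = "harmonia";
      group = "harmonia";
    };

    # Caddy basic auth for nix binary cache (separate from main caddy_auth)
    nix-cache-auth = {
      file = ../secrets/server/nix-cache-auth.age;
      mode = "0400";
      owner = "caddy";
      group = "caddy";
    };

    # Firefly III application encryption key (base64:<32 random bytes>)
    # NOTE(review): group = "caddy" grants nothing while mode is 0400 (group
    # bits are zero). If caddy really needs to read these Firefly secrets the
    # mode would have to be 0440; otherwise group could simply match owner.
    # Intent unclear from here — left as is.
    firefly-iii-app-key = {
      file = ../secrets/server/firefly-iii-app-key.age;
      mode = "0400";
      owner = "firefly-iii";
      group = "caddy";
    };

    # Firefly III Data Importer Laravel APP_KEY (base64:<32 random bytes>)
    # Same group/mode remark as firefly-iii-app-key.
    firefly-iii-data-importer-app-key = {
      file = ../secrets/server/firefly-iii-data-importer-app-key.age;
      mode = "0400";
      owner = "firefly-iii-data-importer";
      group = "caddy";
    };

    # Firefly III Personal Access Token used by the data importer (FIREFLY_III_ACCESS_TOKEN).
    # First-deploy ciphertext is a placeholder string; rotate after creating
    # the PAT in the Firefly UI (Profile → OAuth → Personal Access Tokens).
    # Same group/mode remark as firefly-iii-app-key.
    firefly-iii-fidi-token = {
      file = ../secrets/server/firefly-iii-fidi-token.age;
      mode = "0400";
      owner = "firefly-iii-data-importer";
      group = "caddy";
    };

    # LiveKit + lk-jwt-service shared signing keys (`<keyname>: <secret>` per
    # nixpkgs services.livekit.keyFile docs). systemd reads via LoadCredential
    # before dropping privileges, so root-only is correct for both consumers.
    livekit-keys = {
      file = ../secrets/server/livekit-keys.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };
  };
}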