move encrypted secrets near relevant files

2025-03-15 03:27:06 +00:00 · 2025-03-09 17:09:33 +00:00 · 2025-03-09 17:09:33 +00:00 · 37d1d7724a
commit 37d1d7724a
parent f59ac536a2
60 changed files with 27 additions and 94 deletions
--- a/disks/README.md
+++ b/disks/README.md
@ -1,5 +0,0 @@
 # Disks
 These are my [disko](https://github.com/nix-community/disko) configurations,
 which allow me to save desired disk formatting layouts as a declarative file so
 I don't have to remember how to format my disks later on.
--- a/hosts-by-platform/aarch64-linux/flame/cloudflared-flame.age
+++ b/hosts-by-platform/aarch64-linux/flame/cloudflared-flame.age
--- a/hosts-by-platform/aarch64-linux/flame/default.nix
+++ b/hosts-by-platform/aarch64-linux/flame/default.nix
@ -52,7 +52,7 @@ rec {
  nmasur.presets.services.cloudflared = {
    tunnel = {
      id = "bd250ee1-ed2e-42d2-b627-039f1eb5a4d2";
-      credentialsFile = ../../../private/cloudflared-flame.age;
+      credentialsFile = ./cloudflared-flame.age;
      ca = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK/6oyVqjFGX3Uvrc3VS8J9sphxzAnRzKC85xgkHfYgR3TK6qBGXzHrknEj21xeZrr3G2y1UsGzphWJd9ZfIcdA= open-ssh-ca@cloudflareaccess.org";
    };
  };
--- a/hosts-by-platform/default.nix
+++ b/hosts-by-platform/default.nix
@ -34,7 +34,7 @@ in
  ];
  x86_64-linux-hosts = lib.pipe (lib.filesystem.listFilesRecursive ./x86_64-linux) [
    # Get only files ending in default.nix
-    (builtins.filter (name: lib.hasSuffix ".nix" name))
+    (builtins.filter (name: lib.hasSuffix "default.nix" name))
    # Import each host function
    (map (file: {
      name = lib.removeSuffix ".nix" (builtins.baseNameOf file);
--- a/hosts-by-platform/x86_64-linux/staff/default.nix
+++ b/hosts-by-platform/x86_64-linux/staff/default.nix
--- a/hosts-by-platform/x86_64-linux/swan/cloudflared-swan.age
+++ b/hosts-by-platform/x86_64-linux/swan/cloudflared-swan.age
--- a/hosts-by-platform/x86_64-linux/swan/default.nix
+++ b/hosts-by-platform/x86_64-linux/swan/default.nix
@ -85,7 +85,7 @@ rec {
  nmasur.presets.services.cloudflared = {
    tunnel = {
      id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
-      credentialsFile = ../../private/cloudflared-swan.age;
+      credentialsFile = ./cloudflared-swan.age;
      ca = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
    };
  };
--- a/hosts-by-platform/x86_64-linux/swan/root.nix
+++ b/hosts-by-platform/x86_64-linux/swan/root.nix
--- a/hosts-by-platform/x86_64-linux/tempest/cloudflared-tempest.age
+++ b/hosts-by-platform/x86_64-linux/tempest/cloudflared-tempest.age
--- a/hosts-by-platform/x86_64-linux/tempest/default.nix
+++ b/hosts-by-platform/x86_64-linux/tempest/default.nix
@ -98,7 +98,7 @@ rec {
  nmasur.presets.services.cloudflared = {
    tunnel = {
      id = "ac133a82-31fb-480c-942a-cdbcd4c58173";
-      credentialsFile = ../../../private/cloudflared-tempest.age;
+      credentialsFile = ./cloudflared-tempest.age;
      ca = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPY6C0HmdFCaxYtJxFr3qV4/1X4Q8KrYQ1hlme3u1hJXK+xW+lc9Y9glWHrhiTKilB7carYTB80US0O47gI5yU4= open-ssh-ca@cloudflareaccess.org";
    };
  };
--- a/hosts-old/aarch64-darwin/default.nix
+++ b/hosts-old/aarch64-darwin/default.nix
@ -1,18 +0,0 @@
 # Return a list of all nix-darwin hosts
 { lib, ... }:
 lib.pipe (lib.filesystem.listFilesRecursive ./.) [
  # Get only files ending in default.nix
  (builtins.filter (name: lib.hasSuffix "default.nix" name))
  # Remove this file
  (builtins.filter (name: name != ./default.nix))
  # Import each host function
  map
  (file: {
    name = builtins.baseNameOf (builtins.dirOf file);
    value = import file;
  })
  # Convert to an attrset of hostname -> host function
  (builtins.listToAttrs)
 ]
--- a/hosts-old/aarch64-linux/default.nix
+++ b/hosts-old/aarch64-linux/default.nix
@ -1,22 +0,0 @@
 # Return a list of all NixOS hosts
 { nixpkgs, ... }:
 let
  inherit (nixpkgs) lib;
 in
 lib.pipe (lib.filesystem.listFilesRecursive ./.) [
  # Get only files ending in default.nix
  (builtins.filter (name: lib.hasSuffix "default.nix" name))
  # Remove this file
  (builtins.filter (name: name != ./default.nix))
  # Import each host function
  map
  (file: {
    name = builtins.baseNameOf (builtins.dirOf file);
    value = import file;
  })
  # Convert to an attrset of hostname -> host function
  (builtins.listToAttrs)
 ]
--- a/hosts-old/x86_64-linux/arrow/aws/ec2.tf
+++ b/hosts-old/x86_64-linux/arrow/aws/ec2.tf
--- a/hosts-old/x86_64-linux/arrow/aws/image.tf
+++ b/hosts-old/x86_64-linux/arrow/aws/image.tf
--- a/hosts-old/x86_64-linux/arrow/aws/main.tf
+++ b/hosts-old/x86_64-linux/arrow/aws/main.tf
--- a/hosts-old/x86_64-linux/arrow/aws/outputs.tf
+++ b/hosts-old/x86_64-linux/arrow/aws/outputs.tf
--- a/hosts-old/x86_64-linux/arrow/aws/variables.tf
+++ b/hosts-old/x86_64-linux/arrow/aws/variables.tf
--- a/hosts-old/x86_64-linux/arrow/default.nix
+++ b/hosts-old/x86_64-linux/arrow/default.nix
--- a/hosts-old/x86_64-linux/arrow/modules.nix
+++ b/hosts-old/x86_64-linux/arrow/modules.nix
--- a/hosts-old/x86_64-linux/arrow/vultr/main.tf
+++ b/hosts-old/x86_64-linux/arrow/vultr/main.tf
--- a/hosts-old/x86_64-linux/hydra/default.nix
+++ b/hosts-old/x86_64-linux/hydra/default.nix
--- a/hosts-old/x86_64-linux/staff/default.nix
+++ b/hosts-old/x86_64-linux/staff/default.nix
--- a/hosts-old/x86_64-linux/default.nix
+++ b/hosts-old/x86_64-linux/default.nix
@ -1,22 +0,0 @@
 # Return a list of all NixOS hosts
 { nixpkgs, ... }:
 let
  inherit (nixpkgs) lib;
 in
 lib.pipe (lib.filesystem.listFilesRecursive ./.) [
  # Get only files ending in default.nix
  (builtins.filter (name: lib.hasSuffix "default.nix" name))
  # Remove this file
  (builtins.filter (name: name != ./default.nix))
  # Import each host function
  map
  (file: {
    name = builtins.baseNameOf (builtins.dirOf file);
    value = import file;
  })
  # Convert to an attrset of hostname -> host function
  (builtins.listToAttrs)
 ]
--- a/platforms/home-manager/modules/nmasur/presets/services/mbsync/mailpass.age
+++ b/platforms/home-manager/modules/nmasur/presets/services/mbsync/mailpass.age
--- a/platforms/home-manager/modules/nmasur/presets/services/mbsync/mbsync.nix
+++ b/platforms/home-manager/modules/nmasur/presets/services/mbsync/mbsync.nix
@ -112,7 +112,7 @@ in
            notmuch.enable = true;
            # Used to login and send and receive emails
-            passwordCommand = "${lib.getExe pkgs.age} --decrypt --identity ~/.ssh/id_ed25519 ${pkgs.writeText "mailpass.age" (builtins.readFile ../../../../../../private/mailpass.age)}";
+            passwordCommand = "${lib.getExe pkgs.age} --decrypt --identity ~/.ssh/id_ed25519 ${pkgs.writeText "mailpass.age" (builtins.readFile ./mailpass.age)}";
            smtp = {
              host = cfg.smtpHost;
--- a/platforms/nixos/modules/nmasur/presets/programs/msmtp/mailpass-system.age
+++ b/platforms/nixos/modules/nmasur/presets/programs/msmtp/mailpass-system.age
--- a/platforms/nixos/modules/nmasur/presets/programs/msmtp/msmtp.nix
+++ b/platforms/nixos/modules/nmasur/presets/programs/msmtp/msmtp.nix
@ -32,7 +32,7 @@ in
    passwordFile = lib.mkOption {
      type = lib.types.path;
      description = "Password file for SMTP";
-      default = ../../../../../../private/mailpass-system.age;
+      default = ./mailpass-system.age;
    };
  };
--- a/platforms/nixos/modules/nmasur/presets/services/arr/arr.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/arr/arr.nix
@ -250,27 +250,27 @@ in
    # Secrets for Prometheus exporters
    secrets.radarrApiKey = {
-      source = ../../../private/radarr-api-key.age;
+      source = ./radarr-api-key.age;
      dest = "/var/private/radarr-api";
      prefix = "API_KEY=";
    };
    secrets.readarrApiKey = {
-      source = ../../../private/radarr-api-key.age;
+      source = ./radarr-api-key.age;
      dest = "/var/private/readarr-api";
      prefix = "API_KEY=";
    };
    secrets.sonarrApiKey = {
-      source = ../../../private/sonarr-api-key.age;
+      source = ./sonarr-api-key.age;
      dest = "/var/private/sonarr-api";
      prefix = "API_KEY=";
    };
    secrets.prowlarrApiKey = {
-      source = ../../../private/prowlarr-api-key.age;
+      source = ./prowlarr-api-key.age;
      dest = "/var/private/prowlarr-api";
      prefix = "API_KEY=";
    };
    secrets.sabnzbdApiKey = {
-      source = ../../../private/sabnzbd-api-key.age;
+      source = ./sabnzbd-api-key.age;
      dest = "/var/private/sabnzbd-api";
      prefix = "API_KEY=";
    };
--- a/platforms/nixos/modules/nmasur/presets/services/arr/prowlarr-api-key.age
+++ b/platforms/nixos/modules/nmasur/presets/services/arr/prowlarr-api-key.age
--- a/platforms/nixos/modules/nmasur/presets/services/arr/radarr-api-key.age
+++ b/platforms/nixos/modules/nmasur/presets/services/arr/radarr-api-key.age
--- a/platforms/nixos/modules/nmasur/presets/services/arr/sabnzbd-api-key.age
+++ b/platforms/nixos/modules/nmasur/presets/services/arr/sabnzbd-api-key.age
--- a/platforms/nixos/modules/nmasur/presets/services/arr/sonarr-api-key.age
+++ b/platforms/nixos/modules/nmasur/presets/services/arr/sonarr-api-key.age
--- a/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare-api.age
+++ b/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare-api.age
--- a/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/cloudflare/cloudflare.nix
@ -98,7 +98,7 @@ in
    # Private key is used for LetsEncrypt
    secrets.letsencrypt-key = {
-      source = ../../../../../../private/letsencrypt-key.age;
+      source = ./letsencrypt-key.age;
      dest = "${config.secretsDirectory}/letsencrypt-key";
      owner = "caddy";
      group = "caddy";
@ -106,7 +106,7 @@ in
    # API key must have access to modify Cloudflare DNS records
    secrets.cloudflare-api = {
-      source = ../../../../../../private/cloudflare-api.age;
+      source = ./cloudflare-api.age;
      dest = "${config.secretsDirectory}/cloudflare-api";
      owner = "caddy";
      group = "caddy";
--- a/platforms/nixos/modules/nmasur/presets/services/cloudflare/letsencrypt-key.age
+++ b/platforms/nixos/modules/nmasur/presets/services/cloudflare/letsencrypt-key.age
--- a/platforms/nixos/modules/nmasur/presets/services/gitea-runner-local/gitea-runner-local.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/gitea-runner-local/gitea-runner-local.nix
@ -52,7 +52,7 @@ in
    # API key needed to connect to Gitea
    secrets.giteaRunnerToken = {
-      source = ../../../private/gitea-runner-token.age; # TOKEN=xyz
+      source = ./gitea-runner-token.age; # TOKEN=xyz
      dest = "${config.secretsDirectory}/gitea-runner-token";
    };
    systemd.services.giteaRunnerToken-secret = {
--- a/platforms/nixos/modules/nmasur/presets/services/gitea-runner-local/gitea-runner-token.age
+++ b/platforms/nixos/modules/nmasur/presets/services/gitea-runner-local/gitea-runner-token.age
--- a/platforms/nixos/modules/nmasur/presets/services/grafana/grafana.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/grafana/grafana.nix
@ -17,7 +17,7 @@ in
    # Allow Grafana to connect to email service
    secrets.mailpass-grafana = {
-      source = ../../../../../../private/mailpass-grafana.age;
+      source = ./mailpass-grafana.age;
      dest = "${config.secretsDirectory}/mailpass-grafana";
      owner = "grafana";
      group = "grafana";
--- a/platforms/nixos/modules/nmasur/presets/services/grafana/mailpass-grafana.age
+++ b/platforms/nixos/modules/nmasur/presets/services/grafana/mailpass-grafana.age
--- a/platforms/nixos/modules/nmasur/presets/services/influxdb2/influxdb2-password.age
+++ b/platforms/nixos/modules/nmasur/presets/services/influxdb2/influxdb2-password.age
--- a/platforms/nixos/modules/nmasur/presets/services/influxdb2/influxdb2-token.age
+++ b/platforms/nixos/modules/nmasur/presets/services/influxdb2/influxdb2-token.age
--- a/platforms/nixos/modules/nmasur/presets/services/influxdb2/influxdb2.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/influxdb2/influxdb2.nix
@ -33,7 +33,7 @@ in
    # Create credentials file for InfluxDB admin
    secrets.influxdb2Password = lib.mkIf config.services.influxdb2.enable {
-      source = ../../../../../../private/influxdb2-password.age;
+      source = ./influxdb2-password.age;
      dest = "${config.secretsDirectory}/influxdb2-password";
      owner = "influxdb2";
      group = "influxdb2";
@ -44,7 +44,7 @@ in
      before = [ "influxdb2.service" ];
    };
    secrets.influxdb2Token = lib.mkIf config.services.influxdb2.enable {
-      source = ../../../../../../private/influxdb2-token.age;
+      source = ./influxdb2-token.age;
      dest = "${config.secretsDirectory}/influxdb2-token";
      owner = "influxdb2";
      group = "influxdb2";
--- a/platforms/nixos/modules/nmasur/presets/services/litestream/backup.age
+++ b/platforms/nixos/modules/nmasur/presets/services/litestream/backup.age
--- a/platforms/nixos/modules/nmasur/presets/services/litestream/litestream.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/litestream/litestream.nix
@ -29,7 +29,7 @@ in
      accessKeySecret = lib.mkOption {
        type = lib.types.nullOr lib.types.path;
        description = "S3 secret key path for Litestream backups";
-        default = ../../../../../../private/backup.age;
+        default = ./backup.age;
      };
    };
  };
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus-exporters.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus-exporters.nix
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus-remote-write.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus-remote-write.nix
@ -38,7 +38,7 @@ in
    # Create credentials file for remote Prometheus push
    secrets.prometheus = {
-      source = ../../../../../../private/prometheus.age;
+      source = ./prometheus.age;
      dest = "${config.secretsDirectory}/prometheus";
      owner = "prometheus";
      group = "prometheus";
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus.age
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/prometheus.age
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/victoriametrics.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/victoriametrics.nix
@ -71,7 +71,7 @@ in
    };
    secrets.vmauth = lib.mkIf config.services.victoriametrics.enable {
-      source = ../../../../../../private/prometheus.age;
+      source = ./prometheus.age;
      dest = "${config.secretsDirectory}/vmauth";
      prefix = "PASSWORD=";
    };
--- a/platforms/nixos/modules/nmasur/presets/services/metrics/vm-agent.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/metrics/vm-agent.nix
@ -47,7 +47,7 @@ in
    };
    secrets.vmagent = {
-      source = ../../../../../../private/prometheus.age;
+      source = ./prometheus.age;
      dest = "${config.secretsDirectory}/vmagent";
    };
    systemd.services.vmagent-secret = lib.mkIf config.services.vmagent.enable {
--- a/platforms/nixos/modules/nmasur/presets/services/nextcloud/nextcloud.age
+++ b/platforms/nixos/modules/nmasur/presets/services/nextcloud/nextcloud.age
--- a/platforms/nixos/modules/nmasur/presets/services/nextcloud/nextcloud.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/nextcloud/nextcloud.nix
@ -200,7 +200,7 @@ in
    # Create credentials file for nextcloud
    secrets.nextcloud = {
-      source = ../../../private/nextcloud.age;
+      source = ./nextcloud.age;
      dest = "${config.secretsDirectory}/nextcloud";
      owner = "nextcloud";
      group = "nextcloud";
--- a/platforms/nixos/modules/nmasur/presets/services/paperless/paperless.age
+++ b/platforms/nixos/modules/nmasur/presets/services/paperless/paperless.age
--- a/platforms/nixos/modules/nmasur/presets/services/paperless/paperless.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/paperless/paperless.nix
@ -51,7 +51,7 @@ in
    services.cloudflare-dyndns.domains = [ hostnames.paperless ];
    secrets.paperless = {
-      source = ../../../../../../private/prometheus.age;
+      source = ./paperless.age;
      dest = "${config.secretsDirectory}/paperless";
      owner = "paperless";
      group = "paperless";
--- a/platforms/nixos/modules/nmasur/presets/services/restic/restic.age
+++ b/platforms/nixos/modules/nmasur/presets/services/restic/restic.age
--- a/platforms/nixos/modules/nmasur/presets/services/restic/restic.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/restic/restic.nix
@ -10,7 +10,7 @@ in
    resticPassword = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      description = "Password file path for Restic backups";
-      default = ../../../../../../private/restic.age;
+      default = ./restic.age;
    };
    s3 = {
      endpoint = lib.mkOption {
@ -26,7 +26,7 @@ in
      accessKeySecretPair = lib.mkOption {
        type = lib.types.nullOr lib.types.path;
        description = "Path to file containing S3 access and secret key for Restic backups";
-        default = ../../../../../../private/s3-glacier.age;
+        default = ./s3-glacier.age;
      };
    };
  };
--- a/platforms/nixos/modules/nmasur/presets/services/restic/s3-glacier.age
+++ b/platforms/nixos/modules/nmasur/presets/services/restic/s3-glacier.age
--- a/platforms/nixos/modules/nmasur/presets/services/vaultwarden/vaultwarden.age
+++ b/platforms/nixos/modules/nmasur/presets/services/vaultwarden/vaultwarden.age
--- a/platforms/nixos/modules/nmasur/presets/services/vaultwarden/vaultwarden.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/vaultwarden/vaultwarden.nix
@ -43,7 +43,7 @@ in
    };
    secrets.vaultwarden = {
-      source = ../../../../../../private/vaultwarden.age;
+      source = ./vaultwarden.age;
      dest = "${config.secretsDirectory}/vaultwarden";
      owner = "vaultwarden";
      group = "vaultwarden";
--- a/platforms/nixos/modules/nmasur/presets/services/wireguard/wireguard.age
+++ b/platforms/nixos/modules/nmasur/presets/services/wireguard/wireguard.age
--- a/platforms/nixos/modules/nmasur/presets/services/wireguard/wireguard.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/wireguard/wireguard.nix
@ -52,7 +52,7 @@ in
    # Create private key file for wireguard
    secrets.wireguard = {
-      source = ../../../private/wireguard.age;
+      source = ./wireguard.age;
      dest = "${config.secretsDirectory}/wireguard";
    };
  };