From 53fb8e06dc22442db40e2d3e00ee63cffc985f1c Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Sun, 20 Jul 2025 15:34:59 +0200
Subject: [PATCH] Added zitadel masterkey + rewritten agenix secrets module.
---
 .locksverify | 0
 secrets/default.nix | 64 +++++++++++++++++++--------------------
 secrets/secrets.nix | 2 +-
 secrets/zitadel-key.age | 15 +++++++++
 system/server/zitadel.nix | 2 +-
 5 files changed, 49 insertions(+), 34 deletions(-)
 create mode 100644 .locksverify
 create mode 100644 secrets/zitadel-key.age
diff --git a/.locksverify b/.locksverify
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/default.nix b/secrets/default.nix
index 3aa47f4..642ae61 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,41 +1,41 @@
-{config, ...}: let
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.niksos) server;
+  serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
+  abstrServiceUser = x: config.services.${x}.user;
 in {
   age.secrets = {
-    transferSh = {
-      file = ./transfer-sh.age;
-      owner = "jsw";
-    };
-    dcbot = {
-      file = ./dcbot.age;
-      owner =
-        if config.niksos.server
-        then serviceUser "dcbot" # "dcbot" doesn't exist on e.g laptop.
-        else "root";
-    };
-    bread-dcbot = {
-      file = ./bread-dcbot.age;
-      owner =
-        if config.niksos.server
-        then serviceUser "bread-dcbot" # "dcbot" doesn't exist on e.g laptop.
-        else "root";
-    };
     password.file = ./password.age;
-    matrix-registration = {
-      file = ./matrix-registration.age;
-      owner =
-        if config.niksos.server
-        then config.services.matrix-continuwuity.user
-        else "root";
+
+    # NOTE: server things
+    dcbot = mkIf server {
+      file = ./dcbot.age;
+      owner = serviceUser "dcbot"; #
     };
-    cloudflare-acme.file = ./cloudflare-acme.age;
-    mail-admin = {
-      # owner = #FIXME: revert when stopped using docker for stalwart.
-      # if config.niksos.server
-      # then serviceUser "stalwart-mail"
-      # else "root";
+    bread-dcbot = mkIf server {
+      file = ./bread-dcbot.age;
+      owner = "bread-dcbot";
+    };
+    matrix-registration = mkIf server {
+      file = ./matrix-registration.age;
+      owner = abstrServiceUser "matrix-continuwuity";
+    };
+    mail-admin = mkIf server {
+      # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
       file = ./mail-admin.age;
     };
-    zitadel.file = ./zitadel.age;
+    zitadel = mkIf server {
+      file = ./zitadel.age;
+      owner = abstrServiceUser "zitadel";
+    };
+    zitadel-key = mkIf server {
+      file = ./zitadel-key.age;
+      owner = abstrServiceUser "zitadel";
+    };
   };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 1ed79c2..032f1bb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
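Review bot: The new `bread-dcbot` entry hard-codes `owner = "bread-dcbot";` while the neighbouring `dcbot` entry derives it with `serviceUser "dcbot"`; if the bread-dcbot unit's `User` is ever changed the decrypted file ends up owned by an account the service does not run as, so `owner = serviceUser "bread-dcbot";` keeps the two consistent and ties ownership to the unit. The `dcbot` line also leaves a dangling `#` after `serviceUser "dcbot";` that should either carry the old "doesn't exist on e.g laptop" remark or be dropped. The `transferSh` and `cloudflare-acme` entries disappear here (and `cloudflare-acme.age` leaves the rekey list in the secrets.nix hunk), yet the diffstat deletes neither `transfer-sh.age` nor `cloudflare-acme.age`, so those encrypted files appear to stay in the tree undeclared and un-rekeyable — confirm nothing still references `config.age.secrets.transferSh` or `config.age.secrets.cloudflare-acme` and remove the files, or keep the entries. For the new `zitadel-key` secret, Zitadel requires a master key of exactly 32 bytes, so it is worth checking that the decrypted payload carries no trailing newline unless the zitadel module is known to strip one.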
@@ -18,7 +18,7 @@ in {
   "dcbot.age".publicKeys = keys;
   "bread-dcbot.age".publicKeys = keys;
   "matrix-registration.age".publicKeys = keys;
-  "cloudflare-acme.age".publicKeys = keys;
   "mail-admin.age".publicKeys = keys;
   "zitadel.age".publicKeys = keys;
+  "zitadel-key.age".publicKeys = keys;
 }
diff --git a/secrets/zitadel-key.age b/secrets/zitadel-key.age
new file mode 100644
index 0000000..2eba485
--- /dev/null
+++ b/secrets/zitadel-key.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA 8s7XBtsT4aMey1VsjyPuiR9A23iGVgJlG2Dkw5Bvozo
+0GWZoueNk/hDnytLuHHFY2k+iL+Ine1wIYwQFiq7KCs
+-> ssh-ed25519 MfR7VA dzd732h24b07RcrrRc+P0X1NK976C3K3oU2qDmq9QG0
+6OeYdwuHemkFHrjbOQ/RFmMdsEt8OqIq5vgILNFTI6c
+-> ssh-ed25519 +cvRTg /KyYAI4kuFrZ6kr8tRBe9RSyrWIpzk7zJWshoYm+k10
+Eouuif3FzeKtCldyWDzD/eEj4A1lUrXFw3R/oEm8VgE
+-> ssh-ed25519 WCPLrA Z3Pw+BpqAB41FatChu2fTa7WEf1Px1aCyfQ3hgQpxS0
+CeooAiiIKhMT+apVorjV4bmbupESh3g4oSijGQqe1jA
+-> ssh-ed25519 7/ziYw 8v7lxtYQ++YPwxsvz7AokGHc1TBoF+NLon9BbvK+w3c
+SIlKY5qwo1jsKnP1jfoQjHU77XWfJ5Emy5Nni2qPx5E
+-> ssh-ed25519 VQy60Q teT6TQxAYDs09h8T9BnofmInTLQQ2PWN7qeS8CYDfHE
+7KE9Fpdd+OBVs4F5wp+lBRSJTLZHbrxy8rz+2pbbZ34
+--- aRYzmVbztYklpEcpALzft6JXe4ehgRMo9JfgloHP69s
+F9Y–Âaåy©|WÞª5Z9…kÛLºÎ$Ú;L%zíàklSIZ–òÑÄdyíþG…;Ÿñ’È–B oðƒ×
\ No newline at end of file
diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix
index f3fd8e0..646b8d2 100644
--- a/system/server/zitadel.nix
+++ b/system/server/zitadel.nix
@@ -15,7 +15,7 @@ in {
   services.zitadel = {
     enable = true;
-    masterKeyFile = "/etc/default/zitadel";
+    masterKeyFile = config.age.secrets.zitadel-key.path;
     settings = {
       inherit Port ExternalDomain;
       ExternalPort = 443;
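Review bot: `"zitadel-key.age".publicKeys = keys;` encrypts the Zitadel master key to the same recipient set as every other secret, and the new file's header in the following hunk lists six ssh-ed25519 recipients, so each of those identities can recover the key that protects all of Zitadel's stored credentials even though only the server host needs it. The `keys` list is defined above this hunk, so which identities those are cannot be seen here; if it mixes laptop and host keys, a separate, smaller list for this file (say one named `serverKeys`, defined next to `keys`, holding the server host key plus the key used for rekeying) would limit what a single compromised identity exposes. The one-line form is `"zitadel-key.age".publicKeys = serverKeys;`, with the same treatment worth considering for `zitadel.age`.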