diff --git a/.locksverify b/.locksverify
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/default.nix b/secrets/default.nix
index 99356d8..2e96df6 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,40 +1,37 @@
-{config, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf;
+ inherit (config.niksos) server;
 serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
+ abstrServiceUser = x: config.services.${x}.user;
 in {
 age.secrets = {
- transferSh = {
- file = ./transfer-sh.age;
- owner = "jsw";
- };
- dcbot = {
- file = ./dcbot.age;
- owner =
- if config.niksos.server
- then serviceUser "dcbot" # "dcbot" doesn't exist on e.g laptop.
- else "root";
- };
- bread-dcbot = {
- file = ./bread-dcbot.age;
- owner =
- if config.niksos.server
- then serviceUser "bread-dcbot" # "dcbot" doesn't exist on e.g laptop.
- else "root";
- };
 password.file = ./password.age;
- matrix-registration = {
- file = ./matrix-registration.age;
- owner =
- if config.niksos.server
- then config.services.matrix-continuwuity.user
- else "root";
+
+ # NOTE: server things
+ dcbot = mkIf server {
+ file = ./dcbot.age;
+ owner = serviceUser "dcbot"; #
 };
- cloudflare-acme.file = ./cloudflare-acme.age;
- mail-admin = {
- # owner = #FIXME: revert when stopped using docker for stalwart.
- # if config.niksos.server
- # then serviceUser "stalwart-mail"
- # else "root";
+ bread-dcbot = mkIf server {
+ file = ./bread-dcbot.age;
+ owner = "bread-dcbot";
+ };
+ matrix-registration = mkIf server {
+ file = ./matrix-registration.age;
+ owner = abstrServiceUser "matrix-continuwuity";
+ };
+ mail-admin = mkIf server {
+ # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
 file = ./mail-admin.age;
 };
+ zitadel-key = mkIf server {
+ file = ./zitadel-key.age;
+ owner = abstrServiceUser "zitadel";
+ };
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2db3699..5f4df5c 100644
--- a/secrets/secrets.nix
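Review bot: `owner = "bread-dcbot";` is the one new entry in this hunk that hard-codes the owning user instead of deriving it the way `dcbot` (`serviceUser "dcbot"`) and the `abstrServiceUser` entries do, so a later rename of the service account would leave the decrypted file owned by a stale or non-existent user without any evaluation error; unless the bread-dcbot unit has no `serviceConfig.User` to read, `owner = serviceUser "bread-dcbot";` keeps it consistent with its neighbour and with the line this hunk removes. The trailing `#` on `owner = serviceUser "dcbot"; #` is an empty leftover comment and should be dropped. The `transferSh` and `cloudflare-acme` entries are removed from `age.secrets` (and `cloudflare-acme.age` from the recipient list in the `secrets/secrets.nix` hunk), but no deletion of the corresponding `.age` files appears in this diff; if they are not removed elsewhere, the encrypted files stay in the repository, still decryptable by whichever recipient keys they were encrypted to, and the credentials they hold should be treated as retired rather than merely unreferenced. `mail-admin` now has no `owner` at all with the original line parked under the FIXME, which appears to be the pre-existing behaviour, but the comment could say what owner it falls back to so the FIXME is self-explanatory.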
+++ b/secrets/secrets.nix
@@ -18,6 +18,6 @@ in {
 "dcbot.age".publicKeys = keys;
 "bread-dcbot.age".publicKeys = keys;
 "matrix-registration.age".publicKeys = keys;
- "cloudflare-acme.age".publicKeys = keys;
 "mail-admin.age".publicKeys = keys;
+ "zitadel-key.age".publicKeys = keys;
 }
diff --git a/secrets/zitadel-key.age b/secrets/zitadel-key.age
new file mode 100644
index 0000000..f5751e4
--- /dev/null
+++ b/secrets/zitadel-key.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA YUoGdx518q+GhqnOVeuHxWE4//2KgVTXJCu4ULUkly8
+XIxa/FaGC5XBcrsvhZq5rOgX5vNDfFvcDCsamN7vHJ8
+-> ssh-ed25519 MfR7VA 9btD5WmqZdQ54uJYVNwU3Z5DBIlACbYfqGe1wPZwd30
+QecwT2R+BkQrGmorYcMuXHyy/TG7JjBdH2fp3W9zCBU
+-> ssh-ed25519 +cvRTg UZnkgS+9oRLgEI/vdLFIAPbUG4V5iAuB4Z74D/quXzE
+vxWJZI/SZKH1j8bnI4xC8+TIIANqMOkIDej+BWzDJwE
+-> ssh-ed25519 WCPLrA OVnublQtCOFFo7+vcKGmCY3B3FkvLvQ6GaU7xMx8uQY
+PuMamZqF3vCqgmpcTGQinIdbjOOpHtrmKfOXlL924Rk
+-> ssh-ed25519 7/ziYw nYxpO5kaGDOyGUEFxryEhT0XqWf0Oc1RgprYaPjC33c
+UseYaBeWvetviCf1FHncVNko86ji+GX9AdyDic2A1Og
+-> ssh-ed25519 VQy60Q ok1oP3f7nWBd/6DyJFDnsv/Lb2/bwHY0cvmHI386IFM
+t5rIZBUz5jav6tUo01ASMzYtHoW4+cKBZ2lzmxSI7IA
+--- NZ9UXYlEIcw3VPFqDswXhSecW1zqcCeKivJoHC1zKA8
+JqU0]D_Տz =1׶S!-.t="緿e