lelgenio/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 2 Releases Packages Wiki Activity Actions

phantom: migrate secrets to sops

Browse source
This commit is contained in:
Leonardo Eugênio 2026-02-15 03:47:47 -03:00
parent 5f57fb269a
commit 3be05b100b
11 changed files with 24 additions and 102 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/phantom/invidious.nix
View file

@ -23,7 +23,7 @@
# "visitor_data": "...",
# "po_token": "..."
# }
extraSettingsFile = config.age.secrets.phantom-invidious-settings.path;
extraSettingsFile = config.sops.secrets."invidious/settings.json".path;
settings = {
force_resolve = "ipv6";
db = {
@ -33,8 +33,7 @@
};
};
age.secrets.phantom-invidious-settings = {
file = ../../secrets/phantom-invidious-settings.age;
sops.secrets."invidious/settings.json" = {
mode = "666";
};
}

5
hosts/phantom/mastodon.nix
View file

@ -14,15 +14,14 @@
host = "lelgenio.com";
fromAddress = "noreply@social.lelgenio.com";
user = "noreply@social.lelgenio.com";
passwordFile = config.age.secrets.phantom-mastodon-mailer-password.path;
passwordFile = config.sops.secrets."mastodon/smtp-password".path;
};
streamingProcesses = 2;
extraConfig.SINGLE_USER_MODE = "true";
mediaAutoRemove.olderThanDays = 5;
};
age.secrets.phantom-mastodon-mailer-password = {
file = ../../secrets/phantom-mastodon-mailer-password.age;
sops.secrets."mastodon/smtp-password" = {
mode = "400";
owner = "mastodon";
};

13
hosts/phantom/nextcloud.nix
View file

@ -11,7 +11,7 @@
https = true;
config = {
dbtype = "sqlite"; # TODO: move to single postgres db
adminpassFile = config.age.secrets.phantom-nextcloud.path;
adminpassFile = config.sops.secrets."nextcloud/default-password".path;
};
};
@ -20,12 +20,9 @@
enableACME = true;
};
age = {
secrets.phantom-nextcloud = {
file = ../../secrets/phantom-nextcloud.age;
mode = "400";
owner = "nextcloud";
group = "nextcloud";
};
sops.secrets."nextcloud/default-password" = {
mode = "400";
owner = "nextcloud";
group = "nextcloud";
};
}

13
hosts/phantom/writefreely.nix
View file

@ -12,19 +12,16 @@
nginx.forceSSL = true;
host = "blog.lelgenio.com";
admin.name = "lelgenio";
admin.initialPasswordFile = config.age.secrets.phantom-writefreely.path;
admin.initialPasswordFile = config.sops.secrets."writefreely/password".path;
settings.app = {
site_name = "Leo's blog";
single_user = true;
};
};
age = {
secrets.phantom-writefreely = {
file = ../../secrets/phantom-writefreely.age;
mode = "400";
owner = "writefreely";
group = "writefreely";
};
sops.secrets."writefreely/password" = {
mode = "400";
owner = "writefreely";
group = "writefreely";
};
}

16
secrets/phantom-invidious-settings.age
View file

@ -1,16 +0,0 @@
age-encryption.org/v1
-> ssh-rsa BwwxHg
iTcgtxF1IxopbtF+aw7V8IQfH7tWiMk9lE/eWlVHVjeaRvER5W6Y3xZNOFCjtbqY
VwEyV6ibfZ4GJt1jRu2icEH/AnLUJFFGQnxu/K/rtoZ3tqSIk9WCBv3aPo4oZRiU
uaaxi2gD8qo1RLyl/Ij7Djw4i/isUOO1EON5sgx1d39k6qUD4Mak0DSU4EtGdTsr
OaxDAc0kAxhxZQOUH/QlKa0HLonaFcy1LHqvttOcw3UZuZnaYfZiPlcqe3USS9cm
96aIC5cS9pHr4JFrqRYvfpla2TY5jlCB/xBGw3KjGEIQoBPXSsJZA6BCMZyp00++
tdfS2aomt9HFmb1wZDS0jWAxkVF6nXXBbolFVih+58h0nYLljtHIQ3SizRoXY459
x3JE9NReHp2OO3SlIeO03Kv8YMBvj7nSSd1C1PMpu+hJ/eCXi1WQxD6QY+40muk6
KhqE3PZ8BCY2b+VpywUF5gVH28mo3jscqAzhf2dZ3SQlzldI+hFyKPxTdAqkfUOH
--- cinb+wzjVfTkpfm1CtFIFaepwoQVCj1MquB5rAC45Ew
¾
6
ZCþHS0 7ïº ÖóýE¼X* Àqb=üOßíÛÉwu¥¤³­Pºþ¹ Ùçǖѳ/£ómvòÞ×Ë2VœÄ«
ÁŠxvç[“£µ£±”ÌA~ evdÓåÙ0¢Œni³1Ò¹Qý„"í@Ù¹§ÞÔ{KpÐ:åϵuµsÊÎBñò(X…r[ÂQVg¢Tš¤°ðœîËï@Ä*ÇõÿíB «<>.§¯žhE鲟èÐë­÷½¥Žûzlz|kã`l8´Mcch<63>îáZ`ƒ ?yeoƒ+ÈM-:/–À**ìè¦ÊcŸÎZD¡2Ñá¼é&·÷¾Ç¢ ¹£e¤ï*Hnç"Þ~+|ua(û6óËJ

13
secrets/phantom-mastodon-mailer-password.age
View file

@ -1,13 +0,0 @@
age-encryption.org/v1
-> ssh-rsa BwwxHg
Mnc+/tJ0QqxHkg2nl9gEkz5Oj1RgxtOZnD5gRv66ISUOqZhNm1+F+xVEdKn843/q
/WzH0f1cTF9NXP8vIaEo//bMmp50obJAd+JNovJxV+0gb9L55Nu7ayvK+eyk6j5n
eb8TxUnwh5BPkEyc6akDh/O49GXzLlVoFD6Ik/0f3YCqUDNAYOl2bsssXtevCeK/
WEPoCFGhZfNUrOo/0eAhiujZZ5zVb0CWNqXi8VTe2eWOE20VJULcN13TEyO3ZePx
bAPBmDfS5GgGlV4INWxVLaIMDrzlm0tYozbBNNUbdLFFOhIOrgvay9RWxdk0u2hJ
MPKoKsJ96EFxrbZJdS0W7a+aZk/Q3A3Civ2rtPx+5UANhmlY8e1lUHa26e1vA4K7
ApoMtDyCbuZ9FbLurwl9zO64wWP68aKzuyKOIw+wpy41NQ/PcViSY8KNG9Pt7A2N
CcOkByx+rwz+JdNHbOF8O4FFG4fNSWn7SvVtu5ymGgVi1bOd8PdJpjDR+6Is0SX7
--- DHNyITb7ZseEV58MOD/zHeH5vff0hhlbKg27rlYECGk
ÆJ…¨Úãè·<hUs/¿ïš}ó´Zi`ˆ JŸ°z5ùÃgõãŸ%€ì‡`¤º%/˜‚±<01>ˆ„á-Î<x—íõÉ’|

15
secrets/phantom-nextcloud.age
View file

@ -1,15 +0,0 @@
age-encryption.org/v1
-> ssh-rsa BwwxHg
bpGCgyaAPDutva1Gp/YPuek6IZTXJHKb7+oIAV/x+7Ry4Oci9zM2VWvPVE/rPE/d
0AzBX1NvsWBB005w42RfiErk4FQYRCouwNR1FNjUWNdQOmku++RPfxBXspAFIDkQ
yM7mqbhwf5by5rZY+2kl20QxkErkVtZolus1am9RV4uyXfdPaRcKjWOuPiEim42d
YdeCXq4nJGxlL3tRunIqLIZGhV08wHBl7Dubhn9hdD6/ekDk0RloVTBDZUY5tUPL
dJk+bfFPI0DimytzCwyQbWEHOkdiWYSNzbx2JhTSvuqefHP1UzB2LukaQc2gOJFV
mVKvQuGpOWknytMUhM6zCTvRw4OQutAZd96OniQYTas/vnmfT2l2n9aMEzQK157A
U9DmsvhBypILiQSPpA7QrGB1QVuRjAFJA86ASY1FAT6MdBBK4vZ8fK7mpT06JO/n
gwv+UlvFBziWHzA/1GOLrfD+ExjmbeucRZr5XGszrAaK/7GPZt4LF69hRmKegL94
-> 9I3~SC,<-grease M$2 RibFL]C
uR6MirHtTc4Tyrcw3T2my+BN2Q
--- 56zk9BqgwQqNymga1mUDgpvtfIpMy5i/JnaSXbjx6jk
ÞQÚÞ—Ž)NâÿÚ¦¨Žß-†ŸÀ ÷ÑDz-ÖIÅß-°]p$ÉX5æT·PU=u;kæ8}wÁV¦mšç=

16
secrets/phantom-renawiki.age
View file

@ -1,16 +0,0 @@
age-encryption.org/v1
-> ssh-rsa BwwxHg
BUJ9L1bwZ0RWj3FmMghmZDkY4iuc0gujS3Rfat+hj/pg+MALZ69Tovc5RnqmOZT/
pTGPTzWj3WO70YU+wCUHKZ74JcKdL3wSD1FWOWYRvyDV3gxZjDTjw4Grs+sH9M4Z
MrhdoyY95fhmGZHJ7Qkx/aKCAK/OaFSu5Vhh37ykmLd1gQ9NJYQ+G3lLr1Mrqjd/
1QaBqJtJpAFTA0eCd3+oBtQ/qgHD2ZBJcOmkS9sRC6S4YKNoyoDifTbL29aJC4f/
08myI0WH/ApbtN1hWuiVWibmy/9/76IAvgUqi8fULNY5w7Otz3nKGV+mDA5+oD11
jCHZJdcec9JFyZ/V2mh/PoHpNawksNPy85eJ0MpM1avM25Qib8kWJM6fnZb7uJzt
DsYCl2q4ILnTaieuTSJUfgacKbrwSv7MQfgdh1SkXAShyZ7aSCoDhsgSdOVwYoAX
Mspm0NtodeV7493qZwYspO6H0xbfh20vXa1DOeMt98T1iP0aYYhfRXkb0wACx1QF
-> \z/RLj3S-grease cmv( uCkG*= .cX3S 9r^&
OVTVTnB3PjD4COiRCtQ
--- EhfDqxfjLIHF9Sa7V4ytO1xsRK8p23WDsWcB9/B9fRw
.ß=–£))/’ö‰Í¹êÒ‹#´ýLÁƒŒÓ‰Ž—|p
7 ÍñÄKä®7ò²Š@üCJfš:w6Pè•@@/N<>7¿

12
secrets/phantom/default.yaml
View file

@ -10,6 +10,14 @@ example_booleans:
- ENC[AES256_GCM,data:lFEC/S8=,iv:cJWbnmseP/AqJzyORM+VI5y7rK8axVeh7EXoLP7mT/Q=,tag:BaS5HyecokdLCq+LzQxGkg==,type:bool]
forgejo:
smtp_password: ENC[AES256_GCM,data:g/Uqmtp8A9pas5WcslwnGCKSXv7dYSRMA8wKm7DWpvssVRZJ,iv:vNBqdTlZ5mg0AhjMNr8rUts1rDBYmq03tdiceVN3xjs=,tag:M3qfiZEWvJN/XUjjmnAXqA==,type:str]
invidious:
settings.json: ENC[AES256_GCM,data:wzbBnj3qrhw+clHpetEm/FYs+zkMM0kG0JO97E2wPEPaoBZDuOy3BRAbzmwkn4RUEt2hWVN89/A1qweXuuScXt5LSgaQXFXmGQQ2RzXY7K7Pr3uBNol53pnNQI5M6Mi1bif26rdiwznE0QgZCuptadhPcHbCaWB2QrXyYDdTdvQ6Wd+ZueSXPXCjpRnXaqZzTFc5VJf09wqTFahUvVkgjkhgiLVUu218b8xghekJLwJ3bKwmXuXsnmGSQjFry6ttbFPQJawVXWqsiNY7iaE0k1K3NKcTu5Fm2XiriPTKuGM51EXrqaw97ywWN8JEBGxZTk7kcWg2tAf9ddOewYMG,iv:2oDgPdFihZ9O8IkAydL2DtlUtCBUw70u2F2Rn+eW9rs=,tag:zvdZbEdQzbtWgft+i00ufQ==,type:str]
mastodon:
smtp-password: ENC[AES256_GCM,data:ciRTgcCKueSiYerBjWHOD4c9wlpMlcV9jiFaEWFh92vgA6J9,iv:TAaPiMIL8Yfd9k4j9dN40dWqQWAPb+24ngvPC7GTrlE=,tag:+7fGAN7FKiPIWvdsQXGqxg==,type:str]
nextcloud:
default-password: ENC[AES256_GCM,data:mR0KRCheXh6NBVn+odK9Kx0e4njJDuZ6OS37Iw==,iv:PAb/sCt7hq5WKZwr4FMfiMqf7mGvpXQEnZcbzmDz9oI=,tag:ukBDHbFKrStXckzuE1TwJA==,type:str]
writefreely:
password: ENC[AES256_GCM,data:5hzvM8Aitvj4Hb/RgViV1QjsnpQqln0k1nZvEz8Y7vdZvcHo,iv:Wi+pKcGqi09050sitgxt/+hYGF2mlmYC0SDjmqSWPr4=,tag:V0KSBgIV4fgMbxuADVTxrA==,type:str]
sops:
age:
- recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
@ -30,8 +38,8 @@ sops:
RU1HSUhldHpzeURaUWQvcjBCQ3pMY2cKYL87Njs4e68zu5AXKNF/hxiB3HduS8wz
o0kmGI58DZx17+Cdipw0ab9a9wiu9C9Fn+LaiCcdM/ESXtS79RzdbQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-15T06:20:05Z"
mac: ENC[AES256_GCM,data:3S52Sd3qaqHWy5TL8MAq9yOpH7ZYMDUHprJH3JtW1Vs2rNJIm9li7x3RT0mRnct4NYgikyFi9PBghDJsDN/QKxxKfEDm6KWET+okL41/h/KnzJRFqHoG8sxZYnr4NWc1R60A6WdD+xIa6njCwCNLP4hDjHeQuLjhDsvhqSG4dO8=,iv:xsqZB0GaFYN7QhP24Ik602JoBjVnPGEtgKRbIp9a7Pc=,tag:ZfrKyzRn2bd9lY1bvFjZrQ==,type:str]
lastmodified: "2026-02-15T06:46:07Z"
mac: ENC[AES256_GCM,data:lnvq80oOH2pO6AxBbnjNxvz0xcukTFowcxKf24RKFf/ZouRL6uCJEWJwNCoAKCGOHibrztsGHLDL/cgOffv9CTivIYmzbB+9q2MCQNGxrSL7CkWr/mK9xb5Yz1ASvvZxcGB7WmZNVZXvjIr6mdZy50UweHJoit+oDvE03cmG9Bw=,iv:CikhhcnCE9SXpRasZEImUR6vU5cauD4YIplxPYsPo4A=,tag:+QaBv8Nrk40UCYhUskepyw==,type:str]
pgp:
- created_at: "2025-03-07T22:49:19Z"
enc: |-

13
secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age
View file

@ -1,13 +0,0 @@
age-encryption.org/v1
-> ssh-rsa BwwxHg
KCVF4Sy49stOeQs2uunYKkvadqeimmWlJ4ucEJxfXy2z+OkkZpixUnWgJEH2nCa4
NL/F0Wezbqvh+Texl4FlHN8PT2w/d5gdg/L+fI4jBYCvbbiHA4sdUgmXWigY8zrU
5H7Y9mgb1Y174fA6zfTCk2fHmk+KARoV27YrS2fzGoVQiPhnvv8ZT51eF1E+Zs4I
+YtXehxEOqYljJKYJJnF9ElzfNa8nypACGtcjTE8eEq0DlZu2U7qV+QWwQudHbcs
MbFR2VtkHWQaNdK1vVBGND1CMlfshSCqbUzGcexownMiCVSal1RKA2uAWnYdOEc/
QSR8cKn8QQ5dyPFCqZ8RnlCMUegCVLg5cC0/rlTUD0C/Ti2SRBYTH3HvJjmSNk8k
3LdcNwK4YtG4d1gkqLVjwCM1Yg8I/UICb5nQYclvBz5VQ2drvL/gU/+Vc7Z5KUFI
0G/7uNmeJ16Eky+X9c73ZZxVqm0TzDENE2GzkPhBHEfXBR+4j6m8KKEWxQmA2ZSg
--- Oq9wU0h90iU/8g1XTNI+LuAg7t09hngj9DCK91V1+pg
χvõP·Êì}ÓN,×ÿWl ?y0)eVw‰©Aði±ýê•Å<E280A2>Sm¥œ¼¸à‡ì>‰ð°ÑD“ÂQž¦C-ùëB†Ôáôôø0ŽúVµ|÷=ŽXÊ6©ë ¢œW<E280B9>>ãÒì~·-qIÞ%

5
secrets/secrets.nix
View file

@ -2,9 +2,4 @@ let
main_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15";
in
{
"phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ];
"phantom-writefreely.age".publicKeys = [ main_ssh_public_key ];
"phantom-renawiki.age".publicKeys = [ main_ssh_public_key ];
"phantom-mastodon-mailer-password.age".publicKeys = [ main_ssh_public_key ];
"phantom-invidious-settings.age".publicKeys = [ main_ssh_public_key ];
}