chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity
nixfiles/hosts/vault/secrets.nix

65 lines
2.9 KiB
Nix
Raw Normal View History

secrets
2022-11-02 10:24:47 +00:00
{ pkgs, ... }:
let secrets-db = (import ./secrets-db.nix { });
in {
beep
2022-11-02 11:32:03 +00:00
systemd.tmpfiles.rules = [ "d /secrets - root root" ];
secrets
2022-11-02 10:24:47 +00:00
environment.systemPackages = [
(pkgs.writeShellScriptBin "init-secrets" ''
beep
2022-11-02 11:32:03 +00:00
set -e -o pipefail
secrets
2022-11-02 10:24:47 +00:00
beep
2022-11-02 11:32:03 +00:00
VAULT_ADDR_DEFAULT="https://vault.owo.monster"
secrets
2022-11-02 10:24:47 +00:00
[ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
export PATH=$PATH:${pkgs.vault}/bin
export PATH=$PATH:${pkgs.jq}/bin
kv_get() {
vault kv get -format json $1
}
simple_get() {
kv_get $1 | jq .data.data$2 -r
}
simple_get "/private-public-keys/restic/Vault" .password > /secrets/restic_password
chown ${secrets-db.restic_password.user}:${secrets-db.restic_password.group} /secrets/restic_password
chmod ${secrets-db.restic_password.permissions} /secrets/restic_password
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Vault" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env
chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env
chmod ${secrets-db.restic_env.permissions} /secrets/restic_env
initial work on wireguard mess
2022-11-11 20:53:17 +00:00
file=${secrets-db.wg_priv.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $file
chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
chmod ${secrets-db.wg_priv.permissions} $file
file=${secrets-db.wg_preshared_hetzner-vm.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $file
chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
file=${secrets-db.wg_preshared_tablet.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $file
chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file
chmod ${secrets-db.wg_preshared_tablet.permissions} $file
more wg
2022-11-11 21:17:57 +00:00
file=${secrets-db.wg_preshared_storage.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $file
chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
chmod ${secrets-db.wg_preshared_storage.permissions} $file
updates & more wireguard & per-hostname keys
2022-11-12 13:01:43 +00:00
file=${secrets-db.wg_preshared_iphone8.path}
echo $file
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $file
chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file
chmod ${secrets-db.wg_preshared_iphone8.permissions} $file
secrets
2022-11-02 10:24:47 +00:00
'')
];
}
Reference in a new issue Copy permalink