From 903041b6e1efa16b0a0666870754ff73330c3c97 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 12 Dec 2020 16:50:25 +0100
Subject: [PATCH] Use pass for secrets management

Fixes #4
---
 lib/krops.nix | 4 ++++
 machines/nunotaba/krops.nix | 2 +-
 machines/nunotaba/secrets/wg-home_private_key | Bin 67 -> 0 bytes
 machines/sayuri/hardware-configuration.nix | 2 +-
 machines/sayuri/secrets/data_luks_key | Bin 4118 -> 0 bytes
 machines/sayuri/secrets/wg-home_private_key | Bin 67 -> 0 bytes
 modules/restic.nix | 4 ++--
 modules/wireguard/home.nix | 2 +-
 secrets/restic_password | Bin 71 -> 0 bytes
 secrets/s3_credentials | Bin 124 -> 0 bytes
 10 files changed, 9 insertions(+), 5 deletions(-)
 delete mode 100644 machines/nunotaba/secrets/wg-home_private_key
 delete mode 100644 machines/sayuri/secrets/data_luks_key
 delete mode 100644 machines/sayuri/secrets/wg-home_private_key
 delete mode 100644 secrets/restic_password
 delete mode 100644 secrets/s3_credentials

diff --git a/lib/krops.nix b/lib/krops.nix
index ff301c2..ab4ed97 100644
--- a/lib/krops.nix
+++ b/lib/krops.nix
@@ -17,6 +17,10 @@ let
 };
 config.file = toString ../.;
 nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
+ secrets.pass = {
+ dir = toString ~/.password-store;
+ name = "nixos/machines/${hostname}";
+ };
 } // extraSources)
 ];
 in
diff --git a/machines/nunotaba/krops.nix b/machines/nunotaba/krops.nix
index 3e5a158..8ea98a9 100644
--- a/machines/nunotaba/krops.nix
+++ b/machines/nunotaba/krops.nix
@@ -1,3 +1,3 @@
-import ../../lib/krops.nix {
+import ../../lib/krops.nix rec {
 hostname = "nunotaba";
 }
diff --git a/machines/nunotaba/secrets/wg-home_private_key b/machines/nunotaba/secrets/wg-home_private_key
deleted file mode 100644
index e0d4ee0d1ab34b7b611f3a25147d4a86902d7a05..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 67
zcmV-J0KESIM@dveQdv+`0O5U|hVdFfAai8pRRx8>1`8b&qy6#hG$t; }; }; };
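Review bot: `dir = toString ~/.password-store;` hard-codes the store location and ignores `PASSWORD_STORE_DIR`, which pass itself honours, so a user with a relocated store gets a missing-secret failure at deploy time instead of the store they actually use; `dir = let d = builtins.getEnv "PASSWORD_STORE_DIR"; in if d != "" then d else toString ~/.password-store;` keeps the same default while following the pass convention. A comment above the block naming the expected layout, `# secrets come from pass under nixos/machines/<hostname>/<name> and are deployed as the "secrets" source (as I read krops), which the <secrets/…> lookups in modules/restic.nix and modules/wireguard/home.nix depend on`, would also help, because evaluating those modules without this source fails at eval time. Separately, the diffstat shows the old secret files (two WireGuard private keys, a LUKS key, the restic password and S3 credentials) being deleted from the tree; they remain in git history, so unless they were encrypted at rest (the blob sizes are consistent with that, but I cannot tell from here) the values should be rotated rather than only moved into pass. The `let` binding that encloses this hunk starts before it.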
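Review bot: `rec` in `import ../../lib/krops.nix rec {` does nothing here, because the set's only attribute, `hostname`, is not referenced by any other attribute, so `import ../../lib/krops.nix {` is sufficient. If the intent is to let a later `extraSources` attribute interpolate `${hostname}`, that is worth a short comment so the next reader does not remove it; I cannot see whether the sayuri krops.nix was changed the same way.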
diff --git a/machines/sayuri/secrets/data_luks_key b/machines/sayuri/secrets/data_luks_key deleted file mode 100644 index cac47d4ea98567ba7db3b76a445bd2ffbf8a11bb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4118 zcmV+x5b5s#M@dveQdv+`0N=o?S@nASE_09Pn+OOZ{!v|v89#WC;4JF&;bv}z;dL*H ztO{teT=R^OBsU3<_44{7Vc2}`>H13OiOMyo&-ZqWkCqqgL4$UQmJ%OQ+er2e>n^}= zY$uz_Apy5zVzfU_{x!^vbT~3bE}16j?^nUI3Zz~JI|;jfMRO)WZ=*qpm*uH6VB_&) z&hFZlt_L_}fB3F`YTr!`(0*(^*f91MsZaHoP*q9wi*ihf)T1-MX|l69QR}XMe$%_e0QVyX+q@s8lo>q#Sg}(C70m)^yTn zHZk`kPm<4VtjUouD#v4*>q`$~f~L~kuRemDZ5Hx9v;^t~Np_9gv{p@Bqf=args4tR zyU9Xwu&AeP>&Rkcd@xUj4`!a`f4R|nS_7w1B6Cbg=Tk78D@;80VvA2yHI(VMK1pR+i#!A$7W*=d~-k{Y5X^; z^tpY}g zAmSPHxf7jR?Gf>pgzw41E z_U7k3s-qUg{3!rrPI%r*$I#U$dYlPz~ORuR-In;x3Rz7O(~A zkGg(6*+IXkfMktLeBY2qV9;@v|I%y>lyt%)ut?8_3GMfB0Gkc@WHv?6Yp+qCZVO3v zf3fz-&CIetG?9K&(Y+vJ?EF_G1=SL?6b>Ag)!bd#SciO3Lp%6aAl9A8))*DW7pjR> zC%+~VF_o&ghky;WJvPrA?}(b5I zoe-FdeVl?QH1~2*aO$p_@EJrTAT~?-7nmqr0;3wok7{zzMd)x2ns@veqA)v#9;6VYsnEAI zY#CUhb%J7tP4l=ajm%zRkq$l;@^hQd5-NFrxZ&w5BEn&$Ey$cKt9YR>x)de@&P7AM zHX=fuY1V8n(yThyNNe580Lc!1@kp*6dlXe)qroy@ve|aL$xnEE#Q<%jeH);%3YnnJ zu3Q!3hcRG_DE0&goKic8*r4bUa4ZOs`w0NulP!6zZGW-SE20&f=An;4>aQgaAA1j@ zjLOlI;~~KAIvg^9JThyNmfIvzw)5a1C5fqEm;<8f-u6v|sdW9qF;&x&Z+lY_=v ze$xLQ*s@a6t=}mqaw`n(^Qf(RSy7!$h=FTBacUxwF&i{gqS#U2JZS)hU;d0q8u|6SH$w;U`O{+Woc5N7$p;VJgtAr;d<^` zkTsNhmcfCKo4RJAmH><2J1}Q9F>2g_G*-Q16s$54OJiviuY(Ew)qgc%(SzgNnduCu z3FHHouQtrIyJVcXzrZ&5TRCihswzJLryF!y=2#b_XlsgoX%e^l>$SXcwg+{{Lral@ zR(JeMXm+27FmMn4&W1DS5&af!LE;j7$sSUO#}h`qnTe!+yCCJF;S=iM%VOa@dn9Vo z)CehA6cuoNGn5~Gu&dyglpxHDia0kS!ck~&4%jD2a+dWCoLTPBiIzW0m#EaVCp8`z z913YAv^%ZlAb0!evqTxG+9Xk7q2Tl_Ci~C0o_*_~T)(iWmHSIT9BSVxy&$5b+O7iO zbEX(E!31d*!JJ#v`6&2t$Dp6<(k8L9Oh$wsKS&Tu=hE zvIr`0z(yiU7R12_O|XM&Gd*m9<5>iBE-&{=QI&Jn*BC zaML_VI}g_wo?W+3Qu`~Yi+ibjyxxL4o+e?JRK)vg)g1INR_GggL>Z$+$IGO$Stwh& z5OwP<;p2Rx;5Csh?}0&2VBG-B!#mQ3kjge%iOna2l(zRL{Bh9O5ovO?;W#-ha#3*A 
zrx?P>B~bIO5NGPX)0-r`8smQe>;?ucob<#PsC4yZPr1xnW@O9Z8iMq-;77b72RRlf zU4;=59sGV)4`VI`M(h!Bkh)?J!6e?O9_3vo&X-OWKX2FO0$s08Eilwh=`sU|fs`jp z{j_=5BRu9mF7VJyR6AwyeNRj(}qV)pkKhDcXx8Z>B-?r=F4mEyA*Sz*N9wc?a` zi%yY*BX!GYL$Q)SjLa}6GnY^OW}3Izo#7D<+Q5WHfcrhA4w{5{OgAbj`!W4UD|2o_ z_TidNq8K^2cP@a(IHD&j4o#cQPMh0OAYncuHLz9 zY$~~oDu8XKk5l9lhLJ!G7nARs4|v)@#`r&i;;EdyF}*H1UX-4;Kt|f~+#c1l_6u(i zm2U7XQ&8&~HiM%`Be|J@EBEcdi5udnH(npM3i7 zlap$a0sPUm5|Hpms5x2>Ul{ta`xx%XRd-j8HC(<5#yng@2&X#`oKgaFkF~2L5+@nQ zwDu?>jp?kVSr7t>8Gfy+yf4nV)XA;RCuD$!u140kx~--?X~C1w(|T+P#6L)3N76qGesB{0#wN7?;{Ub<15lN$(b4R0rABOR34h1mip|c$eXA# zevc^0&MR=5_LYYAHUps>x%@a|;MPIs>@vC97Z?(@HR430f8~|6hzG&vgFI7BI@RT? z0BZVuAfLgAyCQje=@7+>Ak^bc<}-{oXEsuzvBI#nHniGPp`uiDybR6h`w|Lh*}&7q!@B_Vi)}ke+Yv(BsS%I5-x|MpWx%Sj z0cUpMI66Q0DpdS7U=>eDc4C!s{L?VJc@ECCD4IQ()AqHaBnKElq8 zU#?OWL=SVI8Q<(uEW%^0Ua|6AS6gIk^PSVp@Rve&<}Z`_dD(K6r3@l^8wd2U+YvFs zi}kcxWdnMF3_$~k_V#jDDhWne5u_5Mm~TJ$WD|LO*>Ql0BMC}16lvmj<7G+>MT6ML z5FLWC2jMK2a;pCs{YP<(LH3U%7igWgd?U-MXy0kmqaaf1COT{HAUwg;C(OrF20(T0 zcYRE=Ffj+Lhjn)OevYa;dpT#e!N z0_#b8F#jGi8$6`~VTLRo_}i{iNpL;c3flNy2$ce^Xp?K+&;olgJ*~Qk8IDu3 zU|2eLc&B#9c;}gjJZ6eN!Q${qO0$z-thXC!9q%GXn3AEnzJNX9zKsaQl}IsFgD6nl z88Y)QLJmvDyipth;v>n_8nLVOQijKal_Mm$5EmrRWH~=DN5h;-uKOG5roLligB@K6 zOVzv2VCy0V%yTy$g*$<>lK)a8@5W8D&T0L8iN4O`)|J z;~_)(J?>8j@grX5gB)VLJ~C+YBZNg2yg~a{X=&#%g1Oyf@kmAeb{jphFPD0N#CC8b zajHGJ<*R<<^rDVDESO1#VnhT~P{hLryI-zmUaEKJK{v*i89A7TIi diff --git a/modules/restic.nix b/modules/restic.nix index 44c9b12..65eeea7 100644 --- a/modules/restic.nix +++ b/modules/restic.nix @@ -69,8 +69,8 @@ in config = lib.mkIf cfg.enable { services.restic.backups."${name}" = { - passwordFile = toString (../secrets/restic_password); - s3CredentialsFile = toString ../secrets/s3_credentials; + passwordFile = toString ; + s3CredentialsFile = toString ; repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic"; paths = lib.mkDefault ( [ ] diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix index 194d4b6..6eb3b69 100644 
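Review bot: The right-hand sides of `passwordFile = toString ;` and `s3CredentialsFile = toString ;` appear to have been lost in this rendering of the patch (`toString ;` is not valid Nix), presumably angle-bracket `<secrets/…>` search-path lookups, and the same applies to `default = toString ;` in the modules/wireguard/home.nix hunk. Assuming that is the case, these values are now resolved through the NIX_PATH entry that the krops `secrets` source provides, so evaluating this module outside a krops deploy fails with a generic "not found in the Nix search path" error that does not say where the entry is supposed to come from; a comment such as `# resolved via the "secrets" NIX_PATH entry that lib/krops.nix populates from pass (nixos/machines/<hostname>/…)` would make that dependency explicit. It is also worth confirming that the deployed secrets directory on the target is readable by root only, since the S3 credentials file grants write access to the backup bucket named in `repository`. The `config = lib.mkIf cfg.enable {` set continues past the end of this hunk.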
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@@ -14,7 +14,7 @@ in
 privateKeyFile = lib.mkOption {
 type = lib.types.str;
 description = "Private key file";
- default = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
+ default = toString ;
 };
 };
 };
diff --git a/secrets/restic_password b/secrets/restic_password
deleted file mode 100644
index a565a3025b656758af3dd602859c37349f3f301b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 71
zcmV-N0J#4EM@dveQdv+`09(E5tI~pzpJ+ClA>#4d_$v5q4b_kQih%;A?!D7l(1x!k d-Wg0a=><61Qt e@VS)ekk(TBh7xvwxOnYIfsST<>7$kS7PdMXAUH(;
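Review bot: The option's `description = "Private key file";` was not updated when its default changed from a repository-relative path to a search-path lookup, so a reader of the option docs cannot tell where the default key now comes from; `description = "Private key file (defaults to the wg-home_private_key secret that krops deploys from pass)";` would close that gap. The retained `toString` is doing real work on the new line and deserves a why-comment, `# toString: keep this a plain path string so the key is never copied into the world-readable Nix store`, because a bare path value here would be imported into the store when the configuration is built. The right-hand side of `default = toString ;` appears to have been lost in this rendering of the patch, so I am reading it as a `<secrets/…>` lookup; the enclosing `options` set starts before this hunk.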