Use pass for secrets management

Fixes #4
Simon Bruder 2020-12-12 16:50:25 +01:00
parent 0c5143e216
commit 903041b6e1
No known key found for this signature in database
GPG key ID: 6F03E0000CC5B62F
10 changed files with 9 additions and 5 deletions


@ -17,6 +17,10 @@ let
}; };
config.file = toString ../.; config.file = toString ../.;
nixos-config.symlink = "config/machines/${hostname}/configuration.nix"; nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
secrets.pass = {
dir = toString ~/.password-store;
name = "nixos/machines/${hostname}";
};
} // extraSources) } // extraSources)
]; ];
in in
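Review bot: `dir = toString ~/.password-store;` hard-codes the default store location, so an operator whose store lives elsewhere (`PASSWORD_STORE_DIR`) gets a populate-time failure rather than the intended store; since the `~` path literal already makes this evaluation impure, honouring the variable costs nothing: `dir = let d = builtins.getEnv "PASSWORD_STORE_DIR"; in if d != "" then d else toString ~/.password-store;`. The `name` attribute also deserves a comment stating the contract the other files rely on, e.g. `# every pass entry below nixos/machines/<host>/ becomes <secrets/<entry>> on the target; which GPG keys may decrypt it is governed by that subtree's .gpg-id`. The enclosing `let` starts before the hunk.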


@ -1,3 +1,3 @@
import ../../lib/krops.nix { import ../../lib/krops.nix rec {
hostname = "nunotaba"; hostname = "nunotaba";
} }
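Review bot: `rec` has no effect on this set — it has a single attribute and nothing in it refers to `hostname` — so the keyword only adds the usual `rec` hazards (shadowing, accidental infinite recursion) without buying anything. If it was added so that entries appended later (an `extraSources` value, say) can refer to `hostname`, a short comment saying so would help the next reader; otherwise revert to `import ../../lib/krops.nix {`.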


@ -40,7 +40,7 @@
label = "data"; label = "data";
enable = true; enable = true;
blkDev = "/dev/disk/by-uuid/576088d4-9aae-4159-a028-feadb2621a1a"; blkDev = "/dev/disk/by-uuid/576088d4-9aae-4159-a028-feadb2621a1a";
keyFile = "/mnt-root" + toString ./secrets/data_luks_key; keyFile = "/mnt-root" + toString <secrets/luks-data>;
}; };
}; };
}; };
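Review bot: `<secrets/luks-data>` resolves through `NIX_PATH` to wherever krops deposits the `secrets` source on the target (presumably `/var/src/secrets`), so the LUKS key is now a plain file on the root filesystem that stage 1 reads via `/mnt-root`; `toString` keeps it out of the world-readable Nix store, but says nothing about the on-disk mode, so confirm the populated directory and file are readable only by root. The previous key file `./secrets/data_luks_key` is deleted from the tree here but remains in git history; if this repository was ever pushed anywhere shared, the key should be rotated with `cryptsetup luksChangeKey` rather than merely relocated. A one-line comment above `keyFile` recording both points would save the next reader the same investigation. The enclosing attribute set starts and ends outside the hunk.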


@ -69,8 +69,8 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.restic.backups."${name}" = { services.restic.backups."${name}" = {
passwordFile = toString (../secrets/restic_password); passwordFile = toString <secrets/restic-password>;
s3CredentialsFile = toString ../secrets/s3_credentials; s3CredentialsFile = toString <secrets/restic-s3>;
repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic"; repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic";
paths = lib.mkDefault ( paths = lib.mkDefault (
[ ] [ ]
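Review bot: The relocated `restic_password` and `s3_credentials` files are removed from the tree but stay recoverable from history, and the S3 keys are the more damaging of the two to leak; the restic repository password and the Wasabi access keys should be regenerated as part of this change, not just moved into pass. Whether the repository was ever public cannot be seen from here, so treat that as a question for the author. A comment above `passwordFile` would also make the provisioning contract explicit: `# both files are provisioned by krops from pass (nixos/machines/<host>/restic-password, restic-s3); toString keeps them out of the Nix store`. The enclosing `config = lib.mkIf cfg.enable` block continues beyond the hunk.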


@ -14,7 +14,7 @@ in
privateKeyFile = lib.mkOption { privateKeyFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Private key file"; description = "Private key file";
default = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key); default = toString <secrets/wg-home-private-key>;
}; };
}; };
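Review bot: The option description `"Private key file"` no longer explains where the default comes from: `<secrets/wg-home-private-key>` is a search-path lookup that, as far as can be seen here, expects krops to have populated the `secrets` entry on the target before evaluation, and the lookup fails at evaluation time if the file is absent. Suggested wording: `description = "Path to the WireGuard private key on the target host. Defaults to the krops-provisioned <secrets/wg-home-private-key>, which must exist at evaluation time and be readable only by root.";`. The surrounding `options` set starts and ends outside the hunk.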
}; };

