Use pass for secrets management

Fixes #4
This commit is contained in:
Simon Bruder 2020-12-12 16:50:25 +01:00
parent 0c5143e216
commit 903041b6e1
No known key found for this signature in database
GPG key ID: 6F03E0000CC5B62F
10 changed files with 9 additions and 5 deletions


@ -17,6 +17,10 @@ let
};
config.file = toString ../.;
nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
secrets.pass = {
dir = toString ~/.password-store;
name = "nixos/machines/${hostname}";
};
} // extraSources)
];
in
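Review bot: `dir = toString ~/.password-store` hard-codes the store location and ignores `PASSWORD_STORE_DIR`, which pass itself honours, so a deployer whose store lives elsewhere silently gets the default path rather than an error; `~` is also expanded from `$HOME` of whoever evaluates the expression, which is fine for a single-user deploy host but worth stating. A one-line fallback keeps the default while respecting the variable: `dir = let d = builtins.getEnv "PASSWORD_STORE_DIR"; in if d == "" then toString ~/.password-store else d;`. The source also deserves a comment tying it to the rest of the commit, e.g. `# entries under nixos/machines/<hostname>/ in the pass store become <secrets/...> on the target (decrypted on the deploying machine — confirm krops never stages them in /nix/store)`. The enclosing `let` starts before this hunk.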


@ -1,3 +1,3 @@
import ../../lib/krops.nix {
import ../../lib/krops.nix rec {
hostname = "nunotaba";
}
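Review bot: `rec` has no effect on this set as shown — its only attribute is `hostname` and nothing inside the braces refers to it, and the `${hostname}` uses in lib/krops.nix come from that function's parameter, not from this set. Either drop it (`import ../../lib/krops.nix {`) or, if the intent is that a future `extraSources` attribute here can refer to `hostname`, say so in a comment, since as written the keyword advertises a self-reference that does not exist.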


@ -40,7 +40,7 @@
label = "data";
enable = true;
blkDev = "/dev/disk/by-uuid/576088d4-9aae-4159-a028-feadb2621a1a";
keyFile = "/mnt-root" + toString ./secrets/data_luks_key;
keyFile = "/mnt-root" + toString <secrets/luks-data>;
};
};
};
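Review bot: The new `keyFile` line is correct only because it uses `toString` on the `<secrets/luks-data>` path — interpolating it as `"${<secrets/luks-data>}"` (a natural-looking refactor) would copy the LUKS key into the world-readable /nix/store, and nothing in the hunk warns the next editor. Pin that with a comment above the line: `# toString, not "${...}": string interpolation of a path copies the LUKS key into /nix/store`. The "/mnt-root" prefix suggests stage-1 reads the key from the already-mounted root; I cannot see from here what permissions the deployed secrets directory carries, so that should be confirmed to be root-only. The enclosing device set starts and ends outside this hunk.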


@ -69,8 +69,8 @@ in
config = lib.mkIf cfg.enable {
services.restic.backups."${name}" = {
passwordFile = toString (../secrets/restic_password);
s3CredentialsFile = toString ../secrets/s3_credentials;
passwordFile = toString <secrets/restic-password>;
s3CredentialsFile = toString <secrets/restic-s3>;
repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic";
paths = lib.mkDefault (
[ ]
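Review bot: `passwordFile` and `s3CredentialsFile` are set unconditionally while `paths` two lines below uses `lib.mkDefault`, so a machine that needs a different repository password or credentials file cannot override these without a priority conflict; wrap them the same way: `passwordFile = lib.mkDefault (toString <secrets/restic-password>);` and `s3CredentialsFile = lib.mkDefault (toString <secrets/restic-s3>);`. Note also that `<secrets/...>` only resolves when `secrets` is on NIX_PATH, so evaluating this module outside the krops deploy (plain `nixos-rebuild`, `nix-instantiate`) now fails at evaluation time; a short comment on the first of these lines saying the paths come from the krops `secrets` source would save the next person that surprise. The enclosing `config` set continues past this hunk.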


@ -14,7 +14,7 @@ in
privateKeyFile = lib.mkOption {
type = lib.types.str;
description = "Private key file";
default = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
default = toString <secrets/wg-home-private-key>;
};
};
};
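Review bot: An option `default` of `toString <secrets/wg-home-private-key>` is evaluated whenever the option is rendered or introspected (option docs, `nixos-option`), not just when the module is enabled, so those fail wherever `secrets` is not on NIX_PATH; add `defaultText = "toString <secrets/wg-home-private-key>";` next to `default` so the literal is shown instead of evaluated. The `description = "Private key file"` is also too thin for a secret-bearing option — I would extend it to say the file must live outside the Nix store, be readable only by root, and that the default is supplied by the krops `secrets` source. The enclosing module continues past this hunk.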

Binary file not shown.

Binary file not shown.