From 36822ce0138330b912b62eb6558dbce161afd810 Mon Sep 17 00:00:00 2001
From: Katharina Heidenreich
Date: Sat, 4 Apr 2026 17:06:07 +0200
Subject: [PATCH] ref: cleanup
---
 .sops.yaml | 1 -
 config/services.nix | 3 ---
 config/web.nix | 2 --
 secrets/README.md | 56 --------------------------------------------
 services/README.md | 13 ----------
 5 files changed, 75 deletions(-)
 delete mode 100644 secrets/README.md
 delete mode 100644 services/README.md
diff --git a/.sops.yaml b/.sops.yaml
index 6c4e757..8a35d8a 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,5 @@ creation_rules:
 - path_regex: ^secrets/.*(?:$|\.(ya?ml|json|env|txt|key|pub))$
 key_groups:
 - age:
- # Replace these placeholders with your real recipients.
 - age1g5q3hwnpgsas682jkq0zmee3zqggucfe0v5ec0a6pv7wzexadehqne66cj
 - age1qmnmge7atpg5k0zdaky0tuux2rgtehxfhtnshcjpyl0n2hx2udhqe62wyj
\ No newline at end of file
diff --git a/config/services.nix b/config/services.nix
index 57afc0b..ae13d08 100644
--- a/config/services.nix
+++ b/config/services.nix
@@ -1,6 +1,3 @@
-# Config-backed service registry.
-# NOTE: VPN credentials are temporarily stored here and will be moved
-# to the dedicated secret system in a later migration step.
 let
 storage_data = import ../config/storage.nix;
 secrets = import ../intermediate/secrets.nix;
diff --git a/config/web.nix b/config/web.nix
index f001d65..8914df2 100644
--- a/config/web.nix
+++ b/config/web.nix
@@ -1,5 +1,3 @@
-# Declarative web store config.
-# Keep only root declarations here; parsing/loading happens in intermediate/web.nix.
 rec {
 stores = {
 home = {
diff --git a/secrets/README.md b/secrets/README.md
deleted file mode 100644
index b3f53df..0000000
--- a/secrets/README.md
+++ /dev/null
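Review bot: The two age recipients remain as unchanged context lines while the only change in this hunk is dropping the "Replace these placeholders with your real recipients" note, so the hunk by itself cannot show whether those keys were ever replaced; if they are still the template keys, every file under secrets/ encrypted under this rule is readable by whoever holds the template's private keys. Confirm both recipients are keys you control before relying on this rule, and keep a one-line owner comment per recipient so the next reader does not have to dig through git history, e.g. `# <owner or host of this key>` above each `- age1…` entry. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being touched.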
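Review bot: The removed NOTE in config/services.nix was the only in-file record that VPN credentials were temporarily kept in this config, and nothing in the hunk shows that they have actually been moved out; the diffstat lists only these three comment lines as the file's deletions, so the rest of the file is unchanged by this commit. The `secrets = import ../intermediate/secrets.nix;` context line suggests the migration may already be done, but that is an inference from one line. Before the note is dropped, confirm that no plaintext VPN username or password literal remains in this file, and if one was ever committed, treat it as exposed and rotate it rather than only deleting it. The let-block continues outside the hunk.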
@@ -1,56 +0,0 @@
-# Encrypted Secrets
-
-This directory is intended for encrypted secret files managed with sops.
-
-Phase 1 notes:
-- Keep encrypted files in git under `secrets/`.
-- Do not commit plaintext secret material.
-- Update `.sops.yaml` recipients before creating real secrets.
-
-Typical next step:
-1. Set real age recipients in `.sops.yaml`.
-2. Fill the template YAML files with real secret values.
-3. Encrypt them in place using `sops`.
-
-## Phase 3 expected file
-
-Create these encrypted files:
-
-- `secrets/autossh/remote_proxy_key`
-- `secrets/autossh/remote_proxy_known_hosts`
-- `secrets/openssh/authorized_keys`
-
-Expected YAML keys:
-
-- `qbittorrent.vpn.username`
-- `qbittorrent.vpn.password`
-
-These are materialized at runtime to:
-
-- `/run/secrets/autossh/remote_proxy_key`
-- `/run/secrets/autossh/remote_proxy_known_hosts`
-- `/run/secrets/openssh_authorized_keys`
-
-File secrets are stored as encrypted whole files, so the decrypted runtime content is exactly the file body. That is the right choice for bigger files like SSH private keys and known_hosts files.
-
-`config/secrets.nix` is the source of truth for the tree, and `config/sops.nix` is derived from it.
-
-## How to encrypt them
-
-Fill in the placeholders, then run:
-
-```bash
-sops -e -i secrets/autossh/remote_proxy_key
-sops -e -i secrets/autossh/remote_proxy_known_hosts
-sops -e -i secrets/openssh/authorized_keys
-```
-
-For scalar secrets such as `secrets/qbittorrent/vpn.yaml`, use the same command and keep the YAML structure.
-
-## Template files to fill
-
-- `secrets/autossh/remote_proxy.yaml`
-- `secrets/qbittorrent/vpn.yaml`
-- `secrets/openssh/authorized_keys.yaml`
-
-After editing, encrypt each file in place with `sops -e -i `.
\ No newline at end of file
diff --git a/services/README.md b/services/README.md
deleted file mode 100644
index 88e8873..0000000
--- a/services/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Services
-
-## List
-- DHCP
- - Kea
-- DNS
- - unbound
-- Reverse Proxy
- - nginx
-- Torrent
- - qbittorrent
-- Wiki
- - kiwix