ref: cleanup

Katharina Heidenreich 2026-04-04 17:06:07 +02:00
parent ed0db330f1
commit 36822ce013
5 changed files with 0 additions and 75 deletions

View file

@ -2,6 +2,5 @@ creation_rules:
- path_regex: ^secrets/.*(?:$|\.(ya?ml|json|env|txt|key|pub))$
key_groups:
- age:
# Replace these placeholders with your real recipients.
- age1g5q3hwnpgsas682jkq0zmee3zqggucfe0v5ec0a6pv7wzexadehqne66cj
- age1qmnmge7atpg5k0zdaky0tuux2rgtehxfhtnshcjpyl0n2hx2udhqe62wyj
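Review bot: this hunk drops one line from the `age:` recipient block but leaves `# Replace these placeholders with your real recipients.` in place, so a reader cannot tell whether the two remaining `age1...` keys are the real recipients or still placeholders; either update that comment or keep the README instruction ("Update `.sops.yaml` recipients before creating real secrets") that this same commit deletes. If the removed line was a recipient, note that files already encrypted to it stay decryptable by that key until they are re-encrypted (`sops updatekeys`), so the change should be paired with a re-encryption step rather than landing alone in a "cleanup" commit.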

View file

@ -1,6 +1,3 @@
# Config-backed service registry.
# NOTE: VPN credentials are temporarily stored here and will be moved
# to the dedicated secret system in a later migration step.
let
storage_data = import ../config/storage.nix;
secrets = import ../intermediate/secrets.nix;
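Review bot: the surviving `# NOTE: VPN credentials are temporarily stored here and will be moved to the dedicated secret system` comment contradicts the rest of this commit: `secrets` is now imported from `../intermediate/secrets.nix`, and the README deleted below lists `qbittorrent.vpn.username` / `qbittorrent.vpn.password` as sops-managed keys. If the credentials have moved, drop the stale NOTE; if they have not, this file still carries plaintext credentials, and any string from it that is interpolated into a generated unit or config file ends up in the world-readable `/nix/store`, which should be called out explicitly rather than tidied past.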

View file

@ -1,5 +1,3 @@
# Declarative web store config.
# Keep only root declarations here; parsing/loading happens in intermediate/web.nix.
rec {
stores = {
home = {

View file

@ -1,56 +0,0 @@
# Encrypted Secrets
This directory is intended for encrypted secret files managed with sops.
Phase 1 notes:
- Keep encrypted files in git under `secrets/`.
- Do not commit plaintext secret material.
- Update `.sops.yaml` recipients before creating real secrets.
Typical next step:
1. Set real age recipients in `.sops.yaml`.
2. Fill the template YAML files with real secret values.
3. Encrypt them in place using `sops`.
## Phase 3 expected file
Create these encrypted files:
- `secrets/autossh/remote_proxy_key`
- `secrets/autossh/remote_proxy_known_hosts`
- `secrets/openssh/authorized_keys`
Expected YAML keys:
- `qbittorrent.vpn.username`
- `qbittorrent.vpn.password`
These are materialized at runtime to:
- `/run/secrets/autossh/remote_proxy_key`
- `/run/secrets/autossh/remote_proxy_known_hosts`
- `/run/secrets/openssh_authorized_keys`
File secrets are stored as encrypted whole files, so the decrypted runtime content is exactly the file body. That is the right choice for bigger files like SSH private keys and known_hosts files.
`config/secrets.nix` is the source of truth for the tree, and `config/sops.nix` is derived from it.
## How to encrypt them
Fill in the placeholders, then run:
```bash
sops -e -i secrets/autossh/remote_proxy_key
sops -e -i secrets/autossh/remote_proxy_known_hosts
sops -e -i secrets/openssh/authorized_keys
```
For scalar secrets such as `secrets/qbittorrent/vpn.yaml`, use the same command and keep the YAML structure.
## Template files to fill
- `secrets/autossh/remote_proxy.yaml`
- `secrets/qbittorrent/vpn.yaml`
- `secrets/openssh/authorized_keys.yaml`
After editing, encrypt each file in place with `sops -e -i <file>`.
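Review bot: deleting this README removes the only documentation of the runtime mapping (`secrets/...` files materialized at `/run/secrets/...`), of the `sops -e -i <file>` encryption workflow, and of the statement that `config/secrets.nix` is the source of truth with `config/sops.nix` derived from it. If the text is stale, the replacement should land in the same commit (for example as header comments in `config/secrets.nix`); otherwise the next person touching `secrets/` has no record that plaintext must never be committed. The removed text was also internally inconsistent, which may be the motivation: `secrets/openssh/authorized_keys` is listed both as a whole-file secret and as a YAML template (`secrets/openssh/authorized_keys.yaml`), and it materializes as `/run/secrets/openssh_authorized_keys` while the other two keep their directory layout under `/run/secrets/autossh/`. Fixing those three lines is a smaller change than dropping the document.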

View file

@ -1,13 +0,0 @@
# Services
## List
- DHCP
- Kea
- DNS
- unbound
- Reverse Proxy
- nginx
- Torrent
- qbittorrent
- Wiki
- kiwix
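Review bot: this removes the service inventory (DHCP/Kea, DNS/unbound, reverse proxy/nginx, torrent/qbittorrent, wiki/kiwix) with no replacement anywhere in the diff. If the list is superseded by the `# Config-backed service registry.` file in the second hunk, the commit message should say so; otherwise keep it, since a one-screen inventory of exposed services is useful when reviewing what the secrets in `secrets/` actually protect.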