Squash merge sops-nix into main

system/dev/dn-server/networking.nix

@@ -1,5 +1,4 @@
-{ config, pkgs, ... }:
-
+{ ... }:
 {
   networking = {
     networkmanager.enable = true;

system/dev/dn-server/nextcloud.nix

@@ -64,7 +64,7 @@
               tar -xf passwords.tar.gz
               mv passwords/* ./
               rm passwords.tar.gz
-              rm -rpasswords
+              rm -r passwords
             '';
           });
     };
@@ -72,7 +72,7 @@
 
     database.createLocally = true;
     config = {
-      adminpassFile = "/run/keys/nextcloud-admin-password.key";
+      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
       dbtype = "pgsql";
     };
 

system/dev/dn-server/secret.yaml

@@ -0,0 +1,27 @@
+wireguard:
+    privateKey: ENC[AES256_GCM,data:0lryTtUwLxr7d+EKdu618HwVAl9kSDkDfkpTrX5cMGJATXMmEnaMEVGPYnY=,iv:XG107Tnt/Md56q9vK/Eh5uyzvFT+JrcD0UAUdqky+EA=,tag:RAQIkl6zRQzFuzorg2aeew==,type:str]
+    conf: ""
+nextcloud:
+    adminPassword: ENC[AES256_GCM,data:O2rK18+riVrvloqqLsMUXw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:yh1ccDmthARLND0NwpLTCA==,type:str]
+step_ca:
+    password: ENC[AES256_GCM,data:3EWxpk/ktZHJreqnR9ln5pfdPjgigoCC4lyoRWugHas=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:UHZagnLvorZUrPq43YU+Gw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuKzJObXlPVUJzUkEyZXlV
+            Q0tEbzBPTy9kUXIwVmJkckUyWklUMzhCcTE0Ckh3bXIwRkpESTJYeTBPMGhQYk9y
+            L2NQTWFuMWVqYzJHZGhTaHpDRE5CRGMKLS0tIEsybHdPMk9JeEM2cXFwdlpOeXRj
+            Qm0wbmNGZDZwZlNTOVl0WVh5RXNxK2cK1Fwbgl5kKAFyrIIhBP+X4ZKFS4Xl39QY
+            11qkglNgro/JBFJ/W7Hj5wtEd8QToiJM1RW0lQaI25sneQ2v6L5pDA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-21T12:56:08Z"
+    mac: ENC[AES256_GCM,data:b1e1MemL+HHD1pl5X8gnSpczuM7bR+tmkwZJgdZclwkJwi0yBCq14Fy4VE9LklpU2k+WtD1RLqpSZtgz95skpYQog/3phaQNSPLZKXCRfnmTtDxUxWC52cBkhv/RIe99ROzIoG9hBvoPptnCZDlv70vL21xBFyhgzyo1guQUC6w=,iv:VNFKWZMNO+wkrC4NCsmFUrQa09FibMlu+yQOhzqduO0=,tag:imZRSLg4NBF1zaDTmIAPvA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

system/dev/dn-server/services.nix

@@ -1,5 +1,6 @@
 {
   settings,
+  config,
   pkgs,
   lib,
   ...
@@ -303,7 +304,7 @@ in
         ${personal.interface} = {
           ips = [ personal.ip ];
           listenPort = personal.port;
-          privateKeyFile = "/etc/wireguard/privatekey";
+          privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
           peers = builtins.map (r: {
             publicKey = r.publicKey;
             allowedIPs = r.allowedIPs;
@@ -313,7 +314,7 @@ in
         ${kube.interface} = {
           ips = [ kube.ip ];
           listenPort = kube.port;
-          privateKeyFile = "/etc/wireguard/privatekey";
+          privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
           peers = [ ];
         };
       };

system/dev/dn-server/step-ca.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
   environment.systemPackages = with pkgs; [ step-cli ];
 
@@ -12,9 +12,72 @@
   services.step-ca = {
     enable = true;
     address = "0.0.0.0";
-    settings = builtins.fromJSON (builtins.readFile /var/lib/step-ca/config/ca.json);
+    settings = {
+      address = ":443";
+      authority = {
+        provisioners = [
+          {
+            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiUTZYbDJOdkFabGZZSTZ5QnBrZWp6dyJ9.z
+Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB1ezz4NvpSDe9GIweBlTLH4DpZ7As65QftJf-32vFeSjw_8So8ugpS2BmfWaMcL6rHxJG369zf-Ninecy3yg4AvQ0WvzUWCYnR2m5-B2YYFJ0SlTv-FXOf_412ZaGdIK9FQo
+8LszKMGzw0e3YkBuAAfEsqYaCTd27trDDPUelTVnC20zblVDEkBlusvoNeYEiy7nphjqy2OPW6bxLKdQMg-b9zVgZqkImRqojBBqnV85sBHaSyQWA9rP2PPJM8AVjVBtrVLG3YIVObbjiLAa21WMaFe1bW4LK7BNj7KwQ2JJzlBfkDkdmo3gZvYag--9AarieKeIumQ.Vxj5NwzSurT
+47yHhoiCOug";
+            key = {
+              alg = "ES256";
+              crv = "P-256";
+              kid = "ywqnDBi0j1wjIx4i8xOBhqd6sCqsI_Z7aGQ6QifKFtM";
+              kty = "EC";
+              use = "sig";
+              x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI";
+              y = "y5OFjciRMVg8ePaEsjSPWbKp_
+NjQ6U4CtbplRx7z3Bw";
+            };
+            name = "danny@smallstep.net.dn";
+            type = "JWK";
+          }
+          {
+            claims = {
+              maxTLSCertDuration = "8760h";
+            };
+            name = "acme";
+            options = {
+              enableRenewal = true;
+            };
+            type = "ACME";
+          }
+        ];
+      };
+      crt = "/var/lib/s
+tep-ca/certs/intermediate_ca.crt";
+      db = {
+        badgerFileLoadingMode = "";
+        dataSource = "/var/lib/step-ca/db";
+        type = "badgerv2";
+      };
+      dnsNames = [
+        "10.0.0.1"
+        "ca.net.dn"
+      ];
+      federatedRoots = null;
+      insecureAddress = "";
+      key = "/var/lib/step-ca/secrets/intermediate_ca_key";
+      logger = {
+        format = "text";
+      };
+      root = "/var/lib/step-ca/certs/root_ca.crt";
+      tls = {
+        cipherSuites = [
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+          "TLS_EC
+DHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ];
+        maxVersion = 1.3;
+        minVersion = 1.2;
+        renegotiation = false;
+      };
+
+    };
     port = 8443;
     openFirewall = true;
-    intermediatePasswordFile = "/run/keys/step-password";
+    intermediatePasswordFile = config.sops.secrets."step_ca/password".path;
   };
 }