feat(secrets)!: Replace sops with agenix-rekey
sops-nix is tending to be fairly complex for our use-cases, which adds
difficulty to deploying, maintaining our wrapper module, keeping
".env.bin" files, etc.
agenix-rekey is a lot simpler.
Notable in this commit is the `// { outPath = ...; }` hack in
flake.nix. This is needed because snowfall-lib otherwise butchers paths
such that agenix-rekey is unable to show us what secrets exist with
`agenix edit`, etc. A companion to that is the lib.snowfall.fs stuff in
the secrets/default.nix file
Change-Id: Id3e79cfc7d37a7b7de7b8cc42f7392c4d8bd07c5
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/801
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/.sops.nix b/.sops.nix
deleted file mode 100644
index b3b0ab0..0000000
--- a/.sops.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Clicks Codes
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-nixpkgs:
-let
- keys = {
- users = {
- coded = "BC82DF237610AE9113EB075900E944BFBE99ADB5";
- minion = "76E0B09A741C4089522111E5F27E3E5922772E7A";
- pinea = "8F50789F12AC6E6206EA870CE5E1C2D43B0E4AB3";
- };
- hosts = {
- # nix run github:Mic92/ssh-to-pgp -- -i /etc/ssh/ssh_host_rsa_key
- teal = "67c66d58ac73fd744c2b49720f026aad93752d6a";
- };
- };
-in
-{
- creation_rules = [
- {
- path_regex = ''.*\/teal\/.*\.sops\.(yaml|json|env|ini|([^.]+\.)*bin)$'';
- pgp = nixpkgs.lib.concatStringsSep "," [
- keys.users.coded
- keys.users.minion
- keys.users.pinea
-
- keys.hosts.teal
- ];
- }
- ];
-}
-
-/* A1D1
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBAAAAAABEACSxCiPC32/kuhkaXnxLcXWQuNkKb3oimnzVn2cOl6X7mpwUQkO
-WSL4mP+s/bsEoHuC17h+IbuA3vm62fWhfxoC59sJe3J0zNUb9YzHu2RkyO23msoo
-WBbO+3qCs8W+/1FIh5LTW5X35V5Bl3D2p/4Xydk3qKvyU3VQp8JYJZahP2Rwxs8g
-2IGWV39dJVwwBL/3ZRY122jBc0m1TKXVtg1pzkpJoNLQNWVPH3xrRjhAplXY8ArF
-MT1trQHvTNC3fIxAlc+ED8Mf9nzYikxyQQmvwR98cE20Nzlrs8VSw+Xwo3v6/t0j
-hmlUQTtDJMl1Oow3VLUZwvsHcSc+JuZW24t/1i1iZ59fi5/ZlbXQGgJ/Iwrx/3n0
-3grQufiWAsN3ALHkyD0KFjxqlt9M8DSg8OYMzPvRK/75vPPB1oaXXG76Us9bkF/M
-vckCpHoxBEGu/eSY2MBcW7CrWXkLW898txJfhgh6o2TQjPWcnGCDn+tGA9AxvGl1
-HlnyVz+MIJvQ2Pp9DGMEqSPNWiv1ESPAgiyeIuDAL9pnpLO+WFfc/NU2GUnPybEk
-vzq8uYiD0Nyr01ruxdcsmagbI/7z8h93bNMpo8V7/nT8n881oJYUtTWrJ+CTB6F/
-9ulZteFbXBQ5i2Xk+VYeVjVZ2snkCZ16qm4j81PFojRm1NUbRmz5uoYFwQARAQAB
-zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQDwJqrZN1LWoCGw8CGQEAAC2GEAAK0ceEOyeb2YlhCN750G2s
-H+bGWlV+AyEDAocPEQJxxG3WJVMldXXaeZnFJ7bbILouMVBNcaGzWBHy8vuDGz3T
-GmjHRmscN5ZMA5to5khf42q+fd5XvBRgdgED5RKIqNlNT60VODqPe/sVtwOV0p2R
-3Mmk3ycnsJuOfmvxP3JCHCWDCeVlT/THN5qpZlAqBK12GUQBgpalUqTl/gfMR00E
-eSI/KEch1vZaj+hQr4Hmu+2tz+0K9Vjhr+esDWIbCLYUJ+pjLCcEY9V1KzSA/mgo
-lvdIXOKTDDvUw12LU2vZkvQBskjfQw65M9mnw8n95Y4QnynW0qzMXT5XE01WYi6q
-PdJCfJKllJ+2TXt8XlqcM/wQvJMJB+PDdbfC5Z468WBBrZdjkqFpJnVT4j77zTlK
-X6/3OHqVdD5bEPceIrG/Iefcy3LNYF38euR1QOCzpOywyMlaujYXQdJbBPngkXAc
-GjYO3gevAkfaltLWddX5cK0YzrRI5m8e0zCLVGbcqxU7vK5ZmJKwTJ8W7INQrH3h
-IDtqRQ8k0eRIv8mXF1sFgyFiPmyyJdYqaosR+hxi9nerAChk7TLTNN7fnoUirowN
-unr5YcMBKpjiT6VMeYLtVsLcpwjSqet/d+/+yHy+Yn6As67IV67c2+tkZAHk5N4I
-vs8VtLQNyjiNH4Rbc8c1RQ==
-=A4oI
------END PGP PUBLIC KEY BLOCK-----
-*/
diff --git a/configure.sh b/configure.sh
deleted file mode 100755
index 7ff1090..0000000
--- a/configure.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2024 Clicks Codes
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-nix eval -f .sops.nix --apply "(f: f (builtins.getFlake \"nixpkgs\"))" --json > .sops.yaml # regenerate the "yaml" so you can add secrets
diff --git a/flake.lock b/flake.lock
index e8fe841..21028ad 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,8 +1,52 @@
{
"nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": "nixpkgs",
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1720546205,
+ "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "agenix-rekey": {
+ "inputs": {
+ "devshell": "devshell",
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks": "pre-commit-hooks"
+ },
+ "locked": {
+ "lastModified": 1721402988,
+ "narHash": "sha256-O5j5y5gpssVF5FNsSF7joTyrlW//LpwyLk6yBWgQ0VE=",
+ "owner": "oddlama",
+ "repo": "agenix-rekey",
+ "rev": "3f1c787e2092d9c13142ae7572cc1c52b68f1c4c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oddlama",
+ "repo": "agenix-rekey",
+ "type": "github"
+ }
+ },
"aux--docs-site": {
"inputs": {
- "flake-utils": "flake-utils",
+ "flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
@@ -43,9 +87,31 @@
"url": "https://git.auxolotl.org/auxolotl/wiki"
}
},
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1700795494,
+ "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
"deploy-rs": {
"inputs": {
- "flake-compat": "flake-compat",
+ "flake-compat": "flake-compat_2",
"nixpkgs": [
"nixpkgs"
],
@@ -65,9 +131,47 @@
"type": "github"
}
},
+ "devshell": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix-rekey",
+ "nixpkgs"
+ ],
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1695195896,
+ "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=",
+ "owner": "numtide",
+ "repo": "devshell",
+ "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "devshell",
+ "type": "github"
+ }
+ },
"flake-compat": {
"flake": false,
"locked": {
+ "lastModified": 1673956053,
+ "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_2": {
+ "flake": false,
+ "locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
@@ -81,7 +185,7 @@
"type": "github"
}
},
- "flake-compat_2": {
+ "flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1650374568,
@@ -99,14 +203,14 @@
},
"flake-utils": {
"inputs": {
- "systems": "systems"
+ "systems": "systems_3"
},
"locked": {
- "lastModified": 1710146030,
- "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
@@ -117,7 +221,7 @@
},
"flake-utils-plus": {
"inputs": {
- "flake-utils": "flake-utils_3"
+ "flake-utils": "flake-utils_4"
},
"locked": {
"lastModified": 1715533576,
@@ -136,7 +240,7 @@
},
"flake-utils_2": {
"inputs": {
- "systems": "systems_3"
+ "systems": "systems_4"
},
"locked": {
"lastModified": 1710146030,
@@ -154,7 +258,25 @@
},
"flake-utils_3": {
"inputs": {
- "systems": "systems_4"
+ "systems": "systems_6"
+ },
+ "locked": {
+ "lastModified": 1710146030,
+ "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_4": {
+ "inputs": {
+ "systems": "systems_7"
},
"locked": {
"lastModified": 1694529238,
@@ -170,9 +292,52 @@
"type": "github"
}
},
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix-rekey",
+ "pre-commit-hooks",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660459072,
+ "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1703113217,
+ "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
+ "inputs": {
+ "nixpkgs": [
"nixpkgs"
]
},
@@ -207,6 +372,38 @@
},
"nixpkgs": {
"locked": {
+ "lastModified": 1703013332,
+ "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1685801374,
+ "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
"lastModified": 1722087241,
"narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=",
"owner": "nixos",
@@ -221,23 +418,52 @@
"type": "github"
}
},
+ "pre-commit-hooks": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "flake-utils": [
+ "agenix-rekey",
+ "flake-utils"
+ ],
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "agenix-rekey",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1694364351,
+ "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
"root": {
"inputs": {
+ "agenix": "agenix",
+ "agenix-rekey": "agenix-rekey",
"aux--docs-site": "aux--docs-site",
"aux--wiki": "aux--wiki",
"deploy-rs": "deploy-rs",
- "flake-utils": "flake-utils_2",
- "home-manager": "home-manager",
+ "flake-utils": "flake-utils_3",
+ "home-manager": "home-manager_2",
"impermanence": "impermanence",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
"snowfall-lib": "snowfall-lib",
- "sops-nix": "sops-nix",
"unstable": "unstable"
}
},
"snowfall-lib": {
"inputs": {
- "flake-compat": "flake-compat_2",
+ "flake-compat": "flake-compat_3",
"flake-utils-plus": "flake-utils-plus",
"nixpkgs": [
"nixpkgs"
@@ -257,29 +483,6 @@
"type": "github"
}
},
- "sops-nix": {
- "inputs": {
- "nixpkgs": [
- "unstable"
- ],
- "nixpkgs-stable": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1722114803,
- "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=",
- "owner": "Mic92",
- "repo": "sops-nix",
- "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab",
- "type": "github"
- },
- "original": {
- "owner": "Mic92",
- "repo": "sops-nix",
- "type": "github"
- }
- },
"systems": {
"locked": {
"lastModified": 1681028828,
@@ -340,6 +543,51 @@
"type": "github"
}
},
+ "systems_5": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "systems_6": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "systems_7": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
"unstable": {
"locked": {
"lastModified": 1722062969,
@@ -358,7 +606,7 @@
},
"utils": {
"inputs": {
- "systems": "systems_2"
+ "systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,
diff --git a/flake.nix b/flake.nix
index 0a703f4..1c7ddb5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,6 +7,13 @@
description = "Clicks Infrastructure";
inputs = {
+ agenix.url = "github:ryantm/agenix";
+
+ agenix-rekey = {
+ url = "github:oddlama/agenix-rekey";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
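Review bot: `agenix.url = "github:ryantm/agenix";` pins agenix without `inputs.nixpkgs.follows`, so agenix pulls in its own nixpkgs; the flake.lock in this same commit shows the result as a second `nixpkgs` node (lastModified 1703013332, roughly seven months behind the root's, which is renamed to `nixpkgs_2`) plus separate `darwin` and `home-manager` nodes that follow it. Two nixpkgs trees mean the agenix module and CLI are built from a different package set than the rest of the system, and every future dependency update has to cover both. Declaring it the same way as the agenix-rekey input right below it, `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };`, brings the lock back to a single nixpkgs. The enclosing `inputs = { … }` set continues outside the hunk.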
@@ -28,14 +35,6 @@
inputs.nixpkgs.follows = "nixpkgs";
};
- sops-nix = {
- url = "github:Mic92/sops-nix";
- inputs = {
- nixpkgs.follows = "unstable";
- nixpkgs-stable.follows = "nixpkgs";
- };
- };
-
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
aux--docs-site = {
@@ -64,11 +63,14 @@
}).snowfall.internal.system-lib;
in
lib.mkFlake {
- overlays = with inputs; [ ];
+ overlays = [
+ inputs.agenix-rekey.overlays.default
+ ];
systems.modules.nixos = [
+ inputs.agenix.nixosModules.default
+ inputs.agenix-rekey.nixosModules.default
inputs.impermanence.nixosModules.impermanence
- inputs.sops-nix.nixosModules.sops
];
deploy = lib.clicks.deploy.mkDeploy {
@@ -78,6 +80,14 @@
};
};
+ agenix-rekey = inputs.agenix-rekey.configure {
+ userFlake = inputs.self // { outPath = lib.pipe "" [
+ lib.snowfall.fs.get-snowfall-file
+ (lib.strings.removeSuffix "/")
+ ]; };
+ nodes = inputs.self.nixosConfigurations;
+ };
+
outputs-builder = channels: {
specs = let
nixFiles = lib.snowfall.fs.get-nix-files-recursive ./.;
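Review bot: The `outPath` override on `userFlake` is the one non-obvious line in this hunk and has no explanation in the file; the reasoning lives only in the commit message, which the next person editing flake.nix will not see. A one-line comment above `userFlake` would carry it, e.g. `# snowfall-lib rewrites inputs.self's outPath; rebuild it from the snowfall root (trailing slash removed) so agenix-rekey can locate secrets/ when running agenix edit or rekey`. It would also help to say that `nodes = inputs.self.nixosConfigurations;` is what makes every host's secrets visible to the rekey tooling. The enclosing `lib.mkFlake { … }` attribute set starts before the hunk.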
diff --git a/lib/secrets/default.nix b/lib/secrets/default.nix
deleted file mode 100644
index c8cf609..0000000
--- a/lib/secrets/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Clicks Codes
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-{ lib, inputs, ... }:
-{
- secrets.name = path: builtins.hashFile "sha256" path;
-}
diff --git a/modules/nixos/clicks/secrets/README.md b/modules/nixos/clicks/secrets/README.md
deleted file mode 100644
index 83f43b9..0000000
--- a/modules/nixos/clicks/secrets/README.md
+++ /dev/null
@@ -1,62 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2024 Clicks Codes
-
-SPDX-License-Identifier: GPL-3.0-only
--->
-
-# Clicks SOPS
-
-To create a secret you can do the following:
-
-```nix
-clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}" = {
- file = ./headscale.sops.json;
- group = "headscale";
- keys = [
- "oidc_client_secret"
- "database_password"
- "noise_private_key"
- "private_key"
- ];
- neededForUsers = false;
-};
-```
-The secret name is based on the secret file's hash.
-`file` is a path to the secrets file. It is required.
-`group` is the group the key should be owned by. We chose to use groups instead of users so that you can allow multiple
-different users to read the file. If you don't set it, we'll use `"root`.
-`keys` is a list of the keys of the secret file, assuming it's not a binary file. If it isn't a binary file, you are
-required to set this. If it is a binary file, you shouldn't specify this.
-`neededForUsers` requires the secret to be present before users are created on boot, it's identical to the sops option
-of the same name. Use it for user passwords. If you don't specify it, we'll use `false`.
-
----
-
-You can then refer to the different keys directly from the secret, no need to manually create individual files:
-
-```nix
-client_secret_path = config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.oidc_client_secret;
-```
-
-If the secret file is a binary file, the path can be accessed via
-
-```nix
-private_key = config.clicks.secrets."${lib.clicks.secrets.name ./privatekey.bin}".path;
-```
-
----
-
-We recommend using `lib.clicks.secrets.name` with your path to name your secrets. This avoids you creating naming
-conflicts or having messy names. This is not a hard requirement for using the module outside of Clicks, but if you're
-contributing to Clicks infrastructure we will enforce this at review.
-
-This takes a path, and is guarenteed to be stable when passed the same file at the same path.
-
-```nix
-lib.clicks.secrets.name ./file.sops.json
-```
-
----
-
-In Clicks, secrets are only ever encrypted to a single host. You'll need to make the secrets within the
-`systems/<arch>/<hostname>` directory to let sops know what host to encrypt to.
diff --git a/modules/nixos/clicks/secrets/default.nix b/modules/nixos/clicks/secrets/default.nix
deleted file mode 100644
index 19f01b4..0000000
--- a/modules/nixos/clicks/secrets/default.nix
+++ /dev/null
@@ -1,138 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Clicks Codes
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-{
- lib,
- pkgs,
- config,
- ...
-}:
-let
- cfg = config.clicks.security.sops;
-
- guessFormat =
- extension:
- if extension == "json" then
- "json"
- else if extension == "yaml" || extension == "yml" then
- "yaml"
- else if extension == "env" then
- "dotenv"
- else if extension == "ini" then
- "ini"
- else
- "binary";
-
- getExtension =
- filePath:
- let
- pathParts = builtins.split ''\.'' (builtins.toString filePath);
- numPathParts = builtins.length pathParts;
- in
- builtins.elemAt pathParts (numPathParts - 1);
-in
-{
- options.clicks.secrets =
- let
- generateNonBinarySopsPaths =
- file: keys:
- lib.lists.forEach keys (key: {
- name = key;
- value = config.sops.secrets."${lib.clicks.secrets.name file}:${key}".path;
- });
- in
- lib.mkOption {
- type = lib.types.attrsOf (
- lib.types.submodule (
- { ... }@submodule:
- {
- options = {
- file = lib.mkOption {
- type = lib.types.pathInStore;
- description = "The store path to your secrets file";
- };
- group = lib.mkOption {
- type = lib.types.str;
- description = "The user the secret should be owned by.";
- default = "root";
- };
- keys = lib.mkOption {
- type = lib.types.nullOr (lib.types.listOf lib.types.str);
- description = "List of keys to pull from the structured data.";
- default = null;
- };
- neededForUsers = lib.mkEnableOption "This secret is needed for users";
- paths = lib.mkOption {
- type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
- description = "Automatically populated with the SOPS paths to your keys, null if you are using binary secrets";
- default =
- if guessFormat (getExtension submodule.config.file) != "binary" then
- builtins.listToAttrs (generateNonBinarySopsPaths submodule.config.file submodule.config.keys)
- else
- null;
- };
- path = lib.mkOption {
- type = lib.types.nullOr lib.types.str;
- description = "Populated automatically with the SOPS path of the secret, null if you are using non binary secrets";
- default =
- if guessFormat (getExtension submodule.config.file) == "binary" then
- config.sops.secrets.${lib.clicks.secrets.name submodule.config.file}.path
- else
- null;
- };
- };
- }
- )
- );
- description = "";
- default = { };
- };
-
- config =
- let
- generateBinarySopsSecret = secret: {
- name = lib.clicks.secrets.name secret.value.file;
- value = {
- mode = "0400";
- owner = config.users.users.root.name;
- group = config.users.groups.${secret.value.group}.name;
- sopsFile = secret.value.file;
- format = guessFormat (getExtension secret.value.file);
- inherit (secret.value) neededForUsers;
- };
- };
-
- generateNonBinarySopsSecrets =
- secret:
- lib.lists.forEach secret.value.keys (key: {
- name = "${lib.clicks.secrets.name secret.value.file}:${key}";
- value = {
- mode = "0040";
- owner = config.users.users.root.name;
- group = config.users.groups.${secret.value.group}.name;
- sopsFile = secret.value.file;
- format = guessFormat (getExtension secret.value.file);
- inherit (secret.value) neededForUsers;
- inherit key;
- };
- });
-
- secretsAsList = lib.attrsets.attrsToList config.clicks.secrets;
-
- secretsAsSops = lib.pipe secretsAsList [
- (map (
- secret:
- if guessFormat (getExtension secret.value.file) == "binary" then
- generateBinarySopsSecret secret
- else
- generateNonBinarySopsSecrets secret
- ))
- lib.flatten
- builtins.listToAttrs
- ];
- in
- {
- sops.secrets = secretsAsSops;
- };
-}
diff --git a/modules/nixos/clicks/security/secrets/default.nix b/modules/nixos/clicks/security/secrets/default.nix
new file mode 100644
index 0000000..9a97f9d
--- /dev/null
+++ b/modules/nixos/clicks/security/secrets/default.nix
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+# SPDX-FileCopyrightText: 2024 Clicks Codes
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ config, lib, pkgs, inputs, ... }: let
+ cfg = config.clicks.security.secrets;
+in {
+ options.clicks.security.secrets.enable = lib.mkOption {
+ description = "Enable using agenix-rekey for secrets";
+ type = lib.types.bool;
+ default = true;
+ };
+
+ config = lib.mkIf cfg.enable {
+ age.rekey = {
+ masterIdentities = [
+ "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
+ "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
+ "${inputs.self}/secrets/keys/minion/iyubikey.pub"
+ ];
+ storageMode = "local";
+ generatedSecretsDir = lib.snowfall.fs.get-snowfall-file "secrets/generated/${config.networking.hostName}";
+ localStorageDir = lib.snowfall.fs.get-snowfall-file "secrets/rekeyed/${config.networking.hostName}";
+ };
+
+ age.identityPaths = lib.mkIf config.clicks.storage.impermanence.enable [
+ "/persist/data/etc/ssh/ssh_host_ed25519_key"
+ "/persist/data/etc/ssh/ssh_host_rsa_key"
+ ];
+ };
+}
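Review bot: `age.identityPaths` is only set when `config.clicks.storage.impermanence.enable` is true, so a host without impermanence silently falls back to agenix's own default identity lookup; that appears to be the intended behaviour, but it should be stated, e.g. `# Without impermanence the host keys are at their default location, so agenix's default identityPaths applies`. Separately, every rekeyed file added in this commit carries a single `ssh-ed25519` recipient stanza, so the `ssh_host_rsa_key` entry looks unused for decryption; if it is kept deliberately (say, for a host that still rekeys to its RSA key), a comment saying so would stop someone removing it later. The `pkgs` argument in the module's parameter set is unused and can be dropped.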
diff --git a/modules/nixos/clicks/services/headscale/README.md b/modules/nixos/clicks/services/headscale/README.md
index 9e87c05..6c22a0f 100644
--- a/modules/nixos/clicks/services/headscale/README.md
+++ b/modules/nixos/clicks/services/headscale/README.md
@@ -45,7 +45,7 @@
issuer = "https://login.clicks.codes/realms/master";
allowed_groups = [ "/clicks" ];
client_id = "headscale";
- client_secret_path = config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.a1d1.json}".paths.oidc_client_secret;
+ client_secret_path = config.age.secrets."clicks.services.headscale.oidc.client_secret_path".path;
};
};
```
@@ -64,9 +64,9 @@
```nix
clicks.services.headscale = {
- database_password_path = config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.a1d1.json}".paths.database_password;
- noise_private_key_path = config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.a1d1.json}".paths.noise_private_key;
- private_key_path = config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.a1d1.json}".paths.private_key;
+ database_password_path = config.age.secrets."clicks.services.headscale.database_password_path".path;
+ noise_private_key_path = config.age.secrets."clicks.services.headscale.noise_private_key_path".path;
+ private_key_path = config.age.secrets."clicks.services.headscale.private_key_path".path;
}
```
diff --git a/modules/nixos/clicks/services/postgres/README.md b/modules/nixos/clicks/services/postgres/README.md
index 3efd637..be29a14 100644
--- a/modules/nixos/clicks/services/postgres/README.md
+++ b/modules/nixos/clicks/services/postgres/README.md
@@ -8,12 +8,12 @@
You can create a database, user and credentials by using `clicks.services.postgres.databases.<name>`. You should set this to a file containing the password for your database user.
-We recommend using our secrets module to create this password file.
+We recommend using [agenix-rekey](https://github.com/oddlama/agenix-rekey) to create this password file
```nix
clicks.services.postgres = {
enable = true;
- databases.headscale = config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.database_password;
+ databases.headscale = config.age.secrets."clicks.services.postgres.databases.headscale".path;
};
```
diff --git a/secrets/keys/minion/collabora-yubikey.pub b/secrets/keys/minion/collabora-yubikey.pub
new file mode 100644
index 0000000..a3061c2
--- /dev/null
+++ b/secrets/keys/minion/collabora-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 20652804, Slot: 1
+# Name: MINION_COLLABORA_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:55:44 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
+AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ
diff --git a/secrets/keys/minion/iyubikey.pub b/secrets/keys/minion/iyubikey.pub
new file mode 100644
index 0000000..ec49feb
--- /dev/null
+++ b/secrets/keys/minion/iyubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 24039462, Slot: 1
+# Name: MINION_iYUBIKEY
+# Created: Sun, 21 Jul 2024 12:57:17 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
+AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA
diff --git a/secrets/keys/minion/tiny-yubikey.pub b/secrets/keys/minion/tiny-yubikey.pub
new file mode 100644
index 0000000..0838d68
--- /dev/null
+++ b/secrets/keys/minion/tiny-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 23751432, Slot: 1
+# Name: MINION_TINY_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:49:01 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
+AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0
diff --git a/secrets/rekeyed/teal/035988d5aa30b83dbdb77a1c7546d45b-clicks.services.headscale.private_key_path.age b/secrets/rekeyed/teal/035988d5aa30b83dbdb77a1c7546d45b-clicks.services.headscale.private_key_path.age
new file mode 100644
index 0000000..a50c96a
--- /dev/null
+++ b/secrets/rekeyed/teal/035988d5aa30b83dbdb77a1c7546d45b-clicks.services.headscale.private_key_path.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA PxPtfASwbluRZaarn28rBJId3YuASEjV+7NC4KcXkUA
+vRy+qGCBKcs8QvlPRalY7SGKNLM/9ePMMM9Teoc1qXE
+-> !-grease Ib, "%_
+bQhUIOKRzSZIr1vX9lFkXNa0PuvEjOCzXOfIda/AjZ8heizSWbNNzP9HIR1ApGwn
+hJpRlYlSab4tkHnJZEOMdDNpOeTR7MQ7hLg
+--- ToA9JamqQKKy+94TIdE8tl+aOnjm/X3dlSB9Ftii0GA
+½ÍASQÿº:MÆwëÿÜ¢e|À°v?¯è®ÄÃh-}üDKD©ÆïóWÃtz-¼UE Æ@.E./lá0<.«n:F<$å·ÙX_ÿG¦Æ½
+#TâH½ö4
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/25168036ffa14e9d60c809ab19491686-clicks.networking.tailscale.authKeyFile.age b/secrets/rekeyed/teal/25168036ffa14e9d60c809ab19491686-clicks.networking.tailscale.authKeyFile.age
new file mode 100644
index 0000000..fc078c7
--- /dev/null
+++ b/secrets/rekeyed/teal/25168036ffa14e9d60c809ab19491686-clicks.networking.tailscale.authKeyFile.age
Binary files differ
diff --git a/secrets/rekeyed/teal/46041cde522a863d67318a4f79e6edb2-clicks.services.headscale.database_password_path.age b/secrets/rekeyed/teal/46041cde522a863d67318a4f79e6edb2-clicks.services.headscale.database_password_path.age
new file mode 100644
index 0000000..fc7569b
--- /dev/null
+++ b/secrets/rekeyed/teal/46041cde522a863d67318a4f79e6edb2-clicks.services.headscale.database_password_path.age
Binary files differ
diff --git a/secrets/rekeyed/teal/6af45862331f8b280a01e768b1736fc4-clicks.services.headscale.oidc.client_secret_path.age b/secrets/rekeyed/teal/6af45862331f8b280a01e768b1736fc4-clicks.services.headscale.oidc.client_secret_path.age
new file mode 100644
index 0000000..ede49f5
--- /dev/null
+++ b/secrets/rekeyed/teal/6af45862331f8b280a01e768b1736fc4-clicks.services.headscale.oidc.client_secret_path.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA FzEL+Xaw+yFAZNdTtrpDr1j3fV3QAENHM9zbmykHtTg
+IEiyq2hbwYorxvb3rxwLj0RZrAFnATz63tOvG1nqXoA
+-> tWj,IJ>N-grease
+wgJnIL2gnA9LaFebTsKncKeNo7b86lmPfpWRe3Mll8rESaifEJuKeetzlRieU2Je
+GL03hZVs836MEv9NU34rB3wIuCky+yTMHOq+cfk/a8EYxj+3fQ
+--- Vu4jHUeusiQ9+XWSnDeiCYBFMeVVJQzmjMN3l/KOl2w
+,å&3ÜW1ì;à%ÔáqÂö(@]ñjâÞ·-Ø9na9¬'1piáæê£D'Åú¶úûà×z£e
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/77463521eace182e324bbe5a15d2e4ca-clicks.services.headscale.noise_private_key_path.age b/secrets/rekeyed/teal/77463521eace182e324bbe5a15d2e4ca-clicks.services.headscale.noise_private_key_path.age
new file mode 100644
index 0000000..f719687
--- /dev/null
+++ b/secrets/rekeyed/teal/77463521eace182e324bbe5a15d2e4ca-clicks.services.headscale.noise_private_key_path.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA jawiGDhN98fuOhz7f+UXHTyCZQdbb+BT1vBsowuJOVA
+yCjkR8A9GEHPEO9kkXBpljXTMy0PIR8cbVz9oTCMXP8
+-> *\J<1-grease
+KwZlxA
+--- flducxiyeXeYWvX9YgJh5/PBLTu6Epdzkkau/YOMheM
+ØÓO;`s?¡tptªQrØyÔÁÛW~)Ð`ßÅÝÚÒëüèFKbÚrkWbÓBwc{q[Þ
oJaôI·âj¿ÎDÉH%ô¡®ø«ù%Fn¨
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/86966bd336d1cbac315b909759eb9039-clicks.security.acme.defaults.environmentFile.age b/secrets/rekeyed/teal/86966bd336d1cbac315b909759eb9039-clicks.security.acme.defaults.environmentFile.age
new file mode 100644
index 0000000..88b5816
--- /dev/null
+++ b/secrets/rekeyed/teal/86966bd336d1cbac315b909759eb9039-clicks.security.acme.defaults.environmentFile.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA F3wDStnzHGo44nFGHzvwkzayXr0ACLaMgWJPruIXT0M
+Ii6WDkM/IQA8OUQHuMLo6orko+qOxreSpyeclrXs/Qw
+-> a0v-grease :P.6 V) WO=JTd+
+0IKo7rm6uzGXXZFYdex5SzmE+l3c3YECTg5MY3XMx6worvbkLVPm4/zJTEoXTqUc
+VH8J64o
+--- HdEFiENd3nYo4fQMvKxpr2+VHIdk42sSCdsiqB8pubs
+»ñÌͯj'Gçn
+Äål/àöe©ëÓrÒe×£` á[]Õ¬tSúû´öØæîz¥vFÛ?»1Z4è®ØÖ78Ë
Ǭ{&Aî¸`
\ No newline at end of file
diff --git a/shells/default/default.nix b/shells/default/default.nix
index d453305..54a1dd9 100644
--- a/shells/default/default.nix
+++ b/shells/default/default.nix
@@ -4,15 +4,17 @@
# SPDX-License-Identifier: GPL-3.0-only
{
+ agenix-rekey,
+ deploy-rs,
mkShell,
nix-unit,
reuse,
- deploy-rs,
}:
mkShell {
packages = [
- reuse # Used to provide licenses & copyright attribution
+ agenix-rekey # Used to manage secrets
deploy-rs # Used to deploy to our servers
nix-unit # Used to do unit testing
+ reuse # Used to provide licenses & copyright attribution
];
}
diff --git a/systems/x86_64-linux/teal/acme.sops.env.bin b/systems/x86_64-linux/teal/acme.sops.env.bin
deleted file mode 100644
index c66e26e..0000000
--- a/systems/x86_64-linux/teal/acme.sops.env.bin
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "data": "ENC[AES256_GCM,data:HgebCH+Hrzbu3pvXbWa66OMKEEy8uzkutqO0oSrj1ZgDuZnU/GHT/AZhd8NptUKIOIerSjWFxD4tZSMyYqOwj2c2,iv:7G1mmGkYDX24wlKqdGLTxBQvkRcPpSlA/J8IHJsyJZE=,tag:ah199Tfk3E60v2wBlb+sOg==,type:str]",
- "sops": {
- "kms": null,
- "gcp_kms": null,
- "azure_kv": null,
- "hc_vault": null,
- "age": null,
- "lastmodified": "2024-06-22T23:34:29Z",
- "mac": "ENC[AES256_GCM,data:jTCygJEQDbIpPBwU7xmlkqfntkautpQDEnvVchWzFq8QnzWCPV1/P/qeSayPjkwPAnB24x/wbFkuHCnNVamQ/QxNiuEVk8c977DYzdl+Hg/7MED4O/kExMzdU6cHQGtkKn3cXWatJNpZQVe5lko3xbhJN/JQwRFYYnzZKSN906Q=,iv:Mo0vwHkvFxvOQRUPnorLhJ476l8ZMQvgZ4wSyss4j3c=,tag:QOpuNQRe1+ZtoAVVAO3kyQ==,type:str]",
- "pgp": [
- {
- "created_at": "2024-06-22T23:23:10Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4D6MHlIv4I/7ASAQdAygO+vRQVedxDSif6TnM4dI3OyMqTGqMaI2iBBIouKSkw\naxAi2caNG2Kkelgj1JMmlxV31wbtIMGWp3N2LhTAxcFX+N0idIDLrdF6aVjwMZaJ\n0l4BPkHzwA/jjIgMD5PurgGmarGiZkaXv0cOikEXhBaK52Kn849JjHt3hk0QZcIJ\n1PpLoatM8kwdJpJKrxePXWgmLGFlrv9Bza4Ephzfq2RzaUkS6eE6q7tKzSo2gFuj\n=UIIi\n-----END PGP MESSAGE-----",
- "fp": "BC82DF237610AE9113EB075900E944BFBE99ADB5"
- },
- {
- "created_at": "2024-06-22T23:23:10Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DxpBiwsu2o5wSAQdAw1CzYtLdBt3Wyn5VSl6WdCwrabGrFuFn1YoyTk2kUHkw\nrBYHoAFbhtSk0Kh5sEq4MbelLD8U8Vc4sWQ+uCBIP+IB3JqdFainNA3BgIX0xmuZ\n0l4Bp/Tim//p65+OYdtNXygpoK0QlM+jrcloND/fpbJ5DWEyKkPSHuDXTNXAa268\n9xLW2H3LhRimN/5y6hoh7QIT3WxAQoKkGRLruqWAvFq2fjyHAfepsu9xE1S80Jae\n=B3Aw\n-----END PGP MESSAGE-----",
- "fp": "76E0B09A741C4089522111E5F27E3E5922772E7A"
- },
- {
- "created_at": "2024-06-22T23:23:10Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA9bzf+GUl7kkARAAt+5GEtj4hbrZPD1kRaoFBjdtZDESlGHZgug88YHjyXTq\nDjlTheDs65ZfHBRhE+3OzsqLU8QwLyACB8MNJdnns6sn/ssV+4UOwIi6MRfth+P1\nlbqnSfsS9octnz91JPYmqZ1s65Qp9VkM/D04TV7OdreZzU1aIOI241u0JOTYgBat\nD5E9QjQGlPwwYWwhlt+r0uIMISa4lwJIWuud2Xm4lJ1JPrzuuJB6VJp3D3eaJNoE\nms1NMvSJTn1Q/6NKSyeSD+901oeJRrtoikGbk4y4r4UlqSUsQhW/AptgswMRnkfg\nyI2SmtD2EC79g2h9MATwQfxgo1maMu47FPNx0zI2vmZdp+5LKeSWbe5RuNK11SCo\nnpyLKRqrtsXlKu0MfFg0+fJ1xqqMjvdGlPj5lo/T5ng4boyTwAgDmn8/rCHlS9yu\nbQpKOzH2dnOB1CXPWEt/kj9wXHUTgygfasOCpn60eMKcyOuSXn0qJJj9Mc3A0Jw3\nD1MPNFnnrnGTa7rWyRWQRYLZLNpZV4MzgIF/g3eJuhfJRJDpAFJmu/XY59RsCjfd\npOW7NYpEwH2KHGv1u0e4EnZRysKNqMqJ/Y3PYSyhdquAwxFxqMCRkmYYheNpvjP8\nPsJXv77KM+O1RGTsEX/IKoGnnBcOlUBNEVMIaUOK3E8jVCxeCGXlesK/xT81MBHS\nXgF523bW5yt5jQ0+gyCNW7RuDRiu/E24bJcqqNYAkhJRlysDBRcQs2vdDuw5+xbP\nF6fc7UT19SEA2KzeAXdQNtSKMsOuwPBBluZpXpjRmdqscYHrcScegRmEbLQsdTs=\n=CRaE\n-----END PGP MESSAGE-----",
- "fp": "8F50789F12AC6E6206EA870CE5E1C2D43B0E4AB3"
- },
- {
- "created_at": "2024-06-22T23:23:10Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAw8Caq2TdS1qARAAhM0snxG2QBGF+kqH46cSfh2egIBfnooi5pSTtR3UBX01\n9B4AmKSC0wv4RcEmYgjS4rlVEkRa+a7V+rhPuIRLKSHvMjfpJKkAqbyawjf8rYR8\nKjh4gGr23+U0tna1TZ1amvZm/fBNfv71Tbb5gTshWnAamuIXevwOyIVlKAVhvAue\ngaLzlbhDbWf1+o1btA3VUdvUvUozrLlg2YJHmrzdyCfmS2SOO7WR9g1PAxJo1yii\ne+1fCQJ4PJOvsxRptuJ3tYS+AVhiHQh0VFU8OPjd9ThPHq4f4yIHu3b/M9a2b0R3\n2I5pVWUFP0/3DqeVg3ovdpaAquSKGJ9KzbHK5CyCHyzQr3AbTbWfH8u1bJdQjVpU\nrTgSSXxyAPf3iCBh4RFhHikNWelBcFcnjPibaxvXhD8zvKgK5RMbl+7OlVMBauxk\n8gKwIihfa78/akChZbZsANWHJd/TErJqc7DUKv0Vit7OUugSSEZ0UanEsVQuRayq\nyBRQsmHmuLwEluF2OP3G5Wn8MjXZ9gm9DgjQjSdn3qL00kIymB3U/fQmW8V0MR/e\nBdAg1WTWLWcAXiVXJvgYPWu6S/NnW4dCD9tZocD8yoqaeUo5BSL1FzFeM1YYZBkk\n0HZuIq9kYxQ5g7AoNmDnR/KoN+FxLipuXxZFg2d7ZV90O/U7JFb7mDCu420nCQTS\nWAFym4eE200cL8bzqho4aM76BnBZD38h7eaDJnG+L7L2E4pzg1bjs6guajx3qbhl\nzb/sclLIrDzV0WfU4X/s1KrIE5E22JwgNMZB26RQ3EG2WabObT/5WIQ=\n=hKk4\n-----END PGP MESSAGE-----",
- "fp": "67c66d58ac73fd744c2b49720f026aad93752d6a"
- }
- ],
- "unencrypted_suffix": "_unencrypted",
- "version": "3.8.1"
- }
-}
\ No newline at end of file
diff --git a/systems/x86_64-linux/teal/acme.sops.env.bin.license b/systems/x86_64-linux/teal/acme.sops.env.bin.license
deleted file mode 100644
index bda0f14..0000000
--- a/systems/x86_64-linux/teal/acme.sops.env.bin.license
+++ /dev/null
@@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: 2024 Clicks Codes
-
-SPDX-License-Identifier: GPL-3.0-only
diff --git a/systems/x86_64-linux/teal/clicks.networking.tailscale.authKeyFile.age b/systems/x86_64-linux/teal/clicks.networking.tailscale.authKeyFile.age
new file mode 100644
index 0000000..3cd5dd9
--- /dev/null
+++ b/systems/x86_64-linux/teal/clicks.networking.tailscale.authKeyFile.age
Binary files differ
diff --git a/systems/x86_64-linux/teal/clicks.security.acme.defaults.environmentFile.age b/systems/x86_64-linux/teal/clicks.security.acme.defaults.environmentFile.age
new file mode 100644
index 0000000..875b683
--- /dev/null
+++ b/systems/x86_64-linux/teal/clicks.security.acme.defaults.environmentFile.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 xE4ypg AqG6xmH//FHa6O6Pd0YvIsGrs92iYwJ4FqIOAoWq9Xcq
+sdajJ2QNV/70mW5NLVLG8qyruOjq+pdO7xjzL01D534
+-> piv-p256 Hpt/+Q AxbUihvMM1OIz5tF+ywRr1MpnX3Ibvkhj4E8CCjlWQ+H
++qXOVExhZDpzvgsB53OZpdiAz+vVdNcxKFYcJrEn+ng
+-> piv-p256 zfskmQ AxYJBZErldYL6RA/pDiU9xNjnKh2hkXW7MtVs/o0otIQ
+DmettPDYZUyFeigDpxPt8h36y3Tk1s9u9xZbmvs2DQY
+-> .rYttX`-grease @]<S$rM B ?>78>Aa
+hD7fV1joAiqNCJq0kEsKrD23pdKl3qTp7/b5OiviCwtya2TAbR4
+--- VOzx+bHOjG/6f7ixT1v+/G38D79+lG7aBDRuUMMmBeg
+xAÂoZ£©æ#Y ì/z^ÕÁÒ`'ÌïäGà&ó®jªµ¡JRs$6öÓlã)å»ëªz;:pê#±²EòÈ%L©pÝê®!%ØøæãÁ
\ No newline at end of file
diff --git a/systems/x86_64-linux/teal/clicks.services.headscale.database_password_path.age b/systems/x86_64-linux/teal/clicks.services.headscale.database_password_path.age
new file mode 100644
index 0000000..6d683e5
--- /dev/null
+++ b/systems/x86_64-linux/teal/clicks.services.headscale.database_password_path.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 xE4ypg AiABIeb7nQsaUe7jxXow8KBHhq0BfXnPiuI29aSu/gWU
+GAyoIEnVyHY8Hnp/O1gbsgjhaKkmB4FzTGf+iwOSXwo
+-> piv-p256 Hpt/+Q AihPD+1l2PMwawMH0Yu0wYgjBNUcXgOWu7H4/JtcFjc8
++rRoRScmxnC3srf0V7CNKkwQ3mx26CSZ5RUkL5Ndk3s
+-> piv-p256 zfskmQ AnzTX8xfBDy2c6BhRSKFA95DNP8oGv6eLJK1e4AEWBOO
+ikE059yKB8ZkCjSoFbnk+CiLpYWRnDq0S5Hui8/vfYg
+-> Ta_1;0D-grease 3U~ esRL y)1 5D7@!
+ftM
+--- KV4ev4Q0XGspO1OMu9InZsNG1r34+3ttmkbGA8EOeag
+x\Õ&ݵV*\_þ<6q+m'VÂjìÊÕ1SÊh£FqÓæÒCýoJ¬
\ No newline at end of file
diff --git a/systems/x86_64-linux/teal/clicks.services.headscale.noise_private_key_path.age b/systems/x86_64-linux/teal/clicks.services.headscale.noise_private_key_path.age
new file mode 100644
index 0000000..0a80da7
--- /dev/null
+++ b/systems/x86_64-linux/teal/clicks.services.headscale.noise_private_key_path.age
Binary files differ
diff --git a/systems/x86_64-linux/teal/clicks.services.headscale.oidc.client_secret_path.age b/systems/x86_64-linux/teal/clicks.services.headscale.oidc.client_secret_path.age
new file mode 100644
index 0000000..dbe7f40
--- /dev/null
+++ b/systems/x86_64-linux/teal/clicks.services.headscale.oidc.client_secret_path.age
Binary files differ
diff --git a/systems/x86_64-linux/teal/clicks.services.headscale.private_key_path.age b/systems/x86_64-linux/teal/clicks.services.headscale.private_key_path.age
new file mode 100644
index 0000000..ff84916
--- /dev/null
+++ b/systems/x86_64-linux/teal/clicks.services.headscale.private_key_path.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> piv-p256 xE4ypg A/1AkQXyQfF7aTIhUDAw6OJ6JO6Ro9iSN5ZGIhFiSAqL
+MLsUkgt4+JeJTB4g4XRAv/K4+BZnc1mlAXJUTilZgqE
+-> piv-p256 Hpt/+Q AyReEFiNuDH9r4fchqNmAPsT1mSSoHm3Zw6jAFdraS7U
+6/mlABCjhArVnPTOR6bYtRcQ5JnHMovpdg7s/8yxhu4
+-> piv-p256 zfskmQ A1p28F/oDFbDEFz+HdvTVEe+wYDAA2NipMJIPrGgkBL/
+LTldK7n4lNRCh2V1BzTlMsCQIgptJJlNdtLXnHAgPC8
+-> 2M%-grease W5eYe~ .~*`-F
+VRvJBX8ur65GXtjI29c0Bef463yz3mRp9g8df6K7HKZ24LrQ/Ioi/RDJe7I94MFW
+sWkryndEdA
+--- JEiQ8CXqT6FikePa0ZUfE5gnOsCwubPTJwzp8QmGjwg
+
õûþ÷t^§d+*O¢»¨J»ÇNLnÀº¦¶M:Hñm»=9ãe4.Ãõ¹Í5ø¸Ca44s}êC§S¥/l((S+'Òóþ%Ôxg5ò)ŦG1åäµOjbÍ
\ No newline at end of file
diff --git a/systems/x86_64-linux/teal/default.nix b/systems/x86_64-linux/teal/default.nix
index d09bb7f..83cacf7 100644
--- a/systems/x86_64-linux/teal/default.nix
+++ b/systems/x86_64-linux/teal/default.nix
@@ -11,6 +11,8 @@
...
}:
{
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPkKdPSPxsLdx3GUjjyibRLjLl3XfaXmfrrvemDFkjI3";
+
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
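Review bot: The `age.rekey.hostPubkey` value added at the top of this hunk is the trust anchor for every file under `secrets/rekeyed/teal`, yet nothing records where it came from or how it was checked; the deleted `.sops.nix` at least carried a comment with the command used to derive the host key. A wrong or swapped value here would silently rekey all of teal's secrets to whoever holds the matching private key, and no build step would fail. Suggest a comment above it such as `# teal's /etc/ssh/ssh_host_ed25519_key.pub, verified out of band (e.g. ssh-keyscan against the host) — every rekeyed secret is encrypted to this key` so the value can be re-verified on reinstall or key rotation. The enclosing module attribute set continues outside the hunk.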
@@ -31,7 +33,7 @@
defaults = {
email = "minion@clicks.codes";
dnsProvider = "cloudflare";
- environmentFile = config.clicks.secrets."${lib.clicks.secrets.name ./acme.sops.env.bin}".path;
+ environmentFile = config.age.secrets."clicks.security.acme.defaults.environmentFile".path;
};
};
};
@@ -49,14 +51,14 @@
issuer = "https://login.clicks.codes/realms/master";
allowed_groups = [ "/clicks" ];
client_secret_path =
- config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.oidc_client_secret;
+ config.age.secrets."clicks.services.headscale.oidc.client_secret_path".path;
};
database_password_path =
- config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.database_password;
+ config.age.secrets."clicks.services.headscale.database_password_path".path;
noise_private_key_path =
- config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.noise_private_key;
+ config.age.secrets."clicks.services.headscale.noise_private_key_path".path;
private_key_path =
- config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.private_key;
+ config.age.secrets."clicks.services.headscale.private_key_path".path;
acl =
let
internet = [
@@ -187,7 +189,7 @@
networking.tailscale = {
enable = true;
authKeyFile =
- config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths.authKey;
+ config.age.secrets."clicks.networking.tailscale.authKeyFile".path;
};
storage = {
@@ -236,22 +238,28 @@
system.stateVersion = "24.05";
- clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}" = {
- file = ./headscale.sops.json;
+ age.secrets."clicks.security.acme.defaults.environmentFile".rekeyFile = ./clicks.security.acme.defaults.environmentFile.age;
+
+ age.secrets."clicks.services.headscale.oidc.client_secret_path" = {
+ rekeyFile = ./clicks.services.headscale.oidc.client_secret_path.age;
group = "headscale";
- keys = [
- "oidc_client_secret"
- "database_password"
- "noise_private_key"
- "private_key"
- ];
- neededForUsers = false;
+ mode = "440";
+ };
+ age.secrets."clicks.services.headscale.database_password_path" = {
+ rekeyFile = ./clicks.services.headscale.database_password_path.age;
+ group = "headscale";
+ mode = "440";
+ };
+ age.secrets."clicks.services.headscale.noise_private_key_path" = {
+ rekeyFile = ./clicks.services.headscale.noise_private_key_path.age;
+ group = "headscale";
+ mode = "440";
+ };
+ age.secrets."clicks.services.headscale.private_key_path" = {
+ rekeyFile = ./clicks.services.headscale.private_key_path.age;
+ group = "headscale";
+ mode = "440";
};
- clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}" = {
- file = ./tailscale.sops.json;
- keys = [ "authKey" ];
- };
-
- clicks.secrets."${lib.clicks.secrets.name ./acme.sops.env.bin}".file = ./acme.sops.env.bin;
+ age.secrets."clicks.networking.tailscale.authKeyFile".rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
}
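Review bot: The four `age.secrets."clicks.services.headscale.*"` entries repeat the same `rekeyFile`/`group = "headscale"`/`mode = "440"` triple, which makes it easy for a fifth headscale secret to be added later with a different group or mode by accident; generating them from a name list keeps the access policy in one place (assuming `lib` is still among the module arguments, as the removed lines used it). The two remaining entries, `clicks.security.acme.defaults.environmentFile` and `clicks.networking.tailscale.authKeyFile`, set no owner, group or mode and so presumably rely on agenix's root-only defaults; a one-line comment such as `# no group/mode: root-only agenix defaults are intended, these are consumed as root` would make clear that this is deliberate rather than an omission. The outer attribute set of this module opens before the hunk.
```nix
  system.stateVersion = "24.05";

  age.secrets =
    lib.genAttrs [
      "clicks.services.headscale.oidc.client_secret_path"
      "clicks.services.headscale.database_password_path"
      "clicks.services.headscale.noise_private_key_path"
      "clicks.services.headscale.private_key_path"
    ] (name: {
      rekeyFile = ./. + "/${name}.age";
      group = "headscale";
      mode = "440";
    })
    // {
      # no group/mode: root-only agenix defaults are intended, these are consumed as root
      "clicks.security.acme.defaults.environmentFile".rekeyFile = ./clicks.security.acme.defaults.environmentFile.age;
      "clicks.networking.tailscale.authKeyFile".rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
    };
```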
diff --git a/systems/x86_64-linux/teal/headscale.sops.json b/systems/x86_64-linux/teal/headscale.sops.json
deleted file mode 100644
index 881718b..0000000
--- a/systems/x86_64-linux/teal/headscale.sops.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "oidc_client_secret": "ENC[AES256_GCM,data:du4NPJBtH/x/vgybMf7RgLQqt0GdLfG27IFv20bvxQM=,iv:LW2fCg2cR8bB5DNLYW7wxgTYJM9ox0BHlQVRDYF07T4=,tag:v8nh7QkC86rQNpEc3Y9Wlw==,type:str]",
- "private_key": "ENC[AES256_GCM,data:qfg5g4YC6fZ4jEROcbnXXxWfyuVbZK7ZFOzPJRHY3uTkmlReXPYVnlUlrPSappak/TkPvpKr5gfu8IWB9TVZ385Eg77Gzs3f,iv:CQRfNWdXwVcAETgQ7LWGVoZJ2YF/9X8r8yHP8OhKXf0=,tag:Yg3AYEEjbvOD8JvKhRURJg==,type:str]",
- "noise_private_key": "ENC[AES256_GCM,data:8tMPzIRwgO8YR0RoRne6Difn1F/p3GRHAsRWtcxP3EEo6l10TkCrfVu9H+PirRp4X813QAR8Awb2raXsPULh/Ks0AV2zD3KI,iv:r6JXp0pI7rFbihtVZNgbHgcKooA2/ejSsCrfFBPYzaA=,tag:inccJyxd+ZP/D4gwr8RFFg==,type:str]",
- "database_password": "ENC[AES256_GCM,data:3bucm72144uHrkKzBQShV78smdM=,iv:BKP8HlH1J6iF+oL8iiyFfK4oaEMJZB7AtCXhuHfJNfk=,tag:IJRzlNAcFbv0ztGl2XHVDw==,type:str]",
- "sops": {
- "kms": null,
- "gcp_kms": null,
- "azure_kv": null,
- "hc_vault": null,
- "age": null,
- "lastmodified": "2024-06-08T22:46:01Z",
- "mac": "ENC[AES256_GCM,data:jAH8yiFPnfu8uW6rPnE5KBjD0S8/64TUxh0lfgQ9t6bXYCbdc3iEY6f9O4Ytc+IAh6lxyHQPuHMtBbKHOLL1P1wc492rSaLlbgTe5lItmoAMqT0hyTDv42rY2X/pmj7jXyEvCqNw2c7bMMpv3MF70mwW+G517bTNptn7GQpG0u4=,iv:M35BmeazOqhnB36CDTLsna0cuNra+l7zD+JOonMkLrg=,tag:shyZ6vDIpftOJwl5xf+0rw==,type:str]",
- "pgp": [
- {
- "created_at": "2024-06-08T19:13:02Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4D6MHlIv4I/7ASAQdAApSEfHKLoIJg1WEUq3ZT0BrEUXp/53Oxg2pIOxEuDDgw\n7eKpufVyBr+0wxpMwYy/+g96i7k/5Degd5guwRraW5ToIZ9hC7Z61HTyjydbIfq1\n0lwBy8hlAEk4fwcsAxK0l5Xz+dQhF4Te7oRbERyzzygNYnfYr/ozpKK7aJSRx3FG\nuMgTs0DjyczKuv4LOAVyzLRaeRV1JFaAlEvXQ/DIc8OZvGyqTNEZ9YPeoA1m+A==\n=99Na\n-----END PGP MESSAGE-----",
- "fp": "BC82DF237610AE9113EB075900E944BFBE99ADB5"
- },
- {
- "created_at": "2024-06-08T19:13:02Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DxpBiwsu2o5wSAQdArUJbHBn3ldJS71e6Gfup7NawEvziU4tZQpPsCVLCjFww\neKakVSlHipeoNAqtMYKKzYK94kWPvk/4/8001oLyP89hO2k+3Nys42ARD8Pcnr6n\n0lwBw9WCRVqGUd0s09LDnnwqdAAVvYTw0duyaOqt8jsdj63B0b7TedbMgjYg8H4p\nD42iwa21FcnVD1+h5MYAXgyQrI/F8zK005e0Cp+ZYNyPafVg6DT4qhaysllzaQ==\n=Wcg5\n-----END PGP MESSAGE-----",
- "fp": "76E0B09A741C4089522111E5F27E3E5922772E7A"
- },
- {
- "created_at": "2024-06-08T19:13:02Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA9bzf+GUl7kkARAAlgpNcSOKCxpK442mG1c/L+P4lT1wZ+XlR6oYlTX0U1/M\n1a08upxNiYsTHbCV82PpEvAYTIydY8fgS16mUQWcvXXEu/3vgT66Kb5yw5AzZPjG\n8OFM9EgFImGMxUpr67qUJ4IgiofRTtTvtcVBgFAmK471nI//MZpwoUtQTrrVuAQa\nLuUCFtjb4d1/lHieeXFTsH0LFk25gyQAByTJ5iJVVOerNFHt7DY5Wa2m9cJL/6Xb\nrK8AFrjdendd9MKWo7TRdSiQyDYF10ZBe0vungTK7Yemy8RzYcHdz8fDHJvwS8pB\nrDl+VzgJwxnxXrIcbfrSQp7OTRiRT0ANCdF+qspmrqShUuDsCwPIusWJDxBPm7ab\ntiBmsLszakPk6LtYCc7cNyiBJOhLuR1tB7VEO5Ti2AIP5x5HHW86YbE6Nlzgamsa\nRMpPrINCNd0gP4TDkSmJdUA3yqS+GRqt/e0IECIfw9/rTI2X4hcBK8yFG2M6+YAs\no7cIQSmOWWJnfKrapKUZbSiTLdEXTxkGCrNIMrzGu6bLJvg3+qVF+cfaGXdqvwwc\n1pnYf/WRMHwO4DnZ8NUD4Pa7R/C40oB3ejbgcb9dXyt385WvKXQ6c95Winj6j9U7\n/AqT036CcEE0nqu9j4MY5/sCuTeZOODptrRLRbzeCFUruJ3RJACokhaU+R9dh0nS\nXAF76H99O1zYauHDjnVZUSPvkEZhaO+qvcJrK6cRDlWCSnP0e/uNH5jW1mMJeX0Z\n5g7WMFVVozjIvHySwIacUkDqIoibFK2Y2RI2TJ0vZeOXvKUhU6TWkaSlOM1Z\n=GX8j\n-----END PGP MESSAGE-----",
- "fp": "8F50789F12AC6E6206EA870CE5E1C2D43B0E4AB3"
- },
- {
- "created_at": "2024-06-08T19:13:02Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAw8Caq2TdS1qAQ/8DBFRc7DDXOUcZsfWVCaxNI78i6xvwzyDcHfuHyb+X8jO\nX0ITghV1JpWVpSpDKqLH+bRpzVyLnZkEDg5nixDYvLCmDz3Mnnsmw7YLf6tsKmog\nQ3lK9bKSECjoO/EW7CzczUj4YUCfUCP2vwANVLb+T94wL9NN+KL4F8tWVRJjb88M\nxTAZzVa8Fq21HXSFxZz8HiFNczxO018e6mqdH/a+46UMviO5PbjhYCj2ysGXPkoZ\nrIVMVnosNBtk2I8rsrtSMcNihutX9dLhaKCGcl/D85ZProXTdHa0BpXX+ZZvh0gX\nR63XfrNtzpRBwRYwFbR1AZP3bu05j+yewWJKIUrHEWU0ADbHUg6x2Goja2eTSBls\nETZRHgenAKke/8WyK7bDEqjKgeZZN6/QVgy8/kvxAT+hui2M/IzfSkQK64wiN5pR\nFOrkLckqgiwTlu6tlxwdAZNE/OYh/KRi+rjKMUVdMtAO4DY9Q/wWnwOMlNP5us4i\nkyUEuGQW2jpeDG++IuMTUHEu07ei7NlZXTpvRUIUh4upMQsow/mFqIec0co922Ba\n9eD9PkPN0a5r8RXRKvRBaDZTD533bDApqFXHeSDBE7M4GgywTD6fixRnrXh49HLo\nxUtdtAJRHeYsLfEuJFtoSFfjQ2IIB32bv2FSyo/Cky9gkVYxHcfkRlWRiUr8mDbS\nVgHrkYm0b3o+437gMXR23sp4qf2OyrhtxhaO9KN5fT36nqlAhg6i5l5k0SP19OsT\nBWPD3HqB81LHe0JKoBXPhH0+bnXJhQeYfmly9tfd1Ha0+EAbzSnp\n=H/it\n-----END PGP MESSAGE-----",
- "fp": "67c66d58ac73fd744c2b49720f026aad93752d6a"
- }
- ],
- "unencrypted_suffix": "_unencrypted",
- "version": "3.8.1"
- }
-}
\ No newline at end of file
diff --git a/systems/x86_64-linux/teal/headscale.sops.json.license b/systems/x86_64-linux/teal/headscale.sops.json.license
deleted file mode 100644
index bda0f14..0000000
--- a/systems/x86_64-linux/teal/headscale.sops.json.license
+++ /dev/null
@@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: 2024 Clicks Codes
-
-SPDX-License-Identifier: GPL-3.0-only
diff --git a/systems/x86_64-linux/teal/tailscale.sops.json b/systems/x86_64-linux/teal/tailscale.sops.json
deleted file mode 100644
index ff1483e..0000000
--- a/systems/x86_64-linux/teal/tailscale.sops.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "authKey": "ENC[AES256_GCM,data:Fpnxd58MoKDjpFWAUl9hK38p8yS6YPd0ZgdCZuIRKnEtmHXqpRcIUbcCrAuq+ja+,iv:ZOTBAJmdIdZ9WkhIoyg3Li/jSMZV8yxhrMy5TQnSCng=,tag:ZaFhr+MApSkCmPzGZWwBhw==,type:str]",
- "sops": {
- "kms": null,
- "gcp_kms": null,
- "azure_kv": null,
- "hc_vault": null,
- "age": null,
- "lastmodified": "2024-06-09T22:48:26Z",
- "mac": "ENC[AES256_GCM,data:/1hnKjEBozmYEAiISda91jsALJXo0bSC/YiMhj9GDCD8BAD74VEczSj9iTqk7pA39FLNg0+Sw8Um28azOrIe6TGFmemhnk1EkYH4k+aVGezRND/yhozvzml/UWE90sPx2xecHWUp33gfVgvbO4D8Kis0MmsSPnsopr4CAgydZkM=,iv:3OLsBKfcMJaTp4WisPczGqpVeGGxx1cr0zfFKW9XlMo=,tag:wUQDgFtJL6eCstx6dzO/mA==,type:str]",
- "pgp": [
- {
- "created_at": "2024-06-09T19:37:39Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4D6MHlIv4I/7ASAQdA/2WUVwimMMk8s37AfsuMrhBHxdeWptDHzbEB4LQ6cGEw\nU2YTgbtQF6CeCaAAgxE7+OKPFfNPH4UgziBIvxhk1RXXLoV5rnKY9WPj95a56cxH\n0l4BDJ8dgh/ufGB2ai/3hu5z1F4vPbouKv347itkaHnhnU8ljR89cx5BgAPjVeQr\nwZi6H+H6KWS0VJtR7Ygbjzdo56Q+/F3X/xEC1GjbT7ZUBYlHAXIaQNepAE7SrnIi\n=y8Hs\n-----END PGP MESSAGE-----",
- "fp": "BC82DF237610AE9113EB075900E944BFBE99ADB5"
- },
- {
- "created_at": "2024-06-09T19:37:39Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DxpBiwsu2o5wSAQdAtpXcG/TCbQeoriZPp42t1YXOYE8usTsz3bifoGfwOUEw\nDIpm35PU+onEelcNndZ2UaJh2Z6M4OWuul68KxgZwF+WrXW/pIIX+3bHNBQ9mM2i\n0l4B6o2FwoUBn9P4+G7t+rKBnGadvDWNaA1Lf+qfkS6H9ohzikwE3UxDsnLdZ0RU\nJexicnSDCa/Uoao5593wiKl4rt2QE+vma7LdwoY/oqgzg6gqZWK6kMHF49u5bA6E\n=dpw2\n-----END PGP MESSAGE-----",
- "fp": "76E0B09A741C4089522111E5F27E3E5922772E7A"
- },
- {
- "created_at": "2024-06-09T19:37:39Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA9bzf+GUl7kkARAAxci3NfjtURRnLV7bw6xJLGxfmGzynoETHRCsEk6Wqhyo\nFRGEVJzpaadqTzvLHODI7LF6gpL3jsU50LfLqUnHHoOtBSi8qLEebow/ah2dvPaX\nX7adcwx3B05YinYZXKfIP+VZXgnKxW6r0OODhKTeWQSwxzc3aLXJBpEZPBG6ndTi\ns8TyPesMZMKi60mGr8goQZqzsEjzKfUeAZgzl55Y3+/gu252ayfYD2DHNSHMD6cs\ny6lNfQ8ECLF9+p/tauBRFiYckgqRWFZakjMlqcKX8s5zucJIPPuvwjqRTOcj3R18\nupKNCuC05yAN3GormNvwGENZ7n8p+aBBbjfc5Qqq3mgPU8+oo6Uw8inTUiL1Z1CN\nPGgSL3t4I4CIL7Znh5Ib0wA/UhOYS6G0ExiLg2LAWjBhF/oRgGafUb+O9jbibfrk\nD0PVedWY6HMV29Td45+7CgMCo7DkpHgsL4T55BjUO1bX9hmyJ3ryTRJMSmovM9db\nIGiLb57f8t2VzZcvXvn9OMCcBC1BF3BHD5y70H4ROLYqE+hl5qOqvyTF2M0XOaZ7\n8PXZgZFBrIsq6dMNHQrI0DXXzROFqBw4on2nlj3iV2j/6HTrpaUY8IZ9iXQfIwfm\n83cAtbwAnpWDrty/cchX5ZJ5mvJ4FzbHaJdxkfyriK3UQHcymveGQR1D6YgXH1/S\nXgFbNKSqFuIDPJG66U9nDbOF9zhnwvF1Ztc2pH+FmIFyk9lP7SlYflx/civfWI15\n3JD9E7iDhOFKuhlJ8mFFreRaVRBELII6qE/cFm5VTic+RXsZ8CdOLABH7oOCfm4=\n=D+Ck\n-----END PGP MESSAGE-----",
- "fp": "8F50789F12AC6E6206EA870CE5E1C2D43B0E4AB3"
- },
- {
- "created_at": "2024-06-09T19:37:39Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAw8Caq2TdS1qAQ//fFgBgGmOXPYWdw7U1o8Alof3ZLtErIJDCgIc4WmY6git\nTdHcnHvDsIrI8kWEOrmr+Zz+ev0Px27BlFnsCj+p/8IUqTxxpqCdOu8rh4YPeHoD\n1ktfBxpxP1kBJKvsdmP6dwttYfm2bEEKCiIOnsJI2u+cNVszSz3UbTyuoI9CKfCL\nTgqVD3tF6P/5euFzbUHEBz+rSMDmV0OJBZ2nDupeiCwveYdGYS6qKRONcG9CZ2E6\nSayfZqvYq5ec3ETzLTTzio+fpN7aJsBMfy1DHo903Wk3MlPYyGlxrYaUdSfpjXDf\ngoEcVXN2abqjipnfJHWRhU3BDzH1f4TNHvOHuRemTqo6eickjuCp20KqBoWOYqY8\nULRH/5vfGjrEj8U2jKRbDV+FSwTDktY1lsU9u8MUPwiAANhdB691lK/pjpVfVg6C\nB800DFx7z5P84IQhsDJN4PrUmktnpMqbZ4hMhQJTzTrFpVtXDwFz15TckWK+JuyY\naqHgyvpfYFylc1Orn1uSUwqOXRl8zO335aP79Ss2hgNjfZZiFEOnRvjYipT4NvC6\n/mAWGRRrzOUzLjxT3/xcPSKFLiJ9Qx7R7VmxcoEU4Vs25DkZcpLt0y38WEH25qZZ\nO9LcarohWOb5SmSQ221TlvDFy7lm0yuoQu6mGjBMedw0y+mPQ4crASOx/C/KksLS\nWAGgSGR2jGpR1vhpmYUgX2IdPKrbk6bOAQFy1Hg2I1NzXYJBncIjKqklRrXUXDZI\n272hkAs02o7NFlS0u6qWcjiMMuhfgJn1jAqLbGnaS//CKK1fUGnjhXY=\n=c6ad\n-----END PGP MESSAGE-----",
- "fp": "67c66d58ac73fd744c2b49720f026aad93752d6a"
- }
- ],
- "unencrypted_suffix": "_unencrypted",
- "version": "3.8.1"
- }
-}
\ No newline at end of file
diff --git a/systems/x86_64-linux/teal/tailscale.sops.json.license b/systems/x86_64-linux/teal/tailscale.sops.json.license
deleted file mode 100644
index bda0f14..0000000
--- a/systems/x86_64-linux/teal/tailscale.sops.json.license
+++ /dev/null
@@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: 2024 Clicks Codes
-
-SPDX-License-Identifier: GPL-3.0-only