# Recipient definitions for the agenix rules that follow: each binding is a
# public key, and the lists group them by role. Nothing in this part is secret,
# but every key named here can decrypt whatever it is listed against below.
let
  # --- Operator identities -------------------------------------------------
  # age-plugin-yubikey recipients (`age1yubikey1…`). The author had not yet
  # confirmed that these work end to end. Plugin recipients need the
  # `age-plugin-yubikey` binary on PATH wherever files are encrypted, edited or
  # rekeyed.
  vincent-yubikey5c1 = "age1yubikey1q0g72w5n3zgt4qv64fkymcttqlpct0yh0rf29079h3696d6wkruakkst877";
  vincent-yubikey5c2 = "age1yubikey1qdj6ld6dlcumxq59xy2xrdl22yu6pc46zyu3mvxe6s9h6kesdm5kcm320qe";

  # SSH-format keys for the same tokens, left disabled as the intended fallback.
  # NOTE(review): age's built-in SSH recipient support covers ssh-ed25519 and
  # ssh-rsa only, so these ecdsa-sha2-nistp256 keys would likely be rejected as
  # recipients -- confirm before relying on them.
  # vincent-yubikey5a = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFT5Rx+4Wuvd8lMBkcHxb4oHdRhm/OTg+p5tvPzoIN9enSmgRw5Inm/SlS8ZzV87G1NESTgzDRi6hREvqDlKvxs=";
  # vincent-yubikey5c1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBFzxC16VqwTgWDQfw2YCiOw2JzpH3z9XgHtKoHhBdHi2i9m9XUc7fIUeEIIf7P8ARRNd8q5bjvl8JY7LtPkNCU=";

  # Operators are added to every rule so they can always edit and rekey.
  users = [
    vincent-yubikey5c1
    vincent-yubikey5c2
  ];

  # --- Host identities -----------------------------------------------------
  # SSH ed25519 host public keys; presumably each machine decrypts with the
  # matching host private key (agenix's default identity) -- confirm against
  # the host configuration.
  # Most were collected with ssh-keyscan, which does not authenticate the
  # answer it gets. A secret encrypted to a wrong key is readable by whoever
  # holds that key's private half, so compare each value with the host's own
  # /etc/ssh/ssh_host_ed25519_key.pub (or its fingerprint over a trusted
  # channel) before adding or changing it.

  # Servers
  aion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAXDNi2KtoRU83y/V5OWnMbFWmxwBknPmrNWV4RChE7R"; # ssh-keyscan -q -t ed25519 aion.sbr.pm
  aix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoUicDySCGETPAgmI0P3UrgZEXXw3zNsyCIylUP0bML"; # ssh-keyscan -q -t ed25519 aix.sbr.pm
  aomi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQVlSrUKU0xlM9E+sJ8qgdgqCW6ePctEBD2Yf+OnyME"; # ssh-keyscan -q -t ed25519 aomi.sbr.pm
  athena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/4KRP1rzOwyA2zP1Nf1WlLRHqAGutLtOHYWfH732xh"; # ssh-keyscan -q -t ed25519 athena.sbr.pm
  carthage = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDurbEy1PiidOirbiPXz84ySdv3rwosPTAlCqacc73a"; # ssh-keyscan -q -t ed25519 carthage.sbr.pm
  demeter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqQfEyHyjIGglayB9FtCqL7bnYfNSQlBXks2IuyCPmd"; # ssh-keyscan -q -t ed25519 demeter.sbr.pm
  kerkouane = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJguVoQYObRLyNxELFc3ai2yDJ25+naiM3tKrBGuxwwA"; # ssh-keyscan -q -t ed25519 kerkouane.sbr.pm
  # NOTE(review): no provenance is recorded for nagoya's key.
  nagoya = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfep1SkMsAPHggXFLfEJNzZb7eoihtkqDeQruG+TbhF";
  rhea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFH3Lk4bRgNyFRK/Hzg1PvVbL/dpyI1SmLJFkb6VQDw"; # ssh-keyscan -q -t ed25519 rhea.sbr.pm
  sakhalin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/PMBThi4DhgZR8VywbRDzzMVh2Qp3T6NJAcPubfXz6"; # ssh-keyscan -q -t ed25519 sakhalin.sbr.pm
  shikoku = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH18c6kcorVbK2TwCgdewL6nQf29Cd5BVTeq8nRYUigm"; # ssh-keyscan -q -t ed25519 shikoku.sbr.pm

  # Desktops
  kyushu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd795m+P54GlGJdMaGci9pQ9N942VUz8ri2F14+LWxg"; # ssh-keyscan -q -t ed25519 kyushu.sbr.pm
  okinawa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8vCZ0h6geJZt6i5k6chEDZBggoyq91Z+oNSjvVeSfW"; # From globals.nix

  # Disabled host: not a member of any group below.
  # wakasu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrAh07USjRnAdS3mMNGdKee1KumjYDLzgXaiZ5LYi2D"; # ssh-keyscan -q -t ed25519 wakasu.sbr.pm

  # --- Groups --------------------------------------------------------------
  servers = [
    aion
    aix
    aomi
    athena
    carthage
    demeter
    kerkouane
    nagoya
    rhea
    sakhalin
    shikoku
  ];
  desktops = [
    kyushu
    okinawa
  ];
  # Every managed machine; a rule that uses this is readable fleet-wide.
  systems = servers ++ desktops;
in
# agenix rules: each attribute names an encrypted file and lists the public
# keys able to decrypt it. `users` (the operator keys from the enclosing let)
# is part of every rule; the remaining entries are the hosts that consume the
# secret.
# Dropping a key from a rule only takes effect after `agenix --rekey`, and it
# does not withdraw ciphertext already present in repository history or on the
# host, so rotate the underlying secret as well when removing a recipient.
let
  # Machines allowed to read the Red Hat VPN, Kerberos and CA material. Named
  # once so the thirteen rules below cannot drift apart.
  redhatHosts = [
    aomi
    kyushu
    okinawa
  ];
  # Hosts that read the *arr exporter API keys.
  exportarrHosts = [
    rhea
    aion
  ];
in
{
  # ATProto PDS secrets
  "secrets/carthage/pds.env.age".publicKeys = users ++ [ carthage ];
  # Restic backup password for carthage
  "secrets/carthage/restic-aix-password.age".publicKeys = users ++ [ carthage ];

  # Mail passwords
  "secrets/mails/icloud-vdemeester.age".publicKeys = users ++ [ athena ];

  # Red Hat
  "secrets/redhat/krb5.conf.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/RHVPN.ovpn.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/AMS2.ovpn.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/RDU2.ovpn.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/BBRQ.ovpn.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/ipa.crt.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/2022-RH-IT-Root-CA.pem.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/Eng-CA.crt.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/newca.crt.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/oracle_ebs.crt.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/pki-ca-chain.crt.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/RH_ITW.crt.age".publicKeys = users ++ redhatHosts;
  "secrets/redhat/win-intermediate-ca.cer.age".publicKeys = users ++ redhatHosts;
  # Readable by every machine, unlike the rest of the Red Hat set.
  # NOTE(review): confirm the servers need this file.
  "secrets/redhat/redhat.pem.age".publicKeys = users ++ systems;

  # Others
  # Readable by every machine.
  # NOTE(review): if this PEM includes the minica private key, any host could
  # issue certificates under it -- confirm it holds only what all hosts need.
  "secrets/minica.pem.age".publicKeys = users ++ systems;
  "secrets/shikoku/aria2rpcsecret.age".publicKeys = users ++ [ shikoku ];
  "secrets/rhea/gandi.env.age".publicKeys = users ++ [
    rhea
    aion # For XMPP ACME DNS-01 challenge
  ];
  "secrets/rhea/exportarr-sonarr-apikey.age".publicKeys = users ++ exportarrHosts;
  "secrets/rhea/exportarr-radarr-apikey.age".publicKeys = users ++ exportarrHosts;
  "secrets/rhea/exportarr-lidarr-apikey.age".publicKeys = users ++ exportarrHosts;
  "secrets/rhea/exportarr-prowlarr-apikey.age".publicKeys = users ++ exportarrHosts;
  "secrets/rhea/exportarr-readarr-apikey.age".publicKeys = users ++ exportarrHosts;
  "secrets/rhea/exportarr-bazarr-apikey.age".publicKeys = users ++ exportarrHosts;
  "secrets/rhea/jellyfin-auto-collections-api-key.age".publicKeys = users ++ [ rhea ];
  "secrets/rhea/jellyfin-auto-collections-jellyseerr-password.age".publicKeys = users ++ [ rhea ];
  "secrets/rhea/jellyfin-favorites-sync-api-key.age".publicKeys = users ++ [ rhea ];
  "secrets/rhea/jellyfin-favorites-sync-ssh-key.age".publicKeys = users ++ [ rhea ];
  "secrets/rhea/webdav-password.age".publicKeys = users ++ [ rhea ];
  "secrets/sakhalin/grafana-admin-password.age".publicKeys = users ++ [ sakhalin ];
  "secrets/sakhalin/grafana-secret-key.age".publicKeys = users ++ [ sakhalin ];
  # One token shared by six hosts: exposure on any of them exposes it for all.
  "secrets/sakhalin/ntfy-token.age".publicKeys = users ++ [
    sakhalin
    aion
    okinawa
    rhea
    kerkouane
    carthage
  ];
  "secrets/sakhalin/homeassistant-prometheus-token.age".publicKeys = users ++ [ sakhalin ];
  "secrets/demeter/mosquitto-homeassistant-password.age".publicKeys = users ++ [ demeter ];
  "secrets/aion/restic-aix-password.age".publicKeys = users ++ [ aion ];
  # OpenCode web on okinawa
  "secrets/okinawa/opencode-password.age".publicKeys = users ++ [ okinawa ];
  "secrets/okinawa/groq-api-key.age".publicKeys = users ++ [ okinawa ];
  "secrets/okinawa/openrouter-api-key.age".publicKeys = users ++ [ okinawa ];
  "secrets/okinawa/gemini-api-key.age".publicKeys = users ++ [ okinawa ];
  # Daneel XMPP bot on okinawa
  "secrets/okinawa/xmpp-research-bot-password.age".publicKeys = users ++ [ okinawa ];
  "secrets/rhea/restic-aix-password.age".publicKeys = users ++ [ rhea ];

  # Harmonia binary cache signing keys: each one is readable only by the host
  # named in the file, plus the operators.
  "secrets/harmonia/aion-signing-key.age".publicKeys = users ++ [ aion ];
  "secrets/harmonia/okinawa-signing-key.age".publicKeys = users ++ [ okinawa ];

  # SearXNG on sakhalin
  "secrets/sakhalin/searxng-secret-key.age".publicKeys = users ++ [ sakhalin ];

  # Flux website generator on carthage
  "secrets/carthage/flux-github-token.age".publicKeys = users ++ [ carthage ];
}