Commit 11ac8025f9e7
Changed files (7)
secrets/redhat/AMS2.ovpn.age
Binary file
secrets/redhat/BBRQ.ovpn.age
Binary file
secrets/redhat/krb5.conf.age
Binary file
secrets/redhat/RDU2.ovpn.age
Binary file
secrets/redhat/RHVPN.ovpn.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> piv-p256 ItIHHA AglYAOVVI8Dpr+mwSmvkO0wqbRRvz4lAfQRAORKL5zi0
+Q1txW7qii/4Iy7JP6e9runqJjnlkEYlFvvUo4/6SGSU
+-> ssh-ed25519 irMfZA Wfoq97gLQ0aOK+/xHOjfCwoKQe4WVzT0pyIVpPpS1wg
+F3cs4EvtS+Pd09w6uU4NtPjcDQj4Uz5/TjRGmO+fyB8
+-> ssh-ed25519 9N8CYA lQDpzpp6+jFLU5/+iRVG+tvgOdyQ4Iz/WN8o2g1kBF4
+DsUWpfRo0ejGDOQ5xH9PjUUzuAfTrGaz1m2s9RYW790
+--- 8u5IaBPRcYexi5GZjx7tiKTgyarB+KD1oL5Q3e15wDo
+����8`���{z����4�1�0Gd��+��P�(XO+´���oGd�M�e,W�oqJE3����1�*{���^�l���
�m�C�����)R���'�8d�}��U��C0���B-+�!��/3�rstZZ�`��yy���4���I���}�����9ۖ�����ֈ�]����P�$�wy�۸�� �ZLR�Krc{}�,-#Tv�uG������W�ORH6J���v��m�����m���\3(�4���R�|4@��
$ڢY�[dX�ݎ�K�L�)0>��ч�� 2(J�� �@�R:��n�f���]XG��[
�݊H�
��'}�B?W�!T���Q.�ik\�;!�������:�U�Zm�I�b�����t&��D��t�5�:����i+vWg����.6�����*�b ����n��
@��>��f��\����3�@�b��Fz�"������1�.w�$ܸc���l�k`�n�oO�����-��� p�D���c�����`�<�y� �Wq���S�ɷ����CYZ�
\ No newline at end of file
systems/modules/profiles/work.nix
@@ -24,41 +24,28 @@ in
})
libnotify
];
- sops.secrets."krb5.conf" = {
- inherit (common) mode owner group sopsFile;
+ # Kerberos
+ age.secrets."krb5.conf" = {
path = "/etc/krb5.conf";
};
# NetworkManager
- sops.secrets."1-RHVPN.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/1-RHVPN.ovpn";
+ age.secrets."RHVPN.ovpn" = {
+ path = "/etc/NetworkManager/system-connections/RHVPN.ovpn";
mode = "600";
};
- sops.secrets."AMS2.ovpn" = {
- inherit (common) owner group sopsFile;
+ age.secrets."redhat/AMS2.ovpn" = {
+ file = ../../../secrets/redhat/AMS2.ovpn.age;
path = "/etc/NetworkManager/system-connections/AMS2.ovpn";
mode = "600";
};
- sops.secrets."BBRQ.ovpn" = {
- inherit (common) owner group sopsFile;
+ age.secrets."BBRQ.ovpn" = {
path = "/etc/NetworkManager/system-connections/BBRQ.ovpn";
mode = "600";
};
- sops.secrets."RDU2.ovpn" = {
- inherit (common) owner group sopsFile;
+ age.secrets."RDU2.ovpn" = {
path = "/etc/NetworkManager/system-connections/RDU2.ovpn";
mode = "600";
};
- sops.secrets."PNQ2.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/PNQ2.ovpn";
- mode = "600";
- };
- sops.secrets."FAB.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/FAB.ovpn";
- mode = "600";
- };
# Certificates
sops.secrets."ipa.crt" = {
inherit (common) mode owner group sopsFile;
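Review bot: Four of the five new `age.secrets` stanzas (`"krb5.conf"`, `"RHVPN.ovpn"`, `"BBRQ.ovpn"`, `"RDU2.ovpn"`) set only `path` and never `file`, while `"redhat/AMS2.ovpn"` does set `file = ../../../secrets/redhat/AMS2.ovpn.age;`; unless `file` is supplied for those names in another module, agenix has no source for them and evaluation will fail. Each stanza should name its encrypted file the same way, e.g. `file = ../../../secrets/redhat/krb5.conf.age;`, and the secret names should follow one convention (the `redhat/` prefix is used for AMS2 only). The krb5.conf stanza also drops the `inherit (common) mode owner group` the sops version carried; if common's mode was wider than agenix's default (0400, root-owned), /etc/krb5.conf becomes unreadable to unprivileged users and their Kerberos lookups break, so set `mode` explicitly there. The enclosing module continues outside the hunk, and `sops.secrets."ipa.crt"` still depends on `common` and the sops file, so the profile now mixes both secret backends.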
secrets.nix
@@ -0,0 +1,37 @@
+let
+ vincent-yubikey5a = "";
+ #vincent-yubikey5a = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFT5Rx+4Wuvd8lMBkcHxb4oHdRhm/OTg+p5tvPzoIN9enSmgRw5Inm/SlS8ZzV87G1NESTgzDRi6hREvqDlKvxs=";
+ vincent-yubikey5c1 = "age1yubikey1q0g72w5n3zgt4qv64fkymcttqlpct0yh0rf29079h3696d6wkruakkst877"; # does this work ? Otherwise the ssh one.
+ # vincent-yubikey5c1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGHMa4rHuBbQQYv+8jvlkFCD2VYRGA4+5fnZAhLx8iDirzfEPqHB60UJWcDeixnJCUlpJjzFbS4crNOXhfCTCTE=";
+ # vincent-yubikey5c2 = "";
+ users = [ vincent-yubikey5c1 vincent-yubikey5a ];
+
+ aomi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQVlSrUKU0xlM9E+sJ8qgdgqCW6ePctEBD2Yf+OnyME"; # ssh-keyscan -q -t ed25519 aomi.sbr.pm
+ athena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/4KRP1rzOwyA2zP1Nf1WlLRHqAGutLtOHYWfH732xh"; # ssh-keyscan -q -t ed25519 athena.sbr.pm
+ demeter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqQfEyHyjIGglayB9FtCqL7bnYfNSQlBXks2IuyCPmd"; # ssh-keyscan -q -t ed25519 demeter.sbr.pm
+ kerkouane = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJguVoQYObRLyNxELFc3ai2yDJ25+naiM3tKrBGuxwwA"; # ssh-keyscan -q -t ed25519 kerkouane.sbr.pm
+ sakhalin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/PMBThi4DhgZR8VywbRDzzMVh2Qp3T6NJAcPubfXz6"; # ssh-keyscan -q -t ed25519 sakhalin.sbr.pm
+ shikoku = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH18c6kcorVbK2TwCgdewL6nQf29Cd5BVTeq8nRYUigm"; # ssh-keyscan -q -t ed25519 shikoku.sbr.pm
+ wakasu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrAh07USjRnAdS3mMNGdKee1KumjYDLzgXaiZ5LYi2D"; # ssh-keyscan -q -t ed25519 wakasu.sbr.pm
+ desktops = [ aomi wakasu ];
+ servers = [ athena demeter kerkouane sakhalin shikoku ];
+ systems = servers ++ desktops;
+in
+{
+ # Red Hat
+ "secrets/redhat/krb5.conf.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/RHVPN.ovpn.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/AMS2.ovpn.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/RDU2.ovpn.age".publicKeys = users ++ [ aomi wakasu ];
+ "secrets/redhat/BBRQ.ovpn.age".publicKeys = users ++ [ aomi wakasu ];
+ # "some-secret.age".publickeys = users ++ systems;
+ # "some-desktops-secrets.age".publicKeys = desktops;
+ # "some-servers-secrets.age".publicKeys = servers;
+ # "aomi/foo.age".publicKeys = [ aomi ];
+ # "athena/foo.age".publicKeys = [ athena ];
+ # "demeter/foo.age".publicKeys = [ demeter ];
+ # "kerkouane/foo.age".publicKeys = [ kerkouane ];
+ # "sakhalin/foo.age".publicKeys = [ sakhalin ];
+ # "shikoku/foo.age".publicKeys = [ shikoku ];
+ # "wakasu/foo.age".publicKeys = [ wakasu ];
+}
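Review bot: `vincent-yubikey5a` is bound to the empty string and still placed in `users`, so every Red Hat secret lists `""` as a recipient; an empty string is not a public key, so that YubiKey cannot decrypt anything and the agenix edit/rekey run may reject the argument outright. The RHVPN.ovpn.age header added in this same commit carries only three recipient stanzas (one piv-p256, two ssh-ed25519), which matches the declared recipients minus the empty entry, and the piv-p256 stanza also answers the `# does this work ?` question on the yubikey5c1 line, so that comment can be resolved. Until the key is known, drop the placeholder from the list: `users = [ vincent-yubikey5c1 ];`. Separately, `desktops`, `servers` and `systems` are only referenced from comments while the five entries spell out `users ++ [ aomi wakasu ]`; `users ++ desktops` says the same thing and keeps one definition of the desktop set.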