authentik yay

2025-09-07 00:11:16 +02:00 · 2025-09-07 00:11:16 +02:00 · f2fcbfb679
commit f2fcbfb679
parent d3a93fd115
34 changed files with 612 additions and 363 deletions
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@ -0,0 +1,66 @@
+victoriametrics:
+    basicAuthPassword: ENC[AES256_GCM,data:5QuhkQ344qDYzhGZBJimaX94C6oxgYBRZw4MSlycdgs6zRAudMIu/HF1gpjythQpait81jMpFhIn57w433s7QQ==,iv:gytJ63cBaJseCis7gEPmOX6LeddNloQsTjc1SnS56jo=,tag:Jn6TevGsBEeHxYmVHy896w==,type:str]
+wg:
+    psk: ENC[AES256_GCM,data:Anpe6IxtzsqZyvas+ddV3yjJozdZgZOl2KG/Z4YtWUB5gAVLtxsQKc/WA/M=,iv:j/A5k2VXbdqUDXEd1WRfJYdb3DsUZ1B9gPHCpDpRjmw=,tag:KQGi1O5iP2+nQccgBzytSQ==,type:str]
+msmtp:
+    host: ENC[AES256_GCM,data:YxiLT5t2H52IZvB02Pjntvg=,iv:nuMPI6fuvQ4U0+xj3SF27ZO/b2knKUsO6jCf9aJqQa4=,tag:9DucIq+LUozuPLL3s8UjDQ==,type:str]
+    port: ENC[AES256_GCM,data:zbe7,iv:cwoK0oCIzwmQ6xHFX94KDfd7Fu+pC96c9+AnK/KpQp4=,tag:IfsCHk0SpBeQ4bD0WXyQcw==,type:int]
+    from: ENC[AES256_GCM,data:QpUgsghc7e5OFJO8afzx6bt1,iv:ffrlbqFu2p5/uwv5MN9rf7iZSmfozYSwr3WkEvXNZhA=,tag:B3g+6WexBw6j6EgukX5LDg==,type:str]
+    user: ENC[AES256_GCM,data:H2OxJp6q1QCxBxIXThXrj+SU,iv:Cu7KFDaiqM0cuofnqkLnE6Zb6ufLw6wQRSk1pthDAAo=,tag:oM1VefUo9kK8k7lHKnxOjA==,type:str]
+    password: ENC[AES256_GCM,data:mAgsvDPzt8f/RB/2T8nrd+KUcuxUGIdCBDs5sFla5x0=,iv:qndiiKTuSpbf/gtNXPaZ6AnHHwzZ7IPJrDFriM7bKwE=,tag:5j+gjpaxIu03x1lBkRMLhQ==,type:str]
+    aliases: ENC[AES256_GCM,data:fOZRYZ8rVs3IXhiS+VaP54gF4bir66oIZvb7ZfKV,iv:bsmh1ZCwERZuHrvORP68hj5Gz7j3+K6ZW8BR3/IQVQg=,tag:jWozmXpjk3JHCINSgP4KGg==,type:str]
+sops:
+    lastmodified: "2025-09-06T16:50:17Z"
+    mac: ENC[AES256_GCM,data:QdWLok9IBqTaO3StKRiAXcMIZSV5YJQoYY+3cZZ7xARbmvn5cDqnapv3HIJju7v5V48tNG3aXy1nJHG4kKVuDIMd7s7PPjLL1k0dEsnTs4YwE8XugZX86nXuSUZeUuQNfnR9sFOKho/o/I9W5hCp0IcEgo+Bs1dD3IvYxuv6Nzk=,iv:IHEDtI6lo76qPgBvBETg/SiT/tfFivN8r8J7tt93IbQ=,tag:ifW8UVaf5r8Y9HUUtCkAQQ==,type:str]
+    pgp:
+        - created_at: "2025-09-06T16:37:33Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hL4DAAAAAAAAAAASBAMEo8G+ATJBHsaSSDlUcbO8DIUVsdkQX89uewGyB6VB0bsl
+            PYyC465BriUoCYLuob8JFkVvHL1fkcRf4+EAZv9Zuqm05iOBEFxizRn2s9OXshfO
+            B58S3aWlCMPi40OT8zpdtABeKYH8FwVuG2y+JxFJgXZ1dyrT72QvqnIilaphMdkw
+            8fTx8Z33q0Mr0Qpw9QViOYlGYH1noFdwtv37kxrBOGSibXLaux9yksvw2tR0iZbE
+            0lwBffsODaWMDRpxKN/w5d/G+x6LD4T3kjJHo8pXfElPowLyYJVEg9xGxm5UZvTR
+            UpAKltoDQ5URiWMcHfFd9LlMqVzNC3I3hCdQdgyDhyypHjjKTRriUav5q9eXVw==
+            =eIGU
+            -----END PGP MESSAGE-----
+          fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
+        - created_at: "2025-09-06T16:37:33Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQv/eHdSXzib4ebCSgYp+JklSTfhRpwk5dX+D+dgJyvz1TVI
+            eIuuCbKHMSGr9GJbyxhoZ9I0tZ3AL+vmYy4gKa3uQWrP/D1Zc4oZ8nYj4+saMD+W
+            OUmV+o0u7MMpGQqi5HSWGHyxCc+S+dT/14rYDPh2iPw15h5hCG43KlM6OoL2gG0a
+            0HJ57y6DjzdCzJ66MDKeXSac7GI4lsf+8yimK1MvXtXJ3w6qxvY8Mar+k2QKrAT+
+            QBAt22oJHz31X4xGeD9Ns4MJiEfYYRLgzh8INW0UTOi/2tSWvroFKRFJt9hZD4Ey
+            ar8yqSMp1GPEBUkluJPLcOACq3l4IExmqscp1QhhHp7m/+dJfEKq8Xf5WkBkeiiS
+            QnNowMDjbfdY/4Bwt2995AjDBYeU0w03Aw+wsMH81Zio/J4bbLIcQ7pO5cEpfT+R
+            ItC0f7DlLjKkQxvi9n2aYIWzDQA908yy1JIlk/UKqiH4x8ACtcp+9/HVu9Rv6sv+
+            6CWZcRLPL9C3bHlff5hV0lYBiGwXZVn5Vjgq+J08vyZth1e0EhjQTkyVFoek8uxS
+            kah0UxAcQA9978NYwyYdGPSq6eyZSf79ZwmB/KL9jCqV9CEGnVTBlEm46y9xCkMR
+            SeTVXQInPQ==
+            =ISty
+            -----END PGP MESSAGE-----
+          fp: fada7e7be28e186e463ad745a38d17f36849d8a7
+        - created_at: "2025-09-06T16:37:33Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMAwAAAAAAAAAAAQv9FqBlKRGJgVzJg9sWKdmqPnUVffGETE/0/qeI68hxzeUo
+            Axx1Ff3xjUSQYTUrLpVwHCOIT+3r1RtSMgZYIIMJsbPvffssTR9dJeE/BsCLvMLM
+            AbfNvPyoSKDi3cHQ4UoqGuy/GwTuXaWNM9ilBhdBDv87MfeC+UEkqXJ5gWjUu7uH
+            vS0LwcwmvikRBK7poES/i1kaRStvCIF2biOVYAzB9IMLt+sltsngZUtefVk1UuKi
+            sj9iTxFpfYfEoA0bA1YfUw//STqxvmlC8doYWH2TfIn93HNi74bZ5mFu2JDnY0pU
+            pfodbhY7ltPHqo+mOKvSVDtVrdQkOZyjI33wXcS8vyWxt0EVHH3kVtbWH80J0+pR
+            Tz72bpW1wUKXwCXg7gKfLJFJ5kGNUkARVw/tD1/ZzcFqJ9NJz1c4jdtvzWlYqRxG
+            XlcRcRCfZmlrV96QD9Ai2IdIj5IgLFcrOZehHvH2rXjVWqoThWK6gvn9irPGsurW
+            d+Se7fP8UWZMXPOTCQII0lYBuZfd3BFbe5Xfx9hW4vazWddbKFXakylSy4M8WSOq
+            nCKLNTMvinlb4QPWKGsDnQvlu4fMus1vINnvthphEs7dKBO0TQyoRZ0fO7hBiOUX
+            OKJvcyTUrA==
+            =qv0p
+            -----END PGP MESSAGE-----
+          fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/secrets/deploy-secrets.py
+++ b/secrets/deploy-secrets.py
@ -1,51 +0,0 @@
-#!/usr/bin/env python
-
-import subprocess
-import sys
-import argparse
-import json
-
-parser = argparse.ArgumentParser()
-parser.add_argument("flake")
-parser.add_argument("-f", "--force", action='store_true')
-args = parser.parse_args()
-
-NIX_OUTPUT_JSON_PATH = subprocess.run(["nix", "build", f"{args.flake}.config.xyno.secret-output", "--no-link")
-HOSTNAME = subprocess.run(["nix", "eval", f"{args.flake}.config.networking.hostName", "--raw"])
-
-nix_output_json
-
-with open(NIX_OUTPUT_JSON_PATH, "r") as f:
-    nix_output_json = json.load(f)
-
-def run_ssh(command):
-    return subprocess.run("ssh", HOSTNAME, command)
-
-def check_tpm():
-    return run_ssh("systemd-analyze has-tpm2").returncode == 0
-
-def push_secret(secret_name, secret_content):
-
-    if !args.force && secret_name in run_ssh("systemd-creds list"):
-        print(f"[INFO] secret {secret_name} exists on target, skipping")
-        print(f"[INFO] run with --force to skip")
-        return
-    
-    command 
-    if secret_content["random"] != null:
-        command = f"openssl rand -hex {secret_content["random"]} | systemd-creds encrypt - {secret_name}"
-    else if secret_content["ageFile"] != null:
-        secret_output = subprocess.run(["rage", "-d", secret_content["ageFile"]])
-        command = f"echo '{secret_output}' | systemd-creds encrypt - {secret_name}"
-    else if secret_content["command"] != null:
-        secret_output = subprocess.run(["sh", "-c", secret_content["command"]])
-        command = f"echo '{secret_output}' | systemd-creds encrypt - {secret_name}"
-    else:
-        print(f"[ERROR] no secret content set for {secret_name}: {secret_content}")
-        return
-    run_ssh(command)
-
-    
-
-for secret_name, secret_content in nix_output_json:
-    push_secret(secret_name,secret_content)
--- a/secrets/nixos-module.nix
+++ b/secrets/nixos-module.nix
@ -1,56 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-with lib;
-let
-  cfg = config.xyno.secrets;
-  json = builtins.toJSON cfg;
-
-in
-{
-  options.xyno.secret-output = lib.mkOption {
-    type = types.str;
-  };
-  options.xyno.secrets = mkOption {
-    type = types.attrsOf (
-      types.submodule {
-        options = {
-          random = mkOption {
-            type = types.nullOr types.int;
-            default = null;
-            description = ''
-              have the secret be a random hex string with n bytes
-            '';
-          };
-          ageFile = mkOption {
-            type = types.nullOr types.str;
-            default = null;
-            description = ''
-              have the secret be a age encrypted file
-            '';
-          };
-          command = mkOption {
-            type = types.nullOr types.str;
-            default = null;
-            description = ''
-              have the secret be the output of a command (impure grrrrr)
-            '';
-          };
-        };
-      }
-    );
-  };
-  config = {
-    systemd.tpm2.enable = true;
-    boot.initrd.systemd.tpm2.enable = true;
-    # TODO: ensure secrets are loaded in activation script
-
-    xyno.secret-output = pkgs.writeFile "xyno-secret.json" json;
-    environment.systemPackages = [
-      pkgs.openssl # needed for random secrets
-    ];
-  };
-}