# Agenix recipient map (secrets.nix).
#
# Each attribute names an encrypted file and lists the SSH public keys that
# agenix encrypts it to; only holders of the matching private keys can decrypt.
# Create or edit a secret with `agenix -e <secret>.age`.
#
# Only public keys live in this file. After changing a recipient list, rekey the
# existing files (`agenix -r`) so the ciphertext matches it. Dropping a key does
# not revoke access to ciphertext already committed to version control: rotate
# the secret value itself when a key or machine is retired or compromised.

let
  # --- Users -----------------------------------------------------------------
  jsp = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHm7lo7umraewipgQu1Pifmoo/V8jYGDHjBTmt+7SOCe jsp@remus";

  # --- Hosts -----------------------------------------------------------------
  # The trailing comment field of each key is informational only.
  alastor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwkC1CiWpLB10NNVaJwu4LSyiL0wM7ExI1VoKqIsgeG root@alastor-vnic";
  # NOTE(review): the comment field reads jsp@Dippet, so this may be a user key
  # rather than the machine's host key. Confirm it matches the identity agenix
  # decrypts with on dippet.
  dippet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqi0ZRAHUqBL4zolSeVTgp1oZ6HKD+Hq5AktpLolely jsp@Dippet";
  horace = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYGMXvsqRFPCtDLSq65TzJPYx+Nz675+RbTY4ox/9Gw root@nixos";

  # --- Recipient groups ------------------------------------------------------
  users = [ jsp ];
  hosts = [ alastor dippet horace ];

  # Every user key followed by every host key.
  # NOTE(review): a secret encrypted to this group is readable by any one of
  # the listed machines. Which machines actually consume each secret is not
  # visible from this file; where it is fewer than all of them, a narrower list
  # limits what a single compromised host exposes.
  everyone = users ++ hosts;

  # The user key plus the alastor host only.
  jspAndAlastor = [ jsp alastor ];

  # Wraps a key list in the attribute shape agenix reads.
  encryptedFor = keys: { publicKeys = keys; };
in
{
  # frp authentication token: the secret shared between frps (server) and the
  # bore clients.
  "frps-token.age" = encryptedFor everyone;

  # Cloudflare API credentials for the ACME DNS challenge.
  # Format: CF_DNS_API_TOKEN=xxxxx
  "cloudflare-credentials.age" = encryptedFor jspAndAlastor;

  "cloudflare-credentials-witcc.age" = encryptedFor jspAndAlastor;

  # Bore client token for client machines (remus, etc). Holds the same value as
  # frps-token and is kept as a separate file for clarity, so a rotation has to
  # update both files.
  "bore-token.age" = encryptedFor everyone;

  # Tangled Knot server secret.
  # Generate with: openssl rand -hex 32
  "knot-secret.age" = encryptedFor everyone;

  "pds.age" = encryptedFor jspAndAlastor;

  # If Resend SMTP is used, its API key goes in this file as well.
  "pds-mailer.age" = encryptedFor jspAndAlastor;

  # WiFi passwords for the NixOS machines.
  # Format: NETWORK_PSK=password
  "wifi-passwords.age" = encryptedFor everyone;

  # GitHub token for the knot-sync service.
  # Format: GITHUB_TOKEN=ghp_xxxxx
  "knot-sync-github-token.age" = encryptedFor everyone;

  # GitHub Personal Access Token for the Claude Code MCP server.
  # Format: ghp_xxxxx (the bare token, no prefix)
  "claude-github-token.age" = encryptedFor everyone;

  # Atuin sync: the raw encryption key for shell history sync.
  "atuin-key.age" = encryptedFor everyone;

  # Espanso sensitive text expansions.
  # Contains: email addresses, EINs, personal addresses
  "espanso-secrets.age" = encryptedFor everyone;

  # Wakatime API key.
  # Format: api_key = xxxxx
  "wakatime-api-key.age" = encryptedFor everyone;

  # NPM registry tokens.
  # Contains: npmjs.org and GitHub packages auth tokens
  "npmrc.age" = encryptedFor everyone;

  # Restic backup secrets (for B2 or any S3-compatible storage).
  #   restic/env.age:      B2_ACCOUNT_ID and B2_ACCOUNT_KEY (or AWS_ACCESS_KEY_ID, etc.)
  #   restic/repo.age:     repository URL (e.g., b2:bucket-name:/path)
  #   restic/password.age: repository encryption password
  "restic/env.age" = encryptedFor jspAndAlastor;
  "restic/repo.age" = encryptedFor jspAndAlastor;
  "restic/password.age" = encryptedFor jspAndAlastor;

  # Strings pastebin server secrets.
  # Format: AUTH_PASSWORD=yourpassword
  "strings-hogwarts.age" = encryptedFor jspAndAlastor;
  "strings-witcc.age" = encryptedFor jspAndAlastor;

  # Strings CLI credentials, for use on client machines.
  # Format: STRINGS_USER=username\nSTRINGS_PASS=password
  "strings-cli.age" = encryptedFor everyone;
}