init

2026-05-08 06:50:11 -04:00 · 2026-04-15 20:58:07 -04:00 · 2026-04-15 20:58:07 -04:00 · 864c69fe61
commit 864c69fe61
147 changed files with 11233 additions and 0 deletions
--- a/secrets/README.md
+++ b/secrets/README.md
@ -0,0 +1,68 @@
+# Secrets Management
+
+```
+secrets/
+├── system/     # System-level secrets (WiFi, VPN, etc.)
+└── user/       # User-level secrets (password-store, API keys, etc.)
+```
+
+## Prerequisites
+
+Age identity files are stored in `src/user/config/keys/age/` and deployed automatically.
+
+```bash
+# For testing with a local key:
+age-keygen > src/user/config/keys/age/local
+
+# For Yubikey (see "Migrating to Yubikey" below):
+age-plugin-yubikey --identity > src/user/config/keys/age/yubikey
+
+# Add the public key to .sops.yaml in repo root
+```
+
+After rebuild, the identity is written to `~/.config/sops/age/keys.txt`.
+
+## Adding Secrets
+
+1. Create or edit a YAML file:
+   ```bash
+   vim secrets/system/example.yaml
+   ```
+
+2. Encrypt in place:
+   ```bash
+   sops -e -i secrets/system/example.yaml
+   ```
+
+3. Reference in NixOS config:
+   ```nix
+   sops.secrets."SECRET_NAME" = {
+     sopsFile = path/to/example.yaml;
+   };
+   ```
+
+## Editing Secrets
+
+```bash
+# Opens decrypted in $EDITOR, re-encrypts on save
+sops secrets/system/wifi.yaml
+```
+
+## Viewing Secrets
+
+```bash
+# Decrypt to stdout
+sops -d secrets/system/wifi.yaml
+```
+
+## Removing Secrets
+
+1. Remove from NixOS config
+2. Delete the encrypted file or remove the key from it via `sops`
+
+## Re-keying (after adding/removing age keys)
+
+```bash
+# Update .sops.yaml with new keys, then:
+sops updatekeys secrets/system/wifi.yaml
+```
--- a/secrets/system/cameras.yaml
+++ b/secrets/system/cameras.yaml
@ -0,0 +1,17 @@
+RTSP_USER: ENC[AES256_GCM,data:yketGXU=,iv:KQVYzBjzkkDepiD+hjGWLjvyC3iySK6JMZ9Fyrdo1Eo=,tag:7sHqOYROk6qNd56xWex1Bw==,type:str]
+RTSP_PASS: ENC[AES256_GCM,data:QGfg7bZVdGAjuw==,iv:uS/6XpHlMgpZ812tVxGFjwMeyqX5YvfBNJUVuc0C+z8=,tag:5SIdu/yGVxzhYclyOUrOCg==,type:str]
+sops:
+    age:
+        - recipient: age198jg29ryg3c0qj3yg6y9ha4ce2ue4hjdaa9kalf49fxju74dhchsquvjzp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSys1ZzdwRmRybkR2TGFn
+            RG1wVGI4aTNkYTZpOUtUSlBJQTVnU1JsdmpzCklLdUY0K1ZjSzhId3NVNXcvUWl0
+            eE95cmVHWGNsZVNYWHQvSXlNZjl5WWMKLS0tIFBpek81aGlhUXUxWm91ZjV1RFk0
+            SzZFalY2NXJOMFNSVFVxbDZPb1Q1amsKaDZqJvFfqxhqVcd5ldRHC+3XC/lBb9N7
+            VUQ/hQZM5a1WUk321Y2bBXTN6cE/06UYrl6HXwZgxTVydou4eHywww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-15T06:01:25Z"
+    mac: ENC[AES256_GCM,data:EwPCYlEKUgjcrZ0c75UH7n9FjkbF+WEMQzJ7Xb1+fXkD0zIIVgjudgCNtwwJTbSVupyuCVcJfCKN9n4kBpG+HyIqDZQl1MTy5YzcvvMoj3rkPLIRMfkLXFs4FRe/cFKFdxARbQrlEJqfgQME8/M07Bl+VcZRIq0mz7HlrxZFbgg=,iv:WDGCSNFT8l+MEOQCWSDDtYTj9gdDoCk+kl8UdQg+9mw=,tag:4b9vRle/waBqQX284cIiNA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
--- a/secrets/system/llama.yaml
+++ b/secrets/system/llama.yaml
@ -0,0 +1,25 @@
+LLAMA_API_KEY: ENC[AES256_GCM,data:ZVDpwGAxnHbHxt+JW3mYGyyBU5JfFAbjc/byq6Ok9wTlpQZBx969Z0wV74F5pR4axmpdGs7XlZDh1rJaQTn7lg==,iv:oAG9G25x+1FRkRNBRzLW2UJmbSxgx5Cu64Qo/6VzAyw=,tag:nkO/SdzjjLxH4fkgIdwUYQ==,type:str]
+sops:
+    age:
+        - recipient: age17ejyzyk52unr6eyaa9rpunxpmf7u9726v6sx7me3ww3mdu5xzgjqsgj9gl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUmV6Q2dCMWU3TUFkZ0I0
+            dHA3dXd2U0RSRzNtL3YvdG8rYWdnOTZoTkMwCkNnYnVlVmMyRDNnS1FmWktlNU9N
+            UW1OMlJYODVzSHNIZWZMRkpPY05Ed3cKLS0tIDg0b0VkT0NrS3NIWE9EdWtWYXc1
+            NjNESHpYbVptcnVRYWFKb3RlYkJ6OWMK3JsRXPDvJdKv2UyYIH8kr/WKbXgUDXbc
+            fYOD0Huo73BA0vr8PlrsF4STVgJr/arKCMdI1C0bDdcwjExKnR1tIw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age198jg29ryg3c0qj3yg6y9ha4ce2ue4hjdaa9kalf49fxju74dhchsquvjzp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGNKOWczaityaXowWi9I
+            dmh0MjJoelV3bVlzeGpLZmVTVzJjckwwQUFzCk81ZHlTcm5oWHRQNklreUR4bWNS
+            OVdQelQ4YXkzeWZqOWZoNWlOVkZpWUkKLS0tIDZKQUU3LzV0UUhnRHVHQkFadkxm
+            djRyUEYyZ2srMlVxR0JtQlFqSWV1QWcKMIF9Sq4TUUmpVZAukjTjFbIrMxcE3+el
+            QSrHIm1HXLXwCKLDQ2N6b8Q9iUo/XMV0wsD3TLxdnUfegpQpfsDhag==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-14T05:45:37Z"
+    mac: ENC[AES256_GCM,data:G+o6OhNF5AFBDKQEU3f1MZ+GOkxQj/m7NNk4Ti8PxPPOHdByoCrauvgB78SdQf5ubcfupElcNB0yF5QsG3/m7eGaSA+8J0cDL6jB3NEE5EUbW1Fuzzg2Ez1JnFu4BstkLiDRD/TribXMNFAjykmNrHt4zee6fhU3H0MOn7+Acok=,iv:IqBLSBq1kOMRHQn1IvU8OgmWGn6EFJcef/rNr38txmY=,tag:/mSWgbPbhUNoIm3x+6zyRA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
--- a/secrets/system/searxng.yaml
+++ b/secrets/system/searxng.yaml
@ -0,0 +1,16 @@
+SEARXNG_TOKEN: ENC[AES256_GCM,data:6hI9+Gk9D7OjgcNV7WHUkcT8Kzta+QbJ8bq5uDv1AU/n1lpD/41RSWAZ91v5f0VSAldKvDMIuRdjxmKaE0ITOA==,iv:LURC0t6YwectCMllBBx8TIGxM80vXS84pkvczmWtO6U=,tag:ZSRbU7B+LKsLw8R7Yi9uzg==,type:str]
+sops:
+    age:
+        - recipient: age198jg29ryg3c0qj3yg6y9ha4ce2ue4hjdaa9kalf49fxju74dhchsquvjzp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNWkRjc0xWR3o5ZFlnUXRY
+            bnNKUWhNL3dFcnJ0a0tLZHNuRU1obEwzam44CjczSEEvdVUyUXN5MEpsYnA5Y3NQ
+            M2N6VXZpM3ZxMHd0ZWV1MG5qT3ZnZzgKLS0tIGN3UG01eW4xZ1A4bkF3TzNKVkdv
+            eE9uRmpId2R5VTJSeDhRVUkvSWt4RHMK/oXVHDAWN5SY/4hPCm0QsTo2ubBD+uBf
+            fOZr/4HNDOyq8AIfbRVbilC7l/Ozg8snu8chRo1keCjqHp+Pt+Yzhw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-13T19:21:23Z"
+    mac: ENC[AES256_GCM,data:qxBRF1wSTXeFEvjs+5HiRmk6wqt1Rtx1kNFigpqicfd/IJsZTJY/6g3SmZXrJNkpkYwyOBNlblGfLAfKMWm6/eg1KYBJHlSAAqkH/xECdDqKY0rTkMj3rfPTZzLGmi4kVp6v8jg9OO5SwK8sLGtbaK2S/VjdTI0NXlMMnsB30Sg=,iv:GacmqywEsxCyKQKmCPu42uyqy6Q0JhR7STDAMFvW7kQ=,tag:G1Lbu6DKuO5yLWs6kXjwHA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
--- a/secrets/system/wifi.yaml
+++ b/secrets/system/wifi.yaml
@ -0,0 +1,19 @@
+WIFI_HOME_SSID: ENC[AES256_GCM,data:xZl6DE4=,iv:koEKZTW3O+bctlwoSzZCBLRT4iG380RmP/olukUd8Xc=,tag:4HM6d+FslbM1hRYcn3JTqA==,type:str]
+WIFI_HOME_PSK: ENC[AES256_GCM,data:jyC4VXzhpIE=,iv:fN33x0y4kmRrPQe7ydWGdeTQaR5a3ekBaUKHX9FpHk0=,tag:tQUUj5LU6kidYTTI2RWf8w==,type:str]
+WIFI_CAMS_SSID: ENC[AES256_GCM,data:yJ/oUCfSbaw=,iv:foswCMqFLOUyPQP9KL08Mhix0j2+Jt4sHHaPV49RFe4=,tag:rBG9IyQDmbNsUp4E+tnmZg==,type:str]
+WIFI_CAMS_PSK: ENC[AES256_GCM,data:VlVxqxbHof6rmqSRJrXEQsT15BNl1lrghg==,iv:B6si07a0Z5ZJfMkK0HN9fa5zvQDzf7lvIQt1ZBpBZdk=,tag:21622mki8lITWA5fh7bKrg==,type:str]
+sops:
+    age:
+        - recipient: age17ejyzyk52unr6eyaa9rpunxpmf7u9726v6sx7me3ww3mdu5xzgjqsgj9gl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuaFRWRnNGVm9TTkhJVFAv
+            RWQ1Q2Q3RStBa0E4V2hFYUV2ZHFPZnJGdkFJClY0WThYbWk2Nmx6V0g4UU9WSGRZ
+            bFpNalZJRlZyWjFTMU1JK1dpWndPS3cKLS0tIHI0M3ZUVlI3TTV6c2h1WmdrdW1l
+            VWtxaFNVUUFHT20xVTZpSjVWRHozTzQKAAsNbFf6bU6eelqOX7Ei+Zrtw0aw0WgQ
+            5zOWrxd92MaG/AvVpL0jC1LuWtZeK3MK7Qpgtm8t0rgugUas16KYpA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-15T06:25:12Z"
+    mac: ENC[AES256_GCM,data:+Lhmcr2Jg1htfcMMMPu8AxrDhvlm4yLVIunxAcs4adX8NeJccD+/UVvZO+qtzF6iQmXCdTvRDo3shqmJKHvs6ZUJVe3jokTKMJoQdIbSIS0fSwULUV8evK5Incf8qzpnHd2J1Kg4qCL8oWeN9t4TBJTPVrNJzd/sOF1Kp2g9IBE=,iv:/ORst/Lnj3h16fJQWxAaJ5vMWKMN2lGhGoIQjNxNpGQ=,tag:NURI5mwbfECaWTgbSs6clA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1