Skynet/nixos
6
1
Fork 0
Code Issues 43 Pull requests 1 Projects Releases Packages Wiki Activity Actions

Merge branch '#49_add_vaultwarden' into 'main'

Browse source 
#49 add vaultwarden

Closes #49

See merge request compsoc1/skynet/nixos!26
This commit is contained in:
silver 2023-11-07 13:51:05 +00:00
commit c27f1749a2
9 changed files with 621 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
applications/bitwarden/_bitwarden-directory-connector.nix Normal file
View file

@ -0,0 +1,55 @@
{
lib,
buildNpmPackage,
fetchFromGitHub,
pkgs,
git,
python3,
pkg-config,
libsecret,
nodejs_18,
}: let
buildNpmPackage' = buildNpmPackage.override {nodejs = nodejs_18;};
in
buildNpmPackage' rec {
pname = "bitwarden-directory-connector";
version = "2023.10.0";
src = fetchFromGitHub {
owner = "bitwarden";
repo = "directory-connector";
rev = "b2bc45137013b258bffda2c2703715cb9f6e687f";
hash = "sha256-CgaCnMWNVWCJBypNcdoseVCwD8Mlq4YaWpK+VZT/7Qk=";
leaveDotGit = true;
};
npmDepsHash = "sha256-jBAWWY12qeX2EDhUvT3TQpnQvYXRsIilRrXGpVzxYvw=";
env.ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
makeCacheWritable = true;
npmBuildScript = "build:cli:prod";
installPhase = ''
mkdir -p $out
cp -R {build-cli,node_modules} $out
'';
buildInputs = [
libsecret
];
nativeBuildInputs = [
git
python3
pkg-config
];
meta = with lib; {
description = "A LDAP connector for Bitwarden";
homepage = "https://github.com/bitwarden/directory-connector";
license = licenses.gpl3Only;
maintainers = with maintainers; [Silver-Golden];
platforms = platforms.linux;
};
}

334
applications/bitwarden/_bitwarden_sync_module.nix Normal file
View file

@ -0,0 +1,334 @@
{
pkgs,
config,
lib,
...
}:
with lib; let
# to be changed once the package is accepted
connector = pkgs.callPackage ./_bitwarden-directory-connector.nix {};
cfg = config.services.bitwarden_connector;
nodejs = pkgs.nodejs-18_x;
ldap_data = ''
{
"ssl": ${boolToString cfg.ldap.ssl},
"startTls": ${boolToString cfg.ldap.startTls},
"sslAllowUnauthorized": ${boolToString cfg.ldap.startTls},
"port": ${toString cfg.ldap.port},
"currentUser": false,
"ad": ${boolToString cfg.ldap.ad},
"pagedSearch": true,
"password": "to_be_replaced",
"hostname": "${cfg.ldap.hostname}",
"rootPath": "${cfg.ldap.root}",
"username": "${cfg.ldap.username}"
}
'';
sync_data = ''
{
"removeDisabled": ${boolToString cfg.sync.removeDisabled},
"overwriteExisting": ${boolToString cfg.sync.overwriteExisting},
"largeImport": ${boolToString cfg.sync.largeImport},
"creationDateAttribute": "${cfg.sync.creationDateAttribute}",
"memberAttribute": "${cfg.sync.memberAttribute}",
"useEmailPrefixSuffix": ${boolToString cfg.sync.emailPrefixSuffix.enable},
${optionalString cfg.sync.emailPrefixSuffix.enable ''
"emailPrefixAttribute": "${cfg.sync.emailPrefixSuffix.prefixAttribute}",
"emailSuffix": "${cfg.sync.emailPrefixSuffix.suffix}",
''}
"users": ${boolToString cfg.sync.users.enable},
${optionalString cfg.sync.users.enable ''
"userPath": "${cfg.sync.users.path}",
"userObjectClass": "${cfg.sync.users.objectClass}",
"userEmailAttribute": "${cfg.sync.users.emailAttribute}",
"userFilter": "${cfg.sync.users.filter}",
''}
"groups": ${boolToString cfg.sync.groups.enable},
${optionalString cfg.sync.groups.enable ''
"groupPath": "${cfg.sync.groups.path}",
"groupObjectClass": "${cfg.sync.groups.objectClass}",
"groupNameAttribute": "${cfg.sync.groups.nameAttribute}",
"groupFilter": "${cfg.sync.groups.filter}",
''}
"interval": 5
}
'';
sed_string = string: builtins.replaceStrings ["." "/" "\n"] ["\\." "\\/" "\\n"] string;
in {
imports = [];
options.services.bitwarden_connector = {
enable = mkEnableOption "Bitwarden Directory Connector";
domain = mkOption {
type = types.str;
description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessable on.";
example = "https://vaultwarden.example.com";
};
user = mkOption {
type = types.str;
description = lib.mdDoc "User to run the program.";
default = "bwdc";
};
directory = mkOption {
type = types.str;
description = lib.mdDoc "Folder to store the config file.";
default = "/etc/bitwarden/${cfg.user}";
};
ldap = {
ssl = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Use SSL.";
};
startTls = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Use startTls.";
};
sslAllowUnauthorized = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "";
};
ad = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Is Active Directory.";
};
port = mkOption {
type = types.int;
default = 389;
description = lib.mdDoc "Port LDAP is accessable on";
};
hostname = mkOption {
type = types.str;
description = lib.mdDoc "The host the LDAP is accessable on.";
example = "ldap.example.com";
};
root = mkOption {
type = types.str;
description = lib.mdDoc "Root path for LDAP";
example = "dc=example,dc=com";
};
username = mkOption {
type = types.str;
description = lib.mdDoc "The user to authenticate as.";
example = "cn=admin,dc=example,dc=com";
};
pw_env = mkOption {
type = types.str;
description = lib.mdDoc "The ENV var that the ldap password is stored.";
default = "LDAP_PW";
};
};
sync = {
interval = mkOption {
type = types.str;
default = "*:0,15,30,45";
description = lib.mdDoc "When to run the connector, cron syntax.";
};
removeDisabled = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
};
overwriteExisting = mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
};
largeImport = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Enable if you ar syncing more than 2000 users/groups.";
};
memberAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists members in a LDAP group.";
example = "uniqueMember";
};
creationDateAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists a users creation date.";
example = "whenCreated";
};
emailPrefixSuffix = {
enable = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
};
prefixAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that has a users username.";
example = "accountName";
};
suffix = mkOption {
type = types.str;
description = lib.mdDoc "Suffix for the email, normally @example.com.";
example = "@example.com";
};
};
users = {
enable = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Sync users.";
};
path = mkOption {
type = types.str;
description = lib.mdDoc "User directory, relative to root.";
example = "ou=users";
};
objectClass = mkOption {
type = types.str;
description = lib.mdDoc "A class that users will have.";
example = "inetOrgPerson";
};
emailAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a users email.";
example = "mail";
};
filter = mkOption {
type = types.str;
description = lib.mdDoc "Filter for users.";
example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
};
};
groups = {
enable = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Sync groups.";
};
path = mkOption {
type = types.str;
description = lib.mdDoc "Group directory, relative to root.";
example = "ou=groups";
};
objectClass = mkOption {
type = types.str;
description = lib.mdDoc "A class that groups will have.";
example = "groupOfNames";
};
nameAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a name of group.";
example = "cn";
};
filter = mkOption {
type = types.str;
description = lib.mdDoc "Filter for groups.";
example = "(cn=sales)";
};
};
};
env = {
description = "Env files to be passed in.";
ldap = mkOption rec {
type = types.str;
description = "Auth for the LDAP, has ${cfg.ldap.pw_env}";
};
bitwarden = mkOption rec {
type = types.str;
description = "Auth for Bitwarden, has BW_CLIENTID and BW_CLIENTSECRET";
};
};
};
config = mkIf cfg.enable {
users.groups."${cfg.user}" = {};
users.users."${cfg.user}" = {
createHome = true;
isSystemUser = true;
home = "${cfg.directory}";
group = "${cfg.user}";
homeMode = "711";
};
systemd = {
timers."${cfg.user}" = {
description = "Timer for ${cfg.user}";
wantedBy = ["timers.target"];
partOf = ["${cfg.user}.service"];
timerConfig = {
OnCalendar = cfg.sync.interval;
Unit = "${cfg.user}.service";
Persistent = true;
};
};
services."${cfg.user}" = {
description = "Main process for Bitwarden Directory Connector";
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = [];
environment = {
BITWARDENCLI_CONNECTOR_APPDATA_DIR = cfg.directory;
BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
};
serviceConfig = {
Type = "oneshot";
User = "${cfg.user}";
Group = "${cfg.user}";
ExecStartPre = pkgs.writeShellScript "${cfg.user}-config" ''
# create the config file
${nodejs}/bin/node ${connector}/build-cli/bwdc.js data-file
${nodejs}/bin/node ${connector}/build-cli/bwdc.js config server ${cfg.domain}
# now login to set credentials
${nodejs}/bin/node ${connector}/build-cli/bwdc.js login
# set the ldap details
sed -i 's/"ldap": null/"ldap": ${sed_string ldap_data}/' ${cfg.directory}/data.json
# set the client id
orgID=$(echo $BW_CLIENTID | sed 's/organization\.//g')
sed -i "s/\"organizationId\": null/\"organizationId\": \"$orgID\"/" ${cfg.directory}/data.json
# and sync data
sed -i 's/"sync": null/"sync": ${sed_string sync_data}/' ${cfg.directory}/data.json
# final config
${nodejs}/bin/node ${connector}/build-cli/bwdc.js config directory 0
${nodejs}/bin/node ${connector}/build-cli/bwdc.js config ldap.password --secretenv ${cfg.ldap.pw_env}
'';
ExecStart = ''${nodejs}/bin/node ${connector}/build-cli/bwdc.js sync'';
EnvironmentFile = [
"${cfg.env.ldap}"
"${cfg.env.bitwarden}"
];
};
};
};
};
}

64
applications/bitwarden/bitwarden_sync.nix Normal file
View file

@ -0,0 +1,64 @@
{
pkgs,
config,
lib,
...
}: let
in {
imports = [
./_bitwarden_sync_module.nix
];
options = {};
config = {
age.secrets.bitwarden_sync_api.file = ../../secrets/bitwarden/api.age;
age.secrets.bitwarden_sync_ldap.file = ../../secrets/ldap/details.age;
services.bitwarden_connector = {
enable = true;
domain = "https://pw.skynet.ie";
ldap = {
ssl = false;
startTls = false;
sslAllowUnauthorized = false;
ad = false;
port = 389;
hostname = "account.skynet.ie";
root = "dc=skynet,dc=ie";
username = "cn=admin,dc=skynet,dc=ie";
pw_env = "LDAP_ADMIN_PW";
};
sync = {
removeDisabled = true;
overwriteExisting = false;
largeImport = false;
memberAttribute = "member";
creationDateAttribute = "skCreated";
emailPrefixSuffix.enable = false;
users = {
enable = true;
path = "ou=users";
objectClass = "inetOrgPerson";
emailAttribute = "skMail";
filter = "(|(memberOf=cn=skynet-committee,ou=groups,dc=skynet,dc=ie)(memberOf=cn=skynet-admins,ou=groups,dc=skynet,dc=ie))";
};
groups = {
enable = true;
path = "ou=groups";
objectClass = "groupOfNames";
nameAttribute = "cn";
filter = "";
};
};
env = {
bitwarden = config.age.secrets.bitwarden_sync_api.path;
ldap = config.age.secrets.bitwarden_sync_ldap.path;
};
};
};
}

93
applications/bitwarden/vaultwarden.nix Normal file
View file

@ -0,0 +1,93 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_vaultwarden;
domain_sub = "pw";
domain = "${domain_sub}.skynet.ie";
in {
imports = [
../acme.nix
../dns.nix
../nginx.nix
];
options.services.skynet_vaultwarden = {
enable = mkEnableOption "Skynet vaultwarden server";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
};
config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ];
# Website config
skynet_acme.domains = [
domain
];
skynet_dns.records = [
{
record = domain_sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
};
# has ADMIN_TOKEN and SMTP_PASSWORD
age.secrets.bitwarden_details.file = ../../secrets/bitwarden/details.age;
services.vaultwarden = {
enable = true;
environmentFile = config.age.secrets.bitwarden_details.path;
config = {
DOMAIN = "https://${domain}";
SENDS_ALLOWED = true;
SIGNUPS_ALLOWED = false;
INVITATION_ORG_NAME = "Skyhold";
ORG_GROUPS_ENABLED = true;
USE_SENDMAIL = false;
SMTP_HOST = "mail.skynet.ie";
SMTP_FROM = "vaultwarden@skynet.ie";
SMTP_FROM_NAME = "Skynet Bitwarden server";
SMTP_SECURITY = "starttls";
SMTP_PORT = 587;
SMTP_USERNAME = "vaultwarden@skynet.ie";
SMTP_AUTH_MECHANISM = "Login";
SMTP_EMBED_IMAGES = true;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
};
};
};
}

11
machines/kitt.nix
View file

@ -23,6 +23,8 @@ in {
imports = [
../applications/ldap/server.nix
../applications/discord.nix
../applications/bitwarden/vaultwarden.nix
../applications/bitwarden/bitwarden_sync.nix
];
deployment = {
@ -66,4 +68,13 @@ in {
services.discord_bot = {
enable = true;
};
services.skynet_vaultwarden = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
};
}

17
secrets/bitwarden/api.age Normal file
View file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA 9sIoEpzKd/eI94AuhnxT1jyTIpLiqvNLvZ2oDqEzXUY
YstVwGRjZUXguF+MVJrzi4pj4h3YJI222mw0yzZf6NQ
-> ssh-ed25519 4PzZog 7kF/5y4OqdF88N4Dhx7G93fUCO2RwR+6QxWn5tH6RVQ
cV2hwmEhwGWIjpktlUnXDvBU8Zlc0nHNfDgrhNnH9+g
-> ssh-ed25519 5Nd93w Wjt9rcp1YEgkt9/P8vYUeVbNA420drbz/mZZERZFUGU
VE5a0Wx5WTy12cCm2Vg3J8GYQ1B+WnEca/FTFPhZ3nE
-> ssh-ed25519 q8eJgg EmdkKgMt9LkZSVm0pN0vf35p8UwpBWzF/cC32VviyQM
Ii+g+vgMoCj9XYpCoOyTD4sahYNUhbQRoDwgDnZCUEU
-> ssh-ed25519 IzAMqA pNlr1079F7f8zqfb4bujzQPNahoKUBH4GShDu9g2r30
FUa1QqHBLy2qb4eHYeZgQetyjX44LnckPlv46694Sds
-> 1-grease Jr S68AA 6z@gP Y)
--- mEkHKhEzkas0RT9tzEVFeEenFW6Av4E0uXzCeYgCdRA
Bïα<>¼™U@!õ*´<>«yþä
C1!ûëÄt{ËÒbÙ*•leHOŒ¸ŒíµÔh#/V,œ—à5J:)¿°4f<½…h
¡ A (Ÿ7†Ä³^òÓ²Ó7öñ|Í¡êO<ðo¶l‡“‰&á~~ù½9_å3û˜·©ðYf¿rM<72>x16Ò™©

16
secrets/bitwarden/details.age Normal file
View file

@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA d3Xy8iQxiSb8gV8NRqBAxBm0g5V1INUAeHJDFdAqe3o
Uaw/Q/BjZabCWBoKJmSICiUn8/OWXjj+/sx0BZKxWj8
-> ssh-ed25519 4PzZog qxpYb+zz05nntFRA8k0ZwWSmpvOA8gnf8AaBuy5xyhQ
ssOtug0RBDkPbSEC4Acs/UNelfLmkLLH2pEm0geAuVE
-> ssh-ed25519 5Nd93w iXfwzbDeUuFqwXPztMdaBXnfXY7W8sQXmcxEtMqkPzM
t88pMxJ09RtrNEd1tn8N5iUh2mnaHwzb3dD6xlt8jRw
-> ssh-ed25519 q8eJgg 4NAejBkAf4tZEsq6YsWJiOTq3wBBkDHB3Z1CFG8LeSk
yIicVNLUkaHs9RzaEFFn0SVqR5QiKNJZShehiEfvTh4
-> ssh-ed25519 IzAMqA orpGqetn3ND76DC2QejaGnAlPDlV43l7/GdJB47SFQA
U0Bm9/VgoY6/dwIdqZpOY5rQc5j/TBlKzRS8rndyxu4
-> _-grease yOwV[T R\ b>SI aVM^#_X
VfqPBdd5CK3GXPcBxXzbq9ak7qYJrnrxU7O7pKmfavJJ55dsmXKvEI7NE2tgASsr
Gxc1ttbQ4310R2CN0IM7xvMRLQsg/MnA2WGiwO52OYkHJXZ/i9F8ro4sq8q5cJE
--- T8NUXH3YnnAIycabcEi8uFUfnDuvdgy3COrUoPPA+lQ
QýPÀŒÍE“*NcYÞ³³ Î Y튰nK¶Bžù•°íšêaâšz<C5A1>˜^fJy¢h£™W!u|¶dDq'ê} €6^Ô5½ðÍwSÊží³k1%ÈN¹sº÷wÁ½i+ó|Dƒ´“°pÏ”½qr!1¿É™ì ü<>‡¨ïš£°?µŒžÙÀ¢ïH†îèш$›‰Ýð(fÍ<66>‰gKn{ïa93tlÜì…Gbrˆã<CB86>§bMYÆ(¹—Öî¬`y&,â'«{è=

44
secrets/email/details.age
View file

@ -1,23 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA P02Xzq2IYlbZMvvBUjy6eM0FN1CfSyCinTJnQrZUUlg
QU9CrDYFL0KwDiH9T0zOzydeJBm4eS+Rp4m2ozA3FA0
-> ssh-ed25519 4PzZog 0dqzbH7AY96+GFtwrkrcxYKuO/c9eBPgdxMKa1qliw0
y0Kx5IG3CCzFcXM5MuS3eLij/l7QFKaHlr3VQty+gsA
-> ssh-ed25519 5Nd93w i9j9spcBf2ww6koxQu+802p8ua70VmQTtuLNC/v8MzY
wgYQc+JdSPd2cen/mQyL4NVn9fHtRsHX0E5lDW06yMs
-> ssh-ed25519 q8eJgg L55YurMQv+czgj6uwgHS3L2vX2A5VYRcUEXsGcj0r38
vLRAuYLEljcVqVXs6k0hrVQNkRIpvvpCUeMP4jWVItQ
-> ssh-ed25519 IzAMqA Q1wP64lIZtvFPa0wAD+jQZtS7NwDr4rkthZEoVtuJjo
EnLKgtFFpzEKpLZMatZFNTt0rINciFUryYd0GMIUSp0
-> ssh-ed25519 uZzB3g EwOnsGci+aqHj7XR+sVCi2pNowFbTLtQimzFNHy7LTo
jtl2RhtNayPr44rrZ1ESgR6p1hDJg1h70flu/0rDCjg
-> ssh-ed25519 Hb0ipQ Jmcvd8zOLb7qf2ZIY1HsBrMA3wETGJFUTicBb/Gf2n4
RTiE+f1N+npbnh1M20x76MJ/uj/5SDTdWKj1uMWPThM
-> ssh-ed25519 IzAMqA cSzsukksm2E0coLmIXmd6DsEs/gHmIeGfcH/unNd1B4
6ThlGLwm5iFG/UXoNMtAup909MVxz5JTpK45HJDeYFk
-> d7'/PSOq-grease BF,
ka0OOXHqf7TrhcdP9NFMQVGlF2x+fnC5PRZba5o
--- s5GXDMgktkfdge6Ndk1J8ooCdXVsryH9XzD2+TF6wC8
`2ÕÊÇÅöå™SÇ
•cA¥¥Ž¼2˜¦ƒÊˆ<E2809D> åw L(<28>žq\Ò0ô})€D#k)¢Yí€\&¬ûºX£"į¬06|4ù)¼Þ._vD6N”Ò½üé*+RÇ)£59†š
EñÔ}£â ~g<>©C1ÁÝðƒÀ ÷´e
-> ssh-ed25519 V1pwNA jq+XbDiOKLZYMvnmsSod+uedgov0IG0owyKLnh8UWSE
Qvoh1P8BCj677JtljcNsz+wlimAsOc6VhUMJhV1GqiU
-> ssh-ed25519 4PzZog QW53/Ugxrrxc409WcGAIvM1/Y4Vmx3ApggipX/eIEjw
IAYk1jPQmim0+TItOXAskS3PVgCnZDtYdIBKlvcLxwA
-> ssh-ed25519 5Nd93w sCuEYWuaUPIMRjZXmggeeWCgkIaJT7D5bAXb2ixWq2Q
1o9D3Uz/mNnh4ys0I78j25MiKlHqhGdaP+D8HvtpOWY
-> ssh-ed25519 q8eJgg 6WC13FFyND94sHo7cbG+3uZUNsmy42DmpUOVkCmVbHw
RJJ+3aUtwP1M4bDkiHKr0uz+HwRwH0bAn+GPEs4utGQ
-> ssh-ed25519 IzAMqA 87Jsefduk7iRFF84+ZvPGdTpz/FzRYuzg9UkbPQxPW8
xBUyjiOg9/zq28fXFo2/kHitPuz3HaZ+ckEwgWqYXH4
-> ssh-ed25519 uZzB3g 2/G93JVSGG8Bq3TzXiC7VxGvLgt8VpfBDxNLnsQJnzQ
eqvUUuCxDnj1YJt31bOXEZtCk6W8Fb073LUp6JoCLSs
-> ssh-ed25519 Hb0ipQ VrLe6mWpNh3VasQNuZoYVSG+UoExVvp9plKEuRi6+DQ
xem0syYeUihXShPuhN4Y0caleqYD3Guw89phtQ+IzHw
-> ssh-ed25519 IzAMqA Ki9fF+v0YtXbnZFOX9Qyp2RF8NkvtgVM2vWxvc7TiDI
parIXPuSLa9NKLw3tUJFWK3FsGfD85h+DL28y5sNgrk
-> c{-grease -ufY Ew|
tdST+ze++xYVJLumh6+FoeoLRYS2WKdR/HSY8UphDPJx1OW+2ZSJNyG5XjTX582r
zSM85sEgYsJe0arZqPDHwnjssUCkAuiLMZM8atLM
--- PICAIqdJW/DCPw9lvrRLsdMJLUFsE48EQxd03DboxqI
H<EFBFBD>„r á§!{ýì'ž!‡­æy™•o$¤µà0Ô:dáä6àituìRf©ú;ä Í´‰ƒÝˆ¹Ñ?…¥€·ðM«a½ˆâ6lÚ;
°P¦Ë@pX×kiÄrðò&â ò£|2…»S#Ÿœü¶¢Ü×…þÁ¢Á…Ú…ÌÀ6A@~T§*R/

10
secrets/secrets.nix
View file

@ -93,6 +93,10 @@ let
nextcloud = [
cadie
];
bitwarden = [
kitt
];
in {
# nix run github:ryantm/agenix -- -e secret1.age
@ -115,7 +119,7 @@ in {
# for ldap
"ldap/pw.age".publicKeys = users ++ ldap;
# for use connectring to teh ldap
"ldap/details.age".publicKeys = users ++ ldap ++ discord;
"ldap/details.age".publicKeys = users ++ ldap ++ discord ++ bitwarden;
# everyone has access to this
"backup/restic.age".publicKeys = users ++ systems;
@ -133,4 +137,8 @@ in {
# handles pulling in data from teh wolves api
"wolves/details.age".publicKeys = users ++ ldap ++ discord;
# for bitwarden connector
"bitwarden/api.age".publicKeys = users ++ bitwarden;
"bitwarden/details.age".publicKeys = users ++ bitwarden;
}