claude'd better security things

2025-10-17 19:35:58 -04:00
parent 9e35448f04
commit f9515dd160
34 changed files with 327 additions and 144 deletions
--- a/age-secrets.nix
+++ b/age-secrets.nix
@@ -0,0 +1,64 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  # Configure all agenix secrets
+  age.secrets = {
+    # ZFS encryption key
+    zfs-key = {
+      file = ./secrets/zfs-key.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
+
+    # Secureboot keys archive
+    secureboot-tar = {
+      file = ./secrets/secureboot.tar.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
+
+    # System passwords
+    hashedPass = {
+      file = ./secrets/hashedPass.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
+
+    # Service authentication
+    caddy_auth = {
+      file = ./secrets/caddy_auth.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
+
+    jellyfin-api-key = {
+      file = ./secrets/jellyfin-api-key.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
+
+    slskd_env = {
+      file = ./secrets/slskd_env.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
+
+    # Network configuration
+    wg0-conf = {
+      file = ./secrets/wg0.conf.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
+  };
+}