homeage: add secrets

* infra backend
* infra vars
* general envs

this way, secrets are only ever stored on the system (including the nix
store) in an encrypted form in ${XDG_RUNTIME_DIR}.

.zshrc

@@ -138,6 +138,7 @@
 
 # User configuration
  source ~/.dotenv
+ source ${XDG_RUNTIME_DIR}/secrets/envs
  source ~/.zsh/aliases.zsh
  source ~/.zsh/functions.zsh
 

home-leo.nix

@@ -35,6 +35,18 @@ in {
       # can be "copies" or "symlink"
       symlinks = [".config/sops/age/keys.txt"];
     };
+
+    file."envs" = {
+      source = ./secrets/envs.age;
+    };
+
+    # infra secrets.
+    file."infra-backend" = {
+      source = ./secrets/infra-backend.age;
+    };
+    file."infra-vars" = {
+      source = ./secrets/infra-vars.age;
+    };
   };
 
   # build a configuration and switch:

secrets/.recipients

@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzJL8/M+tTejrAPoomHKtlYk8lINBLHaH+p4SLt3sBG
+age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y

secrets/envs.age

@@ -0,0 +1,19 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDZUei9UUSBvSUtX
+b2FkTXgwQ3IxeThvNC9lOERXOVNjbEtNRjVIY0tyMXBQalByMFR3CmhOMlRoS09q
+UzJvTWpBTVUwMEFkT29tTEx5UGQzUml3bUtxOXNmdUd5R2MKLT4gWDI1NTE5IGFm
+dDZZVWRYbHlIY2NjbUtmNU80Rno4R0lTdSt5b3g3a1hXVG00eGJXMk0KeFVGZWtm
+VU1uenJaZU9CbFpBSFdSYnFYYWNpRTFRbkRKdDVqUVVLdktzdwotLS0gU1BvOGpl
+d01Meks4VnRkVlRjRjRsdXV4eG1aUjlkcUJIQ3Z2aG85bmJxWQqm0MSO0q9WZyS+
+FFOOTm7RDZp6jF2GSmLnTV+RCx2Cmt+pGb96qqBdHj6LwqZjL6PjhxbLkPBy5aO8
+MQfHSukMcKiGeHYw+go35z4ZbB2u98N1R9YzxKLrVLhr1rJXfuL0Hs9YILAZ2c73
+mPk57KA04ni6USxbdmoetWScnppUUis/59elYSVabYC0+KXE0pTPqBOFlB8uIei/
+15ZeudfVgGZwijGzAZF6xLHXbx+P4BDZypQA8YPgcPbp4GCpFb+n1c4DuZxAGS2g
+OlfCTOHl81vubPiqemQ+VS/GGahxdzjhXs2TRqRdHgPSMwidzIjEtjx4r+xhgCoG
+WrK+0v7zyUU6G3ykhbttto2LMxWPS98K9pP1iWGr4J1+UykQiG/GyWoZYa5UwmHN
+Km06kEHC51tZ8GwF/ALZWk80+Wubc35dYLZNfb0R6FG3Lvel3Su0ZhosvKlTTrnP
+U9ituCCy8+XwLXGb5t2oioGUxA/QSBdzcGFGSqOLQG5OtikR/Kl3np3MITpXpwLB
+uGxeAed0/DAGjMfen8eGlGPXIM2RWshvsXvtBoKfkkaSgW3r0eV+JENefP0Ls3P5
+SezfBwEymwZwGTgD2PH41T6k3bJNfdNPaTrivd66fnNyTevpQf2LshDAotm7dqWM
+FNArctQ6406/wrS5Fn79ibEV8hEgQRawrbA=
+-----END AGE ENCRYPTED FILE-----

secrets/infra-backend.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDZUei9UUSBzb3dt
+M2prVGp6dlArbk1wT1VrK05ZcDJXTmgyM0JITmFHblpLcTRpSzNNCjU1Y1BvOXZS
+NTJEVDFWeENSSWZZWG1rRTlKZHJHYTA1MXpiUDliTkpWbWMKLT4gWDI1NTE5IFgz
+V3A1WEtXVWcybEh5NFFOMS9iZS9hVXJHTVV3bDE1MmE0c2Z5UVRFVXcKT3p3cmRX
+VlZLdnBmZG53aDJqOWJrc0M5cE5qVWxRbWJMU2hLSVdtYmNpWQotLS0gYzIzbmVW
+Wi9IM256TFJMWkFzckc3K0RqdHYrcHlNOVhlc2F3b3hYQitvZwrCioyrYO/hFHDT
+AAiwVCvCCYiNYhKtuEOFqPjnOEeK7c+3lJVP+ZLJifL45TMF1fwl5cVG1r7ToQk1
+giJGDtwffkAYtYBa8GkqsEwAvbTiJa0DGmM9MSrTzLFXHS/hhtfl0E4Otwn7rH+z
+n5QQBnpJVaoU/WvIt0DoT6rDYYtgsOFegR9Wgui066pFB3YXBkLiuS7afZCryPSG
+JmDpxoaQReYpV/8orMVHrqdSKK5F8ekBg2rK2QKVNlniqj/qLswBqPSL/xutXoy1
+-----END AGE ENCRYPTED FILE-----

secrets/infra-vars.age

@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDZUei9UUSBYZUc5
+WVhUVkdraDlvbXkzYllJYUdydDlLdmNSZGlTMzE4Q0ZrcWJaN0dZCms1NUUzaVR3
+eWtEci9kdGNXa0JNNWxjRGdWZjVaTVRlUlRRaW9MUngwSUEKLT4gWDI1NTE5ICs0
+OW5oWDNNUFF4c1BLeWJiaWIwZExrVlFpeEtZN1l2OTFIZ2hKUFk3UkkKUmhnSEM4
+VFZUZWd2WHlRQkFZRnNDUzJRV2E0NWRXTExXWmpiQnUvMlNldwotLS0gaWtpZ1ow
+U3Y0b25naGJ2bTk1dXcyYVd2U2M0dlp6WG9EaDVyOUt6WnFGOAqvuD3+A22eJGJW
+awMb51pWjgC+dc3vu07rfm8n4XpQrYMJ5sO2i4++Bszg5Y4VYdRy7nX5XfvBcVoo
+/q3BVXKXdNL2c+UIyoRR8Kh/FOvrK13mXSnwvCOL8xo/OCFUyBsUSapSKLuvMuIQ
+DLWB5feiEeKzdI6vEQHGcRkT2mokCCvWdbn4XuyBr9gkXaxiVxkzHHenAsCyxz9Y
+osEpDpnqaioZ8hq33jm/wWCDHDj12XHWSj9oPH0yaTDUhoknDqxyH2TW00+PjHbf
+dPECATbsHHcEzMQ/8/xfTsUdQBa6DjOQMmhX6aGw6bg7Oq+Egffb8ky4YYIXEv5u
+cchVpZxYFUxJLvUjlwjV+O71D64yNBtQavTGlvqqxeFxuMP/gOiUlNJDtigAZEa+
+2ltZih+oSue90MhC3RBNAwMLuo/jDR8DQOYzGTWbvDQAVzJAk2uC25tZ+2FaoGbO
+gNcl4E8KBpsOg6nU7+nJLYdK9PlIdyHy7GfN/QLNvwnCs/yAUQ==
+-----END AGE ENCRYPTED FILE-----