parent
8c77376e36
commit
5b80da7323
6 changed files with 98 additions and 4 deletions
|
@ -2,6 +2,7 @@ keys:
|
|||
# after updating this, you will need to `sops updatekeys secrets.file` for any files that need the new key(s)
|
||||
- &daniel age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45 # pass age-key | rg '# pub'
|
||||
- &sshd-at-beefcake age1etv56f7kf78a55lxqtydrdd32dpmsjnxndf4u28qezxn6p7xt9esqvqdq7 # ssh beefcake "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
|
||||
- &sshd-at-router age1zd7c3g5d20shdftq8ghqm0r92488dg4pdp4gulur7ex3zx2yq35ssxawpn # ssh router "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
|
||||
creation_rules:
|
||||
- path_regex: secrets/[^/]+\.(ya?ml|json|env|ini)$
|
||||
key_groups:
|
||||
|
@ -12,3 +13,8 @@ creation_rules:
|
|||
- age:
|
||||
- *daniel
|
||||
- *sshd-at-beefcake
|
||||
- path_regex: secrets/router/[^/]+\.(ya?ml|json|env|ini)$
|
||||
key_groups:
|
||||
- age:
|
||||
- *daniel
|
||||
- *sshd-at-router
|
||||
|
|
11
flake.nix
11
flake.nix
|
@ -569,6 +569,17 @@
|
|||
linux
|
||||
troubleshooting-tools
|
||||
|
||||
outputs.nixosModules.deno-netlify-ddns-client
|
||||
|
||||
{
|
||||
services.deno-netlify-ddns-client = {
|
||||
enable = true;
|
||||
username = "router.h";
|
||||
# TODO: ipv6
|
||||
ipv6 = false;
|
||||
};
|
||||
}
|
||||
|
||||
/*
|
||||
NOTE: maybe use this someday, but I think I need more concrete
|
||||
networking knowledge before I know how to use it well. Additionally,
|
||||
|
|
|
@ -1645,7 +1645,37 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
|
|||
};
|
||||
}
|
||||
{
|
||||
# TODO: paperless-ngx
|
||||
systemd.tmpfiles.settings = {
|
||||
"10-paperless" = {
|
||||
"/storage/paperless" = {
|
||||
"d" = {
|
||||
mode = "0750";
|
||||
user = "paperless";
|
||||
group = "paperless";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
services.restic.commonPaths = [
|
||||
"/storage/paperless"
|
||||
];
|
||||
|
||||
sops.secrets.paperless-superuser-password = {
|
||||
owner = "paperless";
|
||||
group = "paperless";
|
||||
mode = "400";
|
||||
};
|
||||
|
||||
services.paperless = {
|
||||
enable = true;
|
||||
package = pkgs.paperless-ngx;
|
||||
dataDir = "/storage/paperless";
|
||||
passwordFile = config.sops.secrets.paperless-superuser-password.path;
|
||||
};
|
||||
|
||||
services.caddy.virtualHosts."paperless.h.lyte.dev" = {
|
||||
extraConfig = ''reverse_proxy :${toString config.services.paperless.port}'';
|
||||
};
|
||||
}
|
||||
{
|
||||
systemd.tmpfiles.settings = {
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
# outputs,
|
||||
# config,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
|
@ -51,6 +51,7 @@
|
|||
"idm.h.lyte.dev"
|
||||
"git.lyte.dev"
|
||||
"video.lyte.dev"
|
||||
"paperless.h.lyte.dev"
|
||||
"audio.lyte.dev"
|
||||
"a.lyte.dev"
|
||||
"bw.lyte.dev"
|
||||
|
@ -107,6 +108,21 @@ in {
|
|||
iftop
|
||||
];
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../secrets/router/secrets.yml;
|
||||
age = {
|
||||
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||
keyFile = "/var/lib/sops-nix/key.txt";
|
||||
generateKey = true;
|
||||
};
|
||||
secrets = {
|
||||
netlify-ddns-password = {mode = "0400";};
|
||||
};
|
||||
};
|
||||
services.deno-netlify-ddns-client = {
|
||||
passwordFile = config.sops.secrets.netlify-ddns-password.path;
|
||||
};
|
||||
|
||||
boot.kernel.sysctl =
|
||||
sysctl-entries
|
||||
// {
|
||||
|
|
|
@ -26,6 +26,7 @@ api.lyte.dev: ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/n
|
|||
restic-rascal-passphrase: ENC[AES256_GCM,data:yonKbBh4riGwxc/qcj8F/qrgAtA1sWhYejw9rdOTdCNW3a7zL/Ny1+XCI/P3bMOsY6UTmg/gxA2itp4cSbvqjg==,iv:5GwaEExn7b3dIkCVehLxaBXW+nUuSexY/bcqfCUwF5Q=,tag:dinyyw2XeVoSnw/IsYfK0w==,type:str]
|
||||
restic-rascal-ssh-private-key: ENC[AES256_GCM,data:ddsOs0XsayyQI9qc6LzwQpdDnfwNpbj8PbBJ5fyuqtlVNYndeLxaYcbZI2ULSUhgR1tN0FS+ggGTHQhVvjwksNvpskUGHNKkSLKH3D/mn5N9tsoeAblN4gZsloZdqXBVzEehumcQMdhh6iy6NkNbuinKrVKDhLV25PrFKuSBEYw9VHU7HAMW5Tfop3RzBXjZWETCDAR2OQa7d1dXsJ0Kw6b9RFmRe5MGQ0J7YhjdTg26JGMMVSeHvr5UbiUJkGA5RvOLEDM2Dfai7Lf8yRPZVxUl+rdRsNvNYEoYGu5rGLUFcuqIbQ+s40dP2uXwWauwkIvHUjEahkbP0httj4Kg3qIJBRPg7OuS+MOwAnLEAs3hl5zeBV396yA9qjWW8nhnbml58/uFFbfXbJWTM3r8cMpFbHKD+Ojo/99fm5Vy3pAMzNzEsHOaT+iyDYyNkV5OH1GyKK9n7kIRLdqmWe7GmaKXlwVvNUPi3RvLX9VXq83a4BuupFyTmaNfPGMs/17830aleV674+QVgKh3VyFtuJy6KBpMXDv16wFo,iv:S2I3h6pmKLxEc29E0zn2b8lscqA//5/ZMTV9q+/tdvs=,tag:ALeCT+nrVPDfS21xC555sA==,type:str]
|
||||
restic-ssh-priv-key-benland: ENC[AES256_GCM,data:G+uiYZTvqXhpJb66j6Q6S+otlXeRX0CdYeMHzSMjIbvbI0AVm0yCU7COO5/O8i47NpvrKKS1kVxVEK8ixLRUowkl3hgRXhxsBIPFnpkMD0ENmJttm4HOpi0qIWMwzPYTjkz/slY4HcTFnCfYy1ZpURQdWwZsr1EdAA05bUMTtM22R3uOMzjO8uf72PCWX7yffo8MxsLmWvNVAOhVlrb2H5KQNR/IquFK3TFoZitq5nVDG9tcEFkX+lgA3zsmCHU/2DvvodgeRoltaAFvgjVznNGf4e5p8owHUtSzX52HwGZRiUlMuhpre2gm1r73n8AyZe41II+LX/85fMfZDdyayIGv3AAMBib8H0/AoChexRcdLQEmzOgRrXsgucDJrWSWP6WMBVyamUm79m5ep0fvL1lJftuJqN0uuq9dBrispdso4x+6jk/pDf5pEM/FE6s1rY832BEb7q0PnjyvVogOez+cIihmMpDdnS0A/8TFzg29i3C+93x5vrt3k7atNzR/jN+/GqX2FKLzxWrrIw2d,iv:IP+N8JQu+XRvwTtBnxu54ujzU5UliltXG3mk9HfJaN8=,tag:4oinE9QMaSh8IfUd/ttM3Q==,type:str]
|
||||
paperless-superuser-password: ENC[AES256_GCM,data:lypWK73mOYI2hyQAW/4T3cDiVtsts3kKb7LZb9ES3n97Kn5l,iv:jBHUBFbb4GqQ3gnK0h5VCaGj3/kd3/eGa1QFiE7+B9I=,tag:UoQar+x1xVnCV2k+9hYjWA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -50,8 +51,8 @@ sops:
|
|||
bGpacHFRSkJYUUMwOEh4cVBXZ1NESmsKa5EhZ7148ojCqZldukLcPLr93HqnpNgq
|
||||
rMI0Nyz4Z4lkTVMRpA94zyNTkNwJ02/CYcKi8EJi6jGZnNPUTcnTwg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-11T20:26:42Z"
|
||||
mac: ENC[AES256_GCM,data:a0gC3hbOoEkRWWv9o1wUbiuvTnp9+vSDTD+l1xxRnwApXW6oqoLpcChbfrHNKNpJKMOQ7KUEgR2Gc5oWQUk+sth4QY/P59QeTtXNAWdmyB8SsbaRdmms/EapUhH8qSy2v24JOaqIdCv/HrRF1MJnHjJ0qZX/bTC6JVmIrsM6LlQ=,iv:AkMwDNRPn+yUOWFcHCdPLerkztAi9/W0W87LQSD/aZo=,tag:+6fi773Qc5lTM60fIVHSnQ==,type:str]
|
||||
lastmodified: "2024-09-13T05:09:18Z"
|
||||
mac: ENC[AES256_GCM,data:rS12xfQ6FQwVa19rdfk6i1DThUOfsrw+IdKGYOMrX8a7sOKPkNxyxyZASfaKopg3BaM8qmoOFUW4B9VWwTh4d+MhruH3DhJO3UuZpOtDv7H8JFmzqg8rlYx0nm+8/+dB0zjgK7m2FP8wn0jfXraaaQ7/HobgLgGtl+NAsXQkrwQ=,iv:+JO3Yq6Kp2CHu20dSRDOJf0ivq5ASHYrKvlCgg1vGxQ=,tag:y6nIISSZFQwRoFNvqaQWbg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
30
secrets/router/secrets.yml
Normal file
30
secrets/router/secrets.yml
Normal file
|
@ -0,0 +1,30 @@
|
|||
netlify-ddns-password: ENC[AES256_GCM,data:zp58uV2L+/n/9Cvp1BnQBhdfmNfuyH8C73R6JYrJ3pw0QbEpPpIWuzod9S28QxNq50Bj5/zGzE+D125dkYFX0A==,iv:kceEl04Nb6LWcyjl2fHYjsl0RSO8OulN3DKlDLwjIu4=,tag:nOi2H56dEX9K5okaiDaWOQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQlZqSzBaTUROMkp2K2xI
|
||||
Z0ZIdllGNnlNYnFtVERPbVN6Y1FnWC9aeGlFCnZYci9CblA3VFZsOG5OOXE3cDZj
|
||||
TlZkbU0yY0F1ZDA5amczRVFldU1ZWGcKLS0tIEFTdi9uRFdlQW1MbUdSdm9jRW5n
|
||||
emxsSGN2b3JLZGNYQmVDYk96QUY5aVEK0w7Q/zEsIJKFcQjhgQovmRs4Iv6bhuaz
|
||||
cKn8M/p8dG+p5G50ALsiIiuTFBUM7vmFVF000PxqsEFr0Yl6eDg+uA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1zd7c3g5d20shdftq8ghqm0r92488dg4pdp4gulur7ex3zx2yq35ssxawpn
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZK1lRTlRIc2ZxcllsRFRp
|
||||
aEZIOC80TSt2Ly9MUEdiVGQ5akkrUUJwcDFJClIyMUl0SWY3TXFLcWl0TGw3K3VM
|
||||
N0VWaGpCaVp6MXg4M2pwcnNhNkhPYjQKLS0tIEZOVGVTcUxaMmxBNEVJQ2VFSjRm
|
||||
L2lpaExJM2FkUFdqa3JpalZmOFZYV0kKmXlu5CUIYnNEOlIco3JveS7KdiF2yWTn
|
||||
r/KOKA9/v3zPbnsYc+HETxYNy1OWrQ/qDGIbR6jz8L5+v35FN+larw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-13T05:37:38Z"
|
||||
mac: ENC[AES256_GCM,data:r1qpYSojCuN84FYX1c684XifKMKUPTOl7dvzuoYYuLf+mwbZrD4fUErDmZczzA4g2ttSNNv05bEq5D7XgfoXPcbhqtj/jggxvX4EGLltpo3Jy77EyKabr1c7KsYV3ciYT13sRGzFYrge06wVrUUPpozPfvAbp1qv0CwK4dUg4dc=,iv:Bpnrx8KcZnWkld4f3VRl39xMmaU388KQunig9xohUto=,tag:vKUupMf/dRb5bY8BMV4oVw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
Loading…
Reference in a new issue