From 5b80da73236c9c944f4d8786150e4a5130d66669 Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Fri, 13 Sep 2024 00:38:04 -0500
Subject: [PATCH] Router secrets
---
 .sops.yaml | 6 ++++++
 flake.nix | 11 +++++++++++
 nixos/beefcake.nix | 32 +++++++++++++++++++++++++++++++-
 nixos/router.nix | 18 +++++++++++++++++-
 secrets/beefcake/secrets.yml | 5 +++--
 secrets/router/secrets.yml | 30 ++++++++++++++++++++++++++++++
 6 files changed, 98 insertions(+), 4 deletions(-)
 create mode 100644 secrets/router/secrets.yml
diff --git a/.sops.yaml b/.sops.yaml
index d598e74..f5e2e07 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,7 @@ keys:
 # after updating this, you will need to `sops updatekeys secrets.file` for any files that need the new key(s)
 - &daniel age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45 # pass age-key | rg '# pub'
 - &sshd-at-beefcake age1etv56f7kf78a55lxqtydrdd32dpmsjnxndf4u28qezxn6p7xt9esqvqdq7 # ssh beefcake "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
+ - &sshd-at-router age1zd7c3g5d20shdftq8ghqm0r92488dg4pdp4gulur7ex3zx2yq35ssxawpn # ssh router "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
 creation_rules:
 - path_regex: secrets/[^/]+\.(ya?ml|json|env|ini)$
 key_groups:
@@ -12,3 +13,8 @@ creation_rules:
 - age:
 - *daniel
 - *sshd-at-beefcake
+ - path_regex: secrets/router/[^/]+\.(ya?ml|json|env|ini)$
+ key_groups:
+ - age:
+ - *daniel
+ - *sshd-at-router
diff --git a/flake.nix b/flake.nix
index 99d4a61..1693b6c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -569,6 +569,17 @@
 linux
 troubleshooting-tools
+ outputs.nixosModules.deno-netlify-ddns-client
+
+ {
+ services.deno-netlify-ddns-client = {
+ enable = true;
+ username = "router.h";
+ # TODO: ipv6
+ ipv6 = false;
+ };
+ }
+
 /* NOTE: maybe use this someday, but I think I need more concrete networking knowledge before I know how to use it well. Additionally, 
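Review bot: The deno-netlify-ddns-client service ends up configured in two files — `enable`, `username` and `ipv6` in this inline module, and `passwordFile` in the nixos/router.nix hunk of the same commit — so a reader of either file cannot see the whole service or which credential it consumes. Consider moving this inline block into router.nix next to the `sops` declaration, leaving only `outputs.nixosModules.deno-netlify-ddns-client` in the module list here. The `# TODO: ipv6` comment would be more useful if it recorded why IPv6 stays off, e.g. `# TODO: ipv6 — disabled until <reason>`. The enclosing module list starts and ends outside this hunk, and the trailing `/* NOTE: ...` comment's original line breaks were not recoverable here.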
diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix
index b3f2fd6..867c1c1 100644
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
@@ -1645,7 +1645,37 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 };
 }
 {
- # TODO: paperless-ngx
+ systemd.tmpfiles.settings = {
+ "10-paperless" = {
+ "/storage/paperless" = {
+ "d" = {
+ mode = "0750";
+ user = "paperless";
+ group = "paperless";
+ };
+ };
+ };
+ };
+ services.restic.commonPaths = [
+ "/storage/paperless"
+ ];
+
+ sops.secrets.paperless-superuser-password = {
+ owner = "paperless";
+ group = "paperless";
+ mode = "400";
+ };
+
+ services.paperless = {
+ enable = true;
+ package = pkgs.paperless-ngx;
+ dataDir = "/storage/paperless";
+ passwordFile = config.sops.secrets.paperless-superuser-password.path;
+ };
+
+ services.caddy.virtualHosts."paperless.h.lyte.dev" = {
+ extraConfig = ''reverse_proxy :${toString config.services.paperless.port}'';
+ };
 }
 {
 systemd.tmpfiles.settings = {
diff --git a/nixos/router.nix b/nixos/router.nix
index 0278bc8..ff8d685 100644
--- a/nixos/router.nix
+++ b/nixos/router.nix
@@ -1,7 +1,7 @@
 {
+ config,
 lib,
 # outputs,
- # config,
 pkgs,
 ...
 }: let
@@ -51,6 +51,7 @@
 "idm.h.lyte.dev"
 "git.lyte.dev"
 "video.lyte.dev"
+ "paperless.h.lyte.dev"
 "audio.lyte.dev"
 "a.lyte.dev"
 "bw.lyte.dev"
@@ -107,6 +108,21 @@ in {
 iftop
 ];
+ sops = {
+ defaultSopsFile = ../secrets/router/secrets.yml;
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ secrets = {
+ netlify-ddns-password = {mode = "0400";};
+ };
+ };
+ services.deno-netlify-ddns-client = {
+ passwordFile = config.sops.secrets.netlify-ddns-password.path;
+ };
+
 boot.kernel.sysctl = sysctl-entries // {
diff --git a/secrets/beefcake/secrets.yml b/secrets/beefcake/secrets.yml
index 70c973c..dd41417 100644
--- a/secrets/beefcake/secrets.yml
+++ b/secrets/beefcake/secrets.yml
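Review bot: Paperless is published through Caddy as `paperless.h.lyte.dev`, but nothing in this hunk sets `PAPERLESS_URL`; paperless-ngx derives its CSRF trusted origins from that value, so browser form posts and API writes arriving via the proxy are likely to be rejected unless the nixpkgs module already sets it (confirm), e.g. `services.paperless.settings.PAPERLESS_URL = "https://paperless.h.lyte.dev";`. The superuser secret uses `mode = "400"` while the router hunk in the same commit uses `"0400"`; both are accepted, but pick one form across the repo. The `systemd.tmpfiles` entry for `/storage/paperless` may duplicate the directory creation the nixpkgs paperless module does for `dataDir` — worth checking before keeping both, since two rules with different modes for one path can race. The surrounding module list continues outside the hunk.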
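Review bot: `generateKey = true` with `keyFile = "/var/lib/sops-nix/key.txt"` creates an age key at activation that no secret is encrypted to — secrets/router/secrets.yml in this commit lists only the `daniel` and `sshd-at-router` recipients — so decryption relies solely on the SSH host key from `sshKeyPaths` and the generated key is dead weight; either drop `keyFile`/`generateKey` or add the generated key's recipient to .sops.yaml and leave a comment saying which is intended. `netlify-ddns-password = {mode = "0400";}` keeps the default root ownership, which only works if the ddns client runs as root; if the module runs it as its own user, set `owner` to that user or hand the file over with a systemd credential — the service's user is not visible from this hunk. The `config` argument added in the first hunk is what makes `config.sops.secrets.netlify-ddns-password.path` resolvable here, so the two hunks must land together. `boot.kernel.sysctl` continues outside the hunk.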
@@ -26,6 +26,7 @@ api.lyte.dev: ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/n
 restic-rascal-passphrase: ENC[AES256_GCM,data:yonKbBh4riGwxc/qcj8F/qrgAtA1sWhYejw9rdOTdCNW3a7zL/Ny1+XCI/P3bMOsY6UTmg/gxA2itp4cSbvqjg==,iv:5GwaEExn7b3dIkCVehLxaBXW+nUuSexY/bcqfCUwF5Q=,tag:dinyyw2XeVoSnw/IsYfK0w==,type:str]
 restic-rascal-ssh-private-key: ENC[AES256_GCM,data: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,iv:S2I3h6pmKLxEc29E0zn2b8lscqA//5/ZMTV9q+/tdvs=,tag:ALeCT+nrVPDfS21xC555sA==,type:str]
 restic-ssh-priv-key-benland: ENC[AES256_GCM,data:G+uiYZTvqXhpJb66j6Q6S+otlXeRX0CdYeMHzSMjIbvbI0AVm0yCU7COO5/O8i47NpvrKKS1kVxVEK8ixLRUowkl3hgRXhxsBIPFnpkMD0ENmJttm4HOpi0qIWMwzPYTjkz/slY4HcTFnCfYy1ZpURQdWwZsr1EdAA05bUMTtM22R3uOMzjO8uf72PCWX7yffo8MxsLmWvNVAOhVlrb2H5KQNR/IquFK3TFoZitq5nVDG9tcEFkX+lgA3zsmCHU/2DvvodgeRoltaAFvgjVznNGf4e5p8owHUtSzX52HwGZRiUlMuhpre2gm1r73n8AyZe41II+LX/85fMfZDdyayIGv3AAMBib8H0/AoChexRcdLQEmzOgRrXsgucDJrWSWP6WMBVyamUm79m5ep0fvL1lJftuJqN0uuq9dBrispdso4x+6jk/pDf5pEM/FE6s1rY832BEb7q0PnjyvVogOez+cIihmMpDdnS0A/8TFzg29i3C+93x5vrt3k7atNzR/jN+/GqX2FKLzxWrrIw2d,iv:IP+N8JQu+XRvwTtBnxu54ujzU5UliltXG3mk9HfJaN8=,tag:4oinE9QMaSh8IfUd/ttM3Q==,type:str]
+paperless-superuser-password: ENC[AES256_GCM,data:lypWK73mOYI2hyQAW/4T3cDiVtsts3kKb7LZb9ES3n97Kn5l,iv:jBHUBFbb4GqQ3gnK0h5VCaGj3/kd3/eGa1QFiE7+B9I=,tag:UoQar+x1xVnCV2k+9hYjWA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -50,8 +51,8 @@ sops:
 bGpacHFRSkJYUUMwOEh4cVBXZ1NESmsKa5EhZ7148ojCqZldukLcPLr93HqnpNgq
 rMI0Nyz4Z4lkTVMRpA94zyNTkNwJ02/CYcKi8EJi6jGZnNPUTcnTwg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-11T20:26:42Z"
- mac: ENC[AES256_GCM,data:a0gC3hbOoEkRWWv9o1wUbiuvTnp9+vSDTD+l1xxRnwApXW6oqoLpcChbfrHNKNpJKMOQ7KUEgR2Gc5oWQUk+sth4QY/P59QeTtXNAWdmyB8SsbaRdmms/EapUhH8qSy2v24JOaqIdCv/HrRF1MJnHjJ0qZX/bTC6JVmIrsM6LlQ=,iv:AkMwDNRPn+yUOWFcHCdPLerkztAi9/W0W87LQSD/aZo=,tag:+6fi773Qc5lTM60fIVHSnQ==,type:str]
+ lastmodified: "2024-09-13T05:09:18Z"
+ mac: ENC[AES256_GCM,data:rS12xfQ6FQwVa19rdfk6i1DThUOfsrw+IdKGYOMrX8a7sOKPkNxyxyZASfaKopg3BaM8qmoOFUW4B9VWwTh4d+MhruH3DhJO3UuZpOtDv7H8JFmzqg8rlYx0nm+8/+dB0zjgK7m2FP8wn0jfXraaaQ7/HobgLgGtl+NAsXQkrwQ=,iv:+JO3Yq6Kp2CHu20dSRDOJf0ivq5ASHYrKvlCgg1vGxQ=,tag:y6nIISSZFQwRoFNvqaQWbg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/secrets/router/secrets.yml b/secrets/router/secrets.yml
new file mode 100644
index 0000000..847ca77
--- /dev/null
+++ b/secrets/router/secrets.yml
@@ -0,0 +1,30 @@
+netlify-ddns-password: ENC[AES256_GCM,data:zp58uV2L+/n/9Cvp1BnQBhdfmNfuyH8C73R6JYrJ3pw0QbEpPpIWuzod9S28QxNq50Bj5/zGzE+D125dkYFX0A==,iv:kceEl04Nb6LWcyjl2fHYjsl0RSO8OulN3DKlDLwjIu4=,tag:nOi2H56dEX9K5okaiDaWOQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQlZqSzBaTUROMkp2K2xI
+ Z0ZIdllGNnlNYnFtVERPbVN6Y1FnWC9aeGlFCnZYci9CblA3VFZsOG5OOXE3cDZj
+ TlZkbU0yY0F1ZDA5amczRVFldU1ZWGcKLS0tIEFTdi9uRFdlQW1MbUdSdm9jRW5n
+ emxsSGN2b3JLZGNYQmVDYk96QUY5aVEK0w7Q/zEsIJKFcQjhgQovmRs4Iv6bhuaz
+ cKn8M/p8dG+p5G50ALsiIiuTFBUM7vmFVF000PxqsEFr0Yl6eDg+uA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1zd7c3g5d20shdftq8ghqm0r92488dg4pdp4gulur7ex3zx2yq35ssxawpn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZK1lRTlRIc2ZxcllsRFRp
+ aEZIOC80TSt2Ly9MUEdiVGQ5akkrUUJwcDFJClIyMUl0SWY3TXFLcWl0TGw3K3VM
+ N0VWaGpCaVp6MXg4M2pwcnNhNkhPYjQKLS0tIEZOVGVTcUxaMmxBNEVJQ2VFSjRm
+ L2lpaExJM2FkUFdqa3JpalZmOFZYV0kKmXlu5CUIYnNEOlIco3JveS7KdiF2yWTn
+ r/KOKA9/v3zPbnsYc+HETxYNy1OWrQ/qDGIbR6jz8L5+v35FN+larw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-13T05:37:38Z"
+ mac: ENC[AES256_GCM,data:r1qpYSojCuN84FYX1c684XifKMKUPTOl7dvzuoYYuLf+mwbZrD4fUErDmZczzA4g2ttSNNv05bEq5D7XgfoXPcbhqtj/jggxvX4EGLltpo3Jy77EyKabr1c7KsYV3ciYT13sRGzFYrge06wVrUUPpozPfvAbp1qv0CwK4dUg4dc=,iv:Bpnrx8KcZnWkld4f3VRl39xMmaU388KQunig9xohUto=,tag:vKUupMf/dRb5bY8BMV4oVw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0