Update Ophanim and add sops.

This commit is contained in:
Kevin Baensch 2023-09-10 15:35:55 +02:00
parent 79b05baecf
commit ec93123f4d
Signed by: derped
GPG key ID: C0F1D326C7626543
5 changed files with 61 additions and 7 deletions


@ -2,7 +2,7 @@ keys:
- &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
- &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
- &marid age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67
- &ophanim age19j87dhkpgrjc5hghwh0njkt6fdgr6tg90hvxrhlrfqa063cwxepq32a23m
- &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
creation_rules:
- path_regex: machines/Lilim/[^/]+.yaml$
key_groups:
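Review bot: The keys list gives no indication of which of the two `&ophanim` entries is the current one or where the recipient comes from; assuming the second entry (the one matching the recipient in the new secrets.yaml) is the replacement, a trailing comment such as `# Ophanim host age key (/var/lib/sops-nix/key.txt), rotated 2023-09-10` on that line would make future rotations auditable. Any other file covered by the Ophanim creation rule that was encrypted to the old recipient will need `sops updatekeys` to pick up the new key; that rule is outside this hunk, which cuts off inside `creation_rules`.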


@ -1,8 +1,8 @@
{ pkgs, ... }:
{ nixpkgs, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
[ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
];
boot = {
@ -12,7 +12,6 @@
extraModulePackages = [ ];
loader.grub = {
enable = true;
version = 2;
device = "/dev/sda"; # or "nodev" for efi only
};
};
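Review bot: `{ nixpkgs, pkgs, ... }:` makes the module depend on a `nixpkgs` argument that the module system does not supply on its own, and nothing in the hunk shows where it is wired in; a comment on the signature, `# nixpkgs: the flake input, passed in via specialArgs`, would save the next reader a search (the wiring is presumably in the flake, outside this diff). The replacement of `<nixpkgs/...>` by `"${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"` is a good change: the profile is now pinned to the evaluated input instead of whatever `NIX_PATH` happens to resolve to. The enclosing attribute set continues past both hunks.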


@ -21,7 +21,7 @@ in {
"server"
];
services = [
"fail2ban"
"acme"
"gitea"
# "hydra"
"mailserver"
@ -41,8 +41,8 @@ in {
firewall = {
enable = true;
allowPing = false;
allowedUDPPorts = [ 22 80 443 ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 22 80 443 7776 ];
allowedTCPPorts = [ 80 443 7776 ];
};
};
}
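Review bot: The new `allowedUDPPorts = [ 22 80 443 7776 ];` still carries 22 on UDP, which SSH does not use; unless something on this host genuinely listens on UDP/22, the line should read `allowedUDPPorts = [ 80 443 7776 ];` (TCP/22 is presumably opened by `services.openssh.openFirewall`, which is not shown here). Port 7776 is opened on both TCP and UDP with nothing saying which service listens there; a comment such as `# 7776: <service name> (TCP+UDP)` next to it would make the exposure reviewable. In the first hunk of this file, if `"fail2ban"` is the removed line and `"acme"` the added one (the rendering loses the markers), the commit also drops brute-force protection from a host exposing gitea and a mailserver, which is worth confirming was intended. The enclosing `in { … }` set starts outside the hunks.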


@ -0,0 +1,44 @@
users:
derped:
password: ENC[AES256_GCM,data:XpUNgLLdbzS31XaZm0PbZ6Q/6sDP66YP97VIOV7/ixExFSpJW0gfwIiHuj7ROCeAi8lqcKAnAcTuflUx378HUFtaZ9lSE9GQ26sWcrx9/PYOX0bYnn8nE7S7gVQgf83fIlrK,iv:duZ+xAg/6KgCjEYQbxV4Uhi6RbRhsWW/bHMnlDHzc0M=,tag:iN8uDzDmh7QAMO3ZYiYFLA==,type:str]
mail: ENC[AES256_GCM,data:hEQBzZ4IN9BmwA4s/wDUTFiKyuHl/iVep/xJT5fyOfTaQUPuBMWspDsdEG5g/h1dFf5ujHts2+rcWZiZTjiZbrqCj2/Ivsbqy5xG28VztGPh7M7439TMIq6LrgVUaNVmKxU7,iv:KosKUgGPYicjFSR9njgI/NGSQwBkZR46c6DKyiJITp4=,tag:XIC70j6adWTvvKJJojifPg==,type:str]
services:
gitea:
dbPass: ENC[AES256_GCM,data:Td8oYUkIPi0xDgepRW4LNTLpWRbGYin4VT8gxGP6fAIADaX2F3pf5g==,iv:pTUvtCkpSZXQLheHfOEKLivervrsCc/lHqXbZ1ennGY=,tag:LcEGyoZNigEYXEHp2lCgDQ==,type:str]
hydra:
secretKey: ENC[AES256_GCM,data:TkAFImyj7ESA72aPjUTvUwTVzZ3KpXNdw41Bk2yGOJrNRiP3aA/+iK45BzJdeAssc5evZyvhFE+JE4ovOSuaWUz4YFH/TH41N5dkhSmPTND+hU6u24rv/gTcCH9BH/8uvFOnWCBmkKmFopE=,iv:NSCINUwyNCRMsGNjwfO/P1nMpYDQLxt448W2AfCBmLI=,tag:pfMpTExIabCmsHOiOIf6Qg==,type:str]
nextcloud:
adminPass: ENC[AES256_GCM,data:OEqdKKwpDdnlFA5mTOTaow==,iv:DFHIYqqNNBzmtE+ZbXy1ga2UQyQ9YXE+jYprdEJwYjI=,tag:Rc1viogmOxaK9d60lmGlgg==,type:str]
dbPass: ENC[AES256_GCM,data:6x6efRMiBvIt44SrZANwEGe3iZn3U+ZvY6bdOS/q3Olymm+kEwY+cQ==,iv:aJEADtgIbUu1ewV4MjDvepzoJ6nlFG3J4JgVonPNWfM=,tag:2Sgj1dmr8WcahKnpo3nTSg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MnhBVzREYkdEMXYrbG5F
Tkh5dUk1Z3pvbFU2b29ScHRreUg4Y0poTFdjClFOQzg2aGF5dUtLdFV1Rm5Rb0ZX
cGZDYW9YQWFOa0l6cGFKaFZxVk9PaWcKLS0tIHN2M3puV2V1YzBWd2YvdEdMYTJl
Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD
0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-10T12:32:05Z"
mac: ENC[AES256_GCM,data:uJ5Wi9vYGLB/Z3QHHS5nxFkn1CtxR/wkk/wwYZiL1LWa3w/ZeeBy7L3Kq1i8FIYET3i2cHeeimDYLWtl3xQIEH9FF1fXeTKFMMOh2NTWZC6ZdtRnVtPJapHYaCieBd8R0dga+KE2WzFBjwKiYu6OW+nD8W7tBqbSy0lXAY1WyFU=,iv:QdXhTubQAmuR4bLSPwZcECIuNTPYLoKzVfpfx7e3VJY=,tag:G78fxo87AdRUcNG48RLAPg==,type:str]
pgp:
- created_at: "2023-09-10T17:32:58Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DVbZwA9DOvl8SAQdAJ4Qrf8O6xL6S/cFQVN03zFsAimcaj0i4k1XQt1Nu/Q8w
08L6kBtYMw6PdEMJ0Tm+wqS/cB+kL5xQRGH6a05hbYoSDJdApO7Ur7r4RWS1r4cL
1GgBCQIQT7t2XPbZ7g8EzhIDDffm4JXi0D7oIoeAnpbnad3ao2YUA2hTFTX025FY
dK1kIPCqA4cET+vqM9W3qq1DSKr+YoMrycWyUntwk9TSpy6pmMw4OII8yKnccoNR
LkjqppMzPP/4OQ==
=+ryG
-----END PGP MESSAGE-----
fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
unencrypted_suffix: _unencrypted
version: 3.7.3
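Review bot: The file carries `services.hydra.secretKey` while the configuration in this same commit keeps `# "hydra"` commented out, so a secret for an inactive service is encrypted to the machine key and kept in the rotation set; dropping it until hydra is enabled keeps the blast radius of a key-file compromise to what the host actually uses (sops-nix only materialises keys declared under `sops.secrets`, so this is a hygiene point rather than a leak). `users.derped.password` does not say whether it holds a hash or a plaintext password; if it feeds `users.users.derped.hashedPasswordFile`/`passwordFile`, NixOS expects a crypt(3) hash there, and naming the key `hashedPassword` would make that contract explicit — the consuming module is outside this diff.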

machines/Ophanim/sops.nix Normal file

@ -0,0 +1,11 @@
{ config, lib, ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
age = {
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
}
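Review bot: `generateKey = true` together with `keyFile = "/var/lib/sops-nix/key.txt"` means that on a host where that file does not yet exist, activation creates a fresh age identity whose public key is not the `age1u386…` recipient the new secrets.yaml is encrypted to (unless that recipient was derived from an SSH host key the generator converts), so decryption fails silently-looking until `.sops.yaml` is updated and the file re-encrypted; if the key was provisioned out of band, `generateKey = false` makes a missing key fail loudly instead of minting a second identity. A comment on the option, `# key is pre-provisioned and must match the ophanim recipient in .sops.yaml`, would record which of the two is intended. Nothing here declares `sops.secrets.*`, so this module alone materialises no secrets; if the declarations live elsewhere a pointer comment helps. `config` and `lib` are bound but unused; `{ ... }:` is enough.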