Update Ophanim and add sops.

2023-09-10 15:35:55 +02:00 · 2023-09-10 15:35:55 +02:00 · ec93123f4d
parent 79b05baecf
commit ec93123f4d
5 changed files with 61 additions and 7 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -2,7 +2,7 @@ keys:
  - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
  - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
  - &marid age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67
-  - &ophanim age19j87dhkpgrjc5hghwh0njkt6fdgr6tg90hvxrhlrfqa063cwxepq32a23m
+  - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
 creation_rules:
  - path_regex: machines/Lilim/[^/]+.yaml$
    key_groups:
--- a/machines/Ophanim/hardware-configuration.nix
+++ b/machines/Ophanim/hardware-configuration.nix
@ -1,8 +1,8 @@
-{ pkgs, ... }:
+{ nixpkgs, pkgs, ... }:

 {
  imports =
-    [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+    [ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
    ];

  boot = {
@ -12,7 +12,6 @@
    extraModulePackages = [ ];
    loader.grub = {
      enable = true;
-      version = 2;
      device = "/dev/sda"; # or "nodev" for efi only
    };
  };
--- a/machines/Ophanim/options.nix
+++ b/machines/Ophanim/options.nix
@ -21,7 +21,7 @@ in {
      "server"
    ];
    services = [
-      "fail2ban"
+      "acme"
      "gitea"
 #      "hydra"
      "mailserver"
@ -41,8 +41,8 @@ in {
    firewall = {
      enable = true;
      allowPing = false;
-      allowedUDPPorts = [ 22 80 443 ];
-      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPorts = [ 22 80 443 7776 ];
+      allowedTCPPorts = [ 80 443 7776 ];
    };
  };
 }
--- a/machines/Ophanim/secrets.yaml
+++ b/machines/Ophanim/secrets.yaml
@ -0,0 +1,44 @@
+users:
+    derped:
+        password: ENC[AES256_GCM,data:XpUNgLLdbzS31XaZm0PbZ6Q/6sDP66YP97VIOV7/ixExFSpJW0gfwIiHuj7ROCeAi8lqcKAnAcTuflUx378HUFtaZ9lSE9GQ26sWcrx9/PYOX0bYnn8nE7S7gVQgf83fIlrK,iv:duZ+xAg/6KgCjEYQbxV4Uhi6RbRhsWW/bHMnlDHzc0M=,tag:iN8uDzDmh7QAMO3ZYiYFLA==,type:str]
+        mail: ENC[AES256_GCM,data:hEQBzZ4IN9BmwA4s/wDUTFiKyuHl/iVep/xJT5fyOfTaQUPuBMWspDsdEG5g/h1dFf5ujHts2+rcWZiZTjiZbrqCj2/Ivsbqy5xG28VztGPh7M7439TMIq6LrgVUaNVmKxU7,iv:KosKUgGPYicjFSR9njgI/NGSQwBkZR46c6DKyiJITp4=,tag:XIC70j6adWTvvKJJojifPg==,type:str]
+services:
+    gitea:
+        dbPass: ENC[AES256_GCM,data:Td8oYUkIPi0xDgepRW4LNTLpWRbGYin4VT8gxGP6fAIADaX2F3pf5g==,iv:pTUvtCkpSZXQLheHfOEKLivervrsCc/lHqXbZ1ennGY=,tag:LcEGyoZNigEYXEHp2lCgDQ==,type:str]
+    hydra:
+        secretKey: ENC[AES256_GCM,data:TkAFImyj7ESA72aPjUTvUwTVzZ3KpXNdw41Bk2yGOJrNRiP3aA/+iK45BzJdeAssc5evZyvhFE+JE4ovOSuaWUz4YFH/TH41N5dkhSmPTND+hU6u24rv/gTcCH9BH/8uvFOnWCBmkKmFopE=,iv:NSCINUwyNCRMsGNjwfO/P1nMpYDQLxt448W2AfCBmLI=,tag:pfMpTExIabCmsHOiOIf6Qg==,type:str]
+    nextcloud:
+        adminPass: ENC[AES256_GCM,data:OEqdKKwpDdnlFA5mTOTaow==,iv:DFHIYqqNNBzmtE+ZbXy1ga2UQyQ9YXE+jYprdEJwYjI=,tag:Rc1viogmOxaK9d60lmGlgg==,type:str]
+        dbPass: ENC[AES256_GCM,data:6x6efRMiBvIt44SrZANwEGe3iZn3U+ZvY6bdOS/q3Olymm+kEwY+cQ==,iv:aJEADtgIbUu1ewV4MjDvepzoJ6nlFG3J4JgVonPNWfM=,tag:2Sgj1dmr8WcahKnpo3nTSg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MnhBVzREYkdEMXYrbG5F
+            Tkh5dUk1Z3pvbFU2b29ScHRreUg4Y0poTFdjClFOQzg2aGF5dUtLdFV1Rm5Rb0ZX
+            cGZDYW9YQWFOa0l6cGFKaFZxVk9PaWcKLS0tIHN2M3puV2V1YzBWd2YvdEdMYTJl
+            Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD
+            0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-09-10T12:32:05Z"
+    mac: ENC[AES256_GCM,data:uJ5Wi9vYGLB/Z3QHHS5nxFkn1CtxR/wkk/wwYZiL1LWa3w/ZeeBy7L3Kq1i8FIYET3i2cHeeimDYLWtl3xQIEH9FF1fXeTKFMMOh2NTWZC6ZdtRnVtPJapHYaCieBd8R0dga+KE2WzFBjwKiYu6OW+nD8W7tBqbSy0lXAY1WyFU=,iv:QdXhTubQAmuR4bLSPwZcECIuNTPYLoKzVfpfx7e3VJY=,tag:G78fxo87AdRUcNG48RLAPg==,type:str]
+    pgp:
+        - created_at: "2023-09-10T17:32:58Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DVbZwA9DOvl8SAQdAJ4Qrf8O6xL6S/cFQVN03zFsAimcaj0i4k1XQt1Nu/Q8w
+            08L6kBtYMw6PdEMJ0Tm+wqS/cB+kL5xQRGH6a05hbYoSDJdApO7Ur7r4RWS1r4cL
+            1GgBCQIQT7t2XPbZ7g8EzhIDDffm4JXi0D7oIoeAnpbnad3ao2YUA2hTFTX025FY
+            dK1kIPCqA4cET+vqM9W3qq1DSKr+YoMrycWyUntwk9TSpy6pmMw4OII8yKnccoNR
+            LkjqppMzPP/4OQ==
+            =+ryG
+            -----END PGP MESSAGE-----
+          fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/machines/Ophanim/sops.nix
+++ b/machines/Ophanim/sops.nix
@ -0,0 +1,11 @@
+{ config, lib, ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age = {
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+  };
+}