diff --git a/.sops.yaml b/.sops.yaml
index 32d4baf..f7514fa 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,7 +2,7 @@ keys:
   - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
   - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
   - &marid age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67
-  - &ophanim age19j87dhkpgrjc5hghwh0njkt6fdgr6tg90hvxrhlrfqa063cwxepq32a23m
+  - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
 creation_rules:
   - path_regex: machines/Lilim/[^/]+.yaml$
     key_groups:
diff --git a/machines/Ophanim/hardware-configuration.nix b/machines/Ophanim/hardware-configuration.nix
index 83329fb..ceb6e68 100644
--- a/machines/Ophanim/hardware-configuration.nix
+++ b/machines/Ophanim/hardware-configuration.nix
@@ -1,8 +1,8 @@
-{ pkgs, ... }:
+{ nixpkgs, pkgs, ... }:
 
 {
   imports =
-    [
+    [ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
     ];
 
   boot = {
@@ -12,7 +12,6 @@
     extraModulePackages = [ ];
     loader.grub = {
       enable = true;
-      version = 2;
       device = "/dev/sda"; # or "nodev" for efi only
     };
   };
diff --git a/machines/Ophanim/options.nix b/machines/Ophanim/options.nix
index 882d958..25fa46e 100644
--- a/machines/Ophanim/options.nix
+++ b/machines/Ophanim/options.nix
@@ -21,7 +21,7 @@ in {
       "server"
     ];
     services = [
-      "fail2ban"
+      "acme"
       "gitea"
       # "hydra"
       "mailserver"
@@ -41,8 +41,8 @@ in {
     firewall = {
       enable = true;
       allowPing = false;
-      allowedUDPPorts = [ 22 80 443 ];
-      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPorts = [ 22 80 443 7776 ];
+      allowedTCPPorts = [ 80 443 7776 ];
     };
   };
 }
diff --git a/machines/Ophanim/secrets.yaml b/machines/Ophanim/secrets.yaml
new file mode 100644
index 0000000..38ab453
--- /dev/null
+++ b/machines/Ophanim/secrets.yaml
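Review bot: Swapping the `&ophanim` recipient only changes what future encryptions target; any existing file under `machines/Ophanim/` that was encrypted to `age19j87…` still needs `sops updatekeys` so the new host identity can decrypt it and the retired key is dropped from its key group. The Ophanim creation rule is outside this hunk, so I cannot confirm it references `*ophanim`; the new `secrets.yaml` in this commit is encrypted to `age1u386…`, which does match the new anchor. A short comment on the key line, e.g. `# rotated 2023-09-10 (host re-provisioned)`, would tell a later auditor whether the old key was retired or compromised.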
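Review bot: The added import depends on `nixpkgs` being injected as a module argument (via `specialArgs` or `_module.args`), which is not visible here, and evaluation fails with an undefined-variable error wherever that argument is absent. NixOS already provides `modulesPath` for exactly this purpose; `{ modulesPath, pkgs, ... }:` together with `(modulesPath + "/profiles/qemu-guest.nix")` removes the hidden dependency and guarantees the profile comes from the same nixpkgs that evaluates this configuration. `pkgs` is not used in the visible lines. The `boot` attribute set opened at the end of this hunk continues past it.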
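Review bot: `"fail2ban"` is replaced by `"acme"` rather than kept alongside it, which removes brute-force lockout from a host that also enables `"gitea"` and `"mailserver"` — services that typically expose password-authenticated logins, and presumably SSH as well. This reads like an accidental replace-instead-of-add; if it is deliberate, a comment saying what now rate-limits failed logins would avoid the question, otherwise the list should contain `"acme"` and `"fail2ban"` on consecutive lines. What each entry in `services` actually enables is defined elsewhere, so the effect is inferred from the names.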
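Review bot: Port 7776 is opened on both TCP and UDP with no comment naming the service that listens there, so a later reader cannot tell whether the UDP entry is required or leftover. `22` and `80` in `allowedUDPPorts` also look copied from the TCP side: SSH and plain HTTP are TCP-only, and QUIC/HTTP-3 would use 443/udp. Unless something actually binds those UDP sockets, I would tighten the new lines to `allowedUDPPorts = [ 443 7776 ]; # 7776: <service>` and `allowedTCPPorts = [ 80 443 7776 ]; # 7776: <service>`. SSH/22 is absent from the TCP list, so SSH access presumably relies on `services.openssh.openFirewall` elsewhere — worth confirming.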
@@ -0,0 +1,44 @@
+users:
+    derped:
+        password: ENC[AES256_GCM,data:XpUNgLLdbzS31XaZm0PbZ6Q/6sDP66YP97VIOV7/ixExFSpJW0gfwIiHuj7ROCeAi8lqcKAnAcTuflUx378HUFtaZ9lSE9GQ26sWcrx9/PYOX0bYnn8nE7S7gVQgf83fIlrK,iv:duZ+xAg/6KgCjEYQbxV4Uhi6RbRhsWW/bHMnlDHzc0M=,tag:iN8uDzDmh7QAMO3ZYiYFLA==,type:str]
+        mail: ENC[AES256_GCM,data:hEQBzZ4IN9BmwA4s/wDUTFiKyuHl/iVep/xJT5fyOfTaQUPuBMWspDsdEG5g/h1dFf5ujHts2+rcWZiZTjiZbrqCj2/Ivsbqy5xG28VztGPh7M7439TMIq6LrgVUaNVmKxU7,iv:KosKUgGPYicjFSR9njgI/NGSQwBkZR46c6DKyiJITp4=,tag:XIC70j6adWTvvKJJojifPg==,type:str]
+services:
+    gitea:
+        dbPass: ENC[AES256_GCM,data:Td8oYUkIPi0xDgepRW4LNTLpWRbGYin4VT8gxGP6fAIADaX2F3pf5g==,iv:pTUvtCkpSZXQLheHfOEKLivervrsCc/lHqXbZ1ennGY=,tag:LcEGyoZNigEYXEHp2lCgDQ==,type:str]
+    hydra:
+        secretKey: ENC[AES256_GCM,data:TkAFImyj7ESA72aPjUTvUwTVzZ3KpXNdw41Bk2yGOJrNRiP3aA/+iK45BzJdeAssc5evZyvhFE+JE4ovOSuaWUz4YFH/TH41N5dkhSmPTND+hU6u24rv/gTcCH9BH/8uvFOnWCBmkKmFopE=,iv:NSCINUwyNCRMsGNjwfO/P1nMpYDQLxt448W2AfCBmLI=,tag:pfMpTExIabCmsHOiOIf6Qg==,type:str]
+    nextcloud:
+        adminPass: ENC[AES256_GCM,data:OEqdKKwpDdnlFA5mTOTaow==,iv:DFHIYqqNNBzmtE+ZbXy1ga2UQyQ9YXE+jYprdEJwYjI=,tag:Rc1viogmOxaK9d60lmGlgg==,type:str]
+        dbPass: ENC[AES256_GCM,data:6x6efRMiBvIt44SrZANwEGe3iZn3U+ZvY6bdOS/q3Olymm+kEwY+cQ==,iv:aJEADtgIbUu1ewV4MjDvepzoJ6nlFG3J4JgVonPNWfM=,tag:2Sgj1dmr8WcahKnpo3nTSg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MnhBVzREYkdEMXYrbG5F
+            Tkh5dUk1Z3pvbFU2b29ScHRreUg4Y0poTFdjClFOQzg2aGF5dUtLdFV1Rm5Rb0ZX
+            cGZDYW9YQWFOa0l6cGFKaFZxVk9PaWcKLS0tIHN2M3puV2V1YzBWd2YvdEdMYTJl
+            Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD
+            0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-09-10T12:32:05Z"
+    mac: ENC[AES256_GCM,data:uJ5Wi9vYGLB/Z3QHHS5nxFkn1CtxR/wkk/wwYZiL1LWa3w/ZeeBy7L3Kq1i8FIYET3i2cHeeimDYLWtl3xQIEH9FF1fXeTKFMMOh2NTWZC6ZdtRnVtPJapHYaCieBd8R0dga+KE2WzFBjwKiYu6OW+nD8W7tBqbSy0lXAY1WyFU=,iv:QdXhTubQAmuR4bLSPwZcECIuNTPYLoKzVfpfx7e3VJY=,tag:G78fxo87AdRUcNG48RLAPg==,type:str]
+    pgp:
+        - created_at: "2023-09-10T17:32:58Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DVbZwA9DOvl8SAQdAJ4Qrf8O6xL6S/cFQVN03zFsAimcaj0i4k1XQt1Nu/Q8w
+            08L6kBtYMw6PdEMJ0Tm+wqS/cB+kL5xQRGH6a05hbYoSDJdApO7Ur7r4RWS1r4cL
+            1GgBCQIQT7t2XPbZ7g8EzhIDDffm4JXi0D7oIoeAnpbnad3ao2YUA2hTFTX025FY
+            dK1kIPCqA4cET+vqM9W3qq1DSKr+YoMrycWyUntwk9TSpy6pmMw4OII8yKnccoNR
+            LkjqppMzPP/4OQ==
+            =+ryG
+            -----END PGP MESSAGE-----
+          fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/machines/Ophanim/sops.nix b/machines/Ophanim/sops.nix
new file mode 100644
index 0000000..85c8b25
--- /dev/null
+++ b/machines/Ophanim/sops.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age = {
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+  };
+}
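Review bot: `generateKey = true;` means a host whose `/var/lib/sops-nix/key.txt` is missing (fresh install, or restored from a backup that excluded it) silently mints a random age identity that matches no recipient in `secrets.yaml`, so the problem only surfaces later as an opaque decrypt failure at activation rather than at the point where the key should have been provisioned. Because this identity is pinned in `.sops.yaml` as `&ophanim`, `generateKey = false;` (fail loudly when the key is absent) or deriving the identity from the SSH host key with `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` are both more predictable; which one fits depends on how the host is provisioned, which is not visible here. `config` and `lib` in the module header are unused in this file. A comment above `keyFile` such as `# private half of the &ophanim recipient in .sops.yaml; lives only on this host, never in the repo` would make the link to the recipient list explicit.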