Update Ophanim and add sops.
This commit is contained in:
parent
79b05baecf
commit
ec93123f4d
5 changed files with 61 additions and 7 deletions
@ -2,7 +2,7 @@ keys:
- &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
- &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
- &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
- &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
- &marid age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67
- &marid age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67
- &ophanim age19j87dhkpgrjc5hghwh0njkt6fdgr6tg90hvxrhlrfqa063cwxepq32a23m
- &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
creation_rules:
creation_rules:
- path_regex: machines/Lilim/[^/]+.yaml$
- path_regex: machines/Lilim/[^/]+.yaml$
key_groups:
key_groups:
@ -1,8 +1,8 @@
{ pkgs, ... }:
{ nixpkgs, pkgs, ... }:
{
{
imports =
imports =
[ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
[ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
];
];
boot = {
boot = {
@ -12,7 +12,6 @@
extraModulePackages = [ ];
extraModulePackages = [ ];
loader.grub = {
loader.grub = {
enable = true;
enable = true;
version = 2;
device = "/dev/sda"; # or "nodev" for efi only
device = "/dev/sda"; # or "nodev" for efi only
};
};
};
};
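Review bot: `{ nixpkgs, pkgs, ... }:` in the first hunk makes this module depend on a `nixpkgs` argument that plain NixOS module evaluation does not supply, so it presumably arrives through `specialArgs` or `_module.args` in the flake; that wiring is not in the hunk, and a module evaluated without it now fails at the `imports` line where the `<nixpkgs/...>` path lookup used to work. A one-line header comment would record the contract: `# nixpkgs: the flake input, supplied via specialArgs; only used for the qemu-guest profile path`. Dropping `version = 2;` in the second hunk is fine, that grub option has been deprecated upstream.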
@ -21,7 +21,7 @@ in {
"server"
"server"
];
];
services = [
services = [
"fail2ban"
"acme"
"gitea"
"gitea"
# "hydra"
# "hydra"
"mailserver"
"mailserver"
@ -41,8 +41,8 @@ in {
firewall = {
firewall = {
enable = true;
enable = true;
allowPing = false;
allowPing = false;
allowedUDPPorts = [ 22 80 443 ];
allowedUDPPorts = [ 22 80 443 7776 ];
allowedTCPPorts = [ 80 443 ];
allowedTCPPorts = [ 80 443 7776 ];
};
};
};
};
}
}
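Review bot: Port 7776 is added to both `allowedUDPPorts` and `allowedTCPPorts` in the firewall hunk with nothing naming the service that listens on it, and the UDP list still carries the pre-existing entry for 22, which serves nothing since SSH is TCP. Name the port and keep only the protocol it needs, e.g. `allowedUDPPorts = [ 80 443 7776 ]; # 7776: <service> — TODO confirm it needs UDP` and `allowedTCPPorts = [ 80 443 7776 ]; # 7776: <service>`. In the earlier hunk "fail2ban" gives way to "acme" in the services list; that list starts and ends outside the hunk, so if fail2ban is not enabled elsewhere the mailserver and gitea endpoints lose brute-force throttling in the same commit that widens the firewall, which deserves a line in the commit message either way.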
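--- /dev/null
+++ b/machines/Ophanim/secrets.yaml
@@ -0,0 +1,44 @@
+users:
+derped:
+password: ENC[AES256_GCM,data:XpUNgLLdbzS31XaZm0PbZ6Q/6sDP66YP97VIOV7/ixExFSpJW0gfwIiHuj7ROCeAi8lqcKAnAcTuflUx378HUFtaZ9lSE9GQ26sWcrx9/PYOX0bYnn8nE7S7gVQgf83fIlrK,iv:duZ+xAg/6KgCjEYQbxV4Uhi6RbRhsWW/bHMnlDHzc0M=,tag:iN8uDzDmh7QAMO3ZYiYFLA==,type:str]
+mail: ENC[AES256_GCM,data:hEQBzZ4IN9BmwA4s/wDUTFiKyuHl/iVep/xJT5fyOfTaQUPuBMWspDsdEG5g/h1dFf5ujHts2+rcWZiZTjiZbrqCj2/Ivsbqy5xG28VztGPh7M7439TMIq6LrgVUaNVmKxU7,iv:KosKUgGPYicjFSR9njgI/NGSQwBkZR46c6DKyiJITp4=,tag:XIC70j6adWTvvKJJojifPg==,type:str]
+services:
+gitea:
+dbPass: ENC[AES256_GCM,data:Td8oYUkIPi0xDgepRW4LNTLpWRbGYin4VT8gxGP6fAIADaX2F3pf5g==,iv:pTUvtCkpSZXQLheHfOEKLivervrsCc/lHqXbZ1ennGY=,tag:LcEGyoZNigEYXEHp2lCgDQ==,type:str]
+hydra:
+secretKey: ENC[AES256_GCM,data:TkAFImyj7ESA72aPjUTvUwTVzZ3KpXNdw41Bk2yGOJrNRiP3aA/+iK45BzJdeAssc5evZyvhFE+JE4ovOSuaWUz4YFH/TH41N5dkhSmPTND+hU6u24rv/gTcCH9BH/8uvFOnWCBmkKmFopE=,iv:NSCINUwyNCRMsGNjwfO/P1nMpYDQLxt448W2AfCBmLI=,tag:pfMpTExIabCmsHOiOIf6Qg==,type:str]
+nextcloud:
+adminPass: ENC[AES256_GCM,data:OEqdKKwpDdnlFA5mTOTaow==,iv:DFHIYqqNNBzmtE+ZbXy1ga2UQyQ9YXE+jYprdEJwYjI=,tag:Rc1viogmOxaK9d60lmGlgg==,type:str]
+dbPass: ENC[AES256_GCM,data:6x6efRMiBvIt44SrZANwEGe3iZn3U+ZvY6bdOS/q3Olymm+kEwY+cQ==,iv:aJEADtgIbUu1ewV4MjDvepzoJ6nlFG3J4JgVonPNWfM=,tag:2Sgj1dmr8WcahKnpo3nTSg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MnhBVzREYkdEMXYrbG5F
+Tkh5dUk1Z3pvbFU2b29ScHRreUg4Y0poTFdjClFOQzg2aGF5dUtLdFV1Rm5Rb0ZX
+cGZDYW9YQWFOa0l6cGFKaFZxVk9PaWcKLS0tIHN2M3puV2V1YzBWd2YvdEdMYTJl
+Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD
+0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-09-10T12:32:05Z"
+mac: ENC[AES256_GCM,data:uJ5Wi9vYGLB/Z3QHHS5nxFkn1CtxR/wkk/wwYZiL1LWa3w/ZeeBy7L3Kq1i8FIYET3i2cHeeimDYLWtl3xQIEH9FF1fXeTKFMMOh2NTWZC6ZdtRnVtPJapHYaCieBd8R0dga+KE2WzFBjwKiYu6OW+nD8W7tBqbSy0lXAY1WyFU=,iv:QdXhTubQAmuR4bLSPwZcECIuNTPYLoKzVfpfx7e3VJY=,tag:G78fxo87AdRUcNG48RLAPg==,type:str]
+pgp:
+- created_at: "2023-09-10T17:32:58Z"
+enc: |
+-----BEGIN PGP MESSAGE-----
+
+hF4DVbZwA9DOvl8SAQdAJ4Qrf8O6xL6S/cFQVN03zFsAimcaj0i4k1XQt1Nu/Q8w
+08L6kBtYMw6PdEMJ0Tm+wqS/cB+kL5xQRGH6a05hbYoSDJdApO7Ur7r4RWS1r4cL
+1GgBCQIQT7t2XPbZ7g8EzhIDDffm4JXi0D7oIoeAnpbnad3ao2YUA2hTFTX025FY
+dK1kIPCqA4cET+vqM9W3qq1DSKr+YoMrycWyUntwk9TSpy6pmMw4OII8yKnccoNR
+LkjqppMzPP/4OQ==
+=+ryG
+-----END PGP MESSAGE-----
+fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+unencrypted_suffix: _unencrypted
+version: 3.7.3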
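Review bot: The recipient set here, the rotated ophanim key `age1u386…stz34du` plus the admins PGP key `1F2EA6D9…57DC7E2`, matches the updated .sops.yaml hunk, but the only creation rule visible in that hunk is `path_regex: machines/Lilim/[^/]+.yaml$`; confirm a rule for `machines/Ophanim/[^/]+.yaml$` exists outside the hunk, otherwise `sops updatekeys` cannot derive this file's key group on the next rotation. Because the ophanim recipient changed in the same commit, any other file that was encrypted to the old `age19j87…` key needs `sops updatekeys`, and earlier revisions stay readable with that old key in git history; no such file is visible here, so this may be moot. The `hydra` secretKey is included while `"hydra"` stays commented out in the machine's service list, which is harmless but worth a short comment if intentional.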
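--- /dev/null
+++ b/machines/Ophanim/sops.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+
+{
+sops = {
+defaultSopsFile = ./secrets.yaml;
+age = {
+keyFile = "/var/lib/sops-nix/key.txt";
+generateKey = true;
+};
+};
+}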
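Review bot: `generateKey = true` next to `keyFile = "/var/lib/sops-nix/key.txt"` means a host that lacks that file gets a freshly generated key whose public half is not the `age1u386…stz34du` recipient in secrets.yaml, so the first activation cannot decrypt anything until the matching private key is placed at that path out of band, and nothing in the module says so. Add above `keyFile`: `# private key for recipient age1u386…stz34du must be provisioned here before first activation; generateKey only creates a key when the file is missing and a generated key cannot decrypt secrets.yaml`. `config` and `lib` are accepted but unused; `{ ... }:` would do.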