hosts/plover: update secrets and service configs

Gabriel Arazas 2024-09-23 19:13:29 +08:00
parent 18e30ed70c
commit 4cfbee7326
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
6 changed files with 36 additions and 66 deletions


@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEv1ER/bAK0tTrlZUEMfV28pMTgi4n8zLUOECo3ltNR Plover server
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGo3tfNQjWZ5pxlqREfBgQJxdNzGHKJIy5hDS9Z+Hpth plover.foodogsquared.one


@ -41,7 +41,7 @@ let
yearly = 6;
};
startAt = "monthly";
environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/ssh-key".path}";
environment.BORG_RSH = "ssh -i ${config.sops.secrets."ssh-key".path}";
};
in
{
@ -50,23 +50,10 @@ in
config = lib.mkIf cfg.enable {
sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
"borg/repos/host/patterns/keys" = { };
"borg/repos/host/password" = { };
"borg/repos/services/password" = { };
"borg/ssh-key" = { };
};
services.borgbackup.jobs = {
# Backup for host-specific files. They don't change much so it is
# acceptable for it to be backed up monthly.
host-backup = jobCommonSettings {
patternFiles = [
config.sops.secrets."borg/repos/host/patterns/keys".path
];
repo = borgRepo "host";
passCommand = "cat ${config.sops.secrets."borg/repos/host/password".path}";
};
# Backups for various services.
services-backup = jobCommonSettings
{
@ -81,7 +68,7 @@ in
programs.ssh.extraConfig = ''
Host ${hetzner-boxes-server}
IdentityFile ${config.sops.secrets."borg/ssh-key".path}
IdentityFile ${config.sops.secrets."ssh-key".path}
'';
};
}
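Review bot: `config.sops.secrets."ssh-key".path` is read on the new `environment.BORG_RSH` line and the new `IdentityFile` line, but the second hunk only removes `"borg/ssh-key" = { };` from this module's `sops.secrets` call and declares no `"ssh-key"` in its place, so unless a module outside this diff already declares that secret, evaluation fails with a missing-attribute error; adding `"ssh-key" = { };` next to `"borg/repos/services/password" = { };` keeps the module self-contained. The rename also turns a backup-scoped SSH identity into a host-wide one; if the same key is later reused for other remotes, the storage-box access it grants widens with it. Separately, the removed host-backup job's passphrase `borg/repos/host/password` is deleted from secrets.yaml in the same commit, so archives already in the `host` repo stay restorable only if that passphrase is kept somewhere else. The module's `let` block begins before the first hunk.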


@ -166,7 +166,7 @@ in
services.grafana.settings."auth.generic_oauth" = {
api_url = authSubpath "oauth2/authorise";
client_id = "grafana";
client_secret = "$__file{${config.sops.secrets."vouch-proxy/client/secret".path}";
client_secret = "$__file{${config.sops.secrets."vouch-proxy/domains/${config.networking.domain}/jwt-secret".path}";
enabled = true;
name = "Kanidm";
oauth_url = authSubpath "ui/oauth2";
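Review bot: The `$__file{` opening brace on the new `client_secret` line is never closed: after the Nix interpolation `${...path}` the string ends immediately, so Grafana is handed `$__file{/path/to/secret` literally instead of reading the file; the line should end `...jwt-secret".path}}";` (the removed line had the same defect). Beyond the syntax, the new path points Grafana at vouch-proxy's JWT signing secret rather than an OAuth client secret, while the vouch module in this same commit declares `vouch-proxy/domains/${domain}/client-secret`, which looks like the intended key; and since `client_id = "grafana"` differs from vouch's `client_id = "vouch"`, Kanidm presumably expects a distinct secret for this client in any case. Also worth confirming that the grafana service user can read a sops file created under vouch-proxy's `vouchPermissions`, since `$__file{}` is resolved by the Grafana process itself. The `"auth.generic_oauth"` attribute set continues outside the hunk.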


@ -23,7 +23,7 @@ in
enableServer = true;
serverSettings = {
domain = authDomain;
origin = "https://${authDomain}:${builtins.toString port}";
origin = "https://${authDomain}";
bindaddress = "127.0.0.1:${builtins.toString port}";
ldapbindaddress = "127.0.0.1:3636";
role = "WriteReplica";
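Review bot: Dropping the port from `origin` while `bindaddress` stays on `127.0.0.1:${builtins.toString port}` makes this line correct only if something outside the file — presumably a reverse proxy publishing Kanidm on the default HTTPS port under `authDomain` — is in place, and that dependency is not recorded. Kanidm derives its OAuth2 issuer/redirect URLs and its WebAuthn origin check from `origin`, so it has to match what browsers actually reach; a comment such as `# Public URL as seen by clients (fronted by a reverse proxy on 443); deliberately omits the loopback bind port.` would capture why the port was removed. The `serverSettings` set continues outside the hunk.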


@ -5,6 +5,7 @@ let
cfg = hostCfg.services.vouch-proxy;
inherit (config.services.vouch-proxy.instances."${vouchDomain}") settings;
inherit (config.networking) domain;
vouchDomain = "vouch.${config.networking.domain}";
authDomain = config.services.kanidm.serverSettings.domain;
in
@ -14,6 +15,10 @@ in
config = lib.mkIf cfg.enable (lib.mkMerge [
{
state.ports = {
"vouch-proxy-${domain}".value = 19900;
};
sops.secrets =
let
vouchPermissions = rec {
@ -23,8 +28,8 @@ in
};
in
foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
"vouch-proxy/jwt/secret" = vouchPermissions;
"vouch-proxy/client/secret" = vouchPermissions;
"vouch-proxy/domains/${domain}/jwt-secret" = vouchPermissions;
"vouch-proxy/domains/${domain}/client-secret" = vouchPermissions;
};
services.vouch-proxy = {
@ -32,16 +37,17 @@ in
instances."${vouchDomain}".settings = {
vouch = {
listen = "127.0.0.1";
port = 19900;
port = config.state.ports."vouch-proxy-${domain}".value;
domains = [ "foodogsquared.one" ];
jwt.secret._secret = config.sops.secrets."vouch-proxy/jwt/secret".path;
jwt.secret._secret = config.sops.secrets."vouch-proxy/domains/${domain}/jwt-secret".path;
cookie.secure = true;
};
oauth = rec {
provider = "oidc";
client_id = "vouch";
client_secret._secret = config.sops.secrets."vouch-proxy/client/secret".path;
client_secret._secret = config.sops.secrets."vouch-proxy/domains/${domain}/client-secret".path;
code_challenge_method = "S256";
auth_url = "https://${authDomain}/ui/oauth2";
token_url = "https://${authDomain}/oauth2/token";
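Review bot: `domains = [ "foodogsquared.one" ];` is still a hard-coded literal while the listen port, both secret paths and the `state.ports` key in this hunk are now derived from `domain`; if `config.networking.domain` is ever not `foodogsquared.one`, vouch would issue cookies for one domain while its JWT and client secrets are keyed under another, so `domains = [ domain ];` keeps the line consistent with the rest of the change. In the `let` block, `vouchDomain = "vouch.${config.networking.domain}";` could likewise become `vouchDomain = "vouch.${domain}";` now that `domain` is inherited on the line above it. The `settings.oauth` set continues outside the hunk.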


@ -1,61 +1,38 @@
ssh-key: ENC[AES256_GCM,data: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,iv:1OGfGUojkL0/DS+HMbyAK0GeVKa6AuQkyRwO5txiD54=,tag:TmD3ljgWGv0SNPq8GxI/kw==,type:str]
lego:
env: ENC[AES256_GCM,data:gmzfAQOK94baSS0nOHEX33n61kLbGRHqoAa1W+KnLsfC3RLSbtgeRXgmKfsKFwfd1czQE5Yf/ZB/eTjDSUPLfXcnt4OoiNAyJNxAoc5cpeveYIlp9WaqdSkcD+zefLPmwYDTVPyrBKS1qE8GjYBxpfObnesbwq8hxx9Tm19Z+MTB+DznYqhSFt5Yx5+VnBaeQBMKnLd3XGazRv//QnpUFvgJba0SF4mhD3I40SHKMt3enmj1M+ITIn99ELf7HG0XSCH7aGmccXraQNUnAOwdJCNXyFY/ASxoK0DLv8Um5VX6O04GZVg2y3EoGsNZkyH9T8/3jTg=,iv:iYct97YZhUcoy/C5aVmSlsHLEyPVlRP2pGdwvwTIm9w=,tag:Hf3CMJwUXY5yf0CUxPNbtQ==,type:str]
gitea:
db:
password: ENC[AES256_GCM,data:IyE1O7xzZqdycEayUAKh1L7+9rrpiPLQ6GevpsxWoDI7xmgCqlDCnY72jh1kQEvpGZxK1gfdP/fEQKX85T3imjwkAqPp4v6hRw==,iv:zChXWYtY1BIwE0ROJYtVj3FNhJbSLh/mu7adbhliawU=,tag:wSSx5horaghOjuiV7V/80w==,type:str]
smtp:
password: ENC[AES256_GCM,data:XmpnfRtKJ/jA174CFKqCMWkbqbRZRPOq27RVKVZdc5sn5Q6xLg5mTWWN0cKwuy/o+Ikrrx4D4HOgQdyzubxl+n+P87LA,iv:Ou3TlnoiK/8kr4Kl/iNpvMWm7Wv5Y5NqLk4FkxhG3ag=,tag:xSDTgo9w3sZxF2WMM2+yjg==,type:str]
vaultwarden:
env: ENC[AES256_GCM,data:4konD7dDPZsaQepjej6UB1w2xxSHNSslB1ELW5kJkNB2esY88J17Bi+ykpZtLIUwzZGNuONhpxQORU2O9YsUA7iK3SzBBbx8+HCZ67euISOt1ANMQq/GkZZiIWQXgjMpPMmxWaryzIk0ApaR+j1OMmMqIniKqOyumVDUL7RX+IH/SBzhPkIjADZoLDjeW4ovKJHBqJUqbwD8xhbN8sClOsaNANP+evax0zRnh8fx3ojMASVYrDbpt6AUGGrJY32PVjd55NFQalK/D57pNKqIos8A0zqD6aQXoo/jziyFQCNs5QCr07bsHza+ghQN5A==,iv:8BAMrNWFiidQKJ7huyxG7FTvBt0seBIg3RhoRRkmCtQ=,tag:SpNRNZ1i5Fo8EUAivph98w==,type:str]
borg:
repos:
host:
password: ENC[AES256_GCM,data:EEHtGBASOY1t1hGmtNZ7/Edc01v4yNZgpcycT04=,iv:pgQ43gqx9iYk+SfGkPQfknTixn0MLkeTJzhUhOzjw6A=,tag:ihuKeJnY/L5iBfx/pvBRYw==,type:str]
patterns:
keys: ENC[AES256_GCM,data:u+oNQAUoPVIZHAtjNhjg+P/n2XGLpFZGPKxgxwbkaCGXvTg5femyjPTghFKypeANfK13AuPu7RjjG68S/5+HfiB3,iv:zlicZvzURkhY2XIYLO1QFavV4gikZWRyL5BXZ7Oax7E=,tag:QWhMGYgUKkoocAFJW0GICQ==,type:str]
services:
password: ENC[AES256_GCM,data:FDzK9Iv1iAhbRoSOiW1c0G5lW39BcivDAp0QzaW/XT2y,iv:VD/coWjhdsYAi8R03AqSH2kcqHHdqiXuxGINuWAwVek=,tag:mBLwdJGdOEEHO82rsvCYiw==,type:str]
ssh-key: ENC[AES256_GCM,data:XiI8QkWMzAB0Vs7rASp8Y1l+rBRWDyNZG7tM8mpetfkcOfUK9mOwzSeAkaivY73P7h7wlvwyz7rTGDdyoLd5707udIG8UfWnaZ80MQHFiB7INBm5Jccw9F1tHJaiUOXd8xPlthiq+QpBvg292cXGUfjNubjzJhJqLMfJQGJcsaQ0f0khSShMwA2x2kV4dRzdscuzbDTzPuWBTMJuGwkYSrq67d8lyoOYmZ4LuymofDgBh5d4i0Tg9IQAWyT24nCbtVfN4DJW9bXQ5aNyPbqTiTOHdRjuvKnyLMhX536rrrMH575nIOHH167f57bEzqMu9jvcHGFL41lZrAuKKyj9PdUhGHsvHl/H3spqI67B6BA8MnBAQTez5DiekmKiq0mwUQ1HUFR7Kf+RonZbiHJhw35J82Njt+OxbMjHFg6Ag4tG+GBBBBO+eRb7EkFXmSawl4XxLCdiYsXGSTI1qj+ei0poREWVy+mJ25YX61H+6UZrIOwGQe+PrIkfwjLktWMxny4WvuHyGkmGV6yw/+/sIKDCzcAvcQ/plmW60DL7hrACJIOFSzEe2MUDJx7wAv2o,iv:bw/ut6GXEYwSCafnEgYC2narGRQmL2lotD6ezZGl7+A=,tag:dxjER1TDJwXWPtKJb+UK9Q==,type:str]
wireguard:
private-key: ENC[AES256_GCM,data:6mrCsG7CSK7vTuG6kctevPPpIUKDPrHHfZJEPBfVq9AbuDkghT0jOy0nx+E=,iv:fEYzTOYWYIpfRIEBd0rxDc8uUCb1d1IyByguDXk9sVg=,tag:79miZddF6Sr4CwW/980HOw==,type:str]
preshared-keys:
ni: ENC[AES256_GCM,data:NAgNnVtPKCaaSagWCIet5pd5ZehymJPmhQShoO/ktqa1pl6MtzJsygbTktk=,iv:2/sOdNN6QX1Rou5xnq87t/m/kguPTthOXD8oXJfvM90=,tag:F/I2CYR9O1LAlLs/9LaXGg==,type:str]
phone: ENC[AES256_GCM,data:3wIv8mE7eYhvSjwcE9fwsUZhh2Svmzg+RFjJzvjvMyB9V3uvBYG8vmB751w=,iv:iSm4dXNVqFa52eq0Hhct1MGSoq4x7FFzWdjXHlkGTW8=,tag:Lr463ee5r/ZhEC78uYyzfQ==,type:str]
dns:
foodogsquared.one:
mailbox-security-key: ENC[AES256_GCM,data:CmiAcewC47dTlKX+PmWJrnSM7dreMImEL3nw6+MnJ2MCwcnakT8zUw==,iv:tRh4d+QUUqxzz+c0r6NLnnPOgqtYZNdE3RgCa7MbvE4=,tag:RHkPwRVt8+YCw61RwBZZzg==,type:str]
mailbox-security-key-record: ENC[AES256_GCM,data:vXwTyZEsov20GDkg/X2P/MJFKWkrijnNNHrGRp0AMJORh0H5/mnshQ==,iv:7BKnkKj1vwLYCcm1uoHF+Ndunl2enSoXRpReW/uuaAo=,tag:KTzU1MMwXard4+Ar4WrJhA==,type:str]
keybase-verification-key: ENC[AES256_GCM,data:HyNegHeHJCl39MV6RRpz2MmFXGfyp/riNnwWXTXGJye2wULe+y19DGPVdBSm9IaJKwK2CYtGDAQhD9OUw0MheQ252Xe3,iv:Lt/nKV++KjHaXip3zy3bB5oNPzO3Z5mIdZZEtDBKwLY=,tag:OpNhjpsUbBnGSJNYwlqDbQ==,type:str]
rfc2136-key: ENC[AES256_GCM,data:K6CRj09oQA/po/IYfM/LH1y8Hjt/gXewUxfDcEzZVsFCYs4CEpysnhFlu6P9Srwy0lXapZI+4x4kB0mY5TarxZc5OFpx+6Xslw964x10Eot1sTFn8Y7Mrogh8VwHFXdtKuvHKkHcW2nZshBnKv0FPsy6Wvv79NUwEfc=,iv:TJiq+z552fT0vVT1WKJUUwB+oP/sUGIav1ab8G/1ENc=,tag:aqpBcdWh2i551p8aAzsUXA==,type:str]
vouch-proxy:
client:
secret: ENC[AES256_GCM,data:mrmoCG5BLwh6t64GdqQAk8l1FmbFkFjc+8bxWuw3gWsEtSqFhWh8kkqSkEqxNPZe,iv:PM0aypX0v0rGaCMSiCJByjmPeeItnf88Q9JJD2kH+b4=,tag:782GJQGbW1ix/JWkvVYelw==,type:str]
jwt:
secret: ENC[AES256_GCM,data:umnvHy65jaY2zO064MuV2Fdmgkk4L6UO3ZHq031Bc4SssAKyZxD/7WmECU6m6JxHTlZHaUUYWwANvpM8pdeDDjM=,iv:fy8FbeWNsYiCioatBV0iTWsJzu6zU6Y4wluYjO4fRvs=,tag:D9jWFwl0F8e6ou5ZEPfzyA==,type:str]
password: ENC[AES256_GCM,data:oc+KxvGhTRPC7SbTSw0yTXOwyoemgPk0O9a3qK17,iv:vTeP9cRyrQaPSv1SvKhJSjBPrbDP3hd0FNtkfMNhTiY=,tag:RhG+d2iZZKyHs0g35UYd3g==,type:str]
grafana:
database:
password: ENC[AES256_GCM,data:G4pInfXbNdQyXb5KelZUQbuPwmjcYenEajuwUlBkusqkAGN7vImvkTaJtA==,iv:VrAYl2TNMjsGXWj+MHxxqJeK6TO3fmVrvjdTDMpKrUI=,tag:a5oy3rJV7BX3UfsWFaH2lw==,type:str]
password: ENC[AES256_GCM,data:FMuKd7qN3swSgth2bQD8pBB9xz92No/EzxeM,iv:rU1u9IrI3hdX305NlZryr/5dlsSgHEpNFwwEzpmCjII=,tag:IMJ6lSVQVYZUn3b8Ld8F6g==,type:str]
users:
admin:
password: ENC[AES256_GCM,data:+YTRP/+zoCyU6RoRCLpEy1lgOPguBUmw8A==,iv:MBvjmtHZdWvEmUVe5X5UQE/uOwr7sOPlAgpEj9NLV9Y=,tag:i3Y0sSINf8u4v0M7j8NySQ==,type:str]
password: ENC[AES256_GCM,data:OaOZRG+RzyHS74mluFQdQ5sbAz1tLflBpR6NAQ==,iv:yPalKMaZBbmDn8IdazywdTtRuv0Ebn5UL+NaQb+vQx4=,tag:uNxU+mpgrXakZzCT0hNnGw==,type:str]
vouch-proxy:
domains:
foodogsquared.one:
jwt-secret: ENC[AES256_GCM,data:wbl9lLyv2fY5tNNUm6k2RcsOb/2Qklrlq0QyThoiBBXKHQWOVOzGJnWgf/fa+EmpBnGOaN+SW0ZJragNYqFZpw==,iv:7fUWHUF9gnXdBUw32cfXCTMGqv3q2gwA+r/ybi3W5ro=,tag:nROn69VULdWDt6jIa5W2YQ==,type:str]
client-secret: ENC[AES256_GCM,data:9MdP5wSTLI3MiwTkDOytj5jR1iM=,iv:pBwC+KElxqg+9rYfQ9gOHL/hs8dCoWmvnDonC6gOpxQ=,tag:krN4rGgkzfskdEn0v3Q2Zg==,type:str]
lego:
env: ENC[AES256_GCM,data:v2WzqI7gU9A7N0R+/j4O5tbVHqk3Kdfd3JMMUvg9bGFHC7XnqsRIsuDptkuwHuGdeB8n0es0YABfPC28qIMrySZlyK0jXGZPED9zJSSvyGGz5Am5dM8HpG4sa7stGp4KylHlydB9Dj+MWL7iUEurssBszUzws0hgyMivAPV8Ff0g8JE2I8lCg562hn9qEsfe0uvCLKe7D4QYAKxa0+QEE5XhqqcQ,iv:m/c/YUIWUEk7tSx0utixw6c/SolxHnZfSj8U/1NTLhI=,tag:QmAAohBmTQMysDx4kZO1lQ==,type:str]
ssh-key: ENC[AES256_GCM,data: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,iv:XZtcySi+/XwPstuNyGa/nubABg+SE1r6iIfM/4n1+8Q=,tag:19W88F4xAxujD7VYtuVjBg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sj497yr895335rk77qqnrqyx9f7462ma3lz0a0x3w5cnla5uqgpspgggtz
- recipient: age1yftkhugwrdnlpl45lthrhvvk720zza2nd085sxvjcxg2guavz3kquktplx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwMWVHc0J6OUhUSXN1V0hy
YmQxZ0QvVVd4UjJ5bDYyWGN0U1cwM1ZVckZZCmdsK2hjTThPUVRqcjBJR291Rjgv
NkwreGV5UlFQRCsrMCtFdVlBK2R6ZlkKLS0tIDJXOTBzZVdEa3NJU0MvT3RYd3NM
ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBia2xBRHdNTDRwdWQxS1VS
WWlid21PQjhwSG9YN0ducEFSUFdENmFiNmhRCjduZm9wSHZmelNETlRncTB3RlNX
YzNnSWhvVkRIUE1QNmFJQ3hKMUJVOFUKLS0tIE1lbVg0cUNsWVE2NTRxUnVLU3lF
UDZXbzZzTUJKWHFBNGxjcy9UdGxMSzAKtMdXLsuvsmpjoDAK1GZSDHBWTLAl5iJY
NRGL2GSkh72m1tQ5AXma34DR7WBNgwSkedLP6p/TR/J1ABpMJa551Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-07T13:04:41Z"
mac: ENC[AES256_GCM,data:Xr2f4SvYYeofp5OtBwQSkDkhzRsnT8JyPBd64CtVmiY9jxLq9afZqtfYmXifsX4MUxe2ilXOau1Af/zZVi7B3hdF5fE44QLSZL5sOra0NMO5YdHANAAXPBQ/CWhpt53SOOqT/prDR48qSTIk/vzhcOIVfaz9ypfFu3h7PdnWI4w=,iv:oFAHucurSOABGa0LqeuUA1xvgL0uVl4791G+6PN1uaA=,tag:bHlaVuHggjLONVoYWYA8IA==,type:str]
lastmodified: "2024-09-23T11:21:52Z"
mac: ENC[AES256_GCM,data:D8UBtJUtHNUkTm8g/Or6ammv1ertDzgOCIZc4q0+BtACfi+snTKa2o1kaoC+ERVBSKPbeTIpWcoYaC3fk8TuFxEzKXMlK7FLswThoYv8Pphn8Yas4nb6181R0pZkczULn4U3wB40d4g/Q4bhoZwpc3outrULWQy+JDejxXBjyvI=,iv:OrK42DziAuioX6RpCfnrHoUXVSiUelraCuuU/FSl3u4=,tag:zmjhRvsuxizPIBg5KXibqQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.9.0