diff --git a/.sops.yaml b/.sops.yaml index 13faa67..8f66ba8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,7 +6,8 @@ keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - - &elias-e525 100206d53cf92f62efd9d6b2672bf3644233c763 + - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm + - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 @@ -20,6 +21,8 @@ creation_rules: - *steveej-t14 - *sj-vps-htz0 - *srv0-dmz0 + - *elias-e525 + - *justyna-p300 - path_regex: ^secrets/steveej-t14/.+$ key_groups: - pgp: diff --git a/flake.nix b/flake.nix index 2777c01..6e57bee 100644 --- a/flake.nix +++ b/flake.nix @@ -107,8 +107,8 @@ "sj-vps-htz0" "steveej-t14" "srv0-dmz0" - # "elias-e525" - # "justyna-p300" + "elias-e525" + "justyna-p300" ]); # this makes nixos-anywhere work diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 3bf0b63..6ebd687 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix @@ -5,9 +5,7 @@ imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: let - passwords = import ../../variables/passwords.crypt.nix; -in { +}: { config = { pkgs, config, @@ -22,7 +20,9 @@ in { ../profiles/common/user.nix ]; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately # sops.defaultSopsFile = ./mailserver_secrets.yaml; + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.secrets.email_mailStefanjunkerDe = { sopsFile = ./mailserver_secrets.yaml; 
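Review bot: The two new recipients join the creation rule that precedes `path_regex: ^secrets/steveej-t14/.+$`, and that rule's own `path_regex` is above the hunk; if it is the general rule for `secrets/`, every file it matches becomes decryptable by the elias-e525 and justyna-p300 host keys, although `secrets/shared-users.yaml` is the only file either machine consumes in this commit. A rule scoped to that one file keeps the remaining secrets off the two desktops: `- path_regex: ^secrets/shared-users\.yaml$` with its own `key_groups` listing the five age keys and the PGP key. The keys hunk above also replaces the `&elias-e525` PGP fingerprint with an age key; anything still encrypted to the retired fingerprint needs a re-encrypt with a fresh data key, not just `sops updatekeys`.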
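Review bot: `sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]` makes the container decrypt with the host's own SSH host key, which the `bindMounts` hunk further down in mailserver.nix (and the two new webserver.nix hunks, its `sops.age.sshKeyPaths` and its `/etc/ssh/ssh_host_ed25519_key` bind mount) hand into the container read-only; the FIXME/REMINDER names the mount but not the consequence, namely that a compromised container service holds the host's SSH identity and can decrypt every secret encrypted to that host, including the other container's. Decrypting on the host and bind-mounting only the rendered secret paths into the container, or giving each container its own age identity listed in .sops.yaml, keeps the same workflow with a narrower blast radius. Until then I would make the comment say so: `# FIXME: the container shares the host's SSH identity for sops decryption; give it its own age key or decrypt on the host`. The FIXME about `defaultSopsFile` looks unrelated: `sops.defaultSopsFile` is the default for each secret's `sopsFile`, so setting it here should let the per-secret `sopsFile` lines go (worth a quick check that the container module evaluation honours it).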
@@ -44,6 +44,15 @@ in { domain = "mailserver.svc.stefanjunker.de"; }; + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; services.dovecot2 = { enable = true; @@ -55,8 +64,8 @@ in { enablePAM = true; showPAMFailure = true; mailLocation = "maildir:~/.maildir"; - sslServerCert = "/etc/secrets/server.pem"; - sslServerKey = "/etc/secrets/server.key"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; #configFile = "/etc/dovecot/dovecot2_manual.conf"; extraConfig = '' @@ -79,9 +88,6 @@ in { ''; }; - # environment.etc."dovecot/users".text = '' - # steveej:${passwords.email.steveej} - # ''; environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; systemd.services.steveej-getmail-stefanjunker = { @@ -154,14 +160,10 @@ in { inherit autoStart; bindMounts = { + # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; - "/etc/secrets/" = { - hostPath = "/var/lib/container-volumes/mailserver/etc-secrets"; - isReadOnly = false; - }; - "/home" = { hostPath = "/var/lib/container-volumes/mailserver/home"; isReadOnly = false; diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml index b6c0363..fc19f84 100644 --- a/nix/os/containers/mailserver_secrets.yaml +++ b/nix/os/containers/mailserver_secrets.yaml 
@@ -1,6 +1,8 @@ -email_mailStefanjunkerDe: ENC[AES256_GCM,data:DsPwNMahaSKFF8mof2qGxj6cIdYZeL6uRr4=,iv:2lamFXYKrGkHey5QCXBlEODYksDuJDyW3MYpz/7qj7s=,tag:2L34qD0XSbfsl0djvgYJYw==,type:str] +email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str] email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str] email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str] +dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2rwHhuSoirnADu+k6pYrH4UUTB9BQsDpCzuU4vb4Rz2pQuB0PJ9iZ3XI2fTxft+UxZI4wwAkvHXeJWxLnEvySQW3mnk2uJBaeAxhkXZ55SrKA0h1u/luiXlCoLD197yqJsaR7ldlTImfiIwZPoSRJvo33/UsEIfxlmNMrJk6kgWp9Ay1pT+K3ymWTzBaxzMypUM+Wb4BulgR62qCBxoVjXPP4tVsBwRN6LREeKpP6zIZSjNNU5SWkf2GVDuRl6AMfh8UUq5aRQqNrorRm0p9FR5CXvJZH6gOxh1jSaXGFRbyfEwlaBrzU3NYqXA4tVTh6jKeRy6tmkw3KHhV3kOeJhJ5YQy4IM4Tv03zp5M/rCCIDoZLZsmNKYpLHYKfKORBYt/XlOfnXFVW/dp+q7lMiy2vPPNaVzH6aFrlzIEUyQBfawbHPBnIN09rmW9cIzZC5n3owzq8jj8aWDILqgun7RFOnBWBaG2JE9imXoS66cKAvzGf1wpjN2pELQOpSI1dVuENxMC+K8dTu/2RN2Xe0t6x6FlHK7PHB+JNGsGOHjrga+Z2rWTqcOtY30XZpBSqoZ4XxhcFtp+gxwBuW6zjzS4hEBz1/BJTYLD0dolTp3Vzo93bsezAr+iUfNrfzESTfg8fRH89tdPCeSPv4lfi+Bo4un41x6+x14Kf66Sz5AR7dBQzypNC3ChGCKtp29ZBBee+5oQWvrYBVybbOdD+uaS6pRC/Uydubx+cDGyU1vn50Iq4XTkmiy0m8joHa7gwgOggSeDoZK8lSnwCEwssWZaxzWfO8/8gxEDJD74ki+0GzkGCSIW7EIDiEEBSuL971bqgmKOgKmzqeHYxMpO3DbrFSQVIBUzlcPMoL9GuMHnF9UWT8u3Oo4eIh8rgwJQ4tbIdIbOop1LKLSKjtt/ny4+fGjrF1gzYWHu6RDMHkl9h/AplsHH6r8x3L3rM40O8mOG/SVgqA2GTN+0pviLAPzvQ+Xb0xRQH3vfXXMkufpQtb2o0xlh4pgJw+6a4QrjSq6ZJ3saA8TeC3F6BzIEr6nAwljBMSY4v8wBQivquENBCbqo4St5h+eleKpqbpyLJQYgCyvrUST8kNa014eZjNMLnJ1XBmPO9vpUk/2FJkSpaPAPQ7thqhRBEhe+GsnkScqq
rq7gLpNIX4o/HR2b70T/8/4G7uZ3KPScW25TX9D9cI7LFON3Sfprn5LK6hm2nxTmjhaD0rWNnDCkfqDfzRJeQV9kW5Hfn0rBOIsmUoQEcgeCqNKenr/lalRRiifsHDdTUwzSJLgHm09RJI4CVZ+ovPHENRW02VPP9YBupemrZazN3ttj3pin8QRRcOM0w7jeGjfSyih0E4JfiC8NzLWhBpFtBSSxi79QD2vkz17ububf37p5XMg0KfClubQgnNKxlbQ/Me7xxp1X0JlmyxpwIhaaLoz9f+268/9n4RKBGDjAY9D0jZ2zcNm+MpkoG1IIWzPBtBiGTfs+HZPH3GKiEcnkEVcUbDZis9zERamYKDMMPqfAm3KsQLXxUVyuy3cuikGxg7ab+41b1s4MtyoeoUIeRruc60Gg+rSv+d0Jl/YP9Lb5/WBGwNKzm/1R70hJnbTWRt/kKZRKsVY2rcb+FH6vXBjFAHgiszFns5oXS0Q3jhVHH4i3IUn+M6HsbqDIaJ4t4Jvtcx+ESNC2NHKCSxKe4UePng8xJ+91jB04DxdJFlTrZ7RBgjmmiMR8DPF6XiYi+awZtUaTKjZev8SPl4vSobu5aqnct0F5O6aPGB/T8nHlXevdkuQ//7BXc0RwN1ZBZzGqzc8+NzIBa9aB96XnlXPDek1C5Cc9/yVWelM9dWwTzUECBWanTRFt1uz7hpoeemGI0X7IV4DXe26yZot2PlRLFBGL/5lnoSZcjfjym1yyjd5guLdRSHOihPoDDV0JR88BDzDSS/Fx4tRCxKCuaQos+QiMlZ+yJnY9v/K88NtX9X+cRr1ZFS9Li1+uBhbJamWgtWpSJireAGZkLFSEu5GpmfcofuzDsuSYsG6wDLMpJGgRvGJeDuZ4pJTMz1dhjjWUw3blpoJW99zHVDwuSMUNEOFnFgu9BNsoq2caoDcNcm7yA0dsNl1sS3ECsBAg18KsMHA5bL6gXhAkCGOzUVBzW0NRUm8SvHloB73LvfBiFHkpqkqS8KsQZkGts+vBcVAjfDYHYy+TvcaiO0I7xEOUZMdkjuZFOkh2Q0x7pQzCarYs=,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str] +dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,8 +18,8 @@ sops: bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-02T21:16:00Z" - mac: ENC[AES256_GCM,data:bDHu/9Hz2lyzoA92yA4K9/oaO6gxDjog8OSoEduE4Q8KE6VObzkHHvMwsPR46LE74dtRy9LNEXcMTWQzJBYoaKGi+wz0IJ/wy8Japrbu0Kiwx3dIeY0mg/OvBGlsAybvbDpfSjCsxVpgg7g1jQNntejljv1WHp4zD0hKn9hdYm0=,iv:MUaGwoPaHEZQgoTHXxkhMHdTGaIgk0UYx9qwfpt4Uds=,tag:qLa2QBTFbs/BdOH8TJWVxw==,type:str] + lastmodified: "2023-07-09T17:29:20Z" + mac: ENC[AES256_GCM,data:EUW7B78IB2vRGOwPM4bRoz7kYO9xHGMepF0aCOUVBFL0JCmzZyP9/bWWHYVR2SrQ29P8YgvpF32gWPEdidPReW59QRU1IXpMxnZ20Xoa+8y8H2Pj5w9cs+km6jXtphTcxDdZhQVJfXVyQH6qNb9Ypc9myhVypA2Dp/GLQ8SokoY=,iv:PDhP1TGvSS73RhkjsM2Zc0cGT8o06QVsxwO6tPKFzuQ=,tag:cy6fi3BHIN0c/c2sLVVmhg==,type:str] pgp: - created_at: "2023-07-02T20:30:30Z" enc: |- diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 80a714d..0ae87c4 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix @@ -1,12 +1,11 @@ { + repoFlake, hostAddress, localAddress, httpPort ? 80, httpsPort ? 443, autoStart ? false, -}: let - passwords = import ../../variables/passwords.crypt.nix; -in { +}: { config = { config, pkgs, @@ -15,7 +14,11 @@ in { }: { system.stateVersion = "22.05"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ + ../profiles/containers/configuration.nix + + repoFlake.inputs.sops-nix.nixosModules.sops + ]; networking.firewall.enable = false; @@ -33,6 +36,12 @@ in { # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; + }; + services.nginx.enable = true; services.nginx.recommendedProxySettings = true; services.nginx.virtualHosts."www.stefanjunker.de" = { 
@@ -81,21 +90,26 @@ in { defaultPermission = "private"; allowEmailRegister = false; - # oauth2 provider config - inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox; + # these are set via the `environmentFile` + dropbox = { + appKey = "$DROPBOX_APPKEY"; + clientID = "$DROPBOX_CLIENTID"; + clientSecret = "$DROPBOX_CLIENTSECRET"; + }; uploadsPath = "/var/lib/hedgedoc/uploads"; }; + + environmentFile = config.sops.secrets.hedgedoc_environment_file.path; }; }; inherit autoStart; bindMounts = { - "/etc/secrets/" = { - hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; - isReadOnly = true; - }; + # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host + "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; + "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; "/var/www" = { hostPath = "/var/lib/container-volumes/webserver/var-www"; diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml new file mode 100644 index 0000000..9f8e118 --- /dev/null +++ b/nix/os/containers/webserver_secrets.yaml 
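Review bot: The dropbox `appKey`, `clientID` and `clientSecret` are literal `$DROPBOX_*` placeholders expanded from `environmentFile`, which is the module's documented way of keeping them out of the store, but as far as I recall the hedgedoc module renders the substituted settings into a config file under its work directory at start, so the expanded secrets end up in a second file whose permissions the module, not sops, controls — worth confirming on the host. The `environmentFile` comment could also state the contract with the sops file so the two stay in sync: `# expanded by the hedgedoc module from hedgedoc_environment_file, which must define DROPBOX_APPKEY, DROPBOX_CLIENTID and DROPBOX_CLIENTSECRET`. The new `/etc/ssh/ssh_host_ed25519_key` bind mount below hands the host's SSH identity to the webserver container, the same trade-off the mailserver container already makes with its own bind mount and `sops.age.sshKeyPaths`.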
@@ -0,0 +1,36 @@ +hedgedoc_environment_file: ENC[AES256_GCM,data:yPR7lnSssSTc3lvN4fSI5UXIfZHL8bMS0lcHC61aBz2ozjkSOTVUgYOD5XJbijfMCW9UWKLvItboo/nd8iLb3S+/DX4XZfAq8Bt+ootKsneIj9rJgw7bH3HYQnzmtWoFjoXSmLM=,iv:CVbXTlAafaXpo5G6F5CtJiq2LDa/48972kRnGOmhDJI=,tag:FaoL/8SdspZWXbATXPOazg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh + U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh + YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP + eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc + KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-09T17:55:21Z" + mac: ENC[AES256_GCM,data:RIJuExrlGxcMMY2oofqyC9tZxqi/Tnt548cfrVe6UZ7HthlkaU/XkzGH/tw7kk28iiV5fbDRycg3xuOsh30BuHwVzguEdOH5RU8GivAOxRbEr1vxdCUs6x5Zs7PcQktRXXIv6rjJ70uVIO34f15oVE8Ag5nlUHc3lZLabCWs7Ag=,iv:lVD903ph9Mx/wbwsPIcqJi9yfgmX97XNgGB7F6N7xOE=,tag:IhdYpIgV4UzVRtwUs4wf+Q==,type:str] + pgp: + - created_at: "2023-07-09T17:51:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD + gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO + 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ + XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w + YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku + bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI + F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i + g+ZF+9NNqOTKsBzEnuGsZRnI + =iXfo + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix index 7896d56..c169019 100644 --- a/nix/os/devices/elias-e525/default.nix +++ b/nix/os/devices/elias-e525/default.nix @@ -1,11 +1,13 @@ -{repoFlake, ...}: let - nodeName = "elias-e525"; +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: let system = "x86_64-linux"; - - nodeFlake = repoFlake.inputs.get-flake ./.; in { meta.nodeSpecialArgs.${nodeName} = { - inherit nodeName nodeFlake; + inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; @@ -13,17 +15,15 @@ in { inherit system; }; - # TODO: build a module with "meta" and "freeformtype" for all the others - ${nodeName} = { - deployment.targetHost = nodeName; + deployment.targetHost = "192.168.15.198"; deployment.replaceUnknownProfiles = false; # deployment.allowLocalDeployment = true; imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix ]; }; } diff --git a/nix/os/devices/elias-e525/flake.lock b/nix/os/devices/elias-e525/flake.lock index fc1b46a..dc66cc4 100644 --- a/nix/os/devices/elias-e525/flake.lock +++ b/nix/os/devices/elias-e525/flake.lock 
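Review bot: `deployment.targetHost = "192.168.15.198";` hard-codes an address where justyna-p300/default.nix keeps `deployment.targetHost = nodeName;`, and nothing says why; a one-liner would save the next reader guessing, e.g. `# TODO: deploy by address until ${nodeName} resolves on the LAN` (adjusted to the real reason). With a bare address the SSH host-key pin in known_hosts is keyed by IP, so a DHCP reassignment either trips the host-key check or, if the address is reused, reaches the wrong machine — a static lease or a hostname is the safer target. The empty line left inside `imports = [` before `./configuration.nix` looks like a leftover of the two removed entries; the `${nodeName}` attribute set itself opens above the hunk.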
@@ -4,36 +4,35 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "utils": "utils" + ] }, "locked": { - "lastModified": 1681092193, - "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "nix-community", "repo": "home-manager", - "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-22.11", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1681696129, - "narHash": "sha256-Ba2y1lmsWmmAOAoTD5G9UnTS/UqV0ZFyzysgdfu7qag=", + "lastModified": 1688868408, + "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", "owner": "nixos", "repo": "nixpkgs", - "rev": "de66115c552acc4e0c0f92c5a5efb32e37dfa216", + "rev": "510d721ce097150ae3b80f84b04b13b039186571", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } @@ -43,21 +42,6 @@ "home-manager": "home-manager", "nixpkgs": "nixpkgs" } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix index 7e29283..81d8a95 100644 --- a/nix/os/devices/elias-e525/flake.nix +++ b/nix/os/devices/elias-e525/flake.nix 
@@ -1,8 +1,8 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-22.11"; + url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix index 851f526..e119032 100644 --- a/nix/os/devices/elias-e525/pkg.nix +++ b/nix/os/devices/elias-e525/pkg.nix @@ -17,15 +17,9 @@ home.keyboard = keyboard; home.packages = with pkgs; [ - rhythmbox - lollypop dia rustdesk - - kotatogram-desktop - jitsi-meet-electron - signal-desktop ]; }; in { diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index c2087da..6763062 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -43,4 +43,6 @@ in { services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index 564151e..196c96a 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix 
@@ -4,19 +4,30 @@ lib, ... }: let - passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; in { + sops.secrets.sharedUsers-elias = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + + sops.secrets.sharedUsers-justyna = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + users.extraUsers.elias = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPassword = passwords.users.elias; + passwordFile = config.sops.secrets.sharedUsers-elias.path; }; users.extraUsers.justyna = mkUser { uid = 1002; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPassword = passwords.users.justyna; + passwordFile = config.sops.secrets.sharedUsers-justyna.path; }; } diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix index 639a8cc..907e60b 100644 --- a/nix/os/devices/justyna-p300/default.nix +++ b/nix/os/devices/justyna-p300/default.nix @@ -1,12 +1,13 @@ -{repoFlake, ...}: let - nodeName = "justyna-p300"; - # system = "i686-linux"; +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: let system = "x86_64-linux"; - - nodeFlake = repoFlake.inputs.get-flake ./.; in { meta.nodeSpecialArgs.${nodeName} = { - inherit nodeName nodeFlake; + inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; 
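Review bot: `config.sops.secrets.sharedUsers-elias.path` and its justyna counterpart need `config` bound in the module arguments, but the argument set opens above the hunk (only `lib, ...` is visible), so check it is there — the old `passwords` lookup did not need it. `passwordFile` expects a crypt hash exactly as `hashedPassword` did, so the contract with secrets/shared-users.yaml deserves a line on each secret declaration: `# must be a password hash (crypt(3) format); consumed by users.extraUsers.<name>.passwordFile`, and `neededForUsers = true` is the right setting since the file is read while users are created. The whole block is duplicated verbatim in justyna-p300/user.nix; moving it into a shared module under nix/os/profiles would keep the two hosts from drifting.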
@@ -14,17 +15,15 @@ in { inherit system; }; - # TODO: build a module with "meta" and "freeformtype" for all the others - ${nodeName} = { deployment.targetHost = nodeName; deployment.replaceUnknownProfiles = false; # deployment.allowLocalDeployment = true; imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix ]; }; } diff --git a/nix/os/devices/justyna-p300/flake.lock b/nix/os/devices/justyna-p300/flake.lock index 3a1d8b0..87729c0 100644 --- a/nix/os/devices/justyna-p300/flake.lock +++ b/nix/os/devices/justyna-p300/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1682299489, - "narHash": "sha256-bqHo0/82KB+IyBMyjBd6QdyZWJl/YZeGggjBsAgRFlY=", + "lastModified": 1688544596, + "narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=", "owner": "nix-community", "repo": "disko", - "rev": "8ab9e5609929379ab15f03fd3bdc1f85419e5a3a", + "rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692", "type": "github" }, "original": { 
@@ -24,36 +24,35 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "utils": "utils" + ] }, "locked": { - "lastModified": 1681092193, - "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "nix-community", "repo": "home-manager", - "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-22.11", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1682303062, - "narHash": "sha256-x+KAADp27lbxeoPXLUMxKcRsUUHDlg+qVjt5PjgBw9A=", + "lastModified": 1688939073, + "narHash": "sha256-jYhYjeK5s6k8QS3i+ovq9VZqBJaWbxm7awTKNhHL9d0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f5364316e314436f6b9c8fd50592b18920ab18f9", + "rev": "8df7a67abaf8aefc8a2839e0b48f92fdcf69a38b", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } @@ -64,21 +63,6 @@ "home-manager": "home-manager", "nixpkgs": "nixpkgs" } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/nix/os/devices/justyna-p300/flake.nix b/nix/os/devices/justyna-p300/flake.nix index a64a7ba..3e68abe 100644 --- a/nix/os/devices/justyna-p300/flake.nix +++ b/nix/os/devices/justyna-p300/flake.nix 
@@ -1,8 +1,8 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-22.11"; + url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix index 3e86629..d8f2d52 100644 --- a/nix/os/devices/justyna-p300/pkg.nix +++ b/nix/os/devices/justyna-p300/pkg.nix @@ -18,15 +18,9 @@ home.keyboard = keyboard; home.packages = with pkgs; [ - rhythmbox - lollypop dia rustdesk - - kotatogram-desktop - jitsi-meet-electron - signal-desktop ]; }; in { @@ -55,11 +49,15 @@ in { variant = ""; }; - home-manager.users.justyna = homeEnv { - layout = "de"; - options = []; - variant = ""; - }; + home-manager.users.justyna = + lib.attrsets.recursiveUpdate (homeEnv { + layout = "de"; + options = []; + variant = ""; + }) { + services.syncthing.enable = true; + services.syncthing.tray = true; + }; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/justyna-p300/system.nix b/nix/os/devices/justyna-p300/system.nix index 8b27cb7..e5b3100 100644 --- a/nix/os/devices/justyna-p300/system.nix +++ b/nix/os/devices/justyna-p300/system.nix @@ -41,4 +41,6 @@ in { services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index 9e8226e..6d86c59 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix 
@@ -3,19 +3,30 @@ pkgs, ... }: let - passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; in { + sops.secrets.sharedUsers-elias = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + + sops.secrets.sharedUsers-justyna = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; + users.extraUsers.elias = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPassword = passwords.users.elias; + passwordFile = config.sops.secrets.sharedUsers-elias.path; }; users.extraUsers.justyna = mkUser { uid = 1002; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPassword = passwords.users.justyna; + passwordFile = config.sops.secrets.sharedUsers-justyna.path; }; } diff --git a/nix/os/devices/sj-vps-htz0/flake.lock b/nix/os/devices/sj-vps-htz0/flake.lock index 422bef4..7bca561 100644 --- a/nix/os/devices/sj-vps-htz0/flake.lock +++ b/nix/os/devices/sj-vps-htz0/flake.lock @@ -23,11 +23,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1688109178, - "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=", + "lastModified": 1688868408, + "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422", + "rev": "510d721ce097150ae3b80f84b04b13b039186571", "type": "github" }, "original": { 
@@ -39,11 +39,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1688246754, - "narHash": "sha256-OuUvCCMrJgN9K/L1j2ADMxu/nuJhplFjIZFFtelnymc=", + "lastModified": 1688925019, + "narHash": "sha256-281HjmJycKt8rZ0/vpYTtJuZrQl6mpGNlUFf8cebmeA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b9b176f8b8155c122e01a336b439ce57b2485b40", + "rev": "2b356dae6208d422236c4cdc48f3bed749f9daea", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1688180391, - "narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=", + "lastModified": 1688891216, + "narHash": "sha256-ZUQs8C5N6aw/QeBhUFGcX89OoYoP9jbdmbR6aSbvaHg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd", + "rev": "e4a12fdac2a313b18e7f66a097108412b07c5f00", "type": "github" }, "original": { diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index 0efc091..8a38227 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -73,6 +73,8 @@ webserver = import ../../containers/webserver.nix { + inherit repoFlake; + autoStart = true; hostAddress = "192.168.100.12"; diff --git a/nix/os/devices/steveej-t14/flake.lock b/nix/os/devices/steveej-t14/flake.lock index 5c8b195..ec2c263 100644 --- a/nix/os/devices/steveej-t14/flake.lock +++ b/nix/os/devices/steveej-t14/flake.lock @@ -39,11 +39,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1688594934, - "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", + "lastModified": 1688868408, + "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e11142026e2cef35ea52c9205703823df225c947", + "rev": "510d721ce097150ae3b80f84b04b13b039186571", "type": "github" }, "original": { 
@@ -55,11 +55,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1688722718, - "narHash": "sha256-Uralooke0g1EgrNDjboSiqc0BHOCgiugL43JAA1ncDA=", + "lastModified": 1688969282, + "narHash": "sha256-Ti0dejGXXvhEDATY5nJB0GdKM6AdVwJNTp6LWx8pHyw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5cbff28ae66e5a98386bcbea29f5a7252c33c808", + "rev": "9d6e454b857fb472fa35fc8b098fa5ac307a0d7d", "type": "github" }, "original": { @@ -71,11 +71,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1688590700, - "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=", + "lastModified": 1688918189, + "narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b", + "rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484", "type": "github" }, "original": { @@ -87,11 +87,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1688640665, - "narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=", + "lastModified": 1688951312, + "narHash": "sha256-0oG4uv60m5+oOMqgYYQ3ao3OK3YP3n3t7nWFtuyR/uQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "88faf206ce0d5cfda760539a367daf6cde5b3712", + "rev": "2a5f6cac357616d2596167d0631b4ca729e9a3ea", "type": "github" }, "original": { diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 7762fab..06cc7d1 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix +++ b/nix/os/devices/steveej-utilitepro/configuration.nix 
@@ -269,6 +269,7 @@ in { users.mutableUsers = false; users.extraUsers.root = { + # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.root; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop" @@ -279,6 +280,7 @@ in { isNormalUser = true; home = "/home/steveej"; extraGroups = ["wheel" "libvirtd"]; + # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.steveej; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop" diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index c694a35..7ac124c 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix @@ -4,7 +4,6 @@ ... }: let cfg = config.services.ddclientovh; - # passwords = import ../../variables/passwords.crypt.nix; in { options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; @@ -19,8 +18,6 @@ in { ssl = true; domains = [cfg.domain]; use = "web"; - # inherit (passwords.dyndns.${cfg.domain}) username; - # passwordFile = config.sops.secrets."dyndns_${cfg.domain}".path; }; }; } 
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index 9d7b45b..bed6c26 100644 Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index bbd501f..f64bef7 100644 --- a/secrets/shared-users.yaml +++ b/secrets/shared-users.yaml 
@@ -16,46 +16,64 @@ sops: - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUGxsbitMNnlTZlRZQVJl - RVc3TUtHaWpQdk5RVFkvS0MxSkVxWHQ1MFZvCmw0M2M4VGRxb21nVzkrNWIzK3Aw - dVB6bWEvQ0dtbjZobTVCeE9DUEpGV2sKLS0tIGhya2RMM2w5VHlHNUdGK1FNZit3 - OWUyYnZhSEhtMzhTenZMRU1yRis0WkkK/iDe1XgGJumprZU23G/Imhbqpp5ehfMe - I+XlSGn0/ry1SpEV0bQi7ZMzFxEfhX0avLsmxTeoxQJuN2m7ZOQCdQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RUdSYmxFdXI2R25OZ0ov + TlEwOStVeUxkbE1sbTJWZG5VZFRPNkNOeWlnCm0xMWFCdm4zMjVlcjB1ZXFZVVho + TCtVYW84WGh2ZmdsWHBlUFJVcm8vZFkKLS0tIGFYaWptakozYVVvQ0ZmbUFjMFR3 + b0VBVTV3R2tlckJLQzlvWFVKK1h6aGsKCekGZ/RZ7nNa5yXHfgXGpSrh3J3C95mh + 7YFgjgd9ey3BGNoMNxm5E++JzxBN0d2tY7sW/G6ub+kOJIt0rAEAkg== -----END AGE ENCRYPTED FILE----- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OVJ5d1p1RURkTjdzaWpv - OXViZkhzZEZwYzNIZHdpeUVNWlM5SWJGYkFjCnRrQWV6UUM0akIzaFVxY1dzaUNa - OVFRczZaUjRXSGphcTJ5TGtZOHlSeHcKLS0tIG5QTWMyTzFlZkdIdnVGT2lpTXR4 - TXJybjNjdmwxRVMxdERIS25wRTRCV0UKy/N8YBkxD3f5qTBOPj/iysFr/Ona1p9H - JYhjZCojB4Ua1b2Tv4Gz2Fvi9B2fOWBy0/LSPA6CRchG3IWgKm/B6g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYy9FL3pnNmdUa0VEdlV4 + aFVNTkhGWTZJcUo0YTlORmdINGkxMTlVdHkwClVyakJoZTdxVlF6UTVBbm45d1Bo + RUl2S3BaU0NYYmtsSGhHWGxrWjVuemcKLS0tIHlqbXhXN0RUbm9sL09mbjhaSnBP + V0hQTUJuUnlOQ1hycDJ4RlY1aCtjOFEKuDt6KRxX7+yYIHxtD0prLdxJSlHwQtxH + 8U/Q8hoE+L3lBFSE3+syMt1/pu5vHrreIOVTXAxSENsDxcE6noxQvA== -----END AGE ENCRYPTED FILE----- - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNVJBRlptQ2hWVy9MRGhj - MVduVkl3YXZEVlMzNksybkZjR1Z6VnQ1MGdRCjRTWjY3RTlpY096c3UrMHlaUms0 - MDc3V0dTUnpWTjcxcGZNSmVkUElLMjgKLS0tIGFkMzZ1eVh1a1ZzckxseFh5T1VK - 
eDZSbXdzSmJ3dkJHSkU2R3JTRjlxNDAK1k/SYCf1nWEHKRzlJbvx1U5NKYSEzi0/ - wE4SdLjMi4io2ThNif4gqVRCiRQupiILx4VnlM4lN6Fk924zATUUYA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK080NlJKYkZyREFpc1JM + ZWxlV2Z5YjZRSnBFMy9CbUs2aHJkcjNVR2dJCjN5SXQzbWtiZlZBK0g0Y1ZPcHJK + cXRCTStRSG1lamUvOFBxSFViWmFVeW8KLS0tIDFUNlRkS2RLMGdULzhzdSt5Uk02 + TjZZN1lFZ3g3YzVxQUlyQ1Y5S1NWeFEKGjqEPuxaUR/WQc+4OhUzLgtSCatVmtx+ + q4Y/wC1eqUKJHzqIMa3qeWXwrGbf6ScL3s0bNc9sxvPmWQ3NLvjUfg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Uk9zWHJCY2dnamN1S1hU + ZWhoTkptaVArOGlHZ01Nd0ZkaGpFQ2dUU0hzCnR3WGtCVkJtSzlncVVhVU11K2d1 + SVpHa1RXN1dWMDE4cExiV2ordkhTSTAKLS0tIFBkV3oyS2VVVU92b0hnRG1nQytW + QU5IR2FaVGswZkhIOWhzWGh4YmUyMk0KVJEFNmm57SSUreilhuzLofZIlnILnO7F + rWASlGDi4YSGquM3lEfdn5rwqqJ3d77hSeRQEnaGhnClDYSH3nzjZQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldnVDczdmVUd3OS9jTnpB + dDkrQS9JcUY5b3YxY0lzVFEyUTlPNk5rM1VVCk9qMzJHWitrY0pjU0NCMWI0ODhG + S29DL0tPNWtkTStPTWRZdzlQWFJsTWcKLS0tIDdWZ1lVejcyVW5mcTgyR3ZMWlJq + RTdBNkRINWN3MTZOSXdPMXovNDNSQUEKJZhJFN6zmdCtzoCdKiKfYQf4vU8AXRvz + wHnPO2H8SAMK8XqjdXvIrRK6iXQIjonHO2ilTDxAGNPAFN5BpbGrWQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-06T20:14:22Z" mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] pgp: - - created_at: "2023-07-06T18:55:17Z" + - created_at: "2023-07-10T08:17:16Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAo5WdFio56L/EtWKV590N9QQ9Gjm9IWm0G+H6YHTNlpfO - 
erhl1AZds+MNrInw0uSW7Mx/wZ4awv8+JVkMN43qupmDIcgHmWmVoqB2SaUA60qd - gkFYP2fWlmgzihl/DnWUn1M4WrD8sGJIwkulg8FX9h40f7mEhb0MsftsUuhmxOBp - GTJDtT/A7wHMRY71mEzIyem8XOA7nAIO7r802Tyni6H7zP1qG00vF/sastbbzB26 - +7MTpSZz8AuNPG/P7rue7J2BL0S8ldwcPsGX9XGt2qFbeNbsOUfJn12miPSEZHWU - jIYC1rWLVJ110O0ZDDMJXyfBW5XrFAkA6XkCzzPgodJRAYKzTD+bMg44vuwTCRmG - wcdv71+hBJeXtF1g8/YueaTWpPJ5j8m6Ntp1d5pYPetlRmhwLzfSoY1BUXA6YkGb - Qeqr3q7oGL91sjasjZQorc3h - =6rU4 + wcBMA0SHG/zF3227AQf8DDe0qysI5DL1xc6IbIQ+a2oKtiNyL0P4pwrdfsCcudMm + dfhnap8JHPfVssucbA7Gicpg8iZxy9+M1o5E4es1EUBWun+tf+9utHmRKLkAJb98 + OPm+vvp/fzRU0bAtvwchskCc4REWbsq82UQdQl8uPhGoCweyWDusmAmXjjECBWmP + sW1pSb0tGvtHM7m0cpLYepWHUZ/VOcNBeuv3fGDuI3M0fv+lCTgYQJOtIrJv+xFf + q9dB1HGJaePsKLxmQTJW1gFdoWkc3ndfBwytY00iho1xPbrKAPSZojE0Wj227DPx + YynEy8ruLWIVcFZsjfEm961kRiwb8MwK1xB7ov/d79JRAXrovFTT3EfFZ+2pY2FW + w8TKQjGol/+vJ2mzlQV0LFtAxjUvgNgoAC/cJgl5c+N4qXz4ChgiT38yZ7JW2e2c + OUwOtIhmRp4PNBU+402xfgYI + =X23Q -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B unencrypted_suffix: _unencrypted
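Review bot: Only the age recipient stanzas and the PGP wrap change here while `lastmodified` and `mac` keep their 2023-07-06 values, so this looks like `sops updatekeys`: the existing data key was re-wrapped for the two new recipients, not rotated. That is adequate for adding hosts, but the .sops.yaml hunk at the top also retires the PGP fingerprint previously anchored as `&elias-e525`; if that key was ever a recipient of this or any other secrets file, the data key should be rotated (`sops -r`) so the retired key cannot open the current contents. Nothing on the page shows whether it was, so I would record that decision in the commit message.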