From 0903e94482459b9b84342b140cef065c76ff0851 Mon Sep 17 00:00:00 2001
From: Adrian Gunnar Lauterer
Date: Sun, 10 Dec 2023 01:20:18 +0100
Subject: [PATCH] moved nginx secret to sops and basicAuthFile

---
 machines/feanor/README.md | 5 -----
 machines/feanor/configuration.nix | 0
 profiles/sops.nix | 9 +++++----
 secrets/secrets.yaml | 8 +++++---
 secrets/secrets.yaml.dec | 0
 services/nginx.nix | 16 +++------------
 services/podman.nix | 12 ++++++++++++
 7 files changed, 25 insertions(+), 25 deletions(-)
 delete mode 100644 machines/feanor/README.md
 delete mode 100644 machines/feanor/configuration.nix
 delete mode 100644 secrets/secrets.yaml.dec
 create mode 100644 services/podman.nix

diff --git a/machines/feanor/README.md b/machines/feanor/README.md
deleted file mode 100644
index 61d41e1..0000000
--- a/machines/feanor/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-gitserver with gitea
-webserver with homepage
-
-webserver implementation is in works
-thinking of doing something like
diff --git a/machines/feanor/configuration.nix b/machines/feanor/configuration.nix
deleted file mode 100644
index e69de29..0000000
diff --git a/profiles/sops.nix b/profiles/sops.nix
index 0ddbf93..65f4381 100644
--- a/profiles/sops.nix
+++ b/profiles/sops.nix
@@ -14,10 +14,10 @@
 sops.validateSopsFiles = false;
 # This will automatically import SSH keys as age keys
 sops.age.sshKeyPaths = [
- "/etc/ssh/nixos"
- #"/$HOME/.ssh/nixos"
- #"/home/gunalx/.ssh/nixos"
- ];
+ "/etc/ssh/nixos"
+ #"/$HOME/.ssh/nixos"
+ #"/home/gunalx/.ssh/nixos"
+ ];
 # This is using an age key that is expected to already be in the filesystem
 sops.age.keyFile = "/var/lib/sops-nix/key.txt";
 # This will generate a new key if the key specified above does not exist
@@ -26,5 +26,6 @@
 # This is the actual specification of the secrets.
 #sops.secrets."myservice/my_subdir/my_secret" = {};
 sops.secrets."acme/certs" = { };
+ sops.secrets."nginx/defaultpass" = { };
 }
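Review bot: `sops.secrets."nginx/defaultpass" = { };` in the second hunk leaves the decrypted file with sops-nix's defaults (owner root, mode 0400), yet the same commit points nginx's `basicAuthFile` at its `.path`, and the NixOS nginx service runs its processes as the `nginx` user, so the credential file is likely unreadable and every protected vhost would fail with a 500 or reject all logins. Give the secret an owner the service can read it as, e.g. `sops.secrets."nginx/defaultpass" = { owner = config.services.nginx.user; };` (or `owner = "nginx";` if `config` is not among this module's arguments — the module header is outside the hunk). Keeping the default 0400 mode together with that owner is the right shape: only nginx and root can read the htpasswd data. The first hunk is a whitespace-only reindent and needs no review.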
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 8dbccba..4c11cd0 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -2,6 +2,8 @@
 #ENC[AES256_GCM,data:whBqc+AeZpCDo/caKJQm3Wan3RiAvQwQ0v4fgmdZhMTu+5QeTTqb1L1M6ZUnNnQS1tc9wjaWfXby/2T0zLDM+Yl3yuHSfK1rkBbC4GwL83tSM4lbDE7+spSKxb2VrOZqozKpL6zQnWJB0COJfC5KqlHJCiM=,iv:M1KPhEQS/l4OFwAClqr7L2Jf73/tkpBBmXEPjGI7faU=,tag:A5x4nCDbnOLplGh7xqdN2Q==,type:comment]
 acme:
 certs: ENC[AES256_GCM,data:glU5Kl4wiChxuQJq2ppCP4sJlutJkK1RgV0FloMNe/W8rV/mHcg8FcffotNYVZw87mqWz3N4jMgMVwnmXU0uObhV+W6L0mMb9U7akhXIuJQfiwaTeHZV48DPzDBzIDHUrsPZfxm6vfBlJltk9dH/43lytyMJqSeV3nWW4rA=,iv:Nz2pDdPdVbZK6BuYJrPcZ/LnnruvuMlhMJeowUPADj0=,tag:YNtlgq04iJxnZL76ESsQaQ==,type:str]
+nginx:
+ defaultpass: ENC[AES256_GCM,data:z1z1u7ujZzOdESyWbpQMNnxO2dgadgwt3dg+xNB5tTnWQpHqCb0y/fJs1TUAbp9oCKYeR/QUVuL34WUeuRQkW0jL6EvPYgE=,iv:O8Mc23CWZwkgjPOwj8YfQqbs1gujnd/ekkDmal2iGNw=,tag:UX2CNlxHDwKsSPbwa0HePQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -17,8 +19,8 @@ sops:
 Vmg2SkZBdjFYM1MzdVhmRVVNYjg3MlkKPbXkDdChq+GqqZuwQ2rj5LIP1gA44Qxn
 gI66sDKkBwkAx7EkvUejGXK4pqPPvRwDUZFoSowIOSGaxF7CKdayBA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-09-24T01:30:23Z"
- mac: ENC[AES256_GCM,data:4ji9jVU4oILYTr3Hfd3Ic1XsxFrOnKTyTY88p9WCO8SaWDqzu2e/W3O8tiMgeZChTLLi0pK6t2hUgLI9XAQFQswMi56Ues1XdR+a8SsQmsMb0oGDzd6/Nhe39G0Q9raAy0XC+j9lBapOgKPKLGlDXRlllA050nFkTWEhKCQJmg8=,iv:FPYTaoDZjsbu6Oc0qu35jHq/AUhbfbnirutmcKDuUG8=,tag:JeQB+Fs2WOdlV7XoBFi3ag==,type:str]
+ lastmodified: "2023-12-10T00:13:23Z"
+ mac: ENC[AES256_GCM,data:hr9fOX7cVLYHOqBppCWf2+YqJt7UMdGNRfAhlNSH4ZWCEwzQhrZcbZ8C/Ge4zkfQS6nQNYZIMulxv4oZjZdeX7B0Km92CRxmZ9nmk3TFtykivTmJgkHqMsWIS+aqtgBilrP2EstUoiQfEvDECwIKyCUu29C7iRxdpt5lEIDUT1M=,iv:cES0q8aRkt0OkkJj12ko7liqxYBaxXAQMtfPpxTQliU=,tag:7KyV+WmjUjTu6ari5Yza4A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.8.0
+ version: 3.8.1
diff --git a/secrets/secrets.yaml.dec b/secrets/secrets.yaml.dec
deleted file mode 100644
index e69de29..0000000
diff --git a/services/nginx.nix b/services/nginx.nix
index 543f207..318be26 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -1,8 +1,4 @@
 { config, pkgs, lib, ... }:
-let
- basicAuthUser = "guest";
- basicAuthPass = "";
-in
 {
 #acme and certs helpful blog https://carjorvaz.com/posts/
@@ -47,9 +43,7 @@ in
 proxyWebsockets = true;
 proxyPass = "http://100.104.182.48";
 };
- basicAuth = {
- guest = basicAuthPass;
- };
+ basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
 };
 virtualHosts.${"funn-nas.lauterer.it"} = {
@@ -59,9 +53,7 @@ in
 proxyWebsockets = true;
 proxyPass = "https://100.104.182.48:30044";
 };
- basicAuth = {
- guest = basicAuthPass;
- };
+ basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
 };
 # virtualHosts.${"vpn."+config.networking.domain} = {
@@ -90,9 +82,7 @@ in
 # locations."/" = {
 # proxyPass = "http://jellyfin.galadriel";
 # proxyWebsockets = true;
- # basicAuth = {
- # guest = basicAuthPass;
- # };
+ # basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
 # };
 # };
 };
diff --git a/services/podman.nix b/services/podman.nix
new file mode 100644
index 0000000..f47552b
--- /dev/null
+++ b/services/podman.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+ # Arion works with Docker, but for NixOS-based containers, you need Podman
+ # since NixOS 21.05.
+ virtualisation.docker.enable = false;
+ virtualisation.podman.enable = true;
+ virtualisation.podman.dockerSocket.enable = true;
+ virtualisation.podman.defaultNetwork.dnsname.enable = true;
+
+ # Use your username instead of `myuser`
+ users.extraUsers.gunalx.extraGroups = ["podman"];
+}
\ No newline at end of file
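Review bot: `basicAuthFile = config.sops.secrets."nginx/defaultpass".path;` in the second hunk hands the decrypted file straight to nginx's `auth_basic_user_file`, which expects htpasswd lines (`user:hash`), whereas the removed `basicAuth = { guest = basicAuthPass; }` took a bare password and let the NixOS module generate the hash; the name `defaultpass` suggests the secret may still hold a bare password, which nginx would reject for every login. I cannot see the decrypted value, so if it already contains `guest:<htpasswd hash>` this is only a naming issue, but a one-line comment at this first use would stop the next edit from storing a plain password: `# htpasswd format (user:hash), not a bare password`. The same line is repeated in the hunks at -59 and -90 (the latter commented out); one comment at the first use is enough. The enclosing `virtualHosts` attribute sets begin and end outside the hunk.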
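Review bot: The comment `# Use your username instead of \`myuser\`` above the last assignment in services/podman.nix is leftover template text that no longer matches the code — the user is already `gunalx` — and should be dropped or replaced with a sentence stating why that user needs the group. Worth being explicit about, because with `virtualisation.podman.dockerSocket.enable = true` membership in `podman` grants access to the root-owned socket, which is equivalent to root on the host, so the group membership should be a deliberate choice rather than copied from the Arion example. Separately, I believe `virtualisation.podman.defaultNetwork.dnsname.enable` was renamed to `virtualisation.podman.defaultNetwork.settings.dns_enabled` in NixOS 23.05, so on a recent channel the old name works only through a rename alias, if at all; verify it against the nixpkgs revision this configuration pins. The file also lacks a trailing newline.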