moved nginx secret to sops and basicAuthFile
This commit is contained in:
parent
564e04229b
commit
0903e94482
|
@ -1,5 +0,0 @@
|
||||||
gitserver with gitea
|
|
||||||
webserver with homepage
|
|
||||||
|
|
||||||
webserver implementation is in works
|
|
||||||
thinking of doing something like
|
|
|
@ -26,5 +26,6 @@
|
||||||
# This is the actual specification of the secrets.
|
# This is the actual specification of the secrets.
|
||||||
#sops.secrets."myservice/my_subdir/my_secret" = {};
|
#sops.secrets."myservice/my_subdir/my_secret" = {};
|
||||||
sops.secrets."acme/certs" = { };
|
sops.secrets."acme/certs" = { };
|
||||||
|
sops.secrets."nginx/defaultpass" = { };
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,6 +2,8 @@
|
||||||
#ENC[AES256_GCM,data:whBqc+AeZpCDo/caKJQm3Wan3RiAvQwQ0v4fgmdZhMTu+5QeTTqb1L1M6ZUnNnQS1tc9wjaWfXby/2T0zLDM+Yl3yuHSfK1rkBbC4GwL83tSM4lbDE7+spSKxb2VrOZqozKpL6zQnWJB0COJfC5KqlHJCiM=,iv:M1KPhEQS/l4OFwAClqr7L2Jf73/tkpBBmXEPjGI7faU=,tag:A5x4nCDbnOLplGh7xqdN2Q==,type:comment]
|
#ENC[AES256_GCM,data:whBqc+AeZpCDo/caKJQm3Wan3RiAvQwQ0v4fgmdZhMTu+5QeTTqb1L1M6ZUnNnQS1tc9wjaWfXby/2T0zLDM+Yl3yuHSfK1rkBbC4GwL83tSM4lbDE7+spSKxb2VrOZqozKpL6zQnWJB0COJfC5KqlHJCiM=,iv:M1KPhEQS/l4OFwAClqr7L2Jf73/tkpBBmXEPjGI7faU=,tag:A5x4nCDbnOLplGh7xqdN2Q==,type:comment]
|
||||||
acme:
|
acme:
|
||||||
certs: ENC[AES256_GCM,data:glU5Kl4wiChxuQJq2ppCP4sJlutJkK1RgV0FloMNe/W8rV/mHcg8FcffotNYVZw87mqWz3N4jMgMVwnmXU0uObhV+W6L0mMb9U7akhXIuJQfiwaTeHZV48DPzDBzIDHUrsPZfxm6vfBlJltk9dH/43lytyMJqSeV3nWW4rA=,iv:Nz2pDdPdVbZK6BuYJrPcZ/LnnruvuMlhMJeowUPADj0=,tag:YNtlgq04iJxnZL76ESsQaQ==,type:str]
|
certs: ENC[AES256_GCM,data:glU5Kl4wiChxuQJq2ppCP4sJlutJkK1RgV0FloMNe/W8rV/mHcg8FcffotNYVZw87mqWz3N4jMgMVwnmXU0uObhV+W6L0mMb9U7akhXIuJQfiwaTeHZV48DPzDBzIDHUrsPZfxm6vfBlJltk9dH/43lytyMJqSeV3nWW4rA=,iv:Nz2pDdPdVbZK6BuYJrPcZ/LnnruvuMlhMJeowUPADj0=,tag:YNtlgq04iJxnZL76ESsQaQ==,type:str]
|
||||||
|
nginx:
|
||||||
|
defaultpass: ENC[AES256_GCM,data:z1z1u7ujZzOdESyWbpQMNnxO2dgadgwt3dg+xNB5tTnWQpHqCb0y/fJs1TUAbp9oCKYeR/QUVuL34WUeuRQkW0jL6EvPYgE=,iv:O8Mc23CWZwkgjPOwj8YfQqbs1gujnd/ekkDmal2iGNw=,tag:UX2CNlxHDwKsSPbwa0HePQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -17,8 +19,8 @@ sops:
|
||||||
Vmg2SkZBdjFYM1MzdVhmRVVNYjg3MlkKPbXkDdChq+GqqZuwQ2rj5LIP1gA44Qxn
|
Vmg2SkZBdjFYM1MzdVhmRVVNYjg3MlkKPbXkDdChq+GqqZuwQ2rj5LIP1gA44Qxn
|
||||||
gI66sDKkBwkAx7EkvUejGXK4pqPPvRwDUZFoSowIOSGaxF7CKdayBA==
|
gI66sDKkBwkAx7EkvUejGXK4pqPPvRwDUZFoSowIOSGaxF7CKdayBA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-09-24T01:30:23Z"
|
lastmodified: "2023-12-10T00:13:23Z"
|
||||||
mac: ENC[AES256_GCM,data:4ji9jVU4oILYTr3Hfd3Ic1XsxFrOnKTyTY88p9WCO8SaWDqzu2e/W3O8tiMgeZChTLLi0pK6t2hUgLI9XAQFQswMi56Ues1XdR+a8SsQmsMb0oGDzd6/Nhe39G0Q9raAy0XC+j9lBapOgKPKLGlDXRlllA050nFkTWEhKCQJmg8=,iv:FPYTaoDZjsbu6Oc0qu35jHq/AUhbfbnirutmcKDuUG8=,tag:JeQB+Fs2WOdlV7XoBFi3ag==,type:str]
|
mac: ENC[AES256_GCM,data:hr9fOX7cVLYHOqBppCWf2+YqJt7UMdGNRfAhlNSH4ZWCEwzQhrZcbZ8C/Ge4zkfQS6nQNYZIMulxv4oZjZdeX7B0Km92CRxmZ9nmk3TFtykivTmJgkHqMsWIS+aqtgBilrP2EstUoiQfEvDECwIKyCUu29C7iRxdpt5lEIDUT1M=,iv:cES0q8aRkt0OkkJj12ko7liqxYBaxXAQMtfPpxTQliU=,tag:7KyV+WmjUjTu6ari5Yza4A==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.0
|
version: 3.8.1
|
||||||
|
|
|
@ -1,8 +1,4 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
|
||||||
basicAuthUser = "guest";
|
|
||||||
basicAuthPass = "";
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
|
|
||||||
#acme and certs helpful blog https://carjorvaz.com/posts/
|
#acme and certs helpful blog https://carjorvaz.com/posts/
|
||||||
|
@ -47,9 +43,7 @@ in
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
proxyPass = "http://100.104.182.48";
|
proxyPass = "http://100.104.182.48";
|
||||||
};
|
};
|
||||||
basicAuth = {
|
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
|
||||||
guest = basicAuthPass;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualHosts.${"funn-nas.lauterer.it"} = {
|
virtualHosts.${"funn-nas.lauterer.it"} = {
|
||||||
|
@ -59,9 +53,7 @@ in
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
proxyPass = "https://100.104.182.48:30044";
|
proxyPass = "https://100.104.182.48:30044";
|
||||||
};
|
};
|
||||||
basicAuth = {
|
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
|
||||||
guest = basicAuthPass;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# virtualHosts.${"vpn."+config.networking.domain} = {
|
# virtualHosts.${"vpn."+config.networking.domain} = {
|
||||||
|
@ -90,9 +82,7 @@ in
|
||||||
# locations."/" = {
|
# locations."/" = {
|
||||||
# proxyPass = "http://jellyfin.galadriel";
|
# proxyPass = "http://jellyfin.galadriel";
|
||||||
# proxyWebsockets = true;
|
# proxyWebsockets = true;
|
||||||
# basicAuth = {
|
# basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
|
||||||
# guest = basicAuthPass;
|
|
||||||
# };
|
|
||||||
# };
|
# };
|
||||||
# };
|
# };
|
||||||
};
|
};
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
{
|
||||||
|
# Arion works with Docker, but for NixOS-based containers, you need Podman
|
||||||
|
# since NixOS 21.05.
|
||||||
|
virtualisation.docker.enable = false;
|
||||||
|
virtualisation.podman.enable = true;
|
||||||
|
virtualisation.podman.dockerSocket.enable = true;
|
||||||
|
virtualisation.podman.defaultNetwork.dnsname.enable = true;
|
||||||
|
|
||||||
|
# Use your username instead of `myuser`
|
||||||
|
users.extraUsers.gunalx.extraGroups = ["podman"];
|
||||||
|
}
|
Loading…
Reference in New Issue