adriangl
/
nix-dotfiles
mirror of https://github.com/adrlau/nix-dotfiles.git
1
2
Fork 0
Code Issues Packages Projects Releases Wiki Activity

moved nginx secret to sops and basicAuthFile

This commit is contained in:
Adrian Gunnar Lauterer 2023-12-10 01:20:18 +01:00
parent 564e04229b
commit 0903e94482
Signed by: adriangl
GPG Key ID: D33368A59745C2F0
7 changed files with 25 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
machines/feanor/README.md
View File

@ -1,5 +0,0 @@
gitserver with gitea
webserver with homepage
webserver implementation is in works
thinking of doing something like

0
machines/feanor/configuration.nix
View File

9
profiles/sops.nix
View File

@ -14,10 +14,10 @@
sops.validateSopsFiles = false; sops.validateSopsFiles = false;
# This will automatically import SSH keys as age keys # This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = [ sops.age.sshKeyPaths = [
"/etc/ssh/nixos" "/etc/ssh/nixos"
#"/$HOME/.ssh/nixos" #"/$HOME/.ssh/nixos"
#"/home/gunalx/.ssh/nixos" #"/home/gunalx/.ssh/nixos"
]; ];
# This is using an age key that is expected to already be in the filesystem # This is using an age key that is expected to already be in the filesystem
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# This will generate a new key if the key specified above does not exist # This will generate a new key if the key specified above does not exist
@ -26,5 +26,6 @@
# This is the actual specification of the secrets. # This is the actual specification of the secrets.
#sops.secrets."myservice/my_subdir/my_secret" = {}; #sops.secrets."myservice/my_subdir/my_secret" = {};
sops.secrets."acme/certs" = { }; sops.secrets."acme/certs" = { };
sops.secrets."nginx/defaultpass" = { };
} }

8
secrets/secrets.yaml
View File

@ -2,6 +2,8 @@
#ENC[AES256_GCM,data:whBqc+AeZpCDo/caKJQm3Wan3RiAvQwQ0v4fgmdZhMTu+5QeTTqb1L1M6ZUnNnQS1tc9wjaWfXby/2T0zLDM+Yl3yuHSfK1rkBbC4GwL83tSM4lbDE7+spSKxb2VrOZqozKpL6zQnWJB0COJfC5KqlHJCiM=,iv:M1KPhEQS/l4OFwAClqr7L2Jf73/tkpBBmXEPjGI7faU=,tag:A5x4nCDbnOLplGh7xqdN2Q==,type:comment] #ENC[AES256_GCM,data:whBqc+AeZpCDo/caKJQm3Wan3RiAvQwQ0v4fgmdZhMTu+5QeTTqb1L1M6ZUnNnQS1tc9wjaWfXby/2T0zLDM+Yl3yuHSfK1rkBbC4GwL83tSM4lbDE7+spSKxb2VrOZqozKpL6zQnWJB0COJfC5KqlHJCiM=,iv:M1KPhEQS/l4OFwAClqr7L2Jf73/tkpBBmXEPjGI7faU=,tag:A5x4nCDbnOLplGh7xqdN2Q==,type:comment]
acme: acme:
certs: ENC[AES256_GCM,data:glU5Kl4wiChxuQJq2ppCP4sJlutJkK1RgV0FloMNe/W8rV/mHcg8FcffotNYVZw87mqWz3N4jMgMVwnmXU0uObhV+W6L0mMb9U7akhXIuJQfiwaTeHZV48DPzDBzIDHUrsPZfxm6vfBlJltk9dH/43lytyMJqSeV3nWW4rA=,iv:Nz2pDdPdVbZK6BuYJrPcZ/LnnruvuMlhMJeowUPADj0=,tag:YNtlgq04iJxnZL76ESsQaQ==,type:str] certs: ENC[AES256_GCM,data:glU5Kl4wiChxuQJq2ppCP4sJlutJkK1RgV0FloMNe/W8rV/mHcg8FcffotNYVZw87mqWz3N4jMgMVwnmXU0uObhV+W6L0mMb9U7akhXIuJQfiwaTeHZV48DPzDBzIDHUrsPZfxm6vfBlJltk9dH/43lytyMJqSeV3nWW4rA=,iv:Nz2pDdPdVbZK6BuYJrPcZ/LnnruvuMlhMJeowUPADj0=,tag:YNtlgq04iJxnZL76ESsQaQ==,type:str]
nginx:
defaultpass: ENC[AES256_GCM,data:z1z1u7ujZzOdESyWbpQMNnxO2dgadgwt3dg+xNB5tTnWQpHqCb0y/fJs1TUAbp9oCKYeR/QUVuL34WUeuRQkW0jL6EvPYgE=,iv:O8Mc23CWZwkgjPOwj8YfQqbs1gujnd/ekkDmal2iGNw=,tag:UX2CNlxHDwKsSPbwa0HePQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -17,8 +19,8 @@ sops:
Vmg2SkZBdjFYM1MzdVhmRVVNYjg3MlkKPbXkDdChq+GqqZuwQ2rj5LIP1gA44Qxn Vmg2SkZBdjFYM1MzdVhmRVVNYjg3MlkKPbXkDdChq+GqqZuwQ2rj5LIP1gA44Qxn
gI66sDKkBwkAx7EkvUejGXK4pqPPvRwDUZFoSowIOSGaxF7CKdayBA== gI66sDKkBwkAx7EkvUejGXK4pqPPvRwDUZFoSowIOSGaxF7CKdayBA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-24T01:30:23Z" lastmodified: "2023-12-10T00:13:23Z"
mac: ENC[AES256_GCM,data:4ji9jVU4oILYTr3Hfd3Ic1XsxFrOnKTyTY88p9WCO8SaWDqzu2e/W3O8tiMgeZChTLLi0pK6t2hUgLI9XAQFQswMi56Ues1XdR+a8SsQmsMb0oGDzd6/Nhe39G0Q9raAy0XC+j9lBapOgKPKLGlDXRlllA050nFkTWEhKCQJmg8=,iv:FPYTaoDZjsbu6Oc0qu35jHq/AUhbfbnirutmcKDuUG8=,tag:JeQB+Fs2WOdlV7XoBFi3ag==,type:str] mac: ENC[AES256_GCM,data:hr9fOX7cVLYHOqBppCWf2+YqJt7UMdGNRfAhlNSH4ZWCEwzQhrZcbZ8C/Ge4zkfQS6nQNYZIMulxv4oZjZdeX7B0Km92CRxmZ9nmk3TFtykivTmJgkHqMsWIS+aqtgBilrP2EstUoiQfEvDECwIKyCUu29C7iRxdpt5lEIDUT1M=,iv:cES0q8aRkt0OkkJj12ko7liqxYBaxXAQMtfPpxTQliU=,tag:7KyV+WmjUjTu6ari5Yza4A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.0 version: 3.8.1

0
secrets/secrets.yaml.dec
View File

16
services/nginx.nix
View File

@ -1,8 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
basicAuthUser = "guest";
basicAuthPass = "";
in
{ {
#acme and certs helpful blog https://carjorvaz.com/posts/ #acme and certs helpful blog https://carjorvaz.com/posts/
@ -47,9 +43,7 @@ in
proxyWebsockets = true; proxyWebsockets = true;
proxyPass = "http://100.104.182.48"; proxyPass = "http://100.104.182.48";
}; };
basicAuth = { basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
guest = basicAuthPass;
};
}; };
virtualHosts.${"funn-nas.lauterer.it"} = { virtualHosts.${"funn-nas.lauterer.it"} = {
@ -59,9 +53,7 @@ in
proxyWebsockets = true; proxyWebsockets = true;
proxyPass = "https://100.104.182.48:30044"; proxyPass = "https://100.104.182.48:30044";
}; };
basicAuth = { basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
guest = basicAuthPass;
};
}; };
# virtualHosts.${"vpn."+config.networking.domain} = { # virtualHosts.${"vpn."+config.networking.domain} = {
@ -90,9 +82,7 @@ in
# locations."/" = { # locations."/" = {
# proxyPass = "http://jellyfin.galadriel"; # proxyPass = "http://jellyfin.galadriel";
# proxyWebsockets = true; # proxyWebsockets = true;
# basicAuth = { # basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
# guest = basicAuthPass;
# };
# }; # };
# }; # };
}; };

12
services/podman.nix Normal file
View File

@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
# Arion works with Docker, but for NixOS-based containers, you need Podman
# since NixOS 21.05.
virtualisation.docker.enable = false;
virtualisation.podman.enable = true;
virtualisation.podman.dockerSocket.enable = true;
virtualisation.podman.defaultNetwork.dnsname.enable = true;
# Use your username instead of `myuser`
users.extraUsers.gunalx.extraGroups = ["podman"];
}