moved nginx secret to sops and basicAuthFile

2023-12-10 01:20:18 +01:00 · 2023-12-10 01:20:18 +01:00 · 0903e94482
parent 564e04229b
commit 0903e94482
7 changed files with 25 additions and 25 deletions
--- a/machines/feanor/README.md
+++ b/machines/feanor/README.md
@ -1,5 +0,0 @@
-gitserver with gitea
-webserver with homepage
-
-webserver implementation is in works
-thinking of doing something like 
--- a/machines/feanor/configuration.nix
+++ b/machines/feanor/configuration.nix
--- a/profiles/sops.nix
+++ b/profiles/sops.nix
@ -14,10 +14,10 @@
  sops.validateSopsFiles = false;
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = [
-			 "/etc/ssh/nixos"
-			 #"/$HOME/.ssh/nixos"
-		         #"/home/gunalx/.ssh/nixos"
-			 ];
+			  "/etc/ssh/nixos"
+			  #"/$HOME/.ssh/nixos"
+        #"/home/gunalx/.ssh/nixos"
+			];
  # This is using an age key that is expected to already be in the filesystem
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  # This will generate a new key if the key specified above does not exist
@ -26,5 +26,6 @@
  # This is the actual specification of the secrets.
  #sops.secrets."myservice/my_subdir/my_secret" = {};
  sops.secrets."acme/certs" = {  };
+  sops.secrets."nginx/defaultpass" = {  };

 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -2,6 +2,8 @@
 #ENC[AES256_GCM,data:whBqc+AeZpCDo/caKJQm3Wan3RiAvQwQ0v4fgmdZhMTu+5QeTTqb1L1M6ZUnNnQS1tc9wjaWfXby/2T0zLDM+Yl3yuHSfK1rkBbC4GwL83tSM4lbDE7+spSKxb2VrOZqozKpL6zQnWJB0COJfC5KqlHJCiM=,iv:M1KPhEQS/l4OFwAClqr7L2Jf73/tkpBBmXEPjGI7faU=,tag:A5x4nCDbnOLplGh7xqdN2Q==,type:comment]
 acme:
    certs: ENC[AES256_GCM,data:glU5Kl4wiChxuQJq2ppCP4sJlutJkK1RgV0FloMNe/W8rV/mHcg8FcffotNYVZw87mqWz3N4jMgMVwnmXU0uObhV+W6L0mMb9U7akhXIuJQfiwaTeHZV48DPzDBzIDHUrsPZfxm6vfBlJltk9dH/43lytyMJqSeV3nWW4rA=,iv:Nz2pDdPdVbZK6BuYJrPcZ/LnnruvuMlhMJeowUPADj0=,tag:YNtlgq04iJxnZL76ESsQaQ==,type:str]
+nginx:
+    defaultpass: ENC[AES256_GCM,data:z1z1u7ujZzOdESyWbpQMNnxO2dgadgwt3dg+xNB5tTnWQpHqCb0y/fJs1TUAbp9oCKYeR/QUVuL34WUeuRQkW0jL6EvPYgE=,iv:O8Mc23CWZwkgjPOwj8YfQqbs1gujnd/ekkDmal2iGNw=,tag:UX2CNlxHDwKsSPbwa0HePQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -17,8 +19,8 @@ sops:
            Vmg2SkZBdjFYM1MzdVhmRVVNYjg3MlkKPbXkDdChq+GqqZuwQ2rj5LIP1gA44Qxn
            gI66sDKkBwkAx7EkvUejGXK4pqPPvRwDUZFoSowIOSGaxF7CKdayBA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-24T01:30:23Z"
-    mac: ENC[AES256_GCM,data:4ji9jVU4oILYTr3Hfd3Ic1XsxFrOnKTyTY88p9WCO8SaWDqzu2e/W3O8tiMgeZChTLLi0pK6t2hUgLI9XAQFQswMi56Ues1XdR+a8SsQmsMb0oGDzd6/Nhe39G0Q9raAy0XC+j9lBapOgKPKLGlDXRlllA050nFkTWEhKCQJmg8=,iv:FPYTaoDZjsbu6Oc0qu35jHq/AUhbfbnirutmcKDuUG8=,tag:JeQB+Fs2WOdlV7XoBFi3ag==,type:str]
+    lastmodified: "2023-12-10T00:13:23Z"
+    mac: ENC[AES256_GCM,data:hr9fOX7cVLYHOqBppCWf2+YqJt7UMdGNRfAhlNSH4ZWCEwzQhrZcbZ8C/Ge4zkfQS6nQNYZIMulxv4oZjZdeX7B0Km92CRxmZ9nmk3TFtykivTmJgkHqMsWIS+aqtgBilrP2EstUoiQfEvDECwIKyCUu29C7iRxdpt5lEIDUT1M=,iv:cES0q8aRkt0OkkJj12ko7liqxYBaxXAQMtfPpxTQliU=,tag:7KyV+WmjUjTu6ari5Yza4A==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.0
+    version: 3.8.1
--- a/secrets/secrets.yaml.dec
+++ b/secrets/secrets.yaml.dec
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -1,8 +1,4 @@
 { config, pkgs, lib, ... }:
-let
-  basicAuthUser = "guest";
-  basicAuthPass = ""; 
-in
 {  

  #acme and certs helpful blog https://carjorvaz.com/posts/
@ -47,9 +43,7 @@ in
        proxyWebsockets = true;
        proxyPass = "http://100.104.182.48";
      };
-      basicAuth = {
-        guest = basicAuthPass;
-      };
+      basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
    };

    virtualHosts.${"funn-nas.lauterer.it"} = {
@ -59,9 +53,7 @@ in
        proxyWebsockets = true;
        proxyPass = "https://100.104.182.48:30044";
      };
-      basicAuth = {
-        guest = basicAuthPass;
-      };
+      basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
    };

   # virtualHosts.${"vpn."+config.networking.domain} = {
@ -90,9 +82,7 @@ in
   #   locations."/" = {
   #     proxyPass = "http://jellyfin.galadriel";
   #     proxyWebsockets = true;
-   #     basicAuth = {
-   #       guest = basicAuthPass;
-   #     };
+   #     basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
   #   };
   # };
  };
--- a/services/podman.nix
+++ b/services/podman.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+  # Arion works with Docker, but for NixOS-based containers, you need Podman
+  # since NixOS 21.05.
+  virtualisation.docker.enable = false;
+  virtualisation.podman.enable = true;
+  virtualisation.podman.dockerSocket.enable = true;
+  virtualisation.podman.defaultNetwork.dnsname.enable = true;
+
+  # Use your username instead of `myuser`
+  users.extraUsers.gunalx.extraGroups = ["podman"];
+}