From 4207a3666c8143c14836de3acc13634c615cea95 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Sat, 17 Dec 2022 22:00:57 +0100
Subject: [PATCH 1/3] Simplify nginx on ildkule
---
 hosts/ildkule/services/nginx/default.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/hosts/ildkule/services/nginx/default.nix b/hosts/ildkule/services/nginx/default.nix
index 03f3687e..99dfbd8d 100644
--- a/hosts/ildkule/services/nginx/default.nix
+++ b/hosts/ildkule/services/nginx/default.nix
@@ -4,14 +4,12 @@ security.acme = {
 acceptTerms = true;
- defaults.email = "danio@pvv.ntnu.no";
+ defaults.email = "drift@pvv.ntnu.no";
 };
 services.nginx = {
 enable = true;
- defaultListenAddresses = [ "129.241.210.187" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::187]" "[::1]" ];
- recommendedProxySettings = true;
 recommendedTlsSettings = true;
 recommendedGzipSettings = true;
From 57ff1fa17a73d4c5e4bb29f2ce722f3b99f758cc Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Sat, 17 Dec 2022 22:53:26 +0100
Subject: [PATCH 2/3] Add oysteikt to secrets
---
 .sops.yaml | 9 +++++++++
 keys/oysteikt.pub | 41 +++++++++++++++++++++++++++++++++++++++
 secrets/jokum/jokum.yaml | 42 +++++++++++++++++++++++++++++++-----------
 shell.nix | 1 +
 4 files changed, 82 insertions(+), 11 deletions(-)
 create mode 100644 keys/oysteikt.pub
diff --git a/.sops.yaml b/.sops.yaml
index d0058462..636c6011 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,7 @@
 keys:
 - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
 - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+ - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
 - &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
 creation_rules:
 # Global secrets
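Review bot: Removing the `defaultListenAddresses` line makes `services.nginx` fall back to the module default, which listens on every address (`0.0.0.0`, plus `[::0]` when IPv6 is enabled) rather than only the host's public IP and loopback, so any other interface on ildkule becomes reachable through nginx as well; if that is intended, say so in the commit message and make sure the host firewall is what limits exposure, otherwise keep the explicit list. Dropping `recommendedProxySettings` also stops nginx injecting `proxy_set_header Host`/`X-Real-IP`/`X-Forwarded-*` into `proxyPass` locations, which changes the client address and scheme any proxied backend sees; the virtualHosts are not in this hunk, so I cannot tell whether anything proxies. Moving the ACME contact to the `drift@` role address is a good change. The `services.nginx` attribute set continues past the end of the hunk.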
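Review bot: `&user_oysteikt` is a bare PGP fingerprint, which sops hands to `gpg`, so encryption only works when that public key is already in the invoking user's keyring; nothing in the repository imports `keys/oysteikt.pub`, so a comment on this line such as `# PGP fingerprint - import keys/oysteikt.pub into your keyring before running sops updatekeys` would spare the next person a failed gpg encrypt step. Decoding the self-signatures in `keys/oysteikt.pub` by hand, the fingerprint does match the issuer-fingerprint subpacket, but the key's RSA encryption subkey appears to carry a key-expiration subpacket of roughly two years from its 2022-07 creation; confirm with `gpg --list-keys F7D37890228A907440E1FD4846B9228E814A2AAC` after importing, because gpg refuses to encrypt to an expired subkey and `sops updatekeys` will start failing when it lapses unless the key is refreshed. The user IDs inside that key do not mention `oysteikt`, so this alias is the only link between the person and the key; record how the fingerprint was verified out of band.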
@@ -9,16 +10,24 @@ creation_rules:
 - age:
 - *user_danio
 - *host_jokum
+ pgp:
+ - *user_oysteikt
 # Host specific secrets
 ## Jokum
 - path_regex: secrets/jokum/[^/]+\.yaml$
+ shamir_threshold: 1
 key_groups:
 - age:
 - *user_danio
 - *host_jokum
+ pgp:
+ - *user_oysteikt
 - path_regex: secrets/ildkule/[^/]+\.yaml$
+ shamir_threshold: 1
 key_groups:
 - age:
 - *user_felixalb
 - *user_danio
+ pgp:
+ - *user_oysteikt
\ No newline at end of file
diff --git a/keys/oysteikt.pub b/keys/oysteikt.pub
new file mode 100644
index 00000000..9d71c150
--- /dev/null
+++ b/keys/oysteikt.pub
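Review bot: Adding `pgp: - *user_oysteikt` to a creation rule only affects files that sops creates or re-keys afterwards; this commit re-keys `secrets/jokum/jokum.yaml` (see the diffstat) but nothing under `secrets/ildkule/` or the global rule's path, so if any such files already exist oysteikt cannot decrypt them until `sops updatekeys` is run on each of them. `shamir_threshold: 1` has no effect here because every rule still has a single key group (the age and pgp entries are keys within that one group, and any one of them unwraps the data key), which the third patch in this series already acknowledges by dropping it. The file also loses its trailing newline (`\ No newline at end of file`), which is worth restoring for cleaner future diffs.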
@@ -0,0 +1,41 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEYuaF5BYJKwYBBAHaRw8BAQdAyCMRV/dIW4dIbUqMNP6nWiyAnB/a4iAtTaEn +idcbAdy0JGg3eDRhYmszZyA8aDd4NGFiazNnQHByb3Rvbm1haWwuY29tPoiQBBMW +CgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7j2ICGwEFCwkIBwMFFQoJCAsF +FgIDAQACHgECF4AACgkQRrkijoFKKqxIlQD9F0EedrFpHAVuaVas9ZWRZb4xv3zM ++CPpeegRw646eC8A/0l4JRHplPClB4MQfsc3N/0TDbCT4PaEhls9eJQ2KbUKtBRo +N3g0IDxoN3g0QG5hbmkud3RmPoiTBBMWCgA7AhsBBQsJCAcDBRUKCQgLBRYCAwEA +Ah4BAheAFiEE99N4kCKKkHRA4f1IRrkijoFKKqwFAmL7l8ACGQEACgkQRrkijoFK +KqxI4wD9EIGpb3Gt5s5e8waH7XaLSlquOrW1RID3sSuzWI4DvikBAMncfBbtkpzH +EYU2Ufm8VxzgJDnyeB+lcdeSJXWaIwYLtCZoN3g0IChhbHRlcm5hdGl2ZSkgPGg3 +eDQuYWx0QG5hbmkud3RmPoiQBBMWCgA4FiEE99N4kCKKkHRA4f1IRrkijoFKKqwF +AmL7j0oCGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQRrkijoFKKqytywD+ +IdHIxbjRcDEJYOqFX1r4wrymTvnjz/kp0zUSrymwMUoBAP8huPK/YpujNF6/cwwB +3A5WwpWjjV+F/uq2ejqFOocNuDMEYuaGRxYJKwYBBAHaRw8BAQdAsmc0GTQIszpk +jDYwgSt6zI81P2+k9WvBg6IEISnyuVWI9QQYFgoAJhYhBPfTeJAiipB0QOH9SEa5 +Io6BSiqsBQJi5oZHAhsCBQkDwmcAAIEJEEa5Io6BSiqsdiAEGRYKAB0WIQTzzahs +xVqfENegaYGfL32CUPNRRgUCYuaGRwAKCRCfL32CUPNRRhWYAQCzfkYeJt9t02jO +c3SXwk1e1dGj9ydEXSprSr8/2PWu7gD+KD/FJWzPbnMhtudoGfCIzNFaazcz/QqT +ZeBs6Q+AkQ7ueQD/ZqQMkaCrd8o2L02h89U6bFxy86nyTurGAUVx92F8jUwBAKa7 +Zp/0vR5bR4o57C7NTxB5kbmteF0AXS9R7sxSA/AEuQINBGLmhnoBEADa1yBK0NKx +VIto3hSh21hooYpWcEXWqMPXHO34rcAhktVFOOHIl2bFGScQAZXtjAcqUmMyC+PM +s1DZoocFk+9PJt17hAa/s6CRrw8vK+1fVqhj0XOLtevGV9iC6IRvhPxzTsOaeOss +gMGIU8xDmMKT2nGHGNUkqOXGld63E3NKsK3lnl+BCdpJ0f3GEB7aSQ+pk6k1uzOD +XX/mhAUJmL1MkVZ6jJA3vhsre0Kfa9p+C5mP4hLJ6jF+oESvA4HC+LuCSGm66gID +MC39jnLo6hwYEEjfPXD7CUAN4S2eISSFd+ZclN2vYcrKYgsCZS0hBFOgDhKKCHBu +MwP12AIM8y8L64/eOWFpR7s2StAPjjYbZeZECHLWZt1zGVvkS7Xp6lsAg6/T8Eys +KG7vTl2Qq9W0BmzNgk2ODTZkhv0gqqXppdr8eRiq+h0qMfJptG0GycOvqb9PoEO2 +dfNCjjII8VfaSGfSEYo8UwsqYTtfgdoNnFCXKd1r7QmvrdbNsFDRmkv+wWJoipwU +aVquyb2KN652jSlpwMECW6fSEsT/5C3mJLgAmi6l6yosw6HdIY6jgpCGtxnHW2zR +eIS6ezZdtxYBCkEHK70yASyaIHrLLDknw+DuKvXAWOAecob8GNBHOjXZe3LzBt2r 
+VgOCRa+W7milNgjUCsz+R3rM8XfR+wNEGwARAQABiH4EGBYKACYWIQT303iQIoqQ +dEDh/UhGuSKOgUoqrAUCYuaGegIbDAUJA8JnAAAKCRBGuSKOgUoqrDE0AQDBxRsm +W9L60mxGCp1CpNWBXD2T6D605PlNiNCcM+cOCgD/c2OitSSG50M0YRbyh1LPYL6Y +QePL0dQkYsjm6XVmrAK4MwRi5obFFgkrBgEEAdpHDwEBB0BYP2r4I9LGW8ai+fLW +RKXGonni9TljqFVN5mV/yuxlPoh+BBgWCgAmFiEE99N4kCKKkHRA4f1IRrkijoFK +KqwFAmLmhsUCGyAFCQPCZwAACgkQRrkijoFKKqzeYwD/emjtDBD0EiCnS2mvfopa +T6foJSfXbiCe83UdFNebTjQBANFqnkXPCYb9dFIyM/0N1JXH7yj81VuslSqPi4NR +SNkE +=oTMO +-----END PGP PUBLIC KEY BLOCK----- diff --git a/secrets/jokum/jokum.yaml b/secrets/jokum/jokum.yaml index d3f4114b..f499103e 100644 --- a/secrets/jokum/jokum.yaml +++ b/secrets/jokum/jokum.yaml 
@@ -16,23 +16,43 @@ sops: - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOU56dFpuZ0QySnZFK0k1 - MTl1blEzclZBa1dZV1NGYUVBa3hyRmR4WlYwCnRHdXd1TzZQdjAwTGJ5aHYxVS9H - M3Rzd082QVliMzBCdGZ3alZVYlY5cUEKLS0tIER6WWNhWUZuZmI5QXlkazdZTllI - OUN3Z21WQ010ZjlMamVwK0VsYkM4TjgKR+cv3y7rSJ7UwaE3fl42jBV43lG4OU0n - atbZeUj+i2SmaFIE+MoyckbygtFZOvs93xwuMDJjkD7a+EGfCz2ggw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3K29HWS9ZRWxpbzQ3d1V2 + OEZwYjA5eEE1Z0YrM1o0YnlGbGt3QmQ2YkdBCkpnZHN1TE45dWxqY3lndjBYcWVQ + cFdoUi9WaVNibndWdTcwTDRiOTBtWXMKLS0tIGNIYkdIZWo4cUlrM094Qi9KTnJa + ZXI1bnZlbmZZQ2dvLys4YllYRG9jNlkKn2UbGP+TOUU5+Q3OQuZTQvr8S5oDX/aN + a7iaQn2z/Y5M3tGvFBOiaWZjqtoCHgtZL56LKAaF60yLeUIPnKylbg== -----END AGE ENCRYPTED FILE----- - recipient: age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cGpSa0NZeGQ4K0w3elhJ - WG5VNkxsT3FERXRZUkt3VEJtRlhSRThSemo4CnlFcjN4UUgrUTN5MHdoZEhyaTdL - OFM4MXFrbnp0MmJCOXRPcFljZVcwdkUKLS0tIFoxelA4Z3lycUY5SzdqTVZ3aW1r - cGFFU3RzU200b0x3M2dkbFJWU0ZVSzAKSg7ZlRvgJshAJxXiXgT+b4nhFe4MjVRY - n7+Ld+SdXJvGtZsH4IObkVYgj16d3SFBs87yWA+NExUoEuQb97fa7Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISzh3QmlzempEMDNsaTQy + bGxFZlNLdURhY0NzcjhjdlgzZlFxV0R6cURnCnhqRUlpcFNPUWd0YmF6TjYvK0t4 + UDVlcFFTbDByTkRZTW9ITC9yVVlzYUkKLS0tIGtkWHF4enhrK004RG00NUt5ZlND + TFBiblFGNkdHZkk1L2RXdkpHSGQ1U2cK/mBTDDHOWSGZRflIsxOyDWShQH2EILJr + jCrLGbIaGgphIgLCHVmMV8QLRPK+8f9t8KZg7sczRViuDwZsAx5vPA== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-12-09T05:16:09Z" mac: ENC[AES256_GCM,data:MSKUQkCDCEOcl9Eh2VH9ccZ3Ux0eIyJFyjFVaJZ5WQA4fIB1J6Y/EoK/q7iaLFIH8YkeVPIvXVu9eCXjIyQkSugJwQXk+gSFtssjegUBTcZkRJJ0Lo48IWO4yVFXnDYzyFjcgH4TBmL0uco3BkWHfLHR46fQUJIco9yYlVKtsFU=,iv:d3uWCTVV8o1Nx6WJCF/YQHOeGjTzJk6xaDxMTWeUINU=,tag:KOi1naN2Uhe0NcMl6oW/6A==,type:str] - pgp: [] + pgp: + - created_at: 
"2022-12-17T23:05:08Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA0av/duuklWYARAAvQ3TCvGiu75Swvd9hyY8rw2TeXiKPbHESzXFSZdR3+wk + XkaRTPuxMot5IUmUhC4EWxzUrKKyPsfw685FpojHDUeOWzaAcnbTT3NVg+VoSIAl + pDnt7BUZ/23Hd0tYt+VJuX8S4Iqny6xnhzWTaFNrLFhPGvIN3XbDqEsWRLQk9s46 + rMht6DJkz8itsFTJrwmg52oXP0mIlZkaGFvWBNZlLf/0PiEET4sjZ3cn4rRGRNhf + Zk7u7ZgrBFRib0OO/edN6zFh9+/zbculXucqlnvccm6BQluHj2Z66++cyyzEL2xY + eU+8sBNWWKHPusPhKNWZsUGQ30fM7Ctdri5PWOzglJ0Ah+lAFgmbqdcSHjAuF9f7 + 9YVA5G4b7B1vT0dCv3MZ3419Gqa9Vimi1xUw+9SbZjACpMraovUKshTsKN/9rBzY + YkojmBdaneMoFGvo+aj5vMxG8CJbPV3Oiq1+G0E/fj53W1Qi8boeqcLxw5IbJIbq + 27hQYm2L1gNBg84cEJfzjtxqPkP4IMb5DOZYo8hNVbXCP4AYjgyecw4tkSnbRkB9 + GaRYSx2b1HMOxrDnzRUx8cX26a/eNlLhictPUy10Dvcs/xfWzGytL/3AtiAeaIY9 + 4G6rWuUv6XqYMM20bMc+HnKaFpYq2Y98DuLCqddrek8UaMX2b1p1Kw1ebC1i56fS + XgFIdcQDWiMi8rsWjAoFE7CDe/FvyCNSE88pvwhH2/BQjowUeMLqqqCHbrEj8sgo + icW/6tsXZ5ShJ5bi56Hal5FsAdR6sXTTdm8nYSFdmIfSHUz+auZ41WkLJYXpuFU= + =EVJD + -----END PGP MESSAGE----- + fp: F7D37890228A907440E1FD4846B9228E814A2AAC unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/shell.nix b/shell.nix index 7179e77f..6158abe0 100644 --- a/shell.nix +++ b/shell.nix @@ -2,5 +2,6 @@ pkgs.mkShell { nativeBuildInputs = with pkgs; [ sops + gnupg ]; } From d52a7295b52fb295456444776a96406cb82975ac Mon Sep 17 00:00:00 2001 From: Daniel Olsen Date: Sun, 18 Dec 2022 10:58:00 +0100 Subject: [PATCH 3/3] sops: shamir secret setting does nothing --- .sops.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 636c6011..b657e5fd 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -15,7 +15,6 @@ creation_rules: # Host specific secrets ## Jokum - path_regex: secrets/jokum/[^/]+\.yaml$ - shamir_threshold: 1 key_groups: - age: - *user_danio @@ -24,7 +23,6 @@ creation_rules: - *user_oysteikt - path_regex: secrets/ildkule/[^/]+\.yaml$ - shamir_threshold: 1 key_groups: - age: - *user_felixalb