secrets in domeneshop-updater
This commit is contained in:
parent
d75734ec59
commit
2df8c52bcb
37
.sops.yaml
37
.sops.yaml
@ -1,25 +1,38 @@
|
||||
key:
|
||||
# sops updatekeys <fname>
|
||||
keys: # https://github.com/getsops/sops/pull/1123
|
||||
user_pbsds: &user_pbsds
|
||||
# test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
|
||||
- &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
|
||||
- &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
|
||||
hosts: &hosts
|
||||
# ssh host cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
|
||||
- &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
|
||||
- &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
|
||||
- &host_bolle age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
|
||||
- &host_garp age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
|
||||
- &host_nord age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5
|
||||
# https://github.com/getsops/sops#key-groups
|
||||
creation_rules:
|
||||
# # global
|
||||
# - path_regex: secrets/default.yaml$
|
||||
# key_groups:
|
||||
# - age:
|
||||
# - *user_pbsds_sopp
|
||||
# - *user_pbsds_nord
|
||||
# - *host_sopp
|
||||
# - *host_nox
|
||||
# - *host_bolle
|
||||
# - *host_garp
|
||||
# - *host_nord
|
||||
# global
|
||||
- path_regex: secrets/default.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
- *user_pbsds_nord
|
||||
- *host_sopp
|
||||
- *host_nox
|
||||
- *host_bolle
|
||||
- *host_garp
|
||||
- *host_nord
|
||||
# dns
|
||||
- path_regex: secrets/dns.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
- *user_pbsds_nord
|
||||
- *host_nox
|
||||
- *host_bolle
|
||||
- *host_garp
|
||||
# sopp only
|
||||
- path_regex: secrets/sopp(/[^/]+)?\.yaml$
|
||||
key_groups:
|
||||
|
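Review bot: The two new creation rules `path_regex: secrets/default.yaml$` and `path_regex: secrets/dns.yaml$` leave the dot unescaped, unlike the existing sopp rule `secrets/sopp(/[^/]+)?\.yaml$` further down in the same hunk; for consistency and a tighter match use `secrets/default\.yaml$` and `secrets/dns\.yaml$`. The dns rule deliberately lists only `*host_nox`, `*host_bolle` and `*host_garp` alongside the two user keys, which is the right least-privilege shape, but nothing records why those three hosts and not `*host_sopp`/`*host_nord`; a one-line comment such as `# dns: only hosts that run the domeneshop updater may decrypt` (presumably that is the criterion, confirm) would keep the intent from being lost the next time someone runs `sops updatekeys`. Since sops picks the first matching rule, keeping these narrower rules ahead of any broader catch-all is worth noting in that comment too.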
@ -68,7 +68,7 @@
|
||||
* [x] flexget
|
||||
* [ ] transmission
|
||||
* [ ] transmission remote gui
|
||||
* [ ] domeneshop
|
||||
* [x] domeneshop
|
||||
* [ ] webdav
|
||||
* [ ] code-remote
|
||||
* [ ] add .netrc
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, lib, inputs, ... }:
|
||||
let
|
||||
cfg = config.services.domeneshop-updater;
|
||||
in
|
||||
@ -12,7 +12,18 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
config = lib.mkIf (cfg.targets != []) {
|
||||
|
||||
users.users.domeneshop.isSystemUser = true;
|
||||
users.users.domeneshop.group = "domeneshop";
|
||||
users.groups.domeneshop = {};
|
||||
|
||||
sops.secrets."domeneshop/token".sopsFile = "${inputs.self}/secrets/dns.yaml";
|
||||
sops.secrets."domeneshop/token".owner = "domeneshop";
|
||||
sops.secrets."domeneshop/token".group = "domeneshop";
|
||||
sops.secrets."domeneshop/secret".sopsFile = "${inputs.self}/secrets/dns.yaml";
|
||||
sops.secrets."domeneshop/secret".owner = "domeneshop";
|
||||
sops.secrets."domeneshop/secret".group = "domeneshop";
|
||||
|
||||
systemd.services.domeneshop-updater = {
|
||||
description = "domene.shop dyndns domain updater";
|
||||
@ -24,14 +35,18 @@ in
|
||||
name = "domeneshop-dyndns-updater.sh";
|
||||
runtimeInputs = with pkgs; [ curl yq ];
|
||||
text = ''
|
||||
test -s /var/lib/secrets/domeneshop.toml || {
|
||||
>&2 echo "ERROR: /var/lib/secrets/domeneshop.toml not found!"
|
||||
test -s /run/secrets/domeneshop/token || {
|
||||
>&2 echo "ERROR: /run/secrets/domeneshop/token not found!"
|
||||
exit 1
|
||||
}
|
||||
DOMENESHOP_TOKEN="$( tomlq </var/lib/secrets/domeneshop.toml .secrets.DOMENESHOP_TOKEN --raw-output)"
|
||||
DOMENESHOP_SECRET="$(tomlq </var/lib/secrets/domeneshop.toml .secrets.DOMENESHOP_SECRET --raw-output)"
|
||||
test -s /run/secrets/domeneshop/secret || {
|
||||
>&2 echo "ERROR: /run/secrets/domeneshop/secret not found!"
|
||||
exit 1
|
||||
}
|
||||
DOMENESHOP_TOKEN="$( cat /run/secrets/domeneshop/token)"
|
||||
DOMENESHOP_SECRET="$(cat /run/secrets/domeneshop/secret)"
|
||||
${lib.concatMapStringsSep "\n" (target: ''
|
||||
curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname=${target}
|
||||
curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname="${target}"
|
||||
'') cfg.targets}
|
||||
'';
|
||||
};
|
||||
@ -52,9 +67,6 @@ in
|
||||
Unit = "domeneshop-updater.service";
|
||||
};
|
||||
};
|
||||
users.users.domeneshop.isSystemUser = true;
|
||||
users.users.domeneshop.group = "domeneshop";
|
||||
users.groups.domeneshop = {};
|
||||
|
||||
};
|
||||
}
|
||||
|
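Review bot: In the `text` hunk (@ -24,14 +35,18) the token and secret read from `/run/secrets/domeneshop/*` are interpolated into the request URL as `https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/...`, so both values are part of curl's argv and are visible to every local user via `ps` or `/proc/<pid>/cmdline` while each request runs; moving the source from the toml file to sops-nix does not change that. Feeding the credentials through a config file on stdin keeps them off the command line, e.g. `curl --config - https://api.domeneshop.no/v0/dyndns/update?hostname="${target}" <<< "user = \"$DOMENESHOP_TOKEN:$DOMENESHOP_SECRET\""`. Separately, no HTTP status is checked: curl exits 0 on a 401 or 5xx, so once the secret files exist the unit reports success even when the update was rejected, which `--fail-with-body -sS` (or `-f`) would surface to systemd. The service's `serviceConfig` (whether it runs as the new `domeneshop` user that owns the secrets) lies outside these hunks, so that part cannot be confirmed here.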
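--- /dev/null
+++ b/secrets/dns.yaml
@@ -0,0 +1,59 @@
+domeneshop:
+token: ENC[AES256_GCM,data:oBI/EV6++KALnb8PHSTaig==,iv:KIjkdB1YoI2TNHOcWCfAs0jUvUMFW6+on6RkQxciwo4=,tag:GvX0yD2iVqupcR3nFkhHyQ==,type:str]
+secret: ENC[AES256_GCM,data:xjcSZ7Qjubos8GT6W9MRpsQ1+ZUcQt+pbhB233p7+0jGbNI17imbeX2seVneaQl1/BUgRtesotkxSYZZJdGhew==,iv:RUDjftpHo2nBHleCYgXATLoLFntFNjV4FssXviqZLzg=,tag:7qFoalSPO+A8Xhvc7GUgSQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNng3M1ZNY0I5V1ZGcm5U
+b1RJck5LcCtLelZGUzIwbWFqcTlTQ2h3NXhNCkpaSE9CWTdsV3pHM0FNRFcwekth
+dGFUaEVIdEFjaWQ1Q0dkdWd2ZHpDMWcKLS0tIFZ4VUd6enJwejc5OTBsbmIvWUFm
+a2NNUHRnVFViV2JpTDZLMU0zaUxpQVkKxgz4avHqZjtsjm7igvwm51NGt1IzIQsL
+0IScUFg53W11BNwoTXDNWT7Kb3pk03QSMd57ldk3me2VJ4BNopen3w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSnpwTlh4bjFLd29Sc2VM
+T1dITlBRUnZuaE9yd2ZMaTlIeDNYZEZTeXgwClJvNGwxNmxxYmZPYlNjbzlIeS93
+Z0VpUXNXNXpocXl6a25pMklOR21QbG8KLS0tIHJOVUVHUGw5RE1XQ0tUSUhFVW5j
+YjIrVVI1TnozZW5WU3dybjNmWTRya3MKon/o6kl/F7PpPn+fs1BeUs3mejM6EH5S
+muw0/UWsb5a5q/7Gzp3340PKrXfNWvU4wveXpWN6aWfUOwRWY3c7Kg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySDhuNWtYWHJhRlRaWWt5
+NUkzUGd4d0VmVW1BRzNKQmJTZVpQYmVqc1dnClg5N1lMRlM4alFad0NJVE9jZVo4
+VVBVRnRKM3hEZ0F5UXRvV094aEtaazAKLS0tIG5Uc2p2MUI5dFZsaXhtUzFUaGE1
+ZlpYcWE5MXlFMHlCaW5jdmt5NzRGUFUKocHdzkY8M/6h2EyM7bujwAHyMi/E41Cb
+WkKCaAKkailS+GkM/TweI16OqT93jduFnl8uTPAvbPLHy0GyDVjNrA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUE1RmlHQ0tucUQxREJk
+Wkxtc21PS3R6bHoxL1JLcm15bXBvSXdHeXdBCkxGMFhzUlpJeEdYcVlRY3B2ckY1
+ODJIYWR1SjlOdTNxOGRDZTVHNnpZMjgKLS0tIDEvRVBld0Iyc1RlVWJvdy9USTBo
+STVJTUgvRUFBWjc3SndYdXJsbmFLR2cK1OqMn3+n6gAza3zhQOqzo64eW5tdfLo0
+KKkujO4USdicxVgVlo6sxYiSqTUSxZPXyuu0NE5yx7tYbIWyAgjumg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ0kyZWNucW5QQnB2dzNX
+clJISStmUlNuMGc1N01hYytDU0FORStJZFE4CmlydE90d2I5eTVvdFpxYUFHSkxH
+bU81SGxLYXA3Ukx3Mm5lV2RCajdOU2cKLS0tIGRHYzRFZEUxdTIxS2gzY1VEZ2Jv
+c1BTeXpyRGZtQU1LUm1iMzErMDluSDQKBu9cm3fTH8gKi6kHUC/RIxMnSRyHYWRU
+e5SXS9RtstQAPGcBt3677iZJrgAXJwB61OPUn8WIDpV6wckx32JLsg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-10-14T23:49:28Z"
+mac: ENC[AES256_GCM,data:R8cw4lMSaI3Gjmii1rimQ0GEC3VK4eARjPpGehE/GoNMoFGMracnOwEToBAK9iQQwtHp3i48Bc0LoUt/xhG5ajbTUW7x/HzxnzFsRfrfTizfe4C7fc4B6gIp7Jhw3RVxOODVZHlbWcIJbQRJ4quS5vLnj8yGO29E+cDWrkqB3Gc=,iv:EkV1MXpJNdL2gY5s76QwvaFeb6jS7XDDhJ53RnRrofY=,tag:EH+1IuBztv7JUaNLwu7ZOQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3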