secrets in domeneshop-updater
This commit is contained in:
parent
d75734ec59
commit
2df8c52bcb
37
.sops.yaml
37
.sops.yaml
|
@ -1,25 +1,38 @@
|
||||||
key:
|
# sops updatekeys <fname>
|
||||||
|
keys: # https://github.com/getsops/sops/pull/1123
|
||||||
|
user_pbsds: &user_pbsds
|
||||||
# test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
|
# test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
|
||||||
- &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
|
- &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
|
||||||
- &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
|
- &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
|
||||||
|
hosts: &hosts
|
||||||
# ssh host cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
|
# ssh host cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
|
||||||
- &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
|
- &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
|
||||||
- &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
|
- &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
|
||||||
- &host_bolle age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
|
- &host_bolle age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
|
||||||
- &host_garp age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
|
- &host_garp age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
|
||||||
- &host_nord age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5
|
- &host_nord age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5
|
||||||
|
# https://github.com/getsops/sops#key-groups
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# # global
|
# global
|
||||||
# - path_regex: secrets/default.yaml$
|
- path_regex: secrets/default.yaml$
|
||||||
# key_groups:
|
key_groups:
|
||||||
# - age:
|
- age:
|
||||||
# - *user_pbsds_sopp
|
- *user_pbsds_sopp
|
||||||
# - *user_pbsds_nord
|
- *user_pbsds_nord
|
||||||
# - *host_sopp
|
- *host_sopp
|
||||||
# - *host_nox
|
- *host_nox
|
||||||
# - *host_bolle
|
- *host_bolle
|
||||||
# - *host_garp
|
- *host_garp
|
||||||
# - *host_nord
|
- *host_nord
|
||||||
|
# dns
|
||||||
|
- path_regex: secrets/dns.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *user_pbsds_sopp
|
||||||
|
- *user_pbsds_nord
|
||||||
|
- *host_nox
|
||||||
|
- *host_bolle
|
||||||
|
- *host_garp
|
||||||
# sopp only
|
# sopp only
|
||||||
- path_regex: secrets/sopp(/[^/]+)?\.yaml$
|
- path_regex: secrets/sopp(/[^/]+)?\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
|
|
|
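Review bot: The new `- path_regex: secrets/dns.yaml$` rule lists `host_nox`, `host_bolle` and `host_garp` but omits `host_sopp` and `host_nord`, and nothing in the file says whether the narrower recipient set is deliberate, so the next editor may "fix" it by adding all hosts. If it is intentional, a comment above the rule such as `# dns: only the hosts that run services.domeneshop-updater; sopp/nord deliberately excluded — run 'sops updatekeys secrets/dns.yaml' after editing this list` would record both the decision and the step needed to keep the encrypted file in sync. The five age recipients here match the five `- recipient:` entries in `secrets/dns.yaml` added by this commit, so rule and file currently agree. The `# sopp only` rule's `key_groups:` body continues past the end of the hunk.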
@ -68,7 +68,7 @@
|
||||||
* [x] flexget
|
* [x] flexget
|
||||||
* [ ] transmission
|
* [ ] transmission
|
||||||
* [ ] transmission remote gui
|
* [ ] transmission remote gui
|
||||||
* [ ] domeneshop
|
* [x] domeneshop
|
||||||
* [ ] webdav
|
* [ ] webdav
|
||||||
* [ ] code-remote
|
* [ ] code-remote
|
||||||
* [ ] add .netrc
|
* [ ] add .netrc
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, inputs, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.domeneshop-updater;
|
cfg = config.services.domeneshop-updater;
|
||||||
in
|
in
|
||||||
|
@ -12,7 +12,18 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = lib.mkIf (cfg.targets != []) {
|
||||||
|
|
||||||
|
users.users.domeneshop.isSystemUser = true;
|
||||||
|
users.users.domeneshop.group = "domeneshop";
|
||||||
|
users.groups.domeneshop = {};
|
||||||
|
|
||||||
|
sops.secrets."domeneshop/token".sopsFile = "${inputs.self}/secrets/dns.yaml";
|
||||||
|
sops.secrets."domeneshop/token".owner = "domeneshop";
|
||||||
|
sops.secrets."domeneshop/token".group = "domeneshop";
|
||||||
|
sops.secrets."domeneshop/secret".sopsFile = "${inputs.self}/secrets/dns.yaml";
|
||||||
|
sops.secrets."domeneshop/secret".owner = "domeneshop";
|
||||||
|
sops.secrets."domeneshop/secret".group = "domeneshop";
|
||||||
|
|
||||||
systemd.services.domeneshop-updater = {
|
systemd.services.domeneshop-updater = {
|
||||||
description = "domene.shop dyndns domain updater";
|
description = "domene.shop dyndns domain updater";
|
||||||
|
@ -24,14 +35,18 @@ in
|
||||||
name = "domeneshop-dyndns-updater.sh";
|
name = "domeneshop-dyndns-updater.sh";
|
||||||
runtimeInputs = with pkgs; [ curl yq ];
|
runtimeInputs = with pkgs; [ curl yq ];
|
||||||
text = ''
|
text = ''
|
||||||
test -s /var/lib/secrets/domeneshop.toml || {
|
test -s /run/secrets/domeneshop/token || {
|
||||||
>&2 echo "ERROR: /var/lib/secrets/domeneshop.toml not found!"
|
>&2 echo "ERROR: /run/secrets/domeneshop/token not found!"
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
DOMENESHOP_TOKEN="$( tomlq </var/lib/secrets/domeneshop.toml .secrets.DOMENESHOP_TOKEN --raw-output)"
|
test -s /run/secrets/domeneshop/secret || {
|
||||||
DOMENESHOP_SECRET="$(tomlq </var/lib/secrets/domeneshop.toml .secrets.DOMENESHOP_SECRET --raw-output)"
|
>&2 echo "ERROR: /run/secrets/domeneshop/secret not found!"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
DOMENESHOP_TOKEN="$( cat /run/secrets/domeneshop/token)"
|
||||||
|
DOMENESHOP_SECRET="$(cat /run/secrets/domeneshop/secret)"
|
||||||
${lib.concatMapStringsSep "\n" (target: ''
|
${lib.concatMapStringsSep "\n" (target: ''
|
||||||
curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname=${target}
|
curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname="${target}"
|
||||||
'') cfg.targets}
|
'') cfg.targets}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -52,9 +67,6 @@ in
|
||||||
Unit = "domeneshop-updater.service";
|
Unit = "domeneshop-updater.service";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
users.users.domeneshop.isSystemUser = true;
|
|
||||||
users.users.domeneshop.group = "domeneshop";
|
|
||||||
users.groups.domeneshop = {};
|
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
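Review bot: The updated request line `curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname="${target}"` places both credentials in curl's argv, where any local user can read them from the process list for as long as the request runs, which undoes much of the benefit of moving them from `/var/lib/secrets/domeneshop.toml` to mode-restricted files under `/run/secrets`. Passing them to curl through `--config -` on stdin (sketched below) keeps them out of argv, and adding `--fail -sS` makes a 4xx/5xx reply fail the unit instead of exiting 0. The new `sops.secrets."domeneshop/token".owner = "domeneshop"` and matching `group` lines only take effect if the unit actually runs as that user; the `serviceConfig` block lies between the `@ -12,7` and `@ -24,14` hunks, outside the diff, so I could not confirm a `User = "domeneshop"` is set there. The enclosing `config = lib.mkIf (cfg.targets != []) { ... }` attrset starts and ends outside the individual hunks.
```nix
${lib.concatMapStringsSep "\n" (target: ''
  # credentials are handed to curl on stdin (-K -) so they never appear in argv
  curl --fail --silent --show-error --config - <<EOF
  user = "$DOMENESHOP_TOKEN:$DOMENESHOP_SECRET"
  url = "https://api.domeneshop.no/v0/dyndns/update?hostname=${target}"
  EOF
'') cfg.targets}
```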
@ -0,0 +1,59 @@
|
||||||
|
domeneshop:
|
||||||
|
token: ENC[AES256_GCM,data:oBI/EV6++KALnb8PHSTaig==,iv:KIjkdB1YoI2TNHOcWCfAs0jUvUMFW6+on6RkQxciwo4=,tag:GvX0yD2iVqupcR3nFkhHyQ==,type:str]
|
||||||
|
secret: ENC[AES256_GCM,data:xjcSZ7Qjubos8GT6W9MRpsQ1+ZUcQt+pbhB233p7+0jGbNI17imbeX2seVneaQl1/BUgRtesotkxSYZZJdGhew==,iv:RUDjftpHo2nBHleCYgXATLoLFntFNjV4FssXviqZLzg=,tag:7qFoalSPO+A8Xhvc7GUgSQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNng3M1ZNY0I5V1ZGcm5U
|
||||||
|
b1RJck5LcCtLelZGUzIwbWFqcTlTQ2h3NXhNCkpaSE9CWTdsV3pHM0FNRFcwekth
|
||||||
|
dGFUaEVIdEFjaWQ1Q0dkdWd2ZHpDMWcKLS0tIFZ4VUd6enJwejc5OTBsbmIvWUFm
|
||||||
|
a2NNUHRnVFViV2JpTDZLMU0zaUxpQVkKxgz4avHqZjtsjm7igvwm51NGt1IzIQsL
|
||||||
|
0IScUFg53W11BNwoTXDNWT7Kb3pk03QSMd57ldk3me2VJ4BNopen3w==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSnpwTlh4bjFLd29Sc2VM
|
||||||
|
T1dITlBRUnZuaE9yd2ZMaTlIeDNYZEZTeXgwClJvNGwxNmxxYmZPYlNjbzlIeS93
|
||||||
|
Z0VpUXNXNXpocXl6a25pMklOR21QbG8KLS0tIHJOVUVHUGw5RE1XQ0tUSUhFVW5j
|
||||||
|
YjIrVVI1TnozZW5WU3dybjNmWTRya3MKon/o6kl/F7PpPn+fs1BeUs3mejM6EH5S
|
||||||
|
muw0/UWsb5a5q/7Gzp3340PKrXfNWvU4wveXpWN6aWfUOwRWY3c7Kg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySDhuNWtYWHJhRlRaWWt5
|
||||||
|
NUkzUGd4d0VmVW1BRzNKQmJTZVpQYmVqc1dnClg5N1lMRlM4alFad0NJVE9jZVo4
|
||||||
|
VVBVRnRKM3hEZ0F5UXRvV094aEtaazAKLS0tIG5Uc2p2MUI5dFZsaXhtUzFUaGE1
|
||||||
|
ZlpYcWE5MXlFMHlCaW5jdmt5NzRGUFUKocHdzkY8M/6h2EyM7bujwAHyMi/E41Cb
|
||||||
|
WkKCaAKkailS+GkM/TweI16OqT93jduFnl8uTPAvbPLHy0GyDVjNrA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUE1RmlHQ0tucUQxREJk
|
||||||
|
Wkxtc21PS3R6bHoxL1JLcm15bXBvSXdHeXdBCkxGMFhzUlpJeEdYcVlRY3B2ckY1
|
||||||
|
ODJIYWR1SjlOdTNxOGRDZTVHNnpZMjgKLS0tIDEvRVBld0Iyc1RlVWJvdy9USTBo
|
||||||
|
STVJTUgvRUFBWjc3SndYdXJsbmFLR2cK1OqMn3+n6gAza3zhQOqzo64eW5tdfLo0
|
||||||
|
KKkujO4USdicxVgVlo6sxYiSqTUSxZPXyuu0NE5yx7tYbIWyAgjumg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ0kyZWNucW5QQnB2dzNX
|
||||||
|
clJISStmUlNuMGc1N01hYytDU0FORStJZFE4CmlydE90d2I5eTVvdFpxYUFHSkxH
|
||||||
|
bU81SGxLYXA3Ukx3Mm5lV2RCajdOU2cKLS0tIGRHYzRFZEUxdTIxS2gzY1VEZ2Jv
|
||||||
|
c1BTeXpyRGZtQU1LUm1iMzErMDluSDQKBu9cm3fTH8gKi6kHUC/RIxMnSRyHYWRU
|
||||||
|
e5SXS9RtstQAPGcBt3677iZJrgAXJwB61OPUn8WIDpV6wckx32JLsg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-10-14T23:49:28Z"
|
||||||
|
mac: ENC[AES256_GCM,data:R8cw4lMSaI3Gjmii1rimQ0GEC3VK4eARjPpGehE/GoNMoFGMracnOwEToBAK9iQQwtHp3i48Bc0LoUt/xhG5ajbTUW7x/HzxnzFsRfrfTizfe4C7fc4B6gIp7Jhw3RVxOODVZHlbWcIJbQRJ4quS5vLnj8yGO29E+cDWrkqB3Gc=,iv:EkV1MXpJNdL2gY5s76QwvaFeb6jS7XDDhJ53RnRrofY=,tag:EH+1IuBztv7JUaNLwu7ZOQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|
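Review bot: Only the values under `domeneshop:` are ciphertext; the keys `domeneshop`, `token` and `secret` at the top of the new file stay in cleartext, because sops encrypts values and not structure, so the repository publicly reveals that it holds Domeneshop API credentials and how they are labelled. That is acceptable for these names, but worth keeping in mind before adding more descriptive keys to this file. The five `- recipient:` entries match the `secrets/dns.yaml` creation rule in `.sops.yaml` from this commit, and the `mac` field covers the whole document since `mac_only_encrypted` is not set, so a later edit outside sops will be detected at decryption time.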