secrets in domeneshop-updater

This commit is contained in:
Peder Bergebakken Sundt 2023-10-15 03:35:35 +02:00
parent d75734ec59
commit 2df8c52bcb
4 changed files with 107 additions and 23 deletions


@ -1,25 +1,38 @@
key: # sops updatekeys <fname>
keys: # https://github.com/getsops/sops/pull/1123
user_pbsds: &user_pbsds
# test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt # test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
- &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs - &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
hosts: &hosts
# ssh host cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age # ssh host cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
- &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3 - &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
- &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7 - &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
- &host_bolle age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg - &host_bolle age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
- &host_garp age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf - &host_garp age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
- &host_nord age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5 - &host_nord age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5
# https://github.com/getsops/sops#key-groups
creation_rules: creation_rules:
# # global # global
# - path_regex: secrets/default.yaml$ - path_regex: secrets/default.yaml$
# key_groups: key_groups:
# - age: - age:
# - *user_pbsds_sopp - *user_pbsds_sopp
# - *user_pbsds_nord - *user_pbsds_nord
# - *host_sopp - *host_sopp
# - *host_nox - *host_nox
# - *host_bolle - *host_bolle
# - *host_garp - *host_garp
# - *host_nord - *host_nord
# dns
- path_regex: secrets/dns.yaml$
key_groups:
- age:
- *user_pbsds_sopp
- *user_pbsds_nord
- *host_nox
- *host_bolle
- *host_garp
# sopp only # sopp only
- path_regex: secrets/sopp(/[^/]+)?\.yaml$ - path_regex: secrets/sopp(/[^/]+)?\.yaml$
key_groups: key_groups:
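Review bot: The new `# dns` rule (`- path_regex: secrets/dns.yaml$`) lists three of the five hosts plus the two user keys, but nothing says why host_nox, host_bolle and host_garp are recipients while host_sopp and host_nord are not; since this list is the effective access control for the domeneshop credentials, a one-line comment would keep the next edit honest, e.g. `# dns: only hosts that enable services.domeneshop-updater (keep in sync with the hosts importing the module)`, assuming that is indeed the criterion. The re-enabled global rule for `secrets/default.yaml$` deserves a similar note stating that it is intentionally decryptable by every host. The hunk header advertises 25 old lines but the section shown here ends at `key_groups:`, so the remainder of the `sopp only` rule is not visible on this page.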


@ -68,7 +68,7 @@
* [x] flexget * [x] flexget
* [ ] transmission * [ ] transmission
* [ ] transmission remote gui * [ ] transmission remote gui
* [ ] domeneshop * [x] domeneshop
* [ ] webdav * [ ] webdav
* [ ] code-remote * [ ] code-remote
* [ ] add .netrc * [ ] add .netrc


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, inputs, ... }:
let let
cfg = config.services.domeneshop-updater; cfg = config.services.domeneshop-updater;
in in
@ -12,7 +12,18 @@ in
}; };
}; };
config = { config = lib.mkIf (cfg.targets != []) {
users.users.domeneshop.isSystemUser = true;
users.users.domeneshop.group = "domeneshop";
users.groups.domeneshop = {};
sops.secrets."domeneshop/token".sopsFile = "${inputs.self}/secrets/dns.yaml";
sops.secrets."domeneshop/token".owner = "domeneshop";
sops.secrets."domeneshop/token".group = "domeneshop";
sops.secrets."domeneshop/secret".sopsFile = "${inputs.self}/secrets/dns.yaml";
sops.secrets."domeneshop/secret".owner = "domeneshop";
sops.secrets."domeneshop/secret".group = "domeneshop";
systemd.services.domeneshop-updater = { systemd.services.domeneshop-updater = {
description = "domene.shop dyndns domain updater"; description = "domene.shop dyndns domain updater";
@ -24,14 +35,18 @@ in
name = "domeneshop-dyndns-updater.sh"; name = "domeneshop-dyndns-updater.sh";
runtimeInputs = with pkgs; [ curl yq ]; runtimeInputs = with pkgs; [ curl yq ];
text = '' text = ''
test -s /var/lib/secrets/domeneshop.toml || { test -s /run/secrets/domeneshop/token || {
>&2 echo "ERROR: /var/lib/secrets/domeneshop.toml not found!" >&2 echo "ERROR: /run/secrets/domeneshop/token not found!"
exit 1 exit 1
} }
DOMENESHOP_TOKEN="$( tomlq </var/lib/secrets/domeneshop.toml .secrets.DOMENESHOP_TOKEN --raw-output)" test -s /run/secrets/domeneshop/secret || {
DOMENESHOP_SECRET="$(tomlq </var/lib/secrets/domeneshop.toml .secrets.DOMENESHOP_SECRET --raw-output)" >&2 echo "ERROR: /run/secrets/domeneshop/secret not found!"
exit 1
}
DOMENESHOP_TOKEN="$( cat /run/secrets/domeneshop/token)"
DOMENESHOP_SECRET="$(cat /run/secrets/domeneshop/secret)"
${lib.concatMapStringsSep "\n" (target: '' ${lib.concatMapStringsSep "\n" (target: ''
curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname=${target} curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname="${target}"
'') cfg.targets} '') cfg.targets}
''; '';
}; };
@ -52,9 +67,6 @@ in
Unit = "domeneshop-updater.service"; Unit = "domeneshop-updater.service";
}; };
}; };
users.users.domeneshop.isSystemUser = true;
users.users.domeneshop.group = "domeneshop";
users.groups.domeneshop = {};
}; };
} }
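Review bot: In the third hunk the credentials are still handed to curl inside the URL (`https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/...`), so they end up in the process's command line (visible through `ps` and similar) and in any URL curl echoes on error; moving the values from the toml file into `/run/secrets` with the right owner does not change that exposure. Passing them as a curl config on stdin keeps them off the command line, and `-fsS` turns a rejected update into a failed unit instead of a silent exit 0: `printf 'user = "%s:%s"\n' "$DOMENESHOP_TOKEN" "$DOMENESHOP_SECRET" \` followed by `| curl -fsS -K - "https://api.domeneshop.no/v0/dyndns/update?hostname=${target}"`. The second and fourth hunks show fewer lines than their `@@` counts announce, so the context around the moved `users.users.domeneshop` definitions is not fully visible here.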

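--- /dev/null
+++ b/secrets/dns.yaml
@@ -0,0 +1,59 @@
+domeneshop:
+token: ENC[AES256_GCM,data:oBI/EV6++KALnb8PHSTaig==,iv:KIjkdB1YoI2TNHOcWCfAs0jUvUMFW6+on6RkQxciwo4=,tag:GvX0yD2iVqupcR3nFkhHyQ==,type:str]
+secret: ENC[AES256_GCM,data:xjcSZ7Qjubos8GT6W9MRpsQ1+ZUcQt+pbhB233p7+0jGbNI17imbeX2seVneaQl1/BUgRtesotkxSYZZJdGhew==,iv:RUDjftpHo2nBHleCYgXATLoLFntFNjV4FssXviqZLzg=,tag:7qFoalSPO+A8Xhvc7GUgSQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNng3M1ZNY0I5V1ZGcm5U
+b1RJck5LcCtLelZGUzIwbWFqcTlTQ2h3NXhNCkpaSE9CWTdsV3pHM0FNRFcwekth
+dGFUaEVIdEFjaWQ1Q0dkdWd2ZHpDMWcKLS0tIFZ4VUd6enJwejc5OTBsbmIvWUFm
+a2NNUHRnVFViV2JpTDZLMU0zaUxpQVkKxgz4avHqZjtsjm7igvwm51NGt1IzIQsL
+0IScUFg53W11BNwoTXDNWT7Kb3pk03QSMd57ldk3me2VJ4BNopen3w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSnpwTlh4bjFLd29Sc2VM
+T1dITlBRUnZuaE9yd2ZMaTlIeDNYZEZTeXgwClJvNGwxNmxxYmZPYlNjbzlIeS93
+Z0VpUXNXNXpocXl6a25pMklOR21QbG8KLS0tIHJOVUVHUGw5RE1XQ0tUSUhFVW5j
+YjIrVVI1TnozZW5WU3dybjNmWTRya3MKon/o6kl/F7PpPn+fs1BeUs3mejM6EH5S
+muw0/UWsb5a5q/7Gzp3340PKrXfNWvU4wveXpWN6aWfUOwRWY3c7Kg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySDhuNWtYWHJhRlRaWWt5
+NUkzUGd4d0VmVW1BRzNKQmJTZVpQYmVqc1dnClg5N1lMRlM4alFad0NJVE9jZVo4
+VVBVRnRKM3hEZ0F5UXRvV094aEtaazAKLS0tIG5Uc2p2MUI5dFZsaXhtUzFUaGE1
+ZlpYcWE5MXlFMHlCaW5jdmt5NzRGUFUKocHdzkY8M/6h2EyM7bujwAHyMi/E41Cb
+WkKCaAKkailS+GkM/TweI16OqT93jduFnl8uTPAvbPLHy0GyDVjNrA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUE1RmlHQ0tucUQxREJk
+Wkxtc21PS3R6bHoxL1JLcm15bXBvSXdHeXdBCkxGMFhzUlpJeEdYcVlRY3B2ckY1
+ODJIYWR1SjlOdTNxOGRDZTVHNnpZMjgKLS0tIDEvRVBld0Iyc1RlVWJvdy9USTBo
+STVJTUgvRUFBWjc3SndYdXJsbmFLR2cK1OqMn3+n6gAza3zhQOqzo64eW5tdfLo0
+KKkujO4USdicxVgVlo6sxYiSqTUSxZPXyuu0NE5yx7tYbIWyAgjumg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ0kyZWNucW5QQnB2dzNX
+clJISStmUlNuMGc1N01hYytDU0FORStJZFE4CmlydE90d2I5eTVvdFpxYUFHSkxH
+bU81SGxLYXA3Ukx3Mm5lV2RCajdOU2cKLS0tIGRHYzRFZEUxdTIxS2gzY1VEZ2Jv
+c1BTeXpyRGZtQU1LUm1iMzErMDluSDQKBu9cm3fTH8gKi6kHUC/RIxMnSRyHYWRU
+e5SXS9RtstQAPGcBt3677iZJrgAXJwB61OPUn8WIDpV6wckx32JLsg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-10-14T23:49:28Z"
+mac: ENC[AES256_GCM,data:R8cw4lMSaI3Gjmii1rimQ0GEC3VK4eARjPpGehE/GoNMoFGMracnOwEToBAK9iQQwtHp3i48Bc0LoUt/xhG5ajbTUW7x/HzxnzFsRfrfTizfe4C7fc4B6gIp7Jhw3RVxOODVZHlbWcIJbQRJ4quS5vLnj8yGO29E+cDWrkqB3Gc=,iv:EkV1MXpJNdL2gY5s76QwvaFeb6jS7XDDhJ53RnRrofY=,tag:EH+1IuBztv7JUaNLwu7ZOQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3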