secrets, flexget

This commit is contained in:
Peder Bergebakken Sundt 2023-10-15 00:43:59 +02:00
parent 8e86842fab
commit d75734ec59
7 changed files with 171 additions and 21 deletions

View File

@ -4,7 +4,7 @@ include = []
[pull]
exclude = ["*"]
include = []
include = [ ".sops.yaml" ]
[both]
exclude = [ ".remote.toml", "result", ".direnv"]

57
.sops.yaml Normal file
View File

@ -0,0 +1,57 @@
key:
# test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
- &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
# ssh host cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
- &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
- &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
- &host_bolle age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
- &host_garp age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
- &host_nord age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5
creation_rules:
# # global
# - path_regex: secrets/default.yaml$
# key_groups:
# - age:
# - *user_pbsds_sopp
# - *user_pbsds_nord
# - *host_sopp
# - *host_nox
# - *host_bolle
# - *host_garp
# - *host_nord
# sopp only
- path_regex: secrets/sopp(/[^/]+)?\.yaml$
key_groups:
- age:
- *user_pbsds_sopp
- *user_pbsds_nord
- *host_sopp
# nox only
- path_regex: secrets/noximilien(/[^/]+)?\.yaml$
key_groups:
- age:
- *user_pbsds_sopp
- *user_pbsds_nord
- *host_nox
# bolle only
- path_regex: secrets/bolle(/[^/]+)?\.yaml$
key_groups:
- age:
- *user_pbsds_sopp
- *user_pbsds_nord
- *host_bolle
# garp only
- path_regex: secrets/garp(/[^/]+)?\.yaml$
key_groups:
- age:
- *user_pbsds_sopp
- *user_pbsds_nord
- *host_garp
# nord only
- path_regex: secrets/nord(/[^/]+)?\.yaml$
key_groups:
- age:
- *user_pbsds_sopp
- *user_pbsds_nord
- *host_nord

View File

@ -64,8 +64,8 @@
* [ ] zfs, declarative pools?
* [ ] some tunneling for NFS hosts
* [ ] transgui config
* [ ] secrets - nix-sops ?
* [ ] flexget
* [x] secrets - nix-sops ?
* [x] flexget
* [ ] transmission
* [ ] transmission remote gui
* [ ] domeneshop

38
flake.lock generated
View File

@ -173,6 +173,22 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1696717752,
"narHash": "sha256-qEq1styCyQHSrw7AOhskH2qwCFx93bOwsGEzUIrZC0g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2f3b6b3fcd9fa0a4e6b544180c058a70890a7cc1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1686582075,
@ -235,9 +251,31 @@
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"pbsds-papers": "pbsds-papers",
"sops-nix": "sops-nix",
"unstable": "unstable"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1697321388,
"narHash": "sha256-3TdXq13fSYIj3BGo320vuGFjDQUJPQUrhXJ5jaMk7lo=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "7711514b8543891eea6ae84392c74a379c5010de",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1697059129,

View File

@ -20,12 +20,11 @@
nixos-generators.url = "github:nix-community/nixos-generators";
nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
#TODO:
/** /
# https://github.com/Mic92/sops-nix
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
/** /
matrix-next.url = "github:dali99/nixos-matrix-modules"; # see https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/flake.nix
#https://github.com/considerate/nixos-odroidhc4
#https://cyberchaos.dev/cyberchaoscreatures/musl-nixos/
@ -69,6 +68,8 @@
nixos-hardware,
nixos-generators,
home-manager,
sops-nix,
#flake-programs-sqlite,
...
} @ inputs:
let
@ -103,8 +104,19 @@
flakes = flake inputs system;
};
/**/
imports = [ ./base.nix "${self}/hosts/${hostname}"] ++ modules;
#++ inputs.flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work
imports = [
./base.nix
"${self}/hosts/${hostname}"
sops-nix.nixosModules.sops
] ++ modules;
#++ flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work
sops = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) {
defaultSopsFile = ./secrets/${hostname}.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
age.keyFile = "/var/lib/sops-nix/key.txt";
age.generateKey = true;
};
# still needed even if using networkd
networking.hostName = hostname;
@ -198,6 +210,9 @@
pkgs.home-manager
pkgs.nix-output-monitor
pkgs.cachix
pkgs.age
pkgs.sops
pkgs.ssh-to-age
];
in {
envrc-local = mkShell envrc-pkgs;
@ -208,6 +223,8 @@
]);
remoteenv = mkShell [
flakes.self.pkgs.nixos-rebuild-nom
pkgs.age
pkgs.ssh-to-age
];
});

View File

@ -1,27 +1,21 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
cfg = config.services.flexget;
in
{
# Flexget
# Multipurpose automation tool for all of your media
sops.secrets.flexget.owner = "flexget";
sops.secrets.flexget.group = "flexget";
services.flexget = {
enable = true;
user = "flexget"; # The user under which to run flexget.
homeDir = "/var/lib/flexget";
interval = "30m";
config = ''
tasks:
shanaproject:
rss: 'https://www.shanaproject.com/feeds/secure/user/35853/J98B7OXAHO/'
accept_all: yes
no_entries_ok: yes
transmission:
host: 192.168.1.3
port: 9091
path: '/Reidun/shared/Downloads/shana project/'
username: pbsds
password: spismeg
'';
config = "";
};
users.groups."${config.services.flexget.user}" = lib.mkIf config.services.flexget.enable { };
users.users."${config.services.flexget.user}" = lib.mkIf config.services.flexget.enable {
@ -31,5 +25,10 @@
group = "${config.services.flexget.user}";
};
# TODO: https://github.com/NixOS/nixpkgs/pull/208199
systemd.services.flexget.serviceConfig.ExecStartPre = lib.mkForce
"${pkgs.coreutils}/bin/ln -sf /run/secrets/flexget ${toString cfg.homeDir}/flexget.yml";
systemd.services.flexget-runner.serviceConfig.ExecStartPre = lib.mkForce
"${pkgs.coreutils}/bin/ln -sf /run/secrets/flexget ${toString cfg.homeDir}/flexget.yml";
}

39
secrets/noximilien.yaml Normal file
View File

@ -0,0 +1,39 @@
flexget: ENC[AES256_GCM,data:vh9famQgmQI0nc9/5F8egDCwI9OvevPLATiepEcSpy+eCjJxU0WkG9NPECOCNlteW7xOOZfXAXfn8KW7j4vqHseLKu3MwGO98dYJXeW3KKyKNlVW1UF0dEb6BGLjqBnQDzURE5L8gRR5pFZ8nepWo0UG6Zuy93XrthTZ/tjuz6wvaKv0761ULtfMLQ9HddF14y666h/OkSPftkPvEA35fOdiBgPj9O/mZu11KvyBYKoQLkQxihCvwNMzMXmMSehH9WMOPk4EU3ZGLHHjlfTXa3Syn2yf28PazNao/XMEs8H9FlhPw42r1Tku5tMLM3wObKpin0t50sqbEf/LxUPo6Vu/i6e4E3UkDrEbyKFA4VXGd6vxD+gyELydrkDrHRm50JWGZmbwvW3be+Ezqe7eXuzgoNabe4BG4wogTszOpM2uXrveTiSmoQyC4JZ6lszdnodlGVFIvaKU5xdrpLQAI9W2OA==,iv:AeadtoIAjTrPiB5iPgIW7FTwLZa2BQFr/jhaTvs8WAc=,tag:VW480DHQ315YLPtDuaFYtg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OGQ4cVBHMlJiYXVYLzlC
TERQbm5ja0RiWUYvcVhSYzJURkE2SkxuZGxBCkgvNW9acEh0WGVEK1pDaUgrTUVz
M2NzY1RESHk2UUVoZFRvY1BYckVpYkkKLS0tIFVwNWl4NGU5VXNIRHByR2Vkb0hU
SWFEZW82QXZMRkVISGY1MU9jaEJLNm8KoHLDKI69uPhaIydeC18HTuOaWwDtyoUn
hGTcZDPDP8yw1+/zH1lGn865STnZGI0GO+kh2s2DWLEUXHK9GMrnJg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aDZ6YkdrYW1pRHlZMU8y
cER1NHRtQVZpY3VtSTRXUkhYckRZZWZuZ0RBCnZrdEZ0NzB6SHlxU1FhOWRLa0NL
Vk50YllpdVVEQUkweHFRNUZuSXVEdk0KLS0tIERGTzBxTXpoN2E4b1ZtQm9zd1g0
OUNXcUZrMFFEazRUa2lsSWRCQkkxblkK2s2Msm7k0qj08WqVnKR9IvU1vAa57/Ew
wGTVMlWaoUPXJ5CkpAG+PEoDbVaZDISyap7PAKUjMBTMh6T/jBhExw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZE5GQ0JYWGtONFNGaEla
dFg2ejJxaUdwOXhDVWdxanNkeG0vOFFEcURNCjVpcFFMc1h5cG1yZTFHWk9ETnNq
VlBvUERpQWxMRndYcDdqTTB1Y3hKb1EKLS0tIE9iT0loSS9Gcyt3ZElVSm9YODZ6
SkU1Q0NZOGVXRENrOThBT1lDdGxWWW8KtypJmkOVD0Ej14fXZzKzKrnPNv7O5SAp
jdQe7GSwCJKqqHuX2T/E4mzCVrSPsB/GVfqh0IymZg6NJZjYO79Wbg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-14T23:43:49Z"
mac: ENC[AES256_GCM,data:krcWdjXtd8ammOUQvqaIxE5U3UylnUMHuAqTdM82QsmQ2d+kvsjbY4ftvbNdJ1wwNQmq2PzhmtH7iunTSC9pTlmZkUxyXM43cM/EC0KqzZJA2ST6h86vZwkZ0gExWJLgk+uxoYDPT2M3c3sn6hZot8BHlUCiO1wQABHH57+FPvY=,iv:mV+q86wp9lV8ACZaL9LnUCAOcCjdvqQjVr2Fs+q6rv0=,tag:lvJoIrjExFitcAUKvsuF/Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3