secrets, flexget
parent
8e86842fab
commit
d75734ec59
@ -4,7 +4,7 @@ include = []
|
||||
|
||||
[pull]
|
||||
exclude = ["*"]
|
||||
include = []
|
||||
include = [ ".sops.yaml" ]
|
||||
|
||||
[both]
|
||||
exclude = [ ".remote.toml", "result", ".direnv"]
|
||||
|
57
.sops.yaml
Normal file
57
.sops.yaml
Normal file
@ -0,0 +1,57 @@
|
||||
key:
|
||||
# test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
|
||||
- &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
|
||||
- &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
|
||||
# ssh host cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
|
||||
- &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
|
||||
- &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
|
||||
- &host_bolle age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
|
||||
- &host_garp age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
|
||||
- &host_nord age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5
|
||||
creation_rules:
|
||||
# # global
|
||||
# - path_regex: secrets/default.yaml$
|
||||
# key_groups:
|
||||
# - age:
|
||||
# - *user_pbsds_sopp
|
||||
# - *user_pbsds_nord
|
||||
# - *host_sopp
|
||||
# - *host_nox
|
||||
# - *host_bolle
|
||||
# - *host_garp
|
||||
# - *host_nord
|
||||
# sopp only
|
||||
- path_regex: secrets/sopp(/[^/]+)?\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
- *user_pbsds_nord
|
||||
- *host_sopp
|
||||
# nox only
|
||||
- path_regex: secrets/noximilien(/[^/]+)?\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
- *user_pbsds_nord
|
||||
- *host_nox
|
||||
# bolle only
|
||||
- path_regex: secrets/bolle(/[^/]+)?\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
- *user_pbsds_nord
|
||||
- *host_bolle
|
||||
# garp only
|
||||
- path_regex: secrets/garp(/[^/]+)?\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
- *user_pbsds_nord
|
||||
- *host_garp
|
||||
# nord only
|
||||
- path_regex: secrets/nord(/[^/]+)?\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *user_pbsds_sopp
|
||||
- *user_pbsds_nord
|
||||
- *host_nord
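Review bot: Each `path_regex`, for example `secrets/sopp(/[^/]+)?\.yaml$`, is anchored only at the end, so it also matches any path that merely contains that tail, such as a file under a directory whose name ends in `secrets`. Because the matching rule decides which recipients can decrypt a file, a leading boundary makes the mapping explicit: `path_regex: (^|/)secrets/sopp(/[^/]+)?\.yaml$`, and likewise for the noximilien, bolle, garp and nord rules. A short comment above the host keys would also help, stating that files must be re-encrypted with `sops updatekeys` after a host's SSH key changes, since those recipients are derived from `/etc/ssh/ssh_host_ed25519_key.pub`.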
|
@ -64,8 +64,8 @@
|
||||
* [ ] zfs, declarative pools?
|
||||
* [ ] some tunneling for NFS hosts
|
||||
* [ ] transgui config
|
||||
* [ ] secrets - nix-sops ?
|
||||
* [ ] flexget
|
||||
* [x] secrets - nix-sops ?
|
||||
* [x] flexget
|
||||
* [ ] transmission
|
||||
* [ ] transmission remote gui
|
||||
* [ ] domeneshop
|
||||
|
38
flake.lock
generated
38
flake.lock
generated
@ -173,6 +173,22 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1696717752,
|
||||
"narHash": "sha256-qEq1styCyQHSrw7AOhskH2qwCFx93bOwsGEzUIrZC0g=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2f3b6b3fcd9fa0a4e6b544180c058a70890a7cc1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-23.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1686582075,
|
||||
@ -235,9 +251,31 @@
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"pbsds-papers": "pbsds-papers",
|
||||
"sops-nix": "sops-nix",
|
||||
"unstable": "unstable"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1697321388,
|
||||
"narHash": "sha256-3TdXq13fSYIj3BGo320vuGFjDQUJPQUrhXJ5jaMk7lo=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "7711514b8543891eea6ae84392c74a379c5010de",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1697059129,
|
||||
|
25
flake.nix
25
flake.nix
@ -20,12 +20,11 @@
|
||||
nixos-generators.url = "github:nix-community/nixos-generators";
|
||||
nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
#TODO:
|
||||
/** /
|
||||
# https://github.com/Mic92/sops-nix
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
/** /
|
||||
matrix-next.url = "github:dali99/nixos-matrix-modules"; # see https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/flake.nix
|
||||
#https://github.com/considerate/nixos-odroidhc4
|
||||
#https://cyberchaos.dev/cyberchaoscreatures/musl-nixos/
|
||||
@ -69,6 +68,8 @@
|
||||
nixos-hardware,
|
||||
nixos-generators,
|
||||
home-manager,
|
||||
sops-nix,
|
||||
#flake-programs-sqlite,
|
||||
...
|
||||
} @ inputs:
|
||||
let
|
||||
@ -103,8 +104,19 @@
|
||||
flakes = flake inputs system;
|
||||
};
|
||||
/**/
|
||||
imports = [ ./base.nix "${self}/hosts/${hostname}"] ++ modules;
|
||||
#++ inputs.flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work
|
||||
imports = [
|
||||
./base.nix
|
||||
"${self}/hosts/${hostname}"
|
||||
sops-nix.nixosModules.sops
|
||||
] ++ modules;
|
||||
#++ flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work
|
||||
|
||||
sops = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) {
|
||||
defaultSopsFile = ./secrets/${hostname}.yaml;
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||
age.generateKey = true;
|
||||
};
|
||||
|
||||
# still needed even if using networkd
|
||||
networking.hostName = hostname;
|
||||
@ -198,6 +210,9 @@
|
||||
pkgs.home-manager
|
||||
pkgs.nix-output-monitor
|
||||
pkgs.cachix
|
||||
pkgs.age
|
||||
pkgs.sops
|
||||
pkgs.ssh-to-age
|
||||
];
|
||||
in {
|
||||
envrc-local = mkShell envrc-pkgs;
|
||||
@ -208,6 +223,8 @@
|
||||
]);
|
||||
remoteenv = mkShell [
|
||||
flakes.self.pkgs.nixos-rebuild-nom
|
||||
pkgs.age
|
||||
pkgs.ssh-to-age
|
||||
];
|
||||
});
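Review bot: In the `sops = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) { … }` block, `age.keyFile = "/var/lib/sops-nix/key.txt";` together with `age.generateKey = true;` makes every host create a second age identity, yet the recipients in `.sops.yaml` appear to be derived only from the SSH host keys via `ssh-to-age`. If nothing is meant to be encrypted to that generated key, drop those two lines and keep `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, so each host has a single private key to protect and rotate. If the generated key is intended as a recipient, add a comment saying where its public key gets registered. The attribute set around `sops = …` starts and ends outside the hunk.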
|
||||
|
||||
|
@ -1,27 +1,21 @@
|
||||
{ config, pkgs, lib, mkDomain, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.flexget;
|
||||
in
|
||||
{
|
||||
|
||||
# Flexget
|
||||
# Multipurpose automation tool for all of your media
|
||||
|
||||
sops.secrets.flexget.owner = "flexget";
|
||||
sops.secrets.flexget.group = "flexget";
|
||||
|
||||
services.flexget = {
|
||||
enable = true;
|
||||
user = "flexget"; # The user under which to run flexget.
|
||||
homeDir = "/var/lib/flexget";
|
||||
interval = "30m";
|
||||
config = ''
|
||||
tasks:
|
||||
shanaproject:
|
||||
rss: 'https://www.shanaproject.com/feeds/secure/user/35853/J98B7OXAHO/'
|
||||
accept_all: yes
|
||||
no_entries_ok: yes
|
||||
transmission:
|
||||
host: 192.168.1.3
|
||||
port: 9091
|
||||
path: '/Reidun/shared/Downloads/shana project/'
|
||||
username: pbsds
|
||||
password: spismeg
|
||||
'';
|
||||
config = "";
|
||||
};
|
||||
users.groups."${config.services.flexget.user}" = lib.mkIf config.services.flexget.enable { };
|
||||
users.users."${config.services.flexget.user}" = lib.mkIf config.services.flexget.enable {
|
||||
@ -31,5 +25,10 @@
|
||||
group = "${config.services.flexget.user}";
|
||||
};
|
||||
|
||||
# TODO: https://github.com/NixOS/nixpkgs/pull/208199
|
||||
systemd.services.flexget.serviceConfig.ExecStartPre = lib.mkForce
|
||||
"${pkgs.coreutils}/bin/ln -sf /run/secrets/flexget ${toString cfg.homeDir}/flexget.yml";
|
||||
systemd.services.flexget-runner.serviceConfig.ExecStartPre = lib.mkForce
|
||||
"${pkgs.coreutils}/bin/ln -sf /run/secrets/flexget ${toString cfg.homeDir}/flexget.yml";
|
||||
|
||||
}
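Review bot: The transmission password and the tokenised feed URL that this change takes out of the inline `config = '' … ''` string stay readable in the repository history (and on this page), so both should be rotated; moving them into `secrets/noximilien.yaml` only protects values issued after the move. The page has lost its +/- markers, so this assumes the inline block is the removed side and `config = "";` the added one, which is consistent with the `-1,27 +1,21` header. In the second hunk both `ExecStartPre` lines hard-code `/run/secrets/flexget`; using `${config.sops.secrets.flexget.path}` there keeps the symlink correct if the secret's path is ever changed. `lib.mkForce` also replaces any `ExecStartPre` the upstream module defines, which deserves a one-line comment next to the existing TODO.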
|
||||
|
39
secrets/noximilien.yaml
Normal file
39
secrets/noximilien.yaml
Normal file
@ -0,0 +1,39 @@
|
||||
flexget: ENC[AES256_GCM,data:vh9famQgmQI0nc9/5F8egDCwI9OvevPLATiepEcSpy+eCjJxU0WkG9NPECOCNlteW7xOOZfXAXfn8KW7j4vqHseLKu3MwGO98dYJXeW3KKyKNlVW1UF0dEb6BGLjqBnQDzURE5L8gRR5pFZ8nepWo0UG6Zuy93XrthTZ/tjuz6wvaKv0761ULtfMLQ9HddF14y666h/OkSPftkPvEA35fOdiBgPj9O/mZu11KvyBYKoQLkQxihCvwNMzMXmMSehH9WMOPk4EU3ZGLHHjlfTXa3Syn2yf28PazNao/XMEs8H9FlhPw42r1Tku5tMLM3wObKpin0t50sqbEf/LxUPo6Vu/i6e4E3UkDrEbyKFA4VXGd6vxD+gyELydrkDrHRm50JWGZmbwvW3be+Ezqe7eXuzgoNabe4BG4wogTszOpM2uXrveTiSmoQyC4JZ6lszdnodlGVFIvaKU5xdrpLQAI9W2OA==,iv:AeadtoIAjTrPiB5iPgIW7FTwLZa2BQFr/jhaTvs8WAc=,tag:VW480DHQ315YLPtDuaFYtg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OGQ4cVBHMlJiYXVYLzlC
|
||||
TERQbm5ja0RiWUYvcVhSYzJURkE2SkxuZGxBCkgvNW9acEh0WGVEK1pDaUgrTUVz
|
||||
M2NzY1RESHk2UUVoZFRvY1BYckVpYkkKLS0tIFVwNWl4NGU5VXNIRHByR2Vkb0hU
|
||||
SWFEZW82QXZMRkVISGY1MU9jaEJLNm8KoHLDKI69uPhaIydeC18HTuOaWwDtyoUn
|
||||
hGTcZDPDP8yw1+/zH1lGn865STnZGI0GO+kh2s2DWLEUXHK9GMrnJg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aDZ6YkdrYW1pRHlZMU8y
|
||||
cER1NHRtQVZpY3VtSTRXUkhYckRZZWZuZ0RBCnZrdEZ0NzB6SHlxU1FhOWRLa0NL
|
||||
Vk50YllpdVVEQUkweHFRNUZuSXVEdk0KLS0tIERGTzBxTXpoN2E4b1ZtQm9zd1g0
|
||||
OUNXcUZrMFFEazRUa2lsSWRCQkkxblkK2s2Msm7k0qj08WqVnKR9IvU1vAa57/Ew
|
||||
wGTVMlWaoUPXJ5CkpAG+PEoDbVaZDISyap7PAKUjMBTMh6T/jBhExw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZE5GQ0JYWGtONFNGaEla
|
||||
dFg2ejJxaUdwOXhDVWdxanNkeG0vOFFEcURNCjVpcFFMc1h5cG1yZTFHWk9ETnNq
|
||||
VlBvUERpQWxMRndYcDdqTTB1Y3hKb1EKLS0tIE9iT0loSS9Gcyt3ZElVSm9YODZ6
|
||||
SkU1Q0NZOGVXRENrOThBT1lDdGxWWW8KtypJmkOVD0Ej14fXZzKzKrnPNv7O5SAp
|
||||
jdQe7GSwCJKqqHuX2T/E4mzCVrSPsB/GVfqh0IymZg6NJZjYO79Wbg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-10-14T23:43:49Z"
|
||||
mac: ENC[AES256_GCM,data:krcWdjXtd8ammOUQvqaIxE5U3UylnUMHuAqTdM82QsmQ2d+kvsjbY4ftvbNdJ1wwNQmq2PzhmtH7iunTSC9pTlmZkUxyXM43cM/EC0KqzZJA2ST6h86vZwkZ0gExWJLgk+uxoYDPT2M3c3sn6hZot8BHlUCiO1wQABHH57+FPvY=,iv:mV+q86wp9lV8ACZaL9LnUCAOcCjdvqQjVr2Fs+q6rv0=,tag:lvJoIrjExFitcAUKvsuF/Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|