From 6d5e9fe4ae294a9038b2bf957a803caecebd8d5a Mon Sep 17 00:00:00 2001
From: Alexander Szczepanski
Date: Sat, 31 Aug 2024 19:31:37 +0200
Subject: [PATCH] vps-arm-2024-08-31-19-31-36

---
 hostkey-to-agepub.sh | 3 +++
 machine/desktop/configuration.nix | 9 +------
 machine/vps-arm/configuration.nix | 42 +++++++++++++++++++++++++++++--
 services/frigate.nix | 2 +-
 4 files changed, 45 insertions(+), 11 deletions(-)
 create mode 100755 hostkey-to-agepub.sh

diff --git a/hostkey-to-agepub.sh b/hostkey-to-agepub.sh
new file mode 100755
index 0000000..9590591
--- /dev/null
+++ b/hostkey-to-agepub.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+nix-shell -p ssh-to-age --run "cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age"
\ No newline at end of file
diff --git a/machine/desktop/configuration.nix b/machine/desktop/configuration.nix
index ce51000..f2a8056 100755
--- a/machine/desktop/configuration.nix
+++ b/machine/desktop/configuration.nix
@@ -35,7 +35,7 @@ in
 ];
 sops = {
- defaultSopsFile = ../../secrets-desktop.yaml;
+ defaultSopsFile = ../../secrets.yaml;
 validateSopsFiles = true;
 age = {
 sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
@@ -50,15 +50,8 @@ in
 group = config.users.users.alex.group;
 };
- borg-repo = {
- sopsFile = ../../secrets-desktop.yaml;
- owner = config.users.users.alex.name;
- group = config.users.users.alex.group;
- };
-
 hashedPassword = {
 neededForUsers = true;
- sopsFile = ../../secrets.yaml;
 };
 };
 };
diff --git a/machine/vps-arm/configuration.nix b/machine/vps-arm/configuration.nix
index 6c0a174..4822149 100755
--- a/machine/vps-arm/configuration.nix
+++ b/machine/vps-arm/configuration.nix
@@ -17,6 +17,7 @@ in
 imports = [
 ./hardware-configuration.nix
+ inputs.sops-nix.nixosModules.sops
 ../../configs/common.nix
 ../../configs/docker.nix
 ../../configs/user.nix
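Review bot: The one-liner in `--run` has no error handling, so a missing or unreadable `/etc/ssh/ssh_host_ed25519_key.pub` gives an empty or confusing result with an exit status that depends only on ssh-to-age; a `set -eu` at the top and letting the tool read the file itself, `nix-shell -p ssh-to-age --run "ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub"`, makes the failure explicit and drops the useless `cat`. Taking the key path as an optional argument, `key=${1:-/etc/ssh/ssh_host_ed25519_key.pub}`, would let the same script be run against a public key copied from another host. A header comment stating what the output is for — `# Prints the age recipient (age1...) of this host's SSH host key, to be listed under keys: in .sops.yaml` — is worth adding, presumably with a reminder that the secrets files must be re-keyed (`sops updatekeys`) after the recipient is added. The file also lacks a trailing newline.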
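Review bot: After `defaultSopsFile = ../../secrets.yaml;` the desktop host decrypts everything from the shared file, so the desktop host key's age recipient must be in the `.sops.yaml` creation rule for `secrets.yaml` and the file re-keyed — `validateSopsFiles = true` does not check this, it only verifies that the file is a well-formed sops document, and a missing recipient surfaces only at activation (for `hashedPassword` with `neededForUsers`, before users are created). The same commit moves vps-arm onto a per-host `secrets-vps-arm.yaml`, so the two machines now follow opposite layouts; if the intent is that each host can decrypt only its own secrets, keep `defaultSopsFile = ../../secrets-desktop.yaml;` here and point only the shared entries at `secrets.yaml` through `sopsFile`. Whichever layout is chosen, a comment above `defaultSopsFile` naming which hosts are recipients of that file, e.g. `# shared file: every host listed in .sops.yaml can decrypt all of these`, makes the blast radius of a host-key compromise visible in the config. The `sops = {` block and the enclosing module continue outside the hunk.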
@@ -31,6 +32,43 @@ in
 ../../services/goaccess.nix
 ];
+ sops = {
+ defaultSopsFile = ../../secrets-vps-arm.yaml;
+ validateSopsFiles = true;
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+
+ secrets = {
+ borg-key = {
+ owner = config.users.users.alex.name;
+ group = config.users.users.alex.group;
+ };
+
+ # webdav-password = {
+ # owner = config.users.users.alex.name;
+ # group = config.users.users.alex.group;
+ # };
+
+ # goaccess-password = {
+ # owner = config.users.users.alex.name;
+ # group = config.users.users.alex.group;
+ # };
+
+ frigate-password = {
+ owner = config.services.nginx.user;
+ group = config.services.nginx.group;
+ };
+
+ hashedPassword = {
+ neededForUsers = true;
+ sopsFile = ../../secrets.yaml;
+ };
+ };
+ };
+
 boot.loader = {
 systemd-boot.enable = true;
 efi.canTouchEfiVariables = true;
@@ -165,13 +203,13 @@ in
 compression = "auto,zstd";
 encryption = {
 mode = "repokey-blake2";
- passphrase = secrets.borg-key;
+ passCommand = "cat ${config.sops.secrets.borg-key.path}";
 };
 extraCreateArgs = "--stats --verbose --checkpoint-interval 600 --exclude-caches";
 environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
 paths = [ "/home/alex" "/var/lib" ];
- repo = secrets.borg-repo;
+ repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg-arm";
 startAt = "daily";
 prune.keep = {
 daily = 4;
diff --git a/services/frigate.nix b/services/frigate.nix
index 1abb41c..30fe397 100644
--- a/services/frigate.nix
+++ b/services/frigate.nix
@@ -9,7 +9,7 @@ in
 "frigate.szczepan.ski" = {
 forceSSL = true;
 enableACME = true;
- basicAuth = { alex = secrets.frigate-password; };
+ basicAuthFile = config.sops.secrets.frigate-password.path;
 };
 };
 };
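Review bot: `generateKey = true;` together with `keyFile` makes sops-nix, as I read that option, create a fresh random age identity at `/var/lib/sops-nix/key.txt` on first activation, yet nothing in this commit enrolls that identity — the recipient the new `hostkey-to-agepub.sh` exports is derived from the SSH host key in `sshKeyPaths`, so the generated key is either dead weight or, if it is meant to be the real identity, never added to `.sops.yaml`. Either drop `generateKey`/`keyFile` and rely on the host key alone, or add a comment above `age = {` stating which identity the secrets files are actually encrypted to. The commented-out `webdav-password` and `goaccess-password` blocks carry no explanation; delete them or mark them `# TODO: re-enable once the value exists in secrets-vps-arm.yaml`. If the borg job still runs as root (the NixOS default; no `user =` is visible in the later hunk), `borg-key` does not need `owner = config.users.users.alex.name` — leaving it at the sops-nix default (root, 0400) keeps the passphrase off the interactive account.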
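Review bot: `repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg-arm";` moves the backup target from a secret into a literal, which puts the storage-box account name into git history and, through the generated borg unit, into the world-readable Nix store; the old `secrets.borg-repo` was already interpolated into the unit, so what is new is the exposure in the repository, and that should be a conscious choice given that the SSH identity for it sits at a fixed path in `BORG_RSH` on the same host. `passCommand = "cat ${config.sops.secrets.borg-key.path}"` is sound as long as the job's user can read `/run/secrets/borg-key`; with the secret owned by `alex` at mode 0400 that holds for root and alex only, so a comment such as `# secret is readable by the job user (root/alex); see sops.secrets.borg-key` would pin the dependency. The `jobs.<name>` attribute set this hunk edits starts and ends outside the hunk.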
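Review bot: Switching from `basicAuth = { alex = …; }` to `basicAuthFile` changes what the secret must contain: NixOS passes `basicAuthFile` straight to nginx's `auth_basic_user_file`, so `frigate-password` in `secrets-vps-arm.yaml` now has to be an htpasswd line such as `alex:$apr1$…` (or a bcrypt `$2y$…` hash), not the bare password the attribute-set form took — with the old value every login is rejected. The commit message does not mention this migration; a comment beside the option, `# htpasswd-format file (user:hash), delivered by sops and owned by the nginx user`, would stop the next edit from storing a plaintext password there. Moving the credential out of the Nix store is the right direction, since the old form rendered it into a store path readable by every local user. `config` must be among this module's arguments for `config.sops.secrets…` to resolve; the module header is outside the hunk, and the `secrets` binding in the `let` above appears to be unused now and could be removed.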