diff --git a/.sops.yaml b/.sops.yaml
index 077d3cdd..a16eb0b4 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -329,6 +329,14 @@ creation_rules:
 age:
 - *mobilizon
 - *polygon-snowflake
+
+ - path_regex: hosts/mucbot/secrets\.yaml$
+ key_groups:
+ - pgp: *admins
+ age:
+ - *mucbot
+ - *polygon-snowflake
+
 - path_regex: hosts/oparl/secrets\.yaml$
 key_groups:
 - pgp: *admins
diff --git a/flake.lock b/flake.lock
index 5eb8632f..593c6946 100644
--- a/flake.lock
+++ b/flake.lock
@@ -816,15 +816,16 @@ "tigger": { "flake": false, "locked": { - "lastModified": 1712348405, - "narHash": "sha256-CF7eygcN0ZwWeXgfJrK6hNctk7Nm3pPg3XcwSrqwVdc=", - "owner": "astro", + "lastModified": 1713187505, + "narHash": "sha256-Iq5K+wJazHMPeqtC/KXQ6bvWjhgWmmL7fAswUewBkmo=", + "owner": "SuperSandro2000", "repo": "tigger", - "rev": "a39fb1248521d6f6b2f8a193c884b4d7c7d7002c", + "rev": "ea49c444dc5a494f00d5d6d23aad97fd76bc1ec3", "type": "github" }, "original": { - "owner": "astro", + "owner": "SuperSandro2000", + "ref": "password-file", "repo": "tigger", "type": "github" }
diff --git a/flake.nix b/flake.nix
index 0f768581..fb49b0f7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -197,7 +197,9 @@
 };
 };
 tigger = {
- url = "github:astro/tigger";
+ # url = "github:astro/tigger";
+ # https://github.com/astro/tigger/pull/45
+ url = "github:SuperSandro2000/tigger/password-file";
 flake = false;
 };
 tracer = {
@@ -500,10 +502,6 @@
 mucbot = nixosSystem' {
 modules = [
 "${tigger}/module.nix"
- {
- # TODO: migrate to sops
- nixpkgs.overlays = [ secrets.overlays.mucbot ];
- }
 ./hosts/mucbot
 self.nixosModules.cluster-options
 self.nixosModules.microvm
diff --git a/hosts/mucbot/default.nix b/hosts/mucbot/default.nix
index e14934ca..31d61eb3 100644
--- a/hosts/mucbot/default.nix
+++ b/hosts/mucbot/default.nix
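Review bot: The `tigger` input in the first flake.nix hunk now follows a mutable branch (`password-file`) of a personal fork, and the second flake.nix hunk shows `"${tigger}/module.nix"` imported as a NixOS module for mucbot, so whatever that branch points to at the next `nix flake update` is evaluated into the host configuration. flake.lock pins `ea49c444dc5a494f00d5d6d23aad97fd76bc1ec3` today, but putting the revision in the URL keeps a routine update from moving it unnoticed: `url = "github:SuperSandro2000/tigger/ea49c444dc5a494f00d5d6d23aad97fd76bc1ec3";`. I would also replace the commented-out old URL with one line stating the exit condition, for example `# TODO: switch back to github:astro/tigger once https://github.com/astro/tigger/pull/45 is merged`. The `tigger = { … }` block is complete in the hunk; the enclosing inputs set starts and ends outside it.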
@@ -1,24 +1,35 @@ -{ pkgs, ... }: +{ config, ... }: { c3d2.deployment.server = "server10"; networking.hostName = "mucbot"; - users.users.tigger = { - createHome = true; - isNormalUser = true; - group = "tigger"; - }; - users.groups.tigger = { }; services.tigger = { enable = true; user = "tigger"; group = "tigger"; jid = "astrobot@jabber.c3d2.de"; - inherit (pkgs.mucbot) password; + passwordFile = config.sops.secrets."mucbot/password".path; mucs = [ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ]; }; + sops = { + defaultSopsFile = ./secrets.yaml; + secrets = { + "mucbot/password".owner = "tigger"; + }; + }; + system.stateVersion = "18.09"; + + users = { + groups.tigger = { }; + + users.tigger = { + createHome = true; + isNormalUser = true; + group = "tigger"; + }; + }; } diff --git a/hosts/mucbot/secrets.yaml b/hosts/mucbot/secrets.yaml new file mode 100644 index 00000000..a8753afa --- /dev/null +++ b/hosts/mucbot/secrets.yaml 
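Review bot: `"mucbot/password".owner = "tigger";` repeats the account name that `services.tigger.user` already sets earlier in the same file, so a later rename of the service user would leave the decrypted secret owned by the wrong account and the bot unable to read its `passwordFile`; `"mucbot/password".owner = config.services.tigger.user;` keeps the two tied together. Separately, the removed `inherit (pkgs.mucbot) password;` handed the password to the module as a plain option value, which may have been written into the world-readable Nix store depending on how the old module consumed it (not visible here). If it was, the value now encrypted in hosts/mucbot/secrets.yaml should be a freshly rotated password rather than the old one. The whole of hosts/mucbot/default.nix is inside this hunk.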
@@ -0,0 +1,180 @@ +mucbot: + password: ENC[AES256_GCM,data:v1nRBPi20vZvPw==,iv:EByBbBWMw1cEDHhUSQuLktzaSK4Pbikb23xkfRk24KA=,tag:qUMfpJHT0+Y8tq1JpJAShA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1cqeh03zq0hvz5l78r678q93ey5mlw49lqy4whvgqxgenudth7g6skee6kh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVUcxVHpDWCtjMGdLQmxs + TGd1S1JQb1NJb1o1ejlabHRVQzhmNzRqS1FjCkxjRkR2N3QyVFNrb2FmK2NsaWlE + Y3orMGNZcTZqSW9FUXlCZmFBY0gzOHMKLS0tIEJ5RmtaQUI3M1EwbjA3cDZlTnFj + MWxtVVRHcGJkYWx1TURjeWlQY00rbTQKIQ6Whb5dySsrsnQnWOGieUBUxzCK8Z2S + m+XW4LMbbVCAQ1HxiHlu01MfeAjWapUa/qwshJaaL1/z9NGRFojukA== + -----END AGE ENCRYPTED FILE----- + - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDejZGWm5lWHY1bXp0cFQ0 + Zk5UR1NVVzk1ZndRNkZZaGRXYm5tT3pIVDJzCnh1UEdwdmJpOXpvdStkenpvazRw + ZGluRVVtVEQ3bzZzOWExN0ZJeG5Dc0EKLS0tIEVkd3lKR0tiaGZsaDlNOUhQeXdG + TXZyQWtCK3VZNm1hZHYwTHBSRkRFelEKobyicCt7iO9QFUBZ2XnavxaNI9m0wd4H + 9GgiDLYbMvkJpKuXj7L50LUmpYjIdIvOk70VbMgAD38RlyT/xUgf7A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-15T13:31:21Z" + mac: ENC[AES256_GCM,data:Y1tnGTS3Wr3zbpZej+5wlIy1jaOoqHcKHP00hmKpWWR39RberESVkPQViPhP8DmwkKdbU/k+HRgb9Pn+1wgTwv8dFQyYmtWWQ3QHtB6exP3DGvQfI1Jms1Y8FaBIcFyv0BP0Fc8XipKyTG4K+T2j8TPszBCqRrUzgqiezj5Pei0=,iv:8dTU5Hi9qyx5VIGdouR2FVbc9VE4j16tiliv7KvZ0Zs=,tag:zfm2pKWmA0t2tccNinpaNA==,type:str] + pgp: + - created_at: "2024-04-15T13:30:57Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7zUOKwzpAE7AQ//VIhYHVy0KRL1r0+UWbpQBxOMVmHpgkXo+ztVWEZkb5Gg + h6UBJehzjPh5FnKTbgAUabVYsD4AC/sUd9nwKWwYFog/YmuPvChdb5D8ItLvFfZa + /Ksc7IUbKCfirXMQGXG6GIB1HvFu7qWdg/oxz0BLkf18A/e21EzypaTLJt6Z4vQE + gIbPddxZR9lKeo4Hzp62AGtpAMorDKuUhSH6zyf1Xhap8/BBzR+5lGGxGWuX4+nx + E8gyv8ZMGYIODYwyNRzuNr+R11AcNwnLjQHFL20wAwqvPnSnEDPEBRxYGIcGkMP4 + 
VFzAvWPAmUapuzsyjVMUuZj/DcmM+E9gJFw/Rewp6kE6nvOBTJWxSzuN3ZQ4jKMu + skfc+MXxMnW90mxcELWCuCWyQ4NVO5YQyT+uV87iRQqz8d1l1FPFSbI2FSOIcoj4 + VLw86wCrzt+3MTTDdYL8XCwoIUFR1Or5Zlrs/zS7R6W5TbURNUKa5ZQGEO3OO+qD + SZx5zRNL752Giq24ThbRF1WycEbKTLBc5RU3bGeMbDKU6AiPY8xsY0Q+PFIJ6JVp + cd6tBjJBjXhKQoKtYB5WPXOOUJkM6S4yYv3CWzIdpeL1Lqw8pwJQeMiutwCp7Lho + /2GZJiGWeGAfdYfWcxmvS+L5Sk/D4ziL4UDB/JUXaSnY1608Enw0CzLyVg06G4/S + XgHQn4BYNMQ8c7Cx236lIyH8d77YM542o6F25lZZ3goBxKmtVOf0WwQ3Jgpyhax2 + dDYR6vUFuo/koqbmi88TSILF2wW4wK+/+FFXudb4eR5CuR5xwiInWTbPk4S5rKs= + =JJfN + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + - created_at: "2024-04-15T13:30:57Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6j84+xkv3y7AQ//fBBalBW+GS0LMIla3ycuxhfqr242nHFR568nekJb9Nhr + BNL1ihgszHCr4pwQafUrMP3Fcb9lu55A0oVsLQSmsoIH+S+iGDW0I3mKZrEqn8B/ + 4/ihY9RjY81ECUyIhp7NbnmL0yRLI6DpxmwDsp5kcy+oG3CYIGVNvupFAkVdlK05 + 4h95zNpDWhp2hAZAaS6iSGS+a1ivdqf8cKBW4B1Hl2kP1yFIwhlTZ6V8MrAIPEJd + STwbInoqk3Rt1s7omc/tmEwEy0p8xPro35DkrUJwRkINdX96zneYu6i+w28YNDAK + h7olqaShVE/DQThkYBD9NDynDvoCVdiAD99qdeWoZ2ZXuUgabbl7VmFLuUYYRdA/ + 5LJBWydMr3vqUx1oFLbJtXAepE4xfEBRsWSfnLBstW+dCS2FCwBdZdj+HZQw+I// + E4wOngvk4FnOWJi/buniyGBbXIfxW1u2qDOSwhZ4WnHG2xHB27F/6H5X9mwupI/6 + Vcws2ETNJr736ZDFc/B9dsY/OEkzxpVSYRK8B+jPiKcVD6TvwlzCCT3zh67mObC2 + 9AQOdKBp079HQ/G0QMaFOO2sRoS/c8WTg2mPt1nDnhKsk/d27lxk9CtrGAbxqjLR + 8YYTLKMGeKw/ZBf3fOftaVa3/jfr3gbSHX9dlcY9KkrJ23V7JP5Z0S++3YwWIWHS + XgHFMAaTOdpqhhBTvluO9kWmX+SUb95j83+Y+Lt/EtP0bjxRu7vNyq7WTdWFh3IU + m73iUTA0PPEUcLRUlfLwtOtzaZk+zlcMGBVK89A7ZZxNwhN3Gfqws5djO+B0BkU= + =TfwI + -----END PGP MESSAGE----- + fp: A5EE826D645DBE35F9B0993358512AE87A69900F + - created_at: "2024-04-15T13:30:57Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DqDJbhoEBo+ISAQdA23U0ZOjdeyNq3YQib4t3T/cxbkVQlMcdjrdsJXvUuAkw + 2zDmbO+qBpKFH9iwI0yt9oRCGTjwVuK0G4e8OOqwdAwYV3KylJxh7gZ5FvsBBa2A + 1GgBCQIQx1Cnctk1OiUbCoKQPK2gyYj8p755lfKYGwwEv5pdNGcwh5QgHHUTkBFg + 
VWtuGi6kJy1O9V6vJoZfsqXsJ9YzxdZzyFlC38xlwCHYShpFEICOvSBJjlaBlGfb + ZpItK61mI3bUyA== + =cgA3 + -----END PGP MESSAGE----- + fp: 8F79E6CD6434700615867480D11A514F5095BFA8 + - created_at: "2024-04-15T13:30:57Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwMCBBrc/JA6ARAAuQlOImp2nIx3iyZWFpbvuZDZpBn6wjU2fCdKhJ4zGJXT + U3GX4/PZkdhPdHrjq0/zJq+UNgSWJUeoVTzmhCsp4+N8zGlwZvbFCFevlf+xnr7w + Q1NUdrRXi67A6az6+ARmRxASt3RP0HIDPjhJ9cZBffq1BNpfGLC9pULyCUV+hMJu + dtnGV3ZacTyKJ4yc7OXhhbBV0dg9kDz9ATmetOutwbXic5YJt2e5nRyMtdawj4IJ + JYyY5QVBNgOTchURRN1M9EuHmjXstDcrcGdhqCsNhRZZHBGAE/tRoggsA2VdYiQo + 2kRP+w5zxji2tLoxSluZ6HovX/kpfMkFLwfcEs3aBdPZTfzrNuAPlU27FePGeDt9 + slH7UIhGP+6lpRod2UHrQtrpvjhX/rT/9tJJNUIIuRLHc2GqG+6VUxj2Uc010P8I + 4nYYWmNrXVfpcXUXRKasguyRqDd9X3wkBFBF5kv+/rU7bZLP2t1LcWaXmhcLUgYP + z8Gljwuu9ankVzHU6Yp2wsL2SJn9w0wis0kJ2glMsrlFqBGatFgul9CCnqYEJsVD + OQEYns9InDCfbbr9EUh85ioHXXMoZVfKXubbqO/5MdyWDFssWLr6keUL0HpS6SrU + vAqmA+9xo5zAlzcFSTBdD/Pg+Q5iEIquOnDRA9P7BeVnqRMbhn/udcH0h15cEkXS + kgHg1m8+EZsVbSOX3C6/m/u1KzRlhRQcF1IIGJcEbSggtlf4X3rbbIU5SRsllCUQ + Bo6abk9ugX8L7wApgt9HQYpArrqQhaTEjDM1GYpxAGtrg9p87S5l0kSFHHJaFQ6J + qKczePCWhOpIFaGc8Qbn50yZIhJRBtiElwV6iHDVfHdyCQe/XnXEvbECgwC7hMgn + KHOg + =JGrE + -----END PGP MESSAGE----- + fp: 4F9F44A64CC2E438979329E1F122F05437696FCE + - created_at: "2024-04-15T13:30:57Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJAQ/9FHse931rENsf8w8nRMSFqu0tzbUBBp9cUlxzqN4uspaZ + 0tqL2ozA2P+g+/gtrrMvJ4kDn5EXWdCypub8WVl2HGt1+VqxTV+20M+W/158kwcw + VbUlYgO3RxS7FTV9gkGPcSE7lJ+GmjmXQyjTPD4PmLmS/m9OxVBLysCZiWqp4Cg1 + vwxmrnsXfomq1GLYTY5CMutrrk4SXqfQSmlP7hJz17eKIbbh56RZRw+IrqHcJtuC + XJAvCJiQrXyOHDNc76mTvGn+tgCV0aZIxnE6wLfO/JpETWyBN2riady04Sk+Hl9T + tjQ9PUP7zgKX0DUW6U7rinI4myGVoWhpY98yqSBcwkpuBsq6nGrpNlvkw0IwQuDp + Z3mdgpUHEcyQZmfSUQNlfIG9ErihYgX8derZjHoeajkfAX0+pAbzOZOt22EhG/sq + u/opsw1nD/gJd+nxC2v48lrHAX832gF8xN9aU7xXPqaoGCz8xAXzh8RFu7DhPYmp + knKrT4YJgmynSFwj6O4hU2fkKbr3QQ6jLWGUDI+ypwgU0XCDV5KwTDL8ev84swV5 + 
FBwPHXeZn/ZCEZYjpG//kCn5/kxCbBSoLvz+c6yYxKf5h8PgBBbCFku4QgQYVIDW + JE4Qm/JDaO/eNkz8xq/TnS9ptysf5LnKD9nkg/NsHnLq76OaiMl1/6rC0MyiKVXS + XgGxCUddQq+8xAJ+pyNs08qBMbjbe+XA/boNxmbQA8RX6oGPNIdo6bsoC8g7c+/D + 5X5bHrTdIvBRwQBkzGEhwDS5ERsB7gUGx6n42ueahSZesm+Iehv8ihmMfgj4sJY= + =czRd + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2024-04-15T13:30:57Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA9qJIVK2WMV7AQ//WmLkcPFb3MlTs4+uVbq/w2qKxK4C6Mp++CreylCv5Zo/ + 2ueemyY5MwVzLrwgHTU9KaTEfdvHzWPeiojG/JqUucctoN8iD7nHVN9DDKZ9hWqG + dfXs6rQ4nqBYlxsWH2xeYl2jpqkzpPFy5HDEU7aWvAhxnGdM3GW4NHuCUengDCDk + T5yc+LmNKXZoZUev6qhI2mCM2xA3EZFnVhw2hswA/SLqlvYxRxD0tnDXjzGWWMMH + nxakQmxHR9q1ZUwrjtlaeOQJG52Qcq720LhzLLZdnfLAlgarQSgnr84CICHBGmXX + VtFhnedzBYPkriUN3RctT0ISIQDmxzH7h0ha3Y5iezTy0cLo/hIGsr+RtnoWEAny + 6EmNOJx7PTY3yHiGMJ32AC2VDVhX2DGO/oHDLU7FPgC1BM0FzVjZI+vpUpMc5ZRA + vl8pyHqrvK8iGAcYna0NZWwOSj0tQ60hJFwMqRG/5LV+SW88KNnh5QQESrIyIV2g + voZAyKLKHbDiZtosu2VnI6lyELEKDHF4gQHINrpEBw6FOAnQrtJ9HKJQkiouX9t4 + jLmtNiI91zb1iczeR5bc0pOlWJuvSHRG/GX+04wB1Zv9uMb91Beh1T+TB2P+LRmk + +l/yrEL0UFWkEN5nGUH6D9QTTw2yNJbLIiNapfb4AqrRQfq3uvK/Q8hoDZgfw4HS + XgGJYUHKEpkRJDdFhJPbpIf7WHKlKmbdN8ceMro2hPBKDjGrdduRG/PdmlJcucZ3 + 9Aawfm9fo3RJ9/jAeWl2Jdu6v8/qnSY0sAQ5vzQXxqpeGsIjxc2XOZmd/M50XSY= + =MlEi + -----END PGP MESSAGE----- + fp: 53B26AEDC08246715E15504B236B6291555E8401 + - created_at: "2024-04-15T13:30:57Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA9XEenRNYVGHAQ//V0OzBwN3EHPPNdhxCGS64/Pk+02FX2iX1jhcXl1EVv0l + bO2NpPe18y9UF4UUy2xnjcZHvWI1boFYYvuG+16RiViZKruUmfUoWKeG38t+F9OX + 14B28iwPJDJrFMEkUOy3fX2UdAeC2XMirxxJTs4y09FruGL19yCf7QIjudzgXcqS + V5QWN43RPvVMD10XfN1qGv41C8NwCOch0RCAE8m70PkA39905QQVg+ORFWqV+oOP + Rq4QrFsArJnnvESnSWZkj6SOO/rJBgythiUMJsDodG7E0Yh/Z37vQ+89En9Ei6Ht + DSPpJh5zO7Wl9CH3TRi+AkAX0R//jMqLOlNfKLecYK8hGvj8cvdHpAB/mRva3rz1 + QRd3SxhDMFehtMlS/KSIhbMInILY0LpNZQXHe9IXFEljjOR26tNkhQkLHdSCnrPS + 
Frj+cN8an1Gg31zWcMIIAOTPYX+GAiURfWbqRKEkNK6ZZEsr1DJew++O50XfcVl+ + dAlmTp2GjvARTRKQoF5fl4Ln7NSH1nDl7HZsIHU0KbBs9cs6zo2WMTnlbS9TVGbg + Kb8QNf7QVXONsTDe52AuL5nnVLn277ZkIEV6HJ4axtioxfl6uPZGFEI3tca0U2GX + ZBDz0xpyfdLbCsdGC66Ds96KjQi3Hn1rwU1FwrsYKLnnvHexPkYJvr+vxWBXgDjS + XgFFzTgljq7dguSIG660lUP9kLhOC/152a9Fwri4sNHIv9UsyMZ4VMhg9CP4Ocf0 + spUzcaUXBUrep/UlQ0Pct4mQhVATQtU1EklndJrvoWSjR3x90BIr2PAV6yGCjng= + =nhtZ + -----END PGP MESSAGE----- + fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA + - created_at: "2024-04-15T13:30:57Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA45bZkLXmBFpAQf+I3J99YpcXxnfeWxv/VfeP0myHDP5J/YCT1Si3sOk3wRZ + uYhTLnFXdaIkuzLFiH+Ygf0jTpLTMRQz26h3/r5om/XuTyT4J9sf8Xf0+V0S95JA + rS86HFypq4UuoiKAbsTXmdCEX04SGnZXbeEFaNrHD7s07mdw5wvtDK3S777hnGEG + ipq6cr7XosdQ2M69OGKIIoCL/YMUxjHYJbzWy+DmKgkVmDR4ksEyx1LPKZGAVYZY + kQOvpy/KMQjJaLH8PZNq6Q7Zk3qUTQT8vhaJcpHAO60de116zf8kOekgcHmle/v1 + PX+DPTZ/2hpBI+4Wij7WHlrziy7vfMgklo1UarUkCtJeAQNqPmw9VtzEFCd9b9T7 + HoLKa9FYrjuyGq3c/0LNQb+0AJIqYZ0qqzDn+wRtZ7mPx9WW4oW4LHt4hcIDx+q1 + xBW+ZRneSCqvp/MBptLn4TVrhUbgYNkTL2BAlVMWqQ== + =zqg8 + -----END PGP MESSAGE----- + fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 + unencrypted_suffix: _unencrypted + version: 3.8.1