diff --git a/.sops.yaml b/.sops.yaml
index e95a1af8..c86b8620 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -136,6 +136,12 @@ creation_rules:
 age:
 - *buzzrelay
 - *polygon-snowflake
+ - path_regex: hosts/c3d2-web/[^/]+\.yaml$
+ key_groups:
+ - pgp: *admins
+ age:
+ - *c3d2-web
+ - *polygon-snowflake
 - path_regex: hosts/dn42/[^/]+\.yaml$
 key_groups:
 - pgp: *admins
diff --git a/hosts/c3d2-web/default.nix b/hosts/c3d2-web/default.nix
index 5e04a872..f433ab33 100644
--- a/hosts/c3d2-web/default.nix
+++ b/hosts/c3d2-web/default.nix
@@ -1,7 +1,6 @@
 { config, hostRegistry, pkgs, ... }:
 let
 webroot = "/var/www";
- geminiRoot = "/var/gemini";
 deployCommand = "${pkgs.systemd}/bin/systemctl start deploy-c3d2-web.service";
 in
 {
@@ -109,7 +108,7 @@ in
 "[::]:1965"
 ];
 certificatesDir = "/var/lib/agate/certificates";
- contentDir = geminiRoot;
+ contentDir = "/var/gemini";
 language = "de";
 };
@@ -173,7 +172,7 @@ in
 systemd.tmpfiles.rules = with config.users.users.c3d2-web; [
 "d ${webroot}/c3d2 0755 c3d2-web ${group} -"
 "d ${webroot}/log 0755 c3d2-web ${group} -"
- "d ${geminiRoot} 0755 c3d2-web ${group} -"
+ "d ${config.services.agate.contentDir} 0755 c3d2-web ${group} -"
 "d ${home} 0700 c3d2-web ${group} -"
 ];
@@ -193,7 +192,7 @@ in
 status() {
 curl -X POST \
- "https://gitea.c3d2.de/api/v1/repos/c3d2/c3d2-web/statuses/$REV?token=${pkgs.c3d2-web.giteaToken}" \
+ "https://gitea.c3d2.de/api/v1/repos/c3d2/c3d2-web/statuses/$REV?token=$(cat ${config.sops.secrets."c3d2-web/gitea-token".path})" \
 -H "Accept: application/json" \
 -H "Content-Type: application/json" \
 -d "$1"
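Review bot: The new rule's `*c3d2-web` age alias has no matching anchor in this hunk; confirm an `&c3d2-web` entry exists under `keys:` (already present or added in the same commit), because sops fails on an unresolved alias the moment the rule is used. The recipient set the rule describes, the `*admins` PGP group plus two age keys, is consistent with what the new `hosts/c3d2-web/secrets.yaml` carries, so the rule and the file appear to have been produced together; worth keeping it that way so a later `sops updatekeys` on the file does not silently drop or add a recipient.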
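Review bot: The token still travels as the `?token=` query parameter, so after this change it leaves the sops-protected file and ends up in curl's argv (readable by any local user via `/proc/<pid>/cmdline`) and, in all likelihood, in Gitea's access log on the server; the change removes the copy that `${pkgs.c3d2-web.giteaToken}` interpolated into the world-readable Nix store, but not these two. Gitea accepts the same token as a header, `-H "Authorization: token $(cat ${config.sops.secrets."c3d2-web/gitea-token".path})"` with the URL reduced to `"https://gitea.c3d2.de/api/v1/repos/c3d2/c3d2-web/statuses/$REV"`, which keeps it out of server logs; keeping it out of argv as well needs the header supplied through a curl config file (`-K`) rather than on the command line, which I leave to the author since the interpreter running `status` is not visible here. The `status` function opens in this hunk but its closing brace is outside it.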
@@ -236,7 +235,7 @@ in
 # gemini
 status "{ \"context\": \"c3d2-gemini\", \"description\": \"building...\", \"state\": \"pending\", \"target_url\": \"https://c3d2-web.flpk.zentralwerk.org/log/build-gemini-$REV.txt\"}"
- make -f Makefile.gemini -j$(nproc) export DESTDIR=${geminiRoot} \
+ make -f Makefile.gemini -j$(nproc) export DESTDIR=${config.services.agate.contentDir} \
 &> ${webroot}/log/build-gemini-$REV.txt
 if [ $? = 0 ]; then
@@ -271,6 +270,11 @@ in
 } ];
 } ];
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets."c3d2-web/gitea-token".owner = "c3d2-web";
+ };
+
 systemd.services.webhook = let
 hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [
 {
diff --git a/hosts/c3d2-web/secrets.yaml b/hosts/c3d2-web/secrets.yaml
new file mode 100644
index 00000000..86648b57
--- /dev/null
+++ b/hosts/c3d2-web/secrets.yaml
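Review bot: `secrets."c3d2-web/gitea-token".owner = "c3d2-web"` restricts the decrypted file to that user (sops-nix's default mode is 0400), but nothing in this hunk shows which user the unit that calls the `status` helper runs as; if `deploy-c3d2-web.service` runs as root the read works, and if it runs as some other account the `cat` fails and curl sends the request with an empty token, so the `User=` of that unit should be checked against this owner. Because the script reads the file at call time rather than at build time, no `restartUnits` entry is needed for token rotation, which is worth a one-line comment on the `sops` block, e.g. `# read at runtime by the deploy script; rotation needs no unit restart`. The `sops` attribute set closes inside the hunk; the surrounding module continues past it.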
@@ -0,0 +1,203 @@ +c3d2-web: + gitea-token: ENC[AES256_GCM,data:W5NC7+7F2HSwRRyFdqkxwZVdW14PfG8PTJ4RI6UWyv262GMqgLbA1Q==,iv:mW5ahfvdzIng0dqphtZtZwOgF5W5s3rbP0AF0GxmcjQ=,tag:sYyMsqrKerxHcDRM4OkEMQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18h6vmfduhmj28wxdgur8wugn7scm5vwvwkj5sr4f7nl0czr2zvaqscsdsv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObkdlVCsyOTNlckZpbzh5 + QmtUOTA4ZjhCQVJXaUsvRWRvemE4SkI3OHlJCkRJQnhXNmU0dklRV1RGNXR6YU5z + cHZSMlVsSjVIZVBna3BDSmUzUFFjb1EKLS0tIFZYWmlYZURoUE5uSVVpc1d2cFUz + dStjVFRYMGFFeWhUTWlnSmk4YmI0bncK+8y/yyFf3L2zxjgDzQoV3lKFaCyPZ51f + UwFhDop+wcR59B1mxTRRYqzfSH9WBOx0NkabxSYMYTGPqn4j9vOJ/w== + -----END AGE ENCRYPTED FILE----- + - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaHA5YW0zblB4ZFNMK0V0 + aXJseW13OHZLcFY5NVpiSWtwa1VhU1VLMndZCjVuSDRDbWxZYmdGVy9leFFnZFF3 + V1g2NE5oTFRxekdRTUZWb1hOcXo5QVEKLS0tIGlCb1RXZlpyTE54cDhWRk9rdGRV + OWtJZ2pzSXpTVnNrYTY1bGJCQ2lYZFkKerY4F/HPsr9vrMxu68FRVNVEKysE1M+q + zOY/n3CNAdlVjnWt6D60BpEHIpDhO5dvBvvqLwsOizI7fgfmwFnGDw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-26T22:08:37Z" + mac: ENC[AES256_GCM,data:v1goHC28SBz5G2FtCl/Iwbc3t6piDbNXYsUmXzuXcZrS4wr4e7KpXIXwYnNwMTrEBJ4O3ML734i8qx5BHDTS6FiTgvYSQnDR/cWXmiaVFoPAZDP4Cdx+eUYtmnZ2g8gUmpa2Swpp4gDlm3Rdab+R6mkAfDVcjCcgnxB6eSIk28g=,iv:Ao4+gCGNOOKiFLATBygGvf2E7GfPCyt/fJ1R+nuYsU8=,tag:NBZzrWzpm/fyahzE/27Q0Q==,type:str] + pgp: + - created_at: "2022-12-26T22:07:00Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA6j84+xkv3y7AQ/+P/ISjuyybDfX7stUpWwtY1v/aAe8NvOJaHIJTnDdyjRX + emtzTmsLyqj09IFUCg2sh2B6sRvBbQFsXMT6pIN89VYklJmvvkGqvp/z5ve8skTw + ntgaINZxK/ibJkkFAh93TgcAILWZg/e2DSTy2WHRlR+4Y6BiT5JFyJ92AUbUITo5 + gs3iEyowMcInqNkWYdEqnr8wgWNVQrtWz/LIAkbLYho60x0g5DYg9rbvDURFTTYH + EfDfZMrYGAlJgzVtKxdK+dttlS7+rPc8YRu7xMc7kNRx8cv2YIEnPaRYczRgXATd + 
XqlnA08jJZnZNv5muuwP9NunQwg/NjHwUOcSUDwUYg5CT6zZsA2MnT+7BEJt8Eli + 6gGHLCdmtAVzJqICgUc+kbqxaxB4SQ7hlpbPt9C+of0priT44N7A6T1mWbeplFst + UCutK8Igd+U0p2qvxJsEoA40qD8Jzh6qRTlUtV1WdsdqHkenHGaUvKfF58lxA7Ch + GAE/2JS65mp/aHAKdYpZMIeAVxEoRgrUlK1T0Sst+AT18nF2gPuvuduAOcmAP61r + WIBc8J7nsyMpcFJQ3J4AMX70XVfszb8xZLNB9cg4iGEPNkmjALPVtFlj2fG9hVj/ + 5SpQLDROHtdg0i7XLy14Dd6SIhnPycIcEdfMSSdYEOIAwMIjhO6i+X428/oaFs/S + XAEk3xSwH28GFgHpIWoPONwUmETij/+CUrfSakqPukjSIWxzab1BpCJJs9nd1P3K + 1YDIjyOgQvRNEozcL3tVIcHj0EMJJ5LRUyry0U4ubuSNNijD2r5gXfeymqbu + =D2GR + -----END PGP MESSAGE----- + fp: A5EE826D645DBE35F9B0993358512AE87A69900F + - created_at: "2022-12-26T22:07:00Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8zMZ+ak7y/zAQ//YdneFU7q64yfM6TbxzMmTlZ2IFq1aO+RkTodCjN2Ros4 + FW84FAlZk2Pr0657+EvkPNlrqOkkiMhHFZToYK8BDIvYmJ7SuVMqDc0rxRk/SYX7 + Luj3KE7mZd7yCgAQVQR2cqQS+nnlQDlWRjdY3iDpkABiCdbTMONp/blnA3QesBZs + 2GqX6GhpEDs7LJvGq8ZfDb6T6mH42waya6UnXl0NSN1ka+A4s/OBY/PCQ1Ofn6g7 + RwLO2e9OptlUAmxlMUNRFA7GfQMLZcKWmtDAL3UWmohutE8Yq4gT5qjqVRYqrZYL + sInlq8d7MYbuCqUcejCXME89lRQZq8QIyV8L3+I4ZmijrgrB0OeiBtqXPcDZa/p7 + Rl/qbgpWrbZsSQM+44w9jWf5IF7bQ0slHFFwh4uHNr+sL0HqUX92g9m/wNTj1pq8 + o64FigY32LmDUMicrciOvx0D2g326aRd2pFkix/H+kFefri9c5tkUXRmJ/VrXsOM + CKvXtAA16X1nFNL5DdIJeXlBR72QsCYuH/2wtC78eMGCpM1L2KGyaIjp2WQ9IzRf + t99djxNkgZOpLLfmjInYl9dRcqOZObARYnYZMFz0z1fRUvSzSNsINRrwFgCZE5WA + 2qv/1WF4Nd3dox/JCLlHH1HZYWyO/RQhRkXbDLIEVVnoUdLBoBZEyOt1+x4eAYjS + XAERS+kXlaGXmzt3vYeoH3xWZC1S4BbfgBogdOvYMxVwoKgysWhWI8qBg1XGGpER + N6dmPm7gxh2MMCjHP2zQB0Ki+SDQre3QX9NMKzU+sJEPJFJiHZXu2yUFYanU + =+j8c + -----END PGP MESSAGE----- + fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A + - created_at: "2022-12-26T22:07:00Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA45bZkLXmBFpAQf/RNgivYpm1j2Otu5pbObIAjFRbveX5anM7AHZVt3XcX25 + eroD+6Ts+qjELICo40/NYinYhB3U6NqOOBZjrtJ3B39CZUdsprZQ8JOg/7qBWrzY + EgkQgLoEx//aCVmBjqiRS+c4onpfcnckrhbqOoCtRvBfKjfwq8VWE7SRr1Bx59Zk + nuA3QtI+ZdrtPcQLHdXsORfzAPa2JuTSpILN7QCGGXtc6mzUvxo4NrLzAEKAJNQR + 
Yu9E4lUfzPDlYv0MFYvLDgDrcxRF0Bwuwnlr+4LFPBlEH2K0EEkEUCQm/w3EiSiU + 7lVZZQ7Gt85TjwfPOfoBohN9ONvXhUub6eD8ow/MZ9JcAUQi6h01BRVSE+gQ6tG3 + 5YdZB4XLXmI0caLrald5jckJH89DwYJP8g41KRWMYo9NjI78FAJRkmD7USagNdxf + LRlQ1CZSngvW7pYbWQthu7hXzostd3Rn9MqqmhE= + =iUxu + -----END PGP MESSAGE----- + fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9 + - created_at: "2022-12-26T22:07:00Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAwMCBBrc/JA6ARAAiqatrSJ7nArZVXkb7i//nuPxk2GIBb3LCnAblbATbNm7 + LVQjjwebv4td3c5ubMr0oQiA1l93rrGn2/10Gw2kpAC3zeGMdcM0kAmKe6QdVOhl + ZEhVzWva8YcmgWBAVQb+R0IRVjTN8Ps6wkjlN5JB4xiEnSiKzHb/Uh8fNsaJ0Iv7 + VOhUn7tmwgcj36yQjvk6QcW8OTw1F14Bles44Urgm0F3EwkktQPR9xD2UjpFRpgl + ZQhaRctyDBPvVhTucFTvuzTaYuqr7YI85//B4+jA7dwXG/UIRORhvCSLMu8L3Xtq + dhH1ZUYqKZ6ddB9qlDGRJEcSVRRVDjzHf8AJ7LGCK/vxN4JWh9rOB9fUJ2zqFAF+ + ciav2TGR/qo5Qrx8254EagKYDamzIeN17KaOLGezUGYTT38JqXwomcRroSNuCHew + 6G/6n7xsWXONUFFHtb28jLHPyQj+6uRGjTIinkzIFD8YUVp2Ccs8Sdj4R7BPZlUQ + Fm2uZhmDxH4MjDvLtJ7++cIht+k+TUPhMZqHkyj5mhz90oZHYBomYnY31pvKzStP + C1yIoe+JLLvaQw8LW9/WWGC+AglBYrwnU+zDct4EL0mtnMkF4zfNbWHQrL/90g21 + KTkDLylJJ6osAtB1kYv37/0iyAwi9nDVULfDFMjbe6bPflxni7/JfbJC26WdCbDS + kgHr/UyOvx8S7oPkkgBMwdPS1aWJITciJMSt+Hsz4pxZT+vR+YZ45kUpYYOG+782 + d71smhlKbXmP25lCJW6URxPJ4ipAO/Wb2HZqDkvGxrtsWTNb2Exug4RYDMw6cCK2 + L5NghVWZ068kJqoIdBRZfFSuCkc/mM7PSjGTyT+y0D8ner6DA/91oJIEuD3T/7sC + 1jut + =pZ9f + -----END PGP MESSAGE----- + fp: 4F9F44A64CC2E438979329E1F122F05437696FCE + - created_at: "2022-12-26T22:07:00Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA9XEenRNYVGHARAA1kNzZ/1SYg9ZDpxBHqfNYOoSwfXbrncNv5mPOO16uwxT + +uCmCV3OHDuchQHgezpMm8ImcvqjcprRMHyOeB3jrMewDnxyPFYgheQjz3hTiHPb + 5pA7s/W1Zew0EbqsQ+GWtwIWbdYpPRVbhRInolczerFHBp7gg4JEqUAgiYaAlzxV + a7BQlFOQ4R0q0IBK15L4hQhzdxJ9gQRr320K0F3cKdPpn+i1GrAUID1Jnrmz5yCK + 6XwHnRThjZorYLPLXfrZtj4/VBSGWbdUF0B1DwQB0Y6tLn9KblNkyrSpKg3h+klB + h0dYii1hwdGG6ndDCb0WplGzXRvl0/s318ySbpuYyTbqj4rgCYzQdgboH5KzhYE7 + dGNfacYDaFCBs8/dzFiGKIsscnXctTkoTGrXY5XV6DJ1qbPozRyk+4wShUsbthtJ + 
u5qPPR8oj3Yc2hhg4eeksZYc12dQgLBiOD+aCtdn8egy/nPlRlLJiQS0ipWlNWGK + J8IlNHgEHkfiopiWP4BH6KrzXDyEPiOU3G7rX3GGzUrYXj50vDSzTC85X+3ZohDs + lwzbQaoDw19OGjQ+Loy/uVNYgOw5g+nsr3KhmeF4NECi8mkLgs3NkVPJLecT1v47 + PFIGdUykCS4LRtzocVVfxdl4jbimgpuP4nUGGqk8tzlN2iRgc8LDCRM/81SD/MPS + XAHF6r6Od0UL66/lhIqzrP1mtH+A5Eg2sVssw+2MoJV6r/5mmlieaLq3jISrN0UY + N8dOUukcHEWvFNjvoh+R/qnh7D0FbFKcGZ40fIP1oWNkwcXVEILPgRaYCBty + =MrBV + -----END PGP MESSAGE----- + fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA + - created_at: "2022-12-26T22:07:00Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA/Z87ylQaotQAQf/aWmXByWNmb20LH8gUxizjxYjk5NC8wf7LGGPF7+NDBFd + vMVUn6ybTJEOTACm1BqxkGn70oMrgFSiMsM1L8mqHQmN9WehDnuQ2rb2rIijRD53 + iJUPJBQsAsVkQpn9StfTh8Zznd7l9ladsU7VHgjKwzdi6EK2NgZCtIcENgEdnjf9 + tVAsSCb/IbCG3rIT7dD2tO9QWBAtd7JyflrP1DXRlnRtEBCXETCSlmYczuBSFvWb + ARXvyvzoWJuXFzXQpSZNylLNc8fuz5C2KO1PfjqRCOc3gaf8J9Tbc/Q3PTEcSHhr + WMbqug3sX4eYPRjpdMqyQSVvB3dxVLznfJawc2hQ8NJRAcdNahwu8S+Bnq1XF2CQ + sXNxt0ig83HT5CoeReQ6/mJ6JVK9Gr01dz02BR25OzR4jLXpsCi81e1/ulWyjL4J + uP5CL+mjsQS5pyOmS5krBkGV + =qUv2 + -----END PGP MESSAGE----- + fp: 9EA68B7F21204979645182E4287B083353C3241C + - created_at: "2022-12-26T22:07:00Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA9qJIVK2WMV7AQ//S/k0Ipr8MxFSJ0QantzbcP3VUj+QkJZJtVomKM7e049V + ha2nujXdLA7Y5QNYZask4W7l0OBNE8aWQLWjYEe6lxc7PRy4lph/yKXJ3PJH9B+p + diPDbjaHu2EqG0p+csqV7eUDjRsXAGF9/prXXUSP6iicIOLTBSwW/+3LZgbtfRsl + /K3UCyUgSTr4FAtuHS2wVa2GplOd6JYt/O3h8XY8cy08H5EFnLRBo71CbGRgYvSM + uPvEgEdc0bWRE2hNIQMIGOSGIiEOK9E9NKNDdqozu+Z0OnG9cRdnEpgMmNAH4yaC + Ie9qRrxOc+HI+IrpmjhWJlgKRns3kCedpFL4IsQtgGxOUJ7EeTJHi+68gPNc0PMV + jwOUNVRaDtsAujt1pJS8pnzhX3R3f0MRUJ2JLrsw6EZQ8dj1IMrC0UKeJOcvpFro + sVq+TKt3movkWrL6i3D8ujb7PnR50FBku5wxpOROjk4J80cH29amnPZC70WipjKz + /60gqyk6awwIqinevP/SRUQXSZaqLYgMJFUNhZ7BURbeafRwS2z52wNec+qEfxZl + WdvatEgvejIdRzl6d0Ed78vQX4O2LPCBMSHCz1VLRt61xvTgnT5S4Mglb5oSiDcQ + hXQqDmr3J3fyJyzDmUmKsedonlvQm9kGm9Qc08xNPVe1yYyd3s3D3csqO7MTZKbS + 
UQEAffU/Nq6pZxBJWAoVor3hjIeD4NuQge/3UmmAGLmjys3Ig0vvWvTmW7D8GMEv + 7BqgmbKCWg+eCp5z1ekSEEzjbkN756RuWJLQoQiD5aKK5w== + =+0sR + -----END PGP MESSAGE----- + fp: 53B26AEDC08246715E15504B236B6291555E8401 + - created_at: "2022-12-26T22:07:00Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJARAArRKKQRXwoRQ5HdE2BUezkB7nenUZ6keq62Pu8qF4kEJ4 + MrZlWr0PscyWY6GHGXtabOrmzbXlrGCDDXvP6qwBlR0/2W3uLkLMkGupfVx8wlGJ + Iet4RWAInEtWx6pWnuLjakGV9XbXzCDmZRQPKchwhks0jQktjJIIWnk07y2oKBAj + PeS2bqlqidMyBjhw/akIVMfP1rPNfor8XP+/2tygiQk5NrCTG2kSCkEaiCCDNrA5 + u6E0lwtREYrvzaxxGCBWaDszxbRUn8ig1RglElCDgG+Hkco5jV8/Rqv09FdZYAki + xWZcsYE6fXHlsm4UEdzKuwiea7bAMYU+0L00so/IeU0zotmYaQqtKnS1YfUE7IVl + AUkVg8WB6AM/rDG0SsqGPzL1n/j+jlOytFnYTWFjlFhD+ex9W6VYEVe10xg+FVIH + DEn6gY+9j8vGnqsybgEYo91xToVlBgyVTkgY5UuPLzfyxgIWuA1tPLV/3owAkMx2 + HiOMOXNhZ2ouvmgCfzzB/VM37lgaAooNs4cOSxgBhG9lSuPT4/J1IU0Tr7A5KaJK + cUs1uAWYKxaRLq6golK/6lq4nwYooyrDxt2Iuh191iOdEO0+3ny3rjBISukxr3F4 + /l25T2YZw7fpW15wlUJOVAiwM5iDkd9jFhkdXh8r5uf7HSyrxzQBGUhWaEZuVbLS + XAGyJnbR44ghnrRAGaXU9n7Z12M/4P2EYKHQCtYgIIXw/4vXFamxzcGMaIbnTy73 + PV6wC/P3Tuyy0s+vKKQiHbxw3hAJhYc90n27rvst3v+PkuFfsIl/082dLXFA + =9Q+A + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2022-12-26T22:07:00Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7AQ/7BtP9J4wt5AibAZxSfB9HH/HWZ1tfken+TOufxslEMvMz + NCkNTbS3A/AqzFJazIfkJPyu6jWx/eVG8d6xclQnZNpzOVbUjQdgkwEJpq2gb/FU + eN2HEckYR4fj2psonHJz+YSM045jdeRX1TBG0y+9EAvZjHiNjdKWewYUsSRFR9DT + OlneCihUCYTFXEbLACQg6VzBwswNnmyOKxhc09hsVdtZq/ABTVhu0KtwSDgl9zcO + 7zDokKl7dr4dCQFa+uNPSVQpgIYHxGUuHqM5VOfxYGGPAA67cUArnMa0f/8b3fcX + B0NTK3z9inL3cYu6xkGkgaPHx5NcEXyD3lG4LEylhL12VI1SLam54ArJXxjyzgUh + ZX8GjCa2dLGGW62kRdtHESnWoHvznJsYTvlO2vpWmMo7E/4pk9EXFNp9Xbdtw+3n + oobSjkTl3rtx3lzNgfWpn5VZw6TJSD4umlWypi+1OQe4T7KXWmMCYqM9W5yrdQzR + x1XeBkke/dHIs8hXSNcm4aPiGg6NU0ahR5d1WR5NwSPKDfHvlL5r33VKPLESaOJ2 + b0MQnryIeRNo9xvjvNSVPiBDI+o76WzH9fZxNQo78L0tbu0+lDNelf44NrmRxgLO + 
+5NyJMbub3pEzWCaNtSwQW7vxZY2c5ddojZgbb75+pSwj1rQpbTFFQwjzmWRt4zS + UQGwvsCH3sg///YRoRVs/mKatZIuYRuPUlG94kASzKWYVi3+2X0DSsrX3EqNmEsR + ZC+BUKM/CJiXJcnzGTIBQ2VfOOWKEPkHdOLhdDAE475X5Q== + =0jHj + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + unencrypted_suffix: _unencrypted + version: 3.7.3