From a1345f916e2025f5e4eab13f007d2a83c8a8b366 Mon Sep 17 00:00:00 2001
From: Astro
Date: Thu, 12 Oct 2023 21:54:05 +0200
Subject: [PATCH] caveman: set a redis password
---
 hosts/caveman/default.nix | 26 +++++++++++++++++---------
 hosts/caveman/secrets.yaml | 7 +++++--
 2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/hosts/caveman/default.nix b/hosts/caveman/default.nix
index 8bdf0fa3..a5bf09f7 100644
--- a/hosts/caveman/default.nix
+++ b/hosts/caveman/default.nix
@@ -26,21 +26,29 @@
 secrets = {
 "restic/password".owner = "root";
 "restic/repositories/server8".owner = "root";
+ "redis/caveman/requirePass".mode = "0444";
 };
 };
 services = {
- # Override default backup schedule to reduce I/O
- redis.servers.caveman.save = [
- # Every 2h if at least 1 entry changed
- [ 7200 1 ]
- # Every 30min if at least 10000 entries changed
- [ 1800 10000 ]
- ];
+ redis.servers.caveman = {
+ # Listen on the public network
+ bind = null;
+ # Override default backup schedule to reduce I/O
+ save = [
+ # Every 2h if at least 1 entry changed
+ [ 7200 1 ]
+ # Every 30min if at least 10000 entries changed
+ [ 1800 10000 ]
+ ];
+ };
 caveman = {
- # leave 4 GB for caveman services
- redis.maxmemory = (config.microvm.mem - 4) * 1024 * 1024;
+ redis = {
+ # leave 4 GB for caveman services
+ maxmemory = (config.microvm.mem - 4) * 1024 * 1024;
+ passwordFile = config.sops.secrets."redis/caveman/requirePass".path;
+ };
 hunter = {
 enable = true;
diff --git a/hosts/caveman/secrets.yaml b/hosts/caveman/secrets.yaml
index 804e27ea..26bb60b1 100644
--- a/hosts/caveman/secrets.yaml
+++ b/hosts/caveman/secrets.yaml
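Review bot: The new secret `"redis/caveman/requirePass".mode = "0444";` leaves the Redis password readable by every local account and service on the host, while the same hunk sets `bind = null;` and so makes that password the only control on a Redis that listens on the public network. Restrict the file to the accounts that need it, for example `"redis/caveman/requirePass" = { mode = "0440"; group = "GROUP_PLACEHOLDER"; };`, with the group chosen from the real Redis and caveman service users. The hunk only hands the path to `services.caveman.redis.passwordFile`; that module is not visible here, so confirm it also sets the server's `requirePassFile`, otherwise the instance would be reachable without authentication. A comment beside `bind = null;` naming the firewall rule or peers expected to reach the port would help, since Redis AUTH travels in cleartext unless TLS is configured. The `services` attribute set continues past the end of the hunk.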
@@ -2,6 +2,9 @@ restic:
 password: ENC[AES256_GCM,data:f1kQylVfzI1v+W2P+IklKw==,iv:A72uGclgNYtDyTr8EQVgLZ4Ej1qVRWL6DvmmXExXXVI=,tag:kFhaxLWi89tWNoNtbE/FUQ==,type:str]
 repositories:
 server8: ENC[AES256_GCM,data:itNCMHwwyUdoGfNEtixByu+BmOU2Z7JhgzUoRENY1pcYHNlbWUbf6/c6Ui9+xNnnEmMldq599RJNYCxDaavQjtk/HwHGYvzqI5L7uVxFlK0d0GDo,iv:kV62vUokW/n1ixu5vVjYkzXUZERGVn0J/C9Y6tgLIfw=,tag:MKnSHZfRFm1mdkIAUZGqmw==,type:str]
+redis:
+ caveman:
+ requirePass: ENC[AES256_GCM,data:08V/ZSarIx+lpGSx5Su0A4Jveejxi83+jj1+Wcqf+nY=,iv:lm412YmiV6rVn5LGx1O5/kCGO457yohieu+UgB5b230=,tag:4cQ7mIlxJh7rGMZqmGIPMQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -26,8 +29,8 @@ sops:
 U1RTTGtmNEJLZVQ0dXU1d1VjNk1kbm8Kbn1V7apdbkDhu8xhedIrpZGRcMzyB2do
 x3SHunmMJzqtB3KsVhgIo8TcQyRqGMn2BRFHMGtYUtgRvOT/tKibcQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-08-08T22:44:39Z"
- mac: ENC[AES256_GCM,data:a3bnihJKmhmroeZbVFSWo2fMa4AINuGH3fsOObugmaM2Vbs1eqmrslV7h5rmRv0LmzQYlKoSSkKQ6Pn6ofhq/uwCf34PnpyOvRQP1BL1PH5s1EaIXDx3RhnaaAxFOwnvi3/zO0BZ1PgUUkLm4owXMbERmbvg1iXR6+QrJySfPJ8=,iv:BKYHqW9tErFaVPc3x4xmdqVUYexzgXnfCyg7IR92bAQ=,tag:T6c3EidOT1UWy5+XfNkY8g==,type:str]
+ lastmodified: "2023-10-12T19:53:12Z"
+ mac: ENC[AES256_GCM,data:FyW0rehjvX7BNNh0mQ9kG1CEZJxgzIc4I+41F0hhfmNTwQr0PR7e+0nnL/SrgIlCm1IBshCYncYTOJHOz2cjlouGJg+w3NPrAegOwtP7HBERedcGdktFFxVPprnspKH1RmOGUk+JAcpnZVh5KraGc8uNCdMXPZ+hlEsEMde3JQk=,iv:rBnXl5jjwLIPp8F+Q6jIaxljuCxYIHc0cQqCVZB4EXw=,tag:EI247Fmnmp2jyqIk6Htsig==,type:str]
 pgp:
 - created_at: "2023-08-08T22:43:30Z"
 enc: |-