Move most of seed config out of sops

Sandro - 2022-12-24 00:11:52 +01:00
parent c82eeb32d4
commit d2dd70c48b
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
3 changed files with 64 additions and 5 deletions


@ -43,14 +43,15 @@
suffix = "dc=c3d2,dc=de";
tls = true;
};
seedPath = config.sops.secrets."portunus/seed".path;
seedPath = ./seed.json;
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."dex/environment" = libz.sops.permissionForUser "dex";
secrets."portunus/seed" = libz.sops.permissionForUser "portunus";
secrets."portunus/users/admin-password" = libz.sops.permissionForUser "portunus";
secrets."portunus/users/search-password" = libz.sops.permissionForUser "portunus";
};
systemd.services.dex.serviceConfig = {
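Review bot: `seedPath = ./seed.json;` is a Nix path literal, so the seed file is copied into the Nix store and becomes readable by every local user. The sops-managed path it replaces was presumably restricted to the portunus user through `libz.sops.permissionForUser`. That is acceptable while the file only describes groups and users and takes its passwords from `from_command`, but nothing at the call site records that constraint. I would add a comment above the line, for example `# copied to the world-readable Nix store: never put literal passwords or hashes in seed.json`. The enclosing attribute set starts and ends outside the hunk.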


@ -1,7 +1,9 @@
dex:
environment: ENC[AES256_GCM,data:X213Nj0ftMSdEG7Z18hceghX3w9wBV2q4Z/q7enbZm/rbZKM2L2SBZnCtf7NGoFuZbePe95HR+puKCzmHKHt891So6Uq11OA5DvMvl3IdNKkXpHwS8HicIZWTGwtle0CaESzJqI7LJl1ajzXFX/fo3RClGz8V9D5cFza54N/29xKrxyRd+vu9zlXN6ZX/w==,iv:wHLq9shvvrzImMRoYInlWQVACNGqazDEHqkcp25zHHw=,tag:xhaX0oK0qxuQigWXrwRfwQ==,type:str]
portunus:
seed: ENC[AES256_GCM,data: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,iv:xIAxj2D3HurNzQg/JjKCQ4KEwjKJ/PuDGM2RLRFuMX4=,tag:i5s0OMkvIgY4rgLQygVsaQ==,type:str]
users:
admin-password: ENC[AES256_GCM,data:Hxcj/ZxBeUmUDh+R6NWGe2fVTtd56d1VgPGKUG5mIf4=,iv:X6/3hk1SylA9xWNkrE7Ynu7jgY7YDU/rmJeALKfDVRU=,tag:y8RUy45n0EcpsYCrmjLrPQ==,type:str]
search-password: ENC[AES256_GCM,data:RsAdOdPYRv5uFiAAEtNHpiPOFV8Qq2ie1a3LWq8CX4A=,iv:jU1EknnTCuivYeZep3+/Fz0TaGVHinwrqXpZRVV1P48=,tag:+gl4bLr8xlCW4Yb2Q6fXcA==,type:str]
sops:
kms: []
gcp_kms: []
@ -26,8 +28,8 @@ sops:
OHlKSmZ0WGpJNTNlbGJZdWsvV2JVSjQKChNZeeT4l/ZiBMC0SZXY8wsNnZBtM9vw
WfVljqnQTMODkoLjfxcvET2xZjSHSI0wjULjMAgg67lRUEG2bxMp3g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-23T05:29:41Z"
mac: ENC[AES256_GCM,data:PgiZ9mg5ffLrkLO4RhxRScDiL0SQoF60cTMzxITOx1UtIjXWqmB/OM7rnOwlwVtyHY0OLe5XTVQ+yjVRD2Zv6ri0EJKU/0NZperunFdp/91iIswmzWJjwxD9luRw2h5Fjnq64xgWDJtpIMDIJy5PtxiTh1hO3p38m572BWiQPFI=,iv:8IXRzC61ZXZBnxoiULTWO6dnAPUAEqOuuLnBWHCrQ5k=,tag:N7zTvbL8qTJOi8YC6DKNGA==,type:str]
lastmodified: "2022-12-23T23:08:05Z"
mac: ENC[AES256_GCM,data:rhV9INEgilWifP2XH+9wB1kiYOc+syjHBvhewpoukpbFsUYgLW9ISPjIlTFlAEP85dlCl0FwhR0SA/uJjC7rZOjVbmn4Dj81E+gB/3MfxTqHuAce3tPDdOc5KJrFr8EMw7K3F/sGXeRsfi/rmqDg5dY3KxfD2BYJs1SCbdM5dGw=,iv:b3Gncab2ASlyu5Z8X1JHd490eK8XEf4sFd6Y5X3OYng=,tag:Di0zen2aMdZtvGO+JAG30Q==,type:str]
pgp:
- created_at: "2022-07-31T16:18:25Z"
enc: |

56
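--- /dev/null
+++ b/hosts/auth/seed.json
@@ -0,0 +1,56 @@
+{
+"groups": [
+{
+"long_name": "Portunus Administrators",
+"name": "admins",
+"permissions": {
+"portunus": {
+"is_admin": true
+}
+}
+},
+{
+"long_name": "Search",
+"name": "search",
+"permissions": {
+"ldap": {
+"can_read": true
+}
+}
+},
+{
+"long_name": "Gitea Administrators",
+"name": "gitea-admins",
+"permissions": {}
+},
+{
+"long_name": "Grafana Administrators",
+"name": "grafana-admins",
+"permissions": {}
+},
+{
+"long_name": "Hydra Administrators",
+"name": "hydra-admins",
+"permissions": {}
+}
+],
+"users": [
+{
+"family_name": "Administrator",
+"given_name": "Initial",
+"login_name": "admin",
+"password": {
+"from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/admin-password" ]
+}
+},
+{
+"email": "search@c3d2.de",
+"family_name": "-",
+"given_name": "Search",
+"login_name": "search",
+"password": {
+"from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/search-password" ]
+}
+}
+]
+}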
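Review bot: Both `from_command` entries hard-code `/run/secrets/portunus/users/…`, so the seed silently depends on the secrets module keeping its default location, whereas the Nix side of this commit refers to secrets through `config.sops.secrets."…".path`. If the two drift, the failure would only show at service start; how Portunus treats a failing or empty command is not visible here and is worth checking. Consider generating the seed from Nix so the argument becomes `config.sops.secrets."portunus/users/admin-password".path`, and calling `cat` by absolute path rather than through `/usr/bin/env`, which relies on the unit's PATH. Keeping the credentials behind `from_command` is the right choice, since this file is now stored unencrypted in the repository.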