Move sopsDefaultFile into hosts
This commit is contained in:
parent
6c6a889775
commit
f2bd987f1e
20
flake.nix
20
flake.nix
|
@ -440,9 +440,6 @@
|
|||
modules = [
|
||||
self.nixosModules.microvm
|
||||
./hosts/broker
|
||||
{
|
||||
sops.defaultSopsFile = ./hosts/broker/secrets.yaml;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -454,7 +451,6 @@
|
|||
nixpkgs.overlays = with secrets.overlays; [
|
||||
freifunk ospf
|
||||
];
|
||||
sops.defaultSopsFile = ./hosts/freifunk/secrets.yaml;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
@ -479,18 +475,12 @@
|
|||
nixos-hardware.nixosModules.common-cpu-intel
|
||||
nixos-hardware.nixosModules.common-pc-ssd
|
||||
secrets.nixosModules.admins
|
||||
{
|
||||
sops.defaultSopsFile = ./hosts/glotzbert/secrets.yaml;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
hedgedoc = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
{
|
||||
sops.defaultSopsFile = ./hosts/hedgedoc/secrets.yaml;
|
||||
}
|
||||
./hosts/hedgedoc
|
||||
];
|
||||
nixpkgs = inputs.nixos-unstable-sandro;
|
||||
|
@ -509,7 +499,6 @@
|
|||
({ modulesPath, ... }:
|
||||
{
|
||||
nixpkgs.overlays = [ heliwatch.overlay ];
|
||||
sops.defaultSopsFile = ./hosts/radiobert/secrets.yaml;
|
||||
})
|
||||
./hosts/radiobert
|
||||
];
|
||||
|
@ -570,7 +559,6 @@
|
|||
./hosts/dn42
|
||||
{
|
||||
nixpkgs.overlays = [ secrets.overlays.dn42 ];
|
||||
sops.defaultSopsFile = ./hosts/dn42/secrets.yaml;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
@ -591,7 +579,6 @@
|
|||
inherit self;
|
||||
inherit (inputs) hydra-ca;
|
||||
};
|
||||
sops.defaultSopsFile = ./hosts/hydra/secrets.yaml;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
@ -685,9 +672,6 @@
|
|||
self.nixosModules.plume
|
||||
self.nixosModules.microvm
|
||||
./hosts/blogs
|
||||
{
|
||||
sops.defaultSopsFile = ./hosts/blogs/secrets.yaml;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -717,7 +701,6 @@
|
|||
./hosts/oparl
|
||||
{
|
||||
_module.args = { inherit oparl-scraper; };
|
||||
sops.defaultSopsFile = ./hosts/oparl/secrets.yaml;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
@ -759,9 +742,6 @@
|
|||
modules = [
|
||||
self.nixosModules.microvm
|
||||
./hosts/mediawiki
|
||||
{
|
||||
sops.defaultSopsFile = ./hosts/mediawiki/secrets.yaml;
|
||||
}
|
||||
];
|
||||
nixpkgs = nixos-unstable;
|
||||
};
|
||||
|
|
|
@ -19,10 +19,13 @@
|
|||
envFile = config.sops.secrets."plume/env".path;
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = {
|
||||
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
|
||||
};
|
||||
};
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts."blogs.c3d2.de" = {
|
||||
|
|
|
@ -118,6 +118,7 @@ in
|
|||
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = let
|
||||
perms = {
|
||||
owner = config.systemd.services.mosquitto.serviceConfig.User;
|
||||
|
|
|
@ -37,18 +37,21 @@ in {
|
|||
|
||||
# SSH for deployment
|
||||
services.openssh.enable = true;
|
||||
sops.secrets = builtins.foldl' (result: name:
|
||||
let
|
||||
conf = neighbors.${name};
|
||||
in result // (
|
||||
if conf ? openvpn
|
||||
then { "neighbors/${name}/openvpn/key" = {}; }
|
||||
else if conf ? wireguard
|
||||
then { "neighbors/${name}/wireguard/privateKey" = {}; }
|
||||
else {}
|
||||
)
|
||||
) {} (builtins.attrNames neighbors);
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = builtins.foldl' (result: name:
|
||||
let
|
||||
conf = neighbors.${name};
|
||||
in result // (
|
||||
if conf ? openvpn
|
||||
then { "neighbors/${name}/openvpn/key" = {}; }
|
||||
else if conf ? wireguard
|
||||
then { "neighbors/${name}/wireguard/privateKey" = {}; }
|
||||
else {}
|
||||
)
|
||||
) {} (builtins.attrNames neighbors);
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
|
|
|
@ -94,11 +94,14 @@ in {
|
|||
|
||||
environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools iperf bmxd ];
|
||||
|
||||
sops.secrets."wireguard/vpn6/privateKey" = {
|
||||
group = "systemd-network";
|
||||
mode = "0440";
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."wireguard/vpn6/privateKey" = {
|
||||
group = "systemd-network";
|
||||
mode = "0440";
|
||||
};
|
||||
};
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
# unbreak wg-vpn6 ingress path
|
||||
boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;
|
||||
|
|
|
@ -18,7 +18,10 @@
|
|||
maxJobs = 4;
|
||||
};
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
};
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
|
|
|
@ -89,6 +89,7 @@
|
|||
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = {
|
||||
"hedgedoc".owner = config.systemd.services.hedgedoc.serviceConfig.User;
|
||||
};
|
||||
|
|
|
@ -132,7 +132,10 @@
|
|||
resolved.enable = false;
|
||||
};
|
||||
|
||||
sops.secrets."nix-serve/secretKey".mode = "0444";
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."nix-serve/secretKey".mode = "0444";
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
hydra-evaluator.serviceConfig = {
|
||||
|
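Review bot: The new `sops = { ... }` block here sets `defaultSopsFile` but, unlike every other host in this commit, no `age.sshKeyPaths`; the oparl host hunk has the same omission. The old code did not set it either, so this looks deliberate (relying on the sops-nix default), but a one-line comment such as `# age.sshKeyPaths intentionally left at the sops-nix default` would stop the next reader from "fixing" it to match the other hosts. Separately, `secrets."nix-serve/secretKey".mode = "0444"` makes the cache signing key readable by every local user; if nix-serve runs under its own user, an `owner`/`group` plus `mode = "0440"` would be tighter — worth confirming which user actually reads it.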
|
|
@ -34,21 +34,23 @@
|
|||
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
sops.secrets = {
|
||||
"mediawiki/adminPassword" = {
|
||||
owner = config.systemd.services.mediawiki-init.serviceConfig.User;
|
||||
};
|
||||
"mediawiki/upgradeKey" = {
|
||||
owner = config.systemd.services.mediawiki-init.serviceConfig.User;
|
||||
};
|
||||
"mediawiki/secretKey" = {
|
||||
owner = config.systemd.services.mediawiki-init.serviceConfig.User;
|
||||
path = "/var/lib/mediawiki/secret.key";
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./hosts/mediawiki/secrets.yaml;
|
||||
secrets = {
|
||||
"mediawiki/adminPassword" = {
|
||||
owner = config.systemd.services.mediawiki-init.serviceConfig.User;
|
||||
};
|
||||
"mediawiki/upgradeKey" = {
|
||||
owner = config.systemd.services.mediawiki-init.serviceConfig.User;
|
||||
};
|
||||
"mediawiki/secretKey" = {
|
||||
owner = config.systemd.services.mediawiki-init.serviceConfig.User;
|
||||
path = "/var/lib/mediawiki/secret.key";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
services.logrotate.checkConfig = false;
|
||||
|
||||
services.mediawiki =
|
||||
|
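Review bot: `defaultSopsFile = ./hosts/mediawiki/secrets.yaml;` in the new `sops = { ... }` block is almost certainly the wrong path: this hunk appears to be the mediawiki host module (the file header is not shown, so inferred from the flake.nix hunk that drops the same setting for `./hosts/mediawiki`), and a relative path there resolves under hosts/mediawiki/ again. Every other host in this commit uses `defaultSopsFile = ./secrets.yaml;`, which is what this line should be; as written, the secrets file will not be found once the flake-level override is gone. The enclosing attribute set continues outside the hunk.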
|
|
@ -23,7 +23,11 @@ in
|
|||
"C ${config.users.users.oparl.home}/.ssh/id_ed25519 0400 oparl oparl - ${config.sops.secrets."users/oparl/id_ed25519".path}"
|
||||
"z ${config.users.users.oparl.home}/.ssh/id_ed25519 0400 oparl oparl - -"
|
||||
];
|
||||
sops.secrets."users/oparl/id_ed25519" = {};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."users/oparl/id_ed25519" = {};
|
||||
};
|
||||
|
||||
systemd.services.oparl-scraper = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
|
|
@ -91,7 +91,10 @@
|
|||
maxJobs = 2;
|
||||
};
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "radiobert"; # Define your hostname.
|
||||
|
|