authorMike Vink <mike1994vink@gmail.com>2023-10-18 01:48:42 +0200
committerMike Vink <mike1994vink@gmail.com>2023-10-18 01:48:42 +0200
commite4a3e449cd964cf565307f8c004fb48e00ebbbb3 (patch)
treee8661b56778bc87d36fd9bd399a5ce606367c4f5
parentc04fe2d9fbeb1891309d70459e248ecf3b037d3a (diff)
add porkbun secret
-rw-r--r--.sops.yaml6
-rw-r--r--machines/serber.nix47
-rw-r--r--secrets/serber/porkbun24
3 files changed, 65 insertions, 12 deletions
diff --git a/.sops.yaml b/.sops.yaml
index b70f499..dcc4cf5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,5 +1,6 @@
keys:
- &ivi age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0
+ - &serber age1vvr5amtuf7cyhsmc8ge8ujlzpuwvwhleqafrjg2e8mcevnq2zs3qzzqq5m
creation_rules:
- path_regex: secrets/[^/]+\.?(yaml|json|env|ini)?$
key_groups:
@@ -9,3 +10,8 @@ creation_rules:
key_groups:
- age:
- *ivi
+ - path_regex: secrets/serber/[^/]+\.?(yaml|json|env|ini)?$
+ key_groups:
+ - age:
+ - *serber
+ - *ivi
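Review bot: The new `secrets/serber/` rule is appended below the general rules, and sops uses the first `creation_rules` entry whose `path_regex` matches, so it only takes effect because the first regex (`secrets/[^/]+\.?(yaml|json|env|ini)?$`) cannot match a path with a second `/` and, presumably, neither does the rule that sits between the two hunks and is not visible here; confirm that middle regex does not match `secrets/serber/`. Placing the more specific rule above the general ones, or anchoring each regex with a leading `^`, keeps the key assignment from silently changing when another rule is added later. Encrypting to both `*serber` and `*ivi` is consistent with the new file in this commit, which carries both recipients.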
diff --git a/machines/serber.nix b/machines/serber.nix
index 10a15c3..48ccf27 100644
--- a/machines/serber.nix
+++ b/machines/serber.nix
@@ -1,10 +1,38 @@
-{ config, pkgs, sops, ... }: {
- imports = [
- ./hardware-configuration.nix
- ./networking.nix # generated at runtime by nixos-infect
- ];
+{ modulesPath, config, pkgs, sops, ... }: {
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- sops.age.sshKeyPaths = [];
+ networking = {
+ nameservers = [ "8.8.8.8" ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ { address="65.108.155.179"; prefixLength=32; }
+ ];
+ ipv6.addresses = [
+ { address="2a01:4f9:c010:d2b5::1"; prefixLength=64; }
+ { address="fe80::9400:2ff:fe53:8544"; prefixLength=64; }
+ ];
+ ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
+ ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
+ };
+
+ };
+ };
+
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:02:53:85:44", NAME="eth0"
+ '';
+
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+ sops.age.sshKeyPaths = [/etc/ssh/ssh_host_ed25519_key];
system.stateVersion = "23.05";
boot.tmp.cleanOnBoot = true;
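Review bot: `usePredictableInterfaceNames = lib.mkForce false;` references `lib`, but the rewritten argument set `{ modulesPath, config, pkgs, sops, ... }` does not bind it, so this module should fail to evaluate with an undefined-variable error unless `lib` is bound elsewhere in the file; change the first line to `{ modulesPath, config, pkgs, lib, sops, ... }: {`. The line `sops.age.sshKeyPaths = [/etc/ssh/ssh_host_ed25519_key];` uses a Nix path literal rather than a string: a path literal that is coerced into a string or derivation context is copied into the world-readable Nix store, which for a host private key is exactly the outcome to avoid, and as far as I recall sops-nix declares this option as a list of strings, so write it as `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`. Minor style: the address sets mix `address="…"` and `address = "…"` spacing, and there is a stray blank line inside `interfaces` after the `eth0` block. The module's top-level attribute set continues past the hunk.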
@@ -13,18 +41,13 @@
networking.domain = "xyz";
services.openssh.enable = true;
- sops.secrets.porkbunCredentials = {
- format = "binary";
- sopsFile = ../../secrets/credentials/porkbun;
- };
-
security.acme = {
acceptTerms = true;
defaults = {
extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
email = ivi.email;
dnsProvider = "porkbun";
- credentialsFile = config.sops.secrets.porkbunCredentials.path;
+ credentialsFile = config.secrets.porkbun.path;
};
certs = {
"vinkland.xyz" = { };
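Review bot: `credentialsFile = config.secrets.porkbun.path;` reads an option path that neither NixOS nor sops-nix declares (sops-nix exposes decrypted secrets under `config.sops.secrets.<name>.path`), and the same hunk deletes the only `sops.secrets.*` declaration without declaring the new `secrets/serber/porkbun` file added in this commit, so unless a custom `secrets` module exists elsewhere in the repository the ACME configuration no longer points at a provisioned credentials file. Declare the new secret and reference it through sops-nix: `sops.secrets.porkbun = { format = "binary"; sopsFile = ../secrets/serber/porkbun; };` and `credentialsFile = config.sops.secrets.porkbun.path;` (the `sopsFile` path is relative to `machines/serber.nix`, per the file names in the diffstat). The `security.acme` attribute set continues past the end of the hunk.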
diff --git a/secrets/serber/porkbun b/secrets/serber/porkbun
new file mode 100644
index 0000000..bd610cc
--- /dev/null
+++ b/secrets/serber/porkbun
@@ -0,0 +1,24 @@
+{
+ "data": "ENC[AES256_GCM,data:p2Xf9Pnmpus9cL4+lZmLtSQCDROwE+xpqAPx29eWqfgMRGTJGREbF3fqBO76CV1KU/KmY0UxazMGBf2ErkMuCbx49sNskOD2PHFpakG6B31Qn9akIvGOk6rJZuQMtOjtcKsOg4nK8eVy182eCpuSOt91dJUy3XgpxieNhUDSc+SjXfn5vpoJic3SHKK6ZxXFagXxId2FenGYUlCWzwywXCiL4CEJjzHYJnhO3GC7VAYg,iv:K0NdPIGJFaO7Gq2K80tjAUfnp9+KmOCefmVG85nnPgY=,tag:+gPX3MfK4bDdGyhQ6N3Vog==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1vvr5amtuf7cyhsmc8ge8ujlzpuwvwhleqafrjg2e8mcevnq2zs3qzzqq5m",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZ3BXYmNCa0xFL00yQ1pJ\nY2VabkVkdDMvYytvdFM1MFlxVHJPdmJOUUNNCjRERHJrRURyMm5UM1RhQ05nTi8z\ncnpxczl5TFBtbHVRSjdJSjBneThrVE0KLS0tIEpUTmlUVXdTelYxUGhJdWFoTXds\nUDM4bHpmQUJId1M1RE0yeDRKNzlSV3MKbTSttMmQmALfvl4V/HfAtIsXqf0BxEaU\n9cZ1ip+600vmTqifYqCYF7uf4pGlwpkHu68gEsZakBjUX8uSK8JRRQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eG1ZT0Zqd0R6NjZ1S005\nM3ozcm9IbjREV3dnUkhmZndxVjlhalZzY1dNCjlrQncyV2JzbERsbFNrSlJWZDRK\nZ0RSMU41WTk2MWtZVmszQ3FMdGpjcnMKLS0tIGtNU0Q5VGwwMHd3TEJBNlcrNTdY\nSk5xQ0NnUUhyVDAzZGhXdXRvOFhWYjAKfveW9AxWCX1VjlIr6Ung3jMjou2Yiyvn\nP9o1yP9nu1nWdSfoHjuIlv3epDVIkq0s/Xq/Vl0Af4/FACPEUhOeLw==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-10-17T23:45:30Z",
+ "mac": "ENC[AES256_GCM,data:MtQ/ILhaNPFkxeEa/3hJV7sZ3S2qRVsYRcrvpvVyQzeBKHaG4Z61qQBlqkdUy1VWVc6te+B8eeMS5oexsP1ztGHsary715U5xUmHW1jiz8mITGfq5KOi91Xh54+v08mAexVZeEzZFxGpqkgyPY/UjFOnmeALGsEZLi0NL923/TQ=,iv:EzHS6yu3bjHNKSyOXqyeXDsQeOPUxpkORrTVVp5uQkg=,tag:gX+mf4S0QWUMkVBfU1R1zg==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.0"
+ }
+} \ No newline at end of file