Add sops secrets and miniflux

2025-03-23 22:33:20 +01:00 · 2025-03-23 22:33:20 +01:00 · 0f10949aa2
commit 0f10949aa2
parent 21d138dfaa
5 changed files with 87 additions and 2 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,8 @@
+keys:
+  - &admin age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+creation_rules:
+  - path_regex: hosts/dalinar/secrets.yaml
+    key_groups:
+      - age:
+        - *admin
+        - age1y5lmqqzpapjmtxzvsmf6a9cchhhpq05uwdlqv2q6yz9kkx3s6ars6szsc7
--- a/flake.lock
+++ b/flake.lock
@ -452,7 +452,8 @@
        "home-manager": "home-manager",
        "lanzaboote": "lanzaboote",
        "nixpkgs": "nixpkgs",
-        "nixvim": "nixvim"
+        "nixvim": "nixvim",
+        "sops-nix": "sops-nix"
      }
    },
    "rust-overlay": {
@ -476,6 +477,26 @@
        "type": "github"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1742700801,
+        "narHash": "sha256-ZGlpUDsuBdeZeTNgoMv+aw0ByXT2J3wkYw9kJwkAS4M=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "67566fe68a8bed2a7b1175fdfb0697ed22ae8852",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -26,9 +26,11 @@
        treefmt-nix.follows = "";
      };
    };
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, home-manager, deploy-rs, disko, nixvim, ghostty, lanzaboote, ...}:
+  outputs = { self, nixpkgs, home-manager, deploy-rs, disko, nixvim, ghostty, lanzaboote, sops-nix, ...}:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
@ -58,6 +60,7 @@
          inherit system;
          modules = [
            disko.nixosModules.disko
+            sops-nix.nixosModules.sops
            lanzaboote.nixosModules.lanzaboote
            ./hosts/dalinar
          ];
--- a/hosts/dalinar/default.nix
+++ b/hosts/dalinar/default.nix
@ -58,6 +58,17 @@

  time.timeZone = "Europe/Berlin";

+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [];
+  sops.age.keyFile = "/etc/age/keys.txt";
+  sops.secrets."miniflux/ADMIN_USERNAME" = { };
+  sops.secrets."miniflux/ADMIN_PASSWORD" = { };
+  sops.templates."miniflux-admin-credentials".content = ''
+    ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"}
+    ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}
+  '';
+
+
  i18n.defaultLocale = "en_US.UTF-8";
   console = {
     font = "Lat2-Terminus16";
@ -206,6 +217,11 @@
    };
  };

+  services.miniflux = {
+    enable = true;
+    adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path;
+  };
+
  services.caddy = {
    enable = true;
    virtualHosts = {
@ -219,6 +235,11 @@
          reverse_proxy localhost:${builtins.toString config.services.prometheus.port}
        '';
      };
+      "http://feeds.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy localhost:8080
+        '';
+      };
    };
  };

--- a/hosts/dalinar/secrets.yaml
+++ b/hosts/dalinar/secrets.yaml
@ -0,0 +1,32 @@
+miniflux:
+    ADMIN_USERNAME: ENC[AES256_GCM,data:k27rrjZWxPI=,iv:JlGrbUxf2kpiQ3pOtrYGEXsCZbn4IJqoeOhoJ4QMaCI=,tag:iduP6v0IWBNYRM8FhUeBww==,type:str]
+    ADMIN_PASSWORD: ENC[AES256_GCM,data:6bctOmg79yyM8oNyTZ+9SQ==,iv:z0ldWb1PtWqmCHFFJkVJh3JUKqRmFm4olIkK4/ciq3Y=,tag:k04RksQJdOOeBPEI+HpSFw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUk9VN1dCMzNoWVozMzZR
+            MG1rTkF6STRiK200b1FFZW8zQjRMeFRoUUVJCms3UHBPODA1MHBxdjBpVHBFdlVu
+            KzRoVGErSjRkTStIMVVUYm9GbmVJMm8KLS0tIEhoVWRhaVB3d2c3Rk15YlI5NlE5
+            ZWpJbnJCK3VSMzJUa1hXSmdNOUoreUEKfsW5cJgy1TibKfZ/pGUtlSlsnmtaj9mF
+            T2RImHfCA0ek2rCaK/VrRs8mvQCCMxWKOqwd7Fc1L+htrDzZOPv6fw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1y5lmqqzpapjmtxzvsmf6a9cchhhpq05uwdlqv2q6yz9kkx3s6ars6szsc7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VFg1ZTQxOFBOSjVKR0Q4
+            Y2J0dU5odDdudS9VYzU5WmZkOGdSQnlwNDIwCjEwWjQzWVk4MldjcXE3Q045ZE5t
+            YUhJR3o4d0xwOVk5MmlNbzNORjUvcXMKLS0tIHN6b2R3bDNXSk9BS1dnc0JweW1C
+            SVMwSGwwWVo1RzZnSjB6Z0MraTBHZ00KiHCJ8M3xQ8+YH5+aOy3th5fYTEavHqa0
+            bbzATd2uRW8K+RSW3NFpN2AMtn9GCGt6Hsw0kezhiBN8qZ4tneKxJg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-23T21:30:34Z"
+    mac: ENC[AES256_GCM,data:rFYQ3Zm+ooTpxnWpJ1XdlZsGH9h1CLUfbDUZrQZZYOkZVNnnkJgbHYcSt6cv0iwCsktC6g/Hp3eiA4+oXXLm/viJ1EvSprIdYvhfdsK3qR/sw08tqn9a97yfxYlo79gu/JkMusXZ4gLSJiKwJJ79ohiBBeMGQcUfETalDZpx+mU=,iv:DEv8Qy2wPqUC45dhx32hlBWK3bfcANPjARuxWbnnrY4=,tag:wSpTKcZX9ocz07g1AQ2NBw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4