Add sops secrets and miniflux

Johannes Rothe 2025-03-23 22:33:20 +01:00
parent 21d138dfaa
commit 0f10949aa2
5 changed files with 87 additions and 2 deletions

8
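--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+keys:
+- &admin age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+creation_rules:
+- path_regex: hosts/dalinar/secrets.yaml
+key_groups:
+- age:
+- *admin
+- age1y5lmqqzpapjmtxzvsmf6a9cchhhpq05uwdlqv2q6yz9kkx3s6ars6szsc7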
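Review bot: The second recipient in the `hosts/dalinar/secrets.yaml` rule is a bare age key with no anchor or comment, so the file does not say whose key it is, even though every recipient listed here can decrypt the host's secrets. Declare it under `keys:` with an anchor such as `&dalinar` and reference it as `*dalinar`, the way `&admin` is handled; presumably it is the host's own key, which should be confirmed. The `path_regex` is also looser than it reads, since the `.` is unescaped and the pattern has no end anchor; `path_regex: hosts/dalinar/secrets\.yaml$` would match only the intended file.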

23
flake.lock generated

@ -452,7 +452,8 @@
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs",
"nixvim": "nixvim"
"nixvim": "nixvim",
"sops-nix": "sops-nix"
}
},
"rust-overlay": {
@ -476,6 +477,26 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1742700801,
"narHash": "sha256-ZGlpUDsuBdeZeTNgoMv+aw0ByXT2J3wkYw9kJwkAS4M=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "67566fe68a8bed2a7b1175fdfb0697ed22ae8852",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,


@ -26,9 +26,11 @@
treefmt-nix.follows = "";
};
};
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, home-manager, deploy-rs, disko, nixvim, ghostty, lanzaboote, ...}:
outputs = { self, nixpkgs, home-manager, deploy-rs, disko, nixvim, ghostty, lanzaboote, sops-nix, ...}:
let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
@ -58,6 +60,7 @@
inherit system;
modules = [
disko.nixosModules.disko
sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
./hosts/dalinar
];


@ -58,6 +58,17 @@
time.timeZone = "Europe/Berlin";
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [];
sops.age.keyFile = "/etc/age/keys.txt";
sops.secrets."miniflux/ADMIN_USERNAME" = { };
sops.secrets."miniflux/ADMIN_PASSWORD" = { };
sops.templates."miniflux-admin-credentials".content = ''
ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"}
ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}
'';
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
@ -206,6 +217,11 @@
};
};
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path;
};
services.caddy = {
enable = true;
virtualHosts = {
@ -219,6 +235,11 @@
reverse_proxy localhost:${builtins.toString config.services.prometheus.port}
'';
};
"http://feeds.dalinar.home.johannes-rothe.de" = {
extraConfig = ''
reverse_proxy localhost:8080
'';
};
};
};
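Review bot: The new Caddy virtual host is keyed as `"http://feeds.dalinar.home.johannes-rothe.de"`, which makes Caddy serve Miniflux without TLS, so the admin username and password that this commit encrypts at rest with sops travel in clear text at every login, as does the session cookie. If the name is reachable beyond a trusted network segment, drop the `http://` scheme so Caddy provisions a certificate (with `tls internal` if the name is not publicly resolvable); whether the other virtual hosts already do this is not visible in the hunk. Separately, `reverse_proxy localhost:8080` repeats Miniflux's default listen address as a literal, whereas the Prometheus host just above reads its port from config; `reverse_proxy ${config.services.miniflux.config.LISTEN_ADDR}` would keep the proxy and the service in step.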


@ -0,0 +1,32 @@
miniflux:
ADMIN_USERNAME: ENC[AES256_GCM,data:k27rrjZWxPI=,iv:JlGrbUxf2kpiQ3pOtrYGEXsCZbn4IJqoeOhoJ4QMaCI=,tag:iduP6v0IWBNYRM8FhUeBww==,type:str]
ADMIN_PASSWORD: ENC[AES256_GCM,data:6bctOmg79yyM8oNyTZ+9SQ==,iv:z0ldWb1PtWqmCHFFJkVJh3JUKqRmFm4olIkK4/ciq3Y=,tag:k04RksQJdOOeBPEI+HpSFw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUk9VN1dCMzNoWVozMzZR
MG1rTkF6STRiK200b1FFZW8zQjRMeFRoUUVJCms3UHBPODA1MHBxdjBpVHBFdlVu
KzRoVGErSjRkTStIMVVUYm9GbmVJMm8KLS0tIEhoVWRhaVB3d2c3Rk15YlI5NlE5
ZWpJbnJCK3VSMzJUa1hXSmdNOUoreUEKfsW5cJgy1TibKfZ/pGUtlSlsnmtaj9mF
T2RImHfCA0ek2rCaK/VrRs8mvQCCMxWKOqwd7Fc1L+htrDzZOPv6fw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y5lmqqzpapjmtxzvsmf6a9cchhhpq05uwdlqv2q6yz9kkx3s6ars6szsc7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VFg1ZTQxOFBOSjVKR0Q4
Y2J0dU5odDdudS9VYzU5WmZkOGdSQnlwNDIwCjEwWjQzWVk4MldjcXE3Q045ZE5t
YUhJR3o4d0xwOVk5MmlNbzNORjUvcXMKLS0tIHN6b2R3bDNXSk9BS1dnc0JweW1C
SVMwSGwwWVo1RzZnSjB6Z0MraTBHZ00KiHCJ8M3xQ8+YH5+aOy3th5fYTEavHqa0
bbzATd2uRW8K+RSW3NFpN2AMtn9GCGt6Hsw0kezhiBN8qZ4tneKxJg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-23T21:30:34Z"
mac: ENC[AES256_GCM,data:rFYQ3Zm+ooTpxnWpJ1XdlZsGH9h1CLUfbDUZrQZZYOkZVNnnkJgbHYcSt6cv0iwCsktC6g/Hp3eiA4+oXXLm/viJ1EvSprIdYvhfdsK3qR/sw08tqn9a97yfxYlo79gu/JkMusXZ4gLSJiKwJJ79ohiBBeMGQcUfETalDZpx+mU=,iv:DEv8Qy2wPqUC45dhx32hlBWK3bfcANPjARuxWbnnrY4=,tag:wSpTKcZX9ocz07g1AQ2NBw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4