From 0f10949aa2006c3b8136ee549c131aa0d545b749 Mon Sep 17 00:00:00 2001
From: Johannes Rothe
Date: Sun, 23 Mar 2025 22:33:20 +0100
Subject: [PATCH] Add sops secrets and miniflux
---
 .sops.yaml | 8 ++++++++
 flake.lock | 23 ++++++++++++++++++++++-
 flake.nix | 5 ++++-
 hosts/dalinar/default.nix | 21 +++++++++++++++++++++
 hosts/dalinar/secrets.yaml | 32 ++++++++++++++++++++++++++++++++
 5 files changed, 87 insertions(+), 2 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 hosts/dalinar/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..f4d3f6d
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+keys:
+ - &admin age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+creation_rules:
+ - path_regex: hosts/dalinar/secrets.yaml
+ key_groups:
+ - age:
+ - *admin
+ - age1y5lmqqzpapjmtxzvsmf6a9cchhhpq05uwdlqv2q6yz9kkx3s6ars6szsc7
diff --git a/flake.lock b/flake.lock
index 8b1fe23..ff86cd9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -452,7 +452,8 @@
 "home-manager": "home-manager",
 "lanzaboote": "lanzaboote",
 "nixpkgs": "nixpkgs",
- "nixvim": "nixvim"
+ "nixvim": "nixvim",
+ "sops-nix": "sops-nix"
 }
 },
 "rust-overlay": {
@@ -476,6 +477,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1742700801,
+ "narHash": "sha256-ZGlpUDsuBdeZeTNgoMv+aw0ByXT2J3wkYw9kJwkAS4M=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "67566fe68a8bed2a7b1175fdfb0697ed22ae8852",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 882e88b..281f986 100644
--- a/flake.nix
+++ b/flake.nix
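Review bot: The second age recipient under `key_groups` in the new `.sops.yaml` is an unlabelled public key, so nothing in the file records which identity it belongs to; giving it an anchor like the first one (a `&dalinar` entry under `keys:` and `- *dalinar` in the group, label to be chosen by the author) would document that it is presumably the identity the host reads from `/etc/age/keys.txt`, which the accompanying `hosts/dalinar/default.nix` change implies but does not state. `path_regex` is also an unanchored regular expression in which `.` matches any character, so `^hosts/dalinar/secrets\.yaml$` limits the rule to exactly this file. Both are small, but the key-to-host mapping is what you need when a key has to be rotated or revoked.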
@@ -26,9 +26,11 @@
 treefmt-nix.follows = "";
 };
 };
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = { self, nixpkgs, home-manager, deploy-rs, disko, nixvim, ghostty, lanzaboote, ...}:
+ outputs = { self, nixpkgs, home-manager, deploy-rs, disko, nixvim, ghostty, lanzaboote, sops-nix, ...}:
 let
 system = "x86_64-linux";
 pkgs = nixpkgs.legacyPackages.${system};
@@ -58,6 +60,7 @@
 inherit system;
 modules = [
 disko.nixosModules.disko
+ sops-nix.nixosModules.sops
 lanzaboote.nixosModules.lanzaboote
 ./hosts/dalinar
 ];
diff --git a/hosts/dalinar/default.nix b/hosts/dalinar/default.nix
index f5bc1b7..16293fd 100644
--- a/hosts/dalinar/default.nix
+++ b/hosts/dalinar/default.nix
@@ -58,6 +58,17 @@
 time.timeZone = "Europe/Berlin";
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.sshKeyPaths = [];
+ sops.age.keyFile = "/etc/age/keys.txt";
+ sops.secrets."miniflux/ADMIN_USERNAME" = { };
+ sops.secrets."miniflux/ADMIN_PASSWORD" = { };
+ sops.templates."miniflux-admin-credentials".content = ''
+ ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"}
+ ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}
+ '';
+
+
 i18n.defaultLocale = "en_US.UTF-8";
 console = {
 font = "Lat2-Terminus16";
@@ -206,6 +217,11 @@
 };
 };
+ services.miniflux = {
+ enable = true;
+ adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path;
+ };
+
 services.caddy = {
 enable = true;
 virtualHosts = {
@@ -219,6 +235,11 @@
 reverse_proxy localhost:${builtins.toString config.services.prometheus.port}
 '';
 };
+ "http://feeds.dalinar.home.johannes-rothe.de" = {
+ extraConfig = ''
+ reverse_proxy localhost:8080
+ '';
+ };
 };
 };
diff --git a/hosts/dalinar/secrets.yaml b/hosts/dalinar/secrets.yaml
new file mode 100644
index 0000000..bd0be1b
--- /dev/null
+++ b/hosts/dalinar/secrets.yaml
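Review bot: `sops.age.keyFile = "/etc/age/keys.txt"` combined with `sops.age.sshKeyPaths = []` makes decryption depend solely on a file that nothing visible in this diff provisions, so a rebuild of a fresh install fails at activation until the identity has been copied in by hand; a comment above these lines such as `# age identity provisioned out of band; its recipient is the second key in .sops.yaml` would record that dependency for the next person who redeploys dalinar. The template feeds `services.miniflux.adminCredentialsFile`, whose NixOS option documentation describes the file as a systemd `EnvironmentFile`; as I read systemd.exec(5), that parser strips leading and trailing whitespace from unquoted values and interprets quote characters, so an admin password containing such characters would not reach miniflux intact. Quoting the values (`ADMIN_PASSWORD="${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}"`) narrows this at the cost of `"` then needing escaping; at minimum a comment on the template stating which characters the secret must avoid. The enclosing module attribute set starts and ends outside the hunk.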
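Review bot: `reverse_proxy localhost:8080` in the caddy hunk hard-codes the miniflux listen port, while the prometheus entry in the hunk's first context line derives its port from `config.services.prometheus.port`; if the miniflux address is ever changed through `services.miniflux.config.LISTEN_ADDR` the proxy silently breaks. Setting it explicitly in the miniflux block of the previous hunk (`config.LISTEN_ADDR = "localhost:8080";`) and writing `reverse_proxy ${config.services.miniflux.config.LISTEN_ADDR}` here keeps the two in one place, assuming the module exposes that attribute with the default merged in, which I cannot confirm from this diff. The `http://` scheme on the host name also tells Caddy to serve the admin login form without TLS; on a home network that may be the intent, but it deserves a comment, since the credentials this change encrypts at rest then travel in clear on the wire. The enclosing `virtualHosts` set begins outside the hunk.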
@@ -0,0 +1,32 @@
+miniflux:
+ ADMIN_USERNAME: ENC[AES256_GCM,data:k27rrjZWxPI=,iv:JlGrbUxf2kpiQ3pOtrYGEXsCZbn4IJqoeOhoJ4QMaCI=,tag:iduP6v0IWBNYRM8FhUeBww==,type:str]
+ ADMIN_PASSWORD: ENC[AES256_GCM,data:6bctOmg79yyM8oNyTZ+9SQ==,iv:z0ldWb1PtWqmCHFFJkVJh3JUKqRmFm4olIkK4/ciq3Y=,tag:k04RksQJdOOeBPEI+HpSFw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUk9VN1dCMzNoWVozMzZR
+ MG1rTkF6STRiK200b1FFZW8zQjRMeFRoUUVJCms3UHBPODA1MHBxdjBpVHBFdlVu
+ KzRoVGErSjRkTStIMVVUYm9GbmVJMm8KLS0tIEhoVWRhaVB3d2c3Rk15YlI5NlE5
+ ZWpJbnJCK3VSMzJUa1hXSmdNOUoreUEKfsW5cJgy1TibKfZ/pGUtlSlsnmtaj9mF
+ T2RImHfCA0ek2rCaK/VrRs8mvQCCMxWKOqwd7Fc1L+htrDzZOPv6fw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y5lmqqzpapjmtxzvsmf6a9cchhhpq05uwdlqv2q6yz9kkx3s6ars6szsc7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VFg1ZTQxOFBOSjVKR0Q4
+ Y2J0dU5odDdudS9VYzU5WmZkOGdSQnlwNDIwCjEwWjQzWVk4MldjcXE3Q045ZE5t
+ YUhJR3o4d0xwOVk5MmlNbzNORjUvcXMKLS0tIHN6b2R3bDNXSk9BS1dnc0JweW1C
+ SVMwSGwwWVo1RzZnSjB6Z0MraTBHZ00KiHCJ8M3xQ8+YH5+aOy3th5fYTEavHqa0
+ bbzATd2uRW8K+RSW3NFpN2AMtn9GCGt6Hsw0kezhiBN8qZ4tneKxJg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-03-23T21:30:34Z"
+ mac: ENC[AES256_GCM,data:rFYQ3Zm+ooTpxnWpJ1XdlZsGH9h1CLUfbDUZrQZZYOkZVNnnkJgbHYcSt6cv0iwCsktC6g/Hp3eiA4+oXXLm/viJ1EvSprIdYvhfdsK3qR/sw08tqn9a97yfxYlo79gu/JkMusXZ4gLSJiKwJJ79ohiBBeMGQcUfETalDZpx+mU=,iv:DEv8Qy2wPqUC45dhx32hlBWK3bfcANPjARuxWbnnrY4=,tag:wSpTKcZX9ocz07g1AQ2NBw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4