clean up and move acme to each host
parent
96af04f592
commit
358929aafa
6 changed files with 26 additions and 103 deletions
@ -32,15 +32,8 @@ in {
|
|||
|
||||
shellAbbrs = {
|
||||
nrs = "sudo nixos-rebuild switch --flake . --show-trace --accept-flake-config";
|
||||
nfc = "nix flake check --show-trace --accept-flake-config";
|
||||
nvdiff = "nvd diff /run/current-system result";
|
||||
# rook & ceph versions.
|
||||
rcv = ''
|
||||
kubectl \
|
||||
-n rook-ceph \
|
||||
get deployments \
|
||||
-l rook_cluster=rook-ceph \
|
||||
-o jsonpath='{range .items[*]}{.metadata.name}{" \treq/upd/avl: "}{.spec.replicas}{"/"}{.status.updatedReplicas}{"/"}{.status.readyReplicas}{" \trook-version="}{.metadata.labels.rook-version}{" \tceph-version="}{.metadata.labels.ceph-version}{"\n"}{end}'
|
||||
'';
|
||||
};
|
||||
|
||||
functions = {
|
||||
|
|
|
@ -50,6 +50,10 @@
|
|||
"sambaCredentials" = {
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
};
|
||||
"security/acme/env" = {
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
restartUnits = ["lego.service"];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -70,11 +74,26 @@
|
|||
};
|
||||
};
|
||||
|
||||
# ACME (Let's Encrypt) Configuration
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "admin@${config.networking.domain}";
|
||||
|
||||
certs.${config.networking.domain} = {
|
||||
extraDomainNames = [
|
||||
"${config.networking.domain}"
|
||||
"*.${config.networking.domain}"
|
||||
];
|
||||
dnsProvider = "dnsimple";
|
||||
dnsResolver = "1.1.1.1:53";
|
||||
credentialsFile = config.sops.secrets."security/acme/env".path;
|
||||
};
|
||||
};
|
||||
|
||||
# System settings and services.
|
||||
mySystem = {
|
||||
purpose = "Production";
|
||||
system.motd.networkInterfaces = ["enp1s0"];
|
||||
security.acme.enable = true;
|
||||
services = {
|
||||
forgejo = {
|
||||
enable = true;
|
||||
|
|
|
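Review bot: `restartUnits = ["lego.service"];` on the new `"security/acme/env"` secret in the first hunk names a unit the NixOS ACME module does not create; its per-certificate units are `acme-<name>.service`, so rotating the secret will not restart the renewal job unless a `lego.service` is defined elsewhere on this host (none is visible in these hunks). Since the same file already keys the certificate on `config.networking.domain`, the reference can track it: `restartUnits = ["acme-${config.networking.domain}.service"];`. Two smaller points in the second hunk: `extraDomainNames` repeats `"${config.networking.domain}"`, which is already the certificate's own name, so that entry is redundant, and `dnsProvider` is now `"dnsimple"` where the removed module used `"cloudflare"`, so the env file must carry the DNSimple credential variables rather than the Cloudflare ones — presumably it does, since the secret was re-encrypted in this commit, but it is worth confirming before the first renewal.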
@ -1,4 +1,7 @@
|
|||
sambaCredentials: ENC[AES256_GCM,data:0caF4cBW5TSn36pZQmcjHbM9nrFGF55HmPVD4HMea1Ul7A3y1HHz0Pgl4rrYzdg=,iv:OCme9i0tHhDbypits5TKfsGXnblYqBPouhwSVeu5q+M=,tag:F9zub18fB0zZh5ssHal+Gw==,type:str]
|
||||
security:
|
||||
acme:
|
||||
env: ENC[AES256_GCM,data:LMrK8IIpx1d5Jl60VHDdwVLm4lyFDSELX1pF9wvFrNY0OJZ1EuHQ7Jgtf1wZ/cNy3XYFRxD9lEuNPJd0UN4vCw==,iv:2WEiipdYcsPX4frAvO7Iyp8zKWtydYlaPPKBd/1SFDM=,tag:G0Va5OcgSEO5E+m8jxsrFA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -50,8 +53,8 @@ sops:
|
|||
UHdRbDBBeXFwR0Vtc1h1N05mN0pVZzgKxLuY/RNLkhPpPDGDkO3yqbelCGng/qm1
|
||||
9Yo97TlLq4zyw1cu2z0Fvcid3ZJt107+NN/2DZ4o8eXSnBSVXUcktw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-03-09T06:33:41Z"
|
||||
mac: ENC[AES256_GCM,data:z2v8UbTtkDjf06VyxCNhldcSCHSfyFBsNbUJqwKD7mwlZTJZY2Nhe18FxX2QVX9BbA6etPhIgDANmJsZCc02vSpF5/d943AZm0B26D4c0XuUxZuhkUSdsfmmUFCuS6WksSNEXAGMuDagaut5yla6GuaRAzFWZW8JBgSmWAcT9f8=,iv:NnyWRN1rGlESQUCRW3iP2BL6SG/ke5ZHNN3OjCvOiEA=,tag:/8kpGVAMT5kmjQ8s7U4k/w==,type:str]
|
||||
lastmodified: "2025-03-09T17:15:11Z"
|
||||
mac: ENC[AES256_GCM,data:8nCX56znsRy2y1NmkCBJ5e/szd8CTJ1BIbNew40hdT50EruedQTmQWrOhql+na3ZDSWOfPHwufgX6hFwA6UHuOYZCswsS0ST2vtV1Y/f7Y0i20q7jAxslDxUt8MT94Z+WunZ7OgZn+3DVCSVkwtc3VqLT/gcATaA3KgbHTsiEFQ=,iv:PSkQC6oIlKAkwyVrwHJBLNVnhGVkSkVhtOyoV0FwPdY=,tag:bszELdBw3HnK9g5rPaocMQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.4
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.mySystem.security.acme;
|
||||
in {
|
||||
options.mySystem.security.acme.enable = mkEnableOption "acme";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
sops.secrets = {
|
||||
"security/acme/env".sopsFile = ./secrets.sops.yaml;
|
||||
"security/acme/env".restartUnits = ["lego.service"];
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "admin@${config.networking.domain}";
|
||||
|
||||
certs.${config.networking.domain} = {
|
||||
extraDomainNames = [
|
||||
"${config.networking.domain}"
|
||||
"*.${config.networking.domain}"
|
||||
];
|
||||
dnsProvider = "cloudflare";
|
||||
dnsResolver = "1.1.1.1:53";
|
||||
credentialsFile = config.sops.secrets."security/acme/env".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,59 +0,0 @@
|
|||
security:
|
||||
acme:
|
||||
env: ENC[AES256_GCM,data:+7NAKL4Q7RVOPbCqXsYxFobhkbw9Yd30bMnsqb/CSe6VhgIF1QSXEZhkV9DJhT1gEC4q/afdXS6E7H5uluELJ9c=,iv:5mka4nY40Eb//VOIBpBfoh7Fl/aZR3lefD0fDBo90OI=,tag:CLws//UGztDC4q9NP3D8eQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Mk0zN0NXZytFeWdkUi9h
|
||||
NFVuaml0eC9xUnhIRUZUTHNYZHAzSC9Sd3hVClliWWdHaExValVLQnJOZi9sZWF5
|
||||
WTd1L1g4eTlFRGxLNU9iOERGbjFnQXcKLS0tIFhjM0dGa2ppVnJtTlhHOFpmWm5q
|
||||
N0hrSE1uMnNRaC9aSjhhdHBWSkQ1dXcKnicEEcrhkb3aS7YDzoS57pgcQqidlvab
|
||||
NISShay1dbjHV+ig6TuNRGUczRs3tztNkx3WGdwvd1wK22xsIYw7Xg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNld6YXpZYWJBOFhOdEI1
|
||||
ejhXczRVODFaSVEybTNZOGE3RlE2OGZBd1VVCmt3cFBRNWVXMytRL3RKRVRacmdo
|
||||
ZldrbFFjZHJaODFIanBsUVQvNTg3WEEKLS0tIDRjTzJUQUt0Vkd2bElxZzhrb3I1
|
||||
VEpISGRkTkRqUDQrSHlSamNJcXdWazQKOJb8o9yei4273lcEW5fmh9sxEE1T0if/
|
||||
l3t/FON3u2MYi5GOTZWvrB7GQ+lAacFd8mNZ0VtKGH7B81cArZQKDg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUE5xeWt3bEwyK2tzdVNm
|
||||
VlZwcStjeGRVQW42QmFkZHFQTm1YOTNhbW5nCmV4dVROUjI5RjVzOTNrcHNzVExv
|
||||
amhVZTRrendEQU9NaFFTeUtoM1ZieTAKLS0tIHdpRlZKZmlhbkJvVmJkck5vYTNK
|
||||
OWl5aFZRNk1uU3VxOXZwNU1nNVV4VFEKwuz7865A0F6eCvJo7xc/Cls+GhWxjc/0
|
||||
VWp53OIUQg84tRkqGbzxdUxYy4W0lYNcKu0vqaW4OOFpQ7AO3onZTA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUEVaaTFjQjJSYy9mVlBZ
|
||||
bW9SNWhLSWhrNy9jdUJ3c05EZFJFVEJucWtZCkdXWGtqNTBNRkdZNHFsdlYySXRu
|
||||
ZE43djJmcFh0VGltQXJFUGN1cUkzRWsKLS0tIDhVV3NrTEhjNExXbmxxTEdDNUtW
|
||||
UXd5em9rVzFoaHVZTHBHS3l0R2dJVGsKT45QUbMhhMhQb5Cw0vj6fVtNIEGWnM7g
|
||||
uvXl6zjliAYY2lz18FsMZHoX5MtJhadQf0d03Og8x+qdEAS0/1nxow==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWM3F6UTU1ZFk1bVp0RlJW
|
||||
TjVya3Y0MXpUMlBkSnhhaTFZTkZtck1hM3dvCi9aN0hCYVBHalJCSEV0TGRoREpZ
|
||||
Wit0Q254RlJvYlpQUjZ4QWdpZ0M5N2cKLS0tIFVUM3BNSW9HZnh6dzVITDhjTzlm
|
||||
MkgzdmJoSWowaWltWkp3UUg3dWhHY0UKc/VSN0fuVAsN0/6IZ08PgzTPo3lNzlzW
|
||||
Dbl4ke6G6svwE9XgPve2FLFGgkqow5p7/IbvPEm1ePK7909Cqt+DZg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-03-09T06:33:41Z"
|
||||
mac: ENC[AES256_GCM,data:Sif35KFzzKXoEYmKEwd6X9tjJWTIYVwNnPbzyIS4yzrnRPp8gaMJb2+oP+W445qyX84BpFH9IF1fNJ0uCZPKoUkSetkJc77lz7Xe3iJdIhWneqBQH3HUGozA5iEG29WMQwAqHr/ji4JnHf6RgmME5+sgvTqSzs6lvzZREEHgQ4k=,iv:kl1gB6R2xG1Y+n9Sv713yBcgmoONEWhz+tElFpcWdKU=,tag:XkSJ7mgCrpwhrIGPvkiJaA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.4
|
|
@ -1,6 +1,5 @@
|
|||
{...}: {
|
||||
imports = [
|
||||
./1password
|
||||
./acme
|
||||
];
|
||||
}
|
||||
|
|