jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

clean up and move acme to each host

Browse source
This commit is contained in:
Joseph Hanson 2025-03-09 12:53:38 -05:00
parent 96af04f592
commit 358929aafa
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
6 changed files with 26 additions and 103 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
nixos/home/modules/shell/fish/default.nix
View file

@ -32,15 +32,8 @@ in {
shellAbbrs = { shellAbbrs = {
nrs = "sudo nixos-rebuild switch --flake . --show-trace --accept-flake-config"; nrs = "sudo nixos-rebuild switch --flake . --show-trace --accept-flake-config";
nfc = "nix flake check --show-trace --accept-flake-config";
nvdiff = "nvd diff /run/current-system result"; nvdiff = "nvd diff /run/current-system result";
# rook & ceph versions.
rcv = ''
kubectl \
-n rook-ceph \
get deployments \
-l rook_cluster=rook-ceph \
-o jsonpath='{range .items[*]}{.metadata.name}{" \treq/upd/avl: "}{.spec.replicas}{"/"}{.status.updatedReplicas}{"/"}{.status.readyReplicas}{" \trook-version="}{.metadata.labels.rook-version}{" \tceph-version="}{.metadata.labels.ceph-version}{"\n"}{end}'
'';
}; };
functions = { functions = {

21
nixos/hosts/varda/default.nix
View file

@ -50,6 +50,10 @@
"sambaCredentials" = { "sambaCredentials" = {
sopsFile = ./secrets.sops.yaml; sopsFile = ./secrets.sops.yaml;
}; };
"security/acme/env" = {
sopsFile = ./secrets.sops.yaml;
restartUnits = ["lego.service"];
};
}; };
}; };
@ -70,11 +74,26 @@
}; };
}; };
# ACME (Let's Encrypt) Configuration
security.acme = {
acceptTerms = true;
defaults.email = "admin@${config.networking.domain}";
certs.${config.networking.domain} = {
extraDomainNames = [
"${config.networking.domain}"
"*.${config.networking.domain}"
];
dnsProvider = "dnsimple";
dnsResolver = "1.1.1.1:53";
credentialsFile = config.sops.secrets."security/acme/env".path;
};
};
# System settings and services. # System settings and services.
mySystem = { mySystem = {
purpose = "Production"; purpose = "Production";
system.motd.networkInterfaces = ["enp1s0"]; system.motd.networkInterfaces = ["enp1s0"];
security.acme.enable = true;
services = { services = {
forgejo = { forgejo = {
enable = true; enable = true;

7
nixos/hosts/varda/secrets.sops.yaml
View file

@ -1,4 +1,7 @@
sambaCredentials: ENC[AES256_GCM,data:0caF4cBW5TSn36pZQmcjHbM9nrFGF55HmPVD4HMea1Ul7A3y1HHz0Pgl4rrYzdg=,iv:OCme9i0tHhDbypits5TKfsGXnblYqBPouhwSVeu5q+M=,tag:F9zub18fB0zZh5ssHal+Gw==,type:str] sambaCredentials: ENC[AES256_GCM,data:0caF4cBW5TSn36pZQmcjHbM9nrFGF55HmPVD4HMea1Ul7A3y1HHz0Pgl4rrYzdg=,iv:OCme9i0tHhDbypits5TKfsGXnblYqBPouhwSVeu5q+M=,tag:F9zub18fB0zZh5ssHal+Gw==,type:str]
security:
acme:
env: ENC[AES256_GCM,data:LMrK8IIpx1d5Jl60VHDdwVLm4lyFDSELX1pF9wvFrNY0OJZ1EuHQ7Jgtf1wZ/cNy3XYFRxD9lEuNPJd0UN4vCw==,iv:2WEiipdYcsPX4frAvO7Iyp8zKWtydYlaPPKBd/1SFDM=,tag:G0Va5OcgSEO5E+m8jxsrFA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -50,8 +53,8 @@ sops:
UHdRbDBBeXFwR0Vtc1h1N05mN0pVZzgKxLuY/RNLkhPpPDGDkO3yqbelCGng/qm1 UHdRbDBBeXFwR0Vtc1h1N05mN0pVZzgKxLuY/RNLkhPpPDGDkO3yqbelCGng/qm1
9Yo97TlLq4zyw1cu2z0Fvcid3ZJt107+NN/2DZ4o8eXSnBSVXUcktw== 9Yo97TlLq4zyw1cu2z0Fvcid3ZJt107+NN/2DZ4o8eXSnBSVXUcktw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T06:33:41Z" lastmodified: "2025-03-09T17:15:11Z"
mac: ENC[AES256_GCM,data:z2v8UbTtkDjf06VyxCNhldcSCHSfyFBsNbUJqwKD7mwlZTJZY2Nhe18FxX2QVX9BbA6etPhIgDANmJsZCc02vSpF5/d943AZm0B26D4c0XuUxZuhkUSdsfmmUFCuS6WksSNEXAGMuDagaut5yla6GuaRAzFWZW8JBgSmWAcT9f8=,iv:NnyWRN1rGlESQUCRW3iP2BL6SG/ke5ZHNN3OjCvOiEA=,tag:/8kpGVAMT5kmjQ8s7U4k/w==,type:str] mac: ENC[AES256_GCM,data:8nCX56znsRy2y1NmkCBJ5e/szd8CTJ1BIbNew40hdT50EruedQTmQWrOhql+na3ZDSWOfPHwufgX6hFwA6UHuOYZCswsS0ST2vtV1Y/f7Y0i20q7jAxslDxUt8MT94Z+WunZ7OgZn+3DVCSVkwtc3VqLT/gcATaA3KgbHTsiEFQ=,iv:PSkQC6oIlKAkwyVrwHJBLNVnhGVkSkVhtOyoV0FwPdY=,tag:bszELdBw3HnK9g5rPaocMQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4

32
nixos/modules/nixos/security/acme/default.nix
View file

@ -1,32 +0,0 @@
{
lib,
config,
...
}:
with lib; let
cfg = config.mySystem.security.acme;
in {
options.mySystem.security.acme.enable = mkEnableOption "acme";
config = mkIf cfg.enable {
sops.secrets = {
"security/acme/env".sopsFile = ./secrets.sops.yaml;
"security/acme/env".restartUnits = ["lego.service"];
};
security.acme = {
acceptTerms = true;
defaults.email = "admin@${config.networking.domain}";
certs.${config.networking.domain} = {
extraDomainNames = [
"${config.networking.domain}"
"*.${config.networking.domain}"
];
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
credentialsFile = config.sops.secrets."security/acme/env".path;
};
};
};
}

59
nixos/modules/nixos/security/acme/secrets.sops.yaml
View file

@ -1,59 +0,0 @@
security:
acme:
env: ENC[AES256_GCM,data:+7NAKL4Q7RVOPbCqXsYxFobhkbw9Yd30bMnsqb/CSe6VhgIF1QSXEZhkV9DJhT1gEC4q/afdXS6E7H5uluELJ9c=,iv:5mka4nY40Eb//VOIBpBfoh7Fl/aZR3lefD0fDBo90OI=,tag:CLws//UGztDC4q9NP3D8eQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Mk0zN0NXZytFeWdkUi9h
NFVuaml0eC9xUnhIRUZUTHNYZHAzSC9Sd3hVClliWWdHaExValVLQnJOZi9sZWF5
WTd1L1g4eTlFRGxLNU9iOERGbjFnQXcKLS0tIFhjM0dGa2ppVnJtTlhHOFpmWm5q
N0hrSE1uMnNRaC9aSjhhdHBWSkQ1dXcKnicEEcrhkb3aS7YDzoS57pgcQqidlvab
NISShay1dbjHV+ig6TuNRGUczRs3tztNkx3WGdwvd1wK22xsIYw7Xg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNld6YXpZYWJBOFhOdEI1
ejhXczRVODFaSVEybTNZOGE3RlE2OGZBd1VVCmt3cFBRNWVXMytRL3RKRVRacmdo
ZldrbFFjZHJaODFIanBsUVQvNTg3WEEKLS0tIDRjTzJUQUt0Vkd2bElxZzhrb3I1
VEpISGRkTkRqUDQrSHlSamNJcXdWazQKOJb8o9yei4273lcEW5fmh9sxEE1T0if/
l3t/FON3u2MYi5GOTZWvrB7GQ+lAacFd8mNZ0VtKGH7B81cArZQKDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUE5xeWt3bEwyK2tzdVNm
VlZwcStjeGRVQW42QmFkZHFQTm1YOTNhbW5nCmV4dVROUjI5RjVzOTNrcHNzVExv
amhVZTRrendEQU9NaFFTeUtoM1ZieTAKLS0tIHdpRlZKZmlhbkJvVmJkck5vYTNK
OWl5aFZRNk1uU3VxOXZwNU1nNVV4VFEKwuz7865A0F6eCvJo7xc/Cls+GhWxjc/0
VWp53OIUQg84tRkqGbzxdUxYy4W0lYNcKu0vqaW4OOFpQ7AO3onZTA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUEVaaTFjQjJSYy9mVlBZ
bW9SNWhLSWhrNy9jdUJ3c05EZFJFVEJucWtZCkdXWGtqNTBNRkdZNHFsdlYySXRu
ZE43djJmcFh0VGltQXJFUGN1cUkzRWsKLS0tIDhVV3NrTEhjNExXbmxxTEdDNUtW
UXd5em9rVzFoaHVZTHBHS3l0R2dJVGsKT45QUbMhhMhQb5Cw0vj6fVtNIEGWnM7g
uvXl6zjliAYY2lz18FsMZHoX5MtJhadQf0d03Og8x+qdEAS0/1nxow==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWM3F6UTU1ZFk1bVp0RlJW
TjVya3Y0MXpUMlBkSnhhaTFZTkZtck1hM3dvCi9aN0hCYVBHalJCSEV0TGRoREpZ
Wit0Q254RlJvYlpQUjZ4QWdpZ0M5N2cKLS0tIFVUM3BNSW9HZnh6dzVITDhjTzlm
MkgzdmJoSWowaWltWkp3UUg3dWhHY0UKc/VSN0fuVAsN0/6IZ08PgzTPo3lNzlzW
Dbl4ke6G6svwE9XgPve2FLFGgkqow5p7/IbvPEm1ePK7909Cqt+DZg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T06:33:41Z"
mac: ENC[AES256_GCM,data:Sif35KFzzKXoEYmKEwd6X9tjJWTIYVwNnPbzyIS4yzrnRPp8gaMJb2+oP+W445qyX84BpFH9IF1fNJ0uCZPKoUkSetkJc77lz7Xe3iJdIhWneqBQH3HUGozA5iEG29WMQwAqHr/ji4JnHf6RgmME5+sgvTqSzs6lvzZREEHgQ4k=,iv:kl1gB6R2xG1Y+n9Sv713yBcgmoONEWhz+tElFpcWdKU=,tag:XkSJ7mgCrpwhrIGPvkiJaA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

1
nixos/modules/nixos/security/default.nix
View file

@ -1,6 +1,5 @@
{...}: { {...}: {
imports = [ imports = [
./1password ./1password
./acme
]; ];
} }