From 2f472230fdd2328211606be7fa8edbf4c57c7770 Mon Sep 17 00:00:00 2001
From: Truxnell <19149206+truxnell@users.noreply.github.com>
Date: Sat, 30 Mar 2024 09:50:30 +1100
Subject: [PATCH] fix: dns01 firewall (#35)

* feat: add overlays
* Auto lint/format
* feat: fix dns01 firewall ports
---------
Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
Co-authored-by: truxnell
---
 .sops.yaml | 2 +-
 nixos/hosts/dns01/default.nix | 2 +
 .../cloudflare-dyndns.sops.yaml | 60 +++++++++----------
 .../services/dnscrypt-proxy2/default.nix | 2 +
 .../dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml | 58 +++++++++---------
 .../modules/nixos/services/maddy/default.nix | 2 +-
 .../nixos/services/maddy/maddy.sops.yaml | 58 +++++++++---------
 nixos/modules/nixos/system/openssh.nix | 2 +-
 8 files changed, 95 insertions(+), 91 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 80c5f71..6ed1353 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,7 +11,7 @@ keys:
 - &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
 - &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
- - &dns01 age1k3u3yn3adntn36cpnsqdze7gd029utgkndcw0zwck03ms3wegusshuav6y
+ - &dns01 age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
 - &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
 - &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix
index ddb6605..d463b1e 100644
--- a/nixos/hosts/dns01/default.nix
+++ b/nixos/hosts/dns01/default.nix
@@ -12,6 +12,8 @@
 ];
 mySystem.services = {
+
+ openssh.enable = true;
 maddy.enable = true;
 dnscrypt-proxy.enable = true;
 cfDdns.enable = true;
diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml
index cfabdef..c38c011 100644
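Review bot: The dns01 recipient key is replaced in `.sops.yaml` (and the three `*.sops.yaml` files are re-encrypted to it) but neither the commit title nor the message says why, so a later reader cannot tell whether this was a planned reinstall of dns01 or a response to a lost key. Add a line to the commit message such as `Rotate dns01 age key after <reason>; previous key retired`. The earlier ciphertexts stay in git history and remain decryptable by the old dns01 key, so if that key was not under control when it was replaced, the values it covered (the cloudflare-dyndns apiTokenFile, the dnscrypt forwarding-rules and the maddy envFile) need rotating at their source as well as re-encrypting.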
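Review bot: `openssh.enable = true;` in dns01 is redundant once openssh.nix in this same commit gives `mySystem.services.openssh.enable` a default of true, and the blank `+` line added before it leaves an empty line at the top of the `mySystem.services` set. Either keep the explicit per-host enable and leave the module opt-in, or drop both added lines; the explicit per-host line is the clearer of the two. The `mySystem.services` set continues past the hunk.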
--- a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml +++ b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml @@ -1,8 +1,8 @@ system: networking: - #ENC[AES256_GCM,data:WxRtq7uNi6m6b4GMGqvt+qkj1X4BZaynNDeEWMOH2u09x+IuYMiXXTJEGeKkf70eKjLZo0cD3HIzXNUr54SPP8jPmLqyRoS3Z+ggJg==,iv:EJPZQ9YSgs1JTKsZG1P6oMgxqNp2T7yha7UZwqAwzB4=,tag:toctJWuRe2viNF2crW1n4w==,type:comment] + #ENC[AES256_GCM,data:bHeRWJyZgBuMalt5K3j4xtffim6aSCq+/c4+t1pxIlr2JAI+i+PO3S09GVahSGlUpn4buJbkE1H80/w0UrdPWtR/ZAn1ZMoXCuKnXg==,iv:f1MerFEkn76dNWwYNVGotKfDbaSy2ndvt8q4ul53HGw=,tag:eNjmJtRMxbu5j2rssXHYHA==,type:comment] cloudflare-dyndns: - apiTokenFile: ENC[AES256_GCM,data:yTuSA7Zteaq4ufbLq0Ri+JDosNtVHudtRGSnLXzX2IFtGlzPNfrU0shIHpbicFZ+JS9x71a37sNt7gab1AZ5dJLxe2YVNVeJ3GFCFf7QNSI4GjOjzIUFSdHHhV+xGhtrL6h4SZTnh6iKqdU2iY1pAGT9Kw==,iv:gns8r/UhIXRIO+x08ZcrpuCFtwcUcC8HWjPfdJbkfRg=,tag:FAhAsUXzNOhEix+VBSu0Dg==,type:str] + apiTokenFile: ENC[AES256_GCM,data:t2SR+EyOzBW3+5bZE/4Kpa4kpyZi7IErHDkjyC6r6su8thstVynSpfWDCi4Xj4Th11kU0YO3h8RBqAmss1wHTPGti+1ha3LlSJfemKWIN2qtYfJLeZ5ZBoC+xctW8u5+ahur/3tjUjsXgERCUuQiuMe5Tw==,iv:CTWKFyIi/mYu6eW6WMFWsF2ds3lkqqcQcE/5xy9qQac=,tag:muZ1RC2M3fB7vjissXCPtQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -12,50 +12,50 @@ sops: - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YlEvN1JNa01odlZTeDhB - Y3ZEdlIvbUlFZm96NDZBeWc2MnRMMzlRYmxvCkh0L2NsNUdFbnM2OW8xSUlpQmwz - NjAyRnRLV1JRRkhyL2xLNXExS25MUGsKLS0tIDVwYmhkNXp3WVhNVkhkaTk1UDZn - UFNhQXJ5akZIY0ZiRmdDMUJGZXdCMlkKf3zA9MkZ/J2CUURvzZdtn4vSeYwiIAR9 - SLWB6O7ykkjZyhe40lJMdVb7OVqXUnAf4Ic0VpYVwLeAXjPEi2anBA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbVFkcXJoWjJweUowdDU5 + bTdTSVBDK041MVFoclRiRk1tYjBvVGFCTUhjCkhZbXB0ZURua0Yvb0EyV3ZzWEJ6 + NU1LaUgwZ1NjWEd3K3VWNEY0d1dkc2cKLS0tIDRHMDk5TFdCRk5jNVNPd2srT1ZY + VVBMZFJzVGcweUErRGpyWm5JU2M0YmsKiqThEaJubMZalyA/7nhh0L1IK0Ro0y5X + 8mgZh6rx8BzZJodiuRjGeCgsVnUREX4Mr1IKaFtG9GFyzc0yeTStjQ== -----END AGE ENCRYPTED FILE----- - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSXBZZzBkdWFVT2tYZTZh - cVhIOUgzeUZ5QWQ4d0oxMGdxb2c0ZGpITVFBCkdRV00zSU1QYy9heHk2VlA1YjZI - VEFlTHhZN3VKTExEQmRJYmJleDNIY28KLS0tIFpjM0lIdDdIaTJoemNvUlEyWjFI - cDNuaXc0QXgrNGpaV1kvWXpBL2pwZWcKkde/Ka84e6AVbzxr9zY0zVIYotZEofei - rPzQMsJ8x2+PLKRnOtny+He18E3AXN4G2KdbkkAaulFtPnodaXCWvw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0aE92YzM2WmlRK01qZ3RC + dHBhc1dvSG1ReGdrZzkyUUtPRVYraGFScHpnCjRGaTM2KzRxTGFkN05mc0xFSGxO + MkVrYVZkWlFoWmEzSWhQTTZZK0dwREUKLS0tIGRhenlKV29WbkJVVVlEaUkrNUpl + c1hEMnBuVFBKUjl2ZHM0OXAwcnFJZzAK+Pf1YDIbiqsKGsA3geTbP9alkBG2uomZ + KeY+goK6MwNcZwKkSd83Lf6j6Fezv9C+gR2lTdZ4EFITlRWaxt6nmA== -----END AGE ENCRYPTED FILE----- - - recipient: age1k3u3yn3adntn36cpnsqdze7gd029utgkndcw0zwck03ms3wegusshuav6y + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsN1l4MWE3Wm9qZzN5TWNJ - MG9QN1J6SW1GNHFxSW4rdHFTWG40emthL1RRCmFiaGU3dVJTNzhaL0dabExRWVB2 - 
V0tLd1kzZjVIWDFrdURtRTJDck41SVEKLS0tIHJvRmg3Uk1BWmRMcnFMTDRoM0Fq - aWE3ZVRqczl6NklQMEZpTnpvbzhMYWsKzTdBC6weGhLESyrGZXbaFclG0lo3aqoi - NHD2vuWcJexro3FPsBEce8yTCKi6VIBYQqntst0K4rE/7SLuMaqJVg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MGhXMS9FbUdqckdqcUhs + aE1qL1lydy9VVWMwYlNrZTJrVVNxOW5hTWhvCkVGbjZ1RHJLc05HaFJkWm9VNzB0 + T3dzbTU5YysvclQ5OHVaNU00bmRSWEUKLS0tIFF1cnVqVndtYXNrWWt5OU1IYjd5 + bUhRTVFad0pCSFhweUNkSElVSUI5SGsKccyy6u6aJagRn7OYlBpbfnzkaD/qYRt+ + oct41POm3gi8QQ6TYMT/xa0UlOCS9CnvjE4ZV8W5cWyvEEyPEez+Qg== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTGxCNmhYRnQ5elRMV0Nt - bG1aZ255Y0pyYXhXWllVbDR0dWErUmRWWWlFCllRQm1jUU81MkhpdHdSdGhEWWpK - Zm5JaVE4LzJrRmVRR0ZQR0VuYmpLYlUKLS0tIEVIVVg2WVRnVEFQbXBGZDVLWTY0 - NXpWZHc1NzVoWEN3cWlPZmRtdW9MWkkKi6DbXhf5+zZH4rdnksT8swUHF9ZHu5Gp - jWbed3DahkwWAyMFD9SufGlgndRjqxHuyRa5EbBA4kyjYXvF5KjeCQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbWtjd3o3anJqRHI2cWx1 + NFp4dnF4UzdxODRLek8yeWc3NXMvYXg3Y2pZCmZ1bkg4Y2htRUQ5Kzd1ZlFSRlNv + dHJ6UTRUVGlzL0VQRXpLQjJMSGtQT1kKLS0tIElxcGRHUTZxdzd6U0J2cHVad2Z6 + d0I5T1prNkJtU3dOK2dLU0FQYWl6Y3MKWtTVfqZqwO1DWcqCX3zQKJw+Iru9uYLL + oaDFNp7BkyHGAgUGlnryhpHqk/Mfiaz9F3+7E7yxPGmBL5/XGcfYzg== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtajM2QjlyMzlHMDh0WjZP - eTBIWGpFVzl1MHpkWUUxMnovaHhGZnNPK3hRCm1NamVabWY0RjZ6Tm5Lbjg3eXBn - ZWVSMVUyRm1kc3dTbDl5YWx6ZnNhVlEKLS0tIFA0UU43ZnBMdDUyYXV1dlZNRVJZ - VE1jekkrU0FEVWVSaHI0OUtMRk9Za0EKZWiqeBmuKDQK4mSUWptPoMIYNQdTtxoy - /6Wr7QlnduC9Z+8OQuNNx5EC47DUSLmT8Zt2aP1wuolbEcQQkpNm2g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZC9xSVVuV1QyaWxQN09F + YVplRmZFOFJ2dGJPeS9iTVZpU3lqZk9Pc3kwCmdTV3B3WllwN3Z2dDI5aVl1OUtJ + 
Z0IxRHgxRjROdHE4RmpvOThuZmx4VHMKLS0tIFNJRXRsQ2lRRjB5ZTByczg0ZWg5
+ elVTbm96S2tpb3hPNHc1OU0yZ2FUNVUKCikEO6z7kpDmFlc9JldOSlGXv4JhFh/u
+ 8sQSl3jF58lCBllOfM5T0crwbDHGlKI7JQ2H8vhZKk8TfiH3hGWxpg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-03-29T12:22:04Z"
- mac: ENC[AES256_GCM,data:kPlrDIly/XpIlocuyviHIhtts6GZaslNH5F5Pnm0fiwXm/cDGxDftkpIE1eEEVxkhkOd5Vml5ppfhngMu1pJgoyEgZnW+Ej0yGc7wa1cM3Iu5yqzDy60V/D638S58wiyi4wP+MN/hXbKjC/jh05hh3vDH1b6OH3YRCRIS4R+ZSE=,iv:cy2Hgnww4u/4FqlnoYa/E1vbmx+spIRgkiSfCdIqie4=,tag:iugVVWzxDxbR0tIRnjzD3g==,type:str]
+ lastmodified: "2024-03-29T22:45:28Z"
+ mac: ENC[AES256_GCM,data:tPhORuf+63E68CdAdSsA/NgdBG9GrnmpVKVLo0O1ibaUDk6WblcmMoFROIo8BuciaUZsEf30NF9lVC/QgsZ35sHc/WcX4Ze80LyhBVgf0wgpy5xSjWLnYHCgFMA/TuYX7lJBLJVFZ3VAdwWp4XznGdlBHulQFM6jBEHz8wW749A=,iv:3aHdxUNfZinz13HRTtb7376era8Hont39C6pa0jnRAk=,tag:zza2Dy6I9R3C+xqEehgRfQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix
index 99431f9..ac017be 100644
--- a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix
+++ b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix
@@ -18,6 +18,8 @@ in
 # causing a risk of no dns if service fails.
 networking = {
 nameservers = [ "10.8.10.1" ]; # TODO make varible IP
+ firewall.allowedTCPPorts = [ 53 ];
+ firewall.allowedUDPPorts = [ 53 ];
 dhcpcd.extraConfig = "nohook resolv.conf";
 };
diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml
index 01d7f3a..abf9780 100644
--- a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml
+++ b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml
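Review bot: The two new `firewall.allowedTCPPorts = [ 53 ];` / `firewall.allowedUDPPorts = [ 53 ];` lines open DNS on every interface of the host rather than only on the network the resolver serves, and nothing in the hunk ties them to the address dnscrypt-proxy2 listens on. If the listener stays on loopback the rules are inert; if it binds the LAN address, they also expose port 53 on any other interface the host has. Scoping them per interface, e.g. `firewall.interfaces.<lan-iface>.allowedUDPPorts = [ 53 ];` and the same for TCP, keeps the exposure to the intended network. The surrounding module body continues outside the hunk, so whether the listen address is set elsewhere cannot be confirmed from here.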
@@ -1,7 +1,7 @@ system: networking: dnscrypt-proxy2: - forwarding-rules: ENC[AES256_GCM,data:7TUg3UiXZG25FhvxS8Mkg2ZlvLpMx05u+8yqQ3EyBXwFtXrVUvI3TM3L0NJr8c1MmimslpK7w+Xs9GphJfr4UaNV6m5A2kipA1v85AbL/rrEAvi9xRty3yqX1+vYtN1xa5Il3p0PeWkR3Q/LMW1ZfWXLu7FHyuitJaOIfySwyeK5njcHHsBtjQGNZcyg6oWxs6XdTLhrPwYMQvxrZ/l7mhxFOLIwuq9rlyVTw+SenKaZisW7TjksQtGvi3NmFARCPYSmyCH2/X/1OfPIomoUFTOAXC56mTFXrAf3TytkyOyysJsl/8S2mx6xrgbT+J09SRL9JTtQHi4iZaXS6tPFiCL6JtOzPMBdMrWdqWC/gI4Av8EemNVYu37oP5BUYsCOGOoKFMwuHSxiJCqNmR/im+cnP2tXwYwOhHmDxRNeVA6Wxt/4AktKhTHWkm/TLHshceOm+3liS+D0t+Q2/ybdy28=,iv:ejTYzQ/6qjX77GJmUKz/L/8/66fh0P7ORNqeKK4sgdE=,tag:fWugmMTlzLwdtx0sOrcv5Q==,type:str] + forwarding-rules: ENC[AES256_GCM,data:ZoVm64ORJw1H7fglwN/d9juRkmpblAFT3uoBh3TI//2iZ8Al3mlqdXaC72Rn4FVQh6MZA/xYXMsh3rfgZF45gb9b8YwmDA+8F3vaHo13FkwKcAsx0IMcdKJdPkOVrWXsLmvppli/z5IfyZqamLVvexqNM3QwDC5Zfi1YBQGinygYLW6ayFjWEEbW3T4pdeehhhDZW9MSutvGu+lCpQ+w2qzlqMnYCoo+k9Y+9oOBDGWwzXjfg9ry0AOhOokrQuSqTx7i8s5ERZIJ3SvG89q2O4E9PCdj9HbZfXoQwEoknfPtm/+cDcaOOxcd7FvYKH6wlOjH2ow/E6pUjiS9/BS5ht7vlBjl8sk/hSswL0EQllb6ggjH2JVp7UgHxL8moLusixHDLzCt5asIhuCqn+E2QEs1nCEdXvoLNL/ytJwP51BVQolA7KRFVYb4vA16Egz/ttjqxIAASSdGFfQesB6T6Aw=,iv:uy5lYl1kN4LXT81hx1OsrCkRgYVg6QyjAofDowXCeb0=,tag:b5PoXYgkyIiru9cDB4irBw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,50 +11,50 @@ sops: - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWm9iUWwvbWZNSCs2SUVw - ZUxDNFFoQXRPVUg0bmN3dDlnNzBBRUNUNWp3CnhheUloZzFOZzc5S3pmaDQybGlX - TnEyMi9XbGgyRkdpditQVkdMb2RMMk0KLS0tIFpveHp6STZWc0NRK3JlRm01NE8z - R1dRdnNmeDBRVmMwMzNnMHZBNE54T1UKEMjcJFqKoBvw5PA4HkGrhMXDG3RABwNI - S084C00I8qvLn769vsaaSMYm5He31CQ9qDGhDhMXFTIsBbI+jegWKA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWGR5YzNVbWw5eEUyNE02 + d2xkR0dlbGVrdEk0VG9HNU9zS0FNazFWczNzCng1b25sdFhBZ1p0S3Q2Vys4Mnlu + RDdUQnY5amRUNng5TzlEZUhEakw2akUKLS0tIEFXVHBUcnY4RnlSbERRcUFMK2JZ + U3ZrSXVURnh2ZHg0eC9UcnZjZ2txeE0KHRyC65nWKwuSMroEyDMKBXSg9q+yAzhe + kBBUkasGdSAESM8cvMVbLoyn7RTRcMbuAFeZPkwcJu3pUc6IdWARdw== -----END AGE ENCRYPTED FILE----- - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRdUlWK3A5TjhOUW1mbm5X - SVFac2o3eU5NUTVkVVBqcjgvTVdlU2N0U1hBCjRrY1dGNU1UOVpWN2gzdXBUejdR - VmF6VUIxdnBEODI1dnVVQ0FXaE4rcXMKLS0tIDg0NmVyYTg2bFozcjQvMWoyU0FK - QmtYTHUrL3RxOEQ4aE5vNi9IVWRvbmcKZEP7E8756mvvZOdhCstv2DzUsmEeZcp6 - Ts88FAsQHsF4RZLfFodKx+C1QGfA/O50MGTE5e4c2tpIuMjmCuPRLg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYWhtUXZDSCtVWTFIZy8v + WFJTZ29jU1pHSURkSmU4M3FvWVBHeXJFcjJJCkVYTzM1bXJnVjZmalZYUTlTaCtH + M2FaYUhodU5ZdWdNT0ZXaDJIcS8vYWcKLS0tIGg0MjdqaG5VcElYaVNodXgyZkty + Y1Nxa3JkVVZxcVNucEdQdjdsTUovRFkKk4PMs41Wlw3vvrcR0kREyZiP4TIDRYQm + FfVPJ1CV3oZcDuDQMJmU0zh5uFJRB5INXXNnB2ULjnqq/PNnKuHXtA== -----END AGE ENCRYPTED FILE----- - - recipient: age1k3u3yn3adntn36cpnsqdze7gd029utgkndcw0zwck03ms3wegusshuav6y + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLL1NkWkd0L29WbnNpQTh1 - Rkp1MmRqTkN4WGNMMHJhR0YvL2Y0eEtIWGgwCmlQZTAxei9aa3FPTWZLTXAvK3VF - 
WXk3NzMzd0hHNlJvd1dmckcvRm5rZGMKLS0tIHQ2bVRrRkJrV2E5MXc5Vm1tVWxj - RWhoMkVhVzdyaEtZVk9Ncll4S0VqOVkKwmcv1yi15ZUIUuamKXX9Ye76jGb3UMYY - tM0dcX49n4jCzexhU5wu2Fax4EADpiJzGVK0iZ+8+oWedbBHyVudJA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSEFMOGJtSXBCUEdGWHRy + d1E3MGRkUG5sUnJzNktwUnZMLzdMU3NOeUNJCkVvNDhDSE1wZWpycTVwbkxWRmww + VmFVQklLWFZSaTJlUFdLWFZIditpelUKLS0tIFdVRnpwK0RLR0E4d0xzN04yWlp4 + YkNQVkpUeDdDaUo3OGFibnZUcW5pSWMKzHh01qkxst4+3HUaqZaPAQqLV95mrUs7 + cToOnz8gj4gPUxz7mKFkkHeIev/D/1kc0aDx5KPRQc7VGsLPaKkUtA== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU1A0OTFYSUVPV3R3b0N4 - aE00UEZRTE1wN1NGdzhkdkJEQ2NuYzN3VDNRCldQTEN4Umw1ZnlhV1k3dVBjamxK - Qk9qenlsZDQ5dVdjenU0cHVlVXkzTjQKLS0tIDhaMHRuZWhrWlMrMDRuY2xnTDNy - M0Z0SHJZTi9tYXU3cEdrc2Y1NUtrY0UKt4y5CrmBbhTqB4Ksdf4fO69aukVUlz19 - 9yFqWtsnt97jldYKXG8WH9koyJvW6ZLIX+he89s0JCue518tf00bJA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYTRpYnhZWENyM3RQdDdj + TzF0UUJsOU4yQVhLeUhzT0R2a3hjWnBMV3prCkN4NVRDbjdIZ1BtS3VpSXZlTkFC + MlA3dDExRytDSlpFQmFyS2NtUVJZVm8KLS0tIGhlRXZBQ0tEbHFnQlRkTmVzSnlZ + M0UwN3lTbFBiV3NjZnpUeHEzVnQ1SjAK+z6YMA4SKGcmrL77FEPAEGQeCPeLnWwy + ubU4c+wRqNYkPlKnt/qy5Fj0qlA9wIDo54kqEuqehnn8XzgLCBZVyg== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNXloZlZ6ak40ckdCZjV1 - OWlhaHp5M2tpMTEyN05DcHJvZGlLbXFBaHdzCnZ4ZHROZkRUMGplNmpQa1ZiUC9w - RVNIVWRqSTZFUHNFQ3JDdXd4dStPdDQKLS0tIEhqamZ5cm9aak1OV2lwTW9MMnZw - dFNyUENxTUQrUWI5ZHZhekp6d1o5T3cKDxaiMjGDb1EbdobP2E9WDn7YfO6J7BMU - sFAh+u38crXiEG24wxNl/Ps7z3oMPtmM7KRQ3hM753lBenuL7vXvMA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmckhLaVorclNudHNJVU1w + VEpRWWFYL2JGUktCaXk5TXlSQjhCd0ZhQ1FrClU3R0ZuN0NoZ0cwYXZORkZ2OTll + 
akM3YjhtZHFNeHNEUkNmZVhLUVJDSmMKLS0tIEg0UnRBQTdPRnNOMnRack8vS1RT
+ WFBhZmwzQWhLVm9CaUtpVDdnOHdCemMKUV3IpFvZdm42PbL/kOLQKpFe4bld6S/q
+ b5sIdEDAp98aNAcvAjnJJWgIcWqhFFvM2UT7QFpCcvLg3njOfJo0IQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-03-29T12:22:04Z"
- mac: ENC[AES256_GCM,data:hsDY1SO1nIe7J3mpMNJsxG2R+3N7AgUxoqqfvs2V4pO8SZnx5SvBqyIdGKcUOFgY66jtvAxwXULkl0J/TFj8A+MG5BkH/IAjDrWD0czYuUogtxik4DstyUXLSSM5zFP9niOmowsvK+1u/VpBrb+OlZNYiEHYKtY7+DhVJqDnQVc=,iv:iBxfpElahoJTXld45hpZXblTStQjm0WQpYmmv5wlpNg=,tag:caPwVlvCmRzm2as7ECbXgA==,type:str]
+ lastmodified: "2024-03-29T22:45:28Z"
+ mac: ENC[AES256_GCM,data:ZmLhNLQvLG6foHvCadUTw0Ws3TrVkSv93/8sS5UmC0DxwHl9s8IieTS/Otk/tu89twgLv/hI+gMWZf+L8WkaMYU0dGq0d/NSB5+Pyd1hEyHOHkUQImBz+EKj2qk9m8f5+HDnb+RpUnpMJLpjv4Fayzg9A7Ox4MfPyaPUSHUNsDQ=,iv:55ao8R/DONq6JUQLoMr/7g4qhDpOVDBP0VpwGZKkteM=,tag:DDmIi2F0L//eahBuxlVWLQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/nixos/modules/nixos/services/maddy/default.nix b/nixos/modules/nixos/services/maddy/default.nix
index 7850d22..c0b081e 100644
--- a/nixos/modules/nixos/services/maddy/default.nix
+++ b/nixos/modules/nixos/services/maddy/default.nix
@@ -22,9 +22,9 @@ in
 services.maddy = {
 enable = true;
+ openFirewall = true;
 secrets = [ config.sops.secrets."system/mail/maddy/envFile".path ];
 config = builtins.readFile ./maddy.conf;
- openFirewall = true;
 };
 };
diff --git a/nixos/modules/nixos/services/maddy/maddy.sops.yaml b/nixos/modules/nixos/services/maddy/maddy.sops.yaml
index afd6dcc..79f948e 100644
--- a/nixos/modules/nixos/services/maddy/maddy.sops.yaml
+++ b/nixos/modules/nixos/services/maddy/maddy.sops.yaml
@@ -1,7 +1,7 @@ system: mail: maddy: - envFile: ENC[AES256_GCM,data:pGs56ZvCfX42FcmOSQvg/hXIWDs/HrLrto50lP8DxWHBBrE1Mm/BJ1GWlz8CHrwTIwDOTZCbxfbZlQhr0ofuusf3AIYdTX3dtckCK+K0FVPIXenc/b0QotKeCWCbQj4mMZJCmlu3Yot2yP+SnxXQsl41yUEQsjiXmUVnbiXGlTnvLg4=,iv:V8sOvvt2lqXRpzbL6UilZE4PdwEOnX+LPJygVy0wmk0=,tag:1EEjTETv7ADYx8H2suxM6Q==,type:str] + envFile: ENC[AES256_GCM,data:fSlitO+c4atrjmTJwqQQ1MgSJXUQ8taaGxhw8sATuYVXnmFTFe5nfGGu183RXOP5ZobyTydDgxl3FA4yGVAUdH55oAiikO6H2+n8BAUQdtkzdUR4jOtl5cukn01PoTbAuAj0OX1s3rCf7INPDqCydb5IuuUrW81mS7CCH/eoNyUSRFo=,iv:0CVGfwu8GJTR5QoAfSd6tLbGtkzwNb6fB+gHwiZiiws=,tag:0VrK08F/Fmx1WeqkdldBCA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,50 +11,50 @@ sops: - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTEx5K29rV2Z3TmFZNG1h - NnR5UFJjWnFNMkYzN05WaVhsUmxHZkVwMURZCjVCMFRFcGJyMmlsVDNKL0FhSmFG - RHh4NVlNQWJzTGxLTkRrTkZWdll3blUKLS0tIGxqckF0cWlhMGpyanhPM29YMDVr - Zi9ZRXZiUVZzOUlwU094eDNTaC80UVUKNovl0feqw/7Yv8TjKdj8tCXkWvUqC76/ - VX64fgAiC+BGbygPJ5wEVkQKH8OWSmgOIvqfvSYrga8AHsLgYPMm3A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNitqWUlhK2tLSHYzZndT + R2MyVEcwc01JWEY0MWMzblNqcEszeDFjdmxFCmpjWnRoM1BrU0lHWTQrbWZvVnlG + QzlvOG9uQjRBZGE1OVgzRWFET2ROWFkKLS0tIDROUnlTYS83SGdkaVV1SWJpcGVB + c0RiMmVNaW9XMWtBT3IydmNRcnFabzQKKshKR6aVRlDfj+AWYJAd/x+3b9JcMhEm + uTFP003ENqVR0Mxozz7rOWToaUid5kvLKqiEWwenXu9RQmwNINl9dA== -----END AGE ENCRYPTED FILE----- - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRURSNjVydlVRdGFEcDFL - U2lLWW0xNkhTR3NtRUN0OUE3UjViYW9RNVRnCmo4Tks1NWgzTHV2QXlZVmJESU9i - cVZ0ekJCTHdhVWVyTTRFMEJJa080MDAKLS0tIG5CVE84K1dQMTg2WHhnYnBMdDZT - dloxME9lajd3YW9Bbk9qUzVVa2UrYVEKUMlgxX2REGuvkpXwFhClOllkuUf/8E3v - 9QpcjUSWmExHTJcxvSUkEYL5C6lODL4172PfnQLt9QkdX7sYQUOFuw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aCtOS3lvM0pHU05oMnFU + VUZFaHNid2RESDhOVFFRR0dZQ2NsU1NvaVRrCkRHZ2lWZjBoa0Q4TWpaR0dFb3Jz + NjZMcFdRNThtTDJrWERVa0lSQlUwODAKLS0tIC9nSkdXRU40Vm9QMldYRUdFS095 + YWxmTEE4RktDakJGTHVsOURUUDExZjgK5ML6rKmO4rRcV6mFVhA3mjtXne9luTAi + 6lmVdYKIvKz5mQT2TqickgEDAdLcziz5e9xxwq5Nojf5V5obtCJs/g== -----END AGE ENCRYPTED FILE----- - - recipient: age1k3u3yn3adntn36cpnsqdze7gd029utgkndcw0zwck03ms3wegusshuav6y + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMTZRRlRUOVowT01vUVVm - aGNUQVllVVNKcVVoVXIyWmRLUEd5bzFVSjEwCm5iUUo3WWtEdHA4Wm1kSk8vcmRM - 
ZzJGSk51UnU5d2pjVzZiZGt3dlZETHMKLS0tIGw3cDdnNWxiZXdtMmhuRUpwV1Y4 - RXRvL2F0TkxGNm1LejR1bHFCYjkyU2cKn7QMPuwZ8ermG59uK3rHrJkuDZ2US0JG - Oj/ts8DXuu71TpTiiCXumThs+IjKQgARyv5P/jP/Souq9LppDtEDnQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbjhvcDAzU0Y4Mkc3Z1JP + QWI2ZCtJRHhzNTM0Zm5Gb0lCeng2bE1nOG4wCkFVTXZPcm5yS3FOQkVqN0NYTFZB + QmJIVTNSNDBRaDduUmJTbFVQV2R2eWMKLS0tIFlzbS8xcDhrb2pFc1dPaUorc1U1 + YWg4dDE2UzY1b1VldzBaSHc0dDgxemMKuQ7RXTLwKwrcNDv2tNmCTYcTnzOY1jO5 + 2m9CUSqeDRgMDfxO24Pt7Zk0YuGDdFONNMsBX8nm2RhCUhVM0nVmVQ== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSlVlMG14cUxUcDRseDBC - YXBtRk5oRlJ3dS83TDFicFM4WVZMT1VwelZrCkl5V01BbzRVa3RLWTF4U0ExRmR3 - cU9XMFZRQ2l6V0k1aFlucjlGL0d3V3cKLS0tIDJGWlE1Y1hhcjhUT1BsTXBtQTFH - bEJka0pvUUM0OTV3QWdNWWRhcldTSEkK/yRrMYy2YC7NTzir/LL97PV9LxvW/fm1 - 2YQIlSs6amPT32U46tnpqytVs0iR9Jobd153oAJjfhrAsGGP/msgsQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwMlpYOXZIcUdHU20yTzRG + ajcwTk9HT3lxM3JxbG1GMitQQnVHenFQRFdFCnFhK1RxT3lUVE55M09HOTZQTzJF + QlpWOXBtOGNWamxDdVRFcHlGRm5DeXMKLS0tIEkyK2Y5S2h5d0JBS3pJaXBVb0ow + dUhCRVh6eTkxMy95MjlkVlFVZVZGazgK6HewYdcLC1q/NY6ysanj2pQogpxQVWxh + +LrDzvjMeYOrQD2bC3rVBEnM4IFIur9RKg1JLPkrNI/bONX+Tsk52g== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUTJvUnE5V3NYNmZ0dERi - emh0ell0N0xBMkhjL3kxdkIyRWs4UWpYTVFNCnlqaVhiWUNXa0l1Qk1peHlxdDdQ - aEdkdFdFWW5zUlVBT1F0aERVQndheTgKLS0tIE83UXA1V21qbzFiQ3NFRnRiaS9i - TXEvWDRXMTZuellnT1BKRWs4a1VkaFkK8Sls0BOhgCj36HhFIlRclBltqXrcR7cU - POkvvHVfEXzZ8GzKOx3tyZZ7fnksNM9XFbofZ9/apGR9FP9mepnrdA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTWtEYnVJdWkyTVFSQkMz + ZWVKeE1hdlF5bXZHaWxJUVVWbzlnZ2JYVWp3ClpJc3JOZjZ0bktTdUlNZHcxNm5y + 
TDBJcTUvSG5mcyt1KytlQmViR0FXdVUKLS0tIGR3M3BhdkJqdElEN09QTXJVbFpS
+ eUZCVlh3YlRVTzU1YjZZaVd1U0ZLZW8Kr5wh1mo7P9dhUcQWGSDtY09uqC+aEYAF
+ Fo+1RM0vaZJ90MUygERU+tZsjoZuD+XL+ckdCquPLRypuidZvfeh0g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-03-29T12:22:04Z"
- mac: ENC[AES256_GCM,data:XncWerMNxizmY29/ktbk6qyENQ75RJ11x7STemdtds9+0g24pyRpuHV0oocetDRLmUN6Cg6qXwCkJ2cgR5MMzjUYsYRP2VlzGPwQpr+L6dmvYp+j+70X9Qk7bRfj0cRJn+gHhfkWSxpAvows0/9+wJcsFhowS/vihVoz2xjLoZU=,iv:yH0wEYRX0uuJeyf9+5E9qpwr8S5lUXpB9K5aWnHJShY=,tag:6aIhVuQOtfbWggdnF7zw2g==,type:str]
+ lastmodified: "2024-03-29T22:45:28Z"
+ mac: ENC[AES256_GCM,data:oU8t0LUz/gSpABrHfQi6uazu0hen7Z1Bu+LlBPWxc2hGOV+Et1YF2VZY11uA0th0aZ6t1sFA+DvBDuKKBv/S70qhz1KB5MYTmGfcHMWmLNTzoO35u5FSVRbrcWDX8Simj2Mfpxksphr9xzqlbCaMKiCj6ZrUFDKAfPPe+KPjJwg=,iv:8AKTtwoTHQbfjXwrozBiytUn4jGWKbBJLTzkod2Cdlw=,tag:XqBX+pA9x+m4Cl+NVZx0Lw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/nixos/modules/nixos/system/openssh.nix b/nixos/modules/nixos/system/openssh.nix
index 8b4f7b2..575fdf9 100644
--- a/nixos/modules/nixos/system/openssh.nix
+++ b/nixos/modules/nixos/system/openssh.nix
@@ -9,7 +9,7 @@ let
 in
 {
 options.mySystem.services.openssh = {
- enable = mkEnableOption "openssh";
+ enable = mkEnableOption "openssh" // { default = true; };
 passwordAuthentication = mkOption {
 type = lib.types.bool;
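Review bot: `mkEnableOption "openssh" // { default = true; }` turns sshd on for every host that imports this module unless it opts out, which inverts the opt-in contract `mkEnableOption` normally gives and means a host that never mentions openssh now runs a listening sshd. If the intent is that every host has SSH, state it in the option itself, e.g. `enable = mkEnableOption "openssh" // { default = true; description = "Enable openssh (on by default for every host; set to false to opt out)"; };`, and drop the now-redundant `openssh.enable = true;` added to dns01 in this commit; otherwise keep the option opt-in. The `options.mySystem.services.openssh` set continues past the hunk (`passwordAuthentication` is cut off).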