diff --git a/hosts/firgu/default.nix b/hosts/firgu/default.nix
index be23e47..2c83ceb 100644
--- a/hosts/firgu/default.nix
+++ b/hosts/firgu/default.nix
@@ -3,7 +3,6 @@ let
 metadata = pkgs.callPackage ../../ops/metadata/peers.nix { };
 in {
 imports = [
- ../../common
 ./hardware-configuration.nix
 ./matrix.nix
 ./shellbox.nix
@@ -34,6 +33,12 @@ in {
 system.stateVersion = "20.09"; # Did you read the comment?
 within.services.snoo2nebby.enable = true;
+ age.secrets.snoo2nebby = {
+ file = ./secret/snoo2nebby.age;
+ path = "/var/lib/snoo2nebby/whurl.txt";
+ user = "snoo2nebby";
+ group = "snoo2nebby";
+ };
 within.users.enableSystem = true;
 boot.kernel.sysctl = {
diff --git a/hosts/firgu/matrix.nix b/hosts/firgu/matrix.nix
index 7e49f08..531d5a2 100644
--- a/hosts/firgu/matrix.nix
+++ b/hosts/firgu/matrix.nix
@@ -96,4 +96,9 @@ in {
 extraDomainNames = [ "matrix.within.website" "element.within.website" ];
 inherit extraLegoFlags;
 };
+
+ age.secrets.cloudflare = {
+ file = ./secret/cf.env.age;
+ path = "/srv/within/cf.env";
+ };
 }
diff --git a/hosts/firgu/secret/cf.env.age b/hosts/firgu/secret/cf.env.age
new file mode 100644
index 0000000..c3327ba
--- /dev/null
+++ b/hosts/firgu/secret/cf.env.age
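Review bot: In hosts/firgu/default.nix the new `age.secrets.snoo2nebby` block sets `user = "snoo2nebby";`, but upstream agenix, as far as I know, names the ownership option `owner`; if this repo uses the stock module the line should read `owner = "snoo2nebby";`, otherwise evaluation fails or the service cannot read its own secret. No `mode` is given either, so I would add `mode = "0400";` to make the intended permissions explicit rather than inherited. The target `/var/lib/snoo2nebby/whurl.txt` is on persistent storage, so confirm the pinned module links it to a tmpfs copy instead of writing plaintext there; the same question applies to `/srv/within/cf.env` in matrix.nix. The enclosing attribute set starts and ends outside the hunk.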
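Review bot: `age.secrets.cloudflare` in hosts/firgu/matrix.nix declares neither ownership nor mode, unlike the snoo2nebby secret in default.nix, so who can read `/srv/within/cf.env` rests entirely on module defaults. Judging by the certificate settings just above it (`extraLegoFlags`), this file presumably carries DNS API credentials, which makes the defaults worth pinning: add `mode = "0400";` and a comment such as `# Cloudflare API credentials for ACME; readable by root only`, adjusted to the real consumer. The consumer of the file is not visible in this hunk.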
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-ed25519 extxyg nHfHVcsv2e5aa8Le8x84zdWQfE3TiUbTMM4RAK/8HXw +GWaA8XNg/w6qS7K5064jU6fZqeVniUNK2El/NIFUFwE +-> ssh-ed25519 0rx8bA 3xxBfxdgl2WC59+BToWEDNRzLPdeOb/6f/Tytvc+K2g +1mfkd3thjBMED7fS1UJMPgTGywgxjiasdllpIsgsefk +-> ssh-ed25519 ZvILxA V1TM0aSacrOe6VGF6m0vQBoqKfg6Z6YQHpCoKg2TlVE +XBPWPzUEkazB1f1uxQXLaKLi8TtOQ9moxG7DtUk9lRk +-> ssh-ed25519 x40ZwA rmQEFwaxgLWoX3hPQzQ9n7gY0N48BRxzq9GUFJJRUno +OgUyl1S216E4BWppFjT/MMoy9Hpf1TODW9siEaNLffY +-> ssh-ed25519 Cb6l4g yTsovU8vVFe9P/DpzzY2983GWPB0MjW1apDL04E3ZBQ +QxscEqibJqsgcgPFKStHXmcvX9HbwpPRcb76/ol8dGA +-> ssh-ed25519 6Sqpww dImNfMzyWtDdaebp1XGVFojAMETDazTpNLYDHhpLsnw +DLcQlK4mn5HzAf3MXzR+hqQqvvw/Uonbx8SfFTaeUO8 +-> ssh-ed25519 H5HtPA W5K0snFwGGN+iTn4prC5tns8Nl7Hryi8QrqZ/MrZPEo +h4AAu4jKiFpcTtuN5G7NfRqB6Fm84KYnKJM0njuAVWQ +-> ssh-ed25519 YcYwVA S/N6GvXHURyHnp47G7tiVdDPEMA7pV6Dbl99P5nYRjg +Ody+QTg/m+iTKB/s8r7pXIe7BdcpD41zJJ5H5YWPOgU +-> ssh-ed25519 6Mkn0Q 7lZpuleWSq5ucceHAB4wTjllAz6NfVrqqEmEWeJO1zM +JSUBNOUHhCZBV2ty5/Zi27ocYsxu/oQwT6MHRxphuwk +-> ssh-ed25519 jO2MvQ RpYqccGjW6Uqdi31cnpNhUjm2yEuWn5YBQ8XTpwYkAU +PIn6XNeZS45wjZXsO3N1NxKe7thERAPZTru7+o19tJg +-> X6Q0-M_-grease ^QO^ O(~7'@^ $Ma r3 +1XVvy8GtDMuAsaSDl++SuDy61M+aS4AYR4h9C2Ub/b7jh2U8l2DEr8N2EkJhVYKo +aqmQ0DzgV9mxFPK2vl6zr04fGON+4+KfsyQgen5uQaBsawLn2MsFvARy3A +--- uXGb+F9FfmNq9E/26j6+XCLYmXuJIbKRRxgliZB7XBg +-t4vKd+QrÖ`_+K"tQ{T>s| 6Qz1dB B3ra))hiWD#Tcؕ#ޜ?X݃7@!ʨ&[5ٚ',}a7̶> 6ڳ \ No newline at end of file diff --git a/hosts/firgu/secret/snoo2nebby.age b/hosts/firgu/secret/snoo2nebby.age new file mode 100644 index 0000000..ab90b2b --- /dev/null +++ b/hosts/firgu/secret/snoo2nebby.age 
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 extxyg 8bh9qqxT8ONVQFEuETptWXm7dNhEws65uzT/qa/qewY +LJDsWf4inwYUuA9+tEp1zo5coaldAzHL6gL5TV6O82M +-> ssh-ed25519 0rx8bA uPlLodKVRUG/qzcx16a3+/659feslmZ3x4/Lt+b6dnI +eprTco5qrva2RYEs3W2E6gFigR7bCXYpFXGDEamf4Lo +-> ssh-ed25519 ZvILxA oUmNooEA+bAHhzXvFdl31ih+tcDg/CKk42fHZSPSdVg +pgDMzgtpWvYg+jnP+FHTsuj9ZcYuGLHVOw4ZIRPF0i4 +-> ssh-ed25519 x40ZwA Yl+mVvmy+MA0c2napnHeG0UAvKeoyqjYCnDQ5p/n/RA +zfC81V/5qp8VXPV4z5UufDa/haEvPQm/Mr3Q8MW46Bs +-> ssh-ed25519 Cb6l4g L7RTEqOYLnXuwjn1Uz+nkov5k/VKB96PlWMbA1pr9jI +9sQ7hROXXI5dQJVdee1LQQqkC6EbAzsNwJrc2nDoWuw +-> ssh-ed25519 6Sqpww qH0AmWWcPsqROahcEHjfEKr95NcBAShfY9ocC52oqwY +WEYfeyJuJNWgZ1DkQOSoL/B8PBS3zRaUsrHC9LZVH0s +-> ssh-ed25519 H5HtPA e/pN1CYVsJ6sPOhUTXj7S/cNTENJNzdK9nYQt/U66AM +11knvZvdDUOLhoHx5dkP3UtDFDtU4dFvVvfFGogavsg +-> ssh-ed25519 YcYwVA BQ39UnwIOWL656MJfqS2il/XkRGJArkkLujuvqyGmyU +4/pbDp5NTcyL7rW1ufge3WWHfQx1Nbd2XjGljkdyNPY +-> ssh-ed25519 6Mkn0Q o0nOEYWMC/pt8PuGiM6ZSZxoX/XDE7xpH5VQ5Ucv4GU +dhspWlY99db6p2FJ8LJIMb1EvZ2ePvzbNLpaPgPoRZc +-> ssh-ed25519 jO2MvQ JeBNrhVMZuCpoY2dIFE8cPUsGanBZTX7gKAITnwQiEM +jkRMfNQtEU/kts5nHP/QnQh4xkV/Kw7U+XHGqSIMm20 +-> ;Bp}r-grease )M*/ +KJKydWSfJaRZ5VzwpvLgF2Xvny6JvkZT1CjZf+S5O8f0cHyZJ7H/QeB60cswkMMr +b7IEAgrjB/pElp0PWtAmAgIi2H0V +--- tt38NrseQLBdPe1FOZAz0jC75BHHCSrStimqLjoZVD4 +lk,ǧU +<䋾T vC"֠:_9r@ -VTEe=8ݯZlS^J&mg͉ 3$ʈ z| + pa(A[{2 \ No newline at end of file diff --git a/hosts/firgu/shellbox.nix b/hosts/firgu/shellbox.nix index 73369ec..9956e38 100644 --- a/hosts/firgu/shellbox.nix +++ b/hosts/firgu/shellbox.nix @@ -84,7 +84,7 @@ in { }; security.acme.acceptTerms = true; - security.acme.email = "me+firgu@christine.website"; + security.acme.defaults.email = "me+firgu@christine.website"; systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; services.nginx = { diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..ebf366b --- /dev/null +++ b/secrets.nix 
@@ -0,0 +1,35 @@
+let
+ xe = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9 cadey@shachi"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPYr9hiLtDHgd6lZDgQMkJzvYeAXmePOrgFaWHAjJvNU cadey@kos-mos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOyr7PjUfbALe3+zgygnL0fQz4GhQ7qT9b0Lw+1Gzwk cadey@lufta"
+ ];
+
+ hosts = [
+ # chrysalis
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDA5iXvkKyvAiMEd/5IruwKwoymC8WxH4tLcLWOSYJ1"
+
+ # itsuki
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP0eD0K2FqhkkIsUrYfmHigwbaUgOSotdSsNlLMRJiqx"
+
+ # kos-mos
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINT+TxO1wYtifFcd7b5+asgImZb5ReLV1dTj6C2qgKzK"
+
+ # lufta
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMADhGV0hKt3ZY+uBjgOXX08txBS6MmHZcSL61KAd3df"
+
+ # logos
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/P13gDGzvfbCRwLD6hXnnH8VRYLOCiQ7kbIMTK9I2w"
+
+ # ontos
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJ0MKlPgIfnS9T/sh57tz4pL5DND4RU7bXvhNCLo+8g"
+
+ # pneuma
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMYB+fI24NlIA+Zc7G/3whu8vK4+EdGKkygrE++zTXq"
+ ];
+
+ publicKeys = xe ++ hosts;
+in {
+ "hosts/firgu/secret/cf.env.age".publicKeys = publicKeys;
+ "hosts/firgu/secret/snoo2nebby.age".publicKeys = publicKeys;
+}
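Review bot: The `hosts` list in secrets.nix has no entry labelled firgu, yet both files live under `hosts/firgu/secret/` and are declared in firgu's configuration, so that machine may be unable to decrypt them at activation unless one of the listed keys is in fact its identity. In the other direction, `publicKeys = xe ++ hosts;` makes seven unrelated machines recipients of firgu's Cloudflare and snoo2nebby secrets, so compromise of any one host key exposes both. I would bind the consuming host's key to a name and scope each entry to it, e.g. `"hosts/firgu/secret/cf.env.age".publicKeys = xe ++ [ firgu ];`, where `firgu` is a new binding holding that host's public key. Narrowing recipients means re-encrypting both files, and because the old ciphertext stays in history the underlying credentials should be rotated if any dropped recipient is not fully trusted.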