From 22836a44d739720875f1fb4f7ec7ce1b1968dc37 Mon Sep 17 00:00:00 2001 From: Charlotte Van Petegem Date: Thu, 16 Sep 2021 13:41:55 +0200 Subject: [PATCH] Remove some git-crypt usage --- machines/lasting-integrity/default.nix | 67 +++++++++++++++++- machines/lasting-integrity/secret.nix | Bin 1964 -> 0 bytes machines/urithiru/default.nix | 18 ++++- machines/urithiru/secret.nix | Bin 487 -> 0 bytes modules/base/ssh/default.nix | 6 +- modules/base/ssh/hosts.secret.nix | Bin 761 -> 0 bytes secrets.nix | 2 + .../files/programs/ssh/host_configuration.age | Bin 0 -> 3141 bytes 8 files changed, 89 insertions(+), 4 deletions(-) delete mode 100644 machines/lasting-integrity/secret.nix delete mode 100644 machines/urithiru/secret.nix delete mode 100644 modules/base/ssh/hosts.secret.nix create mode 100644 secrets/files/programs/ssh/host_configuration.age diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix index 6c17d8e1..84abd8aa 100644 --- a/machines/lasting-integrity/default.nix +++ b/machines/lasting-integrity/default.nix @@ -8,13 +8,27 @@ time.timeZone = "Europe/Berlin"; - networking.hostId = "b352adfe"; + networking = { + hostId = "b352adfe"; + firewall.allowedTCPPorts = [ 25 143 465 587 993 4190 ]; + }; # Machine-specific module settings chvp = { stateVersion = "20.09"; base = { - network.ovh.enable = true; + network.ovh = { + enable = true; + publicIPV4 = { + ip = "54.38.222.69"; + gateway = "54.38.222.254"; + }; + publicIPV6 = { + ip = "2001:41d0:0700:1445::"; + gateway = "2001:41d0:0700:14ff:ff:ff:ff:ff"; + }; + internalIPV4 = "192.168.0.2"; + }; nix.enableDirenv = false; zfs = { backups = [{ 
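Review bot: The hostId, the public IPv4/IPv6 addresses with their gateways, the internal address and the opened mail ports that this hunk brings into default.nix now sit in cleartext in the repository, and the commit does not say which of them were previously considered secret when they lived in the encrypted secret.nix. Public addresses and a hostId are discoverable anyway, so this is probably intended, but a one-line comment at `networking = {` stating that these values are deliberately kept in the clear would stop the next reader from treating the move as an oversight. The `firewall.allowedTCPPorts = [ 25 143 465 587 993 4190 ];` line opens six ports without naming what listens on them; `# mailcow: SMTP, IMAP, SMTPS, submission, IMAPS, ManageSieve` would tie it to the mail proxy configured in the next hunk of this file. The enclosing attrset continues past the end of the hunk.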
@@ -33,6 +47,55 @@ games.tetris.server = true; services = { matrix.enable = true; + nginx = { + extraPostACMEScripts = [ + '' + cp fullchain.pem /data/root/mailcow/data/assets/ssl/cert.pem + cp key.pem /data/root/mailcow/data/assets/ssl/key.pem + pushd /data/root/mailcow + ${pkgs.bash}/bin/bash -c "source mailcow.conf && ${pkgs.docker-compose}/bin/docker-compose restart" + popd + '' + ]; + hosts = [ + { + fqdn = "vanpetegem.me"; + options = { + locations = let matrixRedirect = { + proxyPass = "http://127.0.0.1:8448"; + extraConfig = '' + proxy_read_timeout 600; + client_max_body_size 10M; + proxy_set_header X-Forwarded-Ssl on; + ''; + }; in { + "/_matrix" = matrixRedirect; + "/.well-known/matrix" = matrixRedirect; + "/".return = "307 https://www.vanpetegem.me$request_uri"; + }; + }; + } + { fqdn = "www.vanpetegem.me"; } + { + fqdn = "cvpetegem.be"; + options = { + locations."/".return = "307 https://www.cvpetegem.be$request_uri"; + }; + } + { fqdn = "www.cvpetegem.be"; } + { + fqdn = "chvp.be"; + options = { + locations."/".return = "307 https://www.chvp.be$request_uri"; + }; + } + { fqdn = "www.chvp.be"; } + { + fqdn = "mail.vanpetegem.me"; + basicProxy = "http://127.0.0.1:8080"; + } + ]; + }; nextcloud.enable = true; syncthing.enable = true; }; 
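Review bot: The `cp key.pem /data/root/mailcow/data/assets/ssl/key.pem` line in extraPostACMEScripts creates the destination, when it does not exist yet, with the calling process's umask rather than the source file's mode, so on first run the private key can land world-readable in a directory that is presumably bind-mounted into the mailcow containers; `install -m 0600 key.pem /data/root/mailcow/data/assets/ssl/key.pem` (or `cp --preserve=mode`) keeps the key private regardless of umask. The script also depends on the working directory being the certificate directory for the bare `fullchain.pem`/`key.pem` names and on `pushd`/`popd` existing, i.e. on being run by bash from that directory; how extraPostACMEScripts is executed is defined outside this diff, so a comment at the top of the string naming those two assumptions would help whoever next changes the ACME module. The `docker-compose restart` is run even if one of the copies failed, so `set -e` at the start of the string, or `&&` between the steps, would avoid restarting mailcow with a half-updated certificate pair.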
diff --git a/machines/lasting-integrity/secret.nix b/machines/lasting-integrity/secret.nix deleted file mode 100644 index c82d826872634e13128f3b30ae49f23dc1e43b5d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1964 zcmZQ@_Y83kiVO&0a9q1ag-^_TUD@QwSgPBu@e ztUpj7T(FRN+k9I`_RO72Pue}4#dSD9C!by5mgYmTXYTtC=Cs{n{@Z@2Vw&{2H^nQT z^`)G7$Hi!K%`sU2RgdoFtq0U@C1X0~i= zab3p#S2(2jT&IiUdOeY|>=p0cslO?dJbr?2dEWZ3*BR%2dbH)#k_B%Wg_l|CG3{WT zD*Es9<-N1FyA?a^3zna{uJc%}uxU)@OUa%`u4n#u=^7k9wnjJbk)ep>o*(S~4wY*& z_J=Rho#mF_zUjpAjV4>{bhd;hMf?khp62j8L{2H#=C#~I4fA;^tTDe@=P5o}nzry} z)Rcwthc?U>S@rVpm0GEg@9HNf?>(M3iEDw7<(hnzxY{<{D2_8b3AXH0pzJ<@z8x9-_FTip0% z{bH$&hfnqeCTZ@KTQpJqqRlU}Zx2n`52R%ZPGDBmPtYz8Y~B?aDtY#=bcN%F_{YzW zIG@z&QvNwrTh3jJOWa+&`G2R}s)p_RyxPp~w}<`OkQwdf8!Rz*S-{(`?XoozqB%F6 zy%x#}y*R4yEBuw}mKTbvZ%A7*wQ1+=e6%w1`C2v>i}^hEw_h1PyPzTQ>GwLvqkcAf z3=i+oSoy`{Z`75)_tvYGPUQ=q_gFuv)-L0<$H_-;ZLDlI>C6gDntI`DCI7p=p1p zZ62Th;l;0xUgym)R^{2ZiOJ;gvIh+QJv^sXCTt0|;N8!$UGQ|D$d$&Op?f5v=kk4x zjoP?&*VP?OY}bB&omlu#_JHbNt8QT&1OEDRpK)bJyW@zh?3ZerF3g zUZy+ys`h{N&0fEr?s}&vBIwMop6=?De&)PRx^0q!@1)>GeA}n@tTbCD74T49?D*dn z@r;}atM)L5a8`3T=+4a0n{j!SQtbU3jl~ZC=0^3NS(&17kJ)oa<eJZiX*< zTN7R`zR56YTXjKw&+F=Hh3SQnb1#O;PO0LWeyy{;ev{hAcN@ZTT36@rC#P33OZqED z#m5;f4Yx`NS{f@@BEy^TaKG@f)VIbQ4^E_)TzKHDoDsnzo-}ja>bLSWx4hHm@NSHF zo8J4R?5{}Gy3MDe70$Pb_SEXjHl64`do+CIj*C~P?-J^a3EcR z*p0txTV0Mlyj?84WpD5@V<(r59TBy0!LfH=o_1;!Jh5Z*of5_tjqAH!d)^eVnOgPs zq?uKh{rtkjz{uR}jx_)DHIstsW*ibw-+g20jdkG*C1$^?x9{EUp3e6w)F<*xnSNCN z$|EOk%`!CLo7=Q*{SqyG8Z`SJV6bebw8nPo!y{j(J(T&p*m$5rb32 z@&}IoRrjXo%w&(?xUyuz$;_!-Ve)av1d37?KjuW@IB-d0R3Wq}Lh(r0?zw_Jv@LoF0=yH|R(u8z=ZA}|@$<-n`qS@=R z=Eb^*@4YMV{q5Xk{%_T!*c4XHEaI7#-0#QsBJ38+DV2Z<(X^?~rr$39%SaI3aiut0 zUe?KC{`BozTcxz^6^p!cI;G8}j$X?6FHkgR$*Q$i{};F}H@%r4`*n_#-ns>O((@+l z3*WN*n5*2MQZ+xl4KKZB$9~?NwB(rOZeMfdhx+TSmdf9pS&>{MBQE$S%SETLEBks& zWph&JmJ7G)!bD3E%VF z=Ix7TLrZ>1XKQ%J1CXr=T#l61~ zlejOQ3k&sclb4#L_9S;%?Min!g`hPX&x<5JUy$s{n=SjJ(=2?&o|n=JEH}zdC+;@B 
z^1X9vw3v_NO0`J!v@+9gk5_HT^-w?Da`o}Xtt zDmBp}_U9GTJsFppepu7>;pn%kEsn>Y{b4v8?Q&&R`W)NWDsx|54tO&?&iur+S5YD} zRU(C%U&}{bzV>3r8(GVhOI>bF+0^XFDORBKJMj1S?UvbJzCN7W_3*^3g0-caR&Dv| z8e5m|zqZ@FaA982`tPNz)e8@`c0SR~($Jmr)JiJS{G9rP=S_c>w@qW3cv|W3#Tqq< zDaCE4t8#>EKbsi|i602Fiuo=avf|y`DeNVM$>u4Z`y+&(C9Rsr&WEz>fX8v zr~dKSo#mgiUh>4ZL>^9->t$;54}acYw`R6s+};YF{4)jD*Y5bJw@YF7y^l^d9e`y}$H^m}XH_3NjJ%dD9$zV&jJ!*aK`6XXrK06tUm A#{d8T diff --git a/modules/base/ssh/default.nix b/modules/base/ssh/default.nix index 3226a200..5d06fcbe 100644 --- a/modules/base/ssh/default.nix +++ b/modules/base/ssh/default.nix @@ -22,10 +22,10 @@ let userKnownHostsFile = "${config.chvp.cachePrefix}${home}/.ssh/known_hosts"; serverAliveInterval = 10; extraOptionOverrides = { + Include = config.age.secrets."files/programs/ssh/host_configuration".path; IdentityFile = "${config.chvp.dataPrefix}${home}/.ssh/id_ed25519"; HostKeyAlgorithms = "ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"; }; - matchBlocks = import ./hosts.secret.nix; }; home.packages = lib.mkIf config.chvp.graphical.enable [ ssh pkgs.sshfs ]; }; @@ -33,4 +33,8 @@ in { home-manager.users.root = { ... }: (base "/root"); home-manager.users.charlotte = { ... }: (base "/home/charlotte"); + age.secrets."files/programs/ssh/host_configuration" = { + file = ../../../secrets/files/programs/ssh/host_configuration.age; + owner = "charlotte"; + }; } 
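Review bot: The `owner = "charlotte";` on the new `age.secrets."files/programs/ssh/host_configuration"` entry conflicts with the file also being Included from root's ssh config, since both `home-manager.users.root` and `home-manager.users.charlotte` are built from the same `base` function that carries the `Include = config.age.secrets."files/programs/ssh/host_configuration".path;` line of the first hunk. If I recall OpenSSH's readconf correctly, an Included file is subject to the same check as ~/.ssh/config — it must be owned by root or by the invoking user and not be group/world-writable — so root's ssh would abort with "Bad owner or permissions" on a charlotte-owned file; worth confirming on the host before relying on it. Keeping the owner at root and giving charlotte read access through the group satisfies the check for both users: `owner = "root"; group = "users"; mode = "0440";`, assuming charlotte is a member of `users`, which this diff does not show. If the configuration is meant to be readable only by charlotte, declaring a second secret for root, or dropping the Include from root's config, is the alternative.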
diff --git a/modules/base/ssh/hosts.secret.nix b/modules/base/ssh/hosts.secret.nix deleted file mode 100644 index 76622f368e01a9724fcdc702a71c102209efb4ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 761 zcmZQ@_Y83kiVO&0Fqf`%bS-|NaIxvl!P(k;(<~PCXiO?8p2pbtXp>9K47t43COx;z z?%s20p0b9&O{3I-XF;$}Z%C)1+rz%KJ2~&{iBWDW?S1rCyz6KFkNDM|MxRes)a;x7 zOiN$ixyjSEOjBCo@Ha>MuzYFH>y6=)=ka`~(%;2+Y(d}Gk{SDFv8)uI;8{t8VGtx8z@hOnpwqkw0@v^_v)5CI3vFHf{d@ zV>UcaZzkKRhTlwzRBTuveea4+>)Y8$NB(Zl7kkbglfT9#>D0f@Ige9&HkHo&b^Y~f zq3zGy;%~KndQ-G+L6c+qjG1g=&)wpfLbh2Ye7tnsb|HewG&LWP5Uc#+Dj~^1tb) z-l#MR-DQ|LWu9*OLY|0yA6pZ}Cze>2u3+GLz1(n0<-{4?R%@?IgrCo5TiUBCdWV0( zUBySaf$MiD9+s7yet_Xkq5byv!57Y7z5j?UYwK;xr&6<sZ)JqT>8cq*;3Mhw^pZ&?yRAA6c0DI;O$;(+l-i zM;5Qibonx|JgJALFWdLvExDP?&&b!h{oTs_>v@dknM|Wix%1i|S6OWLY~!2zhI!8G zqc&KqbGqy}=n!Nv}-7DRj(0x|I>+7wV6RNH?%C2topDJ=N-23cd zmOlB@f3!GPp1t<@%*`E~T2qcaQ1q~l*#E0r#Ix_=fk{4Ju5Er|adC;_<&*PLR{2b+ zWmtCj{l(00`M((^-znNH+?bl&KD9KT)AQ3bsi}9Drn^1-Z5YCEJy#&()h)H8rIvQA epAvnNPITlkOg`zjK3LOZ^JR16l{1*G>;(Xj8G6(J diff --git a/secrets.nix b/secrets.nix index 4a3b2330..19e700e5 100644 --- a/secrets.nix +++ b/secrets.nix @@ -46,6 +46,8 @@ in "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users; + "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users; + "secrets/files/services/matrix-appservice-slack/config.yml.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/files/services/matrix-appservice-slack/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/files/services/matrix-synapse/config.yml.age".publicKeys = [ lasting-integrity ] ++ users; 
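Review bot: `hosts ++ users` lets every host key in the repository decrypt the ssh host configuration, whereas the neighbouring entries in this hunk are each scoped to a single machine. Since the Include lives in modules/base/ssh, which appears to be applied to every machine, that breadth is presumably required, but a trailing comment such as `# needed on every host: modules/base/ssh includes it` would keep a later reader from narrowing it to one machine and breaking the others.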
diff --git a/secrets/files/programs/ssh/host_configuration.age b/secrets/files/programs/ssh/host_configuration.age new file mode 100644 index 0000000000000000000000000000000000000000..552fcbd1506a51afa89d15d974c72b76d916fb3d GIT binary patch literal 3141 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH&2@{)cT{lJ4oEig zN%b~NG{{KGG&FK9j_?W0Dl96`*Z0UzFUT?Qw=}8ph%idcu;5Bc3rW(CD#;7aGfj2$ z$kTRCG54xWF0QgLC@}YTPV|g2Fe#|a$}~4GN=COWF*L=}FI^$0Fw!C<*d;O|G$S<3 zz(PCUGsMEO(5$f3C*L$L)7zlfJuI`>E8X42Et|{C)Xgo`vn(Uj$*Cx#D%;Z{BF)63 z)VRDdDk`cV+$(9pEPEXP!X661)d$cU^e=j@8qG*i#KVAE1V zv%t!-A~O#YXaA7k&|-AkECbS9odOm7Jl(U5P0|f=5_7yPeTs8Ei_EG#oeHzf-ILrh zw4FRHv(ggvo$_5wva`8dEkpfEa?%RYQmc$JLJB-eEDQ6}vMNgRy{gPS0(|pxOT4QJ zJ#*cILbK6rE4D03vPf6(H1y2!uuRR(_e=N4&C2(5iSl)h@+dVgcGPz9OgC{Wk4g)4 zEHX&U2rK8(&+#yij7T*OFpkLZ36FFSEl$pIa&b4zH7)maHPB0MCN##NtE)zYKE=GiMj~aHqm3ZSNp$&oI|eQ|%J7++waQ z9}_pf^d#4^oZ{R(L-VQ}!$bpPPrvfi9Iv2E)2O7(a3_DWstiMe6a$doA`1%DR1|%6 z(~D9Qi&GWSJQCvFgB=_ctV3OG6m;~A>dFk9xymAQf-^I!d{e6|{hUgjQu0$%3&R5< zE2Aue(km-N3?oYe4E%Eg%8U)e3KG5i{6qA!4J$GdExB}cbrph~91R1CwSE1=L$$Mv zT`Egm(kzU8GYwLLOAAxYv%?I_tI{KLEEB7oBf0v&zKpqJ?wJ&^abCyE?YgEyJ9Brw zSU(}$yyjw|O{sDAgzhsPTGe?!A4NZpP7T`HSuGsZ^?%(C3B3)E*Eb#CzT~pte!sGH z?i0BZWEL%$QOmNV;K3Hjs`%+jdDdzc@~3VU6mmS>&Z2C-{7uG#Wfs#Cc7OG~{j=U= zPyf9Vg%fc%7T4UGk@^0(l~Cy}wP&F_S$Dko@A7x?hMhhiLS`E``%QOFVPA6bp#1;E zAH!^~Zdji`cYTFo#TLa|Au5q^@ytpWKW@)F_-Ep`8IocR6F*s97Gd_hrS!jw_d-m^ zs!vV&w*>qYJlOTVpOIL+Jo0bip#$FcOj^Z%M;^@BQn&np{gSsOW?IW%H^&8Q%fEj# zo5eScY0;uxk6jCY%LPj^y`16Bb7S82*}-YoM4jFp&pL6?_;rh~#;<)dx7vvdI!W>8 z?8yD}(DG@6w^~Bd^Z64O%NiRS)`TRosGct^5%Ax3prYgbHLE#?GXASH9i3b_@9w9( z(=HAZZhfA4^|JbuO*>8ey#ps-;A#7)QM}wfsCmMc%>4Yf??ieuX4wZ`zGgLZ(UjTi zRa#F@Te|B)?o_u-r8g)0N)J4bGWlft*KW#@A2G8Q>z^v;PHFitMQ=h{Ny@UevYSyy z{}qdD%-DW->IS_8`L@fquZBoTT(DWL_3YP!pZwA54{|8>r{F>+oNe`iK;}>4C9C} zo=dA00(SeJo_L#e;oYP!CwgxD|ER&k^WndnaYi1?b>qgu7jGrHKN&39^HSqirCQmA zC%J82D^%|&udVyiBU&EZ-dZ=sc3Rzb+kTu`Rw1!Ctgp}qpwSc zRZc!Hqt1Ha?a`?-?ks&Zk^koGC!+69e*G5wfAgJh4kvE&e{T!TnHqiZp4;sQrm9jW 
zFD!dGqjJv{8z)r*$(SV}hkflnSWeg#=K1)_iT{TWuM&!>+Y$7(?N++`0{3gjuJnb5 z|1~YD%(Xs`Q0vFzl@s1{Z(1wwTsi?+rn>j zS#!D0emLy=LgUx6(%fR5nRD+(#+~GgWMx|Q;OEmzl}F{*_P+YWapnH0o<&WH8zx;n zar^wFU0s$v<_X_!9CxeNW_Yn$^je3B@Xj2Y`ZfO|QdU0A`I>)q)$N;CPjJpq%8LGZ z^@n3;bjRPb%brTfF6G{J^@m5-5^ufo&tF!pPd?kr7pXUCKhvAPU$&Tu@E4!AZM%>y zT@a)(bzj)D*e3@zYWW8?t`%ajntDz=)nW2&wJ&)gKQ1}VEUaWtWWAM|I{SL7%^uMQ z4TksII3FEc7C2eWuSbRZNt?@@-ghULHX7~W`6%)n4V|vrQxG#ThGCD|RZwnSntW;;7 z_D3&sBYV=H`t^YtD{|u!=PiEm=yPBhyY!tStX5e(;4%`E`v0yOtg0`yRDV==I-oy=%SAqbug8o^kr{ zqg9;WiQ$VYhnr~ilD{&qO473R7%OTcj>K}vZE1LFnDdr%@3ht%{yS?v8Ps0M2-eh` zsLZ;uBQBukYu@s;zjCgZZ!&CpzhU*+-ebW!4Ib0gez1wHoX*tf`1rI+Nnl`X_UV9$ z3nW8NTJalib(sCM(M9G?yQ0qQ5XnYrJR79ZJ?syxX^#^jn)(R|73crMX1TbS=2 zkqnJgPqoSqW9l+{GEG$3O5?q6Rm1#d?E;l7gU)0wkDt>WCnjA8v7YE=d%V}`j?_!8 z-Tka78~@MlXV|<;w7Yg`OYsD)HyO{rS~{L6x)EUaY-^`q!MQgV4}WCcTmH_)=#fRm z%m7|f>$vab(-lNsxRmBBSR?Z^UFKE2?}~{n6&aj)zn0Bi&#qx(8g$6=QTM?Gul)Bs zs=U9GecIVgY3dzT zyB{1i-fliw_DR_)t`eEHjfa>w$X?!a+-t4ssi$j~{FN*4dp!TtyCtb5<~Cc-iC4+p zyLVtGrvt|n&HEt?T;G2yuHt_uWHd?O{*n1lWt-Nh{XZwfn40qb?jH4KkQ&`USHE+W-tV$`z2`ls=tKLN${JEs<`}hnb`6-mT&O*rWr~3cizs{l%ri?lZU$CQ+3WvNJ^8cU(%=he z0bkEgdKGebamtxzP2M&goL$nNn@=a&_$fA7P2w!F36fMun$Gmye8Gmz7EFx2%MBiU jEd9sR-TUU++V$=Htm-LO-#l5xsPbWFO;5e{+YMF#(bb^3 literal 0 HcmV?d00001