From 91259d02e71a10c4bab531a89e40864df2bd02bc Mon Sep 17 00:00:00 2001 From: "xyno (Philipp Hochkamp)" Date: Thu, 14 Sep 2023 15:50:04 +0200 Subject: [PATCH] desec --- hosts/ds9/default.nix | 18 ++--- hosts/picard/default.nix | 70 +++++++++----------- lib/options.nix | 2 +- nixos-modules/services/authelia.nix | 41 ++++++------ nixos-modules/services/hedgedoc.nix | 19 +++--- nixos-modules/services/tailscale-to-vpn.nix | 68 +++++++++++++++++++ secrets/autheliaEmail.age | Bin 1211 -> 1154 bytes secrets/autheliaHedgedoc.age | Bin 1618 -> 1589 bytes secrets/desec.age | Bin 0 -> 920 bytes secrets/hedgedocSecret.age | 34 +++++----- secrets/secrets.nix | 1 + 11 files changed, 154 insertions(+), 99 deletions(-) create mode 100644 nixos-modules/services/tailscale-to-vpn.nix create mode 100644 secrets/desec.age diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix index c5444ce0..b094da64 100644 --- a/hosts/ds9/default.nix +++ b/hosts/ds9/default.nix @@ -25,9 +25,9 @@ in services.syncthing.enable = true; services.syncthing.user = "ragon"; - ragon.agenix.secrets."ds9OffsiteBackupSSH" = { owner = config.services.syncoid.user; }; - ragon.agenix.secrets."ds9SyncoidHealthCheckUrl" = { owner = config.services.syncoid.user; mode = "444"; }; - ragon.agenix.secrets."gatebridgeHostKeys" = { owner = config.services.syncoid.user; }; + ragon.agenix.secrets."ds9OffsiteBackupSSH" = { }; + ragon.agenix.secrets."ds9SyncoidHealthCheckUrl" = { }; + ragon.agenix.secrets."gatebridgeHostKeys" = { }; ragon.agenix.secrets."borgmaticEncryptionKey" = { }; # services.syncoid = # let 
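Review bot: Dropping `owner = config.services.syncoid.user` (and the `mode = "444"` on `ds9SyncoidHealthCheckUrl`) leaves these three secrets with agenix's default owner and mode, so only that default owner — presumably root — can read them now. That is correct only if the borgmatic job that consumes them through `ssh_command` and `before_actions` in the next hunk runs as that user; as far as I know the NixOS borgmatic unit runs as root, but confirm nothing overrides its `User`. The commented-out syncoid block right below suggests the syncoid user is gone, so a short comment would stop the next reader from restoring it: `# read by borgmatic (runs as root); syncoid no longer uses these`.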
@@ -79,7 +79,7 @@ in }; exclude_if_present = [ ".nobackup" ]; encryption_passcommand = "cat ${config.age.secrets.borgmaticEncryptionKey.path}"; - compression = "zstd,10"; + compression = "auto,zstd,10"; upload_rate_limit = "4000"; ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.ds9OffsiteBackupSSH.path}"; before_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/start" ]; @@ -130,22 +130,16 @@ in boot.kernel.sysctl."fs.inotify.max_user_instances" = 512; services.openssh.sftpServerExecutable = "internal-sftp"; - services.openssh.extraConfig = '' - Match User picardbackup - ChrootDirectory ${config.users.users.picardbackup.home} - ForceCommand internal-sftp - AllowTcpForwarding no - ''; # Backup Target users.users.picardbackup = { createHome = false; group = "users"; uid = 993; - home = "/backups/restic/picard"; + home = "/backups/picard"; isSystemUser = true; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0" + ''command="${pkgs.borgbackup}/bin/borg serve --restrict-to-path /backups/picard/",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0'' ]; }; diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix index 20da0cca..64808563 100644 --- a/hosts/picard/default.nix +++ b/hosts/picard/default.nix @@ -42,10 +42,6 @@ users.mutableUsers = false; services.postgresql.package = pkgs.postgresql_13; - ragon.agenix.secrets."picardResticPassword" = { }; - ragon.agenix.secrets."picardResticSSHKey" = { }; - ragon.agenix.secrets."picardResticHealthCheckUrl" = { }; - ragon.agenix.secrets."picardSlidingSyncSecret" = { }; services.nginx.recommendedOptimisation = true; 
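Review bot: The removed sshd `Match User picardbackup` block (ChrootDirectory, ForceCommand, AllowTcpForwarding no) applied to every login of that user, whereas its replacement is a per-key option string; any further key appended to `openssh.authorizedKeys.keys` without `command=`/`restrict` would get an unrestricted login as this system user. Keeping a minimal Match block that retains `AllowTcpForwarding no` and `PermitTTY no` is cheap defense in depth, since `restrict` only covers this one key. The forced command also allows `borg serve` on anything under `/backups/picard/`; picard's borgmatic configuration in this same patch points at `/backups/picard/borgmatic`, so `--restrict-to-repository /backups/picard/borgmatic` is the tighter bound, and adding `--append-only` would stop a compromised picard from pruning or overwriting its own backup history on ds9. A comment next to the key explaining that the option string is the only access control for this user would make the intent explicit.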
@@ -76,14 +72,15 @@ ]; credentialsFile = "${config.age.secrets.cloudflareAcme.path}"; }; + ragon.agenix.secrets."desec" = { }; security.acme.certs."xyno.systems" = { - dnsProvider = "ionos"; + dnsProvider = "desec"; dnsResolver = "1.1.1.1:53"; group = "nginx"; extraDomainNames = [ "*.xyno.systems" ]; - credentialsFile = "${config.age.secrets.cloudflareAcme.path}"; + credentialsFile = "${config.age.secrets.desec.path}"; }; services.nginx.appendHttpConfig = '' 
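Review bot: `desec.age` now holds an API token for the `xyno.systems` zone on a host that only needs to write `_acme-challenge` TXT records for this wildcard order; if the deSEC account supports token policies, scope the token to that domain, subname and record type so a compromise of picard cannot rewrite other records, and record the intended scope next to the declaration, e.g. `# deSEC token: scoped to _acme-challenge TXT on xyno.systems only`. lego's deSEC provider reads the token from `credentialsFile` as `DESEC_TOKEN`, so the new secret must define that variable rather than the Cloudflare names the previously referenced file carried — that cannot be checked from the encrypted blob, so a comment naming the expected variable is worth adding. `ragon.agenix.secrets."desec" = { }` sits between two `security.acme.certs` blocks; keeping it with the other `ragon.agenix.secrets` declarations (the set this patch moves in the third hunk) keeps the host's secrets discoverable in one place.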
@@ -111,38 +108,36 @@ access_log /var/log/nginx/access.log anonymized; ''; - services.restic.backups."picard" = { - passwordFile = config.age.secrets.picardResticPassword.path; - extraOptions = [ - "sftp.command='ssh picardbackup@ds9 -i ${config.age.secrets.picardResticSSHKey.path} -s sftp'" - ]; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 12" - "--keep-yearly 75" - ]; - initialize = true; - repository = "sftp:picardbackup@ds9:/restic"; - paths = [ - "/persistent" - ]; - - }; - - - systemd.services.restic-backups-picard = { - # ExecStartPost commands are only run if the ExecStart command succeeded - serviceConfig.ExecStartPost = pkgs.writeShellScript "backupSuccessful" '' - ${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path}) - ''; - unitConfig.OnFailure = "backupFailure.service"; - }; - - systemd.services.backupFailure = { + ragon.agenix.secrets."picardResticPassword" = { }; + ragon.agenix.secrets."picardResticSSHKey" = { }; + ragon.agenix.secrets."picardResticHealthCheckUrl" = { }; + ragon.agenix.secrets."picardSlidingSyncSecret" = { }; + services.borgmatic = { enable = true; - script = "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})/fail"; + configurations."picard-ds9" = { + location = { + source_directories = [ "/persistent" ]; + repositories = [ "picardbackup@ds9:/backups/picard/borgmatic" ]; + }; + exclude_if_present = [ ".nobackup" ]; + encryption_passcommand = "cat ${config.age.secrets.picardResticPassword.path}"; + compression = "auto,zstd,10"; + ssh_command = + let + pks = import ../../data/pubkeys.nix; + hst = pks.ragon.host "ds9"; + lst = map (h: "daedalus ${h}") hst; + s = lib.concatStringsSep "\n" lst; + fl = pkgs.writeText "ds9-offsite-ssh-known-hosts" s; + in + "ssh -o GlobalKnownHostsFile=${fl} -i ${config.age.secrets.picardResticSSHKey.path}"; + before_actions = [ "${pkgs.curl}/bin/curl 
-fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})/start" ]; + after_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})" ]; + on_error = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})/fail" ]; + postgresql_databases = [ "all" ]; + }; }; + nixpkgs.overlays = [ (self: super: { zfs = super.zfs.override { enableMail = true; }; @@ -163,7 +158,8 @@ gitlab.enable = false; # TODO gitlab-runner synapse.enable = true; tailscale.enable = true; - hedgedoc.enable = false; + hedgedoc.enable = true; + authelia.enable = true; ts3.enable = true; nginx.enable = true; nginx.domain = "ragon.xyz"; diff --git a/lib/options.nix b/lib/options.nix index 6576b37a..74ead231 100644 --- a/lib/options.nix +++ b/lib/options.nix @@ -25,7 +25,7 @@ rec { in if hasDomain then { forceSSL = true; - useACMEHost = "${domain}"; + useACMEHost = "${outerDomain}"; } else { forceSSL = true; diff --git a/nixos-modules/services/authelia.nix b/nixos-modules/services/authelia.nix index 1b3f6a59..4370fb78 100644 --- a/nixos-modules/services/authelia.nix +++ b/nixos-modules/services/authelia.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ... }: let cfg = config.ragon.services.authelia; - stateDir = "/var/lib/authelia"; instanceName = "main"; + stateDir = "/var/lib/authelia-${instanceName}"; in { options.ragon.services.authelia.enable = lib.mkEnableOption "Enables the authelia SSO Server"; 
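Review bot: The generated known_hosts file lists ds9's keys under the name `daedalus` (`lst = map (h: "daedalus ${h}") hst;`), but `repositories` connects to `picardbackup@ds9`, as the removed restic config did; OpenSSH looks up known_hosts entries by the name it is asked to connect to, so unless an ssh_config alias outside this file maps `ds9` onto `daedalus`, host-key verification never finds the entry and the `GlobalKnownHostsFile` is ineffective (a non-interactive job then fails rather than prompting). Using the connected name, `lst = map (h: "ds9 ${h}") hst;`, or listing both names on each line removes that hidden dependency; a comment stating which name ssh actually resolves would help either way. `picardResticPassword` is now the borg passphrase and `picardResticSSHKey` the borg SSH key; renaming an age secret means re-encrypting, so a comment such as `# legacy names: now consumed by borgmatic` is the cheap fix. The health-check URL is read by `$(cat …)` in three shell strings; a single `let` binding for that path would avoid repeating it.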
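Review bot: `outerDomain` is not bound anywhere in the hunk, so it has to come from the `let` that starts above line 25 (outside the hunk); if it is not defined there, evaluation fails with an undefined variable as soon as `hasDomain` is true. Assuming it is, a one-line comment would explain why the ACME host differs from the vhost's own `domain`, e.g. `# certificates are issued for the outer (parent) domain, see security.acme.certs in the host config`; the wildcard cert in hosts/picard/default.nix suggests that is the reason.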
@@ -13,12 +13,12 @@ in }; config = lib.mkIf cfg.enable { - ragon.agenix.secrets.autheliaStorageEncryption = { }; - ragon.agenix.secrets.autheliaSessionSecret = { }; - ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { }; - ragon.agenix.secrets.autheliaOidcHmacSecret = { }; - ragon.agenix.secrets.autheliaJwtSecret = { }; - ragon.agenix.secrets.autheliaEmail = { user = "authelia"; }; + ragon.agenix.secrets.autheliaStorageEncryption = { owner = "authelia-main"; }; + ragon.agenix.secrets.autheliaSessionSecret = { owner = "authelia-main"; }; + ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { owner = "authelia-main"; }; + ragon.agenix.secrets.autheliaOidcHmacSecret = { owner = "authelia-main"; }; + ragon.agenix.secrets.autheliaJwtSecret = { owner = "authelia-main"; }; + ragon.agenix.secrets.autheliaEmail = { owner = "authelia-main"; }; services.authelia.instances.${instanceName} = { enable = true; secrets = { 
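Review bot: `owner = "authelia-main"` is written as a literal six times even though the same `let` already derives `stateDir` from `instanceName`; `owner = "authelia-${instanceName}"` keeps secret ownership tied to the instance the way the state directory now is. The same literal recurs in the `ensureUsers` hunk further down and in hedgedoc.nix, so a rename of the instance would silently break secret access. If `authelia-main` is the per-instance user the NixOS module creates, say so once where `instanceName` is bound: `# the module runs instance "main" as user authelia-main`.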
@@ -28,38 +28,35 @@ in oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path; jwtSecretFile = config.age.secrets.autheliaJwtSecret.path; }; - settingstFiles = [ + settingsFiles = [ config.age.secrets.autheliaEmail.path ]; settings = { theme = "auto"; default_2fa_method = "webauthn"; + access_control = { + default_policy = "one_factor"; + }; authentication_backend = { file = { path = "${stateDir}/users.yml"; }; }; + session = { + domain = cfg.domain; + }; storage = { postgres = { host = "/run/postgresql"; - }; - }; - notifier = { - smtp = { - address = "smtp://smtp.ionos.de:465"; - sender = "xyno.systems SSO "; - username = "machdas@xyno.space"; - subject = "[xyno.systems SSO] {title}"; - startup_check_address = "autodelete@phochkamp.de"; + port = "5432"; + database = "authelia"; + username = "authelia-main"; + password = "dosentmatter"; }; }; }; }; - systemd.tmpfiles.rules = [ - "d ${stateDir} 0755 authelia authelia -" - ]; - ragon.agenix.secrets.autheliaSecret.owner = "authelia"; services.nginx.virtualHosts."${cfg.domain}" = { locations."/".proxyWebsockets = true; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.authelia.instances.${instanceName}.settings.server.port}"; @@ -71,7 +68,7 @@ in ensureDatabases = [ "authelia" ]; ensureUsers = [ { - name = "authelia"; + name = "authelia-main"; ensurePermissions."DATABASE authelia" = "ALL PRIVILEGES"; } ]; diff --git a/nixos-modules/services/hedgedoc.nix b/nixos-modules/services/hedgedoc.nix index 3dbae3d7..e8b234ea 100644 --- a/nixos-modules/services/hedgedoc.nix +++ b/nixos-modules/services/hedgedoc.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: let cfg = config.ragon.services.hedgedoc; - domain = config.ragon.services.nginx.domain; in { options.ragon.services.hedgedoc.enable = lib.mkEnableOption "Enables the hedgedoc BitWarden Server"; 
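Review bot: `password = "dosentmatter"` puts a hard-coded credential into settings that are rendered into the world-readable Nix store; with `host = "/run/postgresql"` the connection goes over the Unix socket, where the password is presumably never checked (peer auth), but that reasoning belongs in a comment, e.g. `# socket connection: postgres authenticates by peer; the password is required by the schema but unused`, and `port = "5432"` is meaningless for a socket path. `default_policy = "one_factor"` means any resource without an explicit rule is guarded by the password alone; if the `webauthn` default in `default_2fa_method` is meant to apply generally, `two_factor` is the matching default. `session.domain = cfg.domain` should be the cookie domain shared with the protected applications, normally the parent domain rather than the SSO host itself — confirm what `cfg.domain` holds (its option is declared outside the hunk). The removed `notifier.smtp` block presumably moved into the `autheliaEmail` settings file; a comment on that `settingsFiles` entry saying so would save the next reader a search.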
@@ -11,14 +10,14 @@ in default = "md.xyno.systems"; }; config = lib.mkIf cfg.enable { - ragon.agenix.secrets.autheliaHedgedoc = { user = "authelia"; }; + ragon.agenix.secrets.autheliaHedgedoc = { owner = "authelia-main"; }; services.authelia.instances.main.settingsFiles = [ config.age.secrets.autheliaHedgedoc.path ]; services.hedgedoc = { enable = true; environmentFile = "${config.age.secrets.hedgedocSecret.path}"; - configuration = { + settings = { protocolUseSSL = true; sessionSecret = "$SESSION_SECRET"; allowAnonymous = false; @@ -26,12 +25,12 @@ in allowFreeURL = true; email = false; oauth2 = { - clientID = "$OAUTH2_CLIENT_ID"; - clientSecret = "$OAUTH2_CLIENT_SECRET"; + clientID = "$CLIENT_ID"; + clientSecret = "$CLIENT_SECRET"; providerName = "xyno.systems SSO"; - authorizationURL = "https://sso.xyno.systems/oauth2/authorize"; - tokenURL = "https://sso.xyno.systems/oauth2/token"; - userProfileURL = "https://sso.xyno.systems/oauth2/userinfo"; + authorizationURL = "https://sso.xyno.systems/api/oidc/authorize"; + tokenURL = "https://sso.xyno.systems/api/oidc/token"; + userProfileURL = "https://sso.xyno.systems/api/oidc/userinfo"; scope = "openid profile email"; userProfileUsernameAttr = "sub"; userProfileEmailAttr = "email"; @@ -47,9 +46,9 @@ in }; ragon.agenix.secrets.hedgedocSecret.owner = "hedgedoc"; - services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = { + services.nginx.virtualHosts."${cfg.domain}" = { locations."/".proxyWebsockets = true; - locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}"; + locations."/".proxyPass = "http://[::1]:${toString config.services.hedgedoc.settings.port}"; } // (lib.my.findOutTlsConfig cfg.domain config); services.postgresql = { diff --git a/nixos-modules/services/tailscale-to-vpn.nix b/nixos-modules/services/tailscale-to-vpn.nix new file mode 100644 index 00000000..9c0652aa --- /dev/null +++ b/nixos-modules/services/tailscale-to-vpn.nix 
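Review bot: `$CLIENT_ID` and `$CLIENT_SECRET` now depend on the re-encrypted `hedgedocSecret.age` defining exactly those names instead of `OAUTH2_CLIENT_ID`/`OAUTH2_CLIENT_SECRET`; if the module substitutes with envsubst semantics, an unset name silently becomes an empty string, so hedgedoc would start with empty OAuth2 client credentials rather than fail. That cannot be verified from the encrypted file, so a comment listing the expected variables next to `environmentFile`, e.g. `# environmentFile must define SESSION_SECRET, CLIENT_ID and CLIENT_SECRET`, is worth adding. The `/api/oidc/...` endpoints match Authelia's OIDC paths, which the old `/oauth2/...` URLs did not.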
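Review bot: `proxyPass` now targets `http://[::1]:…` while nothing in this patch sets the address hedgedoc listens on; unless `settings.host` (not in the hunk) binds `::1` or dual-stack, nginx will get connection refused. Either keep `127.0.0.1` or pin the listen address explicitly alongside it, e.g. `settings.host = "::1";`, and note the pairing in a comment so the two are not changed independently.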
@@ -0,0 +1,68 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ cfg = config.ragon.tailscaleToVpn;
+ ovpnConfigPath = cfg.ovpnConfigPath;
+ stateVer = config.system.stateVersion;
+in
+{
+
+ options.ragon.tailscaleToVpn = {
+ enable = mkEnableOption "tailscale-to-vpn. you need to enable nat to ve-+ able to use this";
+ ovpnConfigPath = mkOption {
+ type = types.str;
+ default = "/etc/openvpn/client.conf";
+ description = "full path to the OpenVPN client configuration file, is expected to be in /run";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.bridges.br-ovpn-ts = {
+ interfaces = [ ];
+ };
+ containers.TSTVPN-openvpn = {
+ ephemeral = true;
+ enableTun = true;
+ interfaces = [ "br-ovpn-ts" ];
+ localAddress = "192.168.102.11";
+ hostAddress = "192.168.102.10";
+
+ config = { config, pkgs, ... }: {
+ system.stateVersion = stateVer;
+ networking.interfaces.br-ovpn-ts = {
+ ipv4.addresses = [ "192.168.101.1/24" ];
+ };
+ services.openvpn.servers.bridge = {
+ config = ''
+ config /host${ovpnConfigPath}
+ dev ovpn-bridge
+ dev-type tun
+ '';
+ };
+ networking.nat = {
+ externalInterface = "ovpn-bridge";
+ internalInterfaces = [ "br-ovpn-ts" ];
+ };
+ };
+ privateNetwork = true;
+ bindMounts = {
+ "/host/run" = { hostPath = "/run"; isReadOnly = true; };
+ "/run/agenix.d" = { hostPath = "/run/agenix.d"; isReadOnly = true; };
+ };
+ };
+ containers.TSTVPN-tailscale = {
+ enableTun = true;
+ hostBridge = "br-ovpn-ts";
+ localAddress = "192.168.101.2/24";
+ privateNetwork = true;
+ config = { config, pkgs, ... }: {
+ system.stateVersion = stateVer;
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+ };
+ };
+
+ };
+}
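Review bot: The default `ovpnConfigPath = "/etc/openvpn/client.conf"` cannot work with this container: the OpenVPN config line is `config /host${ovpnConfigPath}` and only `/run` is bind-mounted under `/host`, so any path outside `/run` — including the default — resolves to a non-existent file inside the container, which the option description itself anticipates ("is expected to be in /run"). Either default to a path under `/run` or mount the configured file itself; bind-mounting all of `/run` plus `/run/agenix.d` read-only also hands the container every other runtime secret on the host, so a single mount such as `"/host${ovpnConfigPath}" = { hostPath = ovpnConfigPath; isReadOnly = true; };` (binding the resolved target if the path is an agenix symlink) is the least-privilege shape. The `mkEnableOption` text appears to contain a typo, `ve-+ able` for `be able`. `useRoutingFeatures = "both"` in the tailscale container makes that node advertise routes and act as an exit node, which still needs approval on the tailnet side — a comment stating that this is intended would help the next reader.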
diff --git a/secrets/autheliaEmail.age b/secrets/autheliaEmail.age index 5f9a03eadd084965eac6e3dcc03eea92e789da70..e572f1a38543858b028ca92cfc908c2830b61377 100644 GIT binary patch delta 1068 zcmdnZ*~B?Pr#>P*$v?t8s3^U{tJJt8+cm{Cxx&57CoRR@t;#T~s zsj@u7%f&sC%RkFKBsDqQ(95YTIUqgXrOYig*WEI`D7!K-Hzmo>udu)*z#uRq(LXJ8 z;z#lD;4*#fu#{5gG~=pZQ)8nDBloEA%E&^Wilm5?qWoh00HYk^w4kV*%qmx|Add*& zOz#jE%i_v>qi~BvANSy@5N*#$Z?{s9$Z-8sS6_pYa{r>@a&v>p@r>f(7W$T@1|9|m z#)+oIQTfT~rDZ-z=Hbqj-pNtUM($NvrtWFl#zv{;6^7|t#-8N?6&1xfiJs1x21!mP zVTE44hMDG0C1sTnJ{c~_p%G@DsrjDC1=`7z&oYYFJ4O|Il@|NzXO?CZyZIy~W`>ki zCK`I?n>q&NMI^eGWP3U%C1vNjcvQM_6=o;8W&0QA=vP=;ni?78r27||C%XkZ7l#*` zq#EYAX`6Tk>w5&cWLpHH$AGz?kEvg}f~B8Faj2zdW@1EEhEaBDR#APfQ&3T%r+%1! zUb$05X=tUXK}33fmZ5)MAXjouN=2k)exZAAiHEDXPiUounRBJ7Us-u%vR9-SY)?A*V$XG`ctk15G&n`^e_zTS~H&A&8SgjMe2w`uifGat-wU1i30<6|U~ z*_A7~ZzSYB^V;@(dfPkk`&NyDTNj<{W+fJU|C}A7?=yQ{>B$3=`aXV~apm3rT!tpO z;*}5bX4%CyujiT=61wu`q4^v)V{S4y2fTWBy{U5kymdc3ZteR$O~&rWDFa= zii-_(1^OiRe=$BgF5 delta 1125 zcmZqT+|4;br{1J8F<(0($S<`b-#O4Z(>OH1t;)wQH#M=u#4o_5($X{A(WfjhAk)jy zg3G1Ipxn{I+&$7FB&)>2DI=uZz%nW&z|GI!JvqxGA}J%UFfgUu+%wBFolDnFp}06h zH#Nn`)YQ;Yp)}niJiJ`N*up*3(xfuc(#On8zr-l0*e#+oDJs!R-zV2J%|FV;%ro80 z#kADO+1$y5%fuimFt;?YFtR*2AjriqvN9|%xxmCD-8iB$C@`%u)Xb?U(XiY#J18lA z;z#jt<5VyAP`9+y+=|ekFbh+^q>w6$#4K-jcfTZm{S4PKmr}EAQv+X@%3u>N|H}LV z6Ze#);G&XH7Y_@|D9g0af}pgjO23LSZv!(!i!A4q;FLgf(1r_>!?%w8U zE(JOH?jfn3{-#lu;ri~zUb#LV27%t$rtX#nS)M*gUXJBlkuH&y`tI3jNhT>tdC8IC zfu*Tck>Q0=fx$+pWq!V8<(1CnnIUNwAx5E-&oYYF8<=J$hqxG*6?yoZ76ylS87HT^ z=NMOdMj3f$TjqNB82E)HItKf=7CR<$x#qiN1g4u9=w}<|Mj2+O2bx8gySTe&h8yW; z7!{O8CZ$+77kP%|XCz0W$AGz?kEvg}f@h$gYgw_OVR&#+UZiJ5Kx%zzYH41wua99^ zx?g#5QDu~wer1`7S+Q$SGM9IVNoAr(XQIe&7F8d2~?h>4UZJ_b&d>*XaMQ^e}JCu~>mBSs}g0CAoU>JMU^-+Q=`nKic~I z1CGWy_tsDSpT2a$W5xQ@Yfm-bY;jWSd;6E~Shl#1z>fd2>{7g*mYP28uj~3!>ldZ= zZ9jaxUGnx{spC@9?;bkgb^P=`#z%7hr23xnn?=2NoUT8)BH{H%5k2$7jM4-8CfS#> zgBkB1*tpSo3Gd@CcAR~4)$hBWxLpx-HOaNNir>`a!YbQcUni+4;>YVRQNw}{*msiPrSL`dm10ya{PJo 
r$H{qaB!Ztd17Ueg=c9Wqv+EQ9cFU`r0me2ENV)<*uHAW>rQ3u6b2P$u61h0p$i) zN6a*bU=g9@U&(*r}oBSJFG0{zPj@~aFcpJf!U&-G2swTR5fE%ElRNKUN^adykK zjB*Pot*Xk1%+(H04NfjL%5@C$a||=!%J=nmbsxN%8tg z9;rE)Ea7zTk;$49twxpImo9f`tdmMu`>gDd!f)v(cbPVo%G}!6md<6rBDiZ>>HDdR zcGn7>`f}$GgMYY;zSPz^txb~W@4d-M*4UGx*|q0vLczga%ObZpy=jm6Px%TIDj7YR zUjOuNPg_K=mcH6;OT`2KS?c8%T#0(ZnebwxmDZG3@rzG89KL;OiN#_&p~_V)fioPp ze^EMcr|97PUYlbjQKu*8O#3RiM&+(ar)~G<*0PZBZ?73^ORG38UZ}j+@3A>D`%YgA zk9e?5U5BIk2Z?(Je{@_rasM5A_a#QPJM#}S$f|eWd~(K^Rf{QhU(|u5ReRp&)o=gZ z^CCohT}0W<^L>uavd%t6Xu?)0`-Zc6p`BlnCLWD?^dyM&*wQ;{`}gm=Z!fAA^cV{Oy~FaWLAqVTpF}Avr$!^>19}PprYX-SwS^ph6$Fx zFKi5Lo2bce*ArOI+r^+RJ$3&c?XW8uZW|^l`x%QzNX}SymCO3^Ql+2=yi+$TJy^PP z`NtG@jh6a^1^>($#n1kakGkl1J3%nF!S-J6Yjwrf2b^5;)J`TY-}A%r!QYRM@{8A7 z>rN0<G~h19E%z{Vj@Zczr?S zCqti>>Fu?fdhb;qUn(OJV>k7o?>SdVn^M+d<1fmB2C??nBiA^$xoT_b=xsLf3sva) zAt%WEGUMi4JL!Kb^MCY49;%&s?ahbMcS~NJ^*T`%Kl|~TC7!Dat#@{d=1mih$%wpQ f`{Q5Xftl@x1^bjzw(;y0{1xH+IzafIoz-3dG^c9` delta 1535 zcmdnWbBSkyPJL;5R&Hozfk(QzNl9vQKyYM6R!+HZn0u~gii>Ztky)i-xR1W4dA4&^ zAeUEmreD5)KtWiNhmU8LnUkw`Xh}|qbFzO>XW?5ljN>-MspKo%$Pl0!_ zM_HwJlCN_pmszP}aj1tuVL@1urGAyayLUllreAT8L1ubxP>DfhzL}RxZb7ksnQxZC z#E;_PshRmnIi&^}iOB|qPI;jr5mDIz&c;SL{>g=@=B63Rxk+Z0scvSeNmcn=re+nH zX08^=F6r(8p_X~UK6#dfDTQH)?#Y$8M(%FLl{t>im6cu|VUgLB;~B-nea+HCDk3vV zvr9`ek`f(#9J4E;O7-)-OrkQh4U94jOTr_!m?8`LX3(c94)-dN-ZrWpJf!U*ESAvj&e0fGIA^SD@ZBOxA63E z@pTLePIC(^DoQjg_ll^9$Ott}Ni<03O3iW4vPjGEOHD7za5D8P@HehVH*zh^(vEQV z3{EO7^(_hTFia_ObWF)cj{$Q(A5*_{g`zyy2-70poHC1$;LwuP)QI}5B41C_utLu~ zgUBd9eSgDji-2I$jGVj*S1w1huoUBpj4+>EqcW3{Jl~8;?ey?WgQO7G+_X^BvM|47 zGs9vN^N7HpWRP_>x=vcU=|!oD#i?B08O~wa?uqGzF52lurV)j{NuE{4p2is#et{{8 z+TNy4g=OYxex~NG^)8X&K8gAvA*JDNsa2lYi7BQf`Htx&T!mp_PLTy+k!AVX9xka) zVcr?WC51&*p3XsjrhZA`Aw`Z{y1Kdw<%Y?DNoCq@?giz>MZr#GzByGyQMGViU8uSH?6PIK zkCz|&Ev{T?`Rx6^Lmygw=I-VGxji8#$W3jI=Ha04uRol5_N1_ynMMAwQ@#D#$-xEd zI(3}`KL=TMzB293?BsT-e=;Mw-gECM#jpTY=>w7~k3Qy$c)gEZwlIcw+ADRREB!Oy zq!pcDT(PLwaD(0}KGX8o*JQkYd|_fw2o7$PvSGe&e5E8o;QiSNMbqB4uXvl;`~6+Q 
z{DZ0QLjRnV-Nde+{Odweov`y^_TaM@c7%VO)_OVWTfvsrJ8?NR{qO(GUcat>e|enA zkHV;}Cl5D>ZW6ep{yuol`9&vr%e^wBj&?uMIbiU&X#2TioA_!Q^PKXJ{SLotW%NT# zVeN$lVYz%j+Nh-u*~!PL}iCOFQ#!t&X_DsC9Mw=Ul0O z-XXi2+pB7JeptrPyVvk)(N_c3rgtsBgu9t$FW2W=FeC1uW)joJ1SQ*7o<+CLO}+fE z%jn|8ykD}`X%iT(&QRQV;91!F!xgV*a=ww*U!grCZp!TQGK(Mmnh=*;`r$>4^lAHN zx`IWm-|Lfo8mp^&J;bA;c0INV?O$|~O)1df=7ugewWaf=s}}BN_NXq`KDlz=jTgV9 z()Y~}TK8?2lJ>1O3qui?)ZBurPFwxI9xLEJ!K?F>J63ddM{>#wJ@Y^Jcf4m~YcyFY z{E;alxa4b~ZvHXB;DCqG{b3oJ*G?Hk%#FMD=X^=lYVX@+Qtb(y8!ramd25qeEm&M> za_EAUW}oM5i6@s!jhqrr?%A-=dFQ<~7r7S+1b3VeJ#<3p#t&Z}@0HUl+1Xc3nYe3$ zz)bnuLX5`m_c0g9@8(|ptM<=l$NTy_pNKrH{3dCJ>0M|Goqr*HImD_tfbP*&@tEDDJMMLxHQSaFCaPD zJt{LGxiruu->Aa5ILFb&$2T?6)CAqO&``^uU`GX?++3py=R^zd3`c$VEMKl7W3$2>?WojJpUf!VsDKDVUuP48$UsB=$iTEH z$AH41+z^9MZwqq^|7>*Ig1kJ9og5YP!vZQwd_r?A(<1U*e7wz#v-7=+d_oI~{Yvx7 z(#=x6GK@^~3p3mz^Fp~yjH)6l@d-CO{*#kD?IbOoell` zTyiT@QasUZi^wbU@-A1f%m_|1&&aO~GBZmI@J$}I}=FH6f$ zE;0!SDNp9g^eZw-4>l_?bj}PaHq%cEb+XKgtSs;g&a|}1EOIJ$%JT4ZvnX~CbuC7> z&D_t&)GuA3qO{7qw5%vQAju^#u+-eIBu6_U-M1tl$vxk&EXyFsvC=&&z%4D&(YTl^ zz$+rz*gr5eIlVMJB`Gk=zaq<}ASE#0EUn7e*U~53tfbVeEZ46f#XJ;bTbgcqQEFmw zDwnH^fse0ANky5HtA3$&j(JjQdQM_ks+(z{Td1$0Yf+K6c|@{)QbwLpRaknCQ*xod zvwLbto_~mCVL(BNV=innE;VO4I0afn-R zjwhF{uC9VxaafMGUtWfOU|42pc!pzPNwSGsN~vjbo~LD)MOKPydPKgTiBq_LVma4o zAJz0_ZeJJ7-odMBRKmyQ|9t-$^Ne}iZ_dwLm7=re7e`YpNAcgA#kcdsMSWL9^)ESC c&u_oFn_+f=dDt_ftuG#}PFvw} ssh-ed25519 WceKOQ GcDlLhmeGS/8+Ys+yg4y5HrtrWmTZPpK5CJaJS9Vf2o -dBv7O2071zyETP7YBULVb93piXcmJLlUr6KQ1yh3YGo --> ssh-ed25519 ugHWWw HL7ah8Ph+OvzyAkWes7emassnvg0mb2BFjS3lENOOXo -f55TwOwdzDOB8WAI0YI1mRGJCkoogzKO4uY8se0HIxo --> ssh-ed25519 UU9RSA PWutyEvhn9RFJl1WVo20EM3nZ8y45Hws/iKoLx5DLDg -i2z5zpJjtH2U8dyxBMs35psqWX30voIZrq6S4SfIZWY --> ssh-ed25519 RJI3BA zbta8hMmFRNuRzZ8wW1A9UlOOZPkEHyNAXkGBvfzsi0 -dSHHJejtCyOd26ghK7bf6xIbONL1CqhOxiXOYaUKmjQ --> ssh-ed25519 XnvJKw lKCzLY6byaLljPQoSgjs/g00lOKFqj4cTqiy5G6J8yI -aGwmKCRNm45f0514aA0KtdadW52SrdXkDz5XfYntaPc --> ssh-ed25519 7NL5Ng 
U5fh3TxL66KG6aIomhOPiICDD2pjqvPXE359f6U0Q0A -AzKIYGHxHKfH4aSCfGofzoxD+Ha8ECNms4G3TM58vxA --> ?.M5S&-grease -sdkHMhaSu82PCOdggWv/mrAe0eJtFbtzPRJki/jDp1Cd38UqcVJWLNku5FXMoB2h -rQYqNZY ---- /uvXrkejiMZSC9NRjFym9u48TAQr1Dk4smBjqnJVWmw -IcysV#\  c `3IxqLSkʐ(<(;"H^oЩy@E>ǘLWbq1U}TcIoq}Y) >]8$q$;d ?[]:,ƘoJm=1#cTcWHt;u&3U1 `j1I}L)e! } i?TAHVKԋ;ľ+eI vR2ŅyWP̦J&zdaDx#[PC iKcN#_ᆇ?0>P xa \ No newline at end of file +-> ssh-ed25519 WceKOQ 6ebLhKuQn8Fk7/+XdPUa7JQHU7P7Vmn9X9OrL6Q/I3Y +ix7aAfsC7z61AXifvYEukna5DU5MLwend7mSakjVXU4 +-> ssh-ed25519 ugHWWw HhRMxpmNBXz1jvGEtn8tYeDu9Vj/XnG+i4Env9jY63g +kC9Fzp6x4Q2JbMQAMKOaaADrc9AJorXe5Du8vsAsUvw +-> ssh-ed25519 UU9RSA d4jm9JBpsbvrCpTBP6QZFepbVsWFEuzzzQUi+wxdLyc +r65piB4wLsaWuFRFc3VVLRUJKOK9H8sXolCslgBBDSA +-> ssh-ed25519 RJI3BA uCiUzUC/xtpnnXdUCNxyslvF0UWgCzVIyXLUxNhuvjM +v7fNePcgjSQ7CH7SJyAa0MXBYwxqZemTDaXlrwUn5vQ +-> ssh-ed25519 XnvJKw mEfaPU/XCI4XiD0HnA5GgqsOCp6K5LfI1XbRC+vn7wk +p0uxLfIIsh5TUlVOx1+D7CxugiX+qJG8sLpjnkligy8 +-> ssh-ed25519 7NL5Ng C8noYIrcAYxqZrr+iNHrVIGv9wLB7XQ6TVlbbtH6pzs +jmW5O2PN8K0JLPgLky/va0tUgopZwULeMEC24xhhIP0 +-> )R]<#-grease X]~$Bl|F +5PW3yj3XspbEEtzrEyFg+bJSsxeVnu3DAPwk0UZ0RUvNyqTfZwhButEokYqk3Y9e +BaYsEzZPCw8hfclEqk8 +--- xdvVLx/w1FbAuKxygp2zsfHb0BKBymAFlBcQFobLgcY +I۴iղ @^)[M">wtr$ u 5ݥF֝0ܬnڻ1s @?WyA3') շ盧GR2i݋1e[UJ*gTˌ-STؘ Ks)P:{+0{OWE;Kgҵڤd(')JujxVn, w]1%f)s CV5*SyއB#ǏO^Qq ^緔"8WEaYn \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6ae1aff8..3e6e222a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -38,6 +38,7 @@ in
 "picardSlidingSyncSecret.age".publicKeys = pubkeys.ragon.host "picard";
 "picardResticPassword.age".publicKeys = pubkeys.ragon.host "picard";
 "picardResticHealthCheckUrl.age".publicKeys = pubkeys.ragon.host "picard";
+ "desec.age".publicKeys = pubkeys.ragon.host "picard";
 "autheliaStorageEncryption.age".publicKeys = pubkeys.ragon.host "picard";
 "autheliaSessionSecret.age".publicKeys = pubkeys.ragon.host "picard";
 "autheliaOidcIssuerPrivateKey.age".publicKeys = pubkeys.ragon.host "picard";