arcnmx 2023-03-10 09:00:46 -08:00
parent 84925bfa31
commit 827d638f3a
13 changed files with 256 additions and 336 deletions

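--- /dev/null
+++ b/nixos/sops.nix
@@ -0,0 +1,8 @@
+{ lib, inputs, ... }: with lib; {
+imports = [
+inputs.sops-nix.nixosModules.sops
+];
+sops = {
+age.sshKeyPaths = mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
+};
+}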
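Review bot: `age.sshKeyPaths = mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]` makes the host's SSH identity the decryption key for everything in the repo's secrets file, so any copy of that key (disk images, backups) decrypts every secret, and a reinstall that regenerates the host key strands them until the file is re-keyed with `sops updatekeys`. A comment above the line would save the next maintainer from learning this the hard way: `# the age identity is derived from the host SSH key: regenerating that key requires re-keying secrets.yaml, and anyone holding it can decrypt every secret`. Since the value is `mkDefault`, a host whose SSH key is backed up elsewhere can override it with a dedicated age key file; consider doing so for such hosts.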


@ -20,83 +20,20 @@ in {
];
};
secrets.variables.ha-integration = {
path = "gensokyo/home-assistant";
field = "notes";
};
secrets.files.ha-integration = {
text = tf.variables.ha-integration.ref;
owner = "hass";
group = "hass";
};
secrets.variables.latitude = {
path = "gensokyo/home-assistant";
field = "latitude";
};
secrets.variables.longitude = {
path = "gensokyo/home-assistant";
field = "longitude";
};
secrets.variables.elevation = {
path = "gensokyo/home-assistant";
field = "elevation";
};
secrets.variables.iphone-se-irk = {
path = "gensokyo/home-assistant";
field = "iphone-se-irk";
};
secrets.variables.companion-pixel6 = {
path = "gensokyo/home-assistant";
field = "companion-pixel6";
};
secrets.variables.tile-bee = {
path = "gensokyo/home-assistant";
field = "tile-bee";
};
secrets.variables.tile-kat-wallet = {
path = "gensokyo/home-assistant";
field = "tile-kat-wallet";
};
secrets.variables.tile-kat-keys = {
path = "gensokyo/home-assistant";
field = "tile-kat-keys";
};
secrets.variables.mpd-shanghai-password = {
path = "gensokyo/abby";
field = "mpd";
};
secrets.files.home-assistant-secrets = {
text = let
espresenceDevices = {
iphone-se-irk = tf.variables.iphone-se-irk.ref;
companion-pixel6 = tf.variables.companion-pixel6.ref;
tile-kat-wallet = tf.variables.tile-kat-wallet.ref;
tile-kat-keys = tf.variables.tile-kat-keys.ref;
tile-bee = tf.variables.tile-bee.ref;
};
in builtins.toJSON ({
latitude = tf.variables.latitude.ref;
longitude = tf.variables.longitude.ref;
elevation = tf.variables.elevation.ref;
mpd-shanghai-password = tf.variables.mpd-shanghai-password.ref;
} // espresenceDevices // mapAttrs' (key: device_id:
nameValuePair "${key}-topic" "espresense/devices/${device_id}"
) espresenceDevices);
owner = "hass";
group = "hass";
sops.secrets = {
ha-integration = {
owner = "hass";
path = "${config.services.home-assistant.configDir}/integration.yaml";
};
ha-secrets = {
owner = "hass";
path = "${config.services.home-assistant.configDir}/secrets.yaml";
};
};
systemd.services.home-assistant = {
# UI-editable config files
preStart = lib.mkBefore ''
cp --no-preserve=mode ${config.secrets.files.home-assistant-secrets.path} ${config.services.home-assistant.configDir}/secrets.yaml
cp --no-preserve=mode ${config.secrets.files.ha-integration.path} ${config.services.home-assistant.configDir}/integration.yaml
# UI-editable config files
touch ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
'';
};
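Review bot: Neither `sops.secrets.ha-integration` nor `sops.secrets.ha-secrets` sets `restartUnits`, so when an encrypted value changes on a later `nixos-rebuild switch` the symlink under `configDir` is re-pointed but Home Assistant keeps serving the old values until something else restarts it; adding `restartUnits = [ "home-assistant.service" ];` to both entries makes a secret rotation take effect at switch time. The removed `secrets.files` entries also declared `group = "hass"` while the new ones set only `owner`; with sops-nix the group falls back to the owner's primary group, which is presumably `hass`, so this is fine as long as that holds. The `systemd.services.home-assistant` block continues past the end of this hunk.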
@ -329,55 +266,7 @@ in {
wake_on_lan = {};
zeroconf = {};
zone = {};
sensor = let
mkESPresenceBeacon = { device_id, ... }@args: {
platform = "mqtt_room";
state_topic = if hasPrefix "!secret" device_id
then "${device_id}-topic"
else "espresense/devices/${device_id}";
} // args;
in [
(mkESPresenceBeacon {
device_id = "!secret iphone-se-irk";
name = "iPhone SE";
timeout = 2;
away_timeout = 120;
})
(mkESPresenceBeacon {
device_id = "!secret companion-pixel6";
name = "Kat's Pixel 6";
timeout = 5;
away_timeout = 120;
})
(mkESPresenceBeacon {
device_id = "name:galaxy-watch-active";
name = "Galaxy Watch Active";
})
(mkESPresenceBeacon {
device_id = "3003c8383b6c";
name = "MT7922 BT";
})
(mkESPresenceBeacon {
device_id = "d8f8833681ba";
name = "AX210 BT";
})
(mkESPresenceBeacon {
device_id = "md:03ff:6";
name = "Kat's Smartwatch";
})
(mkESPresenceBeacon {
device_id = "!secret tile-bee";
name = "Bee";
})
(mkESPresenceBeacon {
device_id = "!secret tile-kat-wallet";
name = "Kat's Wallet";
})
(mkESPresenceBeacon {
device_id = "!secret tile-kat-keys";
name = "Girlwife";
})
];
sensor = {};
};
extraPackages = python3Packages: with python3Packages; [
psycopg2


@ -6,48 +6,11 @@
];
};
secrets.variables.z2m-pass = {
path = "secrets/mosquitto";
field = "z2m";
};
secrets.variables.systemd-pass = {
path = "secrets/mosquitto";
field = "systemd";
};
secrets.variables.hass-pass = {
path = "secrets/mosquitto";
field = "hass";
};
secrets.variables.espresence-pass = {
path = "secrets/mosquitto";
field = "espresence";
};
secrets.files.z2m-pass = {
text = tf.variables.z2m-pass.ref;
owner = "mosquitto";
group = "mosquitto";
};
secrets.files.systemd-pass = {
text = tf.variables.systemd-pass.ref;
owner = "mosquitto";
group = "mosquitto";
};
secrets.files.hass-pass = {
text = tf.variables.hass-pass.ref;
owner = "mosquitto";
group = "mosquitto";
};
secrets.files.espresence-pass = {
text = tf.variables.espresence-pass.ref;
owner = "mosquitto";
group = "mosquitto";
sops.secrets = {
z2m-pass.owner = "mosquitto";
systemd-pass.owner = "mosquitto";
hass-pass.owner = "mosquitto";
espresence-pass.owner = "mosquitto";
};
services.mosquitto = {
@ -59,25 +22,25 @@
];
users = {
z2m = {
passwordFile = config.secrets.files.z2m-pass.path;
passwordFile = config.sops.secrets.z2m-pass.path;
acl = [
"readwrite #"
];
};
espresence = {
passwordFile = config.secrets.files.espresence-pass.path;
passwordFile = config.sops.secrets.espresence-pass.path;
acl = [
"readwrite #"
];
};
systemd = {
passwordFile = config.secrets.files.systemd-pass.path;
passwordFile = config.sops.secrets.systemd-pass.path;
acl = [
"readwrite #"
];
};
hass = {
passwordFile = config.secrets.files.hass-pass.path;
passwordFile = config.sops.secrets.hass-pass.path;
acl = [
"readwrite #"
];
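Review bot: Every broker user in this hunk — `z2m`, `espresence`, `systemd`, `hass` — keeps `acl = [ "readwrite #" ]`, so the ESPresense credential, which lives on LAN-attached microcontrollers and is the easiest of the four to extract, can publish to zigbee2mqtt's bridge topics and to anything the `systemd` user consumes. This is pre-existing context rather than something the commit introduces, but since the passwords are being re-homed here it is a good moment to narrow it, e.g. `acl = [ "readwrite espresense/#" ];` for `espresence` (the prefix the removed home-assistant config used) and a topic list for `hass` that matches what it actually subscribes to. The `users` attrset starts before this hunk.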


@ -3,15 +3,6 @@
with lib;
{
secrets.files.dns_creds = {
text = ''
RFC2136_NAMESERVER='${tf.variables.katdns-address.ref}'
RFC2136_TSIG_ALGORITHM='hmac-sha512.'
RFC2136_TSIG_KEY='${tf.variables.katdns-name.ref}'
RFC2136_TSIG_SECRET='${tf.variables.katdns-key.ref}'
'';
};
networks.gensokyo = {
tcp = [
443
@ -41,9 +32,4 @@ with lib;
virtualHosts = {
};
};
security.acme = {
defaults.email = config.network.dns.email;
acceptTerms = true;
};
}


@ -5,8 +5,7 @@
(modulesPath + "/installer/scan/not-detected.nix")
hardware.local
nixos.arc
services.cockroachdb
services.minio
nixos.sops
./kanidm.nix
./vouch.nix
./home-assistant.nix
@ -19,6 +18,8 @@
services.cockroachdb.locality = "provider=local,network=gensokyo,host=${config.networking.hostName}";
sops.defaultSopsFile = ./secrets.yaml;
networks = {
gensokyo = {
interfaces = [
@ -59,17 +60,10 @@
};
environment.etc."iscsi/initiatorname.iscsi" = lib.mkForce {
source = config.secrets.files.openscsi-config.path;
source = config.sops.secrets.openscsi-config.path;
};
secrets.variables.openscsi-password = {
path = "gensokyo/tewi-scsi";
field = "password";
};
secrets.files.openscsi-config = {
text = "InitiatorName=${tf.variables.openscsi-password.ref}";
};
sops.secrets.openscsi-config = { };
fileSystems = {
"/" = {


@ -0,0 +1,76 @@
espresence-pass: ENC[AES256_GCM,data:gAD3mMxPChrO0qPnmyvQvg==,iv:47xDnibBt5pLzvWJXSa56dU1uBA3Wu8wl6k8CTOS/O4=,tag:3oW6bJPVS3PnWrpaxFj5bw==,type:str]
hass-pass: ENC[AES256_GCM,data:LvoI4sQ77HpYdmNoPLQ=,iv:oAQGTqBh1sf4fbuWGs9AqCE1yS8IApyhEQDUG+yQk7k=,tag:sBPdLuLTJ8OMoZYzUdmnAQ==,type:str]
systemd-pass: ENC[AES256_GCM,data:3bEqqWsnBHOgzD95YqwDvg==,iv:ack6EGhE2GzxwRi3gwj1A19Tzi2PJ9iiisMrKozPV/M=,tag:uCR51yn9dAG2x9DCfo1mGQ==,type:str]
z2m-pass: ENC[AES256_GCM,data:1bqOab8EQbniAMeL9XRmDg==,iv:uUU3kbuCRIGaueTPE54EHwm4IGwUu+67O4gPYZmd1h4=,tag:iceTSLsRuADiOgZ5cnlnjw==,type:str]
tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str]
vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str]
vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str]
openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str]
z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str]
ha-secrets: ENC[AES256_GCM,data:/VW9zlFgFbwoFohnmg3f1fYG4qSg32LvA5eapWXXhH5ppFHnIt+2MO1HCzzETuy4EHN/nv1I6hZRwvM52wuF15UrkWjWOu4Xhaz3q7sQbjUVecJAXuG51cKeFryFTq0Tb0zh,iv:SWrMUlLbQAm9qVGK79O6I3tB+pcPBsLitOpn89NBZpQ=,tag:WGYAqID1NvtQJx/w0RqrZQ==,type:str]
ha-integration: ENC[AES256_GCM,data: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,iv:tRzbBW/YFMp2vw26M9ediGY49GuxvyV2ijZ1W7mjURQ=,tag:L4ACYnVzdarztrjlsX3cAQ==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2a0xYL1ZUemk0NzExb0N0
Z1lGcEpTL3Q5U1BHUnJjVktrQUFrNjZKRnhrCm41MW9tbUFzbCtrem5JMXBuMGRv
Tk1kaWdaYU8yT3F0NmdHWVA1SlNmQU0KLS0tIGlmM2ZlSFBpc1RCRHhKb21iVVNZ
OS9BSForMEJPaUtaNi8rYXJRV3dJZXMKfz+v2KzomXM+OZL43AGyYt05oIuh0OTM
jZ4CbkL93bVw+IWY7iZumAskBJycBR2BwOnBlza/1e/jjLeRxkziew==
-----END AGE ENCRYPTED FILE-----
- recipient: age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkeWhlWEI5N2w5S2gyMjhi
MjBMRDRIdktSYmxEQ1k4ZDh3dmg0TTdzdVFBCnRtMTFjVDdaNEpFckpyeUc5cFRH
Q2xsV04zODVTV0t1bURDK0ptejE1VTgKLS0tIFluUTVmQnpvUUVPZzdKWkZxdnB0
VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-10T17:59:59Z"
mac: ENC[AES256_GCM,data:cEQnqvtfPWDR9lcI37k52mPuFhqW+4TTs2LghRn9NiJkcLUSJNCrNUJE2Q/YMrQD6Ks5m7jRik/x3ryMdvVSiG4KC/Uk5pviZOCwDhRpDG4I8EqJHRhXLyxxptHV+D4y4+txPyXelOaY9FLU+0X+yHNLGRdURb7PqXfBZhmU56E=,iv:IvFaSROIH6OtpOOL53nn0CGTjLRpuCndBHDr1mIETNU=,tag:r2WzjoIC3jZvedgLcYaLfg==,type:str]
pgp:
- created_at: "2023-03-10T17:06:53Z"
enc: |
-----BEGIN PGP MESSAGE-----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=eZUS
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2023-03-10T17:06:53Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQgAt7a6OVIgJo8NHx7atPm68MckNqvYCs61jZUyEEZcrktc
ZkgGhR9IK5jSRZYYCVkZgfj1fikdAv6fF7GotEIJmdgcrQml3VzpAjpIyYuu1ilt
bybLp+ryoiE0pK9YF5Bl9vnZ4R+5m8SeAy6Z9WS7O7phxLCkAQ+dCQByyGD1Q4Zn
RRF+jIG6o2DnVu3wvkIs6s7dVWEDWJKh8sui97aOAzL5sLevT07WaeDC6LIikkhi
KMmvm3HgWghklDvMUTjw0MG3/k9qvg1kW5pQ2ZWivuCeMXA+NFAX1Epx61uZmgxf
8313IEfv4gXDXC2xCwmdOn0G6swktqdkY02t8ldFeNJcAXQ8PpieQ3aadGTvK6R9
0SgQ4MifOqnNMUDn1FvrfvrXRYHkc7qoyU+8PTzlQ1WCWYJvkrHS1ufFubeA57oJ
Kbf3xIXqe/8xP6uOw1/MEh4c3HeGbY7+ieW8miI=
=3NVV
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,4 +1,4 @@
{ config, pkgs, lib, tf, ... }: {
{ config, utils, pkgs, lib, tf, ... }: {
options = with lib; let
origin = "https://id.gensokyo.zone";
in {
@ -62,24 +62,9 @@
};
};
config = {
secrets.variables.gensokyo-id = {
path = "secrets/id.gensokyo.zone";
field = "client_secret";
};
secrets.variables.gensokyo-jwt = {
path = "secrets/id.gensokyo.zone";
field = "jwt";
};
secrets.files.vouch-config = let
recursiveMergeAttrs = listOfAttrsets: lib.fold (attrset: acc: lib.recursiveUpdate attrset acc) {} listOfAttrsets;
in {
text = builtins.toJSON (recursiveMergeAttrs [
config.services.vouch-proxy.settings
{ oauth.client_secret = tf.variables.gensokyo-id.ref; vouch.jwt.secret = tf.variables.gensokyo-jwt.ref; }
]);
owner = "vouch-proxy";
group = "vouch-proxy";
sops.secrets = {
vouch-jwt.owner = "vouch-proxy";
vouch-client-secret.owner = "vouch-proxy";
};
systemd.services.vouch-proxy = {
@ -87,9 +72,18 @@
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart =
''
${pkgs.vouch-proxy}/bin/vouch-proxy -config ${config.secrets.files.vouch-config.path}
ExecStart = let
recursiveMergeAttrs = listOfAttrsets: lib.fold (attrset: acc: lib.recursiveUpdate attrset acc) {} listOfAttrsets;
settings = recursiveMergeAttrs [
config.services.vouch-proxy.settings
{
oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path;
}
];
in pkgs.writeShellScript "vouch-proxy-start" ''
${utils.genJqSecretsReplacementSnippet settings "/run/vouch-proxy/vouch-config.json"}
${pkgs.vouch-proxy}/bin/vouch-proxy -config /run/vouch-proxy/vouch-config.json
'';
Restart = "on-failure";
RestartSec = 5;
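Review bot: `genJqSecretsReplacementSnippet` writes `/run/vouch-proxy/vouch-config.json` — now holding the OAuth client secret and the JWT signing secret in the clear — with whatever umask the service runs under, so unless `serviceConfig` (which continues outside this hunk) already sets `RuntimeDirectory = "vouch-proxy"` with a restrictive mode, systemd's default 0022 umask leaves the rendered config readable by other local users. Add `UMask = "0077";` and `RuntimeDirectory = "vouch-proxy"; RuntimeDirectoryMode = "0700";` alongside `ExecStart`, and confirm the unit's `User` is `vouch-proxy`, since the two sops files are only readable by that owner. Separately, `writeShellScript` does not enable `set -e`, so a failure reading either secret file would still launch vouch-proxy against a partial config; starting the script body with `set -euo pipefail` closes that.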


@ -6,26 +6,9 @@
];
};
secrets.variables.z2m-mqtt-password = {
path = "secrets/mosquitto";
field = "z2m";
};
secrets.variables.z2m-network-key = {
path = "secrets/zigbee2mqtt";
field = "password";
};
secrets.files.zigbee2mqtt-config = {
text = builtins.toJSON config.services.zigbee2mqtt.settings;
sops.secrets.z2m-secret = {
owner = "zigbee2mqtt";
group = "zigbee2mqtt";
};
secrets.files.zigbee2mqtt-secret = {
text = "network_key: ${tf.variables.z2m-network-key.ref}";
owner = "zigbee2mqtt";
group = "zigbee2mqtt";
path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml";
};
users.groups.input.members = [ "zigbee2mqtt" ];
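Review bot: `sops.secrets.z2m-secret` sets only `owner`/`group`, so the decrypted file lands at sops-nix's default `/run/secrets/z2m-secret`, while zigbee2mqtt resolves `!secret z2m_pass` against `secret.yaml` in its data directory — the removed `secrets.files.zigbee2mqtt-secret` carried `path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml"` and the removed preStart copied it there, and unless something outside this diff places the file the reference will not resolve. Restoring `path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml";` on the sops entry should fix it, as sops-nix installs a symlink at that path. The broker password for `z2m` now also exists as two independently encrypted copies — `z2m-pass` for mosquitto and, presumably, the `z2m_pass` key inside `z2m-secret` — where both previously came from the same `secrets/mosquitto` `z2m` field, so a rotation must touch both; a comment saying so would help.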
@ -40,7 +23,7 @@
mqtt = {
server = "mqtt://127.0.0.1:1883";
user = "z2m";
password = tf.variables.z2m-mqtt-password.ref;
password = "!secret z2m_pass";
};
homeassistant = true;
permit_join = false;
@ -52,9 +35,4 @@
};
};
};
systemd.services.zigbee2mqtt.preStart = let cfg = config.services.zigbee2mqtt; in lib.mkForce ''
cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-config.path} "${cfg.dataDir}/configuration.yaml"
cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-secret.path} "${cfg.dataDir}/secret.yaml"
'';
}