diff --git a/.sops.yaml b/.sops.yaml
index 15f49165..09ddb5fc 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
 - &mew 65BD3044771CB6FB
 - &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
 - &reimu_osh age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
+- &utsuho_osh age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k
 - &aya_osh age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
 - &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf
 - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt
@@ -22,6 +23,7 @@ creation_rules:
 age: &reisen_common
 - *hakurei_osh
 - *reimu_osh
+ - *utsuho_osh
 - *aya_osh
 - *tei_osh
 - *mediabox_osh
@@ -39,6 +41,12 @@ creation_rules:
 - pgp: *pgp_common
 age:
 - *reimu_osh
+- path_regex: 'systems/utsuho/secrets\.yaml$'
+ shamir_threshold: 1
+ key_groups:
+ - pgp: *pgp_common
+ age:
+ - *utsuho_osh
 - path_regex: 'systems/aya/secrets\.yaml$'
 shamir_threshold: 1
 key_groups:
@@ -79,9 +87,9 @@ creation_rules:
 - path_regex: 'systems/keycloak/secrets\.yaml$'
 shamir_threshold: 1
 key_groups:
- - pgp: *pgp_common
- age:
- - *keycloak_osh
+ - pgp: *pgp_common
+ age:
+ - *keycloak_osh
 - path_regex: 'systems/[^/]+/secrets\.yaml$'
 shamir_threshold: 1
 key_groups:
diff --git a/nixos/access/unifi.nix b/nixos/access/unifi.nix
index 3af5778d..e8da84be 100644
--- a/nixos/access/unifi.nix
+++ b/nixos/access/unifi.nix
@@ -10,11 +10,6 @@ in { options.services.nginx.access.unifi = with lib.types; { global = { - enable = mkEnableOption "global access" // { default = access.useACMEHost != null; }; management = mkEnableOption "global management port access"; }; host = mkOption {
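Review bot: Adding `- *utsuho_osh` to the shared `reisen_common` age group (hunk `@@ -22,6 +23,7 @@`) gives the utsuho host key decryption of every file that group's rule covers, and the re-keyed `nixos/secrets/{dyndns,nix,postgres}.yaml` in this same commit show the effect — dyndns.yaml and postgres.yaml go from three age recipients to eight, which appears to be the full group being applied. From what `systems/utsuho/nixos.nix` consumes, the only secret utsuho needs is its own `cloudflared-tunnel-utsuho`, which the new per-host `path_regex: 'systems/utsuho/secrets\.yaml$'` rule already covers; whether utsuho is meant to run anything backed by the shared nix/postgres/dyndns secrets is not visible here. If the group membership is intentional, a comment on the anchor such as `# all reisen containers, including hosts that only consume their own secrets` would record the choice; otherwise drop the `- *utsuho_osh` line from `reisen_common` and re-run `sops updatekeys` so the shared files are not encrypted to a host that never reads them.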
@@ -28,22 +23,6 @@ in { type = port; default = 8443; }; - domain = mkOption { - type = str; - default = "unifi.${config.networking.domain}"; - }; - localDomain = mkOption { - type = str; - default = "unifi.local.${config.networking.domain}"; - }; - tailDomain = mkOption { - type = str; - default = "unifi.tail.${config.networking.domain}"; - }; - useACMEHost = mkOption { - type = nullOr str; - default = null; - }; }; config.services.nginx = { access.unifi = mkIf unifi.enable { 
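Review bot: The four options removed here (`domain`, `localDomain`, `tailDomain`, `useACMEHost`, on top of `global.enable` removed in the previous hunk) vanish without a removal notice, so any consumer still setting e.g. `services.nginx.access.unifi.useACMEHost` will fail with a bare "option does not exist" at evaluation instead of being told what replaced it. Both in-tree users (hakurei and tei) are migrated in this commit, so that may be acceptable, but one `lib.mkRemovedOptionModule ["services" "nginx" "access" "unifi" "useACMEHost"] "set virtualHosts.unifi.ssl.cert.name instead"` per option in the module's `imports` would turn that into a pointed error; I cannot see from this hunk whether the module already has an `imports` list to hang these on. The `config.services.nginx` attribute set that this hunk opens with `access.unifi = mkIf unifi.enable {` continues past the end of the hunk.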
@@ -54,43 +33,29 @@ in { proxy_redirect off; proxy_buffering off; ''; - locations = { - "/" = { - proxyPass = access.url; - }; + locations."/" = { + proxyPass = mkDefault access.url; }; + name.shortServer = "unifi"; + kTLS = mkDefault true; in { - "${access.domain}@management" = mkIf access.global.management { - listen = - map (addr: { - inherit addr; - port = access.managementPort; - ssl = true; - }) - nginx.defaultListenAddresses; - serverName = access.domain; + unifi'management = mkIf access.global.management { + listenPorts.management = { + port = access.managementPort; + ssl = true; + }; + ssl.force = true; default = mkDefault true; - forceSSL = mkDefault true; - kTLS = mkDefault true; - useACMEHost = mkDefault access.useACMEHost; - inherit locations extraConfig; + inherit name locations extraConfig kTLS; }; - ${access.domain} = { + unifi = { + inherit name locations extraConfig kTLS; vouch.enable = mkDefault true; - local.enable = mkDefault (!access.global.enable); - forceSSL = mkDefault access.global.enable; - addSSL = mkDefault (!access.global.enable && access.useACMEHost != null); - kTLS = mkDefault true; - useACMEHost = mkDefault access.useACMEHost; - inherit locations extraConfig; + ssl.force = mkDefault true; }; - ${access.localDomain} = { - serverAliases = mkIf tailscale.enable [access.tailDomain]; - useACMEHost = mkDefault access.useACMEHost; - addSSL = mkDefault (access.useACMEHost != null); - kTLS = mkDefault true; + unifi'local = { + inherit name locations extraConfig kTLS; local.enable = true; - inherit locations extraConfig; }; }; }; diff --git a/nixos/secrets/dyndns.yaml b/nixos/secrets/dyndns.yaml index 8a181b8d..46cb54a6 100644 --- a/nixos/secrets/dyndns.yaml +++ b/nixos/secrets/dyndns.yaml 
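Review bot: In the rewritten virtual-host set, `unifi'management` (the `mkIf access.global.management` block) is the only one of the three hosts without `vouch.enable`, and its `ssl.force = true` is the one setting in the hunk that is not wrapped in `mkDefault`, so a system cannot override it the way it can for `unifi` and `unifi'local`. If the management port is deliberately left to the upstream controller's own login, a comment above the block — e.g. `# no vouch here: the management port is expected to be gated by the controller itself` — would stop the next reader from "fixing" it, and `ssl.force = mkDefault true;` would keep the three hosts consistent. Note also that `proxyPass = mkDefault access.url` now forwards to whatever `access.url` resolves to, presumably the controller on another host; whether that upstream hop is verified is not visible in this hunk. The `let` binding that produces `locations`/`name`/`kTLS` and the enclosing `config.services.nginx` set both extend outside the hunk.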
@@ -12,66 +12,111 @@ sops: - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETlJsejAwYnpFRnhDbERM - d0cxcTZjMkp4MDFkTk8yZyt1RVZ5SUJNbEZFCkVSS0k4MGhqK2NzZjdlcCtWTDBw - TzgzQnloRmZXZll6UE1JOEdxaUxvbjgKLS0tIGNMdmw4WmhtblFzcHBHZXFRVFJr - NXZvN2xVVXdGaE10aVZ0NXhGT01OTlEKIoPZUHbWi12tiQ5te5K4ttoICk5k2ZBJ - htYByCo+7/w8qet0HrrxaXNy7z1dm86aipAFI3rlpdVWctnBO7jr5A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhOHNodVJjejlrdFlPcC92 + WitxdUN1d0VaRzJQMjd0eG8zK2Zoclkrekd3ClIxU01YMXhJSVZwRHJHaVZzVE5R + ZDJ3Qmx0MWFiVHlzVGJIRjhnclVXQ0EKLS0tIHBzQWVKQzMzOERIYzM1R3M5aFk0 + WFg5ekVrSXEvQXJDem1zNnpMblR2SVUKFpcnCnUMDLi9sv3VI4j2Z+/clMKmKdy+ + +tTvVvfHPHFwxQ8Dhd235QRw9zBBIZQ12eQhj5DxZqDGPdpiccbR8w== + -----END AGE ENCRYPTED FILE----- + - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTVo2alZ2QTFSYk9qTUl2 + ZnB5Q21NZEdrYTdQWkI3aWNYNUZ6S2kzbTBJCk9pQzVPZFFQR1Azc3ZKanNTOUxl + UjcvWjFaV0ZIVSsvS1dpVjMwRVNFOUUKLS0tIHF6SXJhdHZtck1pQ1ZQaDdvblZr + YWc2K25ZSWM3anNJY1BrQ1JrcjVleTAK2ybMS+w4G25ciGwwKvFUGewTFAwDyuD1 + +hKSm8iFp1nKpAQLoKENA0n/EY/XYV2BEdbJfmoZHTf1p8Onn3RXyA== + -----END AGE ENCRYPTED FILE----- + - recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UFhwSE9rYXBDeTc1S3Ji + NEdXTEdSSWE2ekQ0dGh3RGpvdFNpVFZWb2lBCk5SYmI2dnlNYTQ0QVY4N0ZabkRN + Ym96Y1ZsZDI0SFNHZmtEYlphT2hJanMKLS0tIDdrQUxsUkNYNTdTbWtYNFo0bjQ0 + bE9xbTYxMUJlUEYrUExWLzdZQjN5elUKy5tQkh9mJ1msXmrxTPojHYMMELKeLXbx + PdY8uWLr+Y/iR0SZ5LEmOjk4u7dG8Mk45I9C20TsyI4U6s74PVHXxA== + -----END AGE ENCRYPTED FILE----- + - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQmxQY1BSVm5razY1WXZm + 
UGpkb3FyYVBOU2t3ZEZvUFppYk1PS25pa1VFCllta044TDVGV3l6ZS92YWVEcGVQ + SEI0dW0vRXo4Q2VNdUNGK3RUeTd5UmMKLS0tIGFlV2hTVVgraDU3aUJKc0t3RWh6 + aHczU1dzdzJjejlUZE90SDV2YVhqYWMKoJKzzru19z95LCLXniriSgvbEEk7CWZI + gBDEWJgvbmfSz/NnCv7GDYwpGyOeak5GWTuCSwYzulaPat6E4bB1JQ== -----END AGE ENCRYPTED FILE----- - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwa1RQcWQrcjNRa2RoMWhq - WEQzZDJDSVlZTkZzcGcvSEZySmpkZi93MzJjCjZuYzBZUmVPRTFOZCtZR0tEL3dO - L2xhWHZUVmM2K0ZjaWpjem00L3BLLzgKLS0tIFVJalNsNjZIT3dYRnNaWVBUdC9y - cU9KU25rOHBVZDVDNS9TVG5qTFhNRFUK/MVX3YnjN83/iCIXliidnGVikdQG3Ek2 - lDT5s2jCzf1ENs+0B4kQJJrpz9Gsm1Dn1O3czXdl5StN0U7VXCWRhg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWVEzZkNpaTNRUE9kdDgx + d3BxcDFFcmY0MkE2SFdrZ1VEdjVpcGI4UUdVClIvMlBZUzRZYWhvSUhyKy9SWW1G + eG42UXQxQ0VQeVZ0YS8vSUtuSytwcFkKLS0tIEZ3Uk5Xc294TmpNdDVtMm9NNFhR + aUZXaEVETitUSjZheWdSQ29vZjhXWEkKkFSTKR7rWUgdLTg0487RUlXuRJPwgvF8 + 7EdY/cWhfKmGiUqF9kumrBpkR9Y8Aq0E94srBjUp9FrtyyxMRUEy9g== -----END AGE ENCRYPTED FILE----- - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRGk4cEtnaU91NGlZVUlO - ZTRzQ1NiYkl4My9yUFI1WkRWcUoyWDNjREdZCjFQWGUyaVhRbkQyMjVLU3B2R1hP - RldVSmxaYnBBdVRmZEVucFhzQVVram8KLS0tIHo2UHVXNmFwTmt5TjRKM3VkVGNR - L3IwMW84SUJRNGtOa3FFUWU1QUdwMlkK3deMhJC9PiugMcwFDVZZ9E3FKn4tyi1C - G3b/Rq5xPpfixiQY/Z2bmulDKPxmVijLeqbfDJdX9z3eWjbHFZQ8Og== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcmxvOGRoL3JBMytRY3RD + U0NpQnRRcEdJQ3NiVzJvQnZiS0VISjhOMFhnCkdzRFp3VXdwYlh3cVNsNElWdGpw + K00zUEJ4WnBJRzJabWlENXlZd1gyYlUKLS0tIE9zTGNDNjlkMUp3ZmxydkZRTUc0 + aDQ1emk4cXlnSTJGbTFDM1JBL2dUdzQKg/GfIhdYPe9GSehm8IvqfnMyAUmTCyjM + Z4IKXyJofqhdYhinbY2suxD1OqEJZdCq1KbkVeeuxmwmQFSpXjoMMQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTmpxT00yOUU5aVVUUFVM + d2xTRGFrVDZFdm9iVE85MUw0UHovenN1SlhVCkRDWFBsMmMwQnJLTXNUcml2a2hu + NU1wK2tOQ05ZWitmc3BrUFFGS3JkaFEKLS0tIGFXSmdUSElXZkNmckpCeUdqR2F1 + amFqYUkxOWtIWk9YWlkvS2RDbmdySGcKc9M8uzBHOdPqObtsRHK8Hp9zJyD8zv0O + D3Dy1RbYc3LqSNQ/C1ReczcSzMSVvNFAv7HNTfrHUNhq5G0Nn9f0Kg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UnAzV3lqQWlRRkpDaEVo + QXpnQUFGcVcvV2hnR3FaMlZ0NVo4U0cvbGtRCnhTOUFReXRTRWNlWU5PVGxpcUNq + S3cranJOb1lMSHlhMEowajFRdXZHdjAKLS0tIDZKUmU4LzhsTkhRdkVMNzV3dUtD + SmdmSGRVTkdmTWVULytyWW52UzNTUlkKAsuNbGkuH6HyMCTtlzYCdGfCWHMnu8TF + PHFUMXlehd8u+WrDVxpITmPi9uUvgIU6tE1JTPuTmz/JY5q4dtwB6g== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-01-23T20:22:51Z" mac: ENC[AES256_GCM,data:GKlI3gU2or3XWNgQlwRhYUPrPuc7UM+KcSDlQ90gvEY7av9e9KYqk2dtia8xicpKy+TagXg5p0BgkWpIXScUunf2srLwcZF2TH7Ycbhj1SOjlCU+MH2oJs4Qt7QDweXWUspG1YrWy9yS5xknXwd6mCeGAEynqbXq/veuumSAjfo=,iv:LTuguxgxPXf9wrj8QrI8w6JzowLJLQUvkLlI/lbsEuY=,tag:rFA5fN0gCeCB2MFyNDHkNg==,type:str] pgp: - - created_at: "2024-01-23T19:59:03Z" + - created_at: "2024-03-21T17:42:43Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA82M54yws73UARAAqr1vzzQnzPlC9TBsIcfuzuYy+GwAu1Dg66IyhLFsM+id - vzi2V99fyZVqDPn0aoSd5QENzXdsyMqz5Gixb5MeUWiKDG6ommKS1TlypKe0MbH6 - ggnYY+1mORcQ2o4yMc2yhACEfpdlsiycickmWhBR1V8uhr7GH0FeHNCb54LQZ25u - 28W6V2AeMKyGqQ2EWcpMQqQdGyC1bQkPoTar26HkiamoKSLVa5McWATJmgd2a1QT - OHsNw1aE1r1tNacs+Ia6VTqBVM9eLVJVxlAqdfDkd/WWAjoHn3Xmj+7VcrDVJ6HB - 3oJCSiFktLwVflhZS8MEGerNHvp8RvG2AORBQQ1EDUPiR9sW0ROUkwn8LamU92h2 - Jv382pDraSjOeHYfVyW6iK+c8nrtOl2+R5j/qNsejwNR3uo3mjbd5Ayf2hgJA632 - KS6Wg55DXoJO/L1tjXCmry2CVn8fBbY25g+PKUkQ9xlUrOlVcHtlHybJGuYvW+fC - NPM5okLGiqTpidf3J8t251vTzW8AUtB3gmf4dA5Kj2huPo5rbsvwA2MCgLvTCYKL - bGxKfBnPeKT8WE1Ep2fAaRyjxuNRDRM96uCTTnpTGrdss0TGXpZDi3KhExTqJN/z - 
pgi+PkU2n9YE0GXykDdkoK2M/IsR0n5Mk6Af5Kdzgr1AOHb8j8dRsQ7gxCNdVinS - XgGqFLM4Xzr8Jjq780nWzAcX36Xm5NJVdrv0pa171SDYBOnB3MAOVqYkRiOrDpQ2 - QgvKYF3uAWhPO/bpdelkZkVrFWROpC9nb888LcIkvYc4FePcATZ9jIrfTXugzvA= - =CAIG + hQIMA82M54yws73UAQ//RD43ID6mMP5G4h/NWI8Rdr5OMKb0Imm02FR3WrQfnuyU + SMuOOXifoDmt3Xz4twQ5eCHme1Q5XLijJDvuKraDdHAxvytHsA/LQX3gBY+n85a5 + KbrMsGAJT6dVTxdX/fiOdhurK38HxDad+OxccvjcUFqAzEQ0ZaO+KTPPAOu7EMCg + qqKkfbq4rtETiuoPypR5S8nBgf63eZnSsfF5Ffq8QBniRzcsa6UrAPqq8SLKaGHn + V7D3u36IM1wx3d1N+9hwmnKI4YbcUaCfURM3deAPQcS77JcCJqZqLzAUlsu3kOCS + TILFZPY61Cix+tby+I8VhLnTET51Mindq3VaYS0ruhNygFicKIeb6eT3oho6eAnb + KG7wj/8WggppVV2XioYuwG87+3ghKqk+8YoYn6mRkq10eCCTSHeNJgc9Cp+Aurhx + JYYbry+BRkKw8JVMa4whuWinQOrE8qmWGzHEjshZHTQFYB4JvUE8KqNCgovnkpeB + 03ISW1hENm7Q2QA3iVJdX+Lb2t6fN98gSJyW3Y/r1DNZoJ0zXtJnY9y61XhukXLd + AA/hZB/h3f8Z91KAMwAxA/5OFFnqW3Ox5RMvsMUYsiaQnoSwQeZ5ELR8OiaFVBQv + GpO4PdXrTD+C5DcgNXA62k0PR5N++/+cXpB2TotuAx9xrG24lCLSb/LeRdD3WSDS + XgHHKcc/AEVL8Oo8QAsbSN2mQZYjlX/3002xEbPyZvO15kTALkjF52MhNi7aerpU + bk3wE965mt5UB7tFJJVEIFuJ5zoH0c2NwnbKzjFdZxBMxwFfgCjGdJTkLl4L8Mw= + =HxeZ -----END PGP MESSAGE----- fp: CD8CE78CB0B3BDD4 - - created_at: "2024-01-23T19:59:03Z" + - created_at: "2024-03-21T17:42:43Z" enc: |- -----BEGIN PGP MESSAGE----- - hQEMA2W9MER3HLb7AQf/XjK2wv7gxUsVN5l5f1IOF0cOM7sOXNy54sxPUL917kEN - n2xe2jYd+HLe4BzOgQjHrMK3VZcv6lhHi7TqF5SmapK3yB+MBQfM5IwXsfF4wR+g - REZPYgj+EwamSydZ6Dt7j5V8o6HL+UMiMWk3IyNFVyN5Gx7ZQuLrCWrUZMA2FlP8 - 5C3uDYZZIv/NuS5EKAFZJ7lnMBCvDpsiGBmyUP6pMdBq5ZXCegZT4LELbtkAl3Af - 7iWag4pnpWvDo/TLLy+7camf7xRS6Tz6Em7hUdzl+EPGzG830K1duhU/65wKsrfk - zhkoyI3Hx84MsNy4h20oNKTKf19U/SGYt2mOCUrfStJeAZxToUDSiZHvQpmLssjm - 8usBJPfYuu/FYrBhFTlh1YwLaJShr6+NSJv3USngJYJFpOgw7LA0qg75+93gQD3L - w93BrVl28iUt9XO3Yj1zOdfVyASg2z9c4e32x6ZV2w== - =cUs0 + hQEMA2W9MER3HLb7AQf+L+YtbFJqn06stWhFoIQ+r9SmOEe4dXidLbwP25LJpr9q + CaaoZ9Rvq6QJ/9TXimwzcQK5RW5HsorzWWbj6vg0tvWaBproblIm2jNBEP4rd+jK + 3EYmezNUcJ/3SD/W1hGOvDFCRpvrkc3U2wGsbILPRsThpVnWM9hf6EtAmalpYxsW + 
Ok1Wa5ReTBrPRk98W881+XPu9LL0eju7pSyX+SFH6/hahEewR5GPwgffSSgb63Yw + zwfR3TOoFwQ/8NglRM4Qk0SLnvWF6weeyG4Cp4WfBvTHnNMBvvsv0gkoprz4I3V2 + Ib33oC60SX4WJGDD8Ju15I/HJ3pgb5BYoAgOYBBkT9JeAdmd+zksJOYfgbXbjrXV + Ydn6r+oJy97ZsfQJsfdfog7ahosEt96F4HkSTP5RUPS1iEBbWznr2l7WZkxDT8J4 + WwaoCKHMiF/NoKZoPdf/U0Xfjfs98LeMt/ziSfTxSg== + =GROT -----END PGP MESSAGE----- fp: 65BD3044771CB6FB unencrypted_suffix: _unencrypted diff --git a/nixos/secrets/nix.yaml b/nixos/secrets/nix.yaml index 395616e3..fc86c6cb 100644 --- a/nixos/secrets/nix.yaml +++ b/nixos/secrets/nix.yaml 
@@ -9,102 +9,111 @@ sops: - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTU42azF0ZGdCbHRmTHRt - U1JKeXBmclhZOGFsTGhWcG5TNk1wQUNtMVNjCkwzZ3NyYzE1MFp5S1Q2YjQ0NjRI - K1pncjZ5R1FBY0JYbytZb281ZEFkSEEKLS0tIFdkQ1FDcHNlZ2VkdGk2T0tMUFpM - ZGpxRzRPdDM4V0h5clJjVVd1NDdNak0KtmHrhUM7K1Ao0HAS6tvWBP4dFzROT5R3 - V8lJR+1ip2827TdMyQ1YXwrjIKLve0F7cMbALluRk600bbc/WZO6rA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbTV3OUJSTlJXd0VyQWhu + Y1JiZUJhUzhBUWQ3YUNROGs2MkE3Y1pJSVJBCkgvcFpKOGw0WXdiNnFwcHRzMVVW + T2dRdjM2bFB3Z1pzOEF4Nlp0MXBkMkEKLS0tIGlYb0EyNUtzWWI5ZkZoWEFDaVVm + bjROajY4Tlh5NmJkOFJlbnJuY2NlUjQK7VgmH6UvjgM2+aIlbcAtN0WTundKZlOM + Wpe9t1lY1foUA4claxTtfw0iSOPi0z6mUpeJUOFayzIHm9oBXetQMA== -----END AGE ENCRYPTED FILE----- - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNHRnbVNLaDYrQWdZWm4w - dUVLUHl4UzNxT29GSGtoRlFHL3VNYXhFUmdvCldGRkpKZnphQVF3OVJTZk5iZjU4 - b0crVDgrVGRDN2lPd1ZKcTBEU3d0ZmMKLS0tIGVCTXFpYlBJbXhzb1JkeGFuOTZ4 - OCtkT0hvZUtMVXRUclYvQ1hOekY1YjAKsXVBtK+a0jui+DcAG8WTcLaPq6okhmqE - CCKsH6S90qOwz1OQp6dmEC4CkXNQdqRD5GDYWQ7cQooD/5HRc8L27w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKYkw1YU05WVpZamFxSXdQ + RHN2Nnl0UkJqQkhXbFE4eUxQV0s0Q1ZSS0djCnVRcytxa3B2dThodEFzN3R3QWJ3 + bjJkTEJhUFBiV21sYXJ4dlpGVzFQOVEKLS0tIGF2VmN0VWJTeTVmSGhBY2N2Wmc2 + TjVBQ1VlZ1UrZTZLMGVBODdLU3dsazQKz6oDD5kcyZci0Gbxpfu6bRTKbsj69jyA + 4uYy8XM22YxIKe2y9P2BqEUYVTumCPdt27qSbFj8CftfwWDKb7WRlw== + -----END AGE ENCRYPTED FILE----- + - recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNkM0cFFGaDFmZWNZZXVu + eXNWOW9kcWEvSkZyUHJXTjdVQnN1TVREOG5BCncxVU5tUEgvR3IxY01Iek4xSWdP + SUtuTEhucTlqUTc1Y01hZXd3c3NkVTgKLS0tIHdEWTdYYVh1TzB3dzVMdEZSZ1or + 
ZVd1QmVOR3hveTdJSXB5T2hXamxTNm8K1/Em/Q1A1PxvmJ1zofd2Rh1h62oNXnEJ + qb9r7ktbcnO5t5lSQQGNPmZapkRlVy5sV0toDkDCBppeAfMkt0PP7Q== -----END AGE ENCRYPTED FILE----- - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MkkxUm5zMlkwZlJHdnRm - K2JMb0NtRUVHdC9USHRkOG1qS1J2S0ExbEdFCkpFK0xPcVZ0bDJ1S05PYWlXaFJz - U3R5Tk15MGErdzM2Z1VIOE1Xc1hGaWMKLS0tIENvM0UvVEFUZzBqUm9ka3VjRit0 - Y1VUSjVIR0lSak9vVXVTWEZDK1FpWU0KEGwee3Yoe9F7srK1KD9YarqXDgdS7WNS - CvDa0BpDAuRUMmptjHLygvioIR4WV5a8wnkFzcKsjHWCpv3J9YIaiQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5L0J5YXluMEtQRFh2T29q + cmtHM1Mzd0FPVHpGcndrbVVBUHhUQ3dndG13ClUwU0NuMit6UHVDWkRVaU1COWVN + bjhsVU52ODNtVE9jMVlENWsyaHdrUGMKLS0tIGova1pUbXNFa2dMYjhFU1FjWG9t + bi96VSsyaEs0c3loQ1U5c2EwbWRRdUUK2ohDFtsQzl9cWxB8eVlggfLtQmMEVRvK + 9b5YPZmQEOmMhgCfXi30wXxUhpckL8v/x7zmojNOoSF8OaLY1xc4TA== -----END AGE ENCRYPTED FILE----- - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArcnRyUFlwVmtlNWgxY0p6 - Z0hWUko3cHlEU1dMZnZZSE5pRDJsaUZoMmlZCllSUFQzcGVhWFQ5amYwY2pEeUpH - UUlKOUV4d1B2QmxURTZuYldUOEE5VXMKLS0tIG1RL0I5Mmlld3QxZHlXTnVWS0sx - QTFxcTIrTzZDQ1FBelgzRnBQQURqcGsKjt2F5Q7hdfTq1Px1jH0hiZQgqqMxV8nz - 9FY3wEKvf2w72t3kwjHFEfoFZx/95G/UTGNgW/floKOWdINB2lTTfQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTk15YlM3QVFaRkw3bnAv + ZFlwZGwxdzJEQmlWWkFQL2xmTEVqVHdqYTM4CmFCYmhUQWJQZzZERDA5TlRpWWx0 + Z3lpQlpFbm5EZFdvbldFaE9tcitKcHcKLS0tIDBGZG9PdWN6NHB6MlB4MVdudU9u + UnJCVUdBWSs5aU5FZk5NbU13a2ord0EKrZNqN9rCLM/0EpaHkHldeHWBO0/O8m6S + N9b90JTgysNyYUQ8Nxp2AP4npqJZutxnwmrlwrYjnrWur2pp5iHiEA== -----END AGE ENCRYPTED FILE----- - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVEpBc20zd2k4NG9sRW5K - 
K3Y4WHlOZk5MUHFLNnhKc0E3cWhVRDhWdkJJCmFreVV0R3dkeE1TRFlXWUZVbDZQ - NVdNYll3THhpY0R3Z1phRXViNHY5QUEKLS0tIE9ORkdzcUM5ZWVjTjkrZjltRHFY - b3hSN0REekNWTFVwZVU5TnB2Y250UncKmxrH/KPEc0yKsXbf9Qi56RqzXM6RI32g - dYUEErzZ8GmSfGJ4LyjIjG3YBU+bX8KROhaQ7LQ6PEp6Fjj1tG8NBA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYWc1aWkxZHBZaVBLUWxo + cmQ2YmVwYUtZcUY5djRQMTRZLy8xYWs5S1NRCkxLMW1rZjd6UVM4dWpGZ08ybDV6 + OEcwbE9mN0FXTHV3V0VsaVJSUWJ2OGMKLS0tIHlFQiszVW5RMjgwL3BCQlIrdUND + MTJyYnpBTU9xSDVlU3F2d1o1WFl1bU0KsbTa67oHd26ECBKUMBBa7AwVci+H9U59 + g6jo9SQXpvG0ot6vT6azMTXpbcVBqxupJ+JxXALCY+Hv+9VPDBZj0g== -----END AGE ENCRYPTED FILE----- - recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTExyenRsTWRVRmRJZjJa - TTFqK0hRRW0zYzREbnRwNytSUk4wSEl0Z1RFCmpIS0V4TTJvbWFvQXZ6ZW9wNmRR - K2dkSWFEcEFYb3ZiaC9GK29BbVlQMjAKLS0tIFl3bmJJOHJvZFlEdkNFYkR2RCtH - Qkg0Rng0eDZ2VFFUQUxyMU5xN1ppWmsKpTKcua6Za0OTF4aBDbOetSrgHtCei3B3 - H11BX78Wu1i6FzRXSkE3gXIejrZErN4zeXgzfJENIBeazh/RRn9KpA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUWR2ZHVuMFpaQ1c4M2th + R0RRNW1nMGJ2d25LSU9HMXcxUkp3WTNYb1hRCkhLRzlTam5wTGlxR3hISEQ5aXNM + bUo3NzJ4N0krMzVaMDZiU25VaE95eFkKLS0tIHhOYzZYSGZ5bTU5aXBQeHZoQks3 + bVp5OTgxSzhlbEtBUG5Ycm1lWEwxWGMKF84ttcAW6sPkoOieod8m8eXdsP47WH/f + WE9DcU+Bxi8Fgr5fwjMnG1R/WZZM5APZdmKyUb0VRKbBB5ZNbbFXAQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SzM1NlJRNStlckVQek4y - Q0tVbzZYSEVkOHM3OWdMRWU1bGExcXFsaWtJCkZTd1owWllFbU9SMnFjQlBjQkRl - eERFNlVtMVRBR1NTdmkvdk9yWVpaMG8KLS0tIERXS2g0VUkvd0hhT2hKVnlFd29i - dWlaK1FGRWNka3FxZ3VzQWNpdFVFMmcKDsIj7ShC+0ATr04M/XADSUqIPY/79Xjz - PtnjkbyRSCHZzA8JV9v6xJ6XoDlBNimIg4vJ6C4EQM4gqePytEUj0w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU3ZOdkpGdUJqdk5GMyta + 
VktNN0FoS0dzUnNTMXlFM1ZEcDJEZzJLMmtBCnV6eDZ2WmJ3bGJYVHVFaHoxTXhh + eHVhQ1RqazI2YWczTUd0eDd5dm1tY3cKLS0tIHZtRDJiQU5ncFZEbXowYjVvN0xm + SHVTbGlMbkszVVYrSGRiWGxnWGpiUjQK9QyHonMrnHZ5pYUr4JORFl6rE9xWds/M + 9Afb8CpvVTFHRFRDxmv+4CmZajYfwrLmZcatvVLgPuxTnoFuMMjozQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-03-14T03:48:48Z" mac: ENC[AES256_GCM,data:u7G4YsCFxUkgOsKLRurxlEl358aLdBdFOrOtO9TUu0JUHRx8QjPcYgfHgHFXqNTfJs+0kVvcbAzNJxNAIMWRQrVDy3+i3YFlyTcDAh6CufkIXRM6fxnX1YHzZGEtC7bpBASTpSgGJzVt7XqGrqE7v8H+q63MugjHYsKtmIG7lO0=,iv:0Zrw4+Cmfv6bjn3lYoinkYdj/TinALpyOFP7Nd8w9MA=,tag:8gi04GcF6JCBwfmVEulSmA==,type:str] pgp: - - created_at: "2024-03-14T04:19:04Z" + - created_at: "2024-03-21T17:42:29Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA82M54yws73UARAAr6EQyWBlFp59eiqHdBvER7LGbL9BJm0NiWNlVoFKVLgW - kFmnH+uSpe2NcFKJ4azPGGIAJFrQjtcrYYew1xizXInhHEigDC3J1YQmG4SWWRnc - 6ILEDRbvHFHTElWUTD4H/qHuRv1Wq2XJboG3armIdUeQEZPtDkn3sGBPQmL+AaNc - a1eH8sNuU0q6Xi4SsIzLDRE0w+9RhTk5/aJWM4lAzehFJ8puA3Sban8If3avDaEb - BG6oHvl1N97WQE/fC8Aui/8tAmzFKp0I7Vl4HIuZycv1fIlRa5HHqyVwK2sN+VlS - mBQBd3GZyMS3hZsjvCsctPTl6DYpKNtacZUhqkUp39exhhSNW4T1pKXurIaZumRa - w8V5zh1nusJNQhOmdTLDegCfGGSgRMx/HFxRZ6BxfXJVrZglff/icc7LhHaXpHz7 - rWtCb/nRnrxPh/h0K5Zzr5CGv5HsFM52CI2DI7U3cst6mCIZx8lkVT7PpJ1T7IKO - WTdVIsSlPBdmuvMS25mM9rP7ArpNv0rdv5COxOq+L7Xg6NahnIG6guxiBreyfQ+i - se05E+i4vC6J1WGv0932aE/oJ4VNLHrTPKh9sRsX7HtCxsbpyHgkc0rVsZWg1s/o - 1uII1Let92uB2uu4GdIgvKDr9CUf2Z4/lCXKfbc/u3D9hJEJDDQoRYL8bJiimPTS - XgH2S/xsgoOxRXpR5KJtOAgfJF+uFtCW8f4AfP8/Sg2/vgoEx1pKTvQxydYbjzH1 - bzykN6/QG1bROINImt8cPPFJCHcWf3CFhih+G8TLcQfPLhkIZpfUYJs5qi0pOsg= - =13CN + hQIMA82M54yws73UAQ/+LqogxiRV/yhn33FEzz0GXJ68Bkrhioqvivpf/pB27k9R + tx2hqp+RzYWwcXMTlHe9bDJErknZWRhLXthXer2l01eugheOT+BhYRuolM1Ib55c + aFLJ9zeqr/U4N8qcq43mQw6D+GnbS4ccXju3fzVmq1xB39fEVhu/+xyCTYSaQcXJ + XvCks6KkcHQBQGaz2Bm1CluJ6jRvovh+gEKQsPKZ6gIGu241VXfgOPCFnOqHqrEE + rEJ9BLVBraalojhoRjC6fg7KBOxt9LP4BGWIvbp4xqTN3pk36vZOGkxVxtkPB45J + 
cyDgAFm1CJan2hNMeNWFZsc4em1ECbOe97vTN3sSwWa14h8tuFISfe+Y9RXyjFMp + +joJ3l9/weh8rBppcdLIRKpfTeLRIyUpkB/uFZLyxAnroHva35/b86bxb4cv2ChQ + XoMZbrzKJstMSqrreDrWf0KK1qfm4yjVvG79fXhNlXRCKotjLvDdAmgef7WNgjS4 + WtozlQNGppIGv26ZrUSxvuJ4Rj4Tplmv2+ZCHrWVql4AqFijLCH7YmAOIAz/4nhY + BdhFvG87USbMowgl865U6IxTYFfEHcnnxPyk7eLK4oEih+F6XNA8+AyoynEVKl+p + n9mx/94P4KbysF6lK9EclyuFkKuFmU00qAGF2CyBhsbAZQ6ap0VTQzMvIKVZN/vS + XgEyuU+6dgwQ2W92IEmNkqLCqqL2ou2MaQ5nqeCLkK4BK6TVfKBHVJ8gOxqxPrNV + nNURna/Hd6q4Pl9knhiPj4IYIWbJdMYjc9ypYyl056Qn7dwgEQ25+f4bkwzAc48= + =3fm0 -----END PGP MESSAGE----- fp: CD8CE78CB0B3BDD4 - - created_at: "2024-03-14T04:19:04Z" + - created_at: "2024-03-21T17:42:29Z" enc: |- -----BEGIN PGP MESSAGE----- - hQEMA2W9MER3HLb7AQf/alwWkMoN3dhAATZJkMbSyUOtHA5oIDkZjgex1yqS11NA - /1l++ilh4qPArnnnoxUy3xVwffpKp1ifpVkqk7589gu2BRx0MWA0Vf3Jn2Bk4sVn - 7/EE8Ri21dsEaWsIAjS8gywXKyOo6d+cIWp9jXwGB4aMFbf85ti0Ki7ngWzvRu8d - L1VMoi5jhNHuF48qvkkvJajnXZ6qrtEHTY/nxoK8Pv3r/OMU6rUdGbCeFhv2WuQZ - J9Q6iO3h+vyOnj+pVhXxsTJZ+KQOZVJlS7sTKIJ117dmc07ujHt6RAM/5coU6okw - IzrWSfSTA8vwlOCbZy5sGO77z22zyBjrIvl+gKMBJtJeAe3M4YO7zWO2PkwluZoc - AwPnhV7opdwVsyPIX740TmG+3Er6/PgA4dqcjhdw7QbngghNtJNRfyLPp0Gr7ZNu - /ak67nZJTrqTgHXeJXLccxGu6yqnyrBzZASRFnu8TQ== - =a8aH + hQEMA2W9MER3HLb7AQgAkNNAoVsyQsOftg7A7/Mh8HR2attXDr1vbkVr1Z4b90rd + S0JL6EakdQeoHI2V4ieYIIDZVKX1q7E3hhAZbfaVQVIRCbhTGfQh3i9V3KtgAiwg + 9AuHSilMTkIUXdJeqE5/SJcNw1DMIzCImTE8iqYDEY6T/QuGjkYhLHiTgOAf2gwi + Amhwx0kuTcJ9XZ9TJXO3DCQ+joaahXtT8tX5elw5DAWWh+lREyi2a7CksZ8CkDLD + aHid7ULCV9UMNhqqPj6WNgseyaGvABiJLd87OxaQWfzOZdW3B/Vpjg0bR9JClP7x + jTOgxg1jc3ydEoOvuJZCmugV6oE/zKBsO5N/Niiv/dJeAcLfwtL8Nt/03O0ZZmuv + ZV1Gnjj6nB6cduvVW8aLSxiLlyJCkTGgtitFDYfi+c2gyaFiSn574rMkPlZJPI1w + X1kbflBqftsyNcpouY5QkH3qjihZeLeGOT90LTgLpw== + =eT3V -----END PGP MESSAGE----- fp: 65BD3044771CB6FB unencrypted_suffix: _unencrypted diff --git a/nixos/secrets/postgres.yaml b/nixos/secrets/postgres.yaml index 60c27c43..13695c9b 100644 --- a/nixos/secrets/postgres.yaml 
+++ b/nixos/secrets/postgres.yaml 
@@ -9,66 +9,111 @@ sops: - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMc0FYcS9QN2dIdERqSTVF - SmdlREJHcisyUTkzelZHdFJvMmVCeEY5eDB3CkVTQkdaMjE1dHlzSkwva1RUVmNp - a1JLeDJ5YnJoTEQ0YXkwbzgyY2pHaGMKLS0tICtXcEwrUzB6SkdwVnNUOWFqaFZr - WHQwekF0WXJVT0NJQmw4aUJCelRId00KxUZ94aCHnWyyQovSqDV29E07Z8UcTt3b - Lc7cjDyi5K2c2p3izgok9bUei2My/BcZVmBHXGj1QV/9o6r78pGdmA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WUh3cGZ2MmlRSGs4eXJH + bUdoa0F0RE9idzdCQjk1NmJvTVNXcTQxNkVnCmZwQ1N1RGJ2akdKazBBTGNkeW9w + MVFMVm5OVy9ZZlc2YXlldEZJaVQ2am8KLS0tIG5aY1FMYlVERTJ0SW9RclJ3enlR + TlU5STkreXFnM1lVQ1d3ZkV4KzVoTTQKQCd491bVPweIaMzN2TlnJkbhd2SgwBd+ + m35+UjAUVTKCbs3QqUhDDGqKglzbKWllNLoO7XzIPvbZkJCJapZ91w== + -----END AGE ENCRYPTED FILE----- + - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObC8yL3dtTDJBaytDd1Ji + ZFBOR0ZYU2lSREN1elFUcUJ2Zy8xaHNjZ2dnCnpoK2M2VnNqSkdGTFNCL1hHc2FM + UFdMYmVjUXF3NGVrWlhYSFhDUVVPWG8KLS0tIENCQTNjcmYwR1lUd2c4WmNpeWxy + SlRic0I4WkxtcUFkSjZPMWNGdlQ4ekkKFHEJC4k2ft9CAeYPOMXA/FGQ4ELLhYrp + LT4B8HMlvk7ZRL6+JeR3AtAe1nY8yCmdhNvHgxd0G/nUnUzGySRZMg== + -----END AGE ENCRYPTED FILE----- + - recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ejE0YXRrK2h6b1k4MFRJ + bjFRQlc0bWZSalkzKzhOUktDc3E0ZVZyb0FrCnFQTUJ1QlRkSGp2MGpEMjRweGQ1 + OHZSM1hqN2tmSWVCSVFKTGRqYXh3dTgKLS0tIEJvWXRNTm5HVFl1WXZOc2Q4L1Rx + ajllalpwNmxvVXdSYUxBNmJOSXl6MDQKBPd1eaAy0jLlXE+mb1gdyDeLkbhT1/Jo + TUjg5leRzXiSm2rDeQ8O7Cd8Eg4k58czEZ9wiTq0vkLtIyKJ/BiGBA== + -----END AGE ENCRYPTED FILE----- + - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3K01ULzBxREUwb3dIc2lv + 
RnFnNGtEbndSQzFzRlVOUUx3YmtvZmJhVTJNClhTR3VNSWVDVFhMSU52UHVjRWF5 + cENYMXRWODkxOHJObDMzK2lXQk5Id0kKLS0tIFYwNUZaZ1RqN0VFeWNiK3VHdFEx + bUVjUWlXMW1aODFVSFFEZUhBdXRrbnMKDL8xYOUESEjMGKhz3D4YWygjW8BN0cKV + AdHNeE15stxADGA679nlossXNA7zC1uDERNKHXgO4ZntN/tpNouD8w== -----END AGE ENCRYPTED FILE----- - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQODhwWGpHL1ZSZ2c2YzFU - alpleFpyVzROeXFSY2F6dUpTS3Bod0FhbVRvClhMWXA2eittM0NlbVhsS3ZxWkgw - L3Y2V0p0MHorTFN5NTZKKzBiRmdMNkkKLS0tIEZDZVp5QU1kQ2NQcmlVczBTbEdC - eXoxcUFKajE4Y0dheFFheWpmOFhsb3cKnnkCqy9YlL5wJBnFD7+Tghh6TYwGJlFM - 4Q+tSl6Ou7j8+pltr60A65RH/8/1dXihOIOFSlgqGNBIGYT3Y/E+Gw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWUo2SjRMQ2djWXhMcWU3 + Q2xJVHgvaExjclREOS95K1dNa2tiZWhRU0FJCkZqUEZZN3hRQnk5OUlzd2FKeVBG + TWgreVBxV2Y2OFFvdVhIbEpzZEZtKzQKLS0tIDh2NitCelExQ1doZXlKci9OOUtB + Mk9UUGpMZERqV2xpQStndGRXMkthdEUKEUqOdCACJV2D4sYVwo+BibxZAaDI31IC + 5yNs3ApZXgJ90smpN/4Uiezl1F2PyvtlTQ42FasqAUlyhoAJZpT6GQ== -----END AGE ENCRYPTED FILE----- - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaTJ6M1lIT3pvRWQ4dG9I - VFk1OENraENRMW12Zk54dng2YU9ZZEhtNlJnClJGWW8xUDVOb0pLMTI3aFhEU2Rm - TXNXREhDT2V4Y3pxYkFCQzgycG9hMXcKLS0tIDlCd2dpV240MUVTOHFHcHhLM0dp - a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L - rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNTR1U2pyUGxYQ1l6VjlB + aFJHNDNvTHprUXZTVVRqMUdkeEZmeCtnNG5FClJyV0J6ZS9pb2xkLzZxdldYcUtV + L2dwSndJQmxFOXZvSUJRRWV5bGowRWMKLS0tIFJCR2ZLVlB5Mi94a0lZeGR1V1kw + WEcrRTJlU3hzcndSZW8rR05sZzB2dVkKXhQwyOt0+95+H2ui9FdUyQrkDDU9Z1jn + mxC1qGFzCJxCmW6RbdREURVsoSTNfUQt0+ruHSyFlA9IH8LbYhURZw== + -----END AGE ENCRYPTED FILE----- + - recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWXJLV00wVzhCYXJIRUo1 + S1E4a29JRzBSZjBlR0wyQ0RGaHY3d2dpQURRCkVXSnNzV3VINFNJYVBPd2VMOEd6 + OE9na0NnOXFyR01vVTdTZnJHV1pnanMKLS0tIE43VExnVjA1ZFVxKzIrRVVTUFNJ + Zzg4czM1SXJ2TW15VWhadmhpeFlEa2sKN5VvYX+4I6rVsxfm8nPOGTgIo2wtjt8U + ujm4PKbl1SlIczkbcIO8/kAxCaXr3SzpZSVtybKvlsXeL/Tz9b2G0Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkc3RGNEJqNTJzUG9YaDgr + UW1zYjZrSW9MSVR3bE1oK0ZEc0lCWTNpSUJBCjdIMmFVNnZGTks5dXlDemJaM0Rh + VTczSjRRWkxPby9ScmM5eG9GYzg3dG8KLS0tIHlBWGo5ZXNndllOemdvY2t0RDVV + NVg3YVJ0eDFDZTZuSjIzdlVWZnI0OVUKMZ0vG0GIfyGtmNZQ6C94bABpI6Fb6VVJ + 8vGv1rf2kxJXy9dktQs1pvgP6CD1ZQu9qCGvd+UjQgrgmqy0HABhKA== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-03-13T21:46:56Z" mac: ENC[AES256_GCM,data:rEtRHX3PH1B+uoR82lDH3ACKHPbhxy+y7B9YgR6TzPSU4yIaTSqSK51eLJZoUtW6UTl6QDcTrsKDA8lGu9M/Ohfx8ayp6rkX63H/hkl0h6YaQmWDAQoNAAEWqfJ9r8O8tKKpE6qF/rw4c4KpuA5ONufOl9qj1KSgFzz0WHaKtWk=,iv:TUBAe62dmF6FAjZOPaxwzQjWL21TdWQG0YyuXJGgtk8=,tag:dewWivfnZO30Np2gajwLIw==,type:str] pgp: - - created_at: "2024-01-19T19:08:55Z" + - created_at: "2024-03-21T17:42:39Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA82M54yws73UAQ/8CB9fEBmQNuvN4kAxgBHU/4uOrEAvxFFYjsBXiOglaIYS - UxVdHwR5inoh8xQBNcl+v1/34jQe627ppSedYXF9ZzRoWShJTDhw0ArBsRbJwN3Y - Bk8YZd8F32zFh/+npCMee5PuWtkfBVwqQaccDpi9fCpBIedEAqgY0VPD40ydGseq - ZLx54MufKXOjnYR7BjVI9inzfUsGNWhI12haTOkcE4mFb4Ni5bQmt9qG3Oie3Q6a - TL06Dejfy5JPWemYoi3rD04MQ9HW+LmvLVxe8VfJrtDbvjhDwERzrO1GwLc+39kX - ArEcFAfbb8EQQ2serpfSGtZN/6UMVbIkT5VHA7iDzqXgBS2GKyOAitIMiXGGTN21 - /zv5cXQen3W1nezSD1jdEFL5oXhEpCwZsTi3L8RKCs53/u5hGVq98Bch1/+qAn7Q - jrGPEey5lwnocic5BMR2S0qbVX0xOByqx0BsJpJUOLDVZHSZjwHvZ7V11+D9gaJf - DLd5MrapLcYB9F3OYxX8toTaavJTKC1FTAcIkh9+7yD3OXw2iS/DLZzgiEdPeWRo - 3pxJB+MHRIb92+YN+tPb4OfCm2dTVwlI8E5CD+aqmp8axOjFYJ30BtybKqxyDK/1 - 
lqnKd8uwH94LUErwkv8h+P32m3W6FfhEzPp166RKEp7yBK2P5wh8VcPr0iIYRJzS - XgExy3cR7RC/E+WVfJY+RJL0jjS9mpRfkdyfjXCfHtAu+KSG5/SOLW3gLdQN6x8k - gQNKD699kZv5UbmFyW3UjcvqCfWixOLGqprjxvYZvlYcNBlqpZ4nVENRCPSfRgE= - =c/9s + hQIMA82M54yws73UARAAr2Q3f1PP9b5UDCzP5+3P3h1m8LnBRff/yVD+P9LQJVbs + YuxEfAqkxln/Dov4Pj0ZUrS+e32CgsKinNVEHL9ZU1R7MCFgLQKjYctdCXcisb0a + c+IAAHk/4ETRnMPSn0bS79s8AOqWv4bpKBOe9dpTWFVhqVatruCYh0iyNbKiYeFN + dqNskwyQD3xgD2sWvFZxUko8REX1vyAfJfvSnr18fTvOFNqslgY1O9Kkc3gHWz3Q + EHaJeTeOkCQGeMMQNvXAKrUYCE5VoaIl/iBy/r+L9evNDwtiEAuOp2QtL5RmLBGh + UkppvMaQSleULbHQm1dqBoURyUnwdYMj5WuoJvkzH0TJYmQ2avmyeU+HWwiWtpXo + cqkxH1ex48HKeQfqccWfn7yE3950onA8/ky2/Exm00VR1zB+iDXBV3n8Y4IfgXOs + vZvKngoL5ksxcWcK6Iw8iFKZSp3NLO0okkI0H/THp7j3egKFYPDVw4+pasN7n0qR + qyiBjed4aN2TX5yDhO3bksLRl+Xllwv6+E9sB00z+AkE83Mp8QAYvKuo/oztGzNp + WmQOCWvFSNFNyGHd5lr9o/pVEZHQTDPVbcvQN1ykPBNlbtMoec98bONHOHKNlEdM + BJTW7rAIop2OcqnCaLpL1qgV65OAnefYsHnT0rpfEJsQIv3mJ9KyTHZRtvYPPWXS + XgFOxR6b8ZLNPijME1kcSZ1sLOB0qF6vJreZUeBw/AwZjEhA62gWJI0UJ70+jSwh + 9QTKyxrDArtjhb3Js+10reE81u0OZ4njI+Out51JhIZqfB3DNCPsGn3J4OLaXYs= + =i//U -----END PGP MESSAGE----- fp: CD8CE78CB0B3BDD4 - - created_at: "2024-01-19T19:08:55Z" + - created_at: "2024-03-21T17:42:39Z" enc: |- -----BEGIN PGP MESSAGE----- - hQEMA2W9MER3HLb7AQgAuwdTlGN9e6nlYW1tU4H52joJMjzUovWbZ+bl/8+Xlr3d - C8U3lLRHgwmZ9M1tGnpB1tn1L8bloScyqmuNF/J5kbKkMrauEl61UEPLCahvBeas - HSzHNrkzK5yqc0k4KW+av8HChe9LvqjFXu4DHEz8cmOiCOhMGlnBl/8Dp0fS/n9c - OqgGVY/D3O7y5+vWnI6ZmRdMFT7ZZ88OwMMTvuH4DH5bBvAVVQVrisefVlNRYsSX - n3cOPweYbkEFlVykZ0aBpgwJGZlpottGAmWia1wAHyGw26qZrY9cwixBWTuCX+dn - G1dhb6uwi+t9cB0J0c5HSsbQmie8Er7dy11MFzNdCtJeAd552I2cJZsEdMojpYjQ - 0EZXu7UJ3j8cOIjktD6zQQmJ5zVrGTF5DWW8UT5aBFz+G6ZPisnjUbuPnJRXDJbt - yLiQ7t08bXNamLt9AKBp9l2mGvVvbUlyyJf3fraAUA== - =QI8Y + hQEMA2W9MER3HLb7AQgAtH75b57lYYW6hibZFdsm6UpGUDTe8NUQNVMu2EVRD6z7 + b6izbXXL3CSwM45uBUuxyqwcxyDPPldCR3wfzMRiQba2anwZGdau46Ow1M0JxsBg + Xl/luKR4Yqlg4Rz80yIzhIRF9RcapmmiZFsp8EM0bhXFAUiEdArNS76YTFsenofj + 
2h2JCa3fWy4vLKmZNMvTnGGnNsip7mML2cQ9hYvSTmfIwKTCM9U9fjwMEUwEvJUt + 33poeAaMeXWsAW9utX1vpzTrf+Bd02jHFYyfyww1kHr5aF20PTJHJ9/SJs6IrEKY + D261rf0k7P9rkf9Tztfk0UDyGeAa6v5FiCYaPYTbstJeAebtqMXwPWG+KF6JLb3j + /WAlwZQBC+WO8LB0f7eanjmy4SrtY/WURQC9ee4ta0OzknIK09jbGDIgtxgUjEsI + dqFy6zHWx6y7Ww6c2YrBp3p4pob+tlp4ePKaJiQdnA== + =CjpC -----END PGP MESSAGE----- fp: 65BD3044771CB6FB unencrypted_suffix: _unencrypted diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix index 79eed6a4..796a5ef5 100644 --- a/systems/hakurei/nixos.nix +++ b/systems/hakurei/nixos.nix @@ -109,13 +109,12 @@ in { (mkIf tailscale.enable virtualHosts.vouch'tail.allServerNames) ]; }; - ${access.unifi.domain} = { + unifi = { inherit (nginx) group; + domain = virtualHosts.unifi.serverName; extraDomainNames = mkMerge [ - [access.unifi.localDomain] - (mkIf tailscale.enable [ - access.unifi.tailDomain - ]) + virtualHosts.unifi.serverAliases + virtualHosts.unifi'local.allServerNames ]; }; ${access.freeipa.domain} = { @@ -195,7 +194,6 @@ in { }; access.unifi = { host = tei.lib.access.hostnameForNetwork.local; - useACMEHost = access.unifi.domain; }; access.freeipa = { useACMEHost = access.freeipa.domain; @@ -224,6 +222,12 @@ in { vouch'tail = mkIf tailscale.enable { ssl.cert.name = "vouch"; }; + unifi = { + # we're not the real unifi record-holder, so don't respond globally.. + local.denyGlobal = true; + ssl.cert.name = "unifi"; + }; + unifi'local.ssl.cert.name = "unifi"; home-assistant = assert home-assistant.enable; { # not the real hass record-holder, so don't respond globally.. local.denyGlobal = true; diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix index f98c2126..9608e83c 100644 --- a/systems/tei/cloudflared.nix +++ b/systems/tei/cloudflared.nix 
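Review bot: In the `virtualHosts` hunk (`@@ -224,6 +222,12 @@`), `unifi` and `unifi'local` are pinned to `ssl.cert.name = "unifi"` and `unifi` gets `local.denyGlobal = true`, but `unifi'management` — which `nixos/access/unifi.nix` creates whenever `access.unifi.global.management` is set — receives neither, so if management were enabled on hakurei it would answer on its port with whatever default certificate applies and without the "not the record-holder" restriction the comment describes. Whether management is enabled on this host is not visible in the diff; if it is meant to stay off here, a short comment next to the `unifi` entry such as `# unifi'management is not enabled on this host` settles it, and if it is on, `unifi'management.ssl.cert.name = "unifi";` keeps it on the same certificate as its siblings. The `virtualHosts` attribute set continues past the end of the hunk.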
@@ -53,10 +53,6 @@ in { host = nginx.virtualHosts.zigbee2mqtt.serverName; inherit hostName; }) - (ingressForNginx { - host = nginx.access.unifi.domain; - inherit hostName; - }) (ingressForNginx { host = nginx.virtualHosts.grocy.serverName; inherit hostName; diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix index 1dd3ec1f..f9eff658 100644 --- a/systems/utsuho/nixos.nix +++ b/systems/utsuho/nixos.nix @@ -1,11 +1,47 @@ -{meta, config, ...}: { +{meta, config, access, ...}: let + inherit (config.services.nginx) virtualHosts; + tei = access.nixosFor "tei"; +in { imports = let inherit (meta) nixos; in [ + nixos.sops nixos.base nixos.reisen-ct + nixos.cloudflared + nixos.nginx + nixos.access.unifi ]; + services.cloudflared = let + tunnelId = "28bcd3fc-3467-4997-806b-546ba9995028"; + in { + tunnels.${tunnelId} = { + default = "http_status:404"; + credentialsFile = config.sops.secrets.cloudflared-tunnel-utsuho.path; + ingress = { + ${virtualHosts.unifi.serverName} = { + service = "http://localhost"; + }; + }; + }; + }; + + services.nginx = { + access.unifi = { + host = tei.lib.access.hostnameForNetwork.local; + }; + virtualHosts = { + unifi.proxied.enable = "cloudflared"; + }; + }; + + sops.secrets.cloudflared-tunnel-utsuho = { + owner = config.services.cloudflared.user; + }; + + sops.defaultSopsFile = ./secrets.yaml; + systemd.network.networks.eth0 = { name = "eth0"; matchConfig = { diff --git a/systems/utsuho/secrets.yaml b/systems/utsuho/secrets.yaml new file mode 100644 index 00000000..5187abf9 --- /dev/null +++ b/systems/utsuho/secrets.yaml 
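Review bot: In `services.cloudflared.tunnels.${tunnelId}.ingress`, `${virtualHosts.unifi.serverName}` is routed to `http://localhost`, while the `unifi` virtual host this file imports from `nixos.access.unifi` defaults to `ssl.force = true` and `vouch.enable = true`; unless `virtualHosts.unifi.proxied.enable = "cloudflared"` (whose implementation is not in this diff) relaxes the redirect for tunnel traffic and keeps the vouch check in front of it, the tunnel's plain-HTTP hop either bounces to HTTPS or, worse, lands on the app without the auth layer. Please confirm the proxied mode covers both, since `tf/cloudflare_tunnels.tf` makes this tunnel the public path for the `unifi` name. The literal `tunnelId` presumably corresponds to a tunnel managed by the `utsuho` module in `tf/cloudflare_tunnels.tf`; a comment like `# tunnel id from tf/cloudflare_tunnels.tf, module "utsuho" — keep in sync` would tie the two definitions together. The `systemd.network.networks.eth0` block at the bottom continues outside the hunk.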
@@ -0,0 +1,57 @@ +cloudflared-tunnel-utsuho: ENC[AES256_GCM,data:GqhrwmOjfmj4VhecMS8765MPBq0URQlW64Hs7ljLVKFZdUKOz4trT+GusDEmTnHTSo+Tl24Bd6Z6TdyFKgacVOUFaPhO3EBkMrZ0rjFWVib4LsH3IH3/hctLiGJDbXLpu3WGnY/lYopPWr5870gzRfJCvbQecrFibsD9osksScttKOUVziTKSmYeOWHiTzI/ZrMUa3HMH3+O6rfajY2qq+v3O31/PS1cHEl+A2zfdmKVMbF/ugyVn/8cveYQGz5fsIDm11i5J9BrbWvaTH8=,iv:d9bW/dYRgk6QzWzUXu6IXUuwQo+Ghm1OPqU/lQLlss0=,tag:NNAOb/QUM41x/1Qhp2MWqw==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKK2ZGOWJvbXNRTlVJNkNR + STlHNjg3SXlWcFJGQ2ZSVDJ0UytRUFYycVFrCnFaTjJ5T2dQNnNTak8yZ2VFZ2U1 + U3lpVHhlcUl6cGNTSVRpT1VTczJBOGMKLS0tIGVlQW91bmZoclNpRkVWRk8xR29n + aGMvcU4xQVNuczB5NGhZMnFlWnlkSGsKm8Z3rSM/uNN1522p0inM5vQ8+OY83FDI + I69BH9qL2ekRG2e2Qw+bjeHOUm9Qe9QSRsQPW3Z3XDdxEVxRgE9Avw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-21T17:43:11Z" + mac: ENC[AES256_GCM,data:g/e7TsFAbKZZpbbJyKZxbyjJ0fIDoPA+hrh7NbuJKJw8sSVBnhxbDBVzMELpekRg/HuXlYB9vf/2tVgIrDdSN8oF+JP6E5O5i7pebDSibpQ2aAsUadWBQfuzaCAu/jfbKbe7lAfU631nnkVP0K9wdj2aRRjElr68sbdfeSFIeBs=,iv:5Zr5dWk63ebyxNwXBOTjjmBg9UBJqB7BOQKtrJUafYM=,tag:D3gz/tEyZY6IIHhT19x/cw==,type:str] + pgp: + - created_at: "2024-03-21T17:32:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ//TULZQkT0H8Wit0cjltcimg4JPaeiWHKoe7CdjwWJ94u2 + G7IqyYFg/BdZG45C2BFno5gH/xl4JIfuCHrqWqmpAUy5h+wTC9jWZE717YxYXv+Z + yoIo713u5+1zJ4U/LuXzxxgTdL6niuOMii6u3PCP3AuyvEg5zbCoTJ317y9TE67Y + o5OXjo02JP/UVbU66HGMOXhj5dSqss34QSdIen7atUWoLLa9hmtKvCBUKj49niaN + FRK/UTEi2D/C0Hm6qmpNWdT9XxXSPpYSKm9YSl0qatsIhxKxyg69Zb9WRQwc/MS2 + D4ioH3uViOBOGMfJNqUSQoB5f0OpN2iDPWnmXymgCbDvnhZ3jOGhK+xOI7RotUj+ + lTQ+iMzsOh5pVgdINLk8sak/ZUaURy5Wro+mbr0HErgqR9TX1BgmmLHgSY5NqjVL + z6YLmvZbyrio1033ulaqOhRnBfO2yILobjaRweA+fDqtRD8MhljuYzz4VN6Su1L4 + 
7oFEqSeTDKb9x2ZU7NQcOPIg4LwXhkdQvTP5k33BtwA9oZbk3iSQ8eSsbRlrRXos + YWVlyM5JWLFoNrE+sXFPYSHx4WbZ3QmSvPLjTOLSfMYLXQi+ZnYX09bzOTU3tqPG + JH2dIMWdHLaN3BpnG6SZol2kh2Yv9Kh3UUDbzjRzisSwW7jdrY4G/dz0UG2lyljS + XgGbjRzz9LmzX7g5Jse74MLcJyyRO8CiRb3J6niKyQ5sCK8Cd+hoosIeGYvIYkjE + JtGkN54B7BZcqOx03LyLQcSr7trfOD8dmmHpjUdfxyy33T2iTkH3qaHX8IGLL/Y= + =gsOE + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-03-21T17:32:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQf+OxaKJJ2PbrHc+gnstVKXXk5PrUBxxPE5a2SmVxAS25IH + 5pRpRBsXMsdeIbX5N0FPxE+6ry1+hSbzfQaFfaOBdrWcvPAj7S2LbckhR3QKEydI + tHxjhsNVDGL9zUe5cHc8+1lXylB0rZeYNXrttv9tk6k17FgxBOs2nGqVBE4qMcHK + oubUZ2JAvz4iMcbTCM/2gotf5dC2j5tyPserLJzZvgjOP7c2PWlIeauulIa+zmw0 + xLqUR2mk3T/IuIAsmKMeG6MBCkcEuK3bSJwvuf8MId+nJMG75hQ0O8LiafVEsROa + QGv6MGdSsN4fPAD7KEkf3CvWYjdhmx1eLDu7VLSzXdJeAV64z11mXomX2R4D5zb2 + 9u+U5FhLt7atr6YmTz7E3x3hytcKp8jXc2q4WMibw34bs6wFuOtey/2CAJWzp9Ba + 19oU8CuAoFGxHo9SGqweuqU7qrF2bjmFyGJzPiNJYA== + =AWUc + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/tf/cloudflare_tunnels.tf b/tf/cloudflare_tunnels.tf index f5b5eb21..825917c9 100644 --- a/tf/cloudflare_tunnels.tf +++ b/tf/cloudflare_tunnels.tf @@ -70,6 +70,7 @@ module "utsuho" { account_id = var.cloudflare_account_id zone_id = cloudflare_zone.gensokyo-zone_zone.id subdomains = [ + "unifi", ] } @@ -101,7 +102,6 @@ module "tewi" { "home", "id", "z2m", - "unifi", "grocy", ] }
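Review bot: Moving `"unifi",` from module "tewi" (second hunk) to module "utsuho" is a destroy-and-create of the DNS record across two module instances, so Terraform makes no ordering promise between the delete and the create and the name can briefly resolve to nothing, or still to tewi's tunnel, mid-apply. If the module keys its record resources by subdomain, a `moved` block from the tewi instance to the utsuho instance turns this into a state rename with no gap; otherwise a short comment on the new entry, `# cut over from tewi; hakurei keeps a local-only vhost`, would at least document the intent.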
