M .sops.yaml => .sops.yaml +7 -0
@@ 4,6 4,7 @@ keys:
- &arwen age15hcszwfk0d6cu9ua6g4udj9tdq63jm8lja66ktxu0fjfuczczcwsm5kcxn
- &alice age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
# LXCs
+ - &alderaan age1h57c3pw5y450yeex3yhlarkaeur5n3le09lm4frf8d3q3qpagfzqdqxm83
- &auth age1wu70y79zuqtk2z5q3t4vvwns2qmerwsy4gn4czf5f4xhch3yquksfwq0q4
- &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
- &metrics age1m8u3a7rzyx2n6zjxjnfkla34yk3v77egxzd3lv9umt69lsynlaqqqfpt05
@@ 23,6 24,12 @@ creation_rules:
age:
- *alice
+ - path_regex: secrets/alderaan/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *alderaan
- path_regex: secrets/auth/[^/]+\.yaml$
key_groups:
- pgp:
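Review bot: Nothing records the origin of the new `alderaan` age recipient added under `# LXCs` — whether it is a standalone age identity or one derived from the container's SSH host key — which is exactly what the next person re-keying `secrets/alderaan/` after a container rebuild needs to know. A short comment beside the anchor would cover it, e.g. `# alderaan: host age key; private half lives only on the LXC, re-key secrets/alderaan/ if the container is recreated`. The new creation rule itself mirrors the existing `auth` rule (one key group holding the pgp key and the host age key), so no change is needed there.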
A hosts/alderaan/default.nix => hosts/alderaan/default.nix +17 -0
@@ 0,0 1,17 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.liljamoPwd.neededForUsers = true;
+
+ roles.base = {
+ root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ primaryUser = {
+ username = "liljamo";
+ hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
+ };
+ };
+
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+}
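Review bot: The file gives no hint where `rootPwd` and `liljamoPwd` are decrypted from or why both carry `neededForUsers = true`, so a header comment would save the next reader a repo search: `# Secrets come from secrets/alderaan/secrets.yaml (rule in .sops.yaml); neededForUsers = true because they are consumed as hashedPasswordFile while users are created, ahead of the regular sops activation step.` The sops file itself is presumably wired in via `sops.defaultSopsFile` in the lxc profile rather than here — not visible in this commit, worth confirming before relying on it. `roles.tailscale.enableSSH = true` presumably turns on Tailscale SSH, in which case shell access to this host (root included) is decided by the tailnet ACL rather than anything in this file; that deserves a one-line comment as well.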
A secrets/alderaan/secrets.yaml => secrets/alderaan/secrets.yaml +34 -0
@@ 0,0 1,34 @@
+rootPwd: ENC[AES256_GCM,data:OS9UCh+udl5QZYra5fRcc3K/Am5DGoWQCkZrTSvcIWtOa91oDKmw2TrZgA0XPwaNJ2ITey5Vuv70mECUDoK7/sp+DjG7MVSQD3s6voGgY0dqejhTHa3QxlctYZOgm56iDtX2ZnhYccN/gQ==,iv:oUkGiow2INe2PCAM+ESAV8wSG+K42KA8uaCKHMi5bT4=,tag:RX9Q0Wv2aEViqh2Jz4DTPw==,type:str]
+liljamoPwd: ENC[AES256_GCM,data:b2+rZmgDR5CEH4iMZxHR8MOslHPlm1jEEEX7Jllxu76wT0++cJOXIBJpOit4otiP4wC88fL+Fzu156+EfQg/mP5r6nuf9Khqaopj89nhekRugX1HEcF75h9rz1h5FfNyIqLfVi2zS7Xo7Q==,iv:aJZEVWRcn70zQlLOvsWPPqlvjYMGule+li6U7Word3k=,tag:shJIG0arysR8ioVaSiqw9Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1h57c3pw5y450yeex3yhlarkaeur5n3le09lm4frf8d3q3qpagfzqdqxm83
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTmVCVkdNQzN6ODRrVHdL
+ NVVYSEhOejhnSENvOUpGN2duenZNNURuYm53ClFPVVBxek1TZkdvVWxORitQMEw4
+ ay9Nc2FYYVpXc1poZjFWazdYY3JCam8KLS0tIHk0TVJFQlVwcjdmRzNLK3NiSThW
+ Y2JlckFMRTY2V1cwbXFOUkdJY0lHYTgK1woaffGvotjBZ9N71vt9JHScT8NLV57x
+ o6xlyMw4+RaJS7XXKJBLDQrp18eiWDKX+gZXl5x8T4IQS2X58LmJOQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-05T16:21:41Z"
+ mac: ENC[AES256_GCM,data:S+8vu/q2HtjUkN8h8gGIO/REm73fW8Pxu8S23l4CFbTaV92PB+Cqf9r77QLn4bgZ5BOsfjXOaP+ocPkvi+H7IyIoN56BsS1GfEjzsXL4sYZZqhTXalk3+JpBhGn+n+yOB5lc8s42ZF1wfk9N2Nas2Ko6x+JZSdm88l3QCwbI34E=,iv:doN8qm/1O/+d/FNbQhNsGV2xKd4GUotIfzIHfwac81w=,tag:VYRLuqyNt04MKstCmOaCCg==,type:str]
+ pgp:
+ - created_at: "2024-09-05T16:20:16Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdAGMh9/JmFqPuYr6FIVm7IbbZvHrpcp5v+xADwZrHoM30w
+ JqBOy+uQnrEtgcl0lXEBIVGI6p2wx820UxgXIhh2P/nK5JZUWaLh5k0PgkrU3Rai
+ 1GgBCQIQr252MQFyU5YooUGx/6qRB++Vr2U6ODBrUe3j5o7HMFvvJcbRaWALrQjA
+ xlcgjVWI1MphkMVzTW6/qvzDqOzepMKL67VODIT2vReTeG4/1iyeAEVB2U9mQIpd
+ PPc/XFh8gKYNag==
+ =pHOu
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
A systems/hosts/alderaan/default.nix => systems/hosts/alderaan/default.nix +27 -0
@@ 0,0 1,27 @@
+{...}: let
+ conduitPort = 6167;
+in {
+ networking.firewall.allowedTCPPorts = [conduitPort];
+
+ services = {
+ matrix-conduit = {
+ enable = true;
+ settings = {
+ global = {
+ server_name = "alderaan.fi";
+ database_backend = "rocksdb";
+ port = conduitPort;
+ max_request_size = 50000000;
+ allow_registration = false;
+ allow_federation = true;
+ allow_check_for_updates = false;
+ enable_lightning_bolt = false;
+ trusted_servers = ["matrix.org"];
+ address = "0.0.0.0";
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "24.05";
+}
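Review bot: `address = "0.0.0.0"` combined with `networking.firewall.allowedTCPPorts = [conduitPort]` exposes Conduit's listener on every interface of the container, and Conduit relies on a reverse proxy for TLS, so client and federation traffic on 6167 would be plaintext to anything that can reach the host. If a reverse proxy in front terminates TLS (likely, given `server_name = "alderaan.fi"` and `allow_federation = true`), binding only to the proxy-facing address is enough — `address = "127.0.0.1";` when the proxy is local — and the firewall line can go; if the proxy lives elsewhere, bind to that interface's address instead and scope the firewall rule to it. A comment on `conduitPort = 6167` noting that it is Conduit's default and that the proxy is expected to forward 443/8448 to it would also help. Federation additionally needs a `.well-known/matrix/server` or SRV record for `alderaan.fi`, which this commit does not include — a pointer to where that lives would complete the picture.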
M systems/hosts/default.nix => systems/hosts/default.nix +5 -0
@@ 17,6 17,11 @@
};
# LXCs
+ alderaan = {
+ system = "x86_64-linux";
+ profile = lxc;
+ modules = [];
+ };
auth = {
system = "x86_64-linux";
profile = lxc;