diff --git a/flake.lock b/flake.lock
index b4bad41..a22cd33 100644
--- a/flake.lock
+++ b/flake.lock
@@ -387,21 +387,6 @@
 "type": "github"
 }
 },
- "impermanence": {
- "locked": {
- "lastModified": 1737831083,
- "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
- "owner": "nix-community",
- "repo": "impermanence",
- "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "impermanence",
- "type": "github"
- }
- },
 "lanzaboote": {
 "inputs": {
 "crane": "crane",
@@ -623,7 +608,6 @@
 "hercules-ci-agent": "hercules-ci-agent",
 "hercules-ci-effects": "hercules-ci-effects",
 "home-manager": "home-manager_2",
- "impermanence": "impermanence",
 "lanzaboote": "lanzaboote",
 "lix": "lix",
 "lix-module": "lix-module",
diff --git a/flake.nix b/flake.nix
index f893d9b..1fa7e0d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,6 @@
 srvos = { url = "github:nix-community/srvos"; inputs.nixpkgs.follows = "nixpkgs"; };
 agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };
 disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; };
- impermanence.url = "github:nix-community/impermanence";
 lanzaboote.url = "github:nix-community/lanzaboote";
 hercules-ci-agent.url = "github:hercules-ci/hercules-ci-agent";
 hercules-ci-effects = { url = "github:hercules-ci/hercules-ci-effects"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-parts.follows = "flake-parts"; };
diff --git a/hosts/hetzner/default.nix b/hosts/hetzner/default.nix
index e1a56ac..0363d28 100644
--- a/hosts/hetzner/default.nix
+++ b/hosts/hetzner/default.nix
@@ -1,13 +1,15 @@
-{ inputs, ... }:
-
+{ lib, inputs, modulesPath, ... }:
 {
 imports = [
 ./hardware-configuration.nix
 ./hosted
- inputs.self.nixosModules.profiles-impermanence
+ inputs.srvos.nixosModules.server
+ "${modulesPath}/profiles/minimal.nix"
 ];
 
- security.sudo.wheelNeedsPassword = false;
+ time.timeZone = "UTC";
+
+ networking.useDHCP = lib.mkForce true;
 
- system.stateVersion = "23.11";
+ system.stateVersion = "25.05";
 }
diff --git a/hosts/hetzner/hardware-configuration.nix b/hosts/hetzner/hardware-configuration.nix
index 16e803e..b96a94a 100644
--- a/hosts/hetzner/hardware-configuration.nix
+++ b/hosts/hetzner/hardware-configuration.nix
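Review bot: `networking.useDHCP = lib.mkForce true;` overrides a value that one of the newly imported modules must be setting, but nothing says which module or why the override is required; a bare mkForce hides a conflict the next reader has to rediscover by bisecting imports. Add a comment naming the source, e.g. `# mkForce: an imported profile (srvos server or hardware-hetzner-cloud, presumably) sets useDHCP = false — confirm which before removing`. Dropping `security.sudo.wheelNeedsPassword = false;` is a reasonable hardening step, but it only makes sense if a wheel user actually has a password set; if deployment or break-glass access relied on passwordless sudo, the host becomes unadministrable after this change, so confirm that before merging.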
@@ -1,67 +1,44 @@
-{ modulesPath, inputs, pkgs, ... }:
+{ inputs, pkgs, ... }:
 let
 device = "/dev/sda";
 in
 {
 imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
+ inputs.srvos.nixosModules.hardware-hetzner-cloud
 inputs.disko.nixosModules.disko
 ];
 
- disko.devices = {
- disk.${baseNameOf device} = {
- inherit device;
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- size = "1M";
- type = "EF02";
- };
- ESP = {
- name = "ESP";
- size = "512M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
- nix = {
- size = "100%";
- content = {
- type = "filesystem";
- format = "xfs";
- mountpoint = "/nix";
- };
+ disko.devices.disk.main = {
+ inherit device;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "xfs";
+ mountpoint = "/";
 };
 };
 };
 };
- nodev."/" = {
- fsType = "tmpfs";
- mountOptions = [
- "size=2G"
- "defaults"
- "mode=755"
- ];
- };
 };
 
 boot = {
 kernelPackages = pkgs.linuxPackages_latest;
 initrd.systemd.enable = true;
 tmp.cleanOnBoot = true;
- loader.grub = {
- enable = true;
- inherit device;
- efiSupport = true;
- };
 };
 
 zramSwap.enable = true;
 
 powerManagement.cpuFreqGovernor = "performance";
+
+ services.cloud-init.enable = false; # We don't make use of cloud-init at the moment.
 }
diff --git a/hosts/hetzner/hosted/default.nix b/hosts/hetzner/hosted/default.nix
index 9ae7a0e..9f60288 100644
--- a/hosts/hetzner/hosted/default.nix
+++ b/hosts/hetzner/hosted/default.nix
@@ -6,11 +6,8 @@
 ./grafana.nix
 ./prometheus.nix
 ./homer.nix
+ ./ntfy.nix
 inputs.self.nixosModules.hosted-nginx
 inputs.self.nixosModules.hosted-node-exporter
 ];
-
- environment.persistence."/nix/persistent".directories = [
- "/var/lib/acme"
- ];
 }
diff --git a/hosts/hetzner/hosted/grafana.nix b/hosts/hetzner/hosted/grafana.nix
index a021dd1..a8a569d 100644
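Review bot: Removing `loader.grub` together with the ESP partition leaves the boot path entirely implicit: the file now depends on the imported srvos hardware-hetzner-cloud module to configure a BIOS GRUB and on disko deriving the install device from the EF02 `boot` partition, and neither dependency is stated anywhere. Add a comment above `disko.devices.disk.main`, e.g. `# BIOS boot only (EF02, no ESP): GRUB is configured by srvos' hardware-hetzner-cloud module and disko registers ${device} as its install device — confirmed on a fresh install`, hedging as appropriate until that has actually been verified. Separately, the tmpfs `nodev."/"` is gone, so the root filesystem is now persistent disk and state that used to be discarded on reboot (logs, unit state, anything outside `/tmp`) now accumulates; `tmp.cleanOnBoot` still covers `/tmp` but nothing here covers the rest, which is presumably intended and worth one line saying so.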
--- a/hosts/hetzner/hosted/grafana.nix
+++ b/hosts/hetzner/hosted/grafana.nix
@@ -81,17 +81,4 @@ in
 proxyWebsockets = true;
 };
 };
-
- environment.persistence."/nix/persistent".directories = [
- {
- directory = config.services.grafana.dataDir;
- user = "grafana";
- group = "grafana";
- }
- {
- directory = builtins.dirOf config.services.postgresql.dataDir;
- user = "postgresql";
- group = "postgresql";
- }
- ];
 }
diff --git a/hosts/hetzner/hosted/kanidm.nix b/hosts/hetzner/hosted/kanidm.nix
index b060fb5..8e1cecc 100644
--- a/hosts/hetzner/hosted/kanidm.nix
+++ b/hosts/hetzner/hosted/kanidm.nix
@@ -48,6 +48,7 @@ in
 preferShortUsername = true;
 allowInsecureClientDisablePkce = true;
 scopeMaps."tailscale_users" = [ "openid" "profile" "email" ];
+ basicSecretFile = config.age.secrets.kanidm-oauth2-tailscale-basic-secret.path;
 };
 "nextcloud" = {
 displayName = "Nextcloud";
@@ -55,6 +56,7 @@ in
 originLanding = "https://cloud.ilanjoselevich.com";
 preferShortUsername = true;
 scopeMaps."nextcloud_users" = [ "openid" ];
+ basicSecretFile = config.age.secrets.kanidm-oauth2-nextcloud-basic-secret.path;
 };
 "jellyfin" = {
 displayName = "Jellyfin";
@@ -65,6 +67,7 @@ in
 originLanding = "https://jellyfin.ilanjoselevich.com";
 preferShortUsername = true;
 scopeMaps."jellyfin_users" = [ "openid" "profile" "groups" ];
+ basicSecretFile = config.age.secrets.kanidm-oauth2-jellyfin-basic-secret.path;
 };
 "grafana" = {
 displayName = "Grafana";
@@ -72,7 +75,7 @@ in
 originLanding = "https://monitoring.ilanjoselevich.com";
 preferShortUsername = true;
 scopeMaps."grafana_users" = [ "openid" "profile" "email" "groups" ];
- basicSecretFile = config.age.secrets.oauth2-grafana-basic-secret.path;
+ basicSecretFile = config.age.secrets.kanidm-oauth2-grafana-basic-secret.path;
 };
 };
 };
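Review bot: The grafana client's `basicSecretFile` is renamed from `oauth2-grafana-basic-secret` to `kanidm-oauth2-grafana-basic-secret` and the old `.age` file is deleted and a new one created elsewhere in this diff, but the consumer side — grafana's own OAuth `client_secret` in grafana.nix, of which only the persistence hunk is visible here — is not touched. If grafana.nix still references `config.age.secrets.oauth2-grafana-basic-secret`, evaluation fails; if it holds its own copy of the secret and the re-created file carries a new value, SSO logins break until both sides are rotated together, so confirm which applies. The new `basicSecretFile` lines for tailscale, nextcloud and jellyfin point at files owned by `kanidm` (per the next hunk), so the relying parties on other hosts presumably carry their own copies; a comment such as `# the same secret must be configured on the relying party — the two copies are kept in sync by hand` above the `oauth2` set would make that coupling visible.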
@@ -89,13 +92,15 @@ in
 locations."/".proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
 };
 
- environment.persistence."/nix/persistent".directories = [
- "/var/lib/kanidm"
- ];
-
- age.secrets.oauth2-grafana-basic-secret = {
- file = ../../../secrets/${config.networking.hostName}-oauth2-grafana-basic-secret.age;
- owner = "kanidm";
- group = "kanidm";
- };
+ age.secrets = lib.genAttrs [
+ "kanidm-oauth2-tailscale-basic-secret"
+ "kanidm-oauth2-nextcloud-basic-secret"
+ "kanidm-oauth2-jellyfin-basic-secret"
+ "kanidm-oauth2-grafana-basic-secret"
+ ]
+ (secretName: {
+ file = ../../../secrets/${config.networking.hostName}-${secretName}.age;
+ owner = "kanidm";
+ group = "kanidm";
+ });
 }
diff --git a/hosts/hetzner/hosted/ntfy.nix b/hosts/hetzner/hosted/ntfy.nix
new file mode 100644
index 0000000..c2fd518
--- /dev/null
+++ b/hosts/hetzner/hosted/ntfy.nix
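Review bot: `lib.genAttrs` is introduced here but the module's argument list is outside this hunk; if `lib` is not among the module arguments on line 1 of kanidm.nix the evaluation fails with an undefined-variable error, so confirm it is. The generated definitions set `owner`/`group` to `kanidm` and rely on agenix's default file mode to keep the client secrets unreadable by other users; adding `mode = "0400";` to the attrset makes that intent explicit and survives a change of default. The four names duplicate the client names in the `oauth2` set above; a comment such as `# one age secret per OAuth2 client declared in services.kanidm.provision.systems.oauth2 — keep both lists in sync` would tie them together for whoever adds the next client.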
@@ -0,0 +1,70 @@
+{ config, ... }:
+let
+ domain = "push.ilanjoselevich.com";
+in
+{
+ age.secrets = {
+ ntfy-sh-firebase-key.file = ../../../secrets/hetzner-ntfy-sh-firebase-key.age;
+ grafana-to-ntfy-ntfy-pass.file = ../../../secrets/hetzner-grafana-to-ntfy-ntfy-pass.age;
+ grafana-to-ntfy-pass.file = ../../../secrets/hetzner-grafana-to-ntfy-pass.age;
+ };
+
+ systemd.services.ntfy-sh.serviceConfig.LoadCredential = [ "firebase-key:${config.age.secrets.ntfy-sh-firebase-key.path}" ];
+
+ services.ntfy-sh = {
+ enable = true;
+ settings = {
+ base-url = "https://${domain}";
+ behind-proxy = true;
+ web-root = "disable";
+ enable-signup = false;
+ enable-login = false;
+ auth-default-access = "deny-all";
+ firebase-key-file = "/run/credentials/ntfy-sh.service/firebase-key";
+ };
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${config.services.ntfy-sh.settings.listen-http}";
+ proxyWebsockets = true;
+ };
+ };
+
+ services.grafana-to-ntfy = {
+ enable = true;
+ settings = {
+ ntfyUrl = "${config.services.ntfy-sh.settings.base-url}/grafana";
+ ntfyBAuthUser = "grafana";
+ ntfyBAuthPass = config.age.secrets.grafana-to-ntfy-ntfy-pass.path;
+ bauthPass = config.age.secrets.grafana-to-ntfy-pass.path;
+ };
+ };
+
+ systemd.services.grafana.serviceConfig.LoadCredential = [ "ntfy_password:${config.services.grafana-to-ntfy.settings.bauthPass}" ];
+
+ services.grafana.provision.alerting.contactPoints.settings = {
+ apiVersion = 1;
+ contactPoints = [{
+ orgId = 1;
+ name = "ntfy";
+ receivers = [{
+ uid = "ntfy";
+ type = "webhook";
+ disableResolveMessage = false;
+ settings = {
+ url = "http://127.0.0.1:8000";
+ httpMethod = "POST";
+ username = config.services.grafana-to-ntfy.settings.bauthUser;
+ password = "$__file{/run/credentials/grafana.service/ntfy_password}";
+ };
+ }];
+ }];
+ deleteContactPoints = [{
+ orgId = 1;
+ uid = "ntfy";
+ }];
+ };
+}
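Review bot: With `auth-default-access = "deny-all"` and both `enable-login` and `enable-signup` set to false, nothing can publish to the `grafana` topic until an ntfy user `grafana` with a write ACL on that topic exists, and nothing in this module creates it — the deployment silently depends on an out-of-band `ntfy user add` / `ntfy access` on the host, with the resulting state living only in ntfy's auth database. Either document that above `services.ntfy-sh` (e.g. `# ntfy user "grafana" (password = grafana-to-ntfy-ntfy-pass) and its write ACL on topic "grafana" are created imperatively on the host`) or, if the module exposes ntfy's `auth-users`/`auth-access` settings, declare them there, bearing in mind that puts a bcrypt hash rather than the password in the store. `proxyPass = "http://${config.services.ntfy-sh.settings.listen-http}"` only forms a valid upstream if `listen-http` carries a host part; a bare `:PORT`-style value would yield `http://:PORT`, so pinning `listen-http = "127.0.0.1:2586";` in `settings` here would remove the dependence on the module default. The credential plumbing — `LoadCredential` for the Firebase key and `$__file{…}` for the Grafana webhook password — is the right pattern and keeps both secrets out of the Nix store.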
diff --git a/hosts/hetzner/hosted/prometheus.nix b/hosts/hetzner/hosted/prometheus.nix
index 6307cea..dda45cd 100644
--- a/hosts/hetzner/hosted/prometheus.nix
+++ b/hosts/hetzner/hosted/prometheus.nix
@@ -36,10 +36,4 @@
 orgId = 1;
 }];
 };
-
- environment.persistence."/nix/persistent".directories = [{
- directory = "/var/lib/${config.services.prometheus.stateDir}";
- user = "prometheus";
- group = "prometheus";
- }];
 }
diff --git a/profiles/agenix.nix b/profiles/agenix.nix
index d312d06..bf9e7f8 100644
--- a/profiles/agenix.nix
+++ b/profiles/agenix.nix
@@ -1,12 +1,7 @@
 { inputs, ... }:
-
-{ config, options, ... }:
-
-let
- sshHostKeys = builtins.catAttrs "path" config.services.openssh.hostKeys;
-in
+{ config, ... }:
 {
 imports = [ inputs.agenix.nixosModules.age ];
 
- age.identityPaths = if (options ? environment.persistence) then (map (x: "/nix/persistent" + x) sshHostKeys) else sshHostKeys;
+ age.identityPaths = builtins.catAttrs "path" config.services.openssh.hostKeys;
 }
diff --git a/profiles/flake-module.nix b/profiles/flake-module.nix
index a07b31e..7b38dff 100644
--- a/profiles/flake-module.nix
+++ b/profiles/flake-module.nix
@@ -7,7 +7,6 @@
 profiles-audio = ./audio.nix;
 profiles-cachix-deploy = ./cachix-deploy.nix;
 profiles-docs = ./docs.nix;
- profiles-impermanence = lib.modules.importApply ./impermanence.nix { inherit inputs; };
 profiles-laptop = ./laptop.nix;
 profiles-misc = ./misc.nix;
 profiles-nix-nixpkgs = lib.modules.importApply ./nix-nixpkgs.nix { inherit inputs; };
diff --git a/profiles/impermanence.nix b/profiles/impermanence.nix
deleted file mode 100644
index 899bb5e..0000000
--- a/profiles/impermanence.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ inputs, ... }:
-
-{ config, lib, options, ... }:
-let
- sshHostKeys = builtins.catAttrs "path" config.services.openssh.hostKeys;
-in
-{
- imports = [ inputs.impermanence.nixosModules.impermanence ];
-
- config = {
- environment.persistence."/nix/persistent" = {
- hideMounts = true;
- directories = [
- "/var/lib/nixos"
- "/var/log"
- "/var/lib/systemd"
- "/tmp" # Make builds not crash by running them on disk instead of RAM (We still clean /tmp on boot)
- ];
- files = [
- "/etc/machine-id"
- ] ++ sshHostKeys;
- };
- } // (lib.optionalAttrs (options ? age) { age.identityPaths = map (x: "/nix/persistent" + x) sshHostKeys; });
-}
diff --git a/profiles/tailscale.nix b/profiles/tailscale.nix
index 52612b3..7b558ae 100644
--- a/profiles/tailscale.nix
+++ b/profiles/tailscale.nix
@@ -1,21 +1,15 @@ -{ lib, config, options, ... }: +{ lib, config, ... }: { - config = lib.mkMerge [ - { - services.tailscale = { - enable = true; - useRoutingFeatures = lib.mkDefault "client"; - extraSetFlags = lib.mkIf (lib.elem config.services.tailscale.useRoutingFeatures [ "both" "server" ]) [ - "--advertise-exit-node" - ]; - authKeyFile = lib.mkDefault config.age.secrets.tailscale-auth-key.path; - }; - age.secrets.tailscale-auth-key.file = lib.mkDefault ../secrets/all-tailscale-auth-key.age; - } - (lib.optionalAttrs (options ? environment.persistence) { - environment.persistence."/nix/persistent".directories = [ "/var/lib/tailscale" ]; - }) - ]; + services.tailscale = { + enable = true; + useRoutingFeatures = lib.mkDefault "client"; + extraUpFlags = lib.mkIf (lib.elem config.services.tailscale.useRoutingFeatures [ "both" "server" ]) [ + "--advertise-exit-node" + ]; + authKeyFile = lib.mkDefault config.age.secrets.tailscale-auth-key.path; + }; + + age.secrets.tailscale-auth-key.file = lib.mkDefault ../secrets/all-tailscale-auth-key.age; }
diff --git a/secrets/all-tailscale-auth-key.age b/secrets/all-tailscale-auth-key.age
index 5a3cf08..d1e2ac7 100644
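Review bot: Switching `extraSetFlags` to `extraUpFlags` changes when `--advertise-exit-node` takes effect: as I recall, the NixOS module passes `extraUpFlags` to `tailscale up` only while the node is still in `NeedsLogin`, whereas `extraSetFlags` are applied with `tailscale set` on every start, so on an already-enrolled node a later flip of `useRoutingFeatures` to `server`/`both` would silently not advertise the exit node, and flipping it back would not withdraw it. If that is not intended, keep the routing flag in `extraSetFlags`; if it is, add `# applied only at first login — re-run tailscale set by hand after changing useRoutingFeatures` above the option. The auth key remains a single `all-tailscale-auth-key` shared by every host (re-encrypted in this diff for the new hetzner identity); if it is a reusable key, compromise of any one host lets an attacker enrol new devices on the tailnet, so per-host or tagged, expiring keys would limit the blast radius and the choice deserves a comment either way.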
--- a/secrets/all-tailscale-auth-key.age
+++ b/secrets/all-tailscale-auth-key.age
@@ -1,16 +1,16 @@ age-encryption.org/v1 --> piv-p256 gEKqGQ AmwTib9gd05G+69de8qaRxr/6XbsLD1EGNFMc4F7Fz50 -HJcCci+p6Bw+q/VFnbl8XmNC/G1+0u9dMj6lRoQ+Blk --> piv-p256 kHSiOQ At2Cicsgth/kHMJNvyY/+DQ/fjUsHxggvdrfLlLlQDEe -nkpO9liZDuPSRKK95iDZ/4/fEueIYI1bgXoZWopUB3c --> ssh-ed25519 yj96aQ 4o3S4f3XP6MeYZbZ4s3XnZL8dhf985zuRFjLQAHki2I -jEfJ6esGcOTFpqWn3ba75Ox+xgIDKrIMQXbYnrsRo9c --> ssh-ed25519 xbow1Q nrCb0UPCzpTU1uTDH9vuJ1vtmQhr1dbNX59nOjl2wlA -l7YR/pZMAvJ2/XCk0HfNYF0VDxhJm0ml5A0a/a9LBLg --> ssh-ed25519 kdNx3Q d2kFy6UnHxt40M2G+aLqITOg5EK1gGo+INAyNbcPGBI -C5yMnWzmoYVMj7WnYiWoCogT/uNkmaTfEsiKHz8L00Q --> ssh-ed25519 sDP8sQ 8xtAoAAK23jY/HrJJ8622d++BXP65aS5ypoZWvzHb24 -RzS0nQdYXs3HI+CptLNXzQSXjcMPyqjNtvQiuQeqHDk ---- xOxQWIntjwPhMJ5NlR/g7At8gNVfNquUuV+F+9BBaUE -icWĆOT$_C| s0УzƔ -뼰տV7x<:"`'\pÜv[9za_tݝvm`^; \ No newline at end of file +-> piv-p256 gEKqGQ AlECnKX4LDW0dlRPpPL3hCKuNXMlK5FBkrWIqO7W7T7p +qTg7DHUP2f67OAnkuI3G4iZRZGKt6sjdUDl3s4vg5gw +-> piv-p256 kHSiOQ AshGsxqTh1CQb7oKIpG6AJRBTUzj2ZRfvbWxXcDW76OF +NBUbw2lBrl1jfmT3/yEI50mG3kx7pXTatJzuG3of4f8 +-> ssh-ed25519 yj96aQ XwiETT/o+A3woKUV3zTsjQxSNvd6VaEwnyBB5DBLuTE +UTviCt715omI4G9mWcYXWDYdA73YV2XZaDkVNOg949w +-> ssh-ed25519 bE1RAg DmJ04oIaua4fRuxH8+bfFgSZog3b87UVeQqRrMeMnw0 +VaWazKrK/MYcaC2VmwlwFnxl4S/pHG++NFAex9/G3ds +-> ssh-ed25519 kdNx3Q UmqF8hEGN2Q329wimYXYf6O8KEWKs/5vePdgreGseF8 +pHsyV7On/Gs5fYxwQObd78Of1NHg7nw+Uf5c8t3jBNc +-> ssh-ed25519 sDP8sQ vLZbwDV6NSwRf9fXDDqZZ41qEzZt4IneKGQrGb6XCWM +G9p/S4G7Qaohd7Fqv67t+kc0tRwTyhm3vIppV7fe38Y +--- b+RuWIyMDzp1RNPfuudo4dfzd6pQmw9siZIADYM7k1A +`PxH:/b#F ]?"gbR01S`e0xf%>y( +1!I~MC4Ǖn piv-p256 gEKqGQ A7nF7YPSYW6+x+g6tDGSKO5jIytzLcP1ek1qGUkd89ae -hlk+GLUjvct6Akd7hstvm3pZ3TkgMlzyBgc5yskVtog --> piv-p256 kHSiOQ A8dm5C1IIQ2AxMzdH7nbYLO2lg+ylYy9pHiumYsBbIbV -AmQNfftO9Zb9TO8u8JD854HAw4YiTPgHDJYS/r8YqyU --> ssh-ed25519 yj96aQ mXTN6N2+DO8eh2FnpVEgUmNZ7CCav7o4AW/9KZiA91k -7oHb5i/1ghRME7qyIFYC3r0dYjtP2QrYZfBWenNWODU ---- vDUzxdKydHxCu178FMxzsr9M12htz1wzyTB4irlwT8M -{h}{{YFxK;\ 
qW^tZU-oʆ[bkVÊ9X#5Tdj8/0fQ/-Mް|? piv-p256 gEKqGQ A2RDgX2hQ1uQyvS78bRyU75pARU0MYcxcB0f+DGX3uE7 ++G7rxO/ubQdbKffNhWeJYjZRse06HvwSoVXhznfIbr4 +-> piv-p256 kHSiOQ AoRDGHv9ZNFLiJ7Dy6NrV/dvxHbkSMmYEnx4b53do5XN +GRlsaM3Cp3DPGdrqzrasJrwAMtvCZfd3g+URqyuGLog +-> ssh-ed25519 yj96aQ ygX51z8X5C16r7jNtETJyOQJEXOCzsvB85d42qhstF0 +9CnDjXLsrfuhVoD5+Lys4kqHGK6laWZJiOT4y0ZNzvQ +--- cFneXS7XPMjKZ3qtgB42gBjI7xse7ehDTuobxv9qqrM +V I.aC}w"7Fva}m-K\\2O^t\^ +RlΫsF aK۩.TGA@\T>A!dfUP˷<6XI褠buH'<_2{ h8*p TD +(-=+|H x)5W)g5^#YУ-9z \ No newline at end of file diff --git a/secrets/hetzner-cachix-deploy-agent.age b/secrets/hetzner-cachix-deploy-agent.age index 29f0bd5..224c66a 100644 --- a/secrets/hetzner-cachix-deploy-agent.age +++ b/secrets/hetzner-cachix-deploy-agent.age @@ -1,11 +1,11 @@ age-encryption.org/v1 --> piv-p256 gEKqGQ Ah+nJirfuqwa9dSxqEqLP0Q3uhPLYzt2DraSgXbIBXi+ -xdtr/gUvEkrw1+HcUZWKFpIf29dB7GGV2XbAd3PIdPk --> piv-p256 kHSiOQ A7XWHKvM2F5YUJ1qc2p0Ac3NlKBSNmB4zhvUPREjOKfn -6RvlfeyVeuCs2/aVeJHWtF0Kh4dEiq7nYVfm5fBt6B4 --> ssh-ed25519 xbow1Q VXt6vQwRyaB/gazzpMKCBalxogHggTKb4uz05RI7dxA -4kFVGSz36x4KI9s9KB6mBF7HE6LW1ciYsLSoYQV9RPc ---- sBeC+jQhtvv6sPMtH2DOf9lAx1IWu1wqyjKcCTqCf/A -gEГ 3.050ݮ>3U@H-3oI{?""~#o -@7Tc1LЭ2AP2Gw C+-"tBU}aAﯽ/;H]>nn4* -0ZUa}';0]/yi90: \ No newline at end of file +-> piv-p256 gEKqGQ Ap9tGsOG2blE6tB78jZqTTP19WuiOSuTTLt0gOqy6xbL +l7Tj/W6Vii7NaAMUO+Ks+X3hoI6DUEwe/J6QqpjRiRo +-> piv-p256 kHSiOQ AhIV5VF1C9ACTswsFkJEnsI+1UcHo00bySoFnbgKGAgN +XYxaqqRCJ5oJ/8Gq92ZmeOvWdDynb5XmodNmGxl99vQ +-> ssh-ed25519 bE1RAg fMKTZGHH49XEkmObMf+9ac+EFV0aWYzhBsuZxOeHp3w +BFe6WOOEw6hUk2jHfkPpAvejRQI4za4Ud0QJcPXSh+I +--- UMC8ye6c2Pr5aXbk4zXyyZHvTDv+GbAhxjHliDdFlnw +\{cz䜡=I2D t +:6&5k8T, JMޡ!H'(63}zdEIgkL[_9w)NTֆZ8FCl+[9ֽ26 +iוQeC! .KQ}"T;!ߵ73tA5dy+N'_Et| \ No newline at end of file 
diff --git a/secrets/hetzner-grafana-signing-key.age b/secrets/hetzner-grafana-signing-key.age index b8d4aea..1ac52e6 100644 Binary files a/secrets/hetzner-grafana-signing-key.age and b/secrets/hetzner-grafana-signing-key.age differ diff --git a/secrets/hetzner-grafana-to-ntfy-ntfy-pass.age b/secrets/hetzner-grafana-to-ntfy-ntfy-pass.age new file mode 100644 index 0000000..1244a96 --- /dev/null +++ b/secrets/hetzner-grafana-to-ntfy-ntfy-pass.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> piv-p256 gEKqGQ A9QbHJanIQvfDXisE6zl+uYXvdIhvugO/YLhWtZZTRk+ +EH0S5wGg9phO/CVM0b92i5LGgG8ijsRwoGW9/j4Q/4Y +-> piv-p256 kHSiOQ AxfjBZz7sAR0BsBQ1zaMRwviIXGV2hsx+pWryPprzp1+ +ZGt6iWqdLSQKF2aPhFSw+4gXgK+JKtrk7+c4zMsmfNg +-> ssh-ed25519 bE1RAg Bp1CKK7xEv1wjx9Yank4eUrg+vcl3E4aqfosrPy2jXQ +UOg2hrxoz8DKApqMJLaAvZt05STztKqbeCnjdWgnuBI +--- cbJ4j4L4szVeIKxkWylEkg0eMiUSQmqbs7VtB0UpIFU +b Jt&XsR$ҙD(|$Vp;ܗΎVJDw Ouj9A93; fvYT-W \ No newline at end of file diff --git a/secrets/hetzner-grafana-to-ntfy-pass.age b/secrets/hetzner-grafana-to-ntfy-pass.age new file mode 100644 index 0000000..258ef6a --- /dev/null +++ b/secrets/hetzner-grafana-to-ntfy-pass.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> piv-p256 gEKqGQ Aw44iUld+39v6o7eIq/EeAj3UhLBVKqTv+wNr/Lhy78x +xzeHOfkvUPUe8AFa811lFzdyWOwGnVDs1a5As2LC9+w +-> piv-p256 kHSiOQ A+3n6Lf2StY0MsNDXl+PGJBPzeQbh0PVgEy0rlAiEvW1 +u8YNuUN4ZXberDx+QJYL60//lO/L1U/qAhtbz7/irgg +-> ssh-ed25519 bE1RAg 3bnb8VvxWrN3dve+P2edxfK84nof+inpASYKumO/1ls +A8YNWoioSnBM+Ki05FhZJW2BhaWGPDkouS+4XiAxDGM +--- aW6PI39Ri5+jw4osyNqOjpjDAsm0/xRIOjEKmDGEJr4 +=nx@zL.äc5ޗψ|駇"r!/s!r As"KCVVC}+:MP?c}"-f{VM,x)M \ No newline at end of file diff --git a/secrets/hetzner-kanidm-oauth2-grafana-basic-secret.age b/secrets/hetzner-kanidm-oauth2-grafana-basic-secret.age new file mode 100644 index 0000000..9fae34b --- /dev/null +++ b/secrets/hetzner-kanidm-oauth2-grafana-basic-secret.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> piv-p256 gEKqGQ AvEPLmRAu60fBYHswl0j+pGkfLlxyGxaSe5ztRgc0qZP +vkvcyWlsKxt0FnPbyG0GQrI4kRPNsJ1g6XCYA+pBSbU +-> piv-p256 kHSiOQ AxwbL7AafU1s+R2Xjs3NPdRAlruaOUPsSmCbfczxotGQ +YotYUZUNLj23xaoQ2F5AfxGJvxaa0V/FoqnVtAPmg0Y +-> ssh-ed25519 bE1RAg u7sW2ZjWIx8DPLLZUui4r5CcL0PfCXKy5/B+tlUqTjA +vkhOB5R9WPD8IxlBpNg56C34VfsM7gmCedpSAltn68M +--- 9ZTUztQtsr3COLtbCRUrlnC1ybLRxIWA8CN6i4YvCUk +hꈂjU禉HJ!&_Gѐ{sQDL pPDc|Tc\5[I~'"8Ya88q6mP-]Iڦjs3)fUOURTi7[Lm$"]zoe=50;- \ No newline at end of file diff --git a/secrets/hetzner-kanidm-oauth2-jellyfin-basic-secret.age b/secrets/hetzner-kanidm-oauth2-jellyfin-basic-secret.age new file mode 100644 index 0000000..0e92637 --- /dev/null +++ b/secrets/hetzner-kanidm-oauth2-jellyfin-basic-secret.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> piv-p256 gEKqGQ Ao3zem1DBV6oaMSl6gg32Ab0Z9A5tAe7v2DX8TjVo3sh +F8sBII+E92M7yX1GQ5j60ea0QO/lnGnpnrMrQke23Do +-> piv-p256 kHSiOQ AgwxVMIXXIqMjT0uv4DZVMkdMsVEhmGORUUk+QUPAf2w +JOZjrpikuhpJUWkc3iWcCIe22/dxF1xxQUvX6ls0oPU +-> ssh-ed25519 bE1RAg STaZerm5DbR8HO/bM2LHgosDh/65xeFzXbBESi7ockw +DOv/FHrY3xVKbvIk5kDBW5MzdJn60qmmhkEi9SXvKy0 +--- vcGYglAKa1sG2BcMQ6Fd0Vns2J3EHPk2iBgsfvYOrv8 +̸;|%<5.W3v:savPh C&s8EVm|^'G+69+(n-j_:NF%B Z1xzV, ;<mڠw Pmի K7aKxpsf>8U+B{Oovw \ No newline at end of file diff --git a/secrets/hetzner-kanidm-oauth2-nextcloud-basic-secret.age b/secrets/hetzner-kanidm-oauth2-nextcloud-basic-secret.age new file mode 100644 index 0000000..a8e1960 Binary files /dev/null and b/secrets/hetzner-kanidm-oauth2-nextcloud-basic-secret.age differ diff --git a/secrets/hetzner-kanidm-oauth2-tailscale-basic-secret.age b/secrets/hetzner-kanidm-oauth2-tailscale-basic-secret.age new file mode 100644 index 0000000..f931d9d --- /dev/null +++ b/secrets/hetzner-kanidm-oauth2-tailscale-basic-secret.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 gEKqGQ AiRRHX8lQ6ICBdXIeeCEqMX1H5Vri+TjUINmNfz5IYkW +pJXEB8+bKTY5pGVkk4TCb6eeh1i573ityl/fsmnOILY +-> piv-p256 kHSiOQ A3xBh/n/2rrm17p59ySzbUkV9FvXfMTmegPcI+iK32dU +reIYI/LdQyXckPKcFwk6NlixIo7+7zE7M66fT4DWQKU +-> ssh-ed25519 bE1RAg LLLW4ezU8xcn07P69uoqTxKMRQAsnA0vqGj7UfyO8iU +sitUZo8nTfzUFYloeo0skInvgazt5u9b7M7A8Dhu0vk +--- Jc8eMUrx6Tob2VcliSmkeTCFPbZ8kTFITyZyl/1cs7U +a)ўG8i9=( Ү0eV@ +^ND +zQ0 ׅ\aTDTi@ئ j;@H^PJex=ׄ;ZP_\]>Ӱ" G͞n5~TÕ4jã7Vs`lMU(6ڹ \ No newline at end of file diff --git a/secrets/hetzner-ntfy-sh-firebase-key.age b/secrets/hetzner-ntfy-sh-firebase-key.age new file mode 100644 index 0000000..f77ecec Binary files /dev/null and b/secrets/hetzner-ntfy-sh-firebase-key.age differ diff --git a/secrets/hetzner-oauth2-grafana-basic-secret.age b/secrets/hetzner-oauth2-grafana-basic-secret.age deleted file mode 100644 index 8273bb5..0000000 --- a/secrets/hetzner-oauth2-grafana-basic-secret.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> piv-p256 gEKqGQ AlfL3I14Ooc74JjA/N4dQYYqCRl+heFG6psOe1oXgO1+ -VtBvJNfvtdrJ+2xPl+JnrBEauH1jtOQ/PkGK6EyDsqQ --> piv-p256 kHSiOQ Av0JHIPQONBbhXEfVJdBPI4TJfxmNdy4CPvuzSM4pwze -9ozj9iIFEZnHSs/ZByT5ILxa/R31+6ry5+D3Kl6cVtk --> ssh-ed25519 xbow1Q fNLWV87Oc4Hl/5UIWq+xr1bLc9ocvcUGJn9oLWxZvx0 -gT+6qGDHF3dJugkICnKRZT3Scf8NA3XgRdO1fvX6ZWQ ---- wfJSdhRejgkp7DuhkGyOO2tEY7Uiq6UHqhHej3c7ZqA -'4f jn!KX%s\'FJ2N'hF/b -p0 zC -KZ'yˢ̺WX+ \ No newline at end of file diff --git a/secrets/pan-cachix-deploy-agent.age b/secrets/pan-cachix-deploy-agent.age index 69b7ad3..5f5a2d9 100644 Binary files a/secrets/pan-cachix-deploy-agent.age and b/secrets/pan-cachix-deploy-agent.age differ diff --git a/secrets/pongo-cachix-deploy-agent.age b/secrets/pongo-cachix-deploy-agent.age index 60b6907..c29ae77 100644 Binary files a/secrets/pongo-cachix-deploy-agent.age and b/secrets/pongo-cachix-deploy-agent.age differ 
diff --git a/secrets/pongo-kranzes-hercules-binary-caches.age b/secrets/pongo-kranzes-hercules-binary-caches.age
index dd65b85..2d05f7e 100644
Binary files a/secrets/pongo-kranzes-hercules-binary-caches.age and b/secrets/pongo-kranzes-hercules-binary-caches.age differ
diff --git a/secrets/pongo-kranzes-hercules-cluster-join-token.age b/secrets/pongo-kranzes-hercules-cluster-join-token.age
index 32acb86..16f8f56 100644
Binary files a/secrets/pongo-kranzes-hercules-cluster-join-token.age and b/secrets/pongo-kranzes-hercules-cluster-join-token.age differ
diff --git a/secrets/pongo-kranzes-hercules-secrets.age b/secrets/pongo-kranzes-hercules-secrets.age
index ad978d1..b4b3f0a 100644
Binary files a/secrets/pongo-kranzes-hercules-secrets.age and b/secrets/pongo-kranzes-hercules-secrets.age differ
diff --git a/secrets/pongo-nextcloud-admin-root-pass.age b/secrets/pongo-nextcloud-admin-root-pass.age
index 98747fd..d623bc0 100644
Binary files a/secrets/pongo-nextcloud-admin-root-pass.age and b/secrets/pongo-nextcloud-admin-root-pass.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 82e2aa0..35c5693 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,7 +2,7 @@ let
 systems = {
 pongo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOq0cqSiwsTj1ktlr70ToobLXD9JIRQynTuOpmwpYilB";
 gorilla = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDTblFcEmy7kyJRgZ43BWmNk22TE4N+xyTDeJC7jpwc";
- hetzner = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICd6HBMr+HEX0i8ZVN7QLeLo1+z+OkDjESDw1nc5IGqP";
+ hetzner = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrnR6feQwB8GCASDES3hujWI4fZBtbBbwWf7Hrq8Aon";
 pan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/SSCGsV61hZy5NVzjeA07PufZIHufUIeCD6id9orKF";
 };
 users = {
@@ -25,8 +25,14 @@ in
 "gorilla-cachix-deploy-agent.age".publicKeys = allUsers ++ [ systems.gorilla ];
 # Hetzner
 "hetzner-cachix-deploy-agent.age".publicKeys = allUsers ++ [ systems.hetzner ];
- "hetzner-oauth2-grafana-basic-secret.age".publicKeys = allUsers ++ [ systems.hetzner ];
+ "hetzner-kanidm-oauth2-tailscale-basic-secret.age".publicKeys = allUsers ++ [ systems.hetzner ];
+ "hetzner-kanidm-oauth2-nextcloud-basic-secret.age".publicKeys = allUsers ++ [ systems.hetzner ];
+ "hetzner-kanidm-oauth2-jellyfin-basic-secret.age".publicKeys = allUsers ++ [ systems.hetzner ];
+ "hetzner-kanidm-oauth2-grafana-basic-secret.age".publicKeys = allUsers ++ [ systems.hetzner ];
 "hetzner-grafana-signing-key.age".publicKeys = allUsers ++ [ systems.hetzner ];
+ "hetzner-ntfy-sh-firebase-key.age".publicKeys = allUsers ++ [ systems.hetzner ];
+ "hetzner-grafana-to-ntfy-ntfy-pass.age".publicKeys = allUsers ++ [ systems.hetzner ];
+ "hetzner-grafana-to-ntfy-pass.age".publicKeys = allUsers ++ [ systems.hetzner ];
 # Pan
 "pan-cachix-deploy-agent.age".publicKeys = allUsers ++ [ systems.pan ];
 }
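Review bot: Replacing the `hetzner` recipient key means every secret whose `publicKeys` include `systems.hetzner` must be re-encrypted or the reinstalled host cannot decrypt it; this diff re-keys the hetzner-* files and `all-tailscale-auth-key.age`, but any other entry listing `systems.hetzner` in the part of this file not shown (lines 1–24) would still be encrypted only to the old key, so run `agenix -r` and check nothing was missed. Re-encryption also does not revoke the old identity: the previous ciphertexts remain in git history and stay decryptable by the old host's private key, so if the old disk or key could have leaked, the underlying values (tailscale auth key, cachix agent token, grafana signing key, the OAuth2 client secrets) need rotating, not just re-keying. A comment next to the new key, e.g. `# host key rotated on reinstall; ciphertexts for the previous key remain in git history`, would keep that trail visible to the next maintainer.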