add wrwks secret to fw

2023-11-10 19:27:52 +01:00
parent 3d7c7e41b3
commit d0ddc3f8be
4 changed files with 44 additions and 2 deletions

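--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,8 +11,8 @@ keys:
 - &ldap-server-test age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t
 - &testmodules age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3
 - &ldap-server-arm age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
+- &fw age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
 - &netboot age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
-- &phone age12zmq67s0cykfxw9st9j4qqsus4saye96lsv3dpkmhfwsw325rvgst56hj3
 creation_rules:
 - path_regex: ^[^/]+\.yaml$
 key_groups:
@@ -91,6 +91,11 @@ creation_rules:
 - age:
 - *dominik
 - *web-01-server
+- path_regex: hosts/fw.cloonar.com/[^/]+\.yaml$
+key_groups:
+- age:
+- *dominik
+- *fw
 - path_regex: utils/modules/promtail/[^/]+\.yaml$
 key_groups:
 - age: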
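Review bot: The new `&fw` anchor is bound to exactly the same age public key as the existing `&ldap-server-arm` line above it (age1jyepp…7zz4), so whichever machine holds that private key — presumably ldap-server-arm — can decrypt everything encrypted under the new `hosts/fw.cloonar.com/` rule, and the two hosts cannot be separated later without re-keying. If fw is a distinct machine it should get its own recipient (for example derived from its own SSH host key with `ssh-to-age`) and the new rule should reference that instead of `*fw` pointing at the shared key. The same hunk also drops the `&phone` anchor even though the commit message only mentions adding the fw secret; if any creation rule further down still references `*phone`, sops will refuse to load this config, and files previously encrypted to the phone key keep that recipient until `sops updatekeys` is run on them.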


@@ -13,6 +13,11 @@ nix-shell -p sops --run "sops updatekeys -y secrets.yaml"
./install.sh example.com ./install.sh example.com
``` ```
# 2. Sops command
```console
nix-shell -p sops --run 'sops hosts/cloonar.com/secrets.yaml'
```
# 2. Web Server specific # 2. Web Server specific
- change the permissions for /var/www - change the permissions for /var/www
```console ```console


@@ -1,8 +1,10 @@
{ ... }: { { ... }: {
sops.secrets.wrwks_vpn_key = {};
networking.openconnect.interfaces = { networking.openconnect.interfaces = {
wrwks = { wrwks = {
gateway = "vpn.wrwks.at"; gateway = "vpn.wrwks.at";
passwordFile = "/var/lib/secrets/openconnect-passwd"; passwordFile = config.sops.secrets.wrwks_vpn_key.path;
protocol = "anyconnect"; protocol = "anyconnect";
user = "exdpolakovics@wrwks.local"; user = "exdpolakovics@wrwks.local";
}; };
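Review bot: `config` is never bound in this module — the header on the first line of the hunk is still `{ ... }: {`, so the new `passwordFile = config.sops.secrets.wrwks_vpn_key.path;` will fail evaluation with an undefined-variable error for `config`. Change the header to `{ config, ... }: {`. Separately, `sops.secrets.wrwks_vpn_key = {};` materialises the secret with sops-nix's defaults (root-owned, owner-only mode, as far as I recall — confirm), which is fine as long as the openconnect service runs as root, and the old plaintext `/var/lib/secrets/openconnect-passwd` should be deleted from the host once the switch succeeds, since nothing in this change removes it. The enclosing attribute set continues past the end of the hunk.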


@@ -0,0 +1,30 @@
wrwks_vpn_key: ENC[AES256_GCM,data:gGipXC8JJO59b4KWMSo0+r761raQl7RzgBuUbXmPEKlZR21bs5XRAQalzDCFNtjcpNkXiGqAHCLkDTtjPagMsw==,iv:MH1EBJEOdQDEgm9E0F884fynhsH8KiS5QSc605XbASQ=,tag:FUM1eptHS0rpt6ILyQjGOg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaExBbWFIRlRFMFBCQUdt
MElGZkpqWDcyNkY0dnd6QkVRenJNUWFGWDJzCnNYZWdtMkhLemlVbzh6TXREMG5p
SE5Bc1RaZ3ZlQnVVc0pmOFNTYkZ1alkKLS0tIGxGSiswRkxOdlR1ZkdUY1JHV1Ux
TGphL2Q3eFVRZUllRUtrd0s2eHUwc0UKz/PVi6nnhO3+Y5wnvsfu80vpdgvIZKEc
XGI21VBqDS6qetrlPoU2L0Ta729rs6PAeoAhiY+z7cXxgzaDvWONCA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjU2RWbDZoemRUTjlpTklI
R1JyMTQ5OE50bHBHR25LSVdXdHBoSys2MXdjCnRNN2RhRis1dmdwcEJ5anp3eEEv
U2VQcXBkQXRNaE1Na2ozV1VuRzVJdkEKLS0tIGxRa2pDS2VGUGNjblM1Smt6dy85
dTNvbDlqMmYyQXJsTlFWWHpVZlZzWEUK18tC5iPbbcr9pNvPy67XzQttnizp8huI
faFSGZLKdc7F32F39yw9hAu8QpYBQ+Sb6ucYxZ4pIAKNX+9ICGcnTA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-10T18:21:41Z"
mac: ENC[AES256_GCM,data:ejqFUPuyQC5YC5zcB/T8MwpUnb9JE9kCaWelzKf5qceXjD2XbcYHVbFAV2mNb+VwFTRCWAazNzIXGB3KiS9FBts2LfGbuzmjxN3WzcnW9n5oWSME9DMdnYzpI6Rkz35coIFZglaEx+m/DCXzVWTzah/I+zxtK3EiXFNhkCHxlCs=,iv:XK0iRQ/l4eHemzbMHFJ2Y6yW9Ar1GGYBkoYUzxO7k8w=,tag:lfxNcfuktoioXDa0SmDFXw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3