Compare commits
14 commits
1873bb7170
...
f390d41955
| Author | SHA1 | Date | |
|---|---|---|---|
|
f390d41955 | ||
|
|
4f0d0f7f0e | ||
| 47df6b544a | |||
| 34fd079fb7 | |||
| 5f0f986c59 | |||
| fe628075d9 | |||
| dd9e79b889 | |||
|
|
352c057652 | ||
|
|
e3ae7220d3 | ||
|
|
e9fef516ec | ||
| 40da937ee0 | |||
| e17b144c9f | |||
| a8dbf792e3 | |||
| b11a33de6e |
10 changed files with 180 additions and 88 deletions
9
.just/machine.just
Normal file
9
.just/machine.just
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
@_default: list
|
||||
|
||||
[doc('List machines')]
|
||||
@list:
|
||||
ls -1 ../systems/x86_64-linux/
|
||||
|
||||
[doc('Update the target machine')]
|
||||
update machine:
|
||||
nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}
|
||||
28
.just/vars.just
Normal file
28
.just/vars.just
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
base_path := invocation_directory() / "systems/x86_64-linux"
|
||||
sops := "nix shell nixpkgs#sops --command sops"
|
||||
|
||||
@_default:
|
||||
just --list
|
||||
|
||||
[doc('list all vars of the target machine')]
|
||||
list machine:
|
||||
{{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml
|
||||
|
||||
@edit machine:
|
||||
{{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml
|
||||
|
||||
@set machine key value:
|
||||
{{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"'
|
||||
|
||||
git add {{ base_path }}/{{ machine }}/secrets.yml
|
||||
git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
|
||||
|
||||
echo "Done"
|
||||
|
||||
@remove machine key:
|
||||
{{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
|
||||
|
||||
git add {{ base_path }}/{{ machine }}/secrets.yml
|
||||
git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
|
||||
|
||||
echo "Done"
|
||||
21
.justfile
21
.justfile
|
|
@ -1,7 +1,18 @@
|
|||
@_default:
|
||||
just --list --list-submodules
|
||||
|
||||
try-again:
|
||||
nix flake update amarth-customer-portal
|
||||
nix flake check --all-systems --show-trace
|
||||
[doc('Manage vars')]
|
||||
mod vars '.just/vars.just'
|
||||
|
||||
update machine:
|
||||
nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}
|
||||
[doc('Manage machines')]
|
||||
mod machine '.just/machine.just'
|
||||
|
||||
[doc('Show information about project')]
|
||||
@show:
|
||||
echo "show"
|
||||
|
||||
[doc('update the flake dependencies')]
|
||||
@update:
|
||||
nix flake update
|
||||
git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null
|
||||
echo "Done"
|
||||
11
.sops.yaml
Normal file
11
.sops.yaml
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
keys:
|
||||
- &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
|
||||
- &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
|
||||
|
||||
creation_rules:
|
||||
# All Machine secrets
|
||||
- path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$
|
||||
key_groups:
|
||||
- age:
|
||||
- *ulmo_1
|
||||
- *ulmo_2
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
keys:
|
||||
- &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
|
||||
|
||||
creation_rules:
|
||||
- path_regex: secrets/secrets.yml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *primary
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
|
||||
example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
|
||||
#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
|
||||
#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
|
||||
example:
|
||||
my_subdir:
|
||||
my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
|
||||
ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
|
||||
YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
|
||||
dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
|
||||
Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-03-09T11:37:49Z"
|
||||
mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.4
|
||||
|
||||
zitadel:
|
||||
masterKey: thisWillBeAnEncryptedValueInTheFuture
|
||||
|
|
@ -31,7 +31,9 @@ in {
|
|||
base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml";
|
||||
image = ./${cfg.theme}.jpg;
|
||||
polarity = cfg.polarity;
|
||||
|
||||
# targets.qt.platform = mkDefault "kde";
|
||||
targets.zen-browser.profileNames = [ "Chris" ];
|
||||
|
||||
fonts = {
|
||||
serif = {
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{ config, lib, pkgs, namespace, system, inputs, ... }:
|
||||
let
|
||||
inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair;
|
||||
inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length;
|
||||
inherit (lib.${namespace}.strings) toSnakeCase;
|
||||
|
||||
cfg = config.${namespace}.services.authentication.zitadel;
|
||||
|
|
@ -129,21 +129,19 @@ in
|
|||
withName = name: attrs: attrs // { inherit name; };
|
||||
withRef = type: name: attrs: attrs // (mapRef type name);
|
||||
|
||||
# this is a nix package, the generated json file to be exact
|
||||
terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
|
||||
inherit system;
|
||||
|
||||
modules =
|
||||
let
|
||||
inherit (lib) mapAttrs' concatMapAttrs nameValuePair getAttrs getAttr hasAttr typeOf head drop length;
|
||||
|
||||
select = keys: callback: set:
|
||||
if (length keys) == 0 then
|
||||
mapAttrs' callback set
|
||||
else let key = head keys; in
|
||||
concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set;
|
||||
in
|
||||
[
|
||||
|
||||
config' = config;
|
||||
|
||||
# this is a nix package, the generated json file to be exact
|
||||
terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
|
||||
inherit system;
|
||||
|
||||
modules = [
|
||||
({ config, lib, ... }: {
|
||||
config = {
|
||||
terraform.required_providers.zitadel = {
|
||||
|
|
@ -181,6 +179,15 @@ in
|
|||
|> withRef "project" project
|
||||
|> toResource name
|
||||
);
|
||||
|
||||
zitadel_smtp_config.default = {
|
||||
sender_address = "chris@kruining.eu";
|
||||
sender_name = "no-reply (Zitadel)";
|
||||
tls = true;
|
||||
host = "black-mail.nl";
|
||||
user = "chris@kruining.eu";
|
||||
password = "\${file(\"${config'.sops.templates."kaas".path}\")}";
|
||||
};
|
||||
};
|
||||
};
|
||||
})
|
||||
|
|
@ -214,7 +221,6 @@ in
|
|||
${lib.getExe pkgs.opentofu} init
|
||||
|
||||
# Run the infrastructure code
|
||||
# ${lib.getExe pkgs.opentofu} plan
|
||||
${lib.getExe pkgs.opentofu} apply -auto-approve
|
||||
'';
|
||||
|
||||
|
|
@ -250,14 +256,14 @@ in
|
|||
SecretHasher.Hasher.Algorithm = "argon2id";
|
||||
};
|
||||
|
||||
# DefaultInstance = {
|
||||
# # PasswordComplexityPolicy = {
|
||||
# # MinLength = 0;
|
||||
# # HasLowercase = false;
|
||||
# # HasUppercase = false;
|
||||
# # HasNumber = false;
|
||||
# # HasSymbol = false;
|
||||
# # };
|
||||
DefaultInstance = {
|
||||
# PasswordComplexityPolicy = {
|
||||
# MinLength = 0;
|
||||
# HasLowercase = false;
|
||||
# HasUppercase = false;
|
||||
# HasNumber = false;
|
||||
# HasSymbol = false;
|
||||
# };
|
||||
# LoginPolicy = {
|
||||
# AllowRegister = false;
|
||||
# ForceMFA = true;
|
||||
|
|
@ -266,15 +272,14 @@ in
|
|||
# MaxPasswordAttempts = 5;
|
||||
# MaxOTPAttempts = 10;
|
||||
# };
|
||||
# # SMTPConfiguration = {
|
||||
# # SMTP = {
|
||||
# # Host = "black-mail.nl:587";
|
||||
# # User = "chris@kruining.eu";
|
||||
# # Password = "__TODO_USE_SOPS__";
|
||||
# # };
|
||||
# # FromName = "Amarth Zitadel";
|
||||
# # };
|
||||
# };
|
||||
SMTPConfiguration = {
|
||||
SMTP = {
|
||||
Host = "black-mail.nl:587";
|
||||
User = "chris@kruining.eu";
|
||||
};
|
||||
FromName = "Amarth Zitadel";
|
||||
};
|
||||
};
|
||||
|
||||
Database.postgres = {
|
||||
Host = "localhost";
|
||||
|
|
@ -330,6 +335,9 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
extraStepsPaths = [
|
||||
config.sops.templates."secrets.yaml".path
|
||||
];
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
|
|
@ -364,10 +372,37 @@ in
|
|||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
# Secrets
|
||||
sops.secrets."zitadel/masterKey" = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"zitadel/masterKey" = {
|
||||
owner = "zitadel";
|
||||
group = "zitadel";
|
||||
restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0
|
||||
};
|
||||
|
||||
"email/chris_kruining_eu" = {
|
||||
owner = "zitadel";
|
||||
group = "zitadel";
|
||||
restartUnits = [ "zitadel.service" ];
|
||||
};
|
||||
};
|
||||
|
||||
templates."secrets.yaml" = {
|
||||
owner = "zitadel";
|
||||
group = "zitadel";
|
||||
content = ''
|
||||
DefaultInstance:
|
||||
SMTPConfiguration:
|
||||
SMTP:
|
||||
Password: ${config.sops.placeholder."email/chris_kruining_eu"}
|
||||
'';
|
||||
};
|
||||
|
||||
templates."kaas" = {
|
||||
owner = "zitadel";
|
||||
group = "zitadel";
|
||||
content = config.sops.placeholder."email/chris_kruining_eu";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, config, namespace, inputs, ... }:
|
||||
{ pkgs, config, namespace, inputs, system, ... }:
|
||||
let
|
||||
cfg = config.${namespace}.system.security.sops;
|
||||
in
|
||||
|
|
@ -13,10 +13,14 @@ in
|
|||
environment.systemPackages = with pkgs; [ sops ];
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../../../../../_secrets/secrets.yaml;
|
||||
defaultSopsFormat = "yaml";
|
||||
defaultSopsFile = inputs.self + "/systems/${system}/${config.networking.hostName}/secrets.yml";
|
||||
|
||||
age.keyFile = "/home/";
|
||||
age = {
|
||||
# keyFile = "~/.config/sops/age/keys.txt";
|
||||
# sshKeyPaths = [ "~/.ssh/id_ed25519" ];
|
||||
# generateKey = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
30
systems/x86_64-linux/ulmo/secrets.yml
Normal file
30
systems/x86_64-linux/ulmo/secrets.yml
Normal file
|
|
@ -0,0 +1,30 @@
|
|||
email:
|
||||
info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str]
|
||||
chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str]
|
||||
info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str]
|
||||
zitadel:
|
||||
masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDZyZkxvNU4zM3NHb2gx
|
||||
ZlhLZk5JWUFGMWZGeUVHNkFFU1NtZlBQVVhjCmZGai9NdmdUeU5VcW9ROVZKTW5q
|
||||
cmZaQ2JlaldaTWduQklocUZLT2FUcGcKLS0tIHlqVU0wdXJ0dTE4dlZSVEczd2Yv
|
||||
RVFxVHFxbkVNbEZsaVcwYXZCdUc5R1kKQdAN6LEKmGLCSkKhNuEr0YK2zl9Aw1kK
|
||||
6C25lN532mG55zIRectZda1Fmi1GMZ/2v3b5qz7x+TDMA9m/47OjmA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK3lqRDhEMXEvaUp3OWdV
|
||||
eFlZSGpJcGs0RTdRbllWdmdZTzl3RTlDNlIwCm92R290NjNyK2NNbWpINTBhazNS
|
||||
NTJYWEw0SGc1TUtrd0NZSmowakMvSlEKLS0tIG5uUEIrZGVORkRNVnBVOHgyMXZG
|
||||
TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
|
||||
Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-23T14:25:59Z"
|
||||
mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.11.0
|
||||
Loading…
Add table
Add a link
Reference in a new issue