Migrate ikiwiki to sops-nix
parent
668f2ef4d8
commit
bff3401ada
6 changed files with 52 additions and 12 deletions
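--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+- &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+- &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
+creation_rules:
+- path_regex: config/hosts/ikiwiki/.*
+key_groups:
+- age:
+- *admin_age_fi
+- *host_age_ikiwiki
+stores:
+yaml:
+indent: 2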
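Review bot: The creation rule `path_regex: config/hosts/ikiwiki/.*` matches every file under that directory, so anything later created there with sops is encrypted to these recipients whether or not that was intended; since the commit adds a single secrets file, `path_regex: config/hosts/ikiwiki/secrets\.yaml$` states the scope exactly. The key group lists one admin recipient next to the host key, so losing that admin identity leaves only the host able to decrypt; a second admin or offline recovery recipient would cover that, if one exists for this repository. A short comment above `keys:` saying where each public key comes from (for instance whether `host_age_ikiwiki` is derived from the host's SSH key) would help whoever has to rotate them.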
|
|
@ -4,5 +4,6 @@
|
|||
./configuration.nix
|
||||
./ikiwiki.nix
|
||||
./nginx.nix
|
||||
./sops.nix
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ in
|
|||
tryFiles = "$uri $uri/ =404";
|
||||
};
|
||||
"~ .cgi" = {
|
||||
basicAuthFile = "/secrets/ikiwiki-auth-file.secret";
|
||||
basicAuthFile = "/run/secrets/auth_file";
|
||||
extraConfig = ''
|
||||
gzip off;
|
||||
fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
|
||||
|
|
@ -45,4 +45,11 @@ in
|
|||
'';
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets."auth_file" = {
|
||||
mode = "0440";
|
||||
owner = "nginx";
|
||||
group = "nginx";
|
||||
restartUnits = [ "nginx.service" ];
|
||||
};
|
||||
}
|
||||
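Review bot: `basicAuthFile = "/run/secrets/auth_file";` in the `"~ .cgi"` location hard-codes the path that the `sops.secrets."auth_file"` declaration in the second hunk produces, so renaming the secret or changing the sops-nix secrets directory leaves nginx pointing at a missing file; `basicAuthFile = config.sops.secrets."auth_file".path;` ties the two together and fails at evaluation time instead. With `owner = "nginx"`, the group read bit in `mode = "0440"` looks unnecessary unless another member of the nginx group reads the file, and `mode = "0400"` would be enough otherwise. The commit stops managing `/secrets/ikiwiki-auth-file.secret`, but nothing visible here removes the old copy from the host, and it is not visible whether the credential was rotated during the migration; both are worth confirming. Both hunks sit inside a module body that starts and ends outside what is shown.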
|
|
|
|||
|
|
@ -1,11 +0,0 @@
|
|||
{ keyCommandEnv, ... }:
|
||||
{
|
||||
deployment.keys."ikiwiki-auth-file.secret" = {
|
||||
keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ];
|
||||
destDir = "/secrets";
|
||||
user = "nginx";
|
||||
group = "nginx";
|
||||
permissions = "0640";
|
||||
uploadAt = "pre-activation";
|
||||
};
|
||||
}
|
||||
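--- a/config/hosts/ikiwiki/secrets.yaml
+++ b/config/hosts/ikiwiki/secrets.yaml
@@ -0,0 +1,25 @@
+auth_file: ENC[AES256_GCM,data:5/uT1sIOI95LNA9YFWh3I9J2PCZmz/J38YxVsKVWFHfJdZUOQpSW6ekjX7StP/svtv6Tp0AonnvcKfRcyPYn,iv:NKdWae+EihasTMV24Hk+dKJG8032mWu+RWItWs0b6RE=,tag:WBM6pXlKaDXOMnBWGBLJWg==,type:str]
+sops:
+age:
+- enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNDZLcEFGRHczMHg3S0w3
+eTNvNGI5TXBWTTc1eXAzZStlSmZTQ3NkdTA4CmlYVEF1NWhldVZuZmwzTUU0NG5j
+UFhvU3Q3Q1BvVHhrODJWc296UUo0TmMKLS0tIFFlUGRYVDNNYm40cXhlZ004eFk5
+b3BnLzBjZFpjVDN2clZaTGlWV29NVUEKsdK4V5Og+bK26Gl6HTkOBtFrHfr1RFYu
+zWNGQ3skkvATO/ypa0zFf3+qnupCTTO5emwscoRK8ZZFVgSswdnbIA==
+-----END AGE ENCRYPTED FILE-----
+recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+- enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUJXWW95OXlEZFFwbHlp
+RzJJMDFJU2pUTjltZ1JaWjE5c0xPY0hvNUdZCk5uWk9kdlRWNTNVUUVmT3VVeE9j
+ajNNeVlZcEw4WFdqZ2QwTXl2MlhVZ2cKLS0tIFVVUXJtWkhtREFsdXp5ODZkOTA1
+b1h3THFYSU1yblM0WmdxTUVtZG1OYVUK5tmcOX+jOdbSD1YCPqcAeoGF8ny61lWY
+xwguejMeVZ/pCjO/qf3tb+MUlInPMXva59FelGd3nz6cbVqbeWtxSQ==
+-----END AGE ENCRYPTED FILE-----
+recipient: age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
+lastmodified: "2026-05-16T22:13:21Z"
+mac: ENC[AES256_GCM,data:McAN1DueAhDBAY8kloB5l8M0pLIeswtnCxBtMYFyzBaY2Z43gNetBwdpzs5sL4nEmAZGPJ9AjXJVSmjb1tOn3BF8X5n6/9F7DzvHT7ukpIjumGC0KeB0QfaIGgKJyo7koISIVlGFZAwgcf1fQwaKZsYzfOGelj7UNrzFCjArK+Y=,iv:oZUmzcEr08jROw24J2fXQ4EjEJH3vzYysdy51vEtUNM=,tag:QJjNb/YvuZrZtQD9QE1Z3g==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.13.0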
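--- a/config/hosts/ikiwiki/sops.nix
+++ b/config/hosts/ikiwiki/sops.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+sops = {
+defaultSopsFile = ./secrets.yaml;
+};
+}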
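Review bot: The new module sets only `defaultSopsFile`, so the private key the host uses to decrypt `secrets.yaml` is left to sops-nix defaults (the ed25519 SSH host keys when OpenSSH is enabled). If that is the intent, stating it makes the dependency on the host key visible, either with `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` or with a comment saying the `host_age_ikiwiki` recipient in `.sops.yaml` is derived from that key. Whether this host has OpenSSH enabled is not visible on this page, so it is worth checking that decryption works at activation before relying on the removal of the old key deployment.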