commit da71d81d257a2c1809eb1be646cc66041012407e
parent ecf831c5ec9fa9f3ec1b9300da9fbd5062bd490a
Author: Katja (ctucx) <git@ctu.cx>
Date: Sat, 1 Mar 2025 17:07:17 +0100
parent ecf831c5ec9fa9f3ec1b9300da9fbd5062bd490a
Author: Katja (ctucx) <git@ctu.cx>
Date: Sat, 1 Mar 2025 17:07:17 +0100
use acme dns-challenge on all hosts
36 files changed, 230 insertions(+), 144 deletions(-)
diff --git a/configurations/linux/default.nix b/configurations/linux/default.nix
@@ -14,6 +14,7 @@
 ];
 age.secrets.katja-systempassword.file = ../../secrets/passwords/katja.age;
+ age.secrets.acmeTSIGKey.file = ./. + "/../../secrets/${config.networking.hostName}/acme-tsig-key.age";
 deployment = {
 buildOnTarget = lib.mkDefault false;
@@ -112,9 +113,30 @@
 };
 };
- security = {
- acme.acceptTerms = true;
- acme.defaults.email = "letsencrypt@ctu.cx";
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "letsencrypt@ctu.cx";
+ keyType = "ec384";
+ dnsProvider = "rfc2136";
+ environmentFile = pkgs.writeText "acme-dns-env" ''
+ RFC2136_NAMESERVER=ns1.ctu.cx
+ RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName}
+ RFC2136_TSIG_ALGORITHM=hmac-sha384.
+ '';
+ credentialFiles = {
+ RFC2136_TSIG_SECRET_FILE = config.age.secrets.acmeTSIGKey.path;
+ };
+ };
+ certs."${config.networking.hostName}.${config.networking.domain}" = {
+ group = "nginx";
+ extraDomainNames = (
+ config.services.nginx.virtualHosts
+ |> lib.mapAttrsToList (key: config: [ (if config ? serverAliases then config.serverAliases else []) key ])
+ |> lib.flatten
+ |> builtins.filter (val: val != "default")
+ );
+ };
 };
 users.mutableUsers = false;
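Review bot: `age.secrets.acmeTSIGKey.file` is now declared unconditionally for every host that imports this shared module, but the commit only adds `acme-tsig-key.age` for briefkasten, hector, seifenkiste, trabbi and wanderduene; blechkasten and coladose appear in secrets.nix with no such entry. If either of those hosts uses this module, evaluation should fail on the missing path, and the hunk offers no way to opt out. Binding the path once and guarding it, e.g. `age.secrets.acmeTSIGKey = lib.mkIf (builtins.pathExists tsigKeyFile) { file = tsigKeyFile; };`, or an explicit per-host toggle that also gates the `security.acme` block in the next hunk, would make the dependency visible. The enclosing attribute set starts before this hunk.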
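Review bot: In `extraDomainNames` the lambda parameter `config` in `lib.mapAttrsToList (key: config: …)` shadows the module's `config` used two lines earlier; `(name: vhost: [ (vhost.serverAliases or []) name ])` reads the same, avoids the trap, and replaces the `?` test with the idiomatic `or`. Because this list is every nginx virtual host on the machine, one certificate carries every service name and the order is all-or-nothing: a single name whose `_acme-challenge` record cannot be written through this host's TSIG key on ns1.ctu.cx (names outside ctu.cx such as zuggeschmack.de on trabbi or katja.wtf on hector, if that server is not authoritative for them or the key is not permitted there) fails renewal for the whole host. Hosts with a vhost for `${config.networking.fqdn}` (prometheus-exporters.nix, mail/default.nix) will also list the certificate's own name in `extraDomainNames`; lego likely deduplicates, but it is worth confirming. The `|>` pipe operator is an experimental Nix feature (`pipe-operators`) and nothing in this hunk enables it, so the evaluating Nix must already have it on. The TSIG secret itself correctly goes through `credentialFiles` and stays out of the store; only the non-secret key name and algorithm land there via `pkgs.writeText`.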
diff --git a/configurations/linux/services/prometheus-exporters.nix b/configurations/linux/services/prometheus-exporters.nix
@@ -42,9 +42,9 @@ in {
 nginx = {
 enable = true;
 virtualHosts."${config.networking.fqdn}" = {
- enableACME = (lib.mkDefault (if (config.networking.primaryIP != "") || (config.networking.primaryIP4 != "") then true else false));
- forceSSL = (lib.mkDefault (if (config.networking.primaryIP != "") || (config.networking.primaryIP4 != "") then true else false));
- kTLS = (lib.mkDefault (if (config.networking.primaryIP != "") || (config.networking.primaryIP4 != "") then true else false));
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/node-exporter".proxyPass = "http://${toString config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}/metrics";
 locations."/systemd-exporter".proxyPass = "http://${toString config.services.prometheus.exporters.systemd.listenAddress}:${toString config.services.prometheus.exporters.systemd.port}/metrics";
 locations."/scaphandre-exporter".proxyPass = lib.mkIf config.services.prometheus.exporters.scaphandre.enable "http://[::1]:${toString config.services.prometheus.exporters.scaphandre.port}/scaphandre-exporter";
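Review bot: The removed lines made `enableACME`/`forceSSL`/`kTLS` conditional on `config.networking.primaryIP` or `primaryIP4` being set; the new lines force TLS unconditionally, so a host without a public address now gets `forceSSL = true` and a certificate order for its fqdn. With the DNS-01 challenge this no longer needs inbound reachability, so it is probably intended, but it is a behaviour change for such hosts that the commit message does not mention; machines/briefkasten/websites/storage.home.ctu.cx/default.nix drops a similar `usePBBUplink` gate. Keeping `lib.mkDefault` on the two booleans, as restic-server.nix does in this same commit, would leave a per-host escape hatch. The enclosing `services` block starts before this hunk.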
diff --git a/configurations/linux/services/restic-server.nix b/configurations/linux/services/restic-server.nix
@@ -34,9 +34,9 @@ in {
 nginx = {
 enable = true;
 virtualHosts."restic.${config.networking.hostName}.ctu.cx" = {
- enableACME = lib.mkDefault true;
- forceSSL = lib.mkDefault true;
- kTLS = lib.mkDefault true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = lib.mkDefault true;
+ kTLS = lib.mkDefault true;
 locations."/" = {
 proxyPass = "http://${toString config.services.restic.server.listenAddress}/";
 extraConfig = ''
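Review bot: `useACMEHost` is set as a hard value while `forceSSL` and `kTLS` keep `lib.mkDefault`, so the two booleans stay overridable per machine but the certificate choice does not, even though the `enableACME` it replaces was `lib.mkDefault true`. Either make all three defaults, `useACMEHost = lib.mkDefault "${config.networking.hostName}.${config.networking.domain}";`, or drop `mkDefault` on all three as the other hunks in this commit do. Note that the nginx module rejects a vhost with both `enableACME` and `useACMEHost` set, so a machine that overrode `enableACME` back on for this vhost would now fail evaluation. The enclosing `services` block starts before this hunk.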
diff --git a/configurations/linux/services/syncthing-nginx.nix b/configurations/linux/services/syncthing-nginx.nix
@@ -26,9 +26,9 @@ in {
 nginx = {
 enable = true;
 virtualHosts."syncthing.${config.networking.hostName}.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://${toString config.services.syncthing.guiAddress}";
 };
 };
diff --git a/machines/briefkasten/gotosocial.nix b/machines/briefkasten/gotosocial.nix
@@ -67,10 +67,10 @@ in {
 '';
 services.nginx.virtualHosts."fedi.home.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- locations = {
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
+ locations = {
 "= /".return = "307 /@leah";
 "/" = {
diff --git a/machines/briefkasten/smarthome/influxdb2.nix b/machines/briefkasten/smarthome/influxdb2.nix
@@ -26,9 +26,9 @@
 services.nginx = {
 enable = true;
 virtualHosts."influx.home.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://${toString config.services.influxdb2.settings.http-bind-address}/";
 };
 };
diff --git a/machines/briefkasten/smarthome/mqtt-webui/default.nix b/machines/briefkasten/smarthome/mqtt-webui/default.nix
@@ -12,9 +12,9 @@ in {
 nginx = {
 enable = true;
 virtualHosts."smart.home.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations = {
 "/" = {
diff --git a/machines/briefkasten/smarthome/zigbee2mqtt.nix b/machines/briefkasten/smarthome/zigbee2mqtt.nix
@@ -35,9 +35,9 @@
 nginx = {
 enable = true;
 virtualHosts."zigbee2mqtt.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/" = {
 proxyPass = "http://[::1]:${toString config.services.zigbee2mqtt.settings.frontend.port}";
 proxyWebsockets = true;
diff --git a/machines/briefkasten/websites/audiobooks.home.ctu.cx.nix b/machines/briefkasten/websites/audiobooks.home.ctu.cx.nix
@@ -12,9 +12,9 @@
 services.nginx = {
 enable = true;
 virtualHosts."audiobooks.home.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations = {
 "/jdfoniobhfijnfoilp[dfponbiuyfbu/".alias = "/mnt/audiobooks/";
diff --git a/machines/briefkasten/websites/music.home.ctu.cx.nix b/machines/briefkasten/websites/music.home.ctu.cx.nix
@@ -19,11 +19,11 @@ in {
 services.nginx = {
 enable = true;
 virtualHosts."music.home.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- root = "/mnt/music_originals";
- locations = {
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
+ root = "/mnt/music_originals";
+ locations = {
 "~ ^(.*/)$".extraConfig = ''
 autoindex on;
diff --git a/machines/briefkasten/websites/storage.home.ctu.cx/default.nix b/machines/briefkasten/websites/storage.home.ctu.cx/default.nix
@@ -6,9 +6,9 @@
 services.nginx.virtualHosts = {
 "storage.home.ctu.cx" = {
- enableACME = lib.mkIf config.networking.usePBBUplink true;
- forceSSL = lib.mkIf config.networking.usePBBUplink true;
- kTLS = lib.mkIf config.networking.usePBBUplink true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 basicAuthFile = "/var/src/secrets/nginx/storage.htpasswd";
diff --git a/machines/hector/default.nix b/machines/hector/default.nix
@@ -112,4 +112,3 @@
 home-manager.users.katja.home.stateVersion = "24.11";
 }
-
diff --git a/machines/hector/fedi/gotosocial.nix b/machines/hector/fedi/gotosocial.nix
@@ -78,19 +78,19 @@ in {
 '';
 services.nginx.virtualHosts."ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/.well-known/host-meta".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
 locations."/.well-known/webfinger".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
 locations."/.well-known/nodeinfo".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
 };
 services.nginx.virtualHosts."fedi.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- locations = {
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
+ locations = {
 "= /".return = "307 /@katja";
 "/" = {
diff --git a/machines/hector/git.nix b/machines/hector/git.nix
@@ -171,9 +171,9 @@ in {
 enable = true;
 virtualHosts = {
 "cgit.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations = {
 "~ '^/[a-zA-Z0-9._-]+/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$'".return = "307 https://git.ctu.cx$request_uri";
 "~ '^/([a-zA-Z0-9_.]+)/*$'".return = "307 https://git.ctu.cx/$1";
@@ -191,10 +191,10 @@ in {
 };
 "git.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- root = "/var/lib/stagit";
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
+ root = "/var/lib/stagit";
 locations = {
 "@redir".return = "307 ../log.html";
 "~ '^/([a-zA-Z0-9_.]+)/commit/.*$'".extraConfig = "error_page 404 = @redir;";
diff --git a/machines/hector/grafana/default.nix b/machines/hector/grafana/default.nix
@@ -71,9 +71,9 @@
 nginx = {
 enable = true;
 virtualHosts."grafana.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://[::1]:${toString config.services.grafana.settings.server.http_port}/";
 };
 };
diff --git a/machines/hector/grocy.nix b/machines/hector/grocy.nix
@@ -4,10 +4,18 @@
 dns.zones."ctu.cx".subdomains.grocy.CNAME = [ "${config.networking.fqdn}." ];
+
+ services.nginx.virtualHosts."grocy.ctu.cx" = {
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
+ };
+
 services.grocy = {
 enable = true;
 hostName = "grocy.ctu.cx";
- nginx.enableSSL = true;
+
+ nginx.enableSSL = false;
 settings = {
 currency = "EUR";
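Review bot: `nginx.enableSSL = false` reads as if TLS were being turned off for grocy, while TLS is in fact forced through the separate `services.nginx.virtualHosts."grocy.ctu.cx"` block added a few lines above; a comment on that line would save the next reader a lookup, e.g. `# TLS comes from the host certificate selected via useACMEHost above; the module's enableSSL would set enableACME, which conflicts with it`. Whether grocy's `nginx.enableSSL` indeed sets `enableACME` is not visible in this hunk and should be confirmed before relying on that wording. The added blank line between `hostName` and `nginx.enableSSL` is a style nit. machines/hector/websites/things.ctu.cx.nix follows the same pattern, dropping `nginx.enableACME` instead, and would benefit from the same comment.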
diff --git a/machines/hector/mail/default.nix b/machines/hector/mail/default.nix
@@ -106,13 +106,13 @@ in {
 enable = true;
 virtualHosts = {
 "${config.networking.fqdn}" = {
- enableACME = true;
- forceSSL = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
 };
 "autoconfig.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
 locations."= /mail/config-v1.1.xml".return = "200 '${mailAutoConfig}'";
 };
 };
diff --git a/machines/hector/matrix/synapse.nix b/machines/hector/matrix/synapse.nix
@@ -67,9 +67,9 @@ matrixClientConfig = { "m.homeserver" = { "base_url" = "https://matrix.ctu.cx"; }; "org.matrix.msc3575.proxy" = { "url" = "https://matrix.ctu.cx"; }; };
 in {
 "ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/.well-known/matrix/server".extraConfig = ''
 add_header Content-Type application/json;
 return 200 '${builtins.toJSON matrixServerConfig}';
@@ -81,10 +81,10 @@
 };
 "matrix.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- locations = {
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
+ locations = {
 "/_matrix".proxyPass = "http://[::1]:8008";
 # "/_synapse".proxyPass = "http://[::1]:8008";
 # "/admin/".alias = "${pkgs.synapse-admin}/";
diff --git a/machines/hector/prometheus.nix b/machines/hector/prometheus.nix
@@ -68,9 +68,9 @@
 nginx = {
 enable = true;
 virtualHosts."prometheus.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://[::1]:${toString config.services.prometheus.port}/";
 };
 };
diff --git a/machines/hector/radicale.nix b/machines/hector/radicale.nix
@@ -37,9 +37,9 @@
 nginx = {
 enable = true;
 virtualHosts."dav.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://[::1]:5232/";
 };
 };
diff --git a/machines/hector/vaultwarden.nix b/machines/hector/vaultwarden.nix
@@ -47,9 +47,9 @@
 nginx = {
 enable = true;
 virtualHosts."vault.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/".proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
 locations."/notifications/hub" = {
 proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
diff --git a/machines/hector/websites/bikemap.ctu.cx.nix b/machines/hector/websites/bikemap.ctu.cx.nix
@@ -84,10 +84,10 @@ in {
 nginx = {
 enable = true;
 virtualHosts."bikemap.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- root = "/var/lib/bikemap/";
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
+ root = "/var/lib/bikemap/";
 };
 };
 };
diff --git a/machines/hector/websites/ctu.cx.nix b/machines/hector/websites/ctu.cx.nix
@@ -2,17 +2,17 @@
 {
- dns.zones."ctu.cx" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
+ dns.zones."ctu.cx" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
+ dns.zones."katja.wtf" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
 services.nginx = {
 enable = true;
 virtualHosts."ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- locations."/".extraConfig = ''
- return 307 https://katja.wtf$request_uri;
- '';
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ serverAliases = [ "katja.wtf" ];
+ kTLS = true;
+ root = pkgs.ctucx-website;
 };
 };
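Review bot: This hunk also changes what ctu.cx serves: the `return 307 https://katja.wtf$request_uri` redirect is removed and both names now serve `pkgs.ctucx-website` directly (katja.wtf.nix is deleted in the same commit), which is unrelated to the ACME switch the commit message describes; consider splitting it out or naming it in the description. Because `serverAliases` feed the host certificate's `extraDomainNames` in configurations/linux/default.nix, `katja.wtf` must now be provisionable through hector's rfc2136 key on ns1.ctu.cx; the `dns.zones."katja.wtf"` line suggests the zone is served by the same setup, but the key's permission for it is not visible here and a failure there blocks the whole host certificate. The `dns.zones."ctu.cx"` line is removed and re-added with no visible difference, presumably whitespace only.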
diff --git a/machines/hector/websites/default.nix b/machines/hector/websites/default.nix
@@ -3,7 +3,6 @@
 {
 imports = [
- ./katja.wtf.nix
 ./ctu.cx.nix
 ./things.ctu.cx.nix
 ./bikemap.ctu.cx.nix
diff --git a/machines/hector/websites/katja.wtf.nix b/machines/hector/websites/katja.wtf.nix
@@ -1,17 +0,0 @@
-{ pkgs, lib, config, ...}:
-
-{
-
- dns.zones."katja.wtf" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
-
- services.nginx = {
- enable = true;
- virtualHosts."katja.wtf" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- root = pkgs.ctucx-website;
- };
- };
-
-}
diff --git a/machines/hector/websites/photos.ctu.cx.nix b/machines/hector/websites/photos.ctu.cx.nix
@@ -87,10 +87,10 @@ in {
 services.nginx = {
 enable = true;
 virtualHosts."photos.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- root = "/var/lib/ctucx-gallery";
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
+ root = "/var/lib/ctucx-gallery";
 locations."~* \.html$".extraConfig = ''
 add_header Last-Modified $date_gmt;
 add_header Cache-Control 'private no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
diff --git a/machines/hector/websites/things.ctu.cx.nix b/machines/hector/websites/things.ctu.cx.nix @@ -16,11 +16,16 @@ paths = [ "/var/lib/ctucx-things" ]; }; + services.nginx.virtualHosts."things.ctu.cx" = { + useACMEHost = "${config.networking.hostName}.${config.networking.domain}"; + forceSSL = true; + kTLS = true; + }; + services.ctucx-things = { enable = true; storagePath = "/var/lib/ctucx-things"; nginx.enable = true; - nginx.enableACME = true; nginx.domain = "things.ctu.cx"; };
diff --git a/machines/trabbi/gotosocial.nix b/machines/trabbi/gotosocial.nix
@@ -79,7 +79,7 @@ in {
 '';
 services.nginx.virtualHosts."zuggeschmack.de" = {
- enableACME = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
 forceSSL = true;
 kTLS = true;
 extraConfig = ''
@@ -132,7 +132,7 @@ in {
 };
 services.nginx.virtualHosts."client.zuggeschmack.de" = {
- enableACME = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
 forceSSL = true;
 kTLS = true;
 root = pkgs.masto-fe-standalone;
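Review bot: `zuggeschmack.de` (this hunk) and `client.zuggeschmack.de` (the hunk at line 132) become SANs of trabbi's host certificate and are validated through the rfc2136 provider against ns1.ctu.cx, so that server must be authoritative for zuggeschmack.de and trabbi's TSIG key must be allowed to write `_acme-challenge` records in that zone; neither is visible in this commit. If the zone is served elsewhere, renewal fails for the whole host certificate, not just these two names, since all names are in one order. A short comment next to the vhost noting that the zone is updated via ns1.ctu.cx would document the dependency for the next reader. Both enclosing blocks start before their hunks.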
diff --git a/machines/wanderduene/rclone-restic-server.nix b/machines/wanderduene/rclone-restic-server.nix
@@ -55,9 +55,9 @@
 services.nginx = {
 enable = true;
 virtualHosts."restic.${config.networking.hostName}.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/" = {
 proxyPass = "http://[::1]:8000/";
 extraConfig = ''
diff --git a/machines/wanderduene/websites/ip.ctu.cx.nix b/machines/wanderduene/websites/ip.ctu.cx.nix
@@ -7,9 +7,9 @@
 dns.zones."ctu.cx".subdomains."ip6".AAAA = [ (pkgs.dns.lib.combinators.aaaa config.networking.primaryIP) ];
 services.nginx.virtualHosts."ip.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/" = {
 extraConfig = "types { } default_type 'text/html; charset=utf-8';";
 return = ''200 '
@@ -51,9 +51,9 @@
 };
 services.nginx.virtualHosts."ip4.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/" = {
 return = "200 '$remote_addr\n'";
 extraConfig = ''
@@ -64,9 +64,9 @@
 };
 services.nginx.virtualHosts."ip6.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
+ useACMEHost = "${config.networking.hostName}.${config.networking.domain}";
+ forceSSL = true;
+ kTLS = true;
 locations."/" = {
 return = "200 '$remote_addr\n'";
 extraConfig = ''
diff --git a/secrets/briefkasten/acme-tsig-key.age b/secrets/briefkasten/acme-tsig-key.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UHp5ZFlmMGorcmNNUUJa +dzFPSkJCQkZET1BpVDFmbXlFQnlWSjBMTjE4CmVGU0dXM3g0a1pVUHhrODlzVlRp +WTdPRnd0N0UyLzZKL2ordWZsd0JERWsKLT4gc3NoLWVkMjU1MTkgNGhLQ013IEFW +SGQ5SUZYZ0RIdWlWa3RCYkovcE1ta0k5RGIwOEVwUEtIeGhEbndNVGcKNlRFU3Ba +K2ZFMmk2MjNoeU9pc0xpQnlpR1B0Mm05YUVnVHpzdzdRL0RzbwotPiA6ey1ncmVh +c2UgK0IKTGNsU1NIZW5vWC9MN0lRRnN3U0VIS3ZqSjVxc05UT0k3QTVqTFBDbG1y +bllCM2cvalppQXlieU4vOGQvT2JVLwpZT2Q1MlkzQVlLSDcKLS0tIGloSWFmWS95 +ZVNIMi9nUnBvM1c3eEN1K0k4cUxhbUoxUVhhU3hDWVVON28K/uVr7q+i/aVU3Y5I +kQSh91FgMuqKuEDkaUjWeaFAL30KpUQ6S8PFbQyvet7JTr9iQZRSbGSpJZglMlpf +CW21c8QBuOi/QyE0o6dssaKAPTZXM9FobQwL1/TyjxVDIhcs +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hector/acme-tsig-key.age b/secrets/hector/acme-tsig-key.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkK2pOZy9PRFA2SGdaU1k1 +Mll4NWZlSGV3TVMyTjZaOWt3MlZwUHUvVGkwCnpPdEprK1JvL0FBUWZaWjU3bmZ6 +NU91aE5MeEtVdWJKekY5b1VxQnRLb28KLT4gc3NoLWVkMjU1MTkgeWFMSFNRIFZD +RU5NOFlQeGYrMCtUOFdVTFBZSkNVemltTldpZjZlenNjbmtYME1BUkkKME5zWXBH +NVkyTExmaG9paFVVUUhpY0ZLMWh5QlFhY1Z4MGZJbVZvUVFJawotPiA7P3Z+MlQq +LWdyZWFzZQp6UDFValJWbVFXVCtDUUpDRUZYL3R0NXlTRm1ka3gwbXFjUXBGdmJ0 +UkxwcjVRTTRwNUt0dEtoQnJsd2NlU0NlCk9HancvMTh1YVBlbjFmamgvOGt2RlpU +ZVpSS01WTTd1empTRGpBeHQrOVpCSzFVCi0tLSAzcElKekl5Q1N4SytMOXhBVjd4 +ZHc2VDB6Mlg5M1lSTHV2NmdQdWJ6OUNVCq6M67Y6dTMDyNVI2RAtabhjg4lvJqAg +yxC1pX8D9nrzUJFqEZtrkIErxsOa7bd5gabbX54px2gKMCGPKsGUd35CyL2k/Bwd +RbaeAv1vHjS1qJ0XE2Au+FkVHxbDwaxAow== +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix 
@@ -23,34 +23,40 @@ in { "blechkasten/syncthing/key.age".publicKeys = [ main-key blechkasten ]; "blechkasten/syncthing/cert.age".publicKeys = [ main-key blechkasten ]; + "coladose/syncthing/key.age".publicKeys = [ main-key coladose ]; "coladose/syncthing/cert.age".publicKeys = [ main-key coladose ]; + + "seifenkiste/acme-tsig-key.age".publicKeys = [ main-key seifenkiste ]; + "seifenkiste/syncthing/key.age".publicKeys = [ main-key seifenkiste ]; "seifenkiste/syncthing/cert.age".publicKeys = [ main-key seifenkiste ]; - "briefkasten/syncthing/key.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/syncthing/cert.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/syncthing/htpasswd.age".publicKeys = [ main-key briefkasten ]; + + "briefkasten/acme-tsig-key.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/wireguard-privkey.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/restic-server-htpasswd.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/pppd-env.age".publicKeys = [ main-key briefkasten ]; + + "briefkasten/restic/gotosocial.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/restic/influxdb.age".publicKeys = [ main-key briefkasten ]; "briefkasten/influx/grafana_token_mqttData.age".publicKeys = [ main-key briefkasten hector ]; "briefkasten/influx/telegraf_token_mqttData.age".publicKeys = [ main-key briefkasten ]; "briefkasten/influx/master_token.age".publicKeys = [ main-key briefkasten ]; "briefkasten/influx/backup_env.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/mosquitto/passwd-katja.age".publicKeys = [ main-key briefkasten ]; - - "briefkasten/zigbee2mqtt/secrets.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/zigbee2mqtt/htpasswd.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/mosquitto/passwd-katja.age".publicKeys = [ main-key briefkasten ]; "briefkasten/telegraf/secrets.env.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/wireguard-privkey.age".publicKeys = [ 
main-key briefkasten ]; - "briefkasten/restic-server-htpasswd.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/pppd-env.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/zigbee2mqtt/secrets.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/zigbee2mqtt/htpasswd.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/gotosocial.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/restic/influxdb.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/syncthing/key.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/syncthing/cert.age".publicKeys = [ main-key briefkasten ]; + "briefkasten/syncthing/htpasswd.age".publicKeys = [ main-key briefkasten ]; "briefkasten/restic/syncthing-audiobooks-orig.age".publicKeys = [ main-key briefkasten ]; "briefkasten/restic/syncthing-audiobooks.age".publicKeys = [ main-key briefkasten ]; @@ -65,10 +71,12 @@ in { "briefkasten/restic/syncthing-blechelse.age".publicKeys = [ main-key briefkasten ]; "briefkasten/restic/syncthing-wiki.age".publicKeys = [ main-key briefkasten ]; - "wanderduene/syncthing/key.age".publicKeys = [ main-key wanderduene ]; - "wanderduene/syncthing/cert.age".publicKeys = [ main-key wanderduene ]; "hector/knot-keys.age".publicKeys = [ main-key hector ]; + "hector/acme-tsig-key.age".publicKeys = [ main-key hector ]; + "hector/radicale-users.age".publicKeys = [ main-key hector ]; + "hector/vaultwarden-secrets.age".publicKeys = [ main-key hector ]; + "hector/gotosocial-env.age".publicKeys = [ main-key hector ]; "hector/restic/radicale.age".publicKeys = [ main-key hector ]; "hector/restic/vaultwarden.age".publicKeys = [ main-key hector ]; 
@@ -88,22 +96,22 @@ in { "hector/mail/password-vaultwarden-ctu.cx.age".publicKeys = [ main-key hector ]; "hector/mail/password-mail-zug.network.age".publicKeys = [ main-key hector ]; - "hector/radicale-users.age".publicKeys = [ main-key hector ]; - "hector/vaultwarden-secrets.age".publicKeys = [ main-key hector ]; - "hector/gotosocial-env.age".publicKeys = [ main-key hector ]; - "hector/matrix-synapse/registration_shared_secret.age".publicKeys = [ main-key hector ]; - "trabbi/restic/gotosocial.age".publicKeys = [ main-key trabbi]; - + "trabbi/acme-tsig-key.age".publicKeys = [ main-key trabbi ]; "trabbi/gotosocial-env.age".publicKeys = [ main-key trabbi ]; + "trabbi/restic/gotosocial.age".publicKeys = [ main-key trabbi]; + + "wanderduene/acme-tsig-key.age".publicKeys = [ main-key wanderduene ]; "wanderduene/wireguard-privkey.age".publicKeys = [ main-key wanderduene ]; "wanderduene/restic-server-htpasswd.age".publicKeys = [ main-key wanderduene ]; "wanderduene/rclone-config.age".publicKeys = [ main-key wanderduene ]; - "wanderduene/matrix-dendrite/private-key.age".publicKeys = [ main-key wanderduene ]; + "wanderduene/syncthing/key.age".publicKeys = [ main-key wanderduene ]; + "wanderduene/syncthing/cert.age".publicKeys = [ main-key wanderduene ]; + "wanderduene/matrix-dendrite/private-key.age".publicKeys = [ main-key wanderduene ]; }
diff --git a/secrets/seifenkiste/acme-tsig-key.age b/secrets/seifenkiste/acme-tsig-key.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOFMxM1NVMmpGVkc4Kzl5 +VCt6RW1HajVLR3RDRU4xMXhXTCt1ckFjMmhrCmtaeEhDZXE3MnZkZ25zMWxpV0Uv +SjltQndDZXJ4ejZyKzcrS3pSNkRxWncKLT4gc3NoLWVkMjU1MTkgU1lqNklnIC9O +MWhscnhva1ZFT2pkQmQwM0FDOXVROGdsNUY0WmFtY01YR3R0ZXNDQ1UKMytYVzFX +WG9mMm1TMzVxbm5DUDNRbEpQbmpMVHRIdHk2NXJrWng1MW9DSQotPiAkNHgyLWdy +ZWFzZSB2RApnejF0dXV3dHVYTFd6TlhzMlVubUU1YWRHY2trK1NKeFplYTl4RGlS +WVBsRDczWlJheldQS3VNaWJvQWNUN1JwCitHcTN6bUs5UWhvMjBKUmZiYjRrOFBJ +Z1lzRDV0YWVJRVRoaVBsLzI0cm81VFEwNkkwbXV2UQotLS0gdk9KZDJUQlhoRjgw +cFl3QlFMdXpEeWszT2xwb2JWMWd0U2ovck1UN2FPNApMoGU/khHmNt0ljraoHDdk +66zCodtdocMBMNtEdS2lVFxlE+pQwycU7VlU2nOXPLKqGsK98BNSlNvhhzkszErk +jgUS+/mumeQRL99kyU5mu9PvAw8GdPXJdISmnRioUks= +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/acme-tsig-key.age b/secrets/trabbi/acme-tsig-key.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MThLbzhwRzNwSDhPZFhz +TVV6RkI5MEp5b1A2S0ZjbnFEaWlQMloxK1FZClZ5dE9mOUhta0JZcHF0VGVkdzB2 +cEpYMk15WURYendXeGNhZHF4ZFVsRkUKLT4gc3NoLWVkMjU1MTkgcThvY3pnIG9J +ZEV0NkE3bStEZWU3QUpTb2tuWG93KzBhRFlQc0w4R01kSHhGSDdWazAKdzAzbU1y +bW56dWZvUDFBbTJTNk1tWWIyTitJWkhNMlh1WVVLK2I2YTgwYwotPiAsVS1ncmVh +c2UgT0d7IHIKY0J1WkdJc0FxRlZXbDZZVTZhUzBmenRnWDFsTWRQN1BXcGNKcUhj +TmVkK0lkVnI5YzJKYmprSU5VaDAKLS0tIFlUUGlYMjRVS3B6VE5NRzJqMXBaOWdH +ZHc2Z3gycGtaNzJDeHkxUU1SNnMK2ZJdzQH7l0KpQfPQuWQxYcIzO8SuC0yKduGZ +0yF4FqH1CLtyYEy2Uso8QOInxaMAOhv2/Ei+xCBVX5I17WzpIhN/oUKpzkEwCWz6 +i10Nh/dopBWCyB35EGzaM90F6SgD +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/wanderduene/acme-tsig-key.age b/secrets/wanderduene/acme-tsig-key.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMHdUZnhMb1hoVmNhbkx5 +NWRnazJldi9JMlFBUm51SURvVHFCUmNrY2pNCmRZRythNS9aUUdxMzNvUEJicElm +TE1CZWkwQU16WjljcDV2cEo3MDR4aW8KLT4gc3NoLWVkMjU1MTkgT0pRVkRRIGRu +WVJ3amFIZERJZVVjU3h6NDBIcG92R2J2QlNRV2tGSnNGZGM3UnVqMWMKTG15WUZt +T1lDaklGSGV0RFYxUXBaWU9xaFFGbGR4VFg2NEEwL0k3K1ZaQQotPiAiQm0iQEgt +Z3JlYXNlIDtddGcnMSAnM2tWIGghcnYjPCBEcGgjRmkKN1psOWl1d3g1QnM4dldW +S3FaeS9LaXYyd0RIY0VTSUpqZUxwNXU3dVR4YS9ReUk0d3kwWjFnCi0tLSBBd05T +NnlGTGxXREl5aGFpTGh5S2JMbVJkL3Nhc0FVbnFudE5Pc2xJdHA4Cs4KWWhf3KVq +UzctwmhClrdS+v4BnocLwOnFYd98C9PIeZLlqqwgoVPV/m5GNKfqyoPMk4/uH/Sy +2baF0Z7/fv5luGcwXve+qTfxINqsiLd08jS7GDNY4ZvzO6cI53PoTg== +-----END AGE ENCRYPTED FILE-----