diff --git a/flake.nix b/flake.nix index 8fab2a2..f0e8afe 100644 --- a/flake.nix +++ b/flake.nix @@ -95,8 +95,6 @@ crowdsec.nixosModules.crowdsec-firewall-bouncer "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-image.nix" "${inputs.self}/systems/minimalVMConfig.nix" - "${inputs.self}/services" - "${inputs.self}/modules" { networking.hostName = "nixos"; } diff --git a/secrets.nix b/secrets.nix index 172437c..593a27e 100644 --- a/secrets.nix +++ b/secrets.nix @@ -7,16 +7,14 @@ let postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql"; forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMf3Cc/S0p/LFcW+RLMEqpxOOv8q/HrKO4I9joHmRxl root@forgejo"; nginx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKX2wkS9bpMy1+ITPtQclRkthOwksWBZOLa3bT9oLAe1 root@nixos-nginx"; - jellyfin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiJb+U6LQ3KglTJqdUzwCVkKWqYoBuJXZ8BXXgCMqN5 root@jellyfin"; - systems = [grafana onlyoffice postgresql forgejo nginx jellyfin]; + systems = [grafana onlyoffice postgresql forgejo nginx]; in { "secrets/initialPassword.age".publicKeys = users ++ systems; "services/grafana/secrets/grafana-db.age".publicKeys = [tbarnouin grafana]; "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [tbarnouin grafana]; "services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana]; - "secrets/grafana-lapi-key.age".publicKeys = [tbarnouin grafana]; "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice]; "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice]; @@ -32,6 +30,4 @@ in { "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx]; "services/minimalConfig/secrets/cs-lapi-key.age".publicKeys = users ++ systems; "secrets/cs-lapi-key.age".publicKeys = users ++ systems; - - "secrets/jellyfin-lapi-key.age".publicKeys = [tbarnouin jellyfin]; } diff --git a/secrets/cs-lapi-key.age b/secrets/cs-lapi-key.age index d9230b0..167fee1 100644 
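Review bot: In the first `secrets.nix` hunk, dropping `jellyfin` from `systems` and re-encrypting does not revoke anything already handed out. The earlier `secrets/cs-lapi-key.age` and `secrets/initialPassword.age` blobs stay in git history and can still be opened with the jellyfin host key. The diff cannot show whether the plaintext changed, so if that host is retired or no longer trusted, the values themselves need rotating as well as rekeying. Because `users ++ systems` gives every host the same LAPI credential, a comment next to `systems` would help, for example `# recipients of the shared secrets: rotate the values whenever a host is removed`. The `let` block starts before this hunk.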
--- a/secrets/cs-lapi-key.age +++ b/secrets/cs-lapi-key.age 
@@ -1,25 +1,23 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBmVzdO -Umd0L2ZLSksvK3Y3bjhUaGtQZ25iOUVwbHJ6aUdyUkZ3L3FWWGdZCklqUkEzZEcy -cWgxaTFMclp0ZlJxUU9maVArelNkVEdqa2I2cjVSMUtIUUUKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IEYwZ1JxVWVWd0thc3ovV1FFTnozL3dBd1ZJSnArT0FpNXNwZEtm -VXZBa2cKTzdGM1E0dlorMDh3d041THNxaXBjSStJUkc3Sk8yUDNvQXpQTEZJOElE -awotPiBzc2gtZWQyNTUxOSBubUtTK0EgWVZYOWpZa0VHYnh0Tnc4OUlwLzArKytz -V2hwS0FtV3BVTlFsRTRKdVUxawpZb2VQZzA3UGxIbWEzamRMZnV5R1IzL3hMNjYw -U20vcFUrOFNWbk1VNUFZCi0+IHNzaC1lZDI1NTE5IHNpbmd2USAvajlPaUk1dlVG -NFdLdVdxOVpvaGhTQXdTZVNHSUlDYUtjR1h4RE1GcTEwCjZkNEVlVDhDbjFoK1Z5 -TFFxelh3bFE3TEx3eW9tczVpVk5lYTl1eWY0VjAKLT4gc3NoLWVkMjU1MTkgeHFt -eWpBIHU4dmlwcXBLSHFFVXJLV3JLdHpuWU5FNWZNRFNicC9DbVFuMVRkWG42QVUK -eDFZR2svdk1XVnJYQ01kTjBPZFhGUVBKVXNkRUNGWWZQVjNVaVZRTFlqbwotPiBz -c2gtZWQyNTUxOSBtdTBmbkEgUVdnWmNuMEl2WWVSYVJwS2N0cHRJcFFDNU9GdUU0 -RFlCYjN3MDZ2bm9uNApHMlg5eWd4VDFaR3FTRHNFczZ4Q0xabkd5QkZMQXg0cWVr -a0NQYlZBdzZFCi0+IHNzaC1lZDI1NTE5IHVmRGxIQSBUaFgwbU5xU3JPQmhYRmZ6 -YnM4Z0F6NW51R0dHMENhVUVFdlNpOHRZWnhNCkFXUTRNZVNGK1NOMHBMOGN0UHRJ -d2pQN3dCcEwwaExEN3phRmM5czVCRGsKLT4geXstZ3JlYXNlID5TLnBFMC0wIGM3 -ZWEgXU5HCkdXT29ZSEhqNzlKL09FdkxrS2RhOXdLSVR1WjArRWJ5WnNmeVI3Zy9o -dUIwVnlZZmxtdTJHTm1HQVZOV3ZBCi0tLSBtZmVwbThNenNHcnBrUThKd3JycjMr -MVJzWU1ZWHJtYjF5alVoVXlVZ2tzCnuhBvhFuByb20r6nfVQlyM1PgxGD86x37lo -dy3AIYpG5Z3lEqWNMomMU+8EI6hAArLwWmyi0yWirJKepsSkuSfEF8jMOUIzdhD7 -fPvkvq5Mrk3T2zulRcxC4eLCpNDG7orlg3hKVmyHvdfoQadBLbe7kuwfiVEgTBh8 -0KIPAP3JQ1AMGkfBe+Ii +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBLZUNM +VWJ2TVRoSVp0amJaQmhpZGdKRXpHc0ErM1BoRlhNODJGa3VDWG1ZCnVycGRWQnhP +SU14VUpRanNUc1lzT3dXak5tMGVROVJOVXFaNjh1MUZjcFUKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IE16anVFaFFGRmlZVkY5SDlyWW1nckxoZUd3Z1YvdStEOGNXdS9O +WkNlUVkKZHYrZ05QeGc5bS9UWFRLellPQnptem5TQ21NY0NXUFVJSkY0RHdsdHNy +UQotPiBzc2gtZWQyNTUxOSBubUtTK0EgRkk2MWU5b0lPMEFlTXNRWWNWaTFaS0NL +RkN4eitLbnp2OTRlOHFvVVRDdwozR2p4SEJoNndobTBQeWRLYy9ONGxXcEZTZU5L 
+bW1remcyUDRqRDBGdDhjCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBBQXk0b1BCTkgz +VG1CbDB6QVBreXFIQS9wRG9nYUUxWnF4YzhGM1NFTTFJCk55UkF6NWdPeVUvL3ZC +anFSdTFFaGJQQjJtQ0l1ZEpUQmZkS3BVc1c5aUkKLT4gc3NoLWVkMjU1MTkgeHFt +eWpBIDMvOGJZV1o1aE5jYWdVUDhRR3BZd2pxY1FvQVJUS1JTZktrbThjS3BRMkEK +R2dXcHN6MVk0UGlNZERRbHpiWFBuVkw2KzJwejJCV1FSbG5JTVg4WnVRNAotPiBz +c2gtZWQyNTUxOSBtdTBmbkEgaU8zcGVhK1BrUWplcVJIRGh1R0N5U1VGZTA5Tlpj +R2g4RWhBYnBNQVltNAp1Lzc1WlpSWjc1RGdCenVEQ2x2cTZtY3ZwTnFuVkR2RjRI +d0xYM25MSGFnCi0+IDdYSyV+QT5OLWdyZWFzZSBDJCdsIGxaZnsKMXZFY0x4Q0hT +QVNXd1RHWFpJZml0ZzBsbHhNWmNORVZjUWxmQ2ltZGxFUm1WdmVsMENSMDFmRGJ5 +dVpsUDlGSwprSTA1Q0JSczloNjFuT3B2Ci0tLSBEWGFMYTU1aTJvdE53dk1qRlpu +Y2tOVDVUcDRIaG52bmhMa2N5Z0xNWUI0Cjy/5eYpl5iwNd2YwC0o1lO2eTr2ggPs +Xq2JxNg5IbFYkBqMiw68yEtMmQf243rvGn8h9jQxL1VnSi+wpueZqxgczICzcqGn +OPOa08liEIvA+UtU4+z11c2fIiZ/BdfzF/s0wzB9uEChpOHSOf0SX8hrwlkq6fIr +w4z9OXceDiUQ5ITlBCl+Kaeb -----END AGE ENCRYPTED FILE----- diff --git a/secrets/grafana-lapi-key.age b/secrets/grafana-lapi-key.age deleted file mode 100644 index 4b7bdc5..0000000 --- a/secrets/grafana-lapi-key.age +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBUancv -V2ZKVW5JN0RGSVVhZFZNaFlrVDdGWkFFQWZhVE1aUUFBcmk1ZUVjCnlsRCt0QUtx -d1Z6aFhLQVNwSFl6U08zdlBHU2FWNEVmaHRwTzdWNkZxRncKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IHY5N3AvMjBxL1ZZTjNxQzhjYWN3UVVXdEZ5eHZGTUQ3NVk4QmMy -bmp4bTQKcEhiejF4cGRDRkhwdkdNL3BRN3Y2dVkwWGtKTFdVRnJ4ZktNdDJzRWND -YwotPiBiRGgtZ3JlYXNlIEh7cU13IDNhezQ/VGIKS0pXcDdQTjZYMXRwdTUrcHBU -bTZjOHVBZ095aEo1am1sM1ZLNEpKbWJxVDcwOVFMZExxdlVFSXZDc2hBcHBKVQp5 -K1VpZk5MZFpiRWxtYkhrRkJTaGVmaXhkZ09sYkhod1pnN3k2cFc4bGUydzNGV0Rh -ZFBjCi0tLSBydmFoY2NXdUtEM2xSbGJQNWkyeEprZ0RpM1lTN05QQkM2QmdsenlI -YWxJCtcFRV2NtwE7vA6zkN8WsD8g3MlTGyP4IJ32yznEVOANgSUm4utbnntuP6oF -tByB3CY9pVGWphn16iB1+tvuYK8ZvegqJ2M77wJEiEwancwN9Lhkjp1RAXrHcfsj -t8petIZqKpQOpcsAT9ekPnPT7wVpCwDMrN5VQx/cL3cWPKoy+wllDYT+csFPZwQF -D96CQX7nMOwml0Em ------END AGE ENCRYPTED FILE----- 
diff --git a/secrets/initialPassword.age b/secrets/initialPassword.age index aa612bd..bea0f06 100644 --- a/secrets/initialPassword.age +++ b/secrets/initialPassword.age 
@@ -1,24 +1,21 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA2K1Iz -bUdCaXF2dGJrYjkvaGhrYXBQMnJDZ2c1bVg0MjhiS0lFVDVxTUVVCllDbWhnZENy -anorM1g2TUo1S2RESklDTFFxN0hhd0VZaGNkcWlEa2F4a3cKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IDdSUGJuVk54bGp0bHdHTnZxb1pjYWJZMGs5b3MwNk1TY01vWjJL -VTJseVkKckNOQW9BdHpRS1ZxTTY1V2d3VjRNZkhPNEwwTXVKRWdqOUx4eEl5NlFU -dwotPiBzc2gtZWQyNTUxOSBubUtTK0EgUUVhUkdSOHM4L3NQQUN4MWlFZDhTNzRX -RlZkV3hYOXM5dndjTmRhd3cxVQpGcHBjODZHNWd5c1BPVmxNeXdIWlFINExKQkR5 -emEvZUh6dWdCMzlsUXRVCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBuQ3crNjdhYlpW -bUlGY1dFUnpTUi9rdDdEMjJSRmFrOUlDaXR4cGJmbjJzCk5zV1hYc1JVQm5qL1lG -THIzOWNRbUVZeGxHcmhaYVB6bmRRQUsrdXkraGcKLT4gc3NoLWVkMjU1MTkgeHFt -eWpBIEVwUGFJUkRWcDVoZVBseS91U0ZveVgvZHJ6eTR2U0tsanQ2N3FzMUU3UXMK -cGY5b3hlMFJnZlFKNTlEdTZDRHpiNm0vbG9iMzhiZEpzUTFwK2x4ckRCNAotPiBz -c2gtZWQyNTUxOSBtdTBmbkEgbERlc01iSmpENWJPazlMZURTKzMzaFlXaW0rZzIr -WnMrUGtlSnBaVUpEUQovZ3FiNmg0R3d5SnlYYlZSd3B2YWZjWFFicTJPL2ttVWFD -bmtVMFNkalc4Ci0+IHNzaC1lZDI1NTE5IHVmRGxIQSB0aytTNHlvYUJGcEZNdUEz -UWFJM2NHUnEzbkpiQVFTUmh1Zm1NRmJlL0dNCmRmVXMvTXBLRE80WHQydHptVTlV -UVJvVEZLc2o4UjhiWE90ZGxqdUhyQkkKLT4gWThwSFNIPz4tZ3JlYXNlIHUqNWRO -IyA1JWk4dGsgbSAqdQphRk5RK01oSWtzdnBlaExmZndqUHBDOEsrQ09tWFpaRVp1 -N01WQnlEWmpvNzMzbHJxZlhmcWtuSXFmVHh4bUpXCk4wWG9YVEsvcVpGcAotLS0g -RTc2cm5iUXVydVkzMS85U0h4Mmt4eGVnT2hnM1pIKzRkR0JkYzNIYlg2MArwHWYb -drwThiGw2mBcQQu6o8tkZWej7EeEVRhqYCIUYguwAXSkaWm3hJn6QxMDCSy9bxtq -xg== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA1QzZE +cHhwUnk5dm8xU29CNlhlU1JsV0tYaDVHV3g2MzI1dnZsVUxVODNNCjFwanh0aUhT +c016dUpONndPL0pRVUtBY2dNZCtYMk1Va2hoaUpsL3I4cjAKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IFhIVExqYlhTTWt1Q2l5T0RFRWdPN3dRdXVrbjNZTFFXV3pVZ0p5 +TldNU0kKZXdpZ3I1MEk1VzVsNXBuMmlZZjl6YmVKTmNwMDU2VFVSYUhMeURJSjh1 +NAotPiBzc2gtZWQyNTUxOSBubUtTK0EgSVpFeUpySkdsTldpamFqdGJaV3d3ZmU3 +S1VvU3JkTzAyZk5vRXMranIxSQpQYTFRcmlYWFFldFJKelNEVU0rQU5zNDN6bjVq +ZkxBL0E1UTNVVC9DK1hrCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBsVWhhdUVxUnBB 
+Nzk0OEJrY1V4UkpMNlVvWG95Z0hlSDNIaWQzNjNReXl3Cm1RdlJxRzBNaTQvUmlP +V0hhZXNhVUJrRklNc3U4dURsYkpjdHErNUljTUkKLT4gc3NoLWVkMjU1MTkgeHFt +eWpBIDVKdjA5S0Z5cU5OeTMzL2crN2c4bW9VQm12SUJiMGZ2ZUI0bFB6emNyM2sK +T2o4UUJBYTNzNlp2L0IwSE9yZVJQWnJJdVh4Q0c0ZlcvMSswOHJJM1VzZwotPiBz +c2gtZWQyNTUxOSBtdTBmbkEgellndXoxbmRyV2YrLzZNTnBTeHF6Q2RhQnE4R0NB +L0VSOGVLaDRzYlcyNAplbnNtb1JzN2hUOThQT1ZFcHNvNUlJeVZnT1dudjI1RDdC +T0hSakZ5Qk1nCi0+ID40MHUtZ3JlYXNlIHcjSCwgQApBWERhZXJKbEFsN0NUdjRp +M3RJbWtUV1dSZVBNQWtTbFIrZEhHZmRpVW9TckR5U0RVeDZvSWZDN0o4VTY5T3Ew +CjlORWpkOUhVdkFYTWpSNUdoVHA5VVAyK1dSYlc3RnhKSmcKLS0tIGlqcnAxK1da +QkFqdG0zOVgvWmhmUVNacVZnaUliSUpEeEN2U3Q1cXZHV3cK/UjHuI4IFTOckk9c +KvePereu3ontxUGl393gcI9x1Eacg0b9HZEfwnDKT4dIX2vGXx2aMLo= -----END AGE ENCRYPTED FILE----- diff --git a/secrets/jellyfin-lapi-key.age b/secrets/jellyfin-lapi-key.age deleted file mode 100644 index 041c0a4..0000000 --- a/secrets/jellyfin-lapi-key.age +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBDeldJ -eHEzcnZqUGJhYUQ5YW9IODhnei96RW9sOGgzR2JjZUJ6Ri9WU0JJCkFFei92cGlW -aGFkT21TRmw3SEhpbXFLOW04dGRndm8xaTBSVjhXeExVL1UKLT4gc3NoLWVkMjU1 -MTkgdWZEbEhBIHZ5VEhPZHI4UjVFVGpMUGFhcnMwckJLcGV5VG81aUw1NG13a3ZE -aHVyd0kKOWsrcWZwRmg0RnRRMTI4b1I5YkdrUkJ3cWxrUjh2ZmQwMVgyQUczcWlh -bwotPiBTLWdyZWFzZSBSYyNYczUrIHdmPi8KUnNocDNseDgrcUh3dklmd09Tbndn -NEI0MFh6MWgxSksKLS0tIEpXTksyN1hONXF5WlBZVUF3R3lEUWN2Z1ZMazVkMzRU -bzlKZ1dRTVdsbHMKvxu1ACFSn1ewARMkyz6gjIF+XI9mXvNgj6+b52YyFvlUE1Se -kOzvnFxjEjAXtV6sKVSMNBHhgLmwOBPi5/xuSsYsxZjwE4X3RtNCKcgScAJ49LLD -RnlwMTiwmst38zECSoArPw//C7zCDZHqmkxcP9m9+MHyF0P5vg8zM57lVlfX0zkp -BxKgqHu/yuqFhAWfu0edyuLj+AVh ------END AGE ENCRYPTED FILE----- diff --git a/services/forgejo/secrets/forgejoDBPass.age b/services/forgejo/secrets/forgejoDBPass.age index 3652221..b7e6965 100644 --- a/services/forgejo/secrets/forgejoDBPass.age +++ b/services/forgejo/secrets/forgejoDBPass.age 
@@ -1,12 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBZaFRY -OUhPcDZNVzJqTGNmN2Vvb283UkJTNjdwOHRnT2NNQUN0TGhJRXhRCklMMnF2bnZO -WlRHY0lPaTlTMDJvTmdFVUpoOXgzUzI2dlFIQnJrenBxRm8KLT4gc3NoLWVkMjU1 -MTkgeHFteWpBICsrQmZVa1JYM0pWLzkrOFc4ZTdhYjU0UmpMQzFQMWVNbm4xOHVZ -VEFXWHcKdWpyOUpDR0w3czRvajJsTnlyQjE0Tmd3anBsbjY1Z1RrcytOYjVHZDBR -cwotPiA1Ri1ncmVhc2UgKkggMjh4Cmg0QmVleFVmNWNkbFh2YTF5TlM1NGdNallh -YWF6clJoUTZyTGx6c2cvU1dCRnR1S1gvczViWU5wRlVLUzdmck8KQjZ1ZFhVZTdJ -SklMbUQ3M3MrR0lMSXg5bitiUWgyejkyVlFYQWJXbnlhUFd1b3AvCi0tLSB2TGlI -QWxDSTNhamgraXV4cXYyZTBFNWRGTmxFWG5OQU5TQVo0YlVCdk1ZCkmrWfQ69I9m -GStHKT+fzTMRSjMN/0z2DoPkyZYLSxHQyhFywOhs0GAV2/6h +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB2R1B1 +TXQzcHZLOVpqeXU4dE4rdks5S0tRVjlpVGF0K0w4U2hsRlBJU1VrCnNmSGdNNmxt +TlRhbzdWSzlnbDk4dTZPSitpT1NoU2cwWWlmd3FSSGdmek0KLT4gc3NoLWVkMjU1 +MTkgeHFteWpBIDZjZU5uWWlHME1OVFAzV1QvVjdaS1I2UjNyaTFYS090TUJUaWQx +TGJZUm8KdlVNM1dKQzdKcTEwZHRvWWQvVTVXT1huYkZqalF5cWZ5dkNCU2Q2YUp4 +SQotPiB7VD9eMCwiXC1ncmVhc2UgIkhYIENabi1iYTogOUoKaEo2N0QvZUVzTGY0 +eEhyTFp6QWNCQ3YxcmtacXJqZnpRYnhjRmdZdGl1ckNNSGxxU01HcDdWZ255QXFX +M3YrZgpDVVVWbjlmQmY1Zk9mTXZIZ3ZTTG9aaUExZwotLS0gb3A5RUpiYkVxVzRW +Tm1NMkJjMW5yQ2x3MzhvQWNGbXhyVEFEN1BJUS94OAqqLC4vCYHEG5CWZjtEdAu8 +ekrBlJWaVOdA1nV2rCOciHc+p0/QI74zmzQ1eA== -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/default.nix b/services/grafana/default.nix index 05bdb2f..0bfa2ba 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix @@ -23,10 +23,6 @@ in { }; config = lib.mkIf cfg.enable { age.secrets = { - grafana-lapi-key = { - file = ../../secrets/grafana-lapi-key.age; - owner = "crowdsec"; - }; grafana-db = { file = ./secrets/grafana-db.age; owner = "grafana"; @@ -39,7 +35,6 @@ in { }; services = { crowdsec = { - settings.lapi.credentialsFile = "${config.age.secrets.grafana-lapi-key.path}"; hub.collections = [ "LePresidente/grafana" ]; 
@@ -49,7 +44,7 @@ in { source = "journalctl"; journalctl_filter = [ "_SYSTEMD_UNIT=grafana.service" ]; labels = { - type = "journald"; + type = "syslog"; }; } ]; diff --git a/services/grafana/secrets/grafana-db.age b/services/grafana/secrets/grafana-db.age index cd88684..7beaeb4 100644 --- a/services/grafana/secrets/grafana-db.age +++ b/services/grafana/secrets/grafana-db.age @@ -1,12 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAzSlVh -RXNZeml2TzQzQ0tjaXBkMEpLaWdWcjQ4VGZJdSsrYzExZi9DMWdzCjJsK0c2SWh5 -SmtwcUc0TlFCYnA4eVNjdDNQNmNheG1CR3AxNlBzbzJFRWcKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IGhNWGhFYk4yZ29zV3pjdzEwbEduYmJUc1hQTDM1NlU5U2FwakVk -K0o4eUEKWHpxRkFJYWxUcm11MSt1bTUzVlNIdXc0R1RCNzlLNDR6ak02T2kxdG1v -MAotPiAsMD0tZ3JlYXNlIHAmLEEgYgp2N0IvdHYxUFlMT002ejV3cmljWTArRkpt -c0JqTkZSdXJCdmdKL0JXVDlPVG9nZC8rZDhybWR1SXUwd2tTRk4yCnlTakVLYTEz -YjBENGFPVDczOEh0V3hXQwotLS0gZkM4ekZkZ1NNQXp2UCthUGxVRHFOZkhWMjBN -bXpTWm9vRTU4MThYWmhCQQqLbdyPOKCHNIXbKmcKpsdu8lt8qj0lhZwQHIfUsQmX -tNbaKGog6SYKuvB1SMN3 +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBTTDNK +K3Z0alIwY0FzQlBCeTQwTS9oQ3U4dThSUUZMSXBIcU55em1KSmdnCnBWN2FaZnhs +N1NLdk0xQ09PMTFwb1FEMjJDNzg4bzBEL0p5aGh1MEs4b0UKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IEIyL2VrYlVrazJTdktJbUVOUzZySlhZbnNvNlIrY0dlckZrdlE4 +Q2E1RFkKZFFlUUZoRmUxck5OZjZwVmZQbklzdDZ5Q0xpd3dyTTVEdjFOQ3pGMGxN +ZwotPiBVLWdyZWFzZSBHbiA7OApIeEE5RWx1ZjFkZ3Z6TDMwcnRJSGNFVXo2UUdT +VVdNaTJQUmllSnVWeng0SmVmaCtiUXMKLS0tIC9GVjdhQWFyK09xcmQ3OFZWUUdT +cG5OTWs5QU9JOHorMFhuYUkraWFVc2sKXuXtNqrwCgD4SmTo9caBnH5Ieaotok43 +rzPGYHVRNma0rlEZpXh4K1RiC4GPDw== -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age index 7718f59..43e229a 100644 --- a/services/grafana/secrets/grafana-oauth_secret.age +++ b/services/grafana/secrets/grafana-oauth_secret.age 
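Review bot: In the `services/grafana/default.nix` acquisition hunk, `type = "syslog"` next to `source = "journalctl"` reads like a mismatch and is likely to be "corrected" back later. A one-line comment would prevent that, for example `# label picks the CrowdSec parser chain, not the datasource; journald lines go through the syslog parser`. The jellyfin acquisition presumably needs the same label, but its `labels` block is outside the hunks shown, so that is worth checking. The enclosing acquisitions list starts and ends outside this hunk.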
@@ -1,12 +1,14 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4d3Fr -V3lsc3N5UWo1dFdYNWNQSG93NU9ETndkVGlSVnVrZHlwTWcreVFVCmY5SFBRY0hh -dVlVYWEzQ0xVVHVlTEFGWWFPaC9LSjNuOTdRRmRNTnV1bFUKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IEhSblV0bWo4Zk9WcllLeVRjNk1IczZkcVBEcmhDNTJ6dXRGN0ZX -UE1NSDgKMEM2VmFlS1BtWUJaOWpla0lIalNaWG91OW93L3lvbkd4N2lxY3l3QTNv -QQotPiAyLWdyZWFzZQpxM2tLaGI1NWo2VDEKLS0tIHc3S1hiQXkvS3ZPN3NDQVlM -aCs4TlNjL1JEeTZDRmlqejdGWi9Oemt4UVUKXxAAsXEtAnN2jiLNEqxQ8s4Ny8Jo -EyrtR9cIW8MfAjQ5861M291rKgW82aDIqkwrN7B0MT/2X3UdIS6AJtHGagcvyX+w -xORCRqnILu+w9lce2qBKhleR8qGsU7hUrgd0Tn0y00bNnu/6lPE+ahu8j/UxTldi -L9zEnRtyIkagdrJON/CY8YzsNvvn9ic+Kv5e/m6PIZpz8j+GIK1lTgIEKoM= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA5K1k4 +eTYzME9YYkVKc09uL0IwSkVoL2tXODdJSWt4MEdSR29QOXZMWkdrCnJqS1pYa3d4 +TUJUN3d1N0tPNTN0eDd6Z1B5RXlVWFkxMk10STF1Zi9jY1kKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IDZqVDh0YS9iWDFMbmtDamZQYjc3MGk0QXZJVnlKRmR3MmI5bGNH +bEkzUWcKTkZpejZkRTcxbEw2dk8xaEFQempHekRtcnROR0FHTi9BMjhhZnZBWnlY +cwotPiA5OHYtZ3JlYXNlIEQ/IDcmIE1WICIKWEF1VC8zOXdkdlpZMEV3SlF6RDg5 +Z3k1V3lzclVVbkplYkdoTlhOL3VSUFk2a0g5TlpyTzB2WGE2QQotLS0gb1ByMTZT +V2NyRnJ5ZVpqc3NGbTNhTFhZK0gvTUN5YStzVXUyMmlwMDlBWQoCsJBEa8QT1b3E +8uCGIuxq1OvWfq3CHSnIHtVPPPz9Dwdp2XZ9XGN1mwGOcDWvnn6xVedeHXk95vNw +79Dx6bMfB9O3TmS4CyQ4UdFKt7ysjuDXw5LIe3FvpjmbRRJGKw+t8pDNFUi7MGif +/y00Ss8yI9xEatUXBUCfO8pMqoBqbzA2xfsAZ+FTYOELZppZhlp6c1+b30gyzNEx ++QdkVxVX9g== -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/kuma-token.age b/services/grafana/secrets/kuma-token.age index 99be3e4..6130f1b 100644 --- a/services/grafana/secrets/kuma-token.age +++ b/services/grafana/secrets/kuma-token.age 
@@ -1,12 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBmbkpK -M2RZd1NQV3lvZlozWFIzSXA5Y0dqUW5TVnNIS2wvQS9IaTBhRlJFCmovQTlZRW9Q -Y1ZDZkJpMFRoT3ZqTndweEhaVWdicDdpRitRVkFGY1pYMXcKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IDN0RFRCQmFybzhSTzBpRFJFVzl2N0QwTHhSVnl4S0lhZG9Tc1pS -a3FvZ1UKUDloaWVMdE9rSmJIMHFkdGpFaXdjSitKQ0IreG1RL2haZTJScUhQWDc5 -NAotPiA7TU05LFE0Xy1ncmVhc2UKK2JsV1ZDN1VsZ3htYmtpc2ZxZXpxQVovZEZB -a3dFNXlIaGh0ckZXa0lGY29yOXB6SmRTRUhzdUNGNm9ZWWRJYwpLQ2lVa2gzT0Qz -citnaVUKLS0tIDJSZ2RjcWFaT1NBclFpWHVGalZIRW5vaU5YNkZOUEV4ZGQvUVV0 -ajR5Y3MK33Fd98LOcGOaXrgIuT7/WrhqiJF99gfbhVwQxf8v+DNOWWakVsF4YG1s -Fc5p0vdQgx+Z7S6iF1/KLV8isFKnARM1WueUjNpCluH2294= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPbktx +UWlmTXJOYnFDSjBMUUZJZzN1R09ldWpHdlVONzJOR0NwODdsRzFJCkdPT1R6b1lx +dThHczN0WWJaOENiTW0wRnI0OG5PeTllVXBUWkhVVVlkeFEKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IFJrV0FkUERiZkVJNmZWUUZWRytHTTM0RHN4MzczalM4VDVsMmtt +S2dVVkkKdXZFRitOYSt1M1IwbXlZNDNCOEpkbDA5MzVrV3NPWHA1a3NXSXhVM0Vw +UQotPiBgby1ncmVhc2UgRiw3Cktud3Izd21LNGJiMXVrQi9sWVB5T1VoMVhEZ1JX +bVh6eWZMWHN3Ci0tLSBId2M0T1d1ZkxQK0ZMcHJBRHRwQ2drT1RHSWhJbnd6YTR0 +T0tGNmtCTE44CiymjrDgkjwfLRhDCKZin3sV5je3Ho3fUyMu6vHp1ybmlYZxPXa9 +996BaKlD5RQWjAXyWRFVFQzVwnP8iNULxA0Uo3a5SUxQ5YlQPf+V -----END AGE ENCRYPTED FILE----- diff --git a/services/jellyfin/default.nix b/services/jellyfin/default.nix index e135fbe..7bc005a 100644 --- a/services/jellyfin/default.nix +++ b/services/jellyfin/default.nix @@ -10,10 +10,6 @@ in { enable = lib.mkEnableOption "Enable minimal config"; }; config = lib.mkIf cfg.enable { - age.secrets.jellyfin-lapi-key = { - file = ../../secrets/jellyfin-lapi-key.age; - owner = "crowdsec"; - }; systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD"; environment = { sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; 
@@ -44,7 +40,6 @@ in { hub.collections = [ "LePresidente/jellyfin" ]; - settings.lapi.credentialsFile = "${config.age.secrets.jellyfin-lapi-key.path}"; localConfig = { acquisitions = [ { diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix new file mode 100644 index 0000000..d90a32e --- /dev/null +++ b/services/minimalConfig/default.nix 
@@ -0,0 +1,151 @@ +{ + config, + pkgs, + lib, + inputs, + modulesPath, + ... +}: { + imports = [ + ./lxc.nix + ./vm.nix + ]; + + nix = { + settings.experimental-features = ["nix-command" "flakes"]; + settings.trusted-users = ["root" "@wheel"]; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [22 9002]; + }; + }; + + time.timeZone = "Europe/Paris"; + console.keyMap = "fr"; + i18n.defaultLocale = "fr_FR.UTF-8"; + environment.sessionVariables = rec { + TERM = "xterm-256color"; + }; + + nix.gc = { + automatic = true; + dates = "daily"; + options = "--delete-old"; + }; + + security.sudo.wheelNeedsPassword = false; + users = { + users.tbarnouin = { + isNormalUser = true; + extraGroups = ["wheel" "video" "render"]; + shell = pkgs.zsh; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr" + ]; + }; + users.root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + ]; + }; + }; + + programs = { + zsh = { + enable = true; + shellAliases = { + ll = "ls -l"; + lla = "ls -lah"; + }; + ohMyZsh = { + enable = true; + plugins = ["git"]; + theme = "bira"; + }; + }; + tmux = { + enable = true; + }; + }; + + nixpkgs.config.allowUnfree = true; + environment = { + localBinInPath = true; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; + + age.secrets = { + cs-lapi-key = { + file = ./secrets/cs-lapi-key.age; + owner = "crowdsec"; + }; + }; + + services = { + openssh = { + enable = true; + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + settings.PermitRootLogin = "prohibit-password"; + hostKeys = [ + { + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + 
fail2ban = { + enable = true; + }; + crowdsec = { + enable = true; + package = pkgs.crowdsec; + autoUpdateService = false; + openFirewall = true; + settings = { + general = { + prometheus.listen_addr = "0.0.0.0"; + }; + lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}"; + }; + hub.collections = [ + "crowdsecurity/linux" + ]; + }; + rsyslogd = { + enable = true; + extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format"; + }; + prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = ["systemd"]; + port = 9002; + }; + }; + }; + }; + + system = { + stateVersion = "24.11"; + activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh"; + }; +} diff --git a/services/minimalConfig/lxc.nix b/services/minimalConfig/lxc.nix new file mode 100644 index 0000000..fe92334 --- /dev/null +++ b/services/minimalConfig/lxc.nix @@ -0,0 +1,26 @@ +{ + lib, + config, + modulesPath, + ... +}: let + cfg = config.services.lxc; +in { + options.services.lxc = { + enable = lib.mkEnableOption "Enable LXC container config"; + }; + config = lib.mkIf cfg.enable { + boot.isContainer = true; + proxmoxLXC = { + enable = true; + privileged = false; + manageNetwork = false; + manageHostName = false; + }; + systemd.suppressedSystemUnits = [ + "dev-mqueue.mount" + "sys-kernel-debug.mount" + "sys-fs-fuse-connections.mount" + ]; + }; +} diff --git a/services/minimalConfig/secrets/cs-lapi-key.age b/services/minimalConfig/secrets/cs-lapi-key.age new file mode 100644 index 0000000..a1f7f2a --- /dev/null +++ b/services/minimalConfig/secrets/cs-lapi-key.age 
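Review bot: In `services/minimalConfig/default.nix` the metrics endpoints are reachable from any source address. `allowedTCPPorts = [22 9002]` opens the node exporter on every interface, and crowdsec's `prometheus.listen_addr = "0.0.0.0"` is paired with `openFirewall = true` (what that opens depends on the crowdsec module, which is not shown). Restricting 9002 to the scraper would be tighter, for example removing it from `allowedTCPPorts` and setting `services.prometheus.exporters.node.openFirewall = true;` with `firewallFilter = "-s <SCRAPER_ADDRESS> -p tcp -m tcp --dport 9002";`. Separately, `*.*@192.168.1.27:514` forwards every facility, auth logs included, over UDP in cleartext; `@@` would at least give TCP delivery. `wheelNeedsPassword = false` together with `trusted-users = ["root" "@wheel"]` makes the `tbarnouin` SSH key equivalent to root, which deserves a comment saying it is intended.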
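Review bot: In `services/minimalConfig/lxc.nix`, `proxmoxLXC` is set but nothing in the file imports the module that declares it, and the `modulesPath` argument is accepted and never used. `default.nix` imports `./lxc.nix` unconditionally, so the definition is checked even when `services.lxc.enable` is false. Evaluation would then fail on any host where the option is not declared by another import, which cannot be verified from this diff. If that is the case, `imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];` belongs here, after confirming that the imported module stays inactive on VM hosts.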
@@ -0,0 +1,22 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB3eCs0 +Nk9UMzBuKzh0MHdNQW9sM2JRZUFjS3lXRm13U2F0SmxwM0szcG04CmkrMm1BRlls +bXZacTIyR3RWMWlGSUMxcytYRGUzSExYd055emNEQTVuc00KLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IGNuRmFFa1lYd0xsV0d2WkRhYmFEVjlkc1g4NWJURitnNzBhMHBj +WWhnWFEKSkw1K0V2WXdpT2krQ3ZtbHJZT0hGczJ3ck00SC92TFZVdWIwYmoxRDlP +NAotPiBzc2gtZWQyNTUxOSBubUtTK0EgcGJyTXpoTkF1Z212ZHUrVDFoVXFualNM +MkNyQXpNWmJReGoxWGF6N2dHMAppY0ZiVWVMNkp4eVB0VGsxUmRmaDN1RG0wRXM0 +QkhyYUF1OGdPdHN4dUpJCi0+IHNzaC1lZDI1NTE5IHNpbmd2USBuSHpPaG91UXZG +YmdvQUNVQTlEeG5DTWtiSDJCQ3dzeWM3RXlCQW9kMXpFCkw0bUxuVzZlMThXUytT +Znd1MlE1WnpOQlg2bCtnT21pVGwyYTdjb2xGNlkKLT4gc3NoLWVkMjU1MTkgeHFt +eWpBIHNqUUxQM2QvSkV6Y0FucU5kSWd5SURObXN4czJiN29ISW11UTJjOTB4azQK +ekN0RUkwVWsxSHhqelNueGNGOTNoMWExNkxRd3RaVkluNmpIYnk1WXY3awotPiBz +c2gtZWQyNTUxOSBtdTBmbkEgSm50VlB2NEh5ZzBmNVpaTE5sbHZEcnE2ek43T2RH +M1hwOFRIN3ZXcmx4YwoyK3QzeU1ZT2F5MUM3blg3aytLTGsxSmtxZ3VDUkNFVjZs +eFdjMTBSeHVFCi0+IDk4cFViLWdyZWFzZSBYekczVnVnbCBpfXpGIC5HClRvVDlB +R09XcDYxQzNWOVBhU256a2MwRHlxK3VJd25teDJZMDBRCi0tLSBBZXdLcy9sVTFn +TEpESU1IWE1aOGowcjlGQW5wZEhwZjFMaWxMZmN2MC93Cic+Mcw6l7P3Pog/UL3J +M2HIcSjqjtLKtk52uNIb8b7A/fOdrUhogyYVfAt7nWhQ0CCE+cE/Z+JnI3g8skG5 +4ZGF/r9Y+9orKLdskFdrkWBYX1jx3Xcwme+Kg86AO9P3Os3thXo8iDctAFFiAWvo +AgOOjmobsPfXKQfRZw84nDB1CXzFZkDngYrB +-----END AGE ENCRYPTED FILE----- diff --git a/services/minimalConfig/vm.nix b/services/minimalConfig/vm.nix new file mode 100644 index 0000000..cfe1faa --- /dev/null +++ b/services/minimalConfig/vm.nix 
@@ -0,0 +1,53 @@ +{ + lib, + config, + modulesPath, + ... +}: let + cfg = config.services.vm; +in { + options.services.vm = { + enable = lib.mkEnableOption "Enable LXC container config"; + }; + config = lib.mkIf cfg.enable { + security.sudo.wheelNeedsPassword = false; + + networking = { + dhcpcd.enable = false; + }; + + systemd.network.enable = true; + + services = { + qemuGuest.enable = true; + cloud-init = { + enable = true; + network.enable = true; + config = '' + system_info: + distro: nixos + network: + renderers: [ 'networkd' ] + default_user: + name: ops + users: + - default + ssh_pwauth: false + chpasswd: + expire: false + cloud_init_modules: + - migrator + - seed_random + - growpart + - resizefs + cloud_config_modules: + - disk_setup + - mounts + - set-passwords + - ssh + cloud_final_modules: [] + ''; + }; + }; + }; +} diff --git a/services/nginx/secrets/cs-lapi-key.age b/services/nginx/secrets/cs-lapi-key.age index f6d3616..46606e3 100644 --- a/services/nginx/secrets/cs-lapi-key.age +++ b/services/nginx/secrets/cs-lapi-key.age 
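Review bot: In `services/minimalConfig/vm.nix` the option description is a copy of the one in `lxc.nix`: `lib.mkEnableOption "Enable LXC container config"` should describe the VM profile. Since `mkEnableOption` already prefixes "Whether to enable", `lib.mkEnableOption "the Proxmox VM profile (cloud-init, QEMU guest agent)"` reads correctly. `security.sudo.wheelNeedsPassword = false;` repeats what `default.nix` already sets and can be dropped here. The `ssh` entry in `cloud_config_modules` may regenerate host keys on a new instance if cloud-init's default key handling applies, which would change the SSH host key the `.age` files appear to be encrypted to. Pinning `ssh_deletekeys: false` in the cloud-init config, or documenting the rekey step, would avoid a host that cannot decrypt its secrets.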
@@ -1,14 +1,14 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBEUUkv -d2dNTFhwYzJhc1M5cTJWOW5wRzJKS0tVcGZXaHlDakJKTWJpRnhzCkdyZDF2MVRL -L2F5MlV1eXloenk1dFFqYzY2RWltSTBMUkJUV08zUTVMMG8KLT4gc3NoLWVkMjU1 -MTkgbXUwZm5BIHNoQU9FRzVhcVp1WWxJdStvUDg3THp6T1NyYmlTbnBsSnpxVnpi -Vkl2bk0KMVV2ODJtT0ZFSkt1N3R5MlFpRHF5NEtYN3lSckRpelBVaElSTmhJQWp3 -OAotPiBJLXprdC1ncmVhc2UgRX57QCB1SiggLjcsKCosIG5JUS5+eW1rCmM0SDlT -Smhtb2pVWGF4SEtjL3VlK1pHMjJHeWdqRDRmOWdwYTFLODJ6dU0zOUJLaXI2Uk1N -Y1FPL3dhTEpVTXUKWDRrUEVJeTM4ZmtiL3Rvd0lIcTg1emsKLS0tIGI4bGZtSTg3 -WTdEZlliMndyWG51SUpVYmdiK3NnbWY3L0VWNjZYbFpEelEKfQXj149IwP7mpv3o -UNd2GAuTY2/vDDo6KnDYehOu2T8r3Q3qatddLRkcMjRbrn7wtX7GPo8IPQ4M+weH -SR6RJzU+lbBewkKxigTrbDKizYCj0K3itYv7ch98UPWp4284amz4ltvOkaSmwxYL -RIMfrVTxGDanXIRqWXOO4Oz5l/DrNYrhcpGEFDA= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBCRlBx +TDRERktFbE1xSXNpUXd4UE5vdHJpWmRNQUdjZ3hLejlmaWVjd2lRCm10aStweldV +aE5lWnJ4T3l3dTFlYWR2eUtjZHYrdTJ1VmFQMFc2UlIxUWcKLT4gc3NoLWVkMjU1 +MTkgbXUwZm5BIFh5dDY0c1hMTDE5aTFsRU5JbERvTXlWSDZwZGgzaExraitLSmQr +Ukp5VkEKT0ZQS1AzQTFWRGJneWVjaU5sbHVaME83RnZuQzBPNCtzb20yNWtNR0Rk +ZwotPiBwdygwZ11ZLWdyZWFzZSBEXGFWV2JvCjZPenNoMVhjbHZycjhqZURQWExi +NmZkZDdJaTQ5NkFCZmtmWU1zZEdrQndnSnBkNmZhY1dOeENqeTNpL3BlcXMKN0VQ +VmgvaWdONzF2TWFuS0tTQ2Y5M0NUMGJkOFVaMi85K01vdHNRRUJ3d1VLbmxUN0cv +SVIvcwotLS0gOW9sZjBuUmxRK1JMZ1NYWlRiL1BMZGd1SmJML0I5SlpLMWlOakhR +L01DdwpzAKzZ6lqTmdlFPWlj3ElxZJhWKZI9iPpP9QW/TzrAAAmHivSmSfLrAKwE +uBgXo+unc+c9KUCypY8z1nMzbmijDKhMrryBsj7++IyfG5cqhX4J+Y73mdutKtfY +JzsfH7ku3cvSxl1MypQdj7+F//7hkcn5IoSKLT/AcTqqFEcoUorf5QYaD5Rnrg== -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-dbpass.age b/services/onlyoffice/secrets/office-dbpass.age index b7f0c84..c54ba53 100644 --- a/services/onlyoffice/secrets/office-dbpass.age +++ b/services/onlyoffice/secrets/office-dbpass.age 
@@ -1,11 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAwUldC -Q2hQdjJienMwRHQ0eGVKRHVSeHpuTnoxR294NWtZSkZvNjRNVXpzCmpGWTByZlVo -UXdyT1RyamtvUjF1WEFMenZwOTdyK1ZLOFVoY1BxdGlGeUkKLT4gc3NoLWVkMjU1 -MTkgbm1LUytBIE5KNUZ0bTRKa3QzejhZUUtrb3pKdno3YU5KQW1oWDNWeUJvUUY5 -UUFNUmsKc09VUFFIRm5NRkhsNnFqZVl0RnZnL3I5S0M3cWFFaXBOUENiZHBqMWho -bwotPiA4XEYtZ3JlYXNlICUKd3ZCRWdFVFhkY3FrZEJZV3pzMGp0M25hVFJOOEZq -U2JoN0xyUUdhZG5ZZlFZdkRyY2UzSFV3Ci0tLSB1bmlQTC94MmxWc0F2SXkzWFh0 -S1Ntc2twRVl4a0lBTTVNZ3Z3V3RTUFNnCmo6bFgO8jfb8wrj/r7hNTpJkafrlj+g -7/83lr9qCVqGLk39aIKFzf0mN0M/1fP+8w== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBlRXJL +U09lMEFhTm14UDBvK0RneU1rUEExOW1XLzBYaFVIUE11WnhXT2pnCkVSYTlxT0pC +dEdhTlp6MnhVVGdjaU5sNkw4UEJqRDh0S2VjMXFpbVdDaE0KLT4gc3NoLWVkMjU1 +MTkgbm1LUytBIFEzTldxVFNPQ0k4anI3eGtROHh5K2NDNE9vbGRKdGpZdmZONFJF +Z3E4aE0KeFlSTkliYldSeGkvOWJtVGNJaDIrbnFWT3kzUVh3T3pRMEFQVUptSDhs +YwotPiBrd3ZcWDBdeC1ncmVhc2UgfApURFdhNmlIOVR0T1c5ZFhHbURNbkx3YnhS +L1ZMWjg5dGlZM0FCZUJ3WVpYTU5HRjV6cTllYkxmcVNXWFJQeUlOCnlKcwotLS0g +RUIxbW1BVW05WGlRZlVJcDNINGRQTU8zSytqZGU3aVNldkNGakdFYllRVQpyT8qx +VmPmwWiaRIx1JjhOPLnLnK3x2h2FepWW37HPANVrD51o8x9PPzbzpe/j+DI= -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-jwtpass.age b/services/onlyoffice/secrets/office-jwtpass.age index ae1209f..429ab29 100644 --- a/services/onlyoffice/secrets/office-jwtpass.age +++ b/services/onlyoffice/secrets/office-jwtpass.age 
@@ -1,10 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4dE5y -OE1LWWRUOWNoLzVvbC85QTB2VVF1SDluYUdEMDY1VkpwY1N0bFNBCkZ0ZURUVzZs -VmFERTlOTjdkVVdjL2lqUVQwQzFZR2krM1pNZm9vdDFyTEUKLT4gc3NoLWVkMjU1 -MTkgbm1LUytBIEhHK1F4a2Q5NW5QZWZiQmNQSEg1RVgwZnhJejAxSlZwdDl6ZXcw -Q0pjaGsKL2tjYXF6cHpBemxSdFFyMVRDY1NuK2lidFhTT1AwNVp1SExsK0YwM2pJ -NAotPiAoc3wncS1ncmVhc2UgUyEKSkEKLS0tIFREYm9USGhqNXlhMUQ1VExkcktB -cENBWHpZVVZJK3hNNVpTSG90SXU1aVkKPLlmlZ4esC7DLLt/mtGFFJkR9OMH9GyV -v7tvQag2HtLDzdR0U8CgLqae4R0YUuYa4g== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB6YTZF +SSt4bEFvY0xCT1ZTUldNSkdveG44cWZYei9DdDhRQnlId2xnM1M0Cnp1T0dlWFZz +b2FBOUMwT2dKaEpxU0c4aWQvRTBaVFV5L2ZWdDYzUjQvaTQKLT4gc3NoLWVkMjU1 +MTkgbm1LUytBIGl1VHJLN0JOZUhuUmtQbnF5b3Q5QVF6eEFvREFSaG5VTS9yWDJP +TXdDSFUKS1k1M211ZWNLeXVHYWlzeDJwQWJBLzlZUWI3TkNzVTVyTHNWdkxlWkRN +TQotPiBaP2E+MlctZ3JlYXNlIFNzYiBjKnI1fkEgO1pgIDw+CkN2aktUQ1FoMDlv +VHpHSEVuaW1ORE14dWRyS0U1amY5Ny9HV3hpODVnNUY5T3lXdGdMMS8zNy9xUXVV +QUhXNEsKekR2SytYcWlHY0VScXZhWUw0Ty9Qd2t6VWcKLS0tIFRCWW9KTWUxNXJv +NC9rTWpnNTdPbitqL1RtQWRxTFYyaXVzcmptdWpVaVUKHjTjNodh7Gq5bTJ0WXAo +DbfiQMUsv90ipf+og4AkLfVzSkcNrpNeREzCj7wZvPE6LA== -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/authentikDBPass.age b/services/postgresql/secrets/authentikDBPass.age index 3bdb09d..f92c43f 100644 --- a/services/postgresql/secrets/authentikDBPass.age +++ b/services/postgresql/secrets/authentikDBPass.age 
@@ -1,12 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA1STRT -ZXlpMkZHQkZ5THNJL010eHR5ZmdVRnNETGNmcWp5bDdZTHZMVFNjCmliOVBUVGdh -S0p4bWp2ZDhiVml6Y1kxVElHZ05td0VKaGtBYnU2cEhjQUUKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIDEzQkVjNUFSYUQ0amRCRnduMFppOExhb3lpWk1hL2VtNWUzTHlL -T0JUQ1EKZkJkMkNldVdqM3NxVFhRbHpLZ0dQN0RFWWtVY3V3Y0F3RUtSRVYyUlhn -OAotPiA0MS1XKF1KLWdyZWFzZSBAbDA7LVggPwppdndhdXdkenZ4TGsrdm5rVzZX -WmRleFhtRm1kUkhna3ZTbDVPcHlyR3VaYit3Y0t1RStFWlNQNEZQdnVWN0JpCnBZ -amc3QQotLS0ga1lYU01rc2VDZTVMY3UxeHdPM1lnUDltU0FCeGlGZDE0OG9EN2Uz -MDdCVQpigLxsnezDdq9kcgYStrQ2jgL+f/mTTrM9KuQUWkYCzQ965bcsaMwpUwJY -cD2N/oY= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBnSGtm +R1dGQlBySDlVTy9Mb1QraTZLRFFPSmRqYUF3cTNRbmNnV2VUQlVzCkxKcjRHN0p3 +SUlnSUpXVXc5VURRSEVMWEF0bHZkRGQ0VHZLcnJPV3pkMVEKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIEJGUlB4N3l1Zlc4bkNQRVBxK0QyNU1GZUQrQmw4d3NHYkNDelR3 +QmVGUWcKSGJ3MUZLNjZqbWUrc0l5aEpHYWNyY0p5SWpGcGxqMG4rd1BaaG8vQUlD +OAotPiAsOTV1LWdyZWFzZSAoU3tAUUIgIjx1IEpeIHkmXU8KNlpiUC9ZNVR0a2Uw +NHp5dC9oRUZQMWRPT2lMRHZXWUFMZjhVQW04NUlsNWd3YjRzc1h2bGQ1QmdEaDgK +LS0tIGk5dXBuV3hsOEUxUWtmbjFsTVNqUXdlaSthd0VBMFh1NkFYQ0hGZXhaOEEK +xLmozB0O+dnzu9y/M0BNrl+FrZlxFfZUTaGRpD4VhQF+xmA5JhRFDre0fflnBkZF -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/giteaDBPass.age b/services/postgresql/secrets/giteaDBPass.age index ee12c0e..d11fcdc 100644 --- a/services/postgresql/secrets/giteaDBPass.age +++ b/services/postgresql/secrets/giteaDBPass.age 
@@ -1,10 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB0VU5p -ZnZqblRDNmpVeFBmRnJ3a09zdEFHK0JLOXFLWTdqaDNRSEYrVUZVCnZ4QWxJWXMy -aTRaMFNDZEViM1Z5bWZZVVdDbXc0WkhrU0FNUEFkaEhLancKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIDhrU2NqNVIwcE9qQStWbklpellRdTNjL3J2K0lMTkdhLytXNjNG -bzM1QkkKWVJHRkk1YlYrdHFjdXNNSVJDUzk1TmxQaUpvb0VtMWIzT1FHNGxGZUpQ -cwotPiAifCdTWiM/Ry1ncmVhc2UKK2xIWnZSOVMwN0VBd3pNM0VaTmZkdWV6dlcw -Ci0tLSB2bVJLRnIzc3JrTm9ud214N0JLbDEwSnZZaXNoL0I3Z1huWURlQVpIajFV -CoYOF0L2BJYmkCTDWOO8zPUgDJw2ZgvE5UcwKF5pNOlYihSNEKRkFSQ+UNCO +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB6K3RY +Qy9yU0ZkVG9mSGRvOFQ5aUozNHNGVUpMTGUvOGU4US9yeWExaWtnCnkyTDlXQUE4 +K01scktWMTJkWldUOTQzUUZNWHQrcHlNeElwVG1vL0hDQlUKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIE1qclVJYlQ3UHhXaE5ub3JWNDVUVTB4c0Y1c2NSSno2aDNkVCts +S054RzAKclljZkJoSUhtUXp2dng2eDJlUkphMXRFbXJQdUxPYm1OTUtMQkxZaWcz +OAotPiAmbi1ncmVhc2UgU2NUIHluCnp4TjhnVk01OWRVZUJVMnlPNmlzNWNJZk5J +OHpsTnpGLzA4eE0zNitKSWF5d05BcEhjU0xCd2lRMXpLVXB1TlgKLzB2VFMzcmJo +aThSMDQrU0JaSWNUMVZnOXRUNlhDVVoyVkRRTndUS1pnMUhhSTQwKzdXVFIwTFFi +NkdTYkZScQpaRHp6Ci0tLSBRVFlXSGpLYzd1QXNkRlJjdDFkejdyM1ZzelRIN05o +UkR4a3JTSWhIQlN3CtTJA3S9lKiHg1j+GiDIZtbLjWlnCQG6R8XbApPIWPPNm+wt +mtCq8RC9uHH+ -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/grafanaDBPass.age b/services/postgresql/secrets/grafanaDBPass.age index 9da4d86..273e1b6 100644 --- a/services/postgresql/secrets/grafanaDBPass.age +++ b/services/postgresql/secrets/grafanaDBPass.age 
@@ -1,11 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBSeE1L -K0kyVXZrd2xmc1NieFZHdXpSZHVxbGV0YTRkV20wa3l5RlA1dWxjCnAzWWFHNFpt -WGVSOUU5MVpvNXZseWdXVkxEYzlJQ0V2WmpIUTBFRVg0MzAKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIE04Z2VycjBYc1hLakdvWnVTR0w0MlRLSENGVTdGMGp6UWkvZFk0 -bUFSbUkKUmVpSXJLK1hudlcwRzh1bm1EeE8xdHQ1K1A5ck1LNnpRazg2RzE3dzJC -YwotPiBWZGl4Kj0tZ3JlYXNlClZ6UXI3S2RpWWZTaEg1aTlsN1dOdGYzNUU4aTln -eWpBNTFZOGJCWmZFMjQKLS0tIEJudnJERVBGck10MW9JVFpQZGd4ZDVpTHgrd2Q4 -enNqdDk1enV2QXBhZlkKvGdV5BA2Rk9Nl6d/+khd+JdGvlKX2Vl5qkYI5ZAIWbSq -cjp67Qbe9UcsztFwBA== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBneXc1 +enhZNFEwV0xNbWhqVTl0VlUvZ1E4V3RlZElDNEFTeUh5alFqdkg0CmxjV0d6QXJm +cXovM25wM1VHdG5wbVJhZytMUEpSU3VvYXUvaGpJTC9ocDgKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIDY2OGJGUENPckxrcnNKMFlWNC8yOGgwUDJUcDMyS1VnSC93dXpw +UWo0U1kKbnQ1TUlZc2RrbTRuRmVhVlNwUVpBMkc3Ukl1dXR1RzNKK3ovUnR6UWln +cwotPiBwSlU2ci1ncmVhc2UgPFRSdjkgKlAzUyBQYXhVN3MgQGwKMWdWOWYyRUFK +MC9ETEg0QgotLS0gZGtTdHVBbm9KeUxDYVUvQjlTb3Q5UllFb2F5YU5wUXhEc1Bs +RTJXaUI2RQoYkHT7kLqp50j9knk/D14UTvt0FJQO7NpmhISbCoeXQ+X9Y7td4P4J +s8VDQLEe -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/nextcloudDBPass.age b/services/postgresql/secrets/nextcloudDBPass.age index a51af13..aab9aa5 100644 --- a/services/postgresql/secrets/nextcloudDBPass.age +++ b/services/postgresql/secrets/nextcloudDBPass.age 
@@ -1,12 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBkWmxN -UXhJVjFoVGd5LzVUdjFmaVRvRnRycEx6SmxVTHRORUVyQXVtVmx3CmV4WnlYc2xr -R0hEdWp1RlUwNEZnUUpMRmo0MVZNNUNSR3ZmK003M3hvMEEKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIHl6RWhQdDFUR3VMcDU2ZW9jeDFld2pXak1LVzNpeDVWQlN0WjBF -em8zaGcKRmkreGl1NTlhT0h3NUNhZmt5U3piQWhPYlo5Y0FadGQ5dEVLcGw0Y1hE -TQotPiA+S0hgNFtDRy1ncmVhc2UKTnhYM2xyNWdqQ2t6bEVuM1FDa0hoZklNeTJZ -eUIxSnFrajIvak93dE52Z0ZELzhXZUg3dC9DQmlvNVJ5L281WAp4TjJ5YjZxT0lz -MnlxUzdJQlVZCi0tLSBob085MDZSSFpNdjNvOXl1eGFyTDV1TG9sNVlyVkhSZWpZ -K1RrWmN2WHVrCo0WCDxqTqQBRkmUjIhRzmDopdlZevkMWiHfXcl8MGHRGYe5EYwc -Ke3xE9pvZBm+Bw== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4Wm9k +YlJJbUswNjcrQkVHdk0wc0g0ampYb1Mvbzd4Rk5IVW9ZS0RSTlZrCjdjK3BhYjdV +cWQ1NUh3bi9ZakxOajIxbDRST0FwQ0R0c3BHY1BGNXY5UHcKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIGtDSlZkUm5DTEpPdXJsTCtQSHA2ejdtRU9WU3ZJdGtaRVdScUNj +TFg1VDAKcWs0S0s5REgreG5PZDZkM0lGQ0RBdDR3R2kwY2tmK1RmaWE0R2pJb05j +UQotPiA5OVMxUkVhXy1ncmVhc2UgK0xfdnUoOgpnbVFETkc1ZS81Kyt4U1NoOWJv +L1NVM1BzeGdQRDg0Ci0tLSA3VnpKZTRBbWN6NGMxWnNobHVEdDUyRTJORTlabXRH +UllITmVGVHlrSGlNCoMnkbrU86Cjj6jnsZjSPwKIzLpdyzxYBQDxoj9mv139Rdae +bFLdtG8sIabo6hNIxg== -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/onlyofficeDBPass.age b/services/postgresql/secrets/onlyofficeDBPass.age index 0a517da..7c6628d 100644 --- a/services/postgresql/secrets/onlyofficeDBPass.age +++ b/services/postgresql/secrets/onlyofficeDBPass.age 
@@ -1,12 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBDTm1X -aTB5SXpwTDRHS1dlMm1LaEpKQkViYlUwZE0xNE04d0dWOVErYVFvCnAvK096M2Np -WWxZUUZGYWZjc0ZtTktSMlFNbjBzU1A2U282VHZWdFNrMEEKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIEpiR2FpR2ltelBwbVhKRTZpRzdLM2U4bGZwc0kvMU1rSlNwb1NR -UVlKV28KV3pEblFFN3hZeEd5TG4yVXRFeHhabVJweGpWejY1eTUveTdYU1ZTRUJl -YwotPiBHbWZPdC1ncmVhc2UgRjJyeiYjTyBCR20hUFsqIC4gMTQqPy1zRwo0NFFS -Rm1HYlUwOXhNenlKcW90MEJOOEFtTjROU1JMWWEzMHJFRVUvS0phY1cxV09abG5a -TkEKLS0tIG1EZnJGanhDUjVRUm5sRTlaVWtFQUN1Q3QrVm1GQnkvVm42eUxWSGNq -M2sKXJmL2j6j+iA26zzQ/rLZrQTXRyIFZ3EvAgpbidiCDqefQrtlSXeQXjiaYI53 -AWK6 +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBvWEZM +MTJGUzQ2a3Q2SE9QeE1hWUxDRmMvODhxRVFOQlcxaVYvZEFaNFRnCnZWME02QVlH +TU1lUUt4TnhabzBkNGJVS2pxaytPY0tic1NRR29Ka0k5em8KLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIDAvTVFwR3VOWUVpZk5xUkJsZW9CMVhzYkd1ejhwUHhGejNQc1hG +eXVqbXcKM282Z3JlUS9yMURSa3lnaitpZ3NhMTVvamR4MGV2USttcmp1bDNEYXVP +bwotPiB7MHlWLWdyZWFzZSBqW2hxWm0/SSA2Klh8OyBOOiBtbFlTJjAKVkhZcFla +VVdsbnRlRUI1bzdNWEJUNjNEdWpZY3JBWlduQUxrRU4xdG1kWU8zSjExbUd6UlNG +clZYQTVMVkNFNAp5dlcwZmhxQTNKN1h0dUhUM1prCi0tLSB1UXlaQUd3b1JkM29K +bjFJTVpzUTk1MjZIbEhmTkVXYlNtN3k0OW50TTJBCoB7YGQ+R1yzNbS9ZiTcgoZk +LGeyAB/x+izkhu54XzrxpjQKeXAQftnHks6lzzqZ5w== -----END AGE ENCRYPTED FILE----- diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix index cf89677..13bb00b 100644 --- a/systems/minimalLXCConfig.nix +++ b/systems/minimalLXCConfig.nix @@ -99,6 +99,13 @@ ]; }; + age.secrets = { + cs-lapi-key = { + file = ../secrets/cs-lapi-key.age; + owner = "crowdsec"; + }; + }; + services = { openssh = { enable = true; @@ -124,6 +131,7 @@ general = { prometheus.listen_addr = "0.0.0.0"; }; + lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}"; }; hub.collections = [ "crowdsecurity/linux" diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix index e802fa4..7fbe700 100644 --- a/systems/minimalVMConfig.nix 
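Review bot: Every container built from this base would present the same CrowdSec LAPI credential, because the `age.secrets.cs-lapi-key` block added in the minimalLXCConfig.nix hunks points at `../secrets/cs-lapi-key.age`, which secrets.nix declares for `users ++ systems`. If that file holds a machine login, one compromised host exposes a credential that is valid everywhere, and the LAPI can no longer attribute or revoke access per host. The same applies to the matching hunks in systems/minimalVMConfig.nix. Consider making the shared file only a default, `file = lib.mkDefault ../secrets/cs-lapi-key.age;` (assuming `lib` is among this module's arguments), so a host can substitute its own key such as the existing `services/nginx/secrets/cs-lapi-key.age`. The quoting in `lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}";` is also redundant, since `config.age.secrets.cs-lapi-key.path` alone is enough; the enclosing attribute sets start and end outside these hunks.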
+++ b/systems/minimalVMConfig.nix @@ -1,5 +1,6 @@ { - config, pkgs, + config, + pkgs, lib, inputs, modulesPath, @@ -85,6 +86,13 @@ ]; }; + age.secrets = { + cs-lapi-key = { + file = ../secrets/cs-lapi-key.age; + owner = "crowdsec"; + }; + }; + services = { cloud-init.network.enable = true; openssh = { @@ -111,6 +119,7 @@ general = { prometheus.listen_addr = "0.0.0.0"; }; + lapi.credentialsFile = "${config.age.secrets.cs-lapi-key.path}"; }; hub.collections = [ "crowdsecurity/linux"
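Review bot: The `age.secrets.cs-lapi-key` block added in the second hunk can only be decrypted on a machine whose SSH host key is a recipient of `secrets/cs-lapi-key.age`, and nothing here documents or checks that. flake.nix combines this file with the Proxmox image module and `networking.hostName = "nixos"`, so a freshly cloned VM would presumably boot with a host key that is not in secrets.nix. In that case `lapi.credentialsFile` (third hunk) would point at a path that was never created. The re-encrypted armor in this commit also appears, once base64-decoded, to carry only two `ssh-ed25519` recipient stanzas, fewer than `users ++ systems` would produce, so it is worth confirming by re-running the rekey step. I would add a comment above the block such as `# decrypted at activation with this host's SSH key; the host must be listed for secrets/cs-lapi-key.age in secrets.nix`; the surrounding module body lies outside the hunks.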