From d6bdadef6143e0b12041bb1025fcb0af753de0bb Mon Sep 17 00:00:00 2001
From: emily
Date: Wed, 14 Aug 2024 18:46:14 +0200
Subject: [PATCH] Add nyastodon secrets
---
 .sops.yaml | 7 ++++++
 config/services/nyastodon.nix | 25 ++++++++++++++++++++++
 secrets/services/nyastodon.yaml | 38 +++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+)
 create mode 100644 secrets/services/nyastodon.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 2d3cd07..0a7fd5f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,7 @@ keys:
 - &emily B04F01A7A98A13020C39B4A68AB7B773A214ACE5
 - &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
 - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
+ - &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
 creation_rules:
 - path_regex: secrets/services/dns-knot.yaml
 key_groups:
@@ -39,3 +40,9 @@ creation_rules:
 - *emily
 age:
 - *seras
+ - path_regex: secrets/services/nyastodon.yaml
+ key_groups:
+ - pgp:
+ - *emily
+ age:
+ - *girldick
diff --git a/config/services/nyastodon.nix b/config/services/nyastodon.nix
index 457043e..54ef396 100644
--- a/config/services/nyastodon.nix
+++ b/config/services/nyastodon.nix
@@ -1,4 +1,24 @@
 { config, pkgs, ... }: {
+ sops.secrets."services/nyastodon/extraEnvFile" = {
+ sopsFile = ../../secrets/services/nyastodon.yaml;
+ owner = "mastodon";
+ };
+ sops.secrets."services/nyastodon/secretKeyBaseFile" = {
+ sopsFile = ../../secrets/services/nyastodon.yaml;
+ owner = "mastodon";
+ };
+ sops.secrets."services/nyastodon/otpSecretFile" = {
+ sopsFile = ../../secrets/services/nyastodon.yaml;
+ owner = "mastodon";
+ };
+ sops.secrets."services/nyastodon/vapidPrivateKeyFile" = {
+ sopsFile = ../../secrets/services/nyastodon.yaml;
+ owner = "mastodon";
+ };
+ sops.secrets."services/nyastodon/vapidPublicKeyFile" = {
+ sopsFile = ../../secrets/services/nyastodon.yaml;
+ owner = "mastodon";
+ };
 services.mastodon = {
 enable = true;
 package = pkgs.nyastodon;
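Review bot: The new `&girldick` age recipient in the `keys:` list carries no indication of which machine or deployment holds its private key, while the neighbouring age anchors `&seras` and `&emilia` read like host names and this one is named after the service domain (the nyastodon module in this same patch sets `smtp.fromAddress = "webmaster@girldick.gay"`). A short trailing comment on the line would make later key rotation and access review easier, e.g. `- &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf  # age key of <host running nyastodon>`, with the host name filled in from the deployment. The grant itself, in the second hunk of this file, gives the key access only to `secrets/services/nyastodon.yaml`, which is consistent with the other per-service rules shown.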
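Review bot: The five `sops.secrets."services/nyastodon/*"` attribute sets added in this hunk are identical apart from the attribute name, so `sopsFile` and `owner` are repeated five times and can silently drift when one copy is edited; generating them from a list of names keeps both values in one place while leaving the attribute names, and therefore the `.path` lookups in the second hunk, unchanged. This requires `lib` in the module arguments, which the existing `...` already admits. `owner = "mastodon"` is presumably meant to let the mastodon service user read the decrypted files; if the full configuration overrides `services.mastodon.user`, the owner should be taken from there rather than hard-coded, which I cannot confirm from the hunk. The enclosing module attribute set continues past the end of the hunk.
```nix
{ config, pkgs, lib, ... }: {
  sops.secrets = lib.genAttrs
    (map (name: "services/nyastodon/${name}") [
      "extraEnvFile"
      "secretKeyBaseFile"
      "otpSecretFile"
      "vapidPrivateKeyFile"
      "vapidPublicKeyFile"
    ])
    (_: {
      sopsFile = ../../secrets/services/nyastodon.yaml;
      owner = "mastodon";
    });
  # … unchanged: services.mastodon = { … } …
```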
@@ -6,5 +26,10 @@
 configureNginx = true;
 smtp.fromAddress = "webmaster@girldick.gay";
 streamingProcesses = 16;
+ extraEnvFiles = [ config.sops.secrets."services/nyastodon/extraEnvFile".path ];
+ secretKeyBaseFile = config.sops.secrets."services/nyastodon/secretKeyBaseFile".path;
+ otpSecretFile = config.sops.secrets."services/nyastodon/otpSecretFile".path;
+ vapidPrivateKeyFile = config.sops.secrets."services/nyastodon/vapidPrivateKeyFile".path;
+ vapidPublicKeyFile = config.sops.secrets."services/nyastodon/vapidPublicKeyFile".path;
 };
 }
diff --git a/secrets/services/nyastodon.yaml b/secrets/services/nyastodon.yaml
new file mode 100644
index 0000000..2846f6f
--- /dev/null
+++ b/secrets/services/nyastodon.yaml
@@ -0,0 +1,38 @@
+services:
+ nyastodon:
+ secretKeyBaseFile: ENC[AES256_GCM,data:VywfWY41tcM6zDCMlCLnOh5hRCkb3dLCmfDgcT0QoKTqlV2QqlutQMOAG4DA06HuIyext6DGOkvAsDGLIHb7SWblU6UaQgpoUCp+WpHqCc/fxzg9EsOy9ApF4ESCj/Fb+l55eRS7QlC7isU9zxWW5H9ccMxbmZcGePN8aGyZbaU=,iv:GHg1/Q64uuxFmbt9X/+WbmuHUVlXcK7fd0W+flYoxVs=,tag:8tlsSUXfyb67Cx4Eejmg9A==,type:str]
+ otpSecretFile: ENC[AES256_GCM,data:Gu0MAnP4E+oTNtVeqeKpI3RceCotoqo2kVKJXiCEUtw3Sm206nDIyfdcX7r7Ho+nlpwe05gYFYSb+ISgmz8p8bTxmAc2J/1fFnmC+6V/3d5sNP+a0KIdA0xVZ+HRTqe+N8X1n8n0FzbBvps5IZ4Y02Jvf7dK5QQyxj6H5fFzdhs=,iv:QrO78qm4jCBbdDPqoprVUHMM6XC9YTQ+U4zAnMVaHcM=,tag:HIzQUwsYi3i+SoDbbuaMUg==,type:str]
+ vapidPrivateKeyFile: ENC[AES256_GCM,data:YhT0xABuEa8VIlpzl1IAd5Jkni9xKBazF0EJssDfRfry7RHvrj5qyMkK17w=,iv:cfbspnityKGgGOohXcwGY6h8k2VbW35wa+Lzc/Z71mc=,tag:bK02soRkqcmkPKB/n2w/ug==,type:str]
+ vapidPublicKeyFile: ENC[AES256_GCM,data:CIv5x7oG4oJ13suTlMUEDnih26rQ6XhHFiyXz3kRjVkNiWFylLxRvpmCRvgogFQoH05MRTTm50qPK7GTFc0N/XMucGSS4bHpZFc/g/OJJAfjHWUixamK0w==,iv:Vo9txxYAY0YOmv23w94S7K0vh8QntCKiK7/VwA439P8=,tag:UtJmMFnnyYPgypDFBtgKjQ==,type:str]
+ extraEnvFile: ENC[AES256_GCM,data:kaMYIkHq7TluFww4SnQiVrEgm0+yIbXFucbMWRzdpq0KSrBD2Wim014KljfnGC6udMGApzhACHCRx0K5HtjxUW0dtoasQOregHZQL8peuvm8hWwsvAm4Y+uNY4zz6XU+2vZgUFLFWkJdRjWngc4Va2lLn0rGGV1GtGHUJrvCjNz931XGjVERaSqfBbcJ5YzrevIreixCqcqTPWm5VlpGYtzS3dQptqRb/fu/x3ewZIRUV0pwDCZC4x0PNTI7I2fEyWrNEqwaA/7gPIwu600PGYf5gIP+1UNLhbhdGJjCl6PKL2srNs8=,iv:3Dfw5FEGvHzvCIslTFAoy0Y6Vzp/KjT4sAJq7nWgBSs=,tag:CZmVCBJrxVyCvtV03qaP7A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUTdsY1F6bXFtNWcvTlEw
+ YVBSUHFKOFVaUTBBNDQ1YURrTDcyTkMrcndzClRZbkw1a2xzU2lwZDM3QVE5dFhs
+ ay8rYmt5QUFVTGpNVzJkTzlTOElSZVUKLS0tIGYwUDFKazhNcFZvNVEwT3R3K2FM
+ Y0RKVmdleHJBZ0lkNzNJbVc2UzY5dU0KEK8p4FnlZ5LRXl4LAYBnhKssxS5wVOzn
+ sK+T3B6sduuFsCDtKj8PslRHqhqUzKx9zHnmEzVdknz5lMu3VR8dig==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-14T18:02:20Z"
+ mac: ENC[AES256_GCM,data:M5jjc6EjOS07PEc36z5Bj5wKYcIILFH34AWgdQDWsST4xeyFl+I0nDBJNxfsHuh9j5DOiqVSQsgGVww5ldb491JC6CDwAbjU/vAU9qmncBU6QGH3li/iqUQgL5i6JRBwdiuaDG+MUG9uYuyJoQrFFY64ysKcZEu50Uz3ZFE4zzA=,iv:EIewnDy+oBC1x/TMLbF7qwrjvq/eRW6D5VXOpmWQUf0=,tag:E7OQfoVQFABZw6CrFpBb0g==,type:str]
+ pgp:
+ - created_at: "2024-08-14T17:48:29Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D1GtNSlou/HkSAQdAjC0ApM8rgWrRJZNhQp67X7SsTM3bR6eG39MKdzyDIXYw
+ pXMhu4F75V2X22ptlUfvIyCZWk2Xo4O3DvyjjTPXPucvgKDq3sCrUZ5s7PzuSPkL
+ 0l4BybEwUNioL8xs8+Mft6kFAXiXQX3f4Y5IYNi2L5uboDEASyXpmwE14FAITeIO
+ XAsG0U6WAh/GtOtaP4R7samvM67e4CSbijxM4FaITZa1K4LcmSeVGl3SgiSAuDj2
+ =KquB
+ -----END PGP MESSAGE-----
+ fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1