Add nyastodon secrets

This commit is contained in:
emily 2024-08-14 18:46:14 +02:00
parent decd75c77d
commit d6bdadef61
Signed by: emily
GPG key ID: F6F4C66207FCF995
3 changed files with 70 additions and 0 deletions

View file

@ -2,6 +2,7 @@ keys:
- &emily B04F01A7A98A13020C39B4A68AB7B773A214ACE5 - &emily B04F01A7A98A13020C39B4A68AB7B773A214ACE5
- &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd - &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
- &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
- &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
creation_rules: creation_rules:
- path_regex: secrets/services/dns-knot.yaml - path_regex: secrets/services/dns-knot.yaml
key_groups: key_groups:
@ -39,3 +40,9 @@ creation_rules:
- *emily - *emily
age: age:
- *seras - *seras
- path_regex: secrets/services/nyastodon.yaml
key_groups:
- pgp:
- *emily
age:
- *girldick

View file

@ -1,4 +1,24 @@
{ config, pkgs, ... }: { { config, pkgs, ... }: {
sops.secrets."services/nyastodon/extraEnvFile" = {
sopsFile = ../../secrets/services/nyastodon.yaml;
owner = "mastodon";
};
sops.secrets."services/nyastodon/secretKeyBaseFile" = {
sopsFile = ../../secrets/services/nyastodon.yaml;
owner = "mastodon";
};
sops.secrets."services/nyastodon/otpSecretFile" = {
sopsFile = ../../secrets/services/nyastodon.yaml;
owner = "mastodon";
};
sops.secrets."services/nyastodon/vapidPrivateKeyFile" = {
sopsFile = ../../secrets/services/nyastodon.yaml;
owner = "mastodon";
};
sops.secrets."services/nyastodon/vapidPublicKeyFile" = {
sopsFile = ../../secrets/services/nyastodon.yaml;
owner = "mastodon";
};
services.mastodon = { services.mastodon = {
enable = true; enable = true;
package = pkgs.nyastodon; package = pkgs.nyastodon;
@ -6,5 +26,10 @@
configureNginx = true; configureNginx = true;
smtp.fromAddress = "webmaster@girldick.gay"; smtp.fromAddress = "webmaster@girldick.gay";
streamingProcesses = 16; streamingProcesses = 16;
extraEnvFiles = [ config.sops.secrets."services/nyastodon/extraEnvFile".path ];
secretKeyBaseFile = config.sops.secrets."services/nyastodon/secretKeyBaseFile".path;
otpSecretFile = config.sops.secrets."services/nyastodon/otpSecretFile".path;
vapidPrivateKeyFile = config.sops.secrets."services/nyastodon/vapidPrivateKeyFile".path;
vapidPublicKeyFile = config.sops.secrets."services/nyastodon/vapidPublicKeyFile".path;
}; };
} }

View file

@ -0,0 +1,38 @@
services:
nyastodon:
secretKeyBaseFile: ENC[AES256_GCM,data:VywfWY41tcM6zDCMlCLnOh5hRCkb3dLCmfDgcT0QoKTqlV2QqlutQMOAG4DA06HuIyext6DGOkvAsDGLIHb7SWblU6UaQgpoUCp+WpHqCc/fxzg9EsOy9ApF4ESCj/Fb+l55eRS7QlC7isU9zxWW5H9ccMxbmZcGePN8aGyZbaU=,iv:GHg1/Q64uuxFmbt9X/+WbmuHUVlXcK7fd0W+flYoxVs=,tag:8tlsSUXfyb67Cx4Eejmg9A==,type:str]
otpSecretFile: ENC[AES256_GCM,data:Gu0MAnP4E+oTNtVeqeKpI3RceCotoqo2kVKJXiCEUtw3Sm206nDIyfdcX7r7Ho+nlpwe05gYFYSb+ISgmz8p8bTxmAc2J/1fFnmC+6V/3d5sNP+a0KIdA0xVZ+HRTqe+N8X1n8n0FzbBvps5IZ4Y02Jvf7dK5QQyxj6H5fFzdhs=,iv:QrO78qm4jCBbdDPqoprVUHMM6XC9YTQ+U4zAnMVaHcM=,tag:HIzQUwsYi3i+SoDbbuaMUg==,type:str]
vapidPrivateKeyFile: ENC[AES256_GCM,data:YhT0xABuEa8VIlpzl1IAd5Jkni9xKBazF0EJssDfRfry7RHvrj5qyMkK17w=,iv:cfbspnityKGgGOohXcwGY6h8k2VbW35wa+Lzc/Z71mc=,tag:bK02soRkqcmkPKB/n2w/ug==,type:str]
vapidPublicKeyFile: ENC[AES256_GCM,data:CIv5x7oG4oJ13suTlMUEDnih26rQ6XhHFiyXz3kRjVkNiWFylLxRvpmCRvgogFQoH05MRTTm50qPK7GTFc0N/XMucGSS4bHpZFc/g/OJJAfjHWUixamK0w==,iv:Vo9txxYAY0YOmv23w94S7K0vh8QntCKiK7/VwA439P8=,tag:UtJmMFnnyYPgypDFBtgKjQ==,type:str]
extraEnvFile: ENC[AES256_GCM,data:kaMYIkHq7TluFww4SnQiVrEgm0+yIbXFucbMWRzdpq0KSrBD2Wim014KljfnGC6udMGApzhACHCRx0K5HtjxUW0dtoasQOregHZQL8peuvm8hWwsvAm4Y+uNY4zz6XU+2vZgUFLFWkJdRjWngc4Va2lLn0rGGV1GtGHUJrvCjNz931XGjVERaSqfBbcJ5YzrevIreixCqcqTPWm5VlpGYtzS3dQptqRb/fu/x3ewZIRUV0pwDCZC4x0PNTI7I2fEyWrNEqwaA/7gPIwu600PGYf5gIP+1UNLhbhdGJjCl6PKL2srNs8=,iv:3Dfw5FEGvHzvCIslTFAoy0Y6Vzp/KjT4sAJq7nWgBSs=,tag:CZmVCBJrxVyCvtV03qaP7A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUTdsY1F6bXFtNWcvTlEw
YVBSUHFKOFVaUTBBNDQ1YURrTDcyTkMrcndzClRZbkw1a2xzU2lwZDM3QVE5dFhs
ay8rYmt5QUFVTGpNVzJkTzlTOElSZVUKLS0tIGYwUDFKazhNcFZvNVEwT3R3K2FM
Y0RKVmdleHJBZ0lkNzNJbVc2UzY5dU0KEK8p4FnlZ5LRXl4LAYBnhKssxS5wVOzn
sK+T3B6sduuFsCDtKj8PslRHqhqUzKx9zHnmEzVdknz5lMu3VR8dig==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-14T18:02:20Z"
mac: ENC[AES256_GCM,data:M5jjc6EjOS07PEc36z5Bj5wKYcIILFH34AWgdQDWsST4xeyFl+I0nDBJNxfsHuh9j5DOiqVSQsgGVww5ldb491JC6CDwAbjU/vAU9qmncBU6QGH3li/iqUQgL5i6JRBwdiuaDG+MUG9uYuyJoQrFFY64ysKcZEu50Uz3ZFE4zzA=,iv:EIewnDy+oBC1x/TMLbF7qwrjvq/eRW6D5VXOpmWQUf0=,tag:E7OQfoVQFABZw6CrFpBb0g==,type:str]
pgp:
- created_at: "2024-08-14T17:48:29Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D1GtNSlou/HkSAQdAjC0ApM8rgWrRJZNhQp67X7SsTM3bR6eG39MKdzyDIXYw
pXMhu4F75V2X22ptlUfvIyCZWk2Xo4O3DvyjjTPXPucvgKDq3sCrUZ5s7PzuSPkL
0l4BybEwUNioL8xs8+Mft6kFAXiXQX3f4Y5IYNi2L5uboDEASyXpmwE14FAITeIO
XAsG0U6WAh/GtOtaP4R7samvM67e4CSbijxM4FaITZa1K4LcmSeVGl3SgiSAuDj2
=KquB
-----END PGP MESSAGE-----
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
unencrypted_suffix: _unencrypted
version: 3.8.1