secrets: migrate ytnix to new structure

This commit is contained in:
cy 2024-12-16 21:45:58 -05:00
parent 59fc4229a0
commit ed8a15bfea
3 changed files with 16 additions and 48 deletions


@ -11,15 +11,19 @@
../common.nix
];
sops.defaultSopsFile = ./secrets.yaml;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = {
"borg/yt" = {};
"azure" = {};
"ntfy" = {};
"wireguard/private" = {};
"wireguard/psk" = {};
"services/borg/yt" = {
sopsFile = ../../secrets/services/borg/yt.yaml;
};
"services/ntfy" = {
sopsFile = ../../secrets/services/ntfy.yaml;
};
"wireguard/yt/private" = {
sopsFile = ../../secrets/wireguard/yt.yaml;
};
"wireguard/yt/psk" = {
sopsFile = ../../secrets/wireguard/yt.yaml;
};
};
boot = {
@ -183,7 +187,7 @@
repo = "de3911@de3911.rsync.net:borg/yt";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/secrets/borg/yt";
passCommand = ''cat ${config.sops.secrets."borg/yt/rsyncnet".path}"'';
};
environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
@ -195,7 +199,7 @@
# warnings are often not that serious
failOnWarnings = false;
postHook = ''
${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "ytnixRsync: backup completed with exit code: $exitStatus
${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy/ntfy".path}) -d "ytnixRsync: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk
'';
@ -284,14 +288,14 @@
# wireguard setup
networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
privateKeyFile = "/run/secrets/wireguard/private";
privateKeyFile = config.sops.secrets."wireguard/yt/private".path;
peers = [
{
publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
allowedIPs = ["0.0.0.0/0" "::/0"];
endpoint = "31.59.129.225:51820";
persistentKeepalive = 25;
presharedKeyFile = "/run/secrets/wireguard/psk";
presharedKeyFile = config.sops.secrets."wireguard/yt/psk".path;
}
];
};
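Review bot: The new passCommand line `passCommand = ''cat ${config.sops.secrets."borg/yt/rsyncnet".path}"'';` carries a stray `"` before the closing `''`, so the command borg runs ends in an unbalanced double quote and the passphrase lookup fails; it should read `passCommand = "cat ${config.sops.secrets."borg/yt/rsyncnet".path}";`. The attribute names used there and in the postHook (`"borg/yt/rsyncnet"`, `"services/ntfy/ntfy"`) do not match the secrets declared in the first hunk (`"services/borg/yt"`, `"services/ntfy"`); unless one of the other two files in this commit declares them, evaluation fails with a missing attribute, and keeping declaration and reference in agreement is the point of moving from hard-coded `/run/secrets/...` paths to `.path`. The wireguard references do match their declarations. Separately, `curl -u $(cat ...)` in the postHook still places the ntfy credential on the command line, where it is visible to other local users through the process table; a `--netrc-file` or `-K` config file pointing at the secret path keeps it out of argv.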