From 58bc17919285e5f41fae36ff044263f2770993c5 Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sat, 23 Dec 2023 22:49:50 -0800 Subject: [PATCH] add nextcloud demo fixes #62 --- demo/nextcloud/README.md | 219 ++++++++++++++++++++++ demo/nextcloud/configuration.nix | 65 +++++++ demo/nextcloud/flake.lock | 170 +++++++++++++++++ demo/nextcloud/flake.nix | 64 +++++++ demo/nextcloud/hardware-configuration.nix | 64 +++++++ demo/nextcloud/keys.txt | 3 + demo/nextcloud/secrets.yaml | 42 +++++ demo/nextcloud/sops.yaml | 7 + demo/nextcloud/ssh_config | 8 + demo/nextcloud/sshkey | 7 + demo/nextcloud/sshkey.pub | 1 + 11 files changed, 650 insertions(+) create mode 100644 demo/nextcloud/README.md create mode 100644 demo/nextcloud/configuration.nix create mode 100644 demo/nextcloud/flake.lock create mode 100644 demo/nextcloud/flake.nix create mode 100644 demo/nextcloud/hardware-configuration.nix create mode 100644 demo/nextcloud/keys.txt create mode 100644 demo/nextcloud/secrets.yaml create mode 100644 demo/nextcloud/sops.yaml create mode 100644 demo/nextcloud/ssh_config create mode 100644 demo/nextcloud/sshkey create mode 100644 demo/nextcloud/sshkey.pub diff --git a/demo/nextcloud/README.md b/demo/nextcloud/README.md new file mode 100644 index 0000000..171f8f2 --- /dev/null +++ b/demo/nextcloud/README.md 
@@ -0,0 +1,219 @@ +# Nextcloud Demo {#demo-nextcloud} + +**This whole demo is highly insecure as all the private keys are available publicly. This is +only done for convenience as it is just a demo. Do not expose the VM to the internet.** + +The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [15 +lines](./flake.nix#L29-L45) of related code. + +This guide will show how to deploy this setup to a Virtual Machine, like showed +[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 6 commands. + +## Deploy to the VM {#deploy-to-the-vm} + +Build the VM and start it: + +```bash +rm nixos.qcow2; \ + nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. ; \ + QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm +``` + +This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will +need to run the rest of the commands in another terminal. + +The nested command, the one in between the parenthesis `$(...)` is used to print the VM's public age key, whic. + +With the VM started, make the secrets in `secrets.yaml` decryptable in the VM. This change will +appear in `git status` but you don't need to commit this. + +```bash +SOPS_AGE_KEY_FILE=keys.txt \ + nix run --impure nixpkgs#sops -- --config sops.yaml -r -i \ + --add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') \ + secrets.yaml +``` + +If you forget this step, the deploy will seem to go fine but the secrets won't be populated and +Nextcloud will not start. + +Make the ssh key private: + +```bash +chmod 600 sshkey +``` + +This is only needed because git mangles with the permissions. You will not even see this change in +`git status`. 
+ +You can ssh into the VM with, but this is not required for the demo: + +```bash +ssh -F ssh_config example +``` + +Finally, deploy with: + +```bash +SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply +``` + +The deploy will take a few minutes the first time and subsequent deploys will take around 15 +seconds. + +## Access Nextcloud Through Your Browser {#access-nextcloud-through-your-browser} + +Add the following entry to your `/etc/hosts` file: + +```nix +networking.hosts = { + "127.0.0.1" = [ "n.example.com" ]; +}; +``` + +Which produces: + +```bash +$ cat /etc/hosts +127.0.0.1 n.example.com +``` + +Go to [http://n.example.com:8080](http://n.example.com:8080) and login with: + +- username: `root` +- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`. + +Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you +might see errors loading scripts. + +## In More Details {#in-more-details} + +### Files {#files} + +- [`flake.nix`](./flake.nix): nix entry point, defines one target host for + [colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for + setting up the Nextcloud service. +- [`configuration.nix`](./configuration.nix): defines all configuration required for colmena + to deploy to the VM. The file has comments if you're interested. +- [`hardware-configuration.nix`](./hardware-configuration.nix): defines VM specific layout. + This was generated with nixos-generate-config on the VM. +- Secrets related files: + - [`keys.txt`](./keys.txt): your private key for sops-nix, allows you to edit the `secrets.yaml` + file. This file should never be published but here I did it for convenience, to be able to + deploy to the VM in less steps. + - [`secrets.yaml`](./secrets.yaml): encrypted file containing required secrets for Nextcloud. This file can be publicly accessible. 
+ - [`sops.yaml`](./sops.yaml): describes how to create the `secrets.yaml` file. Can be publicly + accessible. +- SSH related files: + - [`sshkey(.pub)`](./sshkey): your private and public ssh keys. Again, the private key should usually not + be published as it is here but this makes it possible to deploy to the VM in less steps. + - [`ssh_config`](./ssh_config): the ssh config allowing you to ssh into the VM by just using the + hostname `example`. Usually you would store this info in your `~/.ssh/config` file but it's + provided here to avoid making you do that. + +### Virtual Machine {#virtual-machine} + +_More info about the VM._ + +We use `build-vm-with-bootloader` instead of just `build-vm` as that's the only way to deploy to the VM. + +The VM's User and password are both `nixos`, as setup in the [`configuration.nix`](./configuration.nix) file under +`user.users.nixos.initialPassword`. + +You can login with `ssh -F ssh_config example`. You just need to accept the fingerprint. + +The VM's hard drive is a file name `nixos.qcow2` in this directory. It is created when you first create the VM and re-used since. You can just remove it when you're done. + +That being said, the VM uses `tmpfs` to create the writable nix store so if you stumble in a disk +space issue, you must increase the +`virtualisation.vmVariantWithBootLoader.virtualisation.memorySize` setting. + +### Secrets {#secrets} + +_More info about the secrets._ + +The private key in the `keys.txt` file is created with: + +```bash +$ nix shell nixpkgs#age --command age-keygen -o keys.txt +Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 +``` + +We use the printed public key in the `admin` field of the `sops.yaml` file. + +The `secrets.yaml` file must follow the format: + +```yaml +nextcloud: + adminpass: 43bb4b8f82fc645ce3260b5db803c5a8 + onlyoffice: + jwt_secret: XYZ... 
+``` + +To open the `secrets.yaml` file and optionnally edit it, run: + +```bash +SOPS_AGE_KEY_FILE=keys.txt nix run --impure nixpkgs#sops -- \ + --config sops.yaml \ + secrets.yaml +``` + +You can generate random secrets with: + +```bash +$ nix run nixpkgs#openssl -- rand -hex 64 +``` + +If you choose a password too small, ldap could refuse to start. + +#### Why do we need the VM's public key {#public-key-necessity} + +The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the +[`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add +secrets to that file and when deploying, it will be decrypted and the secrets will be copied +in the `/run/secrets` folder on the VM. We thus need one private key for you to edit the +[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets. + +Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when +creating the VM in the step above, a new private key and its accompanying public key were +automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the +public key and add it to the `secrets.yaml` which we did in the Deploy section. + +### SSH {#ssh} + +The private and public ssh keys were created with: + +```bash +ssh-keygen -t ed25519 -f sshkey +``` + +You don't need to copy over the ssh public key over to the VM as we set the `keyFiles` option which copies the public key when the VM gets created. +This allows us also to disable ssh password authentication. 
+ +For reference, if instead you didn't copy the key over on VM creating and enabled ssh +authentication, here is what you would need to do to copy over the key: + +```bash +$ nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example +``` + +### Deploy {#deploy} + +If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input +selfhostblocks`. + +``` +error: NAR hash mismatch in input ... +``` + +### Update Demo {#update-demo} + +If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy. + +If you update the `configuration.nix` file, you will need to rebuild the VM from scratch. + +If you update a module in the Self Host Blocks repository, you will need to update the lock file with: + +```bash +nix flake lock --override-input selfhostblocks ../.. --update-input selfhostblocks +``` diff --git a/demo/nextcloud/configuration.nix b/demo/nextcloud/configuration.nix new file mode 100644 index 0000000..a63c4ac --- /dev/null +++ b/demo/nextcloud/configuration.nix 
@@ -0,0 +1,65 @@
+{ config, pkgs, ... }:
+
+let
+ targetUser = "nixos";
+ targetPort = 2222;
+in
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.kernelModules = [ "kvm-intel" ];
+ system.stateVersion = "22.11";
+
+ # Options above are generate by running nixos-generate-config on the VM.
+
+ # Needed otherwise deploy will say system won't be able to boot.
+ boot.loader.grub.device = "/dev/vdb";
+ # Needed to avoid getting into not available disk space in /boot.
+ boot.loader.grub.configurationLimit = 1;
+ # The NixOS /nix/.rw-store mountpoint is backed by tmpfs which uses memory. We need to increase
+ # the available disk space to install home-assistant.
+ virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192;
+
+ # Options above are needed to deploy in a VM.
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ # We need to create the user we will deploy with.
+ users.users.${targetUser} = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ initialPassword = "nixos";
+ # With this option, you don't need to use ssh-copy-id to copy the public ssh key to the VM.
+ openssh.authorizedKeys.keyFiles = [
+ ./sshkey.pub
+ ];
+ };
+
+ # The user we're deploying with must be able to run sudo without password.
+ security.sudo.extraRules = [
+ { users = [ targetUser ];
+ commands = [
+ { command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+
+ # Needed to allow the user we're deploying with to write to the nix store.
+ nix.settings.trusted-users = [
+ targetUser
+ ];
+
+ # We need to enable the ssh daemon to be able to deploy.
+ services.openssh = {
+ enable = true;
+ ports = [ targetPort ];
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ };
+}
diff --git a/demo/nextcloud/flake.lock b/demo/nextcloud/flake.lock
new file mode 100644
index 0000000..439f3f4
--- /dev/null
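Review bot: The deploy user gets `NOPASSWD` sudo for `ALL` plus `nix.settings.trusted-users`, and the only entry in `openssh.authorizedKeys.keyFiles` is `sshkey.pub`, whose private half is committed in this same patch — so anyone who can reach the VM's port 2222 is root on it, and `initialPassword = "nixos"` keeps console login open on top of that. The README's warning only covers internet exposure, yet the `hostfwd=tcp::2222-:2222` in its run command has no host address, which as far as I recall makes QEMU listen on every host interface rather than loopback, so the LAN can reach it too; it deserves a comment next to the key: `# WARNING: the matching private key is committed to this repo (demo only); anyone reaching the ssh port gets passwordless root on this VM.` Two smaller things: the comment above `memorySize` still talks about installing home-assistant, and `permitRootLogin`/`passwordAuthentication` are the pre-23.05 spellings which, on the nixpkgs pinned here, should resolve through renamed-option aliases with an evaluation warning — `settings.PermitRootLogin = "no"; settings.PasswordAuthentication = false;` is the current form, if I have the rename timeline right.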
+++ b/demo/nextcloud/flake.lock 
@@ -0,0 +1,170 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nix-flake-tests": { + "locked": { + "lastModified": 1677844186, + "narHash": "sha256-ErJZ/Gs1rxh561CJeWP5bohA2IcTq1rDneu1WT6CVII=", + "owner": "antifuchs", + "repo": "nix-flake-tests", + "rev": "bbd9216bd0f6495bb961a8eb8392b7ef55c67afb", + "type": "github" + }, + "original": { + "owner": "antifuchs", + "repo": "nix-flake-tests", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1687681650, + "narHash": "sha256-M2If+gRcfpmaJy/XbfSsRzLlPpoU4nr0NHnKKl50fd8=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "1c9db9710cb23d60570ad4d7ab829c2d34403de3", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1687031877, + "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1686628398, + "narHash": "sha256-jXEuS/dex59Oon4tll+Jb8aVl6B8HX/aREigHjt2S6E=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "202850e1a11a939364cef0f326cb1352b3f2d8cd", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nmdsrc": { + "flake": false, + "locked": { + "lastModified": 1701431551, + "narHash": "sha256-5HPHG1u3koaWHG/TXHl5/YxYPYOuKc58104btrD8ypE=", 
+ "ref": "refs/heads/master", + "rev": "f18defadcc25e69e95b04493ee02682005472255", + "revCount": 65, + "type": "git", + "url": "https://git.sr.ht/~rycee/nmd" + }, + "original": { + "type": "git", + "url": "https://git.sr.ht/~rycee/nmd" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs", + "selfhostblocks": "selfhostblocks", + "sops-nix": "sops-nix" + } + }, + "selfhostblocks": { + "inputs": { + "flake-utils": "flake-utils", + "nix-flake-tests": "nix-flake-tests", + "nixpkgs": [ + "nixpkgs" + ], + "nmdsrc": "nmdsrc", + "sops-nix": [ + "sops-nix" + ] + }, + "locked": { + "lastModified": 1703412385, + "narHash": "sha256-nPOnGY7V54rZezB0RelV2Kvqtv7yd84247y8AJg66rY=", + "owner": "ibizaman", + "repo": "selfhostblocks", + "rev": "40f0f233c247b26f98b8912ffab0feb8283744d1", + "type": "github" + }, + "original": { + "owner": "ibizaman", + "repo": "selfhostblocks", + "type": "github" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1687398569, + "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "2ff6973350682f8d16371f8c071a304b8067f192", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/demo/nextcloud/flake.nix b/demo/nextcloud/flake.nix new file mode 100644 index 0000000..981596f --- /dev/null +++ b/demo/nextcloud/flake.nix 
@@ -0,0 +1,64 @@
+{
+ description = "Home Assistant example for Self Host Blocks";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ sops-nix.url = "github:Mic92/sops-nix";
+
+ selfhostblocks.url = "github:ibizaman/selfhostblocks";
+ selfhostblocks.inputs.nixpkgs.follows = "nixpkgs";
+ selfhostblocks.inputs.sops-nix.follows = "sops-nix";
+ };
+
+ outputs = inputs@{ self, nixpkgs, sops-nix, selfhostblocks, ... }: {
+ colmena = {
+ meta = {
+ nixpkgs = import nixpkgs {
+ system = "x86_64-linux";
+ };
+ specialArgs = inputs;
+ };
+
+ myserver = { config, ... }: {
+ imports = [
+ ./configuration.nix
+ sops-nix.nixosModules.default
+ selfhostblocks.nixosModules.x86_64-linux.default
+ ];
+
+ # Used by colmena to know which target host to deploy to.
+ deployment = {
+ targetHost = "example";
+ targetUser = "nixos";
+ targetPort = 2222;
+ };
+
+ shb.nextcloud = {
+ enable = true;
+ domain = "example.com";
+ subdomain = "n";
+ dataDir = "/var/lib/nextcloud";
+ tracing = null;
+
+ # This option is only needed because we do not access Nextcloud at the default port in the VM.
+ externalFqdn = "n.example.com:8080";
+
+ adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
+ };
+
+ # Secret needed for services.nextcloud.config.adminpassFile.
+ sops.secrets."nextcloud/adminpass" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0440";
+ owner = "nextcloud";
+ group = "nextcloud";
+ restartUnits = [ "phpfpm-nextcloud.service" ];
+ };
+
+ # Set to true for more debug info with `journalctl -f -u nginx`.
+ shb.nginx.accessLog = true;
+ shb.nginx.debugLog = false;
+ };
+ };
+ };
+}
diff --git a/demo/nextcloud/hardware-configuration.nix b/demo/nextcloud/hardware-configuration.nix
new file mode 100644
index 0000000..b94f3e7
--- /dev/null
+++ b/demo/nextcloud/hardware-configuration.nix
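Review bot: The flake's `description` still says "Home Assistant example for Self Host Blocks" although everything under `outputs` configures Nextcloud; `description = "Nextcloud example for Self Host Blocks";` matches the file. Less cosmetically, `nixpkgs.url` tracks `nixos-unstable` but the accompanying flake.lock pins it at a June 2023 revision (`lastModified` 1687681650) in a December 2023 commit, so the Nextcloud and nginx a reader deploys from this demo are about half a year behind whatever fixes landed since; either `nix flake update` before publishing or a README sentence saying the lock is intentionally stale would help. `deployment.targetHost = "example"` is not a resolvable name by itself — it only works through the repo's `ssh_config` loaded via `SSH_CONFIG_FILE` — so a comment on that line such as `# "example" is defined in ./ssh_config; see the README for SSH_CONFIG_FILE.` would save a reader a confusing ssh failure.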
@@ -0,0 +1,64 @@ +# This file was generated by running nixos-generate-config on the VM. +# +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/vda"; + fsType = "ext4"; + }; + + fileSystems."/nix/.ro-store" = + { device = "nix-store"; + fsType = "9p"; + }; + + fileSystems."/nix/.rw-store" = + { device = "tmpfs"; + fsType = "tmpfs"; + }; + + fileSystems."/tmp/shared" = + { device = "shared"; + fsType = "9p"; + }; + + fileSystems."/tmp/xchg" = + { device = "xchg"; + fsType = "9p"; + }; + + fileSystems."/nix/store" = + { device = "overlay"; + fsType = "overlay"; + }; + + fileSystems."/boot" = + { device = "/dev/vdb2"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/demo/nextcloud/keys.txt b/demo/nextcloud/keys.txt new file mode 100644 index 0000000..d350313 --- /dev/null +++ b/demo/nextcloud/keys.txt 
@@ -0,0 +1,3 @@
+# created: 2023-11-17T00:05:25-08:00
+# public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
+AGE-SECRET-KEY-1EPLAHXWDEM5ZZAU7NFGHT5TWU08ZUCWTHYTLD8XC89350MZ0T79SA2MQAL
diff --git a/demo/nextcloud/secrets.yaml b/demo/nextcloud/secrets.yaml
new file mode 100644
index 0000000..19f89a3
--- /dev/null
+++ b/demo/nextcloud/secrets.yaml
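Review bot: This age identity is the sole `admin` recipient in `sops.yaml`, so with the secret line committed, everything in `secrets.yaml` — now and after any future edit made with it — is readable by anyone who has the repository; the README states this is deliberate for the demo. The file itself carries no such warning, and age-keygen's `#` comment lines are the natural place for one so the identity is not copied into a real `~/.config/sops/age/keys.txt` by habit: `# DEMO ONLY: this identity is public (committed to git). Never add it to a real sops setup or reuse it for real secrets.`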
@@ -0,0 +1,42 @@ +nextcloud: + adminpass: ENC[AES256_GCM,data:3FXgVNzKAKrQxoDmRIq188YYrfiEEyYqU3lgwydXHp4=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:nBt+8ciDRBiUzg3JEmiYnw==,type:str] + onlyoffice: + jwt_secret: ENC[AES256_GCM,data:+6qLNuOaFYRT092i1mkboi4DswEbcv/5+fQ0TpTCMkToWtNoxce5FyLoYpJoJIG3Kg5rrpNkfUYDugG9/5KWFu+31h8i8JdsxyiG0GGjtMbaUCzgiUyL+apMxl4S2b6jS2tGoExZhbgDFErE3p/wM5JTic1DE5HsFQr/49JI78w=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:/Z6oSecHHhZVx/jpbx4Wgw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRFc0aGZxa1RaWmZ4SlRk + c2MweTlQdGNQZE1VTDhrTHUzZ2pocUJFWEhNCndjcHB2elp0Zk1MbEFKTzN6a3pI + amdmSERWRFU4dzY1ck5MUE14SXV2c1UKLS0tIFk2MktiV1ljb3E3aXBFdTVlNUk0 + QWZUZWc4amJFVkkxb0tPc1FmeklTNFEK1Pqwg8AI2yw3y9dU9p6Mx2bhKb3lUPt7 + WhyWZbRT4zKjkcUp2NazqMKM35ru5i0037praFJgz05zkStn6twMqA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHckF2U0NLaXhsaGVtcms2 + bWZWN1RLQXh3VXRHTzQyM20wTFd0NVA5WTFBCjZvcXlDQS81NXhFRmlHZVV4WHRT + VUhteXIyc1dtRE1OZmk1MmVaM3VzSkEKLS0tIGgrYzFaRkdwMnNEc1F1MGNwQjVx + U3RwYXR6elZ4YTFTNGk4dDVuaUhDUjQKfkIG0oDVqDfSZCxHOZThFlY2V0KpXwBY + D7eodJ26fjJBAaqbvZkWF/BMCKTpAs4cQEHIW70yu6c+kMdV10D9fA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cm5oRXpPTER3a0djWVov + b2E3UjVNQnNKdFVxZnpkN0l6MjdkdDdXbkZrCk1nQ3Z3Y1psZmdRelJsZkRmV2Zk + WWVXMVplL0gxRDFlemhGQVp3eDhuajgKLS0tIGMxQVJjc0xkOVIrSzFYNXk0MHNM + aHg3S3MycVJTcVZvR0hYZ1RXelhqcWMKsb4tbh/q/XDdDmwkxLvaa5olDjYIGIVH + oZSqSF4ws7bRPTX8WAFFyoRw2kcZyc41WfBY1/8DcBKE/SHe5TKPEg== + 
-----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-22T07:04:41Z"
+ mac: ENC[AES256_GCM,data:J9EsLR+Rr23io0zx7NnHahds3Y4PNGgKoooLb4hXXeu/sORz+IWALhnF35SHsZaAAvwdCtjy5G7jrryRMKWGXy1uMs7WcsDGtI36Q9DVBuUav8gLWes0NEMv62nKrruS1zMcgYQdEPo7AL3sadbQxusEQNbhVfGxbiPXE9U3sfE=,iv:EpwwUnIhQeIHB13GBHFYELMeo36Qm45G382wQTcE8FM=,tag:Jb9C28oQjzsGVE1oFJzIBg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/demo/nextcloud/sops.yaml b/demo/nextcloud/sops.yaml
new file mode 100644
index 0000000..b9f8700
--- /dev/null
+++ b/demo/nextcloud/sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &admin age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *admin
diff --git a/demo/nextcloud/ssh_config b/demo/nextcloud/ssh_config
new file mode 100644
index 0000000..2717f97
--- /dev/null
+++ b/demo/nextcloud/ssh_config
@@ -0,0 +1,8 @@
+Host example
+ Port 2222
+ User nixos
+ HostName 127.0.0.1
+ IdentityFile sshkey
+ IdentitiesOnly yes
+ StrictHostKeyChecking no
+ UserKnownHostsFile=/dev/null
\ No newline at end of file
diff --git a/demo/nextcloud/sshkey b/demo/nextcloud/sshkey
new file mode 100644
index 0000000..626256a
--- /dev/null
+++ b/demo/nextcloud/sshkey
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIwAAAJiBL8xSgS/M
+UgAAAAtzc2gtZWQyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIw
+AAAECzMZfgJIQJUVgyKZ3IYnEVvwnYXJ8nstc4/g1H41dC/vueAR1wO7hRVt7ZnMGEqfYe
+E9bQ+USaASlv+SQyJ4UjAAAAEWV4YW1wbGVAbG9jYWxob3N0AQIDBA==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/demo/nextcloud/sshkey.pub b/demo/nextcloud/sshkey.pub
new file mode 100644
index 0000000..685f78a
--- /dev/null
+++ b/demo/nextcloud/sshkey.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPueAR1wO7hRVt7ZnMGEqfYeE9bQ+USaASlv+SQyJ4Uj example@localhost
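Review bot: The committed file is encrypted to three age recipients while `sops.yaml` lists only the `admin` key, and the README says the VM host key added with `--add-age` is not meant to be committed — so `age1ej98rmj…` and `age1j6scag…` look like converted host keys of earlier VM instances that were left in. Each stale recipient is one more identity able to decrypt every secret in the file, and nothing in the repo records what they are. Running `SOPS_AGE_KEY_FILE=keys.txt sops --config sops.yaml updatekeys secrets.yaml` before committing re-encrypts to exactly the recipients declared in `sops.yaml`. Worth noting too that `adminpass` is printed in plaintext in the README, so the encryption here demonstrates the workflow rather than protecting the value.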
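Review bot: `StrictHostKeyChecking no` together with `UserKnownHostsFile=/dev/null` turns host authentication off entirely, so `colmena apply` will push the closure and run its sudo commands against whatever answers on 127.0.0.1:2222, and the README's "You just need to accept the fingerprint" never actually happens with this config. Since the README already runs `ssh-keyscan -p 2222 -t ed25519 -4 localhost` to obtain the VM's host key for sops, the same step can populate a repo-local known_hosts: `StrictHostKeyChecking yes` and `UserKnownHostsFile known_hosts`, with `ssh-keyscan -p 2222 -t ed25519 127.0.0.1 > known_hosts` added after the VM starts (scanning `127.0.0.1`, not `localhost`, so the entry matches the `HostName` here). `known_hosts` would need removing together with `nixos.qcow2`, since a rebuilt VM generates a fresh host key. The file also lacks a trailing newline.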