make letsencrypt use sops for secret
parent
b44da6f303
commit
5db376a330
5 changed files with 73 additions and 10 deletions
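--- a/docs/examples/vaultwarden/.sops.yaml
+++ b/docs/examples/vaultwarden/.sops.yaml
@@ -0,0 +1,18 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+  - &me age1nj0ulq6863y9tdk0pkwjx4ltuyjpx6gftwy27mk3gkwja6k325esgaerlr
+  - &machine1 age16yraj9xdpjqazwakcy4fs9gcxu75el3yefpzudhv7zu9pn6jsvtqeee23r
+
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *me
+  - path_regex: secrets/machine1/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *me
+      - *machine1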
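Review bot: The first creation rule, `path_regex: secrets/[^/]+\.yaml$`, lists only `*me`, so `secrets/linode.yaml` added in this commit can be decrypted by the admin key alone (its `sops.age` block shows that single recipient), while `&machine1` is only reachable through `secrets/machine1/`, which nothing in this commit uses. If `machine1` is the VM's SSH-host-derived age identity (the one `sops.age.sshKeyPaths` in the nixops file would load), either add `- *machine1` under the first rule's `age:` list or move the file to `secrets/machine1/linode.yaml`, then run `sops updatekeys` so the existing file gains that recipient; otherwise the admin's private key has to be shipped to the target for activation to succeed.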
|
@ -11,7 +11,13 @@ When that's done, explore the files in this folder.
|
||||||
To try it out locally, follow [deploy to staging](/docs/tutorials/deploystaging.md).
|
To try it out locally, follow [deploy to staging](/docs/tutorials/deploystaging.md).
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nixops set-args --arg domain '"dev.mydomain.com"' --network dev
|
nixops set-args --network dev \
|
||||||
|
--arg domain '"dev.mydomain.com"' \
|
||||||
|
--arg sopsKeyFile '"$HOME/.config/sops/age/keys.txt"'
|
||||||
|
```
|
||||||
|
|
||||||
|
You can use the `info` subcommand to print the values of the arguments:
|
||||||
|
```bash
|
||||||
nixops info --network dev
|
nixops info --network dev
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -26,5 +32,5 @@ nixops create ./network-virtualbox.nix -d vaultwarden-staging
|
||||||
nixops deploy --network dev
|
nixops deploy --network dev
|
||||||
nixops reboot
|
nixops reboot
|
||||||
|
|
||||||
disnixos-env -s services.nix -n network-virtualbox.nix -d distribution.nix
|
disnixos-env -s services.nix -n dev/nixops.nix -d distribution.nix
|
||||||
```
|
```
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
{
|
{
|
||||||
domain ? "dev.mydomain.com",
|
domain ? "dev.mydomain.com",
|
||||||
|
sopsKeyFile ? "",
|
||||||
}:
|
}:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -24,6 +25,9 @@
|
||||||
["--natpf1" "${name},${protocol},,${toString host},,${toString guest}"];
|
["--natpf1" "${name},${protocol},,${toString host},,${toString guest}"];
|
||||||
in
|
in
|
||||||
recursiveUpdate base {
|
recursiveUpdate base {
|
||||||
|
imports = [
|
||||||
|
<sops-nix/modules/sops>
|
||||||
|
];
|
||||||
deployment.targetEnv = "virtualbox";
|
deployment.targetEnv = "virtualbox";
|
||||||
deployment.virtualbox = {
|
deployment.virtualbox = {
|
||||||
memorySize = 1024;
|
memorySize = 1024;
|
||||||
|
@ -31,5 +35,18 @@
|
||||||
headless = true;
|
headless = true;
|
||||||
vmFlags = concatMap mkPortMapping vbox.portMappings;
|
vmFlags = concatMap mkPortMapping vbox.portMappings;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# This will add secrets.yml to the nix store
|
||||||
|
# You can avoid this by adding a string to the full path instead, i.e.
|
||||||
|
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
||||||
|
sops.defaultSopsFile = ../secrets/linode.yaml;
|
||||||
|
# This will automatically import SSH keys as age keys
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
# This is using an age key that is expected to already be in the filesystem
|
||||||
|
sops.age.keyFile = /. + sopsKeyFile;
|
||||||
|
# This will generate a new key if the key specified above does not exist
|
||||||
|
sops.age.generateKey = true;
|
||||||
|
# This is the actual specification of the secrets.
|
||||||
|
sops.secrets.linode = {};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
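Review bot: `sops.age.keyFile = /. + sopsKeyFile;` turns the key-file location into a Nix path value, and if anything downstream interpolates that path into a string the private age key ends up in the world-readable Nix store — the same hazard the comment above this line raises for `defaultSopsFile`, but for the decryption key rather than the encrypted file. Passing the option as a string, `sops.age.keyFile = if sopsKeyFile != "" then sopsKeyFile else null;`, keeps the key out of the store and also handles the default `sopsKeyFile ? ""`, where `/. + ""` does not name a usable key file while `generateKey = true` is set. Note too that the README's `'"$HOME/..."'` quoting hands a literal `$HOME` to Nix (only `${...}` is interpolated in a Nix string), so the path configured on the VM would be `/$HOME/.config/...`; since `secrets/linode.yaml` in this commit is encrypted only to the `&me` recipient, a key generated at that path cannot decrypt it, and encrypting to the host's SSH-derived age key already listed in `sops.age.sshKeyPaths` would avoid copying the admin key at all. The `recursiveUpdate base { ... }` set these options live in starts outside the hunk.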
@ -83,13 +83,6 @@ rec {
|
||||||
};
|
};
|
||||||
|
|
||||||
# deployment.keys = {
|
# deployment.keys = {
|
||||||
# linode.text = ''
|
|
||||||
# LINODE_HTTP_TIMEOUT=10
|
|
||||||
# LINODE_POLLING_INTERVAL=10
|
|
||||||
# LINODE_PROPAGATION_TIMEOUT=240
|
|
||||||
# LINODE_TOKEN=383525f4d58919d43506e6ab43a549a6eda6491eccb8e384d43013f0bcf45d47
|
|
||||||
# '';
|
|
||||||
|
|
||||||
# keycloakdbpassword.text = ''
|
# keycloakdbpassword.text = ''
|
||||||
# KC_DB_PASSWORD="${secret "${domain}/keycloakdbpassword"}"
|
# KC_DB_PASSWORD="${secret "${domain}/keycloakdbpassword"}"
|
||||||
# '';
|
# '';
|
||||||
|
@ -129,7 +122,15 @@ rec {
|
||||||
email = "ibizapeanut@gmail.com";
|
email = "ibizapeanut@gmail.com";
|
||||||
dnsProvider = "linode";
|
dnsProvider = "linode";
|
||||||
dnsResolver = "8.8.8.8";
|
dnsResolver = "8.8.8.8";
|
||||||
credentialsFile = "/run/keys/linode";
|
|
||||||
|
# For example, to use Linode to prove the dns challenge,
|
||||||
|
# the content of the file should be the following, with
|
||||||
|
# XXX replaced by your Linode API token.
|
||||||
|
# LINODE_HTTP_TIMEOUT=10
|
||||||
|
# LINODE_POLLING_INTERVAL=10
|
||||||
|
# LINODE_PROPAGATION_TIMEOUT=240
|
||||||
|
# LINODE_TOKEN=XXX
|
||||||
|
credentialsFile = "/run/secrets/linode";
|
||||||
enableDebugLogs = true;
|
enableDebugLogs = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
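Review bot: The `LINODE_TOKEN=` line inside the commented-out `deployment.keys` block removed in the first hunk carries what looks like a real API token; deleting it from the tree does not remove it from history, so it should be treated as exposed, rotated at the provider, and the rotated value re-encrypted into `secrets/linode.yaml`. On the new side, `credentialsFile = "/run/secrets/linode";` matches the default location sops-nix mounts `sops.secrets.linode` at, and the comment block above it would be more useful with one line tying the two together, e.g. `# Provided by sops.secrets.linode (see the nixops network file); one KEY=VALUE per line.`. The enclosing `rec { ... }` set and the ACME certificate attribute set both start outside the hunk.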
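--- a/docs/examples/vaultwarden/secrets/linode.yaml
+++ b/docs/examples/vaultwarden/secrets/linode.yaml
@@ -0,0 +1,21 @@
+linode: ENC[AES256_GCM,data:Rg/k/gmBJ8iBP9KW8Zom7gGecNG404v9oQ85MuXPB+fjKowmm36YJ61tiVhUADPsFMWezulJG3RpvpoqZLPU+8cCX1KPsfJgUN77MlQRjjdraqVMq/opcEXfwIs3g76y9hDvbTMVIGpKCVE8hl7N5XTRPkQPSpracj+papL0bdFLhmsDgGi/vmaH7zs9K6gwYQv/mzz2oy6oZh8NoAlF,iv:2Z4NLAQmf/m5oemdM7Z+MAAyVUBVZoA4Zia/bqcW8u0=,tag:WeVnU4swvvQdA7QU9Ax4Xg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1nj0ulq6863y9tdk0pkwjx4ltuyjpx6gftwy27mk3gkwja6k325esgaerlr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweERHTXJWU1BWNXJJUVNM
+            WUZObm82a0JHSWM2cWdBQTI2ckRvMnRGMDIwCm9TZWtTTUlaTTRuYVcvd1J3TnVF
+            dUN0NFdtaTZWL2IraE5BcE43WWdXcmMKLS0tIDFyQ3FGT1F4dkVtU0U5R2FNNlRa
+            dXB5OEx1clZiMktxdkFVUVpWOUtleU0Kb4E+x2cxcOayFigQDo9dv3e/si9a19YJ
+            mw2PUTb1Tm3PQ/ZXW6R6y5CfzFf7FhBTpRas84sPDg9MrOrWLygUgw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-09T05:03:49Z"
+    mac: ENC[AES256_GCM,data:t03zcu+puxqs6bqb+7MJDY67UXJVN4RP48VSY2aBYtzRp4tcZ0zKpqGDJ2y9sFkLkUu5Mvha68g5Bd6uylQFwVyks2HQyyT0UFsQWJfpk9WGXElmJ+BeU4m51QFLK17rAFGSqvlHjbo3U47IgySlr4vViIyikOxY/UAUI0r2jsQ=,iv:Q5QgjDszLKbcqN415YLdqMGLa0b3Cy4WbXOtkT4HKBs=,tag:Cgpox1V73/UU4kg+dLgyWA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3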