From ea08aec4a7c808194f77212fd5d5d709d7d38db8 Mon Sep 17 00:00:00 2001
From: Pierre Penninckx
Date: Sun, 19 Nov 2023 09:06:53 -0800
Subject: [PATCH] update homeassistant example to actually work

---
 examples/homeassistant/README.md | 153 +++++++++++++++---
 examples/homeassistant/configuration.nix | 34 +++-
 examples/homeassistant/flake.lock | 56 ++++++-
 examples/homeassistant/flake.nix | 27 +++-
 .../homeassistant/hardware-configuration.nix | 64 ++++++++
 examples/homeassistant/keys.txt | 6 +-
 examples/homeassistant/secrets.yaml | 44 +++--
 examples/homeassistant/sops.yaml | 4 +-
 examples/homeassistant/ssh_config | 6 +
 9 files changed, 341 insertions(+), 53 deletions(-)
 create mode 100644 examples/homeassistant/hardware-configuration.nix
 create mode 100644 examples/homeassistant/ssh_config

diff --git a/examples/homeassistant/README.md b/examples/homeassistant/README.md
index 0e84ca9..719e82d 100644
--- a/examples/homeassistant/README.md
+++ b/examples/homeassistant/README.md
@@ -1,51 +1,164 @@ -# Use a VM to run this example +# Home Assistant Example + +This `flake.nix` file sets up Home Assistant server that uses a LDAP server to +setup users with only about [15 lines](./flake.nix#L39-L55) of related code. + +This guide will show how to deploy this setup to a Virtual Machine, like showed +[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 5 commands. + +## Launch VM Build VM with: ```bash -nixos-rebuild build-vm --fast -I nixos-config=./configuration.nix -I nixpkgs=. +nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. ``` -Start VM with: +Start VM with (this call is blocking): ```bash -QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-nixos-vm +QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm ``` -User is `nixos`, password is `nixos`. +User and password are both `nixos`, as setup in the [`configuration.nix`](./configuration.nix) file under +`user.users.nixos.initialPassword`. -Ssh into VM with `ssh -p 2222 nixos@localhost`. +You can login with `ssh -F ssh_config example`. You just need to accept the fingerprint. -If you get into issues with ssh trying too many public keys and failing, try instead: `ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no -p 2222 nixos@localhost`. +## Make VM able to decrypt the secrets.yaml file -For more information about running this example in a vm, see [NixOS_modules#Developing_modules](https://nixos.wiki/wiki/NixOS_modules#Developing_modules). +The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the +[`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will add +secrets to that secrets file and when deploying, it will be decrypted and the secrets will be copied +in the `/run/secrets` folder on the VM. 
We thus need one private key for you to edit the +[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets. -For more information about writing tests, see [the manual](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests). +Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when +creating the VM in the step above, a new private key and its accompanying public key were +automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the +public key. -Create your secret key which prints the public key used for `admin`: +With the VM started, print the VM's public age key with the following command. The value you need is +the one staring with `age`. ```bash -nix-shell -p age --run 'age-keygen -o keys.txt' +$ nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -4 localhost | ssh-to-age' +# localshost:2222 SSH-2.0-OpenSSH_9.1 +# localhost:2222 SSH-2.0-OpenSSH_9.1 +# localhost:2222 SSH-2.0-OpenSSH_9.1 +# localhost:2222 SSH-2.0-OpenSSH_9.1 +# localhost:2222 SSH-2.0-OpenSSH_9.1 +skipped key: got ssh-rsa key type, but only ed25519 keys are supported +age1l9dyy02qhlfcn5u9s4y2vhsvjtxj2c9avrpat6nvjd6rjar3tflq66jtz0 ``` -Get target host age key which prints the public key used for `vm`: +Now, make the `secrets.yaml` file decryptable in the VM. ```bash -nix-shell -p ssh-to-age --run 'ssh-keyscan -p 2222 -4 localhost | ssh-to-age' +SOPS_AGE_KEY_FILE=keys.txt nix run --impure nixpkgs#sops -- \ + --config sops.yaml -r -i \ + --add-age age1l9dyy02qhlfcn5u9s4y2vhsvjtxj2c9avrpat6nvjd6rjar3tflq66jtz0 \ + secrets.yaml ``` -Update `admin` and `vm` keys in sops.yaml. - -Edit secret itself with: +Later on, when the server is deployed, you will need to login to the LDAP server with the admin account. +You can find the secret `lldap.user_password` field in the [`secrets.yaml`](./secrets.yaml) file. 
To open it, run: ```bash -nix-shell -p sops --run 'sops --config sops.yaml secrets.yaml' +SOPS_AGE_KEY_FILE=keys.txt nix run --impure nixpkgs#sops -- \ + --config sops.yaml \ + secrets.yaml ``` -Deploy with: +## Deploy + +Now, deploy with: ```bash -nix-shell -p colmena --run 'colmena apply' +SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply ``` -Took 12 minutes for first deploy on my machine. Next deploys take about 12 seconds. +Took a few minutes for first deploy on my machine. Next deploys take about 12 seconds. + +## Access apps through your browser + +Add the following entry to your `/etc/hosts` file: + +```nix +networking.hosts = { + "127.0.0.1" = [ "ha.example.com" "ldap.example.com" ]; +}; +``` + +Which produces: + +```bash +$ cat /etc/hosts +127.0.0.1 ha.example.com ldap.example.com +``` + +Go to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: +- username: `admin` +- password: the value of the field `lldap.user_password` in the `secrets.yaml` file. + +Create the group `homeassistant_user` and a user assigned to that group. + +Go to [http://ha.example.com:8080](http://ha.example.com:8080) and login with the user and password you just created above. + +## Prepare the VM + +This section documents how the various files were created to provide the nearly out of the box +experience described in the previous section. I need to clean this up a bit. + +### Private and Public Key + +Create the private key in the `keys.txt` file and print the public key used for `admin`: + +```bash +$ nix shell nixpkgs#age --command age-keygen -o keys.txt +Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 +``` + +Update `admin` and `vm` keys in `sops.yaml`. 
+ +Then, you can create the secrets.yaml with: + +That file must follow the format: + +```yaml +home-assistant: | + name: "My Instance" + country: "US" + latitude_home: "0.100" + longitude_home: "-0.100" + time_zone: "America/Los_Angeles" + unit_system: "metric" +lldap: + user_password: XXX... + jwt_secret: YYY... +``` + +You can generate secrets with: + +```bash +$ nix run nixpkgs#openssl -- rand -hex 64 +``` + +TODO: add instructions to create ssh private and public key: + +```bash +``` + +You don't need to copy over the ssh public key with the following command as we set the `keyFiles` option. I still leave it here for reference. + +```bash +$ nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example +``` + +### Deploy + +If you get a NAR hash mismatch error like so, you need to run `nix flake lock --update-input selfhostblocks`: + +``` +error: NAR hash mismatch in input ... +``` diff --git a/examples/homeassistant/configuration.nix b/examples/homeassistant/configuration.nix index 54b40e5..99acf5a 100644 --- a/examples/homeassistant/configuration.nix +++ b/examples/homeassistant/configuration.nix 
@@ -1,21 +1,35 @@
 { config, pkgs, ... }:
 {
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader.grub.enable = true;
 boot.kernelModules = [ "kvm-intel" ];
- fileSystems."/" =
- { device = "/dev/vda";
- fsType = "ext4";
- };
 system.stateVersion = "22.11";
+ # Options above are generate by running nixos-generate-config on the VM.
+
+ # Needed otherwise deploy will say system won't be able to boot.
+ boot.loader.grub.device = "/dev/vdb";
+ # The NixOS /nix/.rw-store mountpoint is backed by tmpfs which uses memory. We need to increase
+ # the available disk space to install home-assistant.
+ virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192;
+
+ # Options above are needed to deploy in a VM.
+
+ # As we intend to run this example using `nixos-rebuild build-vm`, we need to setup the user
+ # ourselves, see https://nixos.wiki/wiki/NixOS:nixos-rebuild_build-vm
 users.users.nixos = {
 isNormalUser = true;
 extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 initialPassword = "nixos";
+ # With this option, you don't need to use ssh-copy-id.
+ openssh.authorizedKeys.keyFiles = [
+ ./sshkey.pub
+ ];
 };
 security.sudo.extraRules = [
@@ -28,8 +42,14 @@
 }
 ];
- services.openssh.enable = true;
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.settings.trusted-users = [
+ "nixos"
+ ];
+ services.openssh = {
+ enable = true;
+ ports = [ 2222 ];
 permitRootLogin = "no";
 passwordAuthentication = true;
 };
diff --git a/examples/homeassistant/flake.lock b/examples/homeassistant/flake.lock
index d52ee13..a9a4fb9 100644
--- a/examples/homeassistant/flake.lock
+++ b/examples/homeassistant/flake.lock
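Review bot: `nix.settings.trusted-users = [ "nixos" ]` in the second hunk makes the `nixos` account root-equivalent through the nix daemon, and the same account keeps `initialPassword = "nixos"` with `passwordAuthentication = true` on the SSH port that the README's `QEMU_NET_OPTS` forwards to the host (with no host address given, QEMU binds that forward on every host interface, not just loopback). The hunk should say why that combination is acceptable here, e.g. `# Lets colmena push closures as this user; this is root-equivalent, so only for a local throwaway VM.` above the `trusted-users` line. The same two `nix.settings` lines are also added to the `myserver` module in flake.nix, which imports this file, so one copy is redundant. `# Options above are generate by running` in the first hunk should read `generated`.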
@@ -1,5 +1,38 @@
 {
 "nodes": {
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "nix-flake-tests": {
+ "locked": {
+ "lastModified": 1677844186,
+ "narHash": "sha256-ErJZ/Gs1rxh561CJeWP5bohA2IcTq1rDneu1WT6CVII=",
+ "owner": "antifuchs",
+ "repo": "nix-flake-tests",
+ "rev": "bbd9216bd0f6495bb961a8eb8392b7ef55c67afb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "antifuchs",
+ "repo": "nix-flake-tests",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1687681650,
@@ -57,6 +90,8 @@
 },
 "selfhostblocks": {
 "inputs": {
+ "flake-utils": "flake-utils",
+ "nix-flake-tests": "nix-flake-tests",
 "nixpkgs": [
 "nixpkgs"
 ],
@@ -65,8 +100,10 @@
 ]
 },
 "locked": {
- "lastModified": 1687501773,
- "narHash": "sha256-NtASNHmf+WeVMoGDUk8cMZLEHIOzs9DAaTafWtt9PhY=",
+ "dirtyRev": "052a80567948d3dad69d016bfd0a139b0f75fbd9-dirty",
+ "dirtyShortRev": "052a805-dirty",
+ "lastModified": 1700293838,
+ "narHash": "sha256-iHQPbRA47mA1yGgCIrb4S9AuDC+RfvtvqOqOr+asBe0=",
 "type": "git",
 "url": "file:///home/timi/Projects/selfhostblocks"
 },
@@ -93,6 +130,21 @@
 "repo": "sops-nix",
 "type": "github"
 }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
 }
 },
 "root": "root",
diff --git a/examples/homeassistant/flake.nix b/examples/homeassistant/flake.nix
index 192de3c..d48501e 100644
--- a/examples/homeassistant/flake.nix
+++ b/examples/homeassistant/flake.nix
@@ -19,9 +19,9 @@
 specialArgs = inputs;
 };
- myserver = {
+ myserver = { config, ... }: {
 deployment = {
- targetHost = "localhost";
+ targetHost = "example";
 targetPort = 2222;
 targetUser = "nixos";
 };
@@ -29,14 +29,35 @@
 imports = [
 ./configuration.nix
 sops-nix.nixosModules.default
- selfhostblocks.nixosModules.default
+ selfhostblocks.nixosModules.x86_64-linux.default
 ];
+ # Set to true for more debug info with `journalctl -f -u nginx`.
+ shb.nginx.accessLog = true;
+ shb.nginx.debugLog = true;
+
+ shb.ldap = {
+ enable = true;
+ domain = "example.com";
+ subdomain = "ldap";
+ ldapPort = 3890;
+ httpPort = 17170;
+ dcdomain = "dc=example,dc=com";
+ sopsFile = ./secrets.yaml;
+ };
+
 shb.home-assistant = {
 enable = true;
+ domain = "example.com";
+ ldapEndpoint = "http://127.0.0.1:${builtins.toString config.shb.ldap.httpPort}";
 subdomain = "ha";
 sopsFile = ./secrets.yaml;
 };
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.settings.trusted-users = [
+ "nixos"
+ ];
 };
 };
 };
diff --git a/examples/homeassistant/hardware-configuration.nix b/examples/homeassistant/hardware-configuration.nix
new file mode 100644
index 0000000..fd95aa7
--- /dev/null
+++ b/examples/homeassistant/hardware-configuration.nix
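Review bot: `targetHost = "example"` in the first hunk is not a hostname but the `Host` alias defined in the new `ssh_config`, and it only resolves when colmena is started with `SSH_CONFIG_FILE=ssh_config` as the README does; a comment on that line, `# "example" is the Host alias from ./ssh_config; run colmena with SSH_CONFIG_FILE=ssh_config.`, would save the next reader a failed deploy. `selfhostblocks.nixosModules.x86_64-linux.default` in the second hunk hard-codes the system where the old `selfhostblocks.nixosModules.default` did not, so the example no longer evaluates on other platforms unless that is intended. Separately, the flake.lock in this same patch pins `selfhostblocks` to `file:///home/timi/Projects/selfhostblocks` with a `dirtyRev`, so the example as committed appears to reproduce only on the author's checkout; the README's NAR-hash-mismatch tip seems to be a symptom of that.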
@@ -0,0 +1,64 @@
+# This file was generated by running nixos-generate-config on the VM.
+#
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/16ea7c88-d9d2-41bd-9698-d280700d4bcf";
+ fsType = "ext4";
+ };
+
+ fileSystems."/nix/.ro-store" =
+ { device = "nix-store";
+ fsType = "9p";
+ };
+
+ fileSystems."/nix/.rw-store" =
+ { device = "tmpfs";
+ fsType = "tmpfs";
+ };
+
+ fileSystems."/tmp/shared" =
+ { device = "shared";
+ fsType = "9p";
+ };
+
+ fileSystems."/tmp/xchg" =
+ { device = "xchg";
+ fsType = "9p";
+ };
+
+ fileSystems."/nix/store" =
+ { device = "overlay";
+ fsType = "overlay";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/A462-8553";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/examples/homeassistant/keys.txt b/examples/homeassistant/keys.txt
index 54b906b..d350313 100644
--- a/examples/homeassistant/keys.txt
+++ b/examples/homeassistant/keys.txt
@@ -1,3 +1,3 @@
-# created: 2023-06-26T21:31:39-07:00
-# public key: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
-AGE-SECRET-KEY-1RE30YJ76UHS0FF3GVL0894SG9J67RRFWT0YQ8K6QGTTS4FDK5QEQRV2436
+# created: 2023-11-17T00:05:25-08:00
+# public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
+AGE-SECRET-KEY-1EPLAHXWDEM5ZZAU7NFGHT5TWU08ZUCWTHYTLD8XC89350MZ0T79SA2MQAL
diff --git a/examples/homeassistant/secrets.yaml b/examples/homeassistant/secrets.yaml
index ab9cc6e..ce5b0a3 100644
--- a/examples/homeassistant/secrets.yaml
+++ b/examples/homeassistant/secrets.yaml
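Review bot: The new `AGE-SECRET-KEY-…` on the `+` line is the private half of the `admin` recipient and it is committed, so anyone who can read the repository can decrypt `secrets.yaml` (the README's `SOPS_AGE_KEY_FILE=keys.txt` steps depend on exactly that). For a throwaway VM example that is acceptable, but the file itself should say so; age ignores `#` lines in identity files, so a first line such as `# EXAMPLE ONLY: this key is public because it is committed; run age-keygen -o keys.txt and re-encrypt secrets.yaml before deploying anything real.` costs nothing. Rotating the key here also does not retire the old one: the previous `AGE-SECRET-KEY-1RE30…` and the `secrets.yaml` it protected stay in git history, so anything ever encrypted to it should be treated as disclosed.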
@@ -1,30 +1,42 @@ -home-assistant: ENC[AES256_GCM,data:SnkutANfqF2KZ6fpg1S4yBoeEbXBGZ97doxgiP7GVcsf/w7t1ajP0z6vJ7idBTKZ51t8vlRGr4Bq3RzLsqUlQpxjdFDcGGe506EDZhMQUvr4bn2C9gc=,iv:YYkHnNBmd8J1GAL4EW+SAlb9ILbIxevmk/yhLrwnchw=,tag:owP/F/NC4WUpUkNhCkAclw==,type:str] +home-assistant: ENC[AES256_GCM,data:WspkheMuZIF+UWf74XAZx4zpDJHeBb5zG4lGDrSS7sGcG1LrjZOUym1SKlOJEvJhjDVXaaY3AnwX/7ALo0m3gpS0zqkdF5QSWYLMXOoiKWi9H04eI3+WsLlZ8V42oBZGa9spsqAV7ISuiXi6Y6+vp81p5Q==,iv:BGUg9GBEyzukk+s7jIMt42Y3GLxmRKU++CPu3XV9WVc=,tag:JBMdqLpnXVC+XHYS57rVSw==,type:str] +lldap: + user_password: ENC[AES256_GCM,data:Mcbh0ZrcnmR8FuT97OdoS2vAHzGdOrEOTlNKaoLa9hk=,iv:RS7VS+9tsSknn9SwpfyYVi41m3lN4SkZ4CSwrzH/Eso=,tag:sGzhdhEDt0quZwgi+4QDfw==,type:str] + jwt_secret: ENC[AES256_GCM,data:a2CG5iGvVf7jz/JVP1RBDww+joT1TbJkXgsAyD1I00VTQZhkX04mb6wwDfFkATnhBn7GkP++nz+1YBirVWQV3wFfZ3ZufHwS+lQ0VTO6dcjLuTjuLnqprNjp/1cMQeu3vYADA3R7fuqEo/g3QUJzJJeGI48he5c/Cff0hQYgBRU=,iv:rHlRt6nWMz8rVmU0aKH6VWWVXunOfJcDvZOxgWbK1FI=,tag:Os6U0AvkkROuXWC7y6JMaw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft + - recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVU0NGVE9ubkFQN2kvK1Vo - SHVIaVZrN2VobkpXMzZPVFdHcVVqdlpTeFJzCjBXbHVuUTJ5S0MrNkVRcWFhWVE0 - MVRDZ0lOWi9ZeFN6WFQxUUhSVlNCbGcKLS0tIE9YWmtmSTFkZU9CWWp6V3g0ejJS - RS9oRDdZdGkrNGlCZU12TDBCSEtkTFUKIROyBC1UFg4AHz6LgqwPIaZzeDunQSYB - 7MiIp74icMSsl3P3r+6K/brQ5e3DPNvdttr6Q1FhGYfEj55xFqcLMg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWG1tK1duS2ROZFZ3SnFs + djRxT2xVZ2RzZ1FrNHRjalVjOVp6MVNxem1NCmRWMlNrWUVRcWx4QTI1M0tMMlNh + Q0dseklJR1V2WGo3em1WVVMwTGVFVEkKLS0tIEZ1cDhWM0dNS25LZlNSNllCdXBT + V3VueVVyWW9SMHB1L2VzVGJQQUNkVWMKd7TymvawidPiW417fbC88NojEhfux/dp + Op2cayvqIt2LI2yG+8u2fPbLsdwwg2ybxccIBqTldIbcELAsBruQkw== -----END AGE ENCRYPTED FILE----- - - recipient: 
age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v + - recipient: age18jrfv0ndtrad7ee4dzdfhhuca4wuce059txltdaxuxcnjkc37s5qj9mapm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cTY5b3F3WkJjc3NzcW1X - SkZxdUdaMkNzQXk2Tng3dHNscFpDR0x0amwwCjhkUGRkRnhiWlZEWVU2UVZseTZh - V1FoYjVtd3JIMm8rTHBySThYRWFOMVUKLS0tIDV5ZDRkQitOTFNHOFlYdFEzUUIv - R0N4T1BKRGNkOS95Y1Y2MU10cWR5UWcKpiJ3S1aJOR+jUnVS7u1FaSUo828ZJWGA - YAjb1G749UxZmUHA7wV4W7oBW3TcBml9HmLyyUjefX6MEPadflp8rQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucFViZUJ6eWhOd3dNUDEw + RmtZK05aUE5pemFEendTQkgwZHFaUHh5akhZCnpFeVRIMlNrcWNFYUpJeGI3dXZG + bWFObU12Y2FBS3lTcmZmZmNEMjY4YlEKLS0tIDZzN2xQcytlVUc3UVFkcTYxNks2 + OVMrQXJCQ05vcHhnb2NkaDFJSVd5ZFEK7kztu81Q0513qsbfoh8OO4HOkJQyXRvY + zEt70F5F7zxckbFHNIwSujt34+XY9Etl2CnoIVKa54KslyGqTuzECQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-27T05:02:12Z" - mac: ENC[AES256_GCM,data:w/FOB/hc5MUfu0c6+NvLWXG+wNAzD4VZSb44WXXWDxT/Twhb5ASSAXLM6YxCbKGTuug7BiEEPQkBZHEQATuwLmc04R3yKDq4ocyPTI7vbARgwuh/hqw3nAVLi76tH5v2lJLVBFvOzJxB8JBkJgs3VbSlh3APLncvb5+KivPIqis=,iv:zVbMO8zr4uXlZTEin5JsLCos1vOrCKWSDo3Nf3JygXQ=,tag:zMG3D8m2fGa6KMkRrBfffA==,type:str] + - recipient: age1sk9w5g0xnszvhpdj3w72pw6fe3d7znxmmh29c8dqvzxqv0lwtpxqj69fxc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeFNuNVF3bU9NOHJONnRo + WUowOWQ1Rjl5OC9GV2hNZXlEZ0JMTUNvUWhVCnFDa3RVelNZTWg4aktkSGMxOTh0 + aVlIQWJ2Y0czam01a2xQUDhyMG1ZVGMKLS0tIFdaZExoUEdMa3l3L1lXS1pDSkRB + QzluL1V5dXJ1L0ExdTlwam5JSjBCSUEKtjTJiBDg+t6EUkQQhDFybPmZV3SJrYxt + QGbE+S0AcckxHa+jDpBFm8hBroJ6Gxk9dPkZxfEeltyQgqMjOfVKcQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-18T17:58:16Z" + mac: 
ENC[AES256_GCM,data:6STySfiWarnv+CHAY4AbxJBfHVwfafPcAxnt3Miy+XrJYd0TAMCv3XUojEZzMc55XOnihnErQvdGsGUwDU3Rb3b7G6xvXi+MYcSL5/sxCp+NHXZ+uzxEm/X6pNk6k584vKnZo2a/O4VyC9Uz6jbFmJiFNct9zLIc+/XvS4RO2ps=,iv:7ZNywMCVxh4MaZJAT1wN5joNp4LbbaY582bnQH8sHFI=,tag:0S/ngGQK/jp7LHP6sUhiVg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1
diff --git a/examples/homeassistant/sops.yaml b/examples/homeassistant/sops.yaml
index ec5f7c0..d2d10b2 100644
--- a/examples/homeassistant/sops.yaml
+++ b/examples/homeassistant/sops.yaml
@@ -1,6 +1,6 @@
 keys:
- - &admin age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
- - &vm age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v
+ - &admin age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
+ - &vm age18jrfv0ndtrad7ee4dzdfhhuca4wuce059txltdaxuxcnjkc37s5qj9mapm
 creation_rules:
 - path_regex: secrets.yaml$
 key_groups:
diff --git a/examples/homeassistant/ssh_config b/examples/homeassistant/ssh_config
new file mode 100644
index 0000000..1bbe8c4
--- /dev/null
+++ b/examples/homeassistant/ssh_config
@@ -0,0 +1,6 @@
+Host example
+ Port 2222
+ User nixos
+ HostName 127.0.0.1
+ IdentityFile sshkey
+ IdentitiesOnly yes
\ No newline at end of file
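Review bot: The re-encrypted `secrets.yaml` carries three age recipients (`age1algdv…`, `age18jrfv0…`, `age1sk9w5…`) while `sops.yaml` in the same patch declares only `admin` = `age1algdv…` and `vm` = `age18jrfv0…`, so a key that is not in the policy file can still unwrap the data key and read `lldap.user_password` and `lldap.jwt_secret`. The third recipient is presumably a leftover from an earlier `--add-age` run (the README's sample output even shows a different VM key, `age1l9dyy02…`), and it is exactly the kind of stale grant a policy file is meant to prevent. Bringing the file back in line with the policy is `SOPS_AGE_KEY_FILE=keys.txt sops --config sops.yaml updatekeys secrets.yaml`, which drops recipients not listed in `sops.yaml`; the sops.yaml hunk itself then needs no further change.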
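Review bot: The new `ssh_config` pins the client identity but says nothing about where the VM's host key is recorded, so the first `ssh -F ssh_config example` writes `[127.0.0.1]:2222` into the user's global `~/.ssh/known_hosts`, and any VM recreated with a fresh disk (hence a fresh host key) then fails with a host-key-mismatch error that tempts people into disabling host key checking altogether. Adding `UserKnownHostsFile known_hosts` under the `Host example` block keeps that churn in a file local to the example while still verifying the key on every reconnect; the README's "accept the fingerprint" step is unchanged. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.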