update homeassistant example to actually work
parent
052a805679
commit
ea08aec4a7
9 changed files with 341 additions and 53 deletions
|
@ -1,51 +1,164 @@
|
||||||
# Use a VM to run this example
|
# Home Assistant Example
|
||||||
|
|
||||||
|
This `flake.nix` file sets up Home Assistant server that uses a LDAP server to
|
||||||
|
setup users with only about [15 lines](./flake.nix#L39-L55) of related code.
|
||||||
|
|
||||||
|
This guide will show how to deploy this setup to a Virtual Machine, like showed
|
||||||
|
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 5 commands.
|
||||||
|
|
||||||
|
## Launch VM
|
||||||
|
|
||||||
Build VM with:
|
Build VM with:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nixos-rebuild build-vm --fast -I nixos-config=./configuration.nix -I nixpkgs=.
|
nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=.
|
||||||
```
|
```
|
||||||
|
|
||||||
Start VM with:
|
Start VM with (this call is blocking):
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-nixos-vm
|
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
|
||||||
```
|
```
|
||||||
|
|
||||||
User is `nixos`, password is `nixos`.
|
User and password are both `nixos`, as setup in the [`configuration.nix`](./configuration.nix) file under
|
||||||
|
`user.users.nixos.initialPassword`.
|
||||||
|
|
||||||
Ssh into VM with `ssh -p 2222 nixos@localhost`.
|
You can login with `ssh -F ssh_config example`. You just need to accept the fingerprint.
|
||||||
|
|
||||||
If you get into issues with ssh trying too many public keys and failing, try instead: `ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no -p 2222 nixos@localhost`.
|
## Make VM able to decrypt the secrets.yaml file
|
||||||
|
|
||||||
For more information about running this example in a vm, see [NixOS_modules#Developing_modules](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
|
The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the
|
||||||
|
[`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will add
|
||||||
|
secrets to that secrets file and when deploying, it will be decrypted and the secrets will be copied
|
||||||
|
in the `/run/secrets` folder on the VM. We thus need one private key for you to edit the
|
||||||
|
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.
|
||||||
|
|
||||||
For more information about writing tests, see [the manual](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests).
|
Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
|
||||||
|
creating the VM in the step above, a new private key and its accompanying public key were
|
||||||
|
automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the
|
||||||
|
public key.
|
||||||
|
|
||||||
Create your secret key which prints the public key used for `admin`:
|
With the VM started, print the VM's public age key with the following command. The value you need is
|
||||||
|
the one staring with `age`.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nix-shell -p age --run 'age-keygen -o keys.txt'
|
$ nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -4 localhost | ssh-to-age'
|
||||||
|
# localshost:2222 SSH-2.0-OpenSSH_9.1
|
||||||
|
# localhost:2222 SSH-2.0-OpenSSH_9.1
|
||||||
|
# localhost:2222 SSH-2.0-OpenSSH_9.1
|
||||||
|
# localhost:2222 SSH-2.0-OpenSSH_9.1
|
||||||
|
# localhost:2222 SSH-2.0-OpenSSH_9.1
|
||||||
|
skipped key: got ssh-rsa key type, but only ed25519 keys are supported
|
||||||
|
age1l9dyy02qhlfcn5u9s4y2vhsvjtxj2c9avrpat6nvjd6rjar3tflq66jtz0
|
||||||
```
|
```
|
||||||
|
|
||||||
Get target host age key which prints the public key used for `vm`:
|
Now, make the `secrets.yaml` file decryptable in the VM.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nix-shell -p ssh-to-age --run 'ssh-keyscan -p 2222 -4 localhost | ssh-to-age'
|
SOPS_AGE_KEY_FILE=keys.txt nix run --impure nixpkgs#sops -- \
|
||||||
|
--config sops.yaml -r -i \
|
||||||
|
--add-age age1l9dyy02qhlfcn5u9s4y2vhsvjtxj2c9avrpat6nvjd6rjar3tflq66jtz0 \
|
||||||
|
secrets.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
Update `admin` and `vm` keys in sops.yaml.
|
Later on, when the server is deployed, you will need to login to the LDAP server with the admin account.
|
||||||
|
You can find the secret `lldap.user_password` field in the [`secrets.yaml`](./secrets.yaml) file. To open it, run:
|
||||||
Edit secret itself with:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nix-shell -p sops --run 'sops --config sops.yaml secrets.yaml'
|
SOPS_AGE_KEY_FILE=keys.txt nix run --impure nixpkgs#sops -- \
|
||||||
|
--config sops.yaml \
|
||||||
|
secrets.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
Deploy with:
|
## Deploy
|
||||||
|
|
||||||
|
Now, deploy with:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nix-shell -p colmena --run 'colmena apply'
|
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply
|
||||||
```
|
```
|
||||||
|
|
||||||
Took 12 minutes for first deploy on my machine. Next deploys take about 12 seconds.
|
Took a few minutes for first deploy on my machine. Next deploys take about 12 seconds.
|
||||||
|
|
||||||
|
## Access apps through your browser
|
||||||
|
|
||||||
|
Add the following entry to your `/etc/hosts` file:
|
||||||
|
|
||||||
|
```nix
|
||||||
|
networking.hosts = {
|
||||||
|
"127.0.0.1" = [ "ha.example.com" "ldap.example.com" ];
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
Which produces:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ cat /etc/hosts
|
||||||
|
127.0.0.1 ha.example.com ldap.example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
Go to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
||||||
|
- username: `admin`
|
||||||
|
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file.
|
||||||
|
|
||||||
|
Create the group `homeassistant_user` and a user assigned to that group.
|
||||||
|
|
||||||
|
Go to [http://ha.example.com:8080](http://ha.example.com:8080) and login with the user and password you just created above.
|
||||||
|
|
||||||
|
## Prepare the VM
|
||||||
|
|
||||||
|
This section documents how the various files were created to provide the nearly out of the box
|
||||||
|
experience described in the previous section. I need to clean this up a bit.
|
||||||
|
|
||||||
|
### Private and Public Key
|
||||||
|
|
||||||
|
Create the private key in the `keys.txt` file and print the public key used for `admin`:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ nix shell nixpkgs#age --command age-keygen -o keys.txt
|
||||||
|
Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
||||||
|
```
|
||||||
|
|
||||||
|
Update `admin` and `vm` keys in `sops.yaml`.
|
||||||
|
|
||||||
|
Then, you can create the secrets.yaml with:
|
||||||
|
|
||||||
|
That file must follow the format:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
home-assistant: |
|
||||||
|
name: "My Instance"
|
||||||
|
country: "US"
|
||||||
|
latitude_home: "0.100"
|
||||||
|
longitude_home: "-0.100"
|
||||||
|
time_zone: "America/Los_Angeles"
|
||||||
|
unit_system: "metric"
|
||||||
|
lldap:
|
||||||
|
user_password: XXX...
|
||||||
|
jwt_secret: YYY...
|
||||||
|
```
|
||||||
|
|
||||||
|
You can generate secrets with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ nix run nixpkgs#openssl -- rand -hex 64
|
||||||
|
```
|
||||||
|
|
||||||
|
TODO: add instructions to create ssh private and public key:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
```
|
||||||
|
|
||||||
|
You don't need to copy over the ssh public key with the following command as we set the `keyFiles` option. I still leave it here for reference.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example
|
||||||
|
```
|
||||||
|
|
||||||
|
### Deploy
|
||||||
|
|
||||||
|
If you get a NAR hash mismatch error like so, you need to run `nix flake lock --update-input selfhostblocks`:
|
||||||
|
|
||||||
|
```
|
||||||
|
error: NAR hash mismatch in input ...
|
||||||
|
```
|
||||||
|
|
|
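Review bot: In the "Make VM able to decrypt the secrets.yaml file" section, the new text says the private key used to edit the secrets is the `sshkey` file, but both sops commands that follow read `SOPS_AGE_KEY_FILE=keys.txt`, and "Prepare the VM" says the `admin` key is created in `keys.txt`. Name `keys.txt` as the age key there and keep `sshkey` for the SSH login only. Smaller points in the same hunk: "staring with `age`" and `localshost:2222` are typos, "Then, you can create the secrets.yaml with:" is followed by no command, the TODO code block is empty, and the `/etc/hosts` step shows a NixOS `networking.hosts` snippet, which is not something a reader can paste into `/etc/hosts`.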
@ -1,21 +1,35 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
boot.loader.systemd-boot.enable = true;
|
imports =
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
[ # Include the results of the hardware scan.
|
||||||
|
./hardware-configuration.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.loader.grub.enable = true;
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
fileSystems."/" =
|
|
||||||
{ device = "/dev/vda";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
system.stateVersion = "22.11";
|
system.stateVersion = "22.11";
|
||||||
|
|
||||||
|
# Options above are generate by running nixos-generate-config on the VM.
|
||||||
|
|
||||||
|
# Needed otherwise deploy will say system won't be able to boot.
|
||||||
|
boot.loader.grub.device = "/dev/vdb";
|
||||||
|
# The NixOS /nix/.rw-store mountpoint is backed by tmpfs which uses memory. We need to increase
|
||||||
|
# the available disk space to install home-assistant.
|
||||||
|
virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192;
|
||||||
|
|
||||||
|
# Options above are needed to deploy in a VM.
|
||||||
|
|
||||||
# As we intend to run this example using `nixos-rebuild build-vm`, we need to setup the user
|
# As we intend to run this example using `nixos-rebuild build-vm`, we need to setup the user
|
||||||
# ourselves, see https://nixos.wiki/wiki/NixOS:nixos-rebuild_build-vm
|
# ourselves, see https://nixos.wiki/wiki/NixOS:nixos-rebuild_build-vm
|
||||||
users.users.nixos = {
|
users.users.nixos = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||||
initialPassword = "nixos";
|
initialPassword = "nixos";
|
||||||
|
# With this option, you don't need to use ssh-copy-id.
|
||||||
|
openssh.authorizedKeys.keyFiles = [
|
||||||
|
./sshkey.pub
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.extraRules = [
|
security.sudo.extraRules = [
|
||||||
|
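Review bot: `openssh.authorizedKeys.keyFiles = [ ./sshkey.pub ]` authorizes a key whose private half the README describes as pre-generated in this repo, on a user that is in `wheel` and has `initialPassword = "nixos"`. Add a comment next to `keyFiles` stating that this key pair is for the throwaway VM only and has to be replaced before the configuration is reused on any reachable host. The comment "Options above are generate by" should also read "generated".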
@ -28,8 +42,14 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
services.openssh.enable = true;
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
|
nix.settings.trusted-users = [
|
||||||
|
"nixos"
|
||||||
|
];
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
ports = [ 2222 ];
|
||||||
permitRootLogin = "no";
|
permitRootLogin = "no";
|
||||||
passwordAuthentication = true;
|
passwordAuthentication = true;
|
||||||
};
|
};
|
||||||
|
|
|
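Review bot: `passwordAuthentication = true` stays in `services.openssh` although the earlier hunk adds `openssh.authorizedKeys.keyFiles` and the README now logs in with `ssh -F ssh_config example`. With `initialPassword = "nixos"` on the account and `"nixos"` added to `nix.settings.trusted-users` in this hunk, consider setting it to `false`, or add a comment saying why password login is still needed for the example.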
@ -1,5 +1,38 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"flake-utils": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1694529238,
|
||||||
|
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-flake-tests": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1677844186,
|
||||||
|
"narHash": "sha256-ErJZ/Gs1rxh561CJeWP5bohA2IcTq1rDneu1WT6CVII=",
|
||||||
|
"owner": "antifuchs",
|
||||||
|
"repo": "nix-flake-tests",
|
||||||
|
"rev": "bbd9216bd0f6495bb961a8eb8392b7ef55c67afb",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "antifuchs",
|
||||||
|
"repo": "nix-flake-tests",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687681650,
|
"lastModified": 1687681650,
|
||||||
|
@ -57,6 +90,8 @@
|
||||||
},
|
},
|
||||||
"selfhostblocks": {
|
"selfhostblocks": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"flake-utils": "flake-utils",
|
||||||
|
"nix-flake-tests": "nix-flake-tests",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
],
|
],
|
||||||
|
@ -65,8 +100,10 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687501773,
|
"dirtyRev": "052a80567948d3dad69d016bfd0a139b0f75fbd9-dirty",
|
||||||
"narHash": "sha256-NtASNHmf+WeVMoGDUk8cMZLEHIOzs9DAaTafWtt9PhY=",
|
"dirtyShortRev": "052a805-dirty",
|
||||||
|
"lastModified": 1700293838,
|
||||||
|
"narHash": "sha256-iHQPbRA47mA1yGgCIrb4S9AuDC+RfvtvqOqOr+asBe0=",
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "file:///home/timi/Projects/selfhostblocks"
|
"url": "file:///home/timi/Projects/selfhostblocks"
|
||||||
},
|
},
|
||||||
|
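Review bot: The `selfhostblocks` lock entry now records `dirtyRev` (`052a805-dirty` in `dirtyShortRev`) and keeps `url` set to `file:///home/timi/Projects/selfhostblocks`, so the committed lock pins an uncommitted local checkout that exists on one machine only. That is probably why the README has to tell readers to run `nix flake lock --update-input selfhostblocks` on a NAR hash mismatch. Lock against a committed revision before committing this file, or state at the top of the README that the lock has to be regenerated before the first deploy.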
@ -93,6 +130,21 @@
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
"systems": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
|
|
@ -19,9 +19,9 @@
|
||||||
specialArgs = inputs;
|
specialArgs = inputs;
|
||||||
};
|
};
|
||||||
|
|
||||||
myserver = {
|
myserver = { config, ... }: {
|
||||||
deployment = {
|
deployment = {
|
||||||
targetHost = "localhost";
|
targetHost = "example";
|
||||||
targetPort = 2222;
|
targetPort = 2222;
|
||||||
targetUser = "nixos";
|
targetUser = "nixos";
|
||||||
};
|
};
|
||||||
|
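Review bot: `targetHost = "example"` is not a resolvable host name; it only works as the `Host example` alias from the new `ssh_config`, which the README passes in through `SSH_CONFIG_FILE=ssh_config`. Add a comment on that line saying so, and consider dropping `targetPort` and `targetUser`, which the alias already sets (`Port 2222`, `User nixos`).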
@ -29,14 +29,35 @@
|
||||||
imports = [
|
imports = [
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
sops-nix.nixosModules.default
|
sops-nix.nixosModules.default
|
||||||
selfhostblocks.nixosModules.default
|
selfhostblocks.nixosModules.x86_64-linux.default
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# Set to true for more debug info with `journalctl -f -u nginx`.
|
||||||
|
shb.nginx.accessLog = true;
|
||||||
|
shb.nginx.debugLog = true;
|
||||||
|
|
||||||
|
shb.ldap = {
|
||||||
|
enable = true;
|
||||||
|
domain = "example.com";
|
||||||
|
subdomain = "ldap";
|
||||||
|
ldapPort = 3890;
|
||||||
|
httpPort = 17170;
|
||||||
|
dcdomain = "dc=example,dc=com";
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
shb.home-assistant = {
|
shb.home-assistant = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
domain = "example.com";
|
||||||
|
ldapEndpoint = "http://127.0.0.1:${builtins.toString config.shb.ldap.httpPort}";
|
||||||
subdomain = "ha";
|
subdomain = "ha";
|
||||||
sopsFile = ./secrets.yaml;
|
sopsFile = ./secrets.yaml;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
|
nix.settings.trusted-users = [
|
||||||
|
"nixos"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
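Review bot: The `nix.settings.experimental-features` and `nix.settings.trusted-users` lines at the end of this hunk repeat what this commit also adds in the `services.openssh` hunk of the file that `imports` pulls in as `./configuration.nix`; keep them in one place. Separately, the comment says "Set to true for more debug info" while `shb.nginx.accessLog` and `shb.nginx.debugLog` are both committed as `true`; either commit them as `false` or reword the comment to say they are switched on for the example.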
64
examples/homeassistant/hardware-configuration.nix
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
# This file was generated by running nixos-generate-config on the VM.
|
||||||
|
#
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/16ea7c88-d9d2-41bd-9698-d280700d4bcf";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix/.ro-store" =
|
||||||
|
{ device = "nix-store";
|
||||||
|
fsType = "9p";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix/.rw-store" =
|
||||||
|
{ device = "tmpfs";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/tmp/shared" =
|
||||||
|
{ device = "shared";
|
||||||
|
fsType = "9p";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/tmp/xchg" =
|
||||||
|
{ device = "xchg";
|
||||||
|
fsType = "9p";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix/store" =
|
||||||
|
{ device = "overlay";
|
||||||
|
fsType = "overlay";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/A462-8553";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
|
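Review bot: `fileSystems."/"` and `fileSystems."/boot"` point at `/dev/disk/by-uuid/...` values captured from one VM, and `boot.kernelModules = [ "kvm-intel" ]` together with `hardware.cpu.intel.updateMicrocode` assume an Intel host. Are those UUIDs the same on a disk image that a reader builds with the README's `nixos-rebuild build-vm-with-bootloader` command? If not, the README should tell readers to regenerate this file with `nixos-generate-config`, and the line added above the generated header should say which values are machine-specific.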
@ -1,3 +1,3 @@
|
||||||
# created: 2023-06-26T21:31:39-07:00
|
# created: 2023-11-17T00:05:25-08:00
|
||||||
# public key: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
|
# public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
||||||
AGE-SECRET-KEY-1RE30YJ76UHS0FF3GVL0894SG9J67RRFWT0YQ8K6QGTTS4FDK5QEQRV2436
|
AGE-SECRET-KEY-1EPLAHXWDEM5ZZAU7NFGHT5TWU08ZUCWTHYTLD8XC89350MZ0T79SA2MQAL
|
||||||
|
|
|
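Review bot: This hunk replaces one plaintext `AGE-SECRET-KEY-1...` line with another, and the matching public key is the `&admin` recipient in the `sops.yaml` hunk, so everything in `secrets.yaml` is readable by anyone who has the repository. If that is intended for the example, add a comment line at the top of this file saying the key is a demo key that must never protect real secrets, and have the README tell readers to create their own with `age-keygen` before reusing the setup.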
@ -1,30 +1,42 @@
|
||||||
home-assistant: ENC[AES256_GCM,data:SnkutANfqF2KZ6fpg1S4yBoeEbXBGZ97doxgiP7GVcsf/w7t1ajP0z6vJ7idBTKZ51t8vlRGr4Bq3RzLsqUlQpxjdFDcGGe506EDZhMQUvr4bn2C9gc=,iv:YYkHnNBmd8J1GAL4EW+SAlb9ILbIxevmk/yhLrwnchw=,tag:owP/F/NC4WUpUkNhCkAclw==,type:str]
|
home-assistant: ENC[AES256_GCM,data:WspkheMuZIF+UWf74XAZx4zpDJHeBb5zG4lGDrSS7sGcG1LrjZOUym1SKlOJEvJhjDVXaaY3AnwX/7ALo0m3gpS0zqkdF5QSWYLMXOoiKWi9H04eI3+WsLlZ8V42oBZGa9spsqAV7ISuiXi6Y6+vp81p5Q==,iv:BGUg9GBEyzukk+s7jIMt42Y3GLxmRKU++CPu3XV9WVc=,tag:JBMdqLpnXVC+XHYS57rVSw==,type:str]
|
||||||
|
lldap:
|
||||||
|
user_password: ENC[AES256_GCM,data:Mcbh0ZrcnmR8FuT97OdoS2vAHzGdOrEOTlNKaoLa9hk=,iv:RS7VS+9tsSknn9SwpfyYVi41m3lN4SkZ4CSwrzH/Eso=,tag:sGzhdhEDt0quZwgi+4QDfw==,type:str]
|
||||||
|
jwt_secret: ENC[AES256_GCM,data:a2CG5iGvVf7jz/JVP1RBDww+joT1TbJkXgsAyD1I00VTQZhkX04mb6wwDfFkATnhBn7GkP++nz+1YBirVWQV3wFfZ3ZufHwS+lQ0VTO6dcjLuTjuLnqprNjp/1cMQeu3vYADA3R7fuqEo/g3QUJzJJeGI48he5c/Cff0hQYgBRU=,iv:rHlRt6nWMz8rVmU0aKH6VWWVXunOfJcDvZOxgWbK1FI=,tag:Os6U0AvkkROuXWC7y6JMaw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age:
|
age:
|
||||||
- recipient: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
|
- recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVU0NGVE9ubkFQN2kvK1Vo
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWG1tK1duS2ROZFZ3SnFs
|
||||||
SHVIaVZrN2VobkpXMzZPVFdHcVVqdlpTeFJzCjBXbHVuUTJ5S0MrNkVRcWFhWVE0
|
djRxT2xVZ2RzZ1FrNHRjalVjOVp6MVNxem1NCmRWMlNrWUVRcWx4QTI1M0tMMlNh
|
||||||
MVRDZ0lOWi9ZeFN6WFQxUUhSVlNCbGcKLS0tIE9YWmtmSTFkZU9CWWp6V3g0ejJS
|
Q0dseklJR1V2WGo3em1WVVMwTGVFVEkKLS0tIEZ1cDhWM0dNS25LZlNSNllCdXBT
|
||||||
RS9oRDdZdGkrNGlCZU12TDBCSEtkTFUKIROyBC1UFg4AHz6LgqwPIaZzeDunQSYB
|
V3VueVVyWW9SMHB1L2VzVGJQQUNkVWMKd7TymvawidPiW417fbC88NojEhfux/dp
|
||||||
7MiIp74icMSsl3P3r+6K/brQ5e3DPNvdttr6Q1FhGYfEj55xFqcLMg==
|
Op2cayvqIt2LI2yG+8u2fPbLsdwwg2ybxccIBqTldIbcELAsBruQkw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v
|
- recipient: age18jrfv0ndtrad7ee4dzdfhhuca4wuce059txltdaxuxcnjkc37s5qj9mapm
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cTY5b3F3WkJjc3NzcW1X
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucFViZUJ6eWhOd3dNUDEw
|
||||||
SkZxdUdaMkNzQXk2Tng3dHNscFpDR0x0amwwCjhkUGRkRnhiWlZEWVU2UVZseTZh
|
RmtZK05aUE5pemFEendTQkgwZHFaUHh5akhZCnpFeVRIMlNrcWNFYUpJeGI3dXZG
|
||||||
V1FoYjVtd3JIMm8rTHBySThYRWFOMVUKLS0tIDV5ZDRkQitOTFNHOFlYdFEzUUIv
|
bWFObU12Y2FBS3lTcmZmZmNEMjY4YlEKLS0tIDZzN2xQcytlVUc3UVFkcTYxNks2
|
||||||
R0N4T1BKRGNkOS95Y1Y2MU10cWR5UWcKpiJ3S1aJOR+jUnVS7u1FaSUo828ZJWGA
|
OVMrQXJCQ05vcHhnb2NkaDFJSVd5ZFEK7kztu81Q0513qsbfoh8OO4HOkJQyXRvY
|
||||||
YAjb1G749UxZmUHA7wV4W7oBW3TcBml9HmLyyUjefX6MEPadflp8rQ==
|
zEt70F5F7zxckbFHNIwSujt34+XY9Etl2CnoIVKa54KslyGqTuzECQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-06-27T05:02:12Z"
|
- recipient: age1sk9w5g0xnszvhpdj3w72pw6fe3d7znxmmh29c8dqvzxqv0lwtpxqj69fxc
|
||||||
mac: ENC[AES256_GCM,data:w/FOB/hc5MUfu0c6+NvLWXG+wNAzD4VZSb44WXXWDxT/Twhb5ASSAXLM6YxCbKGTuug7BiEEPQkBZHEQATuwLmc04R3yKDq4ocyPTI7vbARgwuh/hqw3nAVLi76tH5v2lJLVBFvOzJxB8JBkJgs3VbSlh3APLncvb5+KivPIqis=,iv:zVbMO8zr4uXlZTEin5JsLCos1vOrCKWSDo3Nf3JygXQ=,tag:zMG3D8m2fGa6KMkRrBfffA==,type:str]
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeFNuNVF3bU9NOHJONnRo
|
||||||
|
WUowOWQ1Rjl5OC9GV2hNZXlEZ0JMTUNvUWhVCnFDa3RVelNZTWg4aktkSGMxOTh0
|
||||||
|
aVlIQWJ2Y0czam01a2xQUDhyMG1ZVGMKLS0tIFdaZExoUEdMa3l3L1lXS1pDSkRB
|
||||||
|
QzluL1V5dXJ1L0ExdTlwam5JSjBCSUEKtjTJiBDg+t6EUkQQhDFybPmZV3SJrYxt
|
||||||
|
QGbE+S0AcckxHa+jDpBFm8hBroJ6Gxk9dPkZxfEeltyQgqMjOfVKcQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-11-18T17:58:16Z"
|
||||||
|
mac: ENC[AES256_GCM,data:6STySfiWarnv+CHAY4AbxJBfHVwfafPcAxnt3Miy+XrJYd0TAMCv3XUojEZzMc55XOnihnErQvdGsGUwDU3Rb3b7G6xvXi+MYcSL5/sxCp+NHXZ+uzxEm/X6pNk6k584vKnZo2a/O4VyC9Uz6jbFmJiFNct9zLIc+/XvS4RO2ps=,iv:7ZNywMCVxh4MaZJAT1wN5joNp4LbbaY582bnQH8sHFI=,tag:0S/ngGQK/jp7LHP6sUhiVg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.8.1
|
||||||
|
|
|
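Review bot: The new `age` list under `sops:` has three recipients, and the third one (starting with `age1sk9w5g0x`) is not one of the two keys, `&admin` and `&vm`, in the `sops.yaml` hunk of this commit. It looks like the result of the README's `--add-age` step run against one particular VM. Since the README says every VM gets a newly generated host key, that recipient does nothing for readers while still letting the holder of that VM key decrypt the file; drop it before committing, or declare it in `sops.yaml` so the file and its configuration agree.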
@ -1,6 +1,6 @@
|
||||||
keys:
|
keys:
|
||||||
- &admin age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
|
- &admin age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
||||||
- &vm age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v
|
- &vm age18jrfv0ndtrad7ee4dzdfhhuca4wuce059txltdaxuxcnjkc37s5qj9mapm
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: secrets.yaml$
|
- path_regex: secrets.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
|
|
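Review bot: `&vm` is hard-coded to a new value here, but the README says the VM's key is generated when the VM is created, so this entry will not match a reader's VM and the README works around it with `--add-age` on `secrets.yaml`. Add a comment above `&vm` saying it has to be replaced with the `ssh-to-age` output, so that `sops.yaml` and the recipients stored in `secrets.yaml` do not drift apart. The context line `path_regex: secrets.yaml$` also has an unescaped `.`; `secrets\.yaml$` is the stricter match.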
6
examples/homeassistant/ssh_config
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
Host example
|
||||||
|
Port 2222
|
||||||
|
User nixos
|
||||||
|
HostName 127.0.0.1
|
||||||
|
IdentityFile sshkey
|
||||||
|
IdentitiesOnly yes
|
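Review bot: `Host example` sets no `UserKnownHostsFile`, so accepting the fingerprint as the README instructs stores the VM's host key for `127.0.0.1` port 2222 in the user's own known_hosts file, and the README says a new host key is generated whenever the VM is created. A dedicated `UserKnownHostsFile` inside the example directory would keep those throwaway entries out of the user's file and avoid host-key-changed failures after the VM is rebuilt. `IdentityFile sshkey` is also a relative path, so the README should say which directory the `ssh` and `colmena` commands have to be run from.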