diff --git a/REUSE.toml b/REUSE.toml index 85c9476..a2a3e41 100644 --- a/REUSE.toml +++ b/REUSE.toml @@ -14,7 +14,7 @@ precedence = "closest" [[annotations]] SPDX-FileCopyrightText = "La Délégation Générale Numérique " SPDX-License-Identifier = "CC-BY-NC-ND-4.0" -path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-notify/ntfy_sh-systemd_passwd", "modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"] +path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-notify/ntfy-sh-systemd_passwd", "modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"] precedence = "closest" [[annotations]] diff --git a/default.nix b/default.nix index a555fa1..78c3bd9 100644 --- a/default.nix +++ b/default.nix @@ -92,7 +92,7 @@ let "modules/nixos/dgn-backups/keys/*" "modules/nixos/dgn-netbox-agent/secrets/netbox-agent" "modules/nixos/dgn-notify/mail" - "modules/nixos/dgn-notify/ntfy_sh-systemd_passwd" + "modules/nixos/dgn-notify/ntfy-sh-systemd_passwd" "modules/nixos/dgn-forgejo-runners/forgejo_runners-token_file" "modules/nixos/dgn-records/__arkheon-token_file" "modules/nixos/dgn-s3/garage-*_file" diff --git a/machines/nixos/web01/ntfy-sh/default.nix b/machines/nixos/web01/ntfy-sh/default.nix index f090386..acfb080 100644 --- a/machines/nixos/web01/ntfy-sh/default.nix +++ b/machines/nixos/web01/ntfy-sh/default.nix @@ -38,7 +38,7 @@ in } ]; users = { - "systemd".passwordFile = config.age.secrets."ntfy_sh-systemd_passwd".path; + "systemd".passwordFile = config.age.secrets."ntfy-sh-systemd_passwd".path; # TODO: through meta "catvayor" = { 
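Review bot: The string list in this `let` binding is a hand-maintained copy of the `path` array in REUSE.toml's CC-BY-NC-ND-4.0 annotations block — the same eight globs, and this rename had to be applied to both. Nothing in either file points at the other, so the next secret rename can silently leave one list stale. A comment on the list, e.g. `# Keep in sync with the "path" array of the secrets annotation in REUSE.toml`, would make the coupling visible. The enclosing `let` starts outside the hunk.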
@@ -49,6 +49,8 @@ in }; }; + age-secrets.autoMatch = [ "ntfy-sh" ]; + dgn-web.simpleProxies.ntfy-sh = { inherit host port; proxyWebsockets = true; diff --git a/modules/nixos/dgn-notify/default.nix b/modules/nixos/dgn-notify/default.nix index 02389d9..ef52f99 100644 --- a/modules/nixos/dgn-notify/default.nix +++ b/modules/nixos/dgn-notify/default.nix @@ -69,11 +69,11 @@ in ${getExe pkgs.jq} \ '.title |= $title | .message |= $body' \ - <(echo '{ topic: "monitoring", priority: 4 }') \ + <(echo '{ "topic": "monitoring", "priority": 4 }') \ --arg title "[$HOSTNAME] Systemd failure: $1" \ --rawfile body <(systemctl status --full "$1") | \ ${getExe pkgs.curl} https://push.dgnum.eu -d @- \ - -u "systemd:$(cat ${config.age.secrets."ntfy_sh-systemd_passwd".path})" + -u "systemd:$(cat ${config.age.secrets."ntfy-sh-systemd_passwd".path})" '' ); }; diff --git a/modules/nixos/dgn-notify/ntfy-sh-systemd_passwd b/modules/nixos/dgn-notify/ntfy-sh-systemd_passwd new file mode 100644 index 0000000..08905ce --- /dev/null +++ b/modules/nixos/dgn-notify/ntfy-sh-systemd_passwd 
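Review bot: The new `-u "systemd:$(cat ${config.age.secrets."ntfy-sh-systemd_passwd".path})"` line still places the ntfy password in curl's argument vector, where any local user can read it via `ps` or `/proc/<pid>/cmdline` for the duration of the request; the rename fixes the path but not that exposure. Feeding the credential through a curl config file keeps it out of argv, e.g. `-K <(printf 'user = "systemd:%s"\n' "$(cat ${config.age.secrets."ntfy-sh-systemd_passwd".path})")`, or a netrc-formatted secret with `--netrc-file`. The shell script these lines belong to starts outside the hunk.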
@@ -0,0 +1,64 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZIo4kw /vCX1cst2/IfRYgjytUqKar9nvLwanXftEg2Tnv4GF4 +m6IL7hx/a8kLZeXrfpI4wEQia2TsSK8aoczvMDiN+dQ +-> ssh-ed25519 9/PCvA ynVPgQIUAnX9hCGlx6+alSi9i+lsfC+tHIIRjuFsC1E +63MiBEM8pLCWw1FvIjTpALECIQmPbbucdBtkaf2Zl8o +-> ssh-ed25519 jIXfPA xoVetmOG10fh+ZDfuaJq46dAo/ROHPIvJDWF/kknZEg +eHwocHO2umlRnBHIjaV5O93RYmgRXsk52lecyC3twuA +-> ssh-ed25519 QlRB9Q 3l6d6IMFUgjmaZLUKci34SPkSl+QErieE4aZikqFrGM +aG2yHooYgMuMMXM44f4gZKU+8DKcGE/zXzAWWL0MoF0 +-> ssh-ed25519 r+nK/Q faNMozUNG4ODsMV5MQtcx3E61iTicp2YpFlGnK4ZW1Q +j8DwTirU1AuOooY3LOS6xR5UlaRiVZPTfT6oV7tQBSg +-> ssh-rsa krWCLQ +acGlomsef9kSxyX2luCJjrW8Jf0Xf/0wYJKhSp6ElDAc/cLCdsycNy/tYeEDZQYJ +3NbFJ9Xm4mS10hsiwKGVK0lHvfsqTvLlLmEGnatb/hlPd8UyJ09CGI4aTFl+FSdD +JjNfZBJJqkkVAgLN+H7mBNQlPkBnaa4Rzb+w+yA2j7fG0rnM+0+TCNVLQbzsdWDV +/VfofqsOKOG18VjRttFWgD5SR3prFcn8LVCrTSQqQ84hRA/E660cjFcOs+/0n/aA +K1uOEJYm/AQl8cB5SQ6VuHRzQ6ow97j8f7kGmd3ByojzhODIG9nAV4m+ttQKTRL1 +W8qb386IkF0MO0ME+1hJ3A +-> ssh-ed25519 /vwQcQ rcU+0AqBKB1LSTJyLkcXDETX9+5EEOK9ilIYRFinKUM +eW3aKdgRIk+0X4VL4kwIs0OrlNCD3yrvCZpkeHUo83U +-> ssh-ed25519 0R97PA z1PiXZaq+d2pUkFZFTxU6XEtGt99QKOZwG2GdNod9mE +zHo7Vn43kM++ksThfTRenh5OgBRAFwdPpJXTaaKIo2o +-> ssh-ed25519 JGx7Ng HL15rzdWfpvGbaRJZCxKi402Xw+IPTDOqoXXHe+RCyk +oSm7yF745lnmBlrb335L8R4hoQqpJXFL824C8fh2qc4 +-> ssh-ed25519 bUjjig H3d5iSjblMkrC+YXybEilE/ad3Ki3qf3YdmfjCOwoA4 ++JAmp7/tmikEc5oTt5Yt/GuJtRi1Gk1sPKy8umzENZY +-> ssh-ed25519 DqHxWQ K4C8ucGgEYLB0rGUcyMohXCcRlswE9SBmGccXemrA0Q +r8PzcQmWqIYeKRnDLZCWcelVirn9ylUwruSxOU79hQ8 +-> ssh-ed25519 IxxZqA Hnsl5lhANjbkt2SOotgevJHuko0ZPrbpaj+THdvC7GM +PvH1x+PTiErwWagejtOLt916tGu2+ZUnjNZg87fcX8w +-> ssh-ed25519 /fsvPA vfLM3KlAQ7kWXP8rjbvjHUQnYDPBBDm46lXcsZkj9HA +W28VyuU50aYkJIQKMSpWrsml9osp3Xh4y71Vkt4ixsQ +-> ssh-ed25519 tDqJRg slvxcW7Dk8kBC4vDqkB+oO26py2d+XJkri6hSyFY3Bw +VpPY/QVEohOpYUCtqT6A6v/A9ehG+FShIhwMeaSkG20 +-> ssh-ed25519 9pVK7Q FjkiavyKruqyWcOJZFckSXp/mMHVNvSTtbtOLJvMT3Q +b7tV92zKa6K4kbb4fFvMfyEw2ZcKlwEt6HfCu97m4cY +-> ssh-ed25519 
/BRpBQ TY+GlLdL9btJUd5aawMR8FyMv446qw0i9VILOt5sfjM +4TJqKu6ArxIiAwj4y7QA/9Ae3Si9n5BCGvy2uSZteTA +-> ssh-ed25519 t0vvHQ Q8glq3+dtNt8EdUjR3GHRDqyRjGy6VbOMGrdyQT7Fn8 +ZCY815CBUcWmfQedZM5Fz4S07YnhJ0u1cnPjMA7gUEE +-> ssh-ed25519 E6cGqw sFBSoOmjVWn4hq874CpnqX0KWNAIpIsir/zjdAEobgk +0Hiq0XSwrUokKzT5c3E2FgSdYUGokBwuWMejBblyYRE +-> ssh-ed25519 EEPmeQ yrg3ijttuMg7/nI4zGKaF4/R1Qm6Soy5wxtR5kHfbmU +rmfB33kZ6FQSZZKZrLvfJaStUFxzU/BFaPV33MF0VS4 +-> ssh-ed25519 /x+F2Q mh+XGtsJJJ6hofaXuC+fJCB/JMAcNcgL1iNUbBJ6gWg +W40ec8qKQ0oqGynUqSIIpub+spxTs2uBOWqBxvnIA9Y +-> ssh-ed25519 +MNHsw PQHHZTbDn3APsjbv7JBJL8Y1l1k7baHKhYomd/8qjkI +sZAvnuWYmh9xyfRQwymgj0/jMUbQpJimfXq5jqcLKdA +-> ssh-ed25519 rHotTw rQQQI+Uq7BPUjzxb/Eg47vbxIBncymuHTHLfuIJto1M +MmDgHmZ7W7G6XJW5wSaZ4LQfsj879fhsPCDuhWCiE7E +-> ssh-ed25519 NaIdrw owPLPaxO53AOJDKrcX4/jAoM/YigsMTVoUqNWhhb7XQ +1G1S7CNEKiNZG/Lm8u8mKv9LbZ6b5ZozFIirZgqzoJw +-> ssh-ed25519 +mFdtQ d8XMK+HzfseHJc9jgGMrPJuxgL5x76PFjxD45ZLdZkY +JwpwP6hOLGMbOzJ6e+SkPgRm+lYBCDjNCYDhksFgCp0 +-> ssh-ed25519 0IVRbA Cp7aESgB0Vy8kxtpsj9Ir8tNGfhskmqwgYs2YmVEti4 +XKohsYMcsfTHkW10Z4GhQXhzYV/zCN9+Fds2QSY3/Os +-> ssh-ed25519 IY5FSQ eNrFwrMtMGohRm3M1jYrdFaYwEUQhJ3SQa5V5+0lF08 +obVQ34czAIbNfVASCqY7jZrzTbKZGByElRdjjFwLgw0 +-> ssh-ed25519 VQSaNw ZPlbcDvtlhq1hucmNvhWUyoIjSuKrwHRFA2KcxxG6E4 +5Hn+z4h8E1f5vCRxPWeewJqZqyNWKKRjNcDc3ZtTefQ +-> F(+y[k(-grease n! ej +V3zMd0eK7BpMvoPXEQ +--- M1aBoNB2qmOHMDu1eSvUM7m+8pQRCxy0QHSPeHcDfXg +=e>"]q.ȪN`YXy: YYy\{mb;-z \ No newline at end of file diff --git a/modules/nixos/dgn-notify/ntfy_sh-systemd_passwd b/modules/nixos/dgn-notify/ntfy_sh-systemd_passwd deleted file mode 100644 index 69c31fa..0000000 --- a/modules/nixos/dgn-notify/ntfy_sh-systemd_passwd +++ /dev/null 
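Review bot: The re-encrypted blob carries two recipient stanzas that the deleted `ntfy_sh-systemd_passwd` file did not have (the `ssh-ed25519 ZIo4kw` and `ssh-ed25519 9/PCvA` entries at the top; the remaining stanzas match the old file one for one), so this rename also widens who can decrypt the ntfy systemd password. Since secrets.nix keys this file to `machineKeysBySystem "nixos"`, this is presumably a rekey against an updated keys.nix, but nothing in the diff records that. A short note in the commit description naming the hosts that gained access would make the widening auditable; if the extra recipients were not intended, the file should be rekeyed against the intended set before merging.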
@@ -1,60 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 jIXfPA fliq4UcU2T15wd/CEB5NYk9+0cNpA8higneZUX9uY2I -ui9Ii+fWdvyAjeireGBE1EiHhpuhl8N1GO8krhi3Wuo --> ssh-ed25519 QlRB9Q y9MDkopaEWegSkuB+XqwWOro3lC4Em7Eb+sN8rg8oUE -khM4m4lpDkR1JbwDUwfTwLBRlSCEehHD7mOnQnz61Lo --> ssh-ed25519 r+nK/Q f4nQQYqyR9y4wt9IuyFhMoiw1JowiK8TAY1qmekK4lI -4xIGaCr/1WeTMW1uCdnIMMm6ZGCtTjJt9AKWWk8oByk --> ssh-rsa krWCLQ -Vr8FpWnZQniLGaYH4Uq+u9kROYunor/ScH/68PObnlsM/BSukBhNT0lgGEbvms2l -3FT0W9T4/9m2A8XnEHKOQ5sZNp7wQQbqBqoDmpdSBTqY+FIQrz+0srJ7tiGiybhJ -cKm1lgHShfuv4+Pe0QNgg/UwyhNv8j7tf7VYqSWiMqULbrHPXk2yyHQfT5UtrnlL -c106eoI8o6OMViGbKbHWJlRe65zhO4iV2tVjWq61UpvGK4PjLKH/XKZ2lDbUNnO+ -eTHjWf3he9SpgdoO6CyK+h9+c9o6BgHGpDlo5Lgl5nL2xXmD1RRQQR+kHRKliuLf -prMc4d9vXxAx4PHqe4XrMg --> ssh-ed25519 /vwQcQ bApaXrSD43O8sNpxyg+VjR/HvDLLk600yJjXuFUKHTU -lCy9D1Yx0nuTlaX0Uh/0ZqKbCgRBAKSqCytmu+GTA8Y --> ssh-ed25519 0R97PA 2AL2O7dV8YzAUwc27TRWF4YtST4MChprpPBG75NX2Q0 -oBPbVy5JngLoHrQG4FdQSv8RcXw0yJ/vWQHsA6N8JCI --> ssh-ed25519 JGx7Ng C7gFRz4NMrLzAPfCI5EY5CpUvQ/u4V59NbKZYJj4LD8 -SxM40YJcPX/iL4szqs7M6VZJyaNmj2xUcunoyouXfgU --> ssh-ed25519 bUjjig hy0Tj8gXPuwpq3sBHOQ8JXAz0xg/s3doqOfbC2C7i3g -5KVwYkZp3XkCprFHhKJu+WUAgAKrFpga6BOwMS218w4 --> ssh-ed25519 DqHxWQ mzemsdxZ9mmQUHb3K0CCN4nbgaWWC/XfMFclVf5VH3k -H4zzq3ra6WAupZh1WTvdxqu5U9MaKdHQZ26fqUwHXTs --> ssh-ed25519 IxxZqA UKjyIDwJSWOG6M9jNvQOL+fDEpnTuIpCVUaLe1o7YWg -DHBp7hyl9ViLeM4EKIrqGTtO/jrBofBA1qkog1OnSfY --> ssh-ed25519 /fsvPA QIkPRMMVzTkX5GEsFxSnNGeICn7gCguPHVK1FLlbFU8 -YK+pz/tmNYV1XRU5JC1dDIOonq5D86J9X3hmJgJTlcg --> ssh-ed25519 tDqJRg I4b5qLm6/c7kZD14FFgv/Y1lpAnMl+hSAurzNcjRHmA -Q6A+6M9I1atpMyaE+rIXt68Xco9sCX1lySDnNmwxnpw --> ssh-ed25519 9pVK7Q sBP87Q+34Pgx2/uIOcvcu3Amf78Clj9BZfQ4FhjVAEg -7TMI1cmEBJm1uDoXlE18lPmOAV+cJKuXtNnRxWOmf4Y --> ssh-ed25519 /BRpBQ bGI32xEyyM1hJ4pQV1VOgjJYkOu5HIzNGpBgZJGPLic -CmJf02BnchNgyy5uUEPO4GLn+XZ08PuVyrBqKir5/Xg --> ssh-ed25519 t0vvHQ RpEDX65fLny4bm2vUvvV8cSvFS5vRCL3LyZVBw392j8 -NWQd/7kUHKEi919cOOOYHGGn9FdoyKMOhHjBu84/Z4A --> ssh-ed25519 
E6cGqw ItjYI/zA8VklrSAsp+X4CkVGj/wBf6Bga722fwKEoCU -+DXH2k8vW+xdJwg+VEaC3re9ikAwGcIzc00a1OpW0MA --> ssh-ed25519 EEPmeQ xeSzsHR8qA+qwFhQP83S3ANg484KbkppW+51fpP05VE -oC5xLk0nstn0zzT8jAfC+fZc7FLIR43QjEGxBHXy7eM --> ssh-ed25519 /x+F2Q 7YNTNvaZsXhQVz70ZLNrTthtLByqyTmz0i4jMtdasR4 -6lCNttcesatKVzFBAI8BCHU1KKE01vJVAiSMhkg+M2U --> ssh-ed25519 +MNHsw K++mpX4PIlHN4om/zVJXmmMd+oV7GZEXO4FVT5vT2AQ -YEU316rCwxr+XS0TU2k9PurHF05S36rXJkaaLMqxW38 --> ssh-ed25519 rHotTw VeSoOZpNUWekWyzY8cQdrggg5CQffYZMwdenHoCETE0 -dWTaT+PUd/U93VDaIwck/mo0hMYaV+S7H5EE8vL+nUo --> ssh-ed25519 NaIdrw AEvxg0Ef0mcakpx+FY6MyniVHrseG6XLWCkU4JYeXn0 -iSRU4r/LdQppgn9VCUQ9WZoyVGHI81AcaAz6oTCl3v8 --> ssh-ed25519 +mFdtQ keWGRyoODhSW0cSazXshktZAIP5NUOpKJ2kwVu4ffic -mm1aPpst94ZGnnMl7PxbgPPD0s4BkIR3g3YT2bhyIDA --> ssh-ed25519 0IVRbA iEzMhoRhacu7KEbZC5AwGhIM4LPqZkTU6uiIVwm5wEg -dbxRMrEpLMXOECfCvGgBgZvn3pGX9+DxRzSjZANJbP4 --> ssh-ed25519 IY5FSQ BUmBe3r7emA3bUEvUpNanyLzxVmAjZyHWVGSQStvdgo -V7W+sevmsGDBrOsyWM3CRSiZrW0gPyV5v/IrfqcdbFw --> ssh-ed25519 VQSaNw KqPjcuCZvM/Ao54AYHJHlZ9tLoUstwzsAESqlS/g12M -6nVO0c0g+ULE0A1POGFaylpLR+HwRSnfkdXl0vR0FQw --> %Oq`'8n+-grease HV" C5b[8N -ncBsUWVkkJ4UvIaxFWwN8SXvMUrk1J5pCAeRg2e1bHp75RkGd6apUWdg ---- IpyGgm4d6PctYg3NCJ1FTHR9RSVh4dX+ERhj75xRH/4 -wM?8NwV(ɧ]ǨO \ No newline at end of file diff --git a/modules/nixos/dgn-notify/secrets.nix b/modules/nixos/dgn-notify/secrets.nix index f8f5d3f..7eae1ae 100644 --- a/modules/nixos/dgn-notify/secrets.nix +++ b/modules/nixos/dgn-notify/secrets.nix @@ -4,5 +4,5 @@ { mail.publicKeys = (import ../../../keys.nix).machineKeysBySystem "nixos"; - ntfy_sh-systemd_passwd.publicKeys = (import ../../../keys.nix).machineKeysBySystem "nixos"; + ntfy-sh-systemd_passwd.publicKeys = (import ../../../keys.nix).machineKeysBySystem "nixos"; } diff --git a/modules/nixos/ntfy-sh/default.nix b/modules/nixos/ntfy-sh/default.nix index 878e692..22ac19e 100644 --- a/modules/nixos/ntfy-sh/default.nix +++ b/modules/nixos/ntfy-sh/default.nix 
@@ -11,6 +11,7 @@ let inherit (lib) + getExe' mapAttrsToList mkEnableOption mkIf @@ -38,6 +39,7 @@ let inherit acl_file; user_db = settings.auth-file; + ntfy = getExe' config.services.ntfy-sh.package "ntfy"; name = "ntfy-acl"; src = ./ntfy-acl.py; diff --git a/modules/nixos/ntfy-sh/ntfy-acl.py b/modules/nixos/ntfy-sh/ntfy-acl.py index 4df5dca..4ff5d1a 100644 --- a/modules/nixos/ntfy-sh/ntfy-acl.py +++ b/modules/nixos/ntfy-sh/ntfy-acl.py @@ -9,7 +9,7 @@ import subprocess def ntfy(*args: str, env=None): - subprocess.run(["ntfy"] + list(args), env=env).check_returncode() + subprocess.run(["@ntfy@"] + list(args), env=env).check_returncode() def create_user(u: str, role: str, passwordFile: str, hashedPassword: str): @@ -62,7 +62,7 @@ with open("@acl_file@") as acl_fp: # Connect to the db to recover the list of current users with sqlite3.connect("@user_db@") as con: c = con.cursor() - existing_users: set[str] = set(c.execute("SELECT user FROM user")) - {"*"} + existing_users: set[str] = set(map(lambda e: e[0], c.execute("SELECT user FROM user"))) - {"*"} wanted_users: set[str] = set(acl_data["users"].keys()) @@ -82,7 +82,7 @@ for user in existing_users & wanted_users: ntfy("access", "--reset") for rule in acl_data["access"]: - ntfy("access", rule["user"], rule["topic"], rule["permission"]) + ntfy("access", rule["username"], rule["topic"], rule["permission"]) # Write the new ACL file path with open("/var/lib/ntfy-sh/.acl-path", "w") as f:
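Review bot: `subprocess.run(...).check_returncode()` is the two-step form of the `check` argument; `subprocess.run(["@ntfy@", *args], env=env, check=True)` raises the same `CalledProcessError` and reads as one call. The `@ntfy@` token only becomes a valid path after the Nix side substitutes it, as do `@acl_file@` and `@user_db@` further down; a module-level comment listing the placeholders the build substitutes would help anyone reading or running the script outside the build.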
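Review bot: `set(map(lambda e: e[0], c.execute(...)))` reads more naturally as a set comprehension, `existing_users: set[str] = {row[0] for row in c.execute("SELECT user FROM user")} - {"*"}`. Separately, `with sqlite3.connect("@user_db@") as con` only commits or rolls back on block exit and does not close the connection, so the handle on the ntfy user database presumably stays open while the later `ntfy` subprocesses modify the same file; wrapping it as `with contextlib.closing(sqlite3.connect("@user_db@")) as con:` (or calling `con.close()` after the block) avoids that overlap.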
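Review bot: The switch to `rule["username"]` makes the loop raise `KeyError` on any ACL entry that still carries the old `user` key, and because `ntfy("access", "--reset")` has already run by then, the server is left with no access rules until the file is corrected. Validating every rule before the reset closes that window, e.g. `bad = [r for r in acl_data["access"] if not {"username", "topic", "permission"} <= r.keys()]` followed by `if bad: raise SystemExit(f"malformed access rules: {bad}")`, placed above the reset call. The `for user in existing_users & wanted_users:` loop shown in the hunk header starts outside the hunk.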