public-cof: secure nextcloud using agenix
parent
bb89a44d87
commit
f5eafee411
5 changed files with 70 additions and 3 deletions
|
@ -1,4 +1,4 @@
|
||||||
{ ... }:
|
{ config, ... }:
|
||||||
{
|
{
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -11,8 +11,8 @@
|
||||||
dbtype = "pgsql";
|
dbtype = "pgsql";
|
||||||
dbhost = "/run/postgresql";
|
dbhost = "/run/postgresql";
|
||||||
|
|
||||||
dbpass = "TODO";
|
dbpassFile = config.age.secrets.nextcloudDatabasePassword.path;
|
||||||
adminpass = "TODO";
|
adminpassFile = config.age.secrets.nextcloudAdminPassword.path;
|
||||||
|
|
||||||
defaultPhoneRegion = "FR";
|
defaultPhoneRegion = "FR";
|
||||||
};
|
};
|
||||||
|
|
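Review bot: Switching `dbpass`/`adminpass` to `dbpassFile`/`adminpassFile` only changes what the module reads. If this host was ever deployed with the `"TODO"` placeholders, the Nextcloud admin account and the PostgreSQL role presumably still carry that value, since the module appears to apply the admin password at first install only. I would add a comment next to `adminpassFile` such as `# only read on first install; rotate an existing admin password with nextcloud-occ user:resetpassword`, and check the live instance. Nothing visible in this commit imports `./secrets` or the agenix module, so `config.age` has to come from an import outside these hunks. The `services.nextcloud` block starts and ends outside the hunks.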
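--- /dev/null
+++ b/machines/public-cof/secrets/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+{
+age.secrets.nextcloudAdminPassword.file = ./nextcloudAdminPasswordFile.age;
+age.secrets.nextcloudDatabasePassword.file = ./nextcloudDatabasePasswordFile.age;
+}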
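Review bot: Both secrets are declared with `.file` only, so agenix installs them with its defaults (owned by root, mode 0400), while the NixOS Nextcloud module documents that `adminpassFile` and `dbpassFile` must be readable by the `nextcloud` user. Unless the module version in use reads them as root, the setup service will not be able to read the passwords. Set the owner per secret, e.g. `age.secrets.nextcloudAdminPassword.owner = "nextcloud";` and the same for `nextcloudDatabasePassword`, and keep the default mode rather than widening it.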
24
machines/public-cof/secrets/nextcloudAdminPasswordFile.age
Normal file
24
machines/public-cof/secrets/nextcloudAdminPasswordFile.age
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 xbfJnw jGSrM/Yx0LnVlmBml7/7LwZeSL68CPiF7/97OyYnJj0
|
||||||
|
66yS5TDLDpMXz6ggOeMyOhSDU2jSKDVoW5zvBvdN83I
|
||||||
|
-> ssh-ed25519 Wu8JLQ BH68DcAZ/Ruudd2QgREQ1I9YhC/JWOnn7dOkgoVdAgE
|
||||||
|
cJq/valbiW3xYyXxgmTMos9XQm/+SDIhd3cn32vcgxs
|
||||||
|
-> ssh-ed25519 cvTB5g qXCbgWmzetHsJTo/nnN9M/dRmYLW7HIHuaphMHXFB00
|
||||||
|
WLVPkAJk2D4dca2+QlGFtCArLFjixypXV/P7VmJuK6g
|
||||||
|
-> ssh-ed25519 /vwQcQ 0aUZckwIHbXv/Uo3gyeAHGwEIzMQyPSh2Ks+s3QBPU8
|
||||||
|
zt978+4EwedA6UTLurnjisjbrR/qFZf80IPcAxd3Qxw
|
||||||
|
-> ssh-ed25519 reTIKw jFGzhLb0YM5dJslCmp7bjRt5JYufGRAJzVmdjMKgdQw
|
||||||
|
Y9KIYgX2PHCU0/8h4Pn6YLqaZYzvrPUy1pmaLGzY8C4
|
||||||
|
-> ssh-ed25519 85WiGg aZRVNM5iSL+BpZfundDVSpPs0mhFxssUA/t5POsi1AU
|
||||||
|
haYzRumOlDno9UdlcCr/GUoAOEqNrf+iPv9SpP76EYM
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
pbjqzOfXUuWlunTcCiwjKAqe5ZZdW+6jE86D3yuPz4PheDEFi6oYAnc0pIPoZOnh
|
||||||
|
9OkTTB6o9wPhoA5O+SOszvCFVOlS33EHwCFKFwy/lg3LwgsU6qon6YQAQfjOMf57
|
||||||
|
yGlFDJhGfKfzoXzAlWIxpY6KQE15pkI2OAv9/1UWmFmGpw1vWOgcyJn0rbHK9Wtk
|
||||||
|
uGWOPCAsx7n/K4YukvVdB1pHtNlXyj6odMwRch3MmpKl4UlBMtB10NI2fMpqcWp1
|
||||||
|
vgCcjsP2JX6zlTTQvu1afV2QMk2R9zfm4iZtk6lqhkFO9hGx12/1WfxFlww6YDyB
|
||||||
|
HDLu5vZddUtV7Wwm9Wa6Cw
|
||||||
|
-> H0-z{"-grease bic 5)(&;3`E _&UZCo7 hJ_x
|
||||||
|
5r9qRqyXOdPxqPPV8uCjaiJveaq0TLioCRMohcBamFx80I2EN/XDkPzeUNSkYyQ/
|
||||||
|
--- gQnYjgiBjl7W2nLAvdfGcX8UVMr5RCFSysgp7iGWZlc
|
||||||
|
(þ¾}$è11¯¹E-(»Sþr¾ÂlGb3`>óKÒ6BŒeé‚” ÊjÉ“o"{G¦G=F7í¼
|
|
@ -0,0 +1,25 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 xbfJnw qeyTMwQ+l90wwNiGxLCvKZ+yIzEjehcr8SIlHrHTERQ
|
||||||
|
3XTb7giFfF9l/+hDq/TlWKt/Gr1qlMxB2agi1Mzn4Bs
|
||||||
|
-> ssh-ed25519 Wu8JLQ vrqgvKp+dB2TnZrRriOvvJfqxh7vbSpTL2P+u8zORC4
|
||||||
|
7qTNpJw8j4HpjehzoZeMUqCPDBFZRhu3bhdCVbRAUrU
|
||||||
|
-> ssh-ed25519 cvTB5g 2R6aXhN56nYrEObDuDJdhmH1kMduXUzoEg22C4QjHRA
|
||||||
|
sIRV6aTkefsy4wdJ1Ay+O/q0Y0MdTPRFKTjWGHlz5xg
|
||||||
|
-> ssh-ed25519 /vwQcQ xcSn2vFYBkYESWRZqmeWNiP0EV1zWH3SaiYG+6V8xGY
|
||||||
|
zv2yiZrBlsskeLrvco5w+QPTDRyRGQ3mjGuHFjWcfGI
|
||||||
|
-> ssh-ed25519 reTIKw Bdc7/F+nWuCQ5aqiuUPqb6mHlQCMafINyWaqVDQG5y0
|
||||||
|
Myj64k+s/KIVOfGje3reKeRHrjGL6cE+9knBCsS+rX0
|
||||||
|
-> ssh-ed25519 85WiGg PKpNCdpcl+aSuTx13I/Hq9annJ5FRXiONQ/4iqwyZUc
|
||||||
|
CHUHvPtA5ydOkpHfgOXtvuYMOAhM53YfXbexhW7fbJY
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
IhI9bg+jq5y32OaYdes7y1iBUkOAkc2dXdFP2FI0/CAthBBOGs9qyCuf39S8i4YT
|
||||||
|
pHPRniwOYUUuCjThU1zUA6cboBh13Y381mioqTF656/w8tn2ZGFRnOcOwqp9d0v4
|
||||||
|
vPHgdyZFpmD0MUmFlw1YfTWWWMbFyhDPY6C3r4L3dftGuineY3A/+zC+Y1RuCYBw
|
||||||
|
+Kl/tbIGUBckX+Cqdt8KokPpGw3ZxkHXWx3lMlNembrPpsM44Mbz88mBiHn77Ys3
|
||||||
|
auHE7Ff04txLiG9fGo9p3GX6nk2aCz1vT+YJB1cWZErsNSWTSRLILGLHvR37KMMv
|
||||||
|
daiVtfDwNwoGbEmpw0iVCA
|
||||||
|
-> ;LK-grease H638S/n
|
||||||
|
76dNkVvkNr1Y+O2AwEjYyUbmCog7ChnU3U54t/ZyPCAd2Q5vuGSQHe+RxtIh8fux
|
||||||
|
RvrDH2Qa7jGT0F86FTwrWK7fKQkT
|
||||||
|
--- r4tKKSFy30F9y4jQzdBB0RjCFJQmy2lFhZDr3enZjeQ
|
||||||
|
Ž-zÆyl¾ç§,“˜ýj>8Ѐ¶Ô’ØÂÊ%‚>œM<C593>q<EFBFBD>o±)ÛDi0Èï YªžÇLçÌ©Ñ
|
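--- /dev/null
+++ b/machines/public-cof/secrets/secrets.nix
@@ -0,0 +1,13 @@
+let
+pkgs = import <nixpkgs> {};
+lib = pkgs.lib;
+readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
+superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd");
+public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg";
+systems = [ public-cof ];
+in
+{
+"nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems;
+"nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems;
+}
+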
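Review bot: `readPubkeys` turns every non-empty line of `../pubkeys/raito.keys` and `../pubkeys/gdd.keys` into a recipient, so those files now decide who can decrypt both Nextcloud passwords, and nothing here says so. I would add a comment above `superadmins` such as `# every key listed here can decrypt all secrets below; run agenix --rekey after changing pubkeys/*.keys or the host key`. The filter drops only empty strings, so a comment line or a key with an options prefix in a `.keys` file would be passed through as a recipient; that presumably makes encryption fail, so a stricter filter may be worth it. `public-cof` looks like the machine's SSH host key, and a one-line comment saying where it was taken from would help whoever has to rekey after a reinstall.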