public-cof: secure nextcloud using agenix

This commit is contained in:
Raito Bezarius 2021-11-15 00:11:19 +01:00
parent bb89a44d87
commit f5eafee411
5 changed files with 70 additions and 3 deletions

View file

@ -1,4 +1,4 @@
{ ... }: { config, ... }:
{ {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
@ -11,8 +11,8 @@
dbtype = "pgsql"; dbtype = "pgsql";
dbhost = "/run/postgresql"; dbhost = "/run/postgresql";
dbpass = "TODO"; dbpassFile = config.age.secrets.nextcloudDatabasePassword.path;
adminpass = "TODO"; adminpassFile = config.age.secrets.nextcloudAdminPassword.path;
defaultPhoneRegion = "FR"; defaultPhoneRegion = "FR";
}; };

View file

@ -0,0 +1,5 @@
{ ... }:
{
age.secrets.nextcloudAdminPassword.file = ./nextcloudAdminPasswordFile.age;
age.secrets.nextcloudDatabasePassword.file = ./nextcloudDatabasePasswordFile.age;
}

View file

@ -0,0 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 xbfJnw jGSrM/Yx0LnVlmBml7/7LwZeSL68CPiF7/97OyYnJj0
66yS5TDLDpMXz6ggOeMyOhSDU2jSKDVoW5zvBvdN83I
-> ssh-ed25519 Wu8JLQ BH68DcAZ/Ruudd2QgREQ1I9YhC/JWOnn7dOkgoVdAgE
cJq/valbiW3xYyXxgmTMos9XQm/+SDIhd3cn32vcgxs
-> ssh-ed25519 cvTB5g qXCbgWmzetHsJTo/nnN9M/dRmYLW7HIHuaphMHXFB00
WLVPkAJk2D4dca2+QlGFtCArLFjixypXV/P7VmJuK6g
-> ssh-ed25519 /vwQcQ 0aUZckwIHbXv/Uo3gyeAHGwEIzMQyPSh2Ks+s3QBPU8
zt978+4EwedA6UTLurnjisjbrR/qFZf80IPcAxd3Qxw
-> ssh-ed25519 reTIKw jFGzhLb0YM5dJslCmp7bjRt5JYufGRAJzVmdjMKgdQw
Y9KIYgX2PHCU0/8h4Pn6YLqaZYzvrPUy1pmaLGzY8C4
-> ssh-ed25519 85WiGg aZRVNM5iSL+BpZfundDVSpPs0mhFxssUA/t5POsi1AU
haYzRumOlDno9UdlcCr/GUoAOEqNrf+iPv9SpP76EYM
-> ssh-rsa krWCLQ
pbjqzOfXUuWlunTcCiwjKAqe5ZZdW+6jE86D3yuPz4PheDEFi6oYAnc0pIPoZOnh
9OkTTB6o9wPhoA5O+SOszvCFVOlS33EHwCFKFwy/lg3LwgsU6qon6YQAQfjOMf57
yGlFDJhGfKfzoXzAlWIxpY6KQE15pkI2OAv9/1UWmFmGpw1vWOgcyJn0rbHK9Wtk
uGWOPCAsx7n/K4YukvVdB1pHtNlXyj6odMwRch3MmpKl4UlBMtB10NI2fMpqcWp1
vgCcjsP2JX6zlTTQvu1afV2QMk2R9zfm4iZtk6lqhkFO9hGx12/1WfxFlww6YDyB
HDLu5vZddUtV7Wwm9Wa6Cw
-> H0-z{"-grease bic 5)(&;3`E _&UZCo7 hJ_x
5r9qRqyXOdPxqPPV8uCjaiJveaq0TLioCRMohcBamFx80I2EN/XDkPzeUNSkYyQ/
--- gQnYjgiBjl7W2nLAvdfGcX8UVMr5RCFSysgp7iGWZlc
(þ¾}$è11¯¹E-(»Sþ r¾ÂlGb3`>óKÒ6BŒeé” ÊjÉ“o"{G¦G=F7í¼

View file

@ -0,0 +1,25 @@
age-encryption.org/v1
-> ssh-ed25519 xbfJnw qeyTMwQ+l90wwNiGxLCvKZ+yIzEjehcr8SIlHrHTERQ
3XTb7giFfF9l/+hDq/TlWKt/Gr1qlMxB2agi1Mzn4Bs
-> ssh-ed25519 Wu8JLQ vrqgvKp+dB2TnZrRriOvvJfqxh7vbSpTL2P+u8zORC4
7qTNpJw8j4HpjehzoZeMUqCPDBFZRhu3bhdCVbRAUrU
-> ssh-ed25519 cvTB5g 2R6aXhN56nYrEObDuDJdhmH1kMduXUzoEg22C4QjHRA
sIRV6aTkefsy4wdJ1Ay+O/q0Y0MdTPRFKTjWGHlz5xg
-> ssh-ed25519 /vwQcQ xcSn2vFYBkYESWRZqmeWNiP0EV1zWH3SaiYG+6V8xGY
zv2yiZrBlsskeLrvco5w+QPTDRyRGQ3mjGuHFjWcfGI
-> ssh-ed25519 reTIKw Bdc7/F+nWuCQ5aqiuUPqb6mHlQCMafINyWaqVDQG5y0
Myj64k+s/KIVOfGje3reKeRHrjGL6cE+9knBCsS+rX0
-> ssh-ed25519 85WiGg PKpNCdpcl+aSuTx13I/Hq9annJ5FRXiONQ/4iqwyZUc
CHUHvPtA5ydOkpHfgOXtvuYMOAhM53YfXbexhW7fbJY
-> ssh-rsa krWCLQ
IhI9bg+jq5y32OaYdes7y1iBUkOAkc2dXdFP2FI0/CAthBBOGs9qyCuf39S8i4YT
pHPRniwOYUUuCjThU1zUA6cboBh13Y381mioqTF656/w8tn2ZGFRnOcOwqp9d0v4
vPHgdyZFpmD0MUmFlw1YfTWWWMbFyhDPY6C3r4L3dftGuineY3A/+zC+Y1RuCYBw
+Kl/tbIGUBckX+Cqdt8KokPpGw3ZxkHXWx3lMlNembrPpsM44Mbz88mBiHn77Ys3
auHE7Ff04txLiG9fGo9p3GX6nk2aCz1vT+YJB1cWZErsNSWTSRLILGLHvR37KMMv
daiVtfDwNwoGbEmpw0iVCA
-> ;LK-grease H638S/n
76dNkVvkNr1Y+O2AwEjYyUbmCog7ChnU3U54t/ZyPCAd2Q5vuGSQHe+RxtIh8fux
RvrDH2Qa7jGT0F86FTwrWK7fKQkT
--- r4tKKSFy30F9y4jQzdBB0RjCFJQmy2lFhZDr3enZjeQ
Ž-zÆyl¾ ç§,“˜ ýj>8Ѐ¶ÔØÂÊ%>œM<C593>q<EFBFBD>o±)ÛDi0Èï YªžÇLçÌ©Ñ

View file

@ -0,0 +1,13 @@
let
pkgs = import <nixpkgs> {};
lib = pkgs.lib;
readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd");
public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg";
systems = [ public-cof ];
in
{
"nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems;
"nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems;
}