From d4f506e08a62c342ce1c4ed5ee72dd5b13d5facd Mon Sep 17 00:00:00 2001 From: Joshua Potter Date: Thu, 18 Jan 2024 06:21:11 -0700 Subject: [PATCH] Move all services with some data store to the same machine. --- hive/thebe/default.nix | 2 ++ services/boardwise/default.nix | 5 +++-- services/boardwise/secrets.yaml | 35 +++++++++++++++++++++------------ services/plausible/default.nix | 9 ++++++--- 4 files changed, 33 insertions(+), 18 deletions(-) diff --git a/hive/thebe/default.nix b/hive/thebe/default.nix index 9334749..681d6d5 100644 --- a/hive/thebe/default.nix +++ b/hive/thebe/default.nix @@ -3,6 +3,8 @@ imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [ sops-nix.nixosModules.sops ../../digital-ocean/configuration.nix + ../../services/boardwise + ../../services/forgejo.nix ../../services/plausible ]; diff --git a/services/boardwise/default.nix b/services/boardwise/default.nix index e554519..d5bb427 100644 --- a/services/boardwise/default.nix +++ b/services/boardwise/default.nix @@ -48,7 +48,8 @@ in ]; sops = { - defaultSopsFile = ./secrets.yaml; - secrets.BOARDWISE_SECRET_KEY_BASE = {}; + secrets.BOARDWISE_SECRET_KEY_BASE = { + sopsFile = ./secrets.yaml; + }; }; } diff --git a/services/boardwise/secrets.yaml b/services/boardwise/secrets.yaml index 93c6605..78184db 100644 --- a/services/boardwise/secrets.yaml +++ b/services/boardwise/secrets.yaml @@ -1,4 +1,4 @@ -BOARDWISE_SECRET_KEY_BASE: ENC[AES256_GCM,data:cXN04jWbIZOYxf5BJNtnebAFBDDn2b/Rj3d5LVZ028Q12y8KLmEuaj+s43Pcmgypvo7xQGhjT89p7TWkiciIzbNFTN0hrvQP3qpQCFWtrf0=,iv:obSPCWPoFLYvj9MulY4lBJnmaMlQsuM1NHsrCJnfywY=,tag:vrZgceJ9VRRgQjBF7FnXBA==,type:str] +BOARDWISE_SECRET_KEY_BASE: ENC[AES256_GCM,data:2Fsko9ufmsk/WxOyoGOHaWRup2mSKOElzcfdG00PZfmb4aAoFUpNbeScVl/YxjFOO5rD1a2OfRZga/r9uVX6fd0vqGWggRA1OyGYSRwx74E=,iv:obSPCWPoFLYvj9MulY4lBJnmaMlQsuM1NHsrCJnfywY=,tag:5Rd7OBDO2ssvAPjAIOx7KA==,type:str] sops: kms: [] gcp_kms: [] 
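Review bot: The two added imports put boardwise and forgejo on the same host as plausible, but nothing at the `imports` list records why, or that this host's key must now decrypt every imported service's secrets. A short comment above the list would help, e.g. `# Stateful services are co-located here; this host's age key must be a recipient of each service's sops file.` Co-location also means a compromise of one service sits next to the others' data stores, so per-service users and file ownership carry the isolation. Whether `forgejo.nix` declares secrets or a dedicated user is not visible in this patch, and the rest of the module lies outside the hunk.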
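Review bot: The switch from `defaultSopsFile` to a per-secret `sopsFile` carries no comment, so a later edit could reintroduce a module-level default that conflicts once several service modules are imported on one host. That conflict is presumably the reason for the change, and the same pattern appears in the `services/plausible/default.nix` hunk. I would add `# sopsFile is set per secret: modules sharing a host must not each define sops.defaultSopsFile.` above `secrets.BOARDWISE_SECRET_KEY_BASE`. The declaration also leaves `owner` and `mode` at the sops-nix defaults. How the service reads the secret is outside the hunk, so confirm the decrypted file is readable only by the unit that needs it now that other services share the machine.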
@@ -8,23 +8,32 @@ sops: - recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvalIvZDJGbTl6bW1yRWxN - MTUzOG5NTEV4YUZYYU1jajhrc25GaVJ2SzIwCm1NN0Z4TFFyRFpwUTgvRTBIVzFo - dUhLSytmc3h2WmI5d29ueFdJU1hxSlkKLS0tIEdxN3FHS0IxMGtHMTBqRVNkQkdt - aXdEZWttYm9nK0NGQ3FnNHozWkRYcE0KLYe1ObAipGDJlP51n6p9i5cUuyv2yGob - BkAb0MKZSe3itmr2YCvdq4ZhR6HEO56DDdOgWA7lN62Aml8L4y51IQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaXlaTkxmOVJqV1JKL0tx + anFiSzZ3by9YY0VYMnZLazcvWnBwV2JvWkg4Cm5XOTVBbFo4WVNuN0hMZ1BGTmlD + UnBIc09YeUZHN1YyR1lRWkFGNFlpR00KLS0tIFZWN0tHNGFUaGI0cCt3aU5YSW4w + NEpGV1cvRkxXaENnUXRFNTQwWWk0T1kKkgAKg3+PeGsw0znQy/e1Fu2yRhOm5FA5 + dshbwxtW7g5dJbrP1JIKRSA+JAYvnOSuOlu4T5MuCUbJd/HXiAJKGQ== -----END AGE ENCRYPTED FILE----- - recipient: age16twzd97nh7tstk5meh277w02le6dxqmv7wzrjlemn87n36dzlyfq7uusj2 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZDJHOFd6STlZM1ZSc1pX - bmh0eXNDQ1FvZlpLWkpQcGxrMXVuSXUxaUFrCkc5QjdEM2xlV1N0K0MxUi9MeVhU - dmp3U2lBQVcrTld2T2RHR2t2UjVJd3MKLS0tIHJhamRwQ3ZmZWFrSFA5dEpDVm1n - eVRiNzAyRk9mUXpPZmRCcU5BVitjQW8KPFKtQSwOKtp5pLI2mlAXtkc8nJYoXjo0 - jdqxptc4a7uKywi8s1lffUSkV/ifMxVc9uH2M+0ry227aU+r2Lk0tA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBobEloNFpxTHpDQkovZDI5 + aXFYVFgxdzVUNlJPMytHclBzWXBTdERZSWpBCjlVRldUaitTMHdwaUVhZEZWL3hP + L0s3ZG5yamhMRnlpUG4rUTU4Z1NWR1kKLS0tIDRQdUQ4V0dNbmlkZmpKcE5oWXQ5 + akdvdDU4by9aTjIzOFRySTk1dFRGUGMKOxLXlJHptJ++8yVN7JmLyAUWgs4Ff/3t + QYy/XBotUqC84nSZnS11dZvoApyogcQ1azirXqahLgvz/OsvgWo0NA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-10T17:43:15Z" - mac: ENC[AES256_GCM,data:YzJ0VhC1TIcnRdBT05NjnAihcfDwuDBYqCabOG0Z5yPqBH5GgChQ9TKxWQ9kVV9PSRr9cvJdVr5LxasjcmxMpCYDFP1EytikX3N47GXK6Y2ydnZ+Z5YMJLYMFAuEiePZvI7ksrQVISKDoZzzMV37gRn70aovWQBG0O9mo/2INiM=,iv:hE7z2YB8exHVJDRybeHObefOfRGkAt9I9pdovIEYgH0=,tag:hzZ1CoG+PjBSyCkFH3VwQw==,type:str] + - recipient: 
age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybDFOSzR5ZWFjbitmRFNW + UmZoU1BKaGhKNWJWM2FJR1VTK2M4QkdIVEFFCmwvYmdpaENBaFJSY3oyaVVnSXd0 + WWhQV3A4T2FLV0tlU2ZGZmdhc2daWnMKLS0tIFU0MEI1RDJySVpYNk5Gc2UwYWQ1 + Nk4yYnl6Q2hBNFR1ZWY3bmlnL0VvODgKnHD8IEneA19BOzpKYyNprU+rMukGlahm + V2l7y4FJZwlhlAChDSzKZXCRVV816pdAm96URJ07WRzlOfLD5NErqA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-18T13:20:52Z" + mac: ENC[AES256_GCM,data:UDjPQO+Uc6LpozNHBRd4uYU3Ohrz9ZWCzQkeyPGeSB0qaMASz3sHTmMbgkPGrGAgN9rlyVnohV8c5aimCcfSw8LcmPcSKwqhIiS7Wn6BIgZ8JgMV3/ymeMYdSE+9Mm5UoxT+cxeBrPlo2FaXIjk3s30D3xjVoNdjMOmCa1PDTUA=,iv:E3zD57d19lBaHVOt/ka+hLdor9ckcJ3vcJDEMmbF07s=,tag:rtjDJDA41Oo/4eicy2FruA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/services/plausible/default.nix b/services/plausible/default.nix index dfb1bdc..6af0055 100644 --- a/services/plausible/default.nix +++ b/services/plausible/default.nix @@ -27,8 +27,11 @@ }; sops = { - defaultSopsFile = ./secrets.yaml; - secrets.PLAUSIBLE_ADMIN_PWD = {}; - secrets.PLAUSIBLE_SECRET_KEY_BASE = {}; + secrets.PLAUSIBLE_ADMIN_PWD = { + sopsFile = ./secrets.yaml; + }; + secrets.PLAUSIBLE_SECRET_KEY_BASE = { + sopsFile = ./secrets.yaml; + }; }; }
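Review bot: The recipient list grows to three age keys (the new `age1pjgq…` stanza) while both earlier recipients are kept, so every key that could decrypt this file before the move still can. If one of the retained keys belongs to the machine boardwise ran on previously, it should be removed from the creation rule and the file re-encrypted. In that case `BOARDWISE_SECRET_KEY_BASE` itself should also be regenerated, because that machine has already held the plaintext. The first hunk of this file shows the value's `iv` unchanged while `data` and `tag` differ, which suggests the data key was rotated over the same plaintext rather than the secret being replaced; worth confirming. The `.sops.yaml` rules that should list the new recipient are not part of this patch.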