sops-nix bootstrap + Forgejo at git.tyrolize.ch
sops: - devShell provides ssh-to-age and sets SOPS_AGE_KEY_FILE to $REPO/.sops-age-key.txt (gitignored, generated locally). - .sops.yaml lists laptop + watcher recipients. The watcher recipient is derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age, so the watcher decrypts using its SSH host key as the age identity at boot. - hosts/watcher/secrets.yaml holds an `example` placeholder; sops-install- secrets surfaces it at /run/secrets/example (root-only). Forgejo: - modules/forgejo.nix enables services.forgejo (sqlite + daily tar.gz dump), built-in SSH server on :2222, HTTP on 127.0.0.1:3000. - modules/website.nix adds the git.tyrolize.ch vhost reverse-proxying to localhost. Caddy gets a Let's Encrypt cert automatically. - terraform/infomaniak/watcher.tf opens :2222 v4+v6 in the security group. - Admin user `tyro` (role admin) created out-of-band via the gitea CLI. Both services live on the watcher. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
tyrolize
parent
59d742f4ba
commit
1f9c2669a2
8 changed files with 145 additions and 7 deletions
22
.sops.yaml
22
.sops.yaml
|
|
@ -1,14 +1,24 @@
|
|||
# sops-nix encryption rules.
|
||||
#
|
||||
# To get started:
|
||||
# nix-shell -p age --run 'mkdir -p ~/.config/sops/age && age-keygen -o ~/.config/sops/age/keys.txt'
|
||||
# Then copy the public key (the line starting with "# public key:") into the
|
||||
# placeholder below.
|
||||
# Recipients:
|
||||
# - laptop: the age key in $REPO/.sops-age-key.txt (gitignored).
|
||||
# To recover: keep a copy of that file in your password manager.
|
||||
# - watcher: derived from the watcher's SSH host key
|
||||
# (/etc/ssh/ssh_host_ed25519_key). If the watcher is rebuilt without
|
||||
# restoring that host key, regenerate the recipient with:
|
||||
# ssh tyro@<watcher> cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
|
||||
# and update this file accordingly.
|
||||
#
|
||||
# To edit an encrypted file: `sops hosts/watcher/secrets.yaml`
|
||||
# To re-encrypt all files for new/changed keys: `sops updatekeys hosts/watcher/secrets.yaml`
|
||||
|
||||
keys:
|
||||
- &laptop age1REPLACE_ME_WITH_YOUR_LAPTOP_PUBLIC_KEY
|
||||
- &laptop age12hw3c0qfhl2ezk4aawgax3qu3a6gt5vm300xqtzwsl5l7mj903pq4kw8pf
|
||||
- &watcher age1ck8zheqpudkc6zsgfujyf287zte3q07fa05wkqwfv3raz7snsf9sk7s8zf
|
||||
|
||||
creation_rules:
|
||||
- path_regex: hosts/watcher/secrets\.yaml$
|
||||
key_groups:
|
||||
- age: [*laptop]
|
||||
- age:
|
||||
- *laptop
|
||||
- *watcher
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue