1f9c2669a2
sops: - devShell provides ssh-to-age and sets SOPS_AGE_KEY_FILE to $REPO/.sops-age-key.txt (gitignored, generated locally). - .sops.yaml lists laptop + watcher recipients. The watcher recipient is derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age, so the watcher decrypts using its SSH host key as the age identity at boot. - hosts/watcher/secrets.yaml holds an `example` placeholder; sops-install- secrets surfaces it at /run/secrets/example (root-only). Forgejo: - modules/forgejo.nix enables services.forgejo (sqlite + daily tar.gz dump), built-in SSH server on :2222, HTTP on 127.0.0.1:3000. - modules/website.nix adds the git.tyrolize.ch vhost reverse-proxying to localhost. Caddy gets a Let's Encrypt cert automatically. - terraform/infomaniak/watcher.tf opens :2222 v4+v6 in the security group. - Admin user `tyro` (role admin) created out-of-band via the gitea CLI. Both services live on the watcher. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
24 lines
948 B
YAML
24 lines
948 B
YAML
# sops-nix encryption rules.
|
|
#
|
|
# Recipients:
|
|
# - laptop: the age key in $REPO/.sops-age-key.txt (gitignored).
|
|
# To recover: keep a copy of that file in your password manager.
|
|
# - watcher: derived from the watcher's SSH host key
|
|
# (/etc/ssh/ssh_host_ed25519_key). If the watcher is rebuilt without
|
|
# restoring that host key, regenerate the recipient with:
|
|
# ssh tyro@<watcher> cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
|
|
# and update this file accordingly.
|
|
#
|
|
# To edit an encrypted file: `sops hosts/watcher/secrets.yaml`
|
|
# To re-encrypt all files for new/changed keys: `sops updatekeys hosts/watcher/secrets.yaml`
|
|
|
|
keys:
|
|
- &laptop age12hw3c0qfhl2ezk4aawgax3qu3a6gt5vm300xqtzwsl5l7mj903pq4kw8pf
|
|
- &watcher age1ck8zheqpudkc6zsgfujyf287zte3q07fa05wkqwfv3raz7snsf9sk7s8zf
|
|
|
|
creation_rules:
|
|
- path_regex: hosts/watcher/secrets\.yaml$
|
|
key_groups:
|
|
- age:
|
|
- *laptop
|
|
- *watcher
|