tyro/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/hosts/watcher/secrets.yaml
tyrolize 1f9c2669a2 sops-nix bootstrap + Forgejo at git.tyrolize.ch 
sops:
- devShell provides ssh-to-age and sets SOPS_AGE_KEY_FILE to
  $REPO/.sops-age-key.txt (gitignored, generated locally).
- .sops.yaml lists laptop + watcher recipients. The watcher recipient is
  derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age, so the
  watcher decrypts using its SSH host key as the age identity at boot.
- hosts/watcher/secrets.yaml holds an `example` placeholder; sops-install-
  secrets surfaces it at /run/secrets/example (root-only).

Forgejo:
- modules/forgejo.nix enables services.forgejo (sqlite + daily tar.gz
  dump), built-in SSH server on :2222, HTTP on 127.0.0.1:3000.
- modules/website.nix adds the git.tyrolize.ch vhost reverse-proxying to
  localhost. Caddy gets a Let's Encrypt cert automatically.
- terraform/infomaniak/watcher.tf opens :2222 v4+v6 in the security group.
- Admin user `tyro` (role admin) created out-of-band via the gitea CLI.

Both services live on the watcher.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-16 23:59:55 +02:00

27 lines
2 KiB
YAML
Raw Blame History

#ENC[AES256_GCM,data:Di03efwg2Ta3FDvLeHf9axkamX/MZ6IUDRL+aAEXol4J+RNZh1zF0Q7OydzL0DNp/GO5+mbeV412C03QqcNw/LyoOvr0tQax5gvb1qOXQ3ZoBE8=,iv:Ekyjlc2DQhF2g4wBq0mism7xgA4ijIu0tR5XbqfH8Fs=,tag:PC5mxMSQA4oEEKiibzLO6A==,type:comment]
#ENC[AES256_GCM,data:hUylzsdMw2FqS3dZgEJID6t0K1faXXXqpuaaZS11ZoLPsQVmzeBqOr4m2Q==,iv:IiW5X67mtkGenGGLkQxqMnK4IwIsOcptuTnGUiAdmUg=,tag:ufV8dmOL3mP76ssqL53r/g==,type:comment]
example: ENC[AES256_GCM,data:ZuUX5vadaSXv9QgPdhOa,iv:6EykcZ/7pE8aHGfw3P0V4c3iptCVFX9N7qPGaQXtpsk=,tag:aaVv2FilGUP++mVlJZGRAA==,type:str]
sops:
age:
- recipient: age12hw3c0qfhl2ezk4aawgax3qu3a6gt5vm300xqtzwsl5l7mj903pq4kw8pf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMUFFSm1hK1k2R2NLMjFI
cXZtamRUaWpJZ2VwUWxxZCtxNWpIenkyYlVVCmpQSkJLTDVtRkxpVmhWbFhZZGtN
UGh1VkdwTThCZjhTc0tOdXQyK0VwVnMKLS0tIERyV1V1TFdZS2grMmdGM01mTnRG
eWM0SUZjWVB3UEQyWlkyZkpPVTNLVzgKPPDYWvMhlW1AutxX4In4RKD6ThQNYWd6
tcri8OW3WXeVsaZu3oG0Lk+dic1W+Ii/FDY9huXjTzg65e2JViEF2A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ck8zheqpudkc6zsgfujyf287zte3q07fa05wkqwfv3raz7snsf9sk7s8zf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaRjlCcWh0UXhqaHFoTTUv
cTJFdmEwSWpqcDgvR1RSNVM4M0xnSUE1eHc4ClFTN2MxdDV4VW0wc1B0dE1IN1Bu
MVl4Um9xd3hYTEJGTHFkVVdwdEJuUDgKLS0tIE5PNmFxR1N4Z293ckRaZ3cvVm12
MFlOWWtQYUZjcGhNOTAwWWwzWFRqZFUK7kxjCXAreCIgqhZiKmdwVQg5hGm+b0/J
0Zw7zf1OWwV5o3qI5V6MLEUT5QYVy6QJQ56zFvi/fCmjr+ET3QC57g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-06-16T21:44:28Z"
mac: ENC[AES256_GCM,data:HhFyw1zNlMfvSshC9xX6YIZ95TUMZnG2ug7Gt9U5Kny5hZg5S5NsGM8/jlmaYejDESyxBsHFW6i+9hzFOeTnGdL6ou3LVJslJGGjS0x9PU13VaqaGAMKlDNWIz5XWNFOt6tue8i1JQE8h2iDHHlN2SDgYEGzVyPMl4hSxc+BoXI=,iv:9xZbfJS6m9xnOHwAvwLP6OLqxyNmzKEh3l/zawN4Jks=,tag:fS/b3x3CqlPAq3eT6bBjdA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0
Reference in a new issue View git blame Copy permalink