From af233793fbcaf824f2b38b8580e5c364da1fd002 Mon Sep 17 00:00:00 2001 From: Hendrik Sokolowski Date: Wed, 22 May 2024 21:49:34 +0200 Subject: [PATCH] initial work on mail --- flake.lock | 104 ++++++++++++++++++++++ flake.nix | 7 ++ hosts/default.nix | 13 +++ hosts/metronom/backups.nix | 13 +++ hosts/metronom/configuration.nix | 34 +++++++ hosts/metronom/default.nix | 13 +++ hosts/metronom/hardware-configuration.nix | 48 ++++++++++ hosts/metronom/mail.nix | 26 ++++++ hosts/metronom/networking.nix | 19 ++++ hosts/metronom/wireguard.nix | 54 +++++++++++ lib/deploy.nix | 2 +- secrets/mail/hensoko.age | 44 +++++++++ secrets/metronom-wg-private-key.age | 43 +++++++++ secrets/secrets.nix | 7 ++ 14 files changed, 426 insertions(+), 1 deletion(-) create mode 100644 hosts/metronom/backups.nix create mode 100644 hosts/metronom/configuration.nix create mode 100644 hosts/metronom/default.nix create mode 100644 hosts/metronom/hardware-configuration.nix create mode 100644 hosts/metronom/mail.nix create mode 100644 hosts/metronom/networking.nix create mode 100644 hosts/metronom/wireguard.nix create mode 100644 secrets/mail/hensoko.age create mode 100644 secrets/metronom-wg-private-key.age diff --git a/flake.lock b/flake.lock index 592f3eed..9d18f91b 100644 --- a/flake.lock +++ b/flake.lock @@ -27,6 +27,22 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", 
@@ -128,6 +144,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -328,6 +360,21 @@ "type": "github" } }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, "nixpkgs-lib": { "locked": { "lastModified": 1714640452, @@ -340,6 +387,21 @@ "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1705856552, + "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "root": { "inputs": { "agenix": "agenix", 
@@ -354,10 +416,37 @@ "nixos-flake": "nixos-flake", "nixpkgs": "nixpkgs", "nixpkgs-2205": "nixpkgs-2205", + "simple-nixos-mailserver": "simple-nixos-mailserver", "triton-vmtools": "triton-vmtools", "unstable": "unstable" } }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_2", + "nixpkgs": "nixpkgs_2", + "nixpkgs-23_05": "nixpkgs-23_05", + "nixpkgs-23_11": [ + "nixpkgs" + ], + "utils": "utils_2" + }, + "locked": { + "lastModified": 1706219574, + "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-23.11", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -475,6 +564,21 @@ "repo": "flake-utils", "type": "github" } + }, + "utils_2": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index f66a4b7e..a9e1e6d1 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,9 @@ element-stickers.url = "git+https://git.pub.solar/pub-solar/maunium-stickerpicker-nix?ref=main"; element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker"; element-stickers.inputs.nixpkgs.follows = "nixpkgs"; + + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; + simple-nixos-mailserver.inputs.nixpkgs-23_11.follows = "nixpkgs"; }; outputs = 
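Review bot: Only `nixpkgs-23_11` is made to follow the repo's own `nixpkgs` on the new `simple-nixos-mailserver` input, and the flake.lock hunks in this patch show the consequence: the mailserver still brings its own `nixpkgs_2` (nixos-unstable), `nixpkgs-23_05`, `utils_2`, `flake-compat_2` and `blobs` pins into the lock. If those are only used by the mailserver's own checks this is harmless, but each is one more pinned source revision to audit and keep updated. Where the repo does not need them, add further follows lines next to the existing one, for example `simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";`, so the closure evaluates against a single nixpkgs revision; whether the 23_05 input can be dropped the same way depends on the mailserver flake and is not visible here.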
@@ -123,6 +126,10 @@ hostname = "10.7.6.2"; sshUser = username; }; + metronom = { + hostname = "49.13.236.167"; + sshUser = username; + }; tankstelle = { hostname = "80.244.242.5"; sshUser = username; diff --git a/hosts/default.nix b/hosts/default.nix index 429730cf..8ded7cc3 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -59,6 +59,19 @@ ]; }; + metronom = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./metronom + self.nixosModules.overlays + self.nixosModules.unlock-zfs-on-boot + self.nixosModules.core + + self.inputs.simple-nixos-mailserver.nixosModule + ]; + }; + tankstelle = self.nixos-flake.lib.mkLinuxSystem { imports = [ self.inputs.agenix.nixosModules.default diff --git a/hosts/metronom/backups.nix b/hosts/metronom/backups.nix new file mode 100644 index 00000000..c5bf79b8 --- /dev/null +++ b/hosts/metronom/backups.nix @@ -0,0 +1,13 @@ +{ flake, ... }: +{ + age.secrets."restic-repo-droppie" = { + file = "${flake.self}/secrets/restic-repo-droppie.age"; + mode = "400"; + owner = "root"; + }; + age.secrets."restic-repo-storagebox" = { + file = "${flake.self}/secrets/restic-repo-storagebox.age"; + mode = "400"; + owner = "root"; + }; +} diff --git a/hosts/metronom/configuration.nix b/hosts/metronom/configuration.nix new file mode 100644 index 00000000..a423d4e3 --- /dev/null +++ b/hosts/metronom/configuration.nix 
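Review bot: `backups.nix` declares the `restic-repo-droppie` and `restic-repo-storagebox` agenix secrets for metronom, but `metronomKeys` and `metronom-host` are introduced by this same patch and the `secrets/secrets.nix` hunks only attach them to `metronom-wg-private-key.age` and `mail/hensoko.age`, so the two restic repository files cannot currently be decrypted by this host and activation would fail on them. Nothing breaks yet because `hosts/metronom/default.nix` keeps the import commented out as `#./backups.nix`, but whoever enables it must first re-key those two `.age` files with `metronomKeys ++ adminKeys`. There is also no `services.restic` definition in this patch, so even when enabled the file would only leave two decrypted repository credentials under `/run/agenix` with no consumer; either add the backup jobs alongside or drop the file until they exist.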
@@ -0,0 +1,34 @@ +{ + flake, + config, + pkgs, + ... +}: +{ + boot.loader.systemd-boot.enable = true; + boot.supportedFilesystems = [ "zfs" ]; + + boot.kernelParams = [ + "boot.shell_on_fail=1" + "ip=dhcp" + ]; + + boot.initrd.availableKernelModules = [ "igb" ]; + + # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets + systemd.services.zfs-mount.enable = false; + + # Declarative SSH private key + #age.secrets."metronom-root-ssh-key" = { + # file = "${flake.self}/secrets/metronom-root-ssh-key.age"; + # path = "/root/.ssh/id_ed25519"; + # mode = "400"; + # owner = "root"; + #}; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/metronom/default.nix b/hosts/metronom/default.nix new file mode 100644 index 00000000..c6e90714 --- /dev/null +++ b/hosts/metronom/default.nix @@ -0,0 +1,13 @@ +{ flake, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./configuration.nix + + ./networking.nix + ./mail.nix + ./wireguard.nix + #./backups.nix + ]; +} diff --git a/hosts/metronom/hardware-configuration.nix b/hosts/metronom/hardware-configuration.nix new file mode 100644 index 00000000..f891016e --- /dev/null +++ b/hosts/metronom/hardware-configuration.nix 
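Review bot: `boot.kernelParams` adds `boot.shell_on_fail=1`, which gives an unauthenticated root shell on the console whenever stage 1 fails; on a rented VM that console is the provider's web console, so anyone with panel access can obtain root on the box by making early boot fail. Either remove it once the `unlock-zfs-on-boot` flow is proven to work, or mark it so it does not silently become permanent: `# debugging aid: root shell on the provider console if stage 1 fails — remove once remote unlock is verified`. Separately, `boot.initrd.availableKernelModules = [ "igb" ]` names Intel's wired-NIC driver while `hardware-configuration.nix` in this patch describes a virtio QEMU guest and `networking.nix` uses `enp1s0`; if the initrd SSH unlock relies on `ip=dhcp`, the module that actually drives that interface (plausibly `virtio_net`, confirm with `lspci -k` on the host) is the one the initrd needs. The unused `flake`, `config` and `pkgs` arguments and the commented-out `metronom-root-ssh-key` block are noise; keep the latter only as a one-line TODO.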
@@ -0,0 +1,48 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "virtio_pci" + "virtio_scsi" + "usbhid" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "root_pool/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/2083-C68E"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/metronom/mail.nix b/hosts/metronom/mail.nix new file mode 100644 index 00000000..a68351ed --- /dev/null +++ b/hosts/metronom/mail.nix 
@@ -0,0 +1,26 @@ +{ config, flake, ... }: + +{ + age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age"; + + mailserver = { + enable = true; + fqdn = "metronom.pub.solar"; + domains = [ "pub.solar" ]; + + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt' + loginAccounts = { + "hensoko@pub.solar" = { + hashedPasswordFile = config.age.secrets.mail-hensoko.path; + aliases = [ "postmaster@pub.solar" ]; + }; + }; + + # Use Let's Encrypt certificates. Note that this needs to set up a stripped + # down nginx and opens port 80. + certificateScheme = "acme-nginx"; + }; + security.acme.acceptTerms = true; + security.acme.defaults.email = "security@pub.solar"; +} diff --git a/hosts/metronom/networking.nix b/hosts/metronom/networking.nix new file mode 100644 index 00000000..8d57a051 --- /dev/null +++ b/hosts/metronom/networking.nix @@ -0,0 +1,19 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + + networking.hostName = "metronom"; + networking.domain = "pub.solar"; + networking.hostId = "00000002"; + + networking.enableIPv6 = true; + networking.useDHCP = false; + networking.interfaces."enp1s0".useDHCP = true; + + # TODO: ssh via wireguard only + services.openssh.openFirewall = true; +} diff --git a/hosts/metronom/wireguard.nix b/hosts/metronom/wireguard.nix new file mode 100644 index 00000000..ff736a01 --- /dev/null +++ b/hosts/metronom/wireguard.nix 
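Review bot: The `mailserver` block documents the password-hash procedure but not the out-of-band records a mail host depends on: MX, SPF and DMARC for `pub.solar`, the DKIM public key the module generates for the domain, and a PTR record for the host IP that resolves back to `fqdn = "metronom.pub.solar"`; without these, mail from this host is rejected or spam-foldered and the config gives no pointer to why. Suggest a comment above `fqdn`, e.g. `# Keep DNS in sync: MX/SPF/DMARC for pub.solar, DKIM TXT from the module's key directory (/var/dkim by default), PTR of the host address must match fqdn`. `hashedPasswordFile` points at an agenix secret with default ownership (root, 0400); as far as I can tell that matches how nixos-mailserver reads the hash files when it builds its dovecot passwd file, so a short comment saying the default permissions are intentional would stop a later edit from loosening them. Also note `security.acme.defaults.email = "security@pub.solar"` now targets a domain whose mail is being moved onto this very host, so ACME expiry notices about this machine will not arrive if this machine is the one that is down.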
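Review bot: `services.openssh.openFirewall = true` combined with the commented-out `services.openssh.listenAddresses` block in `wireguard.nix` leaves sshd reachable on the public address 49.13.236.167, even though the tunnel interface is named `wg-ssh` and carries 10.7.6.3 / fd00:fae:fae:fae:fae:3:: for exactly that purpose. The `# TODO: ssh via wireguard only` acknowledges this; an interim step that avoids sshd trying to bind a tunnel address that may not exist yet at boot is to leave the listen addresses alone and restrict the firewall instead, `services.openssh.openFirewall = false;` plus `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];`. The deploy-rs node added to `flake.nix` also points at the public IP, so it has to move to the tunnel address at the same time (the flora-6 entry already uses 10.7.6.2). `networking.hostId = "00000002"` is hand-picked; ZFS only needs it to differ between hosts that might see the same pool, which is fine as long as no other host in the fleet uses the same value, but a comment naming the scheme would make that checkable.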
@@ -0,0 +1,54 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "10.7.6.3/32" + "fd00:fae:fae:fae:fae:3::/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } + { + # nachtigall.pub.solar + endpoint = "138.201.80.102:51820"; + publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk="; + allowedIPs = [ + "10.7.6.1/32" + "fd00:fae:fae:fae:fae:1::/96" + ]; + } + ]; + }; + }; + + #services.openssh.listenAddresses = [ + # { + # addr = "10.7.6.3"; + # port = 22; + # } + # { + # addr = "[fd00:fae:fae:fae:fae:3::]"; + # port = 22; + # } + #]; +} diff --git a/lib/deploy.nix b/lib/deploy.nix index 7f49289f..0cdb0eb4 100644 --- a/lib/deploy.nix +++ b/lib/deploy.nix @@ -8,7 +8,7 @@ { lib, inputs }: let # https://github.com/serokell/deploy-rs#overall-usage - system = "x86_64-linux"; + system = "aarch64-linux"; pkgs = import inputs.nixpkgs { inherit system; }; deployPkgs = import inputs.nixpkgs { inherit system; diff --git a/secrets/mail/hensoko.age b/secrets/mail/hensoko.age new file mode 100644 index 00000000..7a613f11 --- /dev/null +++ b/secrets/mail/hensoko.age 
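Review bot: Changing the single `system = "x86_64-linux"` constant in `lib/deploy.nix` to `"aarch64-linux"` switches the architecture of `pkgs` and `deployPkgs` for every node the helper produces, not just metronom; the other hosts in this repo were deployed through an x86_64 deploy-rs until now, so their activation scripts would now be built for the wrong platform (or not build at all on an x86_64 deploy machine). The architecture should come from the target rather than a file-level constant, e.g. `system = config.nixpkgs.hostPlatform.system` of the node being deployed, with `pkgs` and `deployPkgs` instantiated per node. The `let` block this hunk edits continues outside the hunk, so the per-node plumbing that would carry this is not visible here.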
@@ -0,0 +1,44 @@ +age-encryption.org/v1 +-> ssh-ed25519 UE5Ceg F7J2BMCNuOUcZhcbEyXBbFHkOI4sVA0qXbRmCWYNBAE +Na/iuNS8cxz0qEiosflBEB9TAF87sQgwBbUl0/fhmZo +-> ssh-ed25519 uYcDNw Xd8D3eCNMcXrxlYef4kj1N4CD16b5Xs3pfA/J8RJQDk +UoBSRBj4wS1cxnDV37JjW5kBP2XWWo7seJJsU0y0cEA +-> ssh-rsa f5THog +OxPFa8NRWqy2ShVfYtxqZWfJAmgkYd2xg2E8vNCPoWafo/6hBob7C+4hDiKRZPZa +EVLw0wgTe/nlMzBLOO3FlgZ0Ceb/uA2n4nu7st6mjwYQpsmVXwZoap88B2b+GYCs +GG4sgybkZ/BrfFgm94TIcC1lr2lMjA6C4xhC9Mphf2iEQf1wjL4N1msOC4gTAW8Q +zaH+K+qNEbTXne5Pox9wp6FjApSx33ldqRxOSzcf7RUuL2ew/63fTywW8ZdHcUgm +usKqBZX9vyhLdsHzZWSXwetybMfKWs1ry5kU3ekf9EmAAkSiukFxFdr7PON3l+VV ++hNFxi7RBKGC2u+ZE2Oh/MdXkKHMIVuJE1yhUJyiirH9/Mj2S6gOpSL7pjXIQdbC +RoGoE4fHWtp14Yn5X2YQCeGYPS+y87md9qKlVTzf29u95UjVkN4V8xwquOssWp/P +qlBJscmU3cp+U3W4Gzh1k1IwdBQ7B26rUOFEwa2/DI8VsBd/x4WmLQGiIe0VnOIB +YCekxeLrl4AAf/XTEc/qNTaXcn3OguMMq6KzyeWMTdKsrcw7/P7j+06SbK+Co57D +7zt/h2dDeAEz1eo7yGLu/zd2s2iyEBNxnzvSqvRpYAkcNNI7DvNfdotDYWj0kbuW +rKfPKnXOUvf9tKsjbd1BRI563TpcoL3ebnokhBfu+v4 +-> ssh-rsa kFDS0A +k8vywS465lFJyN/RvPMx3OUSl3UG2phrlZ0QY9BL2Gqf79tiSqMrWFCKqeZ8Djg6 +yDNC8F62IwWSQB030iWQMhQfI3FM9BFepmMpVE3zviyg1WRTNgLl9vdpjLP4FuNi +Il5S3T49RmUgAzsPGMs0UWLhEudm9tJOU3tI3XD32tG7mYVrMcimtog8/1zasFf1 +GE3H3MyBiuawfSu0uMnQ267rxYiGF75bI8Er1nI7zIF55Lw7twHLjN+KOlSed3Vk +VU7tNeRKfbircTrfxXo0I6SVPuX21SfBP5RWq4KrO/h4chW36OLxza2eiRvy74lY +/MekrH3PgO0q7y+uqeSbiGAcvL1UXeZFFdItv5pKxMC95vpdsEhoywO8Rj6dd+9q +iQjmy5RS/HC6uDzbqAl0HQSq1fZXO3UO0fQg5Rv3whpKMBHVMTU/PVimP93oAu4J +rXnUUpqpKJqecVDYQT4XSuMDK5Iw+S+7RLxBk6hIYsg0jtywqgwD+zF1S8RHi9kK +BEX5mR3NC/B+LdHAzphYQkHuY6UOk5AcgMO5jYCLtVK4vqlvTJPVbTSgdO86rmdy +nZXZmi0Uqgz8QEdOgIp0ego8WdqGkZF0aQwMUw11Bi+78Asx5+hy+fUncw0qZndZ +04ayMacztVL0cEaQ1AeOf85z0MPOugcVYFvih/XkgjE +-> piv-p256 vRzPNw AyKY9szzF5MMfOBUISqtfu4EVk3GWOQ2WSqwgn8tCE9B +uoSrnNdzVP1WO3uZflc+Va6cT8y5AfUpm8P3njiSQzo +-> piv-p256 zqq/iw Atu7Vk8b6dyNLZcLFtnOkAlYxOMN033PV/bv8O77LORR +jbYx5/YXY6LwoFvOfXHHPhTiMOMLwgbENvFzFmGf6ak +-> ssh-ed25519 YFSOsg BCuhqDI2VVkG3gk927TjEOLLOQNeURfxVbGodW/Xh2c 
+lUEeZrF5FSC/e6XRxWNQq5B7oC70mKit56AIrWMTKCY +-> ssh-ed25519 iHV63A Job9bw0T6OJpmgeizCOyNGqA9YHrcbml8sj+9kadKVw +4+pfaDyrgXuj8DKQzMj04nk2KRfobvQ6Z+E7RDOUm24 +-> ssh-ed25519 BVsyTA 2cN+HWBYc7mSbSEziFpyuDfHs7cbVd5Vdfj7NYNJ6Uk +8+APjCiQmu9hoqffuqdJKk09wtk0Ywa3NqeURnP+n+M +-> ssh-ed25519 +3V2lQ h+MbnwkJqmQbk2gtkyWvU/8gqJHYIG90lUH3AMENonk +wXsXHxzIsP9kSsi3mxmr5oujWL0Grj7y5inECZNSuIk +--- hkrqXuu9Lldhr675cyYUX5peiFT2s5ZMjIrOi7oRIyw +ê®è( <¾i0þøÃk$bL +ø+ë©€¯ï¬]–†úß…ÑÇEÄ¢¦wêíÆÈ »µ¬YÞ†é!0$šiôKÜà0DXæJdBÍÕ¦O.V×S¿‚ºd€Ä8çSƒ©¢ \ No newline at end of file diff --git a/secrets/metronom-wg-private-key.age b/secrets/metronom-wg-private-key.age new file mode 100644 index 00000000..538424bb --- /dev/null +++ b/secrets/metronom-wg-private-key.age 
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 UE5Ceg 1YUuuRDXFkGG2ZNYrRUro+Bx2GNGVTTCha+P9+T46DE +gTxW/j5xNSxjSq5wze7fhNJm1SB5/YEizO65jG4Q9Tw +-> ssh-ed25519 uYcDNw 7lGPy/ykR0Vnye8NYSBKcTRR2UzJ0lw2EXY6d/5gBjQ +SHbqjmcN4TNzFbQb3AgHgzzm8Yhr0LHSFQHXMLyTDVM +-> ssh-rsa f5THog +IKJVe3MhHIFyivBHwYuf+COke576b1h0ARtu44ycuLSS71C2kteigviIwstXz97M +GIHz9+aC0xJCa/gZ4WWZ5t5qO4XSmkIYCHPsV5UhjCEj6AAL27rP5oqXZKCTvPV6 +7bEw4dNJmVyjAGYP0h4M+HaAFwe8nlKO291lyJ3NoyZcMR+KjEFiBK22W0oEqvS6 +tvh3GgPp1iiHUvhF5uSUTxOqu30S7ogY1jtPLxQvEEJZwbXdCKZ/0BltfRGqKUWu +DKBcKERUeEa+fSYRtxZqd0GGGOi0Xq3UKjTSmt5w58cBkrntbQeRTNYfnvvqXJJ7 +a0uRylsK2vnMjLXjlZryvL3ug+Ylpup/BuIMwzwpNEjasCqQt97v066Ho0qB0uej +rwslyXSjwlOsvblf6UovUzQ3GIG17X9POOavsW6md7wxZFCNtioo+qb7fegKK5Tr +W/H5GoB7g79pCbBUCMJP6MgPpMUVGH+5jDkWAQbik4lTH9ehD4Wu9V2hnyBub6fW +CjEtrWzpwH+yHFkm7R5IjI8DWoE4CWsb8KI+GUgr2R3AjdNuXINbJy+ya+wpuMLh +d5Q5tQbteQ2uBKJxXRrR8nNiiLqtQvRYsyF5G+BdXmAqAB0cBuH8yMmjUKju5tH9 +lSmdqUScCcVY11T6Hccath065f8Jtvwj3nJE9f2iPfo +-> ssh-rsa kFDS0A +RVoy79ijvAmU9XlEsbmiOOWUfenL+hITb6tXELUGjZjYIg+JPDneg7m1plUnRpBM +sfLrTSzOLisWfct5rbXWb4QbNnD7biX0/uAPk8Jk3tmUfJsM1oLmNaRGGgo7RkFh +J28PG0n5+eumauoS0Yf11GIgWUpC8FeVJMrNM5r4yV65EJEyyjRxFHjIGl5Jh6Rq +bkJWpDsuFb2eb2BdZACV/M/aDYn+XGJW0oozNW91rryrQfsAHc3GzKoX2HtqNxua +3Z348+NTS7jCKKhEwwNwibgTSz1PT2ynyaXi2N60KZ8IDc1xwtn1Ybj2/S1no64h +P1GCjzKmwizgINoWQ8LYQ3nHxRXQjFdS4X63YUSXKcZ2TKMNydlB3IGL9N+xKflo +w5EMqFTuHInpyOfz73WDg2LKuzlWabjn8KIlx2bYG8Etn5alSX+oQGD5zTUkDt4p +/J3b8kLCdRSfVxwBudftXnk8CDg5gzM7LD0NOQ8/VK8lyTVE1dCCty1NUcM0o4mc +VgdlcJn9ISZSd3UAt6BDUHEMYdxktJnlPr8Gsw1iDU44Gu2fPUY2OpmAnIz6FshR +KkSThN08FL2EgEO99fbJ/8NiD+bml5duUNJQnjlQ8NC9w1S/4ADXpHSrJARQY0pn +DfTvCz2CJnPqojb2vDb0knqvhPNLu1lmtrlyqMygmLg +-> piv-p256 vRzPNw AlRMMj08FZgVJAcUdKDVtQzrrZWqOah1fq0xeLFOFYh/ +fySXnGSZYyKOX75bwaByIAqaiatXpFF4zsuE7JEH//c +-> piv-p256 zqq/iw A7dI4n0fDq3z6OG/iuU8z4euPvx77lJJC9OlZG/RMPRc +waoyEH8qBDeUmCugy7ZnMj6tgLx/1+slhJTAJ4uXMNQ +-> ssh-ed25519 YFSOsg 99jNRmoZlrfV1ytKu8Pj41vBTNHED3dG99mjWnYe9Ec 
+p+Q3Dik27t8LRb5Mr17EzVwxdSQIZBeO+ezJVvFqg00 +-> ssh-ed25519 iHV63A 1V4hJI/P7TkMWDbZb0NMdCSULS8XddPl6gGvc1gJ91I +CKzsgmbASOGWYRFSyYBvY90HrmLfQNKcrTPLvf5m0es +-> ssh-ed25519 BVsyTA tJu2Y42CtsqGMLf5VObT+nEMYHyujU2nmJQfWOTZsg8 +MGxxNMPHyRNRDVurqovUkptzqfsemX9mCLSLu0RL7b4 +-> ssh-ed25519 +3V2lQ vHPgK6xOUrH/1fqjkw2rhg10O0izPSTPX7b02v7J22A +A/V11elKo6YNiFHYMQrWBnUTsaz21MNH9jcY78dTlmU +--- QV+btlc1pzitb681enVVR/tT/kwE3s2sV1qB7yYJ/3Q +Y¥DgIx,ìµ´âÙËœ!à¢ptë m•ŠÂòä"$ú•‚™€¿¦aZTÔ4'Äû`õejüÊúKøAÕ£t×WÚS÷&){i–_íSŽ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2f19b430..9d48d8f5 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -3,6 +3,7 @@ let nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall"; flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6"; + metronom-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLX6UvvrKALKL0xsNnytLPHryzZF5evUnxAgGokf14i root@metronom"; tankstelle-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdF6cJKPDiloWiDja1ZtqkXDdXOCHPs10HD+JMzgeU4 root@tankstelle"; adminKeys = builtins.foldl' ( @@ -14,6 +15,8 @@ let tankstelleKeys = [ tankstelle-host ]; flora6Keys = [ flora-6-host ]; + + metronomKeys = [ metronom-host ]; in { # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall @@ -22,6 +25,7 @@ in "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys; "flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys; + "metronom-wg-private-key.age".publicKeys = metronomKeys ++ adminKeys; "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys; "mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys; 
@@ -72,4 +76,7 @@ in "obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys; "obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys; + + # mail + "mail/hensoko.age".publicKeys = metronomKeys ++ adminKeys; }