From b6bd47b9c347e25af49537e7b75c0ee0c91b431f Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sat, 28 Oct 2023 13:47:55 +0200
Subject: [PATCH] feat: mastodon
---
 hosts/nachtigall/default.nix | 2 +
 hosts/nachtigall/mastodon.nix | 97 +++++++++++++++++++++++++
 hosts/nachtigall/postgresql.nix | 5 ++
 secrets/mastodon-extra-env-secrets.age | Bin 0 -> 1768 bytes
 secrets/mastodon-otp-secret.age | 27 +++++++
 secrets/mastodon-secret-key-base.age | 29 ++++++++
 secrets/mastodon-smtp-password.age | Bin 0 -> 1516 bytes
 secrets/mastodon-vapid-private-key.age | Bin 0 -> 1456 bytes
 secrets/mastodon-vapid-public-key.age | 30 ++++++++
 secrets/secrets.nix | 37 ++++++++++
 10 files changed, 227 insertions(+)
 create mode 100644 hosts/nachtigall/mastodon.nix
 create mode 100644 hosts/nachtigall/postgresql.nix
 create mode 100644 secrets/mastodon-extra-env-secrets.age
 create mode 100644 secrets/mastodon-otp-secret.age
 create mode 100644 secrets/mastodon-secret-key-base.age
 create mode 100644 secrets/mastodon-smtp-password.age
 create mode 100644 secrets/mastodon-vapid-private-key.age
 create mode 100644 secrets/mastodon-vapid-public-key.age
 create mode 100644 secrets/secrets.nix
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 12e5229..9b017a2 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -5,5 +5,7 @@
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./configuration.nix
+ ./mastodon.nix
+ ./postgresql.nix
 ];
 }
diff --git a/hosts/nachtigall/mastodon.nix b/hosts/nachtigall/mastodon.nix
new file mode 100644
index 0000000..a40d0cf
--- /dev/null
+++ b/hosts/nachtigall/mastodon.nix
@@ -0,0 +1,97 @@
+{ config, pkgs, flake, ... }:
+
+{
+ age.secrets."mastodon-secret-key-base" = {
+ file = "${flake.self}/secrets/mastodon-secret-key-base.age";
+ mode = "400";
+ owner = config.services.mastodon.user;
+ };
+ age.secrets."mastodon-otp-secret" = {
+ file = "${flake.self}/secrets/mastodon-otp-secret.age";
+ mode = "400";
+ owner = config.services.mastodon.user;
+ };
+ age.secrets."mastodon-vapid-private-key" = {
+ file = "${flake.self}/secrets/mastodon-vapid-private-key.age";
+ mode = "400";
+ owner = config.services.mastodon.user;
+ };
+ age.secrets."mastodon-vapid-public-key" = {
+ file = "${flake.self}/secrets/mastodon-vapid-public-key.age";
+ mode = "400";
+ owner = config.services.mastodon.user;
+ };
+ age.secrets."mastodon-smtp-password" = {
+ file = "${flake.self}/secrets/mastodon-smtp-password.age";
+ mode = "400";
+ owner = config.services.mastodon.user;
+ };
+ age.secrets."mastodon-extra-env-secrets" = {
+ file = "${flake.self}/secrets/mastodon-extra-env-secrets.age";
+ mode = "400";
+ owner = config.services.mastodon.user;
+ };
+
+ services.opensearch.enable = true;
+
+ services.mastodon = {
+ enable = true;
+ # Different from WEB_DOMAIN in our case
+ localDomain = "pub.solar";
+ # We use caddy, see caddy.nix
+ configureNginx = false;
+ enableUnixSocket = true;
+ #streamingSocket = "/run/mastodon-streaming/streaming.socket";
+ #webSocket = "/run/mastodon-web/web.socket";
+ #sidekiqPort = 55002;
+ # Processes used by the mastodon-streaming service. Defaults to the number
+ # of CPU cores minus one
+ streamingProcesses = 5;
+ # Processes used by the mastodon-web service
+ webProcesses = 2;
+ # Threads per process used by the mastodon-web service
+ webThreads = 5;
+ secretKeyBaseFile = "/run/agenix/mastodon-secret-key-base";
+ otpSecretFile = "/run/agenix/mastodon-otp-secret";
+ vapidPrivateKeyFile = "/run/agenix/mastodon-vapid-private-key";
+ vapidPublicKeyFile = "/run/agenix/mastodon-vapid-public-key";
+ smtp = {
+ createLocally = false;
+ host = "mx2.greenbaum.cloud";
+ port = 587;
+ authenticate = true;
+ user = "admins@pub.solar";
+ passwordFile = "/run/agenix/mastodon-smtp-password";
+ fromAddress = "mastodon-notifications@pub.solar";
+ };
+ extraEnvFiles = [
+ "/run/agenix/mastodon-extra-env-secrets"
+ ];
+ extraConfig = {
+ WEB_DOMAIN = "mastodon.pub.solar";
+ ES_HOST = "127.0.0.1";
+ # S3 File storage (optional)
+ # -----------------------
+ S3_ENABLED = "true";
+ S3_BUCKET = "pub-solar-mastodon";
+ S3_REGION = "europe-west-1";
+ S3_ENDPOINT = "https://gateway.tardigradeshare.io";
+ S3_ALIAS_HOST = "files.pub.solar";
+ # Translation (optional)
+ # -----------------------
+ DEEPL_PLAN = "free";
+ # OpenID Connect
+ # --------------
+ OIDC_ENABLED = "true";
+ OIDC_DISPLAY_NAME = "pub.solar ID";
+ OIDC_ISSUER = "https://auth.pub.solar/realms/pub.solar";
+ OIDC_DISCOVERY = "true";
+ OIDC_SCOPE = "openid,profile,email";
+ OIDC_UID_FIELD = "preferred_username";
+ OIDC_REDIRECT_URI = "https://mastodon.pub.solar/auth/auth/openid_connect/callback";
+ OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
+ # only use OIDC for login / registration
+ OMNIAUTH_ONLY = "true";
+ };
+ };
+}
diff --git a/hosts/nachtigall/postgresql.nix b/hosts/nachtigall/postgresql.nix
new file mode 100644
index 0000000..0fa8f84
--- /dev/null
+++ b/hosts/nachtigall/postgresql.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+ services.postgresql.enable = true;
+}
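Review bot: In hosts/nachtigall/mastodon.nix, `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"` inside `extraConfig` makes Mastodon treat every email address asserted by the identity provider as verified, so all trust in email ownership moves to the realm behind `OIDC_ISSUER`. That is only sound if the realm enforces email verification and does not let users set an unverified address; nothing in this patch shows that, so please confirm it and record the dependency next to the setting, e.g. `# relies on enforced email verification in the pub.solar realm`. If the issuer already sends an `email_verified` claim, the override is probably unnecessary and could be dropped. Related, `OIDC_UID_FIELD = "preferred_username"` keys identities on a claim that OpenID Connect does not guarantee to be stable or unique, so the realm has to keep usernames immutable and never reassign them.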
diff --git a/secrets/mastodon-extra-env-secrets.age b/secrets/mastodon-extra-env-secrets.age new file mode 100644 index 0000000000000000000000000000000000000000..5b92a585e132d4de8d3d1ad8364af7766db1b494 GIT binary patch literal 1768 zcmZ9M?d#kI0mobMG13>E59o{O!H}{ZKa*UNO9K9?$tAhV-R1e|l4&K+m*g(VU2=EH zxgrxRZa&maWTOmGe6dZ3QlwbKZGxK)wIJ%7Ss#W2t5aq-5r?*F5&EWoz?aX9@8|n< z4LzxT^$hBP?)ntiIOnhi%5+|1IW0Y zwy}Li+;vtu?NBRXq86)RFjFLJHAdydigsAp<{{37^fJjgskIkA07E95gPgW2LmFfV z3N3fubc;}-ut>=awV*x$&8v2&2K+7Bx^g=i$7m1*%-prUNk^sTS29h8NvTaoO}mO{ z6qM*Nw$`AuoVG-6z;)Lcd85&sgb*x^XT^YWa#{o$kB8|g!wsC4UJ13r4wuckF`C-< zI6A-!bd8oN6rmy(OHr0YJf1K6O@WnpST;i<03bS(!Vne2IXp1H0F1gQT{pvTfM`3-lK(K8w;mp-drHBN4~x+q$dPD(>rJS*;*1 z?D7bb_>;8IX%Xidq)huUWxB=&O?n(ap=8f3iLNlhBAC?N?PM<1qD>T1g0Pk&OS@p- zWNZe5+8vrxuCPXGcJ$a~(6}`u)8mUd73K_~1FX1b{HPW) zkTr=a$p`k3yII0bHBs2^E`gS&Ete{ByHYn6q0BZcwjZ%9+=w)o`$JeyLTI_G83%8? zO3^J{NJhlGFLdK9RWX4EK#5W2)kNbAN!L=SQ7cmtpm^ujTn!_JI_K6AU+PgX6mEHZ zYoj)&NmbkdId!t>mCf7;w1C4AP*<1nqVg8$Kp5H-rRrpo@72M4UIB_bYIYTjFSKQz zg%ZATR*KDG%HDyYSoEX4dNW<6R7McD(~^h$)X9fEzI3M6?U+VQ9;y7~g$ zuGW$=4@%Y|gJM9aR?#yJ93L)+Ub~=tPHquzOF5!qE`fuCgAQm|+nFNh)?_aUdkmGk zW71r2Ok!rR31Ws!I^kK~#SlmV9{=!5|2*=C6O&UXh4&u6@X~8M^}{2_<|lshX#c4j z*01Tw+~3jk$|sK> zp+EDvkIuvIzwLc0^KbH*Ym+O#=FY-jTwQ(O-uC|V#%~vA-o;%0D|`6kzkKNOxx?=Y zPrPOO1vh{2kAFJ!4zJ^H9N%?g);W0YZ_N*09QUT%FJl*f@xr4Y*9&fX=eg@c@xo&M z^Dh+-U3*NqSf4-l)(iI?d-dVFU$}fedF+*UK6vSQ@eOC4?_Gc3?JuK0y7%cbm;Q0} zv;X;Je)6kdfA;m{>YeAGee ssh-ed25519 iDKjwg MIpZgS2K0KZ6NXSvHKaUs5IOwMK8C+THuH+OXGKgpk4 +rwBSIPZ6pHczmeEuNsPgTJIdzE7yHBglYHGbOSd772I +-> ssh-ed25519 uYcDNw EY2Zk/jYWxYBPY/g6IH7aSIFvMuOwSplkmaeRC1aNSU +YCSThBBXbmozEZmUDgjA8xuFG9D2lGENZcWvCnRQk+c +-> ssh-rsa kFDS0A +Z8Xs3hFGUElQdNlxlcnJIA8814TZJYqga/SUXjxG/uvdzv9uExEiNp8FJ5emnT0u +zAaFv5aYiBa1b7aYEVdk30wjmWPT7leOPTFF5qAUdiPHxII+jHtx+eCnum72po42 +SR03IjznH9fKaKiT0VNXDIVZnkP2SaAKhIj57XSUeE/weiU5apBmTMPzMQAkz7KR +sm7uFYYv8zY7LFC0ByPnFkYi6O+mc9LzunlGQVMAQe/fmoEfzI2dmrGhcG2iUbM5 
+6Oegjh5B4iKc/fktouHhh3Wc/K63DM9C0A9mkqtqrQJPfV+FseQoQbFwvInXY4u6 +HMT4oymagXt5ifcc1WzyTde+Dz6OIOowpIXXJ0PjQ+KOn0PTG7+OfU/h1Hh/ozg4 +G+finffzeffxdXSjITi+lmoWUFaZAwiico2IjH8cqDWnl8XGNfukZbsNsI6CukY2 +aqffAZiu7MR1+kcMUjjG4OF1S4bRNYkqQej7GUdDmHn+dkJEuiN3ggXt+TW/mYPb +xPvPGOqDxwdOiyViZFBvZ+0ZAij8rnMdToNsY7x68B7C+Ew+cVomiIIkT1ghzmTu +T/ymvlqFlXIS3PFdUPQYd/+Ttw22n72yVxHH+61Ze/aQlt0nKdViEn4D03k3uNVg +K8VYuDwXIFdFIga5Hsw/ozp6tKZdxSzJsQJvAm0JFVk +-> ssh-ed25519 YFSOsg M0H0AhDNYpa8nD2nrDyFJOsm/SpfJ7YJXYyKZMIyxl4 +YiocldCbP7HwuRi3AWfnFkqpWhuIuAwjjTzV2utwmn8 +-> ssh-ed25519 iHV63A xhkCLcpQhqQxWacnI1M1652hNc/MaeCXL3e5fPGhXHo +0G5lFUE/gGHIz5giRjQPVWAIrHQ8LvxPpfVSBM3GEBM +-> ssh-ed25519 BVsyTA aAdMnpKatd4CTcFhtqSj+fiA0ofy+zhbnuN5nk5/umA +LuidYMCiM7IvA/M7k7pMqo5HJmNNmHrzl6kcud+ZS74 +-> 0d%YFa-grease |F +fhLc8y67dmyhWtiOEKrZThfm4sTsNP8 +--- /qZszkP7mR5whTTbCQ6JKKh2Ce+aySjeDX3HdDZag1g +~an@ܩ>x$sk)[JHFEhd^3A5_QpLNR*[]GXY\atU+\9bN6B\Wĉ.?N'Hf jcTAWAOM X݅"v \ No newline at end of file diff --git a/secrets/mastodon-secret-key-base.age b/secrets/mastodon-secret-key-base.age new file mode 100644 index 0000000..609e9ae --- /dev/null +++ b/secrets/mastodon-secret-key-base.age 
@@ -0,0 +1,29 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg hUHxNz0ZfR/cgTXIfrOobhUPxcFo8zyxD3idF/bpP3E +H6aIW7YO27ONIIcnmViIWaXiByJMmPFo6E8jsH1Xq2Q +-> ssh-ed25519 uYcDNw +D81Yz9zAmCEeIUIxLirpd/OVnWmHQnALp3GWyxUshc +reldI2bJQ2Jq3JxHZ7wWnm6I1pTISQ9G+jjupCrhQ0Q +-> ssh-rsa kFDS0A +BYla6U3WqibQOXQFIQrs0d37pmGNvVulP0p18jjTXfA61vth/icCTu3V5VAHz5ST +A8o2gHhQfGXpFm9GMPMVe+OKHnD4Ws4cWowW8/GLMg2XgqPBdvownVwl6hspjmwr +Mxrw1PQL63fiYmCiB49UFaQV0OIxyo3mo7kmF9KKRfdTQ1kF/vjiZuw3Tiz8ubDk +DoaK0g062iI1/GPeGH3blaZj6cFstT9UjoPbdOU9WLkDMUc0d73ih1u6a3VmIY/B +tToYCJuwcjAUvX9Y3Xolx9vKpg8dVD48T1GlPADZCyajY2fEPbJdS29jP7NwQsZ2 +8sgmFkNzUq3Okjbz4lem/g4nlXQN++wdRIYgTLUfJWKOx5+bxSneRvvP6p4HyKZJ +O0OzJTg2ZUTqcpHvxj6DBTbg0e2KW44AkjMLIBwGxdfz3ogrfM2au0bA4SizXCsA +XL03eRmVbzgrBKNUUi6UbQ7iKp+OjWbM6jyZuNEwfepbedLqwDeTXHfm2gZBxUyM +JTk7iTERU5908VhlbNZY5rjXShkPzB9L5jgV23I9CwFlzYSC3mvPS7HMtWcgo8e4 +EBBH5QptHOvaZtDtDqYia8tzKG1KUg75fP4PzKB7+DjGv1phvTyzJDd51qAVrdJH +PheURbBliQOQaqNnTdYfpBC4tdHAMYEp85Y8uMMihYc +-> ssh-ed25519 YFSOsg SJDEy0M+3X5SmXsr9C3CDbpWfyhnmu8IUIzNOshE830 +g7jSKtpI+jUO5OC7vd6TJWOTWsIk/x9yL4RKL1lAv5g +-> ssh-ed25519 iHV63A tSREgTvnNiKMGWldq/Pp2EVWBmcs18j3zFDwtoBrQiM +kT4SzAuXqbdQSgmxbAy3BogMbh5tOPI3fuGWWQMK7fk +-> ssh-ed25519 BVsyTA k4rwyukpUYOGvtG9bm2dpw51P2udNnFSSldm8eCJP0E +C4Cm0eFg0KeXNf/BGX+vXIeAbsdYmN/97gj5snvRSzs +-> `rk-grease +Y6ohmk9v8XByEpy/oqM1aXpmeFS2ynIRyGiHfMMez4ONC54ZGOCmr1xUwEGxv7BG +SOltfLTf/rk/0ibNlvMoTqbUUhT1A/CBzSUH1tBy1w +--- DB1jba9WqtcKIEXV24rL0XmFmv1U23dEYaOYd1w9B4E +{.hP;v' ֍mFftʒn +4Z !E+B Lr"ȿCT''wɶj>bf;˕T˩ru;j&b14;&ң81_"o8]_  kbVAGy8Y|g \ No newline at end of file 
diff --git a/secrets/mastodon-smtp-password.age b/secrets/mastodon-smtp-password.age new file mode 100644 index 0000000000000000000000000000000000000000..90ca4a0b7be7054b538aef518c064bef98d330b3 GIT binary patch literal 1516 zcmZA0xz6Kc0EJ-$oohgXDjgbGKVIThNFdwslEm>EFG&I8eThFi@otL?03@i8kfx)f z;tHmuK~#v_proLnU?_%SuHZSvd4nu@O6sUx?tRhJA2)4=j2QIv>89)QrzFNn5@R>T z?pRLQhTHbKj|n{IyRNdI^z~r?0vVkZU?Hp?naP=5fyNwLIzdruX8bep*>KWpj+Hi?>+O*ltpY?Q2B9Qadk*<-A{#kzuqs%>J< z2Tsls(jT0K+`_Cahpt!Ka$+h+ZmEO>4MUk|z*@+?XEQ+2>9LI%xZ4Uj1u5bP)D-OW zNF=P9Rq~VA1W{(@lLuME zz&%BQY?prYf;6-yMv8MN0wCC8@~`P);O+`87aujsA<=f5eqWEK*(LG_Y8I?Nt2IULdH#D zcI3whPDHs^NBq$wd< zVPWy?^#_zc3x~w-NG(!iVNcWTMZXohqSi~cHF2mZyei8RZm--9T$4~VZSq^gYH6Nr-pPqHR z7Z(CN1hS3j)yCscRa$V;^25|tFdryB56STwhh!fO{Ekufz1R%!eeng7&zqM@QqT6ACL$W?$p|q;GsBd{0zjfF)$9;`KYl%5iFdag3+uLKU3k1kd zMh*`nQ}p~}b_>=nc4ZLL2;aM&76->ym2uG1)6)jC25?j5$tPrFDTI3P&RsEkC*TRx zVIe1XxL}79t^^bT)vmX^uzvsP$KSp_{`%IJzr6SUH~)O~;rD;N`1_9md-wS}KTGkq RFF)u1{N#tXKX_Sw_b*D+?*RY+ literal 0 HcmV?d00001 
diff --git a/secrets/mastodon-vapid-private-key.age b/secrets/mastodon-vapid-private-key.age new file mode 100644 index 0000000000000000000000000000000000000000..64d2541164aa06c9b91bc4dbf6b421bec499d33e GIT binary patch literal 1456 zcmZXUxz6Kc07dB#?tp2KK*}%CnIA8SHwiJa<0W2_*iIbBhQ|96+p#}yu^Xy^j)o3V z@d8MoDM8RqhoC{4j*=1y1O;L!rWu~#=w6+By(GGissK!NmtCuOuOLAN47z`R(YEP* z6ygMdF^h~>^D$Wn@^G0)#g!UqMH$;*sW6v1Fe)EqL3*L^wwupFSd4RSK)!}u-PO9# zQ?|*4+CN&s&FgrKj*vCDuF|5zg_DUav$}ne);j^e8yDA+M7MYllC5F}XFf6{;k0w? zlZfnOR-63w4d1~8-D@KYT~(vO3Jp7?v=w@UKuk-DA_8fLR&mj=cBpW6fHAFv3(skw z^%fVAKcFmR?f@pOlmT&cS}A`tM(BX&Nh;*)?FurHl!idwtQjz5X#&MzqKHt>3&-&_&eM_OJ4 z9;;FOa#W|axhnJ7msExg_(^G83fQUMsM0|x$+A>~edb66gHf36S>hp+Av$0V{ot$v zcuLp|W8tKew&#P_O+v{PDYv^;Hp-j;);7*&RM6v*%!#Few`2@aX%k;yvEJI` zWZeR$*U7_G?g%3d1c7RdGgWF$VY)fmsr4Q(RklXJO0cA?*DW(?AbW(HIVuMXREKLw z&v`Yo(Rmmz8;m|kv(&F8zvM`4VA)>TYgv^Wi0!bxf@#s_3P`9p&UH=g%-Jc}#GTif z%=dA4j^etc5Y=e)l?sA0&ZpyQ%e&UaYMa1PlRBteGeW!);t+qipKQ^vYk{uHt^ncc zD7SraW`oQ(;C9vH6#Go(ZuQ*b=Nomz!@f-x^<+~S9aNawP0!lRof_3|w|#Zt{cg@s z&$aM|ad2GaS}6BiIREq#NRMUK8m%Qh!+$u2qv zCXeO-FjPBL{&75#vWDtNWy4Nf5ApzjGp6zeujT~ehCz|eyXEc1NuDW*xoU75AC3|a zkMX9q5+_dmh92YF{~m!mwbPMZh`H39uUJVdoao9n(A`sBs_A)p*0;Z!_KnBSSJ)D` z$$}I`WIfy{WE$1#3+xDuTszgY+_yuJq;jm|%~Fw>DG-wXvLz4Y`vgQ@8!hgpyBOL! z4L+=f-3hg&l;N`qBhIQ~HwR*b?(gpxtuqMy5#G|v`DnX3Kyis_WsS^vcT*#zr$mJ9 z4Z(rGjnHSmp+C33{`KQepBt~~uY|uCA7+n#DF1kSFMN0R(nsHq&Ib?Py8JmTpM3Jh q;?Xzh*Yp>^Kl;ai`sU*YpMKlD^JJU6`t&{J%h&&wzk2!M$NvJm#^!7Q literal 0 HcmV?d00001 diff --git a/secrets/mastodon-vapid-public-key.age b/secrets/mastodon-vapid-public-key.age new file mode 100644 index 0000000..d2321eb --- /dev/null +++ b/secrets/mastodon-vapid-public-key.age 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg d2X1HF25fwdoxTgl76Y+IaLTaWmVgQECffHczTwAIhg +2Ze0HC2AE/vNh2yeUeByem8R3q+NdQdSbiMne3skYNI +-> ssh-ed25519 uYcDNw j0LY/+qchCFRbQNzDEXIK/ij6FfH4NpG/37vM+B1TlM +cmkBSn4pZgq9M4L8MzlSLKuyItgn3TolJ6v7a6wLnJw +-> ssh-rsa kFDS0A +DyP1Aa8XXbZoRpWFmEojepWlO95Ob3VVQO+9JK/uif4cs2cYkLJmUM/tkc2GeYYg +fDzlgNtdb8w28HHFInd1aYFC3fjW2JQ0sYmnTlsFNvCcopnIWgOVbsM3wxY9a2Z1 +hnZb7ADPJJBoOO6E55apqSpYSCwgD9UTodSNDBvrGsxQcZem6KVQFXC2UBPS+xmz +IdSyiECPwjuH0wSa5NQ/jnJXQSxStLh1mPiM2SHwJh8P7EwICwfLGR7RbRj6gRYC +E9XXDh/tBx9wz8MrgPVGvv795KXvyh3DVXWNOewQBONHhyddQ0bds3g9FOKh46dJ +zZ16MXLhXA94MvZeR4pfQ00KYrtwsUmorKDHdDblfPlhYFF1V+LXiP+PgbM+IHHk +TRI/9sJHQqCi3sAqdKTHOfGJHoAWcwMtTt1gntbH1m4B3HcsO0yPAYT0fItQzlxm +9VNjfqrXhea67oxmbgpV1Gdw9Xl1sj65sUJTuOqhDMHxi4sjQlIZ1RB5sh5UEIVz +W66u3CHVhz3zCoI86RRkeIh7DYj59tQV5UWYvdpISxKwuq8Y8Y40bwHPN2lMym3Q +inE2G4+ysHbLL67uAg6cZ7gp0gLLabNh+1UxAZhP2SUKrXHnZYZciRlssnnTs2zo +QmmJqlCjSw5lCsxzbP/4yZ98PNpMmyiLk9ZsF6JnYFk +-> ssh-ed25519 YFSOsg Qt3U6zLbC5Es/HEB0LmxbdMr1UC4b6e1aEpiUsSDjAg +1JoH4tohBK6o0sBf+kPsoWms198u5cZ0d6xXWYe5M1g +-> ssh-ed25519 iHV63A E+hjbICVUQMYiKA8dm+e/wxeNQxYhSGkAtgqpZ52hF8 +dUGkk3yTgGoGefx8jmDLnPcqwcm3/urAU9npWbiMyd0 +-> ssh-ed25519 BVsyTA Ofa561Rugw6bu3V3zy/0UJHOfj0ojA2yqcs1Jof1dlI +SpFNg09o/JGQwzqSLWXGYelPf8H7ShX18CLqjuTa884 +-> uk_7a:i-grease +4huOY9tBYiXrgI5G3041MDe/IF5AZA9eTnbKjOgbz5N2xb6KeuOWmIogctdxXhF0 +nABs+TtIFJCXSLH3a53LEut7V1OHtwpO9hrUED2snhIi/SV3MIQvhTIRnQZ5eIxn +jqs +--- trgjIArcyooHt4cupN4Tm8rUihSUopfkZrLE1tOA7Yo +ᆾxxB@%@"찲!Hum.Xs +<Qn2;ThLXNOzk!ߠ)KL)bלa_e4 OE.( \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..c740098 --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,37 @@
+let
+ # set ssh public keys here for your system and user
+ axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
+ bbcom = "ssh-rsa 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 hello@benjaminbaedorf.com";
+ hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
+ hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
+ teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
+
+ nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
+ #nachtigall-user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDuXuPPDXTyJgy4JRwbKcPbawvVB1Il2neyRWb4O5sJ root@nixos";
+
+ baseKeys = [
+ axeman-1
+ bbcom
+ hensoko-1
+ hensoko-2
+ teutat3s-1
+ ];
+
+ nachtigallKeys = [
+ nachtigall-host
+ #nachtigall-user
+ ];
+in {
+
+ "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+ "mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+ "mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+ "mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+ "mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+ "mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
+}
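Review bot: Every Mastodon secret in secrets/secrets.nix is encrypted to `nachtigallKeys ++ baseKeys`, i.e. the host key plus five personal SSH keys, so any single one of those private keys decrypts all six files, including the secret key base and the OTP secret. The file carries no comment on what to do when a recipient leaves or a key is lost; because the old ciphertext stays in git history, rekeying alone does not revoke access and the secret values themselves have to be rotated. I would add a short comment above `baseKeys` saying so, for example `# removing a key here requires rekeying and rotating every secret it could read`. The `bbcom` entry is the only `ssh-rsa` recipient and its key body is not visible on this page, so its size could not be checked here.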