From d55438f104683955be6f81e9a521a32347c48b5a Mon Sep 17 00:00:00 2001 From: June Date: Sun, 19 Jan 2025 20:28:05 +0100 Subject: [PATCH 1/4] public-web-static: remove irc from spaceapi response as it's deprecated --- .../hosts/public-web-static/spaceapid-config/ccchh-response.json | 1 - 1 file changed, 1 deletion(-) diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json index 9a5793e..b49b2da 100644 --- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json +++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json @@ -14,7 +14,6 @@ }, "contact": { "phone": "+49 40 23830150", - "irc": "ircs://irc.hackint.org:6697/#ccchh", "mastodon": "@ccchh@chaos.social", "email": "mail@hamburg.ccc.de", "ml": "talk@hamburg.ccc.de", From 2904ebee158b1c3f447dea79417f2635dbd5a4e5 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Sat, 8 Jun 2024 22:18:23 +0200 Subject: [PATCH 2/4] add yate service for autostart introduce /etc/yate, clone/reset on service start Fix config via git make yate systemd service create yate service user recreate the full config everytime decolour the log because of blob data make sure source is available before deleting config change yate-config repo fix yate deploy key fix yate-config not pulling --- .sops.yaml | 17 ++ config/hosts/yate/configuration.nix | 2 + config/hosts/yate/default.nix | 1 + config/hosts/yate/secrets.yaml | 233 ++++++++++++++++++++++++++++ config/hosts/yate/service.nix | 39 ++++- config/hosts/yate/sops.nix | 7 + config/hosts/yate/yate.nix | 15 ++ flake.nix | 1 + 8 files changed, 309 insertions(+), 6 deletions(-) create mode 100644 config/hosts/yate/secrets.yaml create mode 100644 config/hosts/yate/sops.nix diff --git a/.sops.yaml b/.sops.yaml index ec660ec..dedf3c1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -15,6 +15,7 @@ keys: - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 + - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r @@ -147,6 +148,22 @@ creation_rules: - *admin_gpg_dante age: - *host_age_penpot + - path_regex: config/hosts/yate/.* + key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante + age: + - *host_age_yate - key_groups: - pgp: - *admin_gpg_djerun diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix index 6b4bb71..f350966 100644 --- a/config/hosts/yate/configuration.nix +++ b/config/hosts/yate/configuration.nix @@ -6,5 +6,7 @@ domain = "z9.ccchh.net"; }; +# users.users.chaos.password = "yes"; + system.stateVersion = "23.11"; } diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix index 5304abd..009e1a1 100644 --- a/config/hosts/yate/default.nix +++ b/config/hosts/yate/default.nix @@ -6,5 +6,6 @@ ./networking.nix ./yate.nix ./service.nix + ./sops.nix ]; } diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml new file mode 100644 index 0000000..6235c17 --- /dev/null +++ b/config/hosts/yate/secrets.yaml @@ -0,0 +1,233 @@ +git_clone_key: ENC[AES256_GCM,data:Wss8NtyYXOmQ8fYbqKfbGQ+5l+ifNznis9OJ4p2HRPsExOFvgHH60t+D/gsOPTiwL0fEQKQn008Zo7VpIEhKIQM0fW3cd3ED3Tk8QX4hDRxyLl/lql5MlhTm4UMY58rNMBXgA88oR1lozgAa39KMH0MRUoSzrhvecwnAHO+RjZGXBN5zYIorqBVEk5h+1wUGSlV1TroZX9u0cWt11eH59AgKY/oP5mOrgA++E623Oc/DnTxlLbR//lFHW1JPiBSUFMP1ck6fg4PwnADYITgr1B1zdJz1J6jNC+n6S9bKDPnH5bvqmpvJIRmimxR4/R182RkIC+TBhD850cD1y9KSZa0Lh3DZ3LPrqGtZ6MHvpCgY/wPiTUANv6CJPcOAoskaaW57EiFl0ev3Jc3A+XFM6yqQOmmvNXx0hYz6ltlvtsltOcmz5TWooijwTaPS5UEwltYalrT9RNmC/ODkBRkSvuLEBWYwnu8aeo2f/+IxciG0PldDJED2ud6HSkDEXHcPCwodScpnk032Jrc+0qtI,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP + TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw + KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS + bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 + xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-08T18:35:07Z" + mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str] + pgp: + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg + do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL + r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0 + cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl + Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa + JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi + ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk + YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa + QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy + aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg + GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U + ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ + ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ + et8Y1DEjVg== + =u7aP + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9 + Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S + YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4 + twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2 + uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx + Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ + gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU + JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng + mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji + yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp + E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S + XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq + vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX + =advR + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz + 7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec + ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa + RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty + y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE + L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8 + glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ + B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl + L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl + o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO + Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS + XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb + fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy + =vqhH + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd + +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7 + Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4 + LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un + kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2 + cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn + 3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh + 7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU + K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb + QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3 + Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S + XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj + IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C + =hGXq + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg + YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi + LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ + +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG + SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io + 5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq + 1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1 + 1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll + CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U + pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF + EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS + XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7 + uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9 + =vZLC + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x + p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3 + XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa + oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB + SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS + 5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG + oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ + XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo + IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc + 2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa + XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS + XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/ + fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I + =SLD4 + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp + 8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+ + 0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19 + sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB + NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI + K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX + 4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9 + SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0 + TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva + 7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR + oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S + XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t + LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII + =MQ9C + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF + XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe + 5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/ + Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc + abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di + +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk + nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7 + BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf + T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76 + VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm + jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS + XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY + 6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ + =uyf4 + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st + V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2 + 8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/ + i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d + V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE + zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz + TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p + FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF + aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO + 5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym + NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS + XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn + kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr + =7R+0 + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw + cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13 + 0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi + I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww== + =0G+m + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX + KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l + MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy + p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k + YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs + yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O + oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv + 3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre + FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF + 3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm + k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS + XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh + B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI + =ZgbM + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix index e031d4d..9013060 100644 --- a/config/hosts/yate/service.nix +++ b/config/hosts/yate/service.nix @@ -1,21 +1,48 @@ { config, pkgs, ... }: { +# systemd.managerEnvironment = { +# SYSTEMD_LOG_LEVEL = "debug"; +# }; + + + + sops.secrets."git_clone_key" = { + mode = "0600"; + owner = "yate"; + group = "yate-config"; + restartUnits = [ "yate.service" ]; +}; + systemd.services.yate = { enable = true; description = "Yate telehony engine"; unitConfig = { - Type = "simple"; - After = "network.target"; + After= "network-online.target"; }; serviceConfig = { - ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do"; - Type = "simple"; - Restart = "always"; + ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; + Type="simple"; + Restart="always"; + User="yate"; + Group="yate-config"; + StateDirectory = "yate"; + StateDirectoryMode = "0775"; # ... }; wantedBy = [ "default.target" ]; - requiredBy = [ "network.target" ]; + requires = [ "network-online.target" ]; + preStart = "echo \"\n\" >> /run/secrets/git_clone_key + sleep 5 + SSH_SUCCESS=1 + ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 + if [ $SSH_SUCCESS = 1 ]; then + rm -rf /var/lib/yate/* + rm -rf /var/lib/yate/.* + env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate + ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" + fi"; + # ... }; } diff --git a/config/hosts/yate/sops.nix b/config/hosts/yate/sops.nix new file mode 100644 index 0000000..38b06f9 --- /dev/null +++ b/config/hosts/yate/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} \ No newline at end of file diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index c4834bb..3f9b054 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -10,4 +10,19 @@ # Just disable it for now. networking.firewall.enable = false; + + users.users.yate = { + description = "yate service user"; + group = "yate-config"; + isNormalUser = true; + }; + + + users.groups.yate-config = {}; + users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"]; + + environment.etc.yate.user = "yate"; + environment.etc.yate.group = "yate-config"; + environment.etc.yate.mode = "symlink"; + environment.etc.yate.source = "/var/lib/yate"; } diff --git a/flake.nix b/flake.nix index fb4ed26..5ecee98 100644 --- a/flake.nix +++ b/flake.nix @@ -174,6 +174,7 @@ modules = [ self.nixosModules.common self.nixosModules.proxmox-vm + sops-nix.nixosModules.sops ./config/hosts/yate ]; }; From 8045681bb5ab6896cf6fb30a30c47b507c29e589 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 19 Jan 2025 19:05:15 +0100 Subject: [PATCH 3/4] yate: clean up and nicely format nix configuration --- config/hosts/yate/configuration.nix | 4 +- config/hosts/yate/default.nix | 3 +- config/hosts/yate/service.nix | 48 ---------------------- config/hosts/yate/yate.nix | 64 ++++++++++++++++++++++++----- 4 files changed, 55 insertions(+), 64 deletions(-) delete mode 100644 config/hosts/yate/service.nix diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix index f350966..6b1fa99 100644 --- a/config/hosts/yate/configuration.nix +++ b/config/hosts/yate/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { networking = { @@ -6,7 +6,5 @@ domain = "z9.ccchh.net"; }; -# users.users.chaos.password = "yes"; - system.stateVersion = "23.11"; } diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix index 009e1a1..66738e8 100644 --- a/config/hosts/yate/default.nix +++ b/config/hosts/yate/default.nix @@ -1,11 +1,10 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ ./configuration.nix ./networking.nix ./yate.nix - ./service.nix ./sops.nix ]; } diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix deleted file mode 100644 index 9013060..0000000 --- a/config/hosts/yate/service.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ config, pkgs, ... }: - -{ -# systemd.managerEnvironment = { -# SYSTEMD_LOG_LEVEL = "debug"; -# }; - - - - sops.secrets."git_clone_key" = { - mode = "0600"; - owner = "yate"; - group = "yate-config"; - restartUnits = [ "yate.service" ]; -}; - - systemd.services.yate = { - enable = true; - description = "Yate telehony engine"; - unitConfig = { - After= "network-online.target"; - }; - serviceConfig = { - ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; - Type="simple"; - Restart="always"; - User="yate"; - Group="yate-config"; - StateDirectory = "yate"; - StateDirectoryMode = "0775"; - # ... - }; - wantedBy = [ "default.target" ]; - requires = [ "network-online.target" ]; - preStart = "echo \"\n\" >> /run/secrets/git_clone_key - sleep 5 - SSH_SUCCESS=1 - ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 - if [ $SSH_SUCCESS = 1 ]; then - rm -rf /var/lib/yate/* - rm -rf /var/lib/yate/.* - env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate - ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" - fi"; - - # ... - }; -} diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index 3f9b054..d3ed2f9 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { environment.systemPackages = [ @@ -11,18 +11,60 @@ # Just disable it for now. networking.firewall.enable = false; - users.users.yate = { - description = "yate service user"; - group = "yate-config"; - isNormalUser = true; + users = { + users.yate = { + description = "yate service user"; + group = "yate-config"; + isNormalUser = true; + }; + + groups.yate-config = { + members = [ "colmema-deploy" "chaos" "root" "yate"]; + }; }; + environment.etc.yate = { + user = "yate"; + group = "yate-config"; + mode = "symlink"; + source = "/var/lib/yate"; + }; - users.groups.yate-config = {}; - users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"]; + sops.secrets."git_clone_key" = { + mode = "0600"; + owner = "yate"; + group = "yate-config"; + restartUnits = [ "yate.service" ]; + }; - environment.etc.yate.user = "yate"; - environment.etc.yate.group = "yate-config"; - environment.etc.yate.mode = "symlink"; - environment.etc.yate.source = "/var/lib/yate"; + systemd.services.yate = { + enable = true; + description = "Yate telehony engine"; + unitConfig = { + After= "network-online.target"; + }; + serviceConfig = { + ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; + Type="simple"; + Restart="always"; + User="yate"; + Group="yate-config"; + StateDirectory = "yate"; + StateDirectoryMode = "0775"; + }; + wantedBy = [ "default.target" ]; + requires = [ "network-online.target" ]; + preStart = '' + echo \"\n\" >> /run/secrets/git_clone_key + sleep 5 + SSH_SUCCESS=1 + ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 + if [ $SSH_SUCCESS = 1 ]; then + rm -rf /var/lib/yate/* + rm -rf /var/lib/yate/.* + env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate + ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" + fi + ''; + }; } From d57c47437ff20dcb3c0008ab666b927de1181121 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Thu, 23 Jan 2025 20:15:37 +0100 Subject: [PATCH 4/4] Add reload script for refreshing config during runtime --- config/hosts/yate/yate.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index d3ed2f9..d5e64f1 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -45,6 +45,11 @@ }; serviceConfig = { ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; + ExecReload= '' + ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate + /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all + /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/main + ''; Type="simple"; Restart="always"; User="yate";