diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index fbfb7c1..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,7 +0,0 @@ -keys: - - &primary age156gze6ecg8xpgg3gc049tqprts5dl5apr7020cu70ukpsta3qvpsldd6kh -creation_rules: - - path_regex: ./.*$ - key_groups: - - age: - - *primary diff --git a/deemz.org/configuration.nix b/deemz.org/configuration.nix index 6921fa5..52b0dc4 100644 --- a/deemz.org/configuration.nix +++ b/deemz.org/configuration.nix @@ -2,38 +2,14 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, sops-nix, icomidal, ... }: +{ config, pkgs, icomidal, ... }: let secrets = import ../secrets.nix; in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - sops-nix.nixosModules.sops ]; - sops.defaultSopsFile = ./secrets/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - sops.age.keyFile = "/home/maestro/.config/sops/age/keys.txt"; - - sops.secrets."nginx-users" = { - owner = "nginx"; - group = "nginx"; - sopsFile = ./secrets/nginx-users; - format = "binary"; - }; - sops.secrets."duckdns_token" = { - owner = "duckdns"; - }; - sops.secrets."cloudflare_zone_id" = { - owner = "cloudflare-dns"; - }; - sops.secrets."cloudflare_dns_record_id" = { - owner = "cloudflare-dns"; - }; - sops.secrets."cloudflare_api_token" = { - owner = "cloudflare-dns"; - }; - hardware.firmware = [ ( pkgs.runCommand "edid.bin" { } '' 
@@ -254,10 +230,10 @@ let secrets = import ../secrets.nix; in enable = true; systemCronJobs = [ # Update DuckDNS - use 'journalctl -e' to see logged output (should log 'OK' every 5 minutes) - "*/5 * * * * duckdns curl 'https://www.duckdns.org/update?domains=mstro&token=$(cat ${config.sops.secrets.duckdns_token.path})&ip=' | systemd-cat -t 'duckdns'" + "*/5 * * * * duckdns curl 'https://www.duckdns.org/update?domains=mstro&token=${secrets.duckdns_token}&ip=' | systemd-cat -t 'duckdns'" # Update CloudFlare DNS - "*/1 * * * * cloudflare-dns curl --request PUT --url https://api.cloudflare.com/client/v4/zones/$(cat ${config.sops.secrets.cloudflare_zone_id.path})/dns_records/$(cat ${config.sops.secrets.cloudflare_dns_record_id.path}) --header 'Content-Type: application/json' --header 'Authorization: Bearer $(cat ${config.sops.secrets.cloudflare_api_token.path})' --data '{ \"comment\": \"Domain verification record\", \"name\": \"@\", \"proxied\": false, \"settings\": {}, \"tags\": [], \"ttl\": 60, \"content\": \"'$(curl https://ipinfo.io/ip)'\", \"type\": \"A\" }' | jq -r '.success' | systemd-cat -t 'cloudflare-dns'" + "*/1 * * * * cloudflare-dns curl --request PUT --url https://api.cloudflare.com/client/v4/zones/${secrets.cloudflare_zone_id}/dns_records/${secrets.cloudflare_dns_record_id} --header 'Content-Type: application/json' --header 'Authorization: Bearer ${secrets.cloudflare_api_token}' --data '{ \"comment\": \"Domain verification record\", \"name\": \"@\", \"proxied\": false, \"settings\": {}, \"tags\": [], \"ttl\": 60, \"content\": \"'$(curl https://ipinfo.io/ip)'\", \"type\": \"A\" }' | jq -r '.success' | systemd-cat -t 'cloudflare-dns'" ]; }; 
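Review bot: Interpolating `${secrets.duckdns_token}`, `${secrets.cloudflare_zone_id}`, `${secrets.cloudflare_dns_record_id}` and `${secrets.cloudflare_api_token}` into the two systemCronJobs strings bakes the live token values into the generated crontab, which ends up in the world-readable Nix store (and in any closure copied off the host), whereas the removed `$(cat ${config.sops.secrets.*.path})` form only put a path in the store and read the value at run time. The same exposure applies to the nginx hunks in this file at `@@ -288,12 +264,12 @@` and `@@ -318,14 +294,12 @@`, where `basicAuth = userlist` makes NixOS write the credentials into a store-side htpasswd file. A likely motivation for the change is visible in the old lines: `$(cat …)` sat inside single quotes in `'https://www.duckdns.org/update?…'` and `'Authorization: Bearer …'`, so the shell never expanded it; the fix for that is double quotes around the run-time read, not eval-time interpolation, e.g. `"https://www.duckdns.org/update?domains=mstro&token=$(cat <PATH_TO_DUCKDNS_TOKEN_FILE>)&ip="` and `"Authorization: Bearer $(cat <PATH_TO_CLOUDFLARE_TOKEN_FILE>)"`, with the files deployed outside the store and readable only by the `duckdns` and `cloudflare-dns` users. If `../secrets.nix` is tracked in this repository (not visible here), the values are now also part of git history and should be treated as exposed.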
@@ -288,12 +264,12 @@ let secrets = import ../secrets.nix; in # NGINX services.nginx = let - userlistFile = config.sops.secrets."nginx-users".path; + userlist = secrets.nginx_userlist; commonConfig = { root = "/schijf"; locations."/" = { - basicAuthFile = userlistFile; + basicAuth = userlist; extraConfig = '' autoindex on; add_header Cache-Control max-age=172800; @@ -318,14 +294,12 @@ let secrets = import ../secrets.nix; in }; locations."/transmission/web/" = { - basicAuthFile = userlistFile; - #basicAuth = userlist; + basicAuth = userlist; proxyPass = "http://127.0.0.1:9091/transmission/web/"; proxyWebsockets = true; }; locations."/transmission/rpc" = { - #basicAuth = userlist; - basicAuthFile = userlistFile; + basicAuth = userlist; proxyPass = "http://127.0.0.1:9091/transmission/rpc"; proxyWebsockets = true; }; diff --git a/deemz.org/secrets/nginx-users b/deemz.org/secrets/nginx-users deleted file mode 100644 index 2e2aa3a..0000000 --- a/deemz.org/secrets/nginx-users +++ /dev/null 
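Review bot: Switching from `basicAuthFile = userlistFile` to `basicAuth = userlist` changes what the secret has to contain: NixOS generates the htpasswd file for `basicAuth` from an attribute set of user → plaintext password, so `secrets.nginx_userlist` must now hold the real passwords rather than the hashed entries the removed htpasswd file could carry, and the option's own description warns that this is stored in plain text. Nothing in either hunk shows the type of `secrets.nginx_userlist`; confirm it is an attrset of strings, since the two hunks (`@@ -288,12 +264,12 @@` and `@@ -318,14 +294,12 @@`) both depend on it. A lower-risk equivalent that still drops sops-nix is to keep `basicAuthFile` and point it at a hashed htpasswd file delivered outside the store and owned by `nginx`, e.g. `basicAuthFile = "<PATH_TO_NGINX_HTPASSWD_FILE>";`, which also makes the `userlist` binding in the `let` unnecessary. The enclosing `services.nginx = let … in` expression extends beyond both hunks.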
@@ -1,14 +0,0 @@
-{
- "data": "ENC[AES256_GCM,data:vobRo+g4doHaXCSd5YLF/hmIrTDM/uMXDQ3s2guCTxU4hAAHczzIhbdwIkQBWRI=,iv:Zg7yLzY6xHDNrIH1mp+yYjc86aFT0FN7Z+WQ6Fw0foo=,tag:lSGhRH5jXRkgbsweS4Xb5g==,type:str]",
- "sops": {
- "age": [
- {
- "recipient": "age156gze6ecg8xpgg3gc049tqprts5dl5apr7020cu70ukpsta3qvpsldd6kh",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUFpaNzBWeEc0M0kxbGYz\nY3MwOUVsSjRYUEc3YTN1a2ZJdGlQcXB5R0I0Ck1hQWR1cUFhNWxSb2NYcG1kTG9S\naGQxNjEvRy9MaWpjL09KUTI1akVLd0UKLS0tIDNVYnBEL1lWZFQ4NFRtb05kZEk0\ncXRhTzMrSEpNVFlKMEoxbGx4d2J2UGcKNW/9gFikfgFwpH5J7whVWYfjj38io/Tt\n03R35Xt8igkaR6zMUBVCWYlK8gTvNcXLIzwhd4InyY3e6WNQ5gXniA==\n-----END AGE ENCRYPTED FILE-----\n"
- }
- ],
- "lastmodified": "2025-11-13T13:57:32Z",
- "mac": "ENC[AES256_GCM,data:gcfYnQ18CCFPYSTSsYAvnHL3AcIDVaUs/gkvCE+cNse7z8VbuRN8PKUhCziqA0/ubENcg0oFMmd1Bzh1PR16FF/uFaKfssTr3HTyygwDYlFpIVbHcAhi1Sx9clQRojVAWOadYbYOfWOiKau+kh0u7uUs+JoKErM48ooDu4KTaow=,iv:X21Y+pIoazeA6PhvhM+xr0klUPLpHDBRUiK6RLrBJJ0=,tag:fcJiC+GIEEsik1SJkl7ovA==,type:str]",
- "version": "3.11.0"
- }
-}
diff --git a/deemz.org/secrets/secrets.yaml b/deemz.org/secrets/secrets.yaml
deleted file mode 100644
index d037d6c..0000000
--- a/deemz.org/secrets/secrets.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-duckdns_token: ENC[AES256_GCM,data:0baTWilND6Sz7G2tcrVivLuHEfWVZdDF0MMEKL3GdI42zN6J,iv:TUJfxWmFVsRIz4YGh/l618S33w0hK/gndDl7qRIvXj8=,tag:godLQL7pcg0dBJpt4ar5oQ==,type:str]
-cloudflare_zone_id: ENC[AES256_GCM,data:M16f9pPua1jTSeaI+QTuyonkm07b4QtJyLwq46BHVnQ=,iv:hHiiLeDYBJyKsaT4pNtAm2OACHLxXhSP4ccCsPARuqE=,tag:eYcVhdNblYDTsVgmLqRFRA==,type:str]
-cloudflare_dns_record_id: ENC[AES256_GCM,data:uWmc89xaIa9MjuvGge3aIDFdXxYzVWmZRf+JV/t89+o=,iv:+4RyCvqEjryw2vO15hETkbvJUT3KleKN1lu2zRATS+s=,tag:BPCb1gd/4gdMokPtn3SZng==,type:str]
-cloudflare_api_token: ENC[AES256_GCM,data:8CnqBvjbvD741TRJ9QD4ZSwcIyS7uzgSSGsISq1+w4Llmuh+K2npYQ==,iv:7CqdNAWfvLYJPtk4L8G+HbYoBf5cmxeQ8sRD0uFl4AM=,tag:mbcCNlEOgNC5e/SWIaGP/w==,type:str]
-sops:
- age:
- - recipient: age156gze6ecg8xpgg3gc049tqprts5dl5apr7020cu70ukpsta3qvpsldd6kh
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNd1c0bG9xdmdkRzlhbjZ1
- VEZtemZmcUp4L0V3Z3hJUXd2R2xoZjdEaHk0CmNpRlpza2cyVUFZMDVSNW05bmc0
- b053UU42QWlkVEQwUVBaeDJLNlMwRjQKLS0tIDlPT2UzK2xHZGxrRERJVlZzNFZU
- MzJQK1JxT3NtdXQvRVN5Y1dZT0V1MGcKAkdsMIcS9C9VIWVPWIMv3dZC0gTlSBD3
- tf3xQh6MS2DiIqgxoG+ijRpkWKkraianlD4oZRh8mWHew9g3/IK4yw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-13T14:07:01Z"
- mac: ENC[AES256_GCM,data:MA++TKCts2zWSEYTDoNF/lnyxa4TEEb1h1iOn0OctHv9vAaVHCwmkE5bjUfddakRa3zIMZ4nXX0bS1jOa1BYMfvVAYmwviyFejx6lsCZ4/6b9ptK5aO0nwlFZy7WDIIWb7AHdTTGInSU0JQx6emPzUXzsfjfOPAvImLTjhrsqmc=,iv:hM6MkmEb8Mrk8UouzLtECafocFo3yDK7c4iyTWDLe5A=,tag:8kA9j27kBRO3UubRNVKBlw==,type:str]
- unencrypted_suffix: _unencrypted
- version: 3.11.0
diff --git a/flake.lock b/flake.lock
index a69b7a1..78b6df5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -130,28 +130,7 @@
 "icomidal": "icomidal",
 "mtl-aas": "mtl-aas",
 "nixpkgs-stable": "nixpkgs-stable",
- "nixpkgs-unstable": "nixpkgs-unstable",
- "sops-nix": "sops-nix"
- }
- },
- "sops-nix": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs-stable"
- ]
- },
- "locked": {
- "lastModified": 1763023272,
- "narHash": "sha256-TCVNCn/GcKhwm+WlSJEZEPW4ISQdU9ICIU3lTiOLBYc=",
- "owner": "Mic92",
- "repo": "sops-nix",
- "rev": "b80c966e70fa0615352c9596315678df1de75801",
- "type": "github"
- },
- "original": {
- "owner": "Mic92",
- "repo": "sops-nix",
- "type": "github"
+ "nixpkgs-unstable": "nixpkgs-unstable"
 }
 },
 "uv2nix": {
diff --git a/flake.nix b/flake.nix
index 43d0338..329a43e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,10 +4,6 @@
 inputs = {
 nixpkgs-stable.url = "github:nixos/nixpkgs?ref=nixos-25.05";
 nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
- sops-nix = {
- url = "github:Mic92/sops-nix";
- inputs.nixpkgs.follows = "nixpkgs-stable";
- };
 icomidal = {
 url = "git+https://deemz.org/git/joeri/icomidal";
 inputs.nixpkgs.follows = "nixpkgs-stable";
@@ -18,7 +14,7 @@
 };
 };
 
- outputs = { self, nixpkgs-stable, nixpkgs-unstable, sops-nix, icomidal, mtl-aas }:
+ outputs = { self, nixpkgs-stable, nixpkgs-unstable, icomidal, mtl-aas }:
 let
 system = "x86_64-linux";
 in {
@@ -38,7 +34,6 @@
 mtl-aas=mtl-aas.packages.${system}.default;
 mtlAasHost = "deemz.org";
 mtlAasBaseUrl = "/apis/mtl-aas/";
- sops-nix = sops-nix;
 };
 modules = [
 ./deemz.org/configuration.nix