From 26747bd639b15355aca8488485140f65fd8288cd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Fri, 14 Apr 2023 14:12:45 +0300
Subject: [PATCH] flakes
---
 .envrc | 2 -
 .sops.yaml | 10 -
 README.md | 22 +-
 data.nix | 65 +++++-
 flake.nix | 23 ++-
 .../hel1-a/configuration.nix | 194 ++++--------------
 .../hel1-a/hardware-configuration.nix | 0
 hosts/hel1-a/secrets.yaml | 41 ----
 zfs.nix => hosts/hel1-a/zfs.nix | 1 -
 hosts/vm/configuration.nix | 5 +-
 krops.nix | 27 ---
 modules/base/default.nix | 135 ++++++++++++
 modules/base/initrd/default.nix | 31 +++
 modules/base/sshd/default.nix | 18 ++
 modules/default.nix | 6 +
 modules/services/default.nix | 9 +
 secrets.nix | 18 ++
 secrets/hel1-a/borgbackup/password.age | 11 +
 secrets/hel1-a/borgbackup/password.gpg | Bin 604 -> 0 bytes
 secrets/hel1-a/postfix/sasl_passwd.age | 12 ++
 secrets/hel1-a/postfix/sasl_passwd.gpg | Bin 679 -> 0 bytes
 .../hel1-a/synapse/jakstys.lt.signing.key.gpg | Bin 693 -> 0 bytes
 .../hel1-a/synapse/jakstys_lt_signing_key.age | 12 ++
 .../hel1-a/synapse/macaroon_secret_key.age | 11 +
 .../hel1-a/synapse/macaroon_secret_key.gpg | Bin 696 -> 0 bytes
 .../synapse/registration_shared_secret.age | Bin 0 -> 553 bytes
 .../synapse/registration_shared_secret.gpg | Bin 703 -> 0 bytes
 secrets/hel1-a/turn/static-auth-secret.gpg | Bin 648 -> 0 bytes
 secrets/hel1-a/turn/static_auth_secret.age | 12 ++
 secrets/motiejus_bk1.pub.txt | 2 +
 secrets/motiejus_passwd_hash.age | Bin 0 -> 566 bytes
 secrets/{identity.txt => motiejus_yk1.txt} | 0
 secrets/root_passwd_hash.age | 12 ++
 secrets/sendgrid.gpg | Bin 694 -> 0 bytes
 34 files changed, 430 insertions(+), 249 deletions(-)
 delete mode 100644 .sops.yaml
 rename configuration.nix => hosts/hel1-a/configuration.nix (76%)
 rename hardware-configuration.nix => hosts/hel1-a/hardware-configuration.nix (100%)
 delete mode 100644 hosts/hel1-a/secrets.yaml
 rename zfs.nix => hosts/hel1-a/zfs.nix (87%)
 delete mode 100644 krops.nix
 create mode 100644 modules/base/default.nix
 create mode 100644 modules/base/initrd/default.nix
 create mode 100644
modules/base/sshd/default.nix
 create mode 100644 modules/default.nix
 create mode 100644 modules/services/default.nix
 create mode 100644 secrets.nix
 create mode 100644 secrets/hel1-a/borgbackup/password.age
 delete mode 100644 secrets/hel1-a/borgbackup/password.gpg
 create mode 100644 secrets/hel1-a/postfix/sasl_passwd.age
 delete mode 100644 secrets/hel1-a/postfix/sasl_passwd.gpg
 delete mode 100644 secrets/hel1-a/synapse/jakstys.lt.signing.key.gpg
 create mode 100644 secrets/hel1-a/synapse/jakstys_lt_signing_key.age
 create mode 100644 secrets/hel1-a/synapse/macaroon_secret_key.age
 delete mode 100644 secrets/hel1-a/synapse/macaroon_secret_key.gpg
 create mode 100644 secrets/hel1-a/synapse/registration_shared_secret.age
 delete mode 100644 secrets/hel1-a/synapse/registration_shared_secret.gpg
 delete mode 100644 secrets/hel1-a/turn/static-auth-secret.gpg
 create mode 100644 secrets/hel1-a/turn/static_auth_secret.age
 create mode 100755 secrets/motiejus_bk1.pub.txt
 create mode 100644 secrets/motiejus_passwd_hash.age
 rename secrets/{identity.txt => motiejus_yk1.txt} (100%)
 create mode 100644 secrets/root_passwd_hash.age
 delete mode 100644 secrets/sendgrid.gpg
diff --git a/.envrc b/.envrc
index 0142354..4c92382 100644
--- a/.envrc
+++ b/.envrc
@@ -1,5 +1,3 @@
-export PASSWORD_STORE_DIR=$PWD
-
 if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then
 source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs="
 fi
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index a601aeb..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-keys:
- - &motiejus 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
- - &server_hel1a age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
-creation_rules:
- - path_regex: hosts/hel1-a/secrets.yaml$
- key_groups:
- - pgp:
- - *motiejus
- age:
- - *server_hel1a
diff --git a/README.md b/README.md
index c4926d9..9250e87 100644
--- a/README.md
+++ b/README.md
@@ -12,18 +12,28 @@ Upcoming flakes:
 $ nix build .#deploy.nodes.hel1-a.profiles.system.path
-Managing secrets
-----------------
+VM:
+
+ $ nix build .#nixosConfigurations.vm.config.system.build.vm
+
+Encoding host-only secrets
+--------------------------
 Encode a secret on host:
- rage -e -r $(ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub) -o secret.age /etc/plaintext
+ rage -e -r "$(cat /etc/ssh/ssh_host_ed25519_key.pub)" -o secret.age /path/to/plaintext
 Decode a secret on host (to test things out):
- age -d -i <(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) secret.age
+ rage -d -i /etc/ssh/ssh_host_ed25519_key secret.age
-If/when [str4d/rage#379](https://github.com/str4d/rage/issues/379) is fixed, we
-can replace the above command to `rage`.
+Bootstrapping
+-------------
+
+Prereqs:
+
+ mkdir -p /etc/secrets/initrd
+ ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519
 [1]: https://cgit.krebsco.de/krops/about/
+
diff --git a/data.nix b/data.nix
index 3cd582d..a44ece6 100644
--- a/data.nix
+++ b/data.nix
@@ -1,3 +1,64 @@
-{
- pubkeys = {}; # TODO
+rec {
+ ips = {
+ vno1 = "88.223.107.21";
+ hel1a = "65.21.7.119";
+ };
+
+ ssh_pubkeys = {
+ motiejus = "ssh-rsa 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";
+ vno1_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiWb7yeSeuFCMZWarKJD6ZSxIlpEHbU++MfpOIy/2kh";
+ };
+
+ systems = {
+ "vno1-oh2.servers.jakst" = {
+ extraHostNames = ["dl.jakstys.lt" "vno1-oh2.jakstys.lt"];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtYsaht57g2sp6UmLHqsCK+fHjiiZ0rmGceFmFt88pY";
+ };
+ "hel1-a.servers.jakst" = {
+ extraHostNames = ["hel1-a.jakstys.lt" "git.jakstys.lt" "vpn.jakstys.lt" "jakstys.lt" "www.jakstys.lt"];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
+ };
+ "mtwork.motiejus.jakst" = {
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvNuABV5KXmh6rmS+R50XeJ9/V+Sgpuc1DrlYXW2bQb";
+ };
+ "zh2769.rsync.net" = {
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd";
+ };
+ "github.com" = {
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+ };
+ "git.sr.ht" = {
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+ };
+ };
+
+ tailscale_subnet = {
+ cidr = "100.89.176.0/20";
+ range = "100.89.176.0-100.89.191.255";
+ };
+
+ jakstysLTZone = ''
+ $ORIGIN jakstys.lt.
+ $TTL 86400
+ @ SOA ns1.jakstys.lt. motiejus.jakstys.lt. (2023032100 86400 86400 86400 86400)
+ @ NS ns1.jakstys.lt.
+ @ NS ns2.jakstys.lt.
+ @ A ${ips.hel1a}
+ www A ${ips.hel1a}
+ ns1 A ${ips.vno1}
+ ns2 A ${ips.hel1a}
+ beta A ${ips.hel1a}
+ turn A ${ips.hel1a}
+ vpn A ${ips.hel1a}
+ git A ${ips.hel1a}
+ auth A ${ips.hel1a}
+ dl A ${ips.vno1}
+ hel1-a A ${ips.hel1a}
+ vno1 A ${ips.vno1}
+ @ MX 10 aspmx.l.google.com.
+ @ MX 20 alt1.aspmx.l.google.com.
+ @ MX 20 alt2.aspmx.l.google.com.
+ @ MX 30 aspmx2.googlemail.com.
+ @ MX 30 aspmx3.googlemail.com.
+ '';
 }
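Review bot: The SOA serial in `jakstysLTZone` is still `2023032100`, yet the records differ from the knot zone this commit removes at `@@ -549,52 +482,10 @@` in hosts/hel1-a/configuration.nix (`fwmine`, `recordrecap` and `www.recordrecap` are gone); a secondary that already holds serial 2023032100 — ns1 on vno1, if it transfers from this host — will never pick up the new zone. If dropping those records is intended, bump the serial along with it, e.g. `@ SOA ns1.jakstys.lt. motiejus.jakstys.lt. (2023041400 86400 86400 86400 86400)` (a constructed value following the YYYYMMDDnn convention already used here; any larger serial works). Now that the zone lives in a Nix string instead of a zone file, a comment above the SOA such as `# bump the serial (first SOA field) whenever a record changes` keeps that rule in view for the next edit.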
diff --git a/flake.nix b/flake.nix
index 970f8d2..e651fe3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,12 +49,27 @@
 nixosConfigurations.hel1-a = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
- ./configuration.nix
- ./hardware-configuration.nix
- ./zfs.nix
+ ./hosts/hel1-a/configuration.nix
+ ./hosts/hel1-a/hardware-configuration.nix
+ ./hosts/hel1-a/zfs.nix
+
+ ./modules
+
+ agenix.nixosModules.default
+
+ {
+ age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
+ age.secrets.sasl-passwd.file = ./secrets/hel1-a/postfix/sasl_passwd.age;
+ age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age;
+ age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
+ age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
+ age.secrets.synapse-macaroon-secret-key.file = ./secrets/hel1-a/synapse/macaroon_secret_key.age;
+ age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
+ age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
+ }
 ];
- specialArgs = inputs;
+ specialArgs = {inherit myData;} // inputs;
 };
 deploy.nodes.hel1-a = {
diff --git a/configuration.nix b/hosts/hel1-a/configuration.nix
similarity index 76%
rename from configuration.nix
rename to hosts/hel1-a/configuration.nix
index 3885c83..bc12223 100644
--- a/configuration.nix
+++ b/hosts/hel1-a/configuration.nix
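Review bot: Each `age.secrets.*` entry in this hunk sets only `file`, so every secret is decrypted with agenix's defaults of owner root and mode 0400. That fits the consumers visible on this page — borg's `passCommand` (assuming the job keeps the default root user) and the two `LoadCredential` references are read by root — but the postfix `sasl_passwd` map and the two password hashes are consumed by code not shown here, so confirm each of those readers runs as root or give that secret an explicit `owner`/`mode`. `myData` is passed through `specialArgs` but bound above this hunk; presumably it is the import of ./data.nix, which cannot be confirmed from the page.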
@@ -2,25 +2,10 @@
 config,
 pkgs,
 lib,
+ agenix,
+ myData,
 ...
 }: let
- gitea_uidgid = 995;
-
- tailscale_subnet = {
- cidr = "100.89.176.0/20";
- range = "100.89.176.0-100.89.191.255";
- };
-
- ips = {
- vno1 = "88.223.107.21";
- hel1a = "65.21.7.119";
- };
-
- ssh_pubkeys = {
- motiejus = "ssh-rsa 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";
- vno1_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiWb7yeSeuFCMZWarKJD6ZSxIlpEHbU++MfpOIy/2kh";
- };
-
 backup_paths = {
 var_lib = {
 mountpoint = "/var/lib";
@@ -45,6 +30,7 @@
 };
 turn_cert_dir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.jakstys.lt";
+ gitea_uidgid = 995;
 # functions
 mountLatest = (
@@ -72,40 +58,30 @@ in {
 enable = true;
 ssh = {
 enable = true;
- port = 22;
- authorizedKeys = builtins.attrValues ssh_pubkeys;
+ authorizedKeys = builtins.attrValues myData.ssh_pubkeys;
 hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
 };
 };
- security = {
- sudo = {
- wheelNeedsPassword = false;
- execWheelOnly = true;
+ mj = {
+ stateVersion = "22.11";
+ timeZone = "UTC";
+
+ base.initrd = {
+ enable = true;
+ authorizedKeys = builtins.attrValues myData.ssh_pubkeys;
+ hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
 };
 };
- time.timeZone = "UTC";
-
 users = {
- mutableUsers = false;
-
- users = {
- git = {
- description = "Gitea Service";
- home = "/var/lib/gitea";
- useDefaultShell = true;
- group = "gitea";
- isSystemUser = true;
- uid = gitea_uidgid;
- };
-
- motiejus = {
- isNormalUser = true;
- extraGroups = ["wheel"];
- uid = 1000;
- openssh.authorizedKeys.keys = [ssh_pubkeys.motiejus];
- };
+ users.git = {
+ description = "Gitea Service";
+ home = "/var/lib/gitea";
+ useDefaultShell = true;
+ group = "gitea";
+ isSystemUser = true;
+ uid = gitea_uidgid;
 };
 groups.gitea.gid = gitea_uidgid;
@@ -113,16 +89,9 @@ in {
 environment = {
 systemPackages = with pkgs; [
- jq
 git
- dig
- wget
- tree
- lsof
- file
 tmux
 htop
- rage
 #ncdu
 nmap
 ipset
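Review bot: In the `@@ -72,40 +58,30 @@` hunk the initrd host key path stays `/etc/secrets/initrd/ssh_host_ed25519_key`, both in `boot.initrd.network.ssh.hostKeys` and in the new `mj.base.initrd.hostKeys`, while the bootstrap step this same commit adds to README.md runs `ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519`, which writes a file without the `_key` suffix — a host prepared from the README will not have the key the initrd expects. Align one side, e.g. in the README `ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key`. The same keys are now declared twice (`boot.initrd.network.ssh` and `mj.base.initrd`); if modules/base/initrd (not on this page) derives `boot.initrd.network.ssh` from the `mj` options, the direct block should go so the two cannot drift. This hunk also drops `users.mutableUsers = false`, the `security.sudo` settings and the `motiejus` user with no replacement visible here — presumably modules/base carries them, but `mutableUsers = false` is what makes the new `*-passwd-hash` secrets authoritative, so it is worth confirming.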
@@ -135,56 +104,25 @@ in {
 tcpdump
 vimv-rs
 openssl
- ripgrep
 bsdgames
- binutils
- moreutils
 headscale
 mailutils
 nixos-option
- unixtools.xxd
 graphicsmagick
 ];
- variables = {
- EDITOR = "nvim";
- };
- };
-
- programs = {
- mtr.enable = true;
- mosh.enable = true;
- neovim = {
- enable = true;
- defaultEditor = true;
- };
-
- ssh.knownHosts = {
- "vno1-oh2.servers.jakst" = {
- extraHostNames = ["dl.jakstys.lt" "vno1-oh2.jakstys.lt"];
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtYsaht57g2sp6UmLHqsCK+fHjiiZ0rmGceFmFt88pY";
- };
- "hel1-a.servers.jakst" = {
- extraHostNames = ["hel1-a.jakstys.lt" "git.jakstys.lt" "vpn.jakstys.lt" "jakstys.lt" "www.jakstys.lt"];
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
- };
- "mtwork.motiejus.jakst" = {
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvNuABV5KXmh6rmS+R50XeJ9/V+Sgpuc1DrlYXW2bQb";
- };
- "zh2769.rsync.net" = {
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd";
- };
- "github.com" = {
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
- };
- "git.sr.ht" = {
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
- };
- };
- };
 };
 services = {
 tailscale.enable = true;
+ nsd = {
+ enable = true;
+ interfaces = [ "0.0.0.0" "::" ];
+ zones = {
+ "jakstys.lt.".data = myData.jakstysLTZone;
+ };
+ };
+
 zfs = {
 autoScrub.enable = true;
 trim.enable = true;
@@ -192,11 +130,6 @@ in {
 };
 openssh = {
- enable = true;
- settings = {
- PermitRootLogin = "no";
- PasswordAuthentication = false;
- };
 extraConfig = ''
 AcceptEnv GIT_PROTOCOL
 '';
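Review bot: `programs.ssh.knownHosts` is removed in the `@@ -135,56 +104,25 @@` hunk and its entries only reappear as `myData.systems` in data.nix; nothing on this page feeds them back into `programs.ssh.knownHosts`, so unless modules/base does (it is not shown), outbound SSH from this host — including borg's connection to `zh2769@zh2769.rsync.net` — runs without a pinned host key. Please confirm that module sets `programs.ssh.knownHosts = myData.systems;` or equivalent. On the nsd side, `interfaces = [ "0.0.0.0" "::" ]` reproduces the removed knot `listen:` lines, but knot's `semantic-checks: on` has no counterpart here; if zone validation was relied on, a comment noting that it is now gone, or a build-time check, would be worth adding.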
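Review bot: Dropping `PermitRootLogin = "no"` and `PasswordAuthentication = false` from `services.openssh.settings` in the `@@ -192,11 +130,6 @@` hunk leaves this host on the NixOS defaults (`prohibit-password` and password authentication enabled) unless modules/base/sshd — in the diffstat but not on this page — sets them again, and the same goes for the removed `enable = true`. Please confirm that module carries all three; if it does, a one-line comment here such as `# sshd enable/hardening lives in modules/base/sshd` would save the next reader the lookup.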
@@ -240,7 +173,7 @@ in {
 repo = "zh2769@zh2769.rsync.net:hel1-a.servers.jakst";
 encryption = {
 mode = "repokey-blake2";
- passCommand = "cat /var/src/secrets/borgbackup/password";
+ passCommand = "cat ${config.age.secrets.borgbackup-password.path}";
 };
 paths = value.paths;
 extraArgs = "--remote-path=borg1";
@@ -267,7 +200,7 @@ in {
 settings = {
 server_url = "https://vpn.jakstys.lt";
 ip_prefixes = [
- tailscale_subnet.cidr
+ myData.tailscale_subnet.cidr
 "fd7a:115c:a1e0:59b0::/64"
 ];
 log.level = "warn";
@@ -407,7 +340,7 @@ in {
 denied-peer-ip=10.0.0.0-10.255.255.255
 denied-peer-ip=192.168.0.0-192.168.255.255
 denied-peer-ip=172.16.0.0-172.31.255.255
- denied-peer-ip=${tailscale_subnet.range}
+ denied-peer-ip=${myData.tailscale_subnet.range}
 '';
 };
@@ -419,7 +352,7 @@ in {
 admin_contact = "motiejus@jakstys.lt";
 enable_registration = false;
 report_stats = true;
- signing_key_path = "/run/matrix-synapse/jakstys.lt.signing.key";
+ signing_key_path = "/run/matrix-synapse/jakstys_lt_signing_key";
 extraConfigFiles = ["/run/matrix-synapse/secrets.yaml"];
 log_config = pkgs.writeText "log.config" ''
 version: 1
@@ -509,13 +442,13 @@ in {
 "127.0.0.1/8"
 "[::ffff:127.0.0.0]/104"
 "[::1]/128"
- tailscale_subnet.cidr
+ myData.tailscale_subnet.cidr
 ];
 hostname = "${config.networking.hostName}.${config.networking.domain}";
 relayHost = "smtp.sendgrid.net";
 relayPort = 587;
 mapFiles = {
- sasl_passwd = "/var/src/secrets/postfix/sasl_passwd";
+ sasl_passwd = config.age.secrets.sasl-passwd.path;
 };
 extraConfig = ''
 smtp_sasl_auth_enable = yes
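Review bot: In the `@@ -419,7 +352,7 @@` hunk `signing_key_path` becomes `/run/matrix-synapse/jakstys_lt_signing_key`, and the `write-secrets` script further down symlinks `''${CREDENTIALS_DIRECTORY}/jakstys_lt_signing_key`, so the synapse unit's `LoadCredential` entry must carry the new credential name as well, e.g. `"jakstys_lt_signing_key:${config.age.secrets.synapse-jakstys-signing-key.path}"`. That entry is not in any hunk on this page, so please confirm it was renamed — the equivalent turn entry at `@@ -683,7 +574,7 @@` was — otherwise the symlink dangles and synapse fails to start with a missing signing key.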
@@ -549,52 +482,10 @@ in {
 blocktime = 900;
 whitelist = [
 "192.168.0.0/16"
- tailscale_subnet.cidr
- ips.vno1
+ myData.tailscale_subnet.cidr
+ myData.ips.vno1
 ];
 };
-
- knot = let
- jakstysLTZone = pkgs.writeText "jakstys.lt.zone" ''
- $ORIGIN jakstys.lt.
- $TTL 86400
- @ SOA ns1.jakstys.lt. motiejus.jakstys.lt. (2023032100 86400 86400 86400 86400)
- @ NS ns1.jakstys.lt.
- @ NS ns2.jakstys.lt.
- @ A ${ips.hel1a}
- www A ${ips.hel1a}
- ns1 A ${ips.vno1}
- ns2 A ${ips.hel1a}
- beta A ${ips.hel1a}
- turn A ${ips.hel1a}
- vpn A ${ips.hel1a}
- git A ${ips.hel1a}
- auth A ${ips.hel1a}
- dl A ${ips.vno1}
- fwmine A ${ips.hel1a}
- hel1-a A ${ips.hel1a}
- vno1 A ${ips.vno1}
- recordrecap A ${ips.hel1a}
- www.recordrecap A ${ips.hel1a}
- @ MX 10 aspmx.l.google.com.
- @ MX 20 alt1.aspmx.l.google.com.
- @ MX 20 alt2.aspmx.l.google.com.
- @ MX 30 aspmx2.googlemail.com.
- @ MX 30 aspmx3.googlemail.com.
- '';
- in {
- enable = true;
- extraConfig = ''
- server:
- listen: 0.0.0.0@53
- listen: ::@53
- version: 42
- zone:
- - domain: jakstys.lt
- file: ${jakstysLTZone}
- semantic-checks: on
- '';
- };
 };
 networking = {
@@ -683,7 +574,7 @@ in {
 "${turn_cert_dir}/turn.jakstys.lt.crt"
 ];
 serviceConfig.LoadCredential = [
- "static-auth-secret:/var/src/secrets/turn/static-auth-secret"
+ "static-auth-secret:${config.age.secrets.turn-static-auth-secret.path}"
 "tls-key.pem:${turn_cert_dir}/turn.jakstys.lt.key"
 "tls-cert.pem:${turn_cert_dir}/turn.jakstys.lt.crt"
 ];
@@ -704,7 +595,7 @@ in { secretsScript = pkgs.writeShellScript "write-secrets" '' set -euo pipefail umask 077 - ln -sf ''${CREDENTIALS_DIRECTORY}/jakstys.lt.signing.key /run/matrix-synapse/jakstys.lt.signing.key + ln -sf ''${CREDENTIALS_DIRECTORY}/jakstys_lt_signing_key /run/matrix-synapse/jakstys_lt_signing_key cat > /run/matrix-synapse/secrets.yaml < ssh-ed25519 vDjOfg yV3BxKKBmsDJJDpTbTpW8ZQBEw1dzsAZcEhlcr1efwA +WPG4olU+AEQOPOXCGVYyN9J/h5jItJkQilUr5x/3UqQ +-> X25519 k28YknTZR1ETWY1PhXwmRv/rAmvsL0YVzV5/x2qHGX0 +ooqcWrdQ4gBxq6Y0WNVr41NJFarC5g+3xZDdo1NKooo +-> piv-p256 +y2G/w AlBGJoImuKrcEvQCLwk8NJX+YwzpaTSX7rT01NAbYp6f +ihlhk5+itPJ3skH/4Rkx+Taq+JboQ0s+6My86WSaCmg +-> c-grease +1P4Pqguo6ZtYcXzdDQVm26RGywukVnkR0Mnk/lzXkjtr4Sk +--- xMODuPBdbFKgzh1mWly/CGFwUFA/10L1z3EQiDDNYD0 +P8icB%)nuz!gOA|3#AIr^vfq;_7Jhp)AeK9hj(0Uv9ytUH`YSWqOO}*>MFEgpe zGp41FsKXDhjUfmY!7Be2I9oCY$1>Rz=4b+t#aRM;ZCSCaWiWqPyggrI>+ zN7mj=by}4>3_ISQ4#arEM#NKi+*H}n!olX{&QOZs=%99877cZaDNRasC-mt1t=h#0w z`%Tvb-@>vs%3ytlR^TUWM{D=1L`VpS8fHBb7KCZzW$22H5u1u>Z5yrZ4J($z8NcMq zvr8Ho+Kh9K1KT-3tbWo<0m2xQp(T{-jtT1yIVtAV>ADkFs_X{m)222@E2Ui!fSzPd q&_Y8fPC-DfAgubA^mdchAtzaZ2!OCJ#|vc)k}@EvLtw*MUU5uZgdt`C diff --git a/secrets/hel1-a/postfix/sasl_passwd.age b/secrets/hel1-a/postfix/sasl_passwd.age new file mode 100644 index 0000000..66a34db --- /dev/null +++ b/secrets/hel1-a/postfix/sasl_passwd.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 vDjOfg b1Zx1w3fzcOwPX6PPgXEGP9fNMu2G+9GP21ozLAdpFw +H9WBB2lD83ZaU7EeNBjH3FmAMcArO/58IvMltFCI+R0 +-> X25519 eHDSOyattfnleSYopf54sbh0ZBsJkBYHTwKiIrAIoHo +Zq3Ic+MuhT8apWBXFSvipCGMIpgi0VD3cogXSqXUKQA +-> piv-p256 +y2G/w Ay1FiQ7KMDPuGVc1JM0IQGf5Nuf+veaeO2V9TnxGE0Zt +agLLHpBgOM+hQSci8S/nKlMa5EMsAQhQaOc2XET7dx4 +-> pI8`h-grease Y}P!N p[ +7ecvACao/g +--- udtUjLi1oDBLTDbEm/jD2T43Vd8uCPXIVBDhVaL0CVU +b5/b ӽ< ܂Z_T5,Ú=J^Nɍ;BaıQkͧwON8\̘n(w:*>830VA'P~̚bl,ר +7 \ No newline at end of file 
diff --git a/secrets/hel1-a/postfix/sasl_passwd.gpg b/secrets/hel1-a/postfix/sasl_passwd.gpg deleted file mode 100644 index 5312168671d8c553b28ac99653b8ba427f99e46c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 679 zcmV;Y0$BZp0t^EH00000000015C28*KH$qb>(LROkqaisZKsuSJo#KaeYcnD)3=ax zPHOy|Q~HmUyoX>#A>a~ood9yKs+U^I^`y1?{G--?tVc%)GNGAZCRjkj0GQht-?COf z^$+V$U}JOv)Anw;$JV-SQf*q&_X`Tt0c!^x_Cn!_%N%Ul;`Vj&%5NO^VGv!IA0dK{O3`OYr4;AQK6Or zS2kxiuQUijpKAb&TG`Z2BKo^Qz8YraDbG=Ur_lPkFDI+OkX-YTB}zxXXKbi@{Us$j zNRpYcJ<@b4K#A^H^slvi3tl_CygPgW*(6NN zylsU0ng1+oQ=^_0+LzT&kw32HTM7)@_wiBmegDodG|d|QP~A6Nud4`|s{nbf$RJ6H zSM0&|;a`gAiY&-gRd$q9G5>`rxRWfjCv{K#lU|u1i2m=J42Pwwrkx!JsR*qI`WKe{*P77fa+On4fE3c z{*ZOVpCpI!Wl;AA(iR9y4@|=@xm2>`JRa6=llkv_uoRy!UyMv2*m{%H>=`AF!W~Mod?(HS7V=qp@4+0Vs zn}Y@`-l}l3!7WaQ_^#N?cU?$=el0mjl2MGa!-Vrwcf&5}U!Ss=QU0Zif`P))6BZSI zj)sR##*b|XwOWteu3gjoVz_GfDC`9!Xo4SRHA*<-c7xP{TTxRz3Zbs*s~Ay9c49b1 zIfcS(n4%L@rbOu71=-T10UBtme0oRENHwDsEF37{aL>7)oi3ClU-sE~j#KuOTOl0lSVKim7wzpIf?`0VFHR&-utF3N_3=QAGktj9HOI=z#SF7q^Y{N zkpv&U)iK!noFl?`djo?YK_?77PgluFip4v!OmA9K&gYRpOY+M#3Q)|^m2O$Bcf%jY bsP>WWPUO8QidkW@6et-y`EgDCG|C<6s{>dF diff --git a/secrets/hel1-a/synapse/jakstys_lt_signing_key.age b/secrets/hel1-a/synapse/jakstys_lt_signing_key.age new file mode 100644 index 0000000..cfbc9ce --- /dev/null +++ b/secrets/hel1-a/synapse/jakstys_lt_signing_key.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 vDjOfg FDCOq/6TT4MiTydElRtbJYGQkf5Dp9Rz+pGJbGNyEUk +w3FZziEXQZdhesTjJ1klAHoIOSKdgXBwBoLys60BjJE +-> X25519 RzOTSjA6boL+kwZ4F7TZkuzhP8HIXNDzIfM3tgLAURw +ThbibWPRI3F1PwlXls96SDeTMLpUau/freOw/rCdadE +-> piv-p256 +y2G/w ArbH4qK3h6v1FmARFCMivDuJ8zeA85sP6NrpPDuiI8se +zskm+i/Ox8DlhZplggvBBN3Nb9mEIsgcLsNR1/hejoY +-> n.bS-grease .8*'{}4t +/QdO2N7yjPjur3KSMV/Se/hASwhzjPXbz+wlI6UbJnxkbmSer+wdg9nYMbBtINU7 +aHsmE/Sm1fWeLKP7T4RvftqJtLZWDkn6BG4PA6sxqzQV +--- IU8CbpKKUO1yxNKrOSwKDZ7thZ3D4CKjA1H6N/Fw+fs +<*qL3,@OAMb=jn1Qبizn3emQ!:o1䭹\=mnGaM>Tͥ fNSy \ No newline at end of file diff --git a/secrets/hel1-a/synapse/macaroon_secret_key.age b/secrets/hel1-a/synapse/macaroon_secret_key.age new file mode 100644 index 0000000..27f0afc --- /dev/null +++ b/secrets/hel1-a/synapse/macaroon_secret_key.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 vDjOfg 99J07yNSb9UAfoiGi3ABFV6M4xl3iApYRv1HGNdQgT8 +LBMxQ+eAizZ2nWVQyD7lOzJfe8+3wPv+vNgxw/WEKk0 +-> X25519 FLS0fXs2R32jedMkvavMYoc+pZBfaOPfkm1qCc+RJjY +g9YlhVMu2DZ5GjBXCF51g0VY8STp0wbMI+lS0GQ4k2o +-> piv-p256 +y2G/w A9bUaREVnU6o1QAyqaCs5y5T+jQHbYvQQqOs8NRAe7mQ +8Z3p5ZpyI3O1peY8E6OGUyMUONlMEVDrfOVLMcJhzeY +-> L?a5-grease +A0lbHu5aBHSBIrwMz+QG4Mc6m2sEl/Z5TBmTsf1h +--- Df+ap67pp9N2RGb9OCkd5gVogMfXXqSJPeHMNk98TdU +5rL(uZbқ{;V8Ah`h sP--uuJ)XwX6"Tdnm*bi&)ƏK \ No newline at end of file 
diff --git a/secrets/hel1-a/synapse/macaroon_secret_key.gpg b/secrets/hel1-a/synapse/macaroon_secret_key.gpg deleted file mode 100644 index bde02cd1af29a6657c42570652d362ce8567cf8a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 696 zcmV;p0!RIY0t^E=$g65lMTV#W5B(o!%&nP%*YdiYAS!4UL=ccdA{_epma>4M@Oq1^ z_j}pl6D?{LWIVJ*S9iNzZ(DZ&vOy#kl&|dRS0Lf5B|{Wui&nCf;9cjuOC(m3n9WO9 zp`egOAYdNV5JIO*(H_T7XaqL)ob~XS3j4M9i1vNSGxx%vvJAXUiBUv%6KIr!o9o4Z z9EF)9s429{^t}G~-W`(xMc+B?xGKaD2C&y_g(Dh(f)i4Sd%24Fck0H6sB;TqCFV2N z;PTpn-U1%e;WOd9O^v;`YJ9_%K{T6MSkTlN-`x#tH`t=y8K=roM-`kRYOxAsDNAde zvV)vq=CdZs->0DA_NwPhbkZrHVIWzm8`6uigZ!#pf# z=IY&b*v`y>EEUV~WaaJ6?RIcC0(2ohB|`m6(Q%~2>Z)|=7@4hHuw12l^0_r3vI0!E zTZHTyZ!x?h%$*A#q7l{)TMn^VEBNh<%qVhSUs6D9;G`wR?z4$@b|+I1-=^dOgeO;k3yZ1; z?`_?35}#iSw-+Qy%M8+|0a+GjO`C59BXuwAc=p6Oy^*uN1XfB$q)l`5R{h$o+!84@ z7wbVUX6qiimM0=6n;kAAzUMWF7@^CsbW#F6FxOdH&-#s=JF?eIgAho$@g0Ktn2?@e zbLag`m!iKC5QaA*_yC>@75$SPhpJz^dgu+tR1&g5I&003Y=m`FeoJP4j5Wef~io1{&XDPq^8t!a{GOS?36f@$(LZQ3Sp^LDAJ zE#g6_2k|t9vXkJ)9}vNV9z9jO$iT}Oc-uie3!=qe@bFkJAc1d(F&uURe>Di*WJF=) z4IH612^>0;p?EwJyh_W(`&=s+4~6bP8wwH16EVlM#*U%Y#7yL;}V(Ny54kPwNEk5x+^I|vyc~TrrD0on(kLEIknL0{~>9I?KKdr8(BV!cscI- zBZ-Tm&@)V1bu3k&JUtshU#CS(AUcTO%BPxkde}>gu|OcnZEWg6qwWZtZ-B7NnQ6vV zyp4qbI}r)#42u&nT}+PfT*{T`EuVrsS0IR_q$WkJN#*=HqSH!IRDe>l2V+mmDx8It zMMabeenhMFQk+5Udtzu&SvJftRtc){$Q+Klw^*}PX(SQVm;`Yy0X+$yacd={BAAZbUuN?fofInK1&y9}Z`G>XLXM3fC`J2y& zyH~1>{ldq|&+Fg4%Xg=HZ_)etso9B_XV#Xsk2jwrzP-Eo>FCSRRrA5CJE!N9wf(dD V#m6U~E+?M90Jpzhn*Cb(^B1pAz6k&T literal 0 HcmV?d00001 
diff --git a/secrets/hel1-a/synapse/registration_shared_secret.gpg b/secrets/hel1-a/synapse/registration_shared_secret.gpg deleted file mode 100644 index da4859b2e3e9a24fc3f2ea46cebb73edd95bbf27..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 703 zcmV;w0zmzR0t^E=$g65lMTV#W5C3fna&*`BK5Y)|R1;!G!G=munl5QHf0OlFh5SLx zN$T!$q88bL&xq(CW`fzZ%ai!~n-BJ?uEG#34pU zy05cNyEz?x#-qJ26Pz&>R5?yW-zU@ZORYOvy3aQ59ZTpuCm-_90HPIsC=ec~S%&eS zn*)8CdByhFlB~X);4>^rI^2R&*#0M?7kGJcj@j<%V~9hf|8lz@B6{DAUcE6Z8>nzK}K475d*x;vO8&yOUEu=`7P^ zTlgkx6@0k*Sb;E1X_y63Q_@P zsfj{sHK3ud!|f%7`WmPaPp&20O1uS4SCB!Rw$cz+BbI?;atpjw+cnJ4k(~bibS&;#t(cbr()B-A%%i^?Amm3FLM! zi55H8<%$DE)O~{)^S*+as+hvuz@sYkJ`!qijC{PFDVJ9oO}aGGwD`VivVhh@8A$B6 zj8Wn7lsxY2aql|nDZ{7N2 zWlnMWqN%Y+CqOX+-qk1%T#L9!B8+ diff --git a/secrets/hel1-a/turn/static_auth_secret.age b/secrets/hel1-a/turn/static_auth_secret.age new file mode 100644 index 0000000..8128652 --- /dev/null +++ b/secrets/hel1-a/turn/static_auth_secret.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 vDjOfg DGNmUpEoo4KB2XQG7bOC9m81RHSK19Rg/UKzXVV4oRI +WWrASGb+TwRmVW57v/CjhHvkwbJ8N6JFKuzEgSnujzk +-> X25519 m9VcMyeq72eZJWl9DU6W5Tg/fPthO6mjyevoAgtG4CU +x7rBS+gYeM0vZ/ZBV9O9wpoW3x+RX9D4xkfCJ4ddBfg +-> piv-p256 +y2G/w A+q8rvVRfAP/PjfCtRFhvX7FmtYMeIjucSbQKU0o9Shx +k9uFNzhWZQfaMKUx6nXiKXf9fVFrE4y6ybmnXpeiblk +-> 3">;=-grease +wEXSvaFLu5VvuoelMWG1GMyGnHIEkBo +--- pTNrYbbGlOhK7RhK1VkzaNoCcEMa/e5pYwxSf5/sIj8 +W-PH'[@-xW +`p t4< \ No newline at end of file diff --git a/secrets/motiejus_bk1.pub.txt b/secrets/motiejus_bk1.pub.txt new file mode 100755 index 0000000..cc060a0 --- /dev/null +++ b/secrets/motiejus_bk1.pub.txt @@ -0,0 +1,2 @@ +# created: 2023-04-08T13:24:01Z +# public key: age1kyehn8yr9tfu3w0z4d9p9qrj0tjjh92ljxmz2nyr6xnm7y8kpv5spwwc9n 
diff --git a/secrets/motiejus_passwd_hash.age b/secrets/motiejus_passwd_hash.age new file mode 100644 index 0000000000000000000000000000000000000000..8b8a476441cff1caece2dc8bab4e6f31f9f994a5 GIT binary patch literal 566 zcmXBNO>5I&003YMUJQaD9@K;8FjN*|+qX@cASz9oG-;dkBWZ2o2F5H+yS7Q2q=_kl z%0LnHB!Zr0h#<%Y8+h?J59(mxPQ!_~sUYYI^Dq$9;vaY(%`{NM(w(s9wQTFG?U+$N z4xtxd*KMN448X8B3HzDZV#9>3M!-2`gW&338~5Xtsz(qUiyKAT?NG&VCf8-teqIq- zNr3{smN%GGJ_wcSKpBSmOo_9!8m*W3u*#+a9&yMX-zye%d%V^EM}q>6nB)*h@yY;^ z719&Dzz>sGX{Fl;FZn9LFkzkOWQLg-B*&w4NuUU+!1gJOu7UEfnjA20R3Q0UCTM`D zAvH0f-*ou#&};c<4`4WqgdiIY;I!ueO^MSg)0Ma+N#^|8tc&Z41`MWi4RG~gU=`GI znQ&4`NVGt*5~eW5{O8$06X10@=I291r(0eHV@s0U%mGRBY-W5-Q!&(Z49zv*1T3m< zhcyrnPMjtYN`%;Qno7`Y8$wYOrp0QW!a&w6GXODD!hJl~r;DS5y7hWY|N qwL8Li*V+1Hz2BU7*Ot$}`?J3tJ#Z_Gl+HXn@#Of{%4n{$y80J ssh-ed25519 vDjOfg khtSufKQJkOUzpMxwhDgxqumAGCeFc/n1X3onrS6Gzw +qGIW0wJmOxMqLNzKzm7jOxBXwInU52l63Rsk2q48srw +-> X25519 bsbdwq/bgJJZITDid5cEvLTs6qRBpMhYGREnecMbuTw +YsIPaszuaxNx3hDFkvTR9sNhMBnVrWiaQkig9F/3lS4 +-> piv-p256 +y2G/w AuO3mkk1M4svQFyyOVt5JyDJHUKtBmUJVaWQ/fENJ6jA +0A2qkDLeKMS0zCTHRkqrGmDj3GkBeWfeFNd8FZpzviw +-> 3ZriuP-grease nfB3p3"V m +9pCGB1gfXUQwKgGkvSSeai6scEUhso9ibWwALW5b2erPGzB5hmZaHyhFE3tEn68 +--- NqN1QH25TJMyVgJn/6iLUrfEMBL3iJzJIemJpH2hOfE +NAFL8Ÿ}ON_2NIj$>5F +f4#o|p h{;5@P&EsZGRKC~??:Qd(IS}j@BOKy1AؖAɓXYGRNE \ No newline at end of file 
diff --git a/secrets/sendgrid.gpg b/secrets/sendgrid.gpg deleted file mode 100644 index 6c45657a7b63da569d5e8fc0dbf616e20407e15d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 694 zcmV;n0!jUa0t^EH00000000015CE2kxN{HtjT$gd4)orR=bSQB&?Bp>qh~T4wJHl-6-|t z(BU?5q9ih#DS8k)!^4H=-G+#USF&0g9l-gL4AT^5)@TxdWJ-b!X|78bG-$YJIr?T< zXEcp?>BWuOdr8X0#2+?xSPu5nov**VF*as&zXQKsYWOB($8dlqLA@YKpcc8t4Id%( zf|?TEx?(?o8(Fq+GC%8ks0U-L^zX}&2}U`V9lkI7TCj$ZFQ00*ae9-~=HYU+M<-mFC% zCOMfOeHX(3!Lk$=Dr@7tcEJ5aV@wn2Brru!;+I3li20qX^&c?bAK>L0pEr-1(I#w^ zOvbnG&W$NOJM&Pw!|VZquTVY3FJH@Rj`I)!i9C@>uFuUfy&Sz_gPA_xICy7w2)1C9 zQ=q>NFITZaSG*nkTOOAO;3Xt~_dgm#9SICFv5px2FE^{R77r?O>J>RseOO{p-Z{pL z{KWM+e)I258ur^@+ROcx`VzmslQu4}UU-nBE1ep^{w8`8S?&q6abn$FSw>g~E-2CF zR_xTbCYsFaVv=0iCIQl=0R|IWS|GIdluLiu|DR~JlDa4CnO(3I`BV^NK4vHRxApMF zvRO0YS!-SdWLBPSINRnXZ>z@bzP_~yx-i9kmI|sp;6=``{pwJG5?P-}>aPu{y~_Cb zhP(Y@GimZwyq;W+G9EiVCyrul*91!SU>en>07#DXj_%}qitwX>)YHIH(Y*%%&`S0_ cPZRj2d<)(}Q93y0hMMVo%^C^&un