Add new secrets to config

Update diphda and add port to firewall
More acme setup
2024-08-13 14:33:41 -05:00 · 2024-08-13 14:33:41 -05:00 · 2024-08-13 14:33:41 -05:00 · 2024-08-13 14:33:41 -05:00 · 2024-08-13 14:33:41 -05:00 · 2024-08-13 14:33:41 -05:00
3 changed files with 44 additions and 28 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1722555600,
-        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "lastModified": 1719994518,
+        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
        "type": "github"
      },
      "original": {
@@ -64,11 +64,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723015306,
-        "narHash": "sha256-jQnFEtH20/OsDPpx71ntZzGdRlpXhUENSQCGTjn//NA=",
+        "lastModified": 1722462338,
+        "narHash": "sha256-ss0G8t8RJVDewA3MyqgAlV951cWRK6EtVhVKEZ7J5LU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "b3d5ea65d88d67d4ec578ed11d4d2d51e3de525e",
+        "rev": "6e090576c4824b16e8759ebca3958c5b09659ee8",
        "type": "github"
      },
      "original": {
@@ -83,11 +83,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1723297330,
-        "narHash": "sha256-IcoAEj83iXvYfCDJ8o2D59o653Et/9z8/BxzmVEJZqI=",
+        "lastModified": 1722588653,
+        "narHash": "sha256-ecdFExRGQchpYG2T4A53GCcCJ+2xIEklcYGIBhpuI+s=",
        "owner": "ggerganov",
        "repo": "llama.cpp",
-        "rev": "6e02327e8b7837358e0406bf90a4632e18e27846",
+        "rev": "e09a800f9a9b19c73aa78e03b4c4be8ed988f3e6",
        "type": "github"
      },
      "original": {
@@ -98,11 +98,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1722421184,
-        "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=",
+        "lastModified": 1722062969,
+        "narHash": "sha256-QOS0ykELUmPbrrUGmegAUlpmUFznDQeR4q7rFhl8eQg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58",
+        "rev": "b73c2221a46c13557b1b3be9c2070cc42cf01eb3",
        "type": "github"
      },
      "original": {
@@ -114,23 +114,23 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1722555339,
-        "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
+        "lastModified": 1719876945,
+        "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1722987190,
-        "narHash": "sha256-68hmex5efCiM2aZlAAEcQgmFI4ZwWt8a80vOeB/5w3A=",
+        "lastModified": 1722372011,
+        "narHash": "sha256-B2xRiC3NEJy/82ugtareBkRqEkPGpMyjaLxaR8LBxNs=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "21cc704b5e918c5fbf4f9fff22b4ac2681706d90",
+        "rev": "cf05eeada35e122770c5c14add958790fcfcbef5",
        "type": "github"
      },
      "original": {
@@ -158,11 +158,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1723175592,
-        "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
+        "lastModified": 1722421184,
+        "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
+        "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58",
        "type": "github"
      },
      "original": {
@@ -205,11 +205,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1722897572,
-        "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
+        "lastModified": 1722114803,
+        "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
+        "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -166,7 +166,7 @@

                        networking = {
                            firewall = {
-                                allowedTCPPorts = [ 80 443 4533 7878 8096 8089 8902 8989 9000 9696 11112 24454 25565 25600 ];
+                                allowedTCPPorts = [ 80 443 4533 6722 7878 8080 8081 8083 8089 8096 8181 8787 8902 8989 9000 9696 11112 24454 25565 25600 ];
                            };
                        };
                    };
--- a/hosts/diphda/system.nix
+++ b/hosts/diphda/system.nix
@@ -21,6 +21,12 @@
        age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

        secrets."mc-arcadia/repo_password" = {};
+        secrets."tandoor/secret_key" = {};
+        secrets."tandoor/db_password" = {};
+        secrets."porkbun.keytab" = {
+            format = "binary";
+            sopsFile = ../../secrets/diphda/porkbun.keytab;
+        };
    };

    systemd.timers."mc-arcadia-backup" = {
@@ -59,17 +65,27 @@
        serviceConfig = {
            Type = "simple";
            User = "eesim";
+            Group = "acme";
            WorkingDirectory = "/home/eesim/scripts";
            ExecStart = ''
                /home/eesim/scripts/dl_manager_tokio -vv \
-                    -c /home/eesim/scripts/certs/fullchain.cer \
-                    -k /home/eesim/scripts/certs/download.simmer505.com.key \
+                    -c /var/lib/acme/download.simmer505.com/cert.pem \
+                    -k /var/lib/acme/download.simmer505.com/key.pem \
                    --script-dir /home/eesim/scripts/ \
                    0.0.0.0:11112
            '';
        };
    };

+    security.acme = {
+        acceptTerms = true;
+        defaults.email = "eesimmons9105@gmail.com";
+        certs."download.simmer505.com" = {
+            dnsProvider = "porkbun";
+            environmentFile = "${config.sops.secrets."porkbun.keytab".path}";
+        };
+    };
+
    # Use the systemd-boot EFI boot loader.
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
Author	SHA1	Message	Date
Ethan Simmons	5128e70e35	Add new secrets to config	2024-08-13 14:33:41 -05:00
Ethan Simmons	cde0f30b68	Update diphda and add port to firewall	2024-08-13 14:33:41 -05:00
Ethan Simmons	bbf3f37bac	More acme setup	2024-08-13 14:33:41 -05:00
Ethan Simmons	3f739e3b32	Finish acme setup	2024-08-13 14:33:41 -05:00
Ethan Simmons	339d4af34c	Update diphda	2024-08-13 14:33:41 -05:00
Ethan Simmons	254b591a80	Update diphda	2024-08-13 14:33:41 -05:00
Ethan Simmons	a07fb93bfe	Update diphda	2024-08-13 14:33:41 -05:00