diff --git a/.sops.yaml b/.sops.yaml index 4c17c75..dc2021d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,7 +1,7 @@ keys: - &tlater 535B61015823443941C744DD12264F6BBDFABA89 - &server_tlaternet 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b - - &server_staging 7762ec55a5727cabada621d961e53f94caa314e4 + - &server_staging 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc creation_rules: - path_regex: keys/production.yaml diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index 8c93f30..3d0a499 100644 --- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix @@ -16,6 +16,17 @@ networkConfig.DHCP = "yes"; }; + # Both so we have a predictable key for the staging env, as well as + # to have a static key for decrypting the sops secrets for the + # staging env. + services.openssh.hostKeys = lib.mkForce [ + { + type = "rsa"; + bits = 4096; + path = ../../keys/hosts/staging.key; + } + ]; + # # Set up VM settings to match real VPS # virtualisation.memorySize = 3941; # virtualisation.cores = 2; diff --git a/keys/hosts/staging.asc b/keys/hosts/staging.asc index fbabfe2..4b376fe 100644 --- a/keys/hosts/staging.asc +++ b/keys/hosts/staging.asc @@ -1,28 +1,28 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -xsFNBAAAAAABEAC32/CXnt4LDPdPZppQ0GcJAxVFHFu8SCl5WnU/PVPEnwgRkV8V -ZeyQN4qgT5LPWgPYyDyAqUHBUwRxvVcguw0fOlDBZ3nECKQxZ53OVlay7xfhgXO1 -luNu657u5VYtxfLqx7lVHfY/TWp5DBOOEpOtoKfz031Zbg11+kdxW5eEg2ypCTvn -+MVQgRH9AQI+0+jegQ9On3X9UaVdc8etuY/F8BAEwLCCbYpLUEUXwOo4YLB36Kg3 -P27q15Nl6g5P/oFEdS3fhHbh9636lJnxJcTTjAfJaDoQJ5rGDASiT8HJnkNWfrf/ -yzLMOiy6fRRIz8HTXKeZNeRvCPu1uHaWYi0RprWMu1HZ0cLzr5N2lHKcWgL8En5b -fPyqldFfJBlY36L59F7hTk10QBgqFhibcXB44iK96jnYw6LgSuFkbfrJr7fx67JN -lM2Xi4WXvzkp3gboDxd2Xy3ChQrQXmXcVAl8XNs78f5AQh5MJP6iC7ayiIsHq4aH -rGVLhbncfKpw4OL9jVNTyRinwpvl5qibLAJbDA7arn8XqT6FT0KjeLa91jTFLHGn -9IkJol+L0/zYrpyiid5ZKNJMousxJoXymzRkeYllr+nLjKNLv0L3MCnsiPEZ23iL -y2/UZ6Vcjrs50L46VuiewCEaVbBp1H9Ps5eUa2YoJ65sfe7wnscXI8oOpQARAQAB +xsFNBAAAAAABEADFaVmT5Xt4+nCM2hZ+Zq7Uybg26TISSrpU/3nZ+qxZSC65mqfB +qWNR1kCpJpDvhwUhaTC2x00L/ckRoPcF60AqYR632owQ0AgyuG+xR0HJR5rpWzRs +cMINk1NOLQ4Vw9IaRykfx5YtKL3mPo8iLNQom6SkFG1hPqwoAzzWNLBLKMfKrDtW +uBnsbGLrkAB/2eJBw9xDmpMpLV5f2lJDA89RQYV8YQhe4TBL9B0WSSc9CqX9TP6m +30zY6jCWvfYL+Hi+YiR2K+dp9qXB55ViYcw8hRG99n5fSyZSB0hyttnIV76G0I27 +McFueWu6LzZ/lMEJM8OeFVgyMJFMVXHCBxLYHLqlJvxk4tV43Jkl4IOn4gBgG2oS +7Sk1woz57UNug/AGcGAHL/YAbk+WcEut2RiwoTUEyQpRrP4QPnZivEkeTs0H4lf3 +3SHW6snMdcCDkjO6VCo9DTsSpX8eNLj9hW8UMuUMsU3jLtV4L2TMoDnqRHO7icbC +r+3CIi/yA5EWry/AReOPTFY+etX3XrVUUdA/SJL/OXLB8QD2jW0XbVeaHLgdhlt5 +UeDwSWDYHn4LXYr8SXa3YKC2OmIAU8yNInPCGizHPm8IZVG4zjzPNjM3BihxpZjj +IVajFe07INd8sM6RXE+YA0QTmEDoGW2QcltRyHdAPz5XVkRypbV5ONZLTQARAQAB zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQYeU/lMqjFOQCGw8CGQEAAEKvEABZo9JRHnwrKr7UGmynctmF -aR+1KApeWrqahhobgfvMjJLfnUV7UDSeiuf3juoZC+L1d8LqEp0czcqU1YuGtjTT -Yk/4WDwc7G9MjHDgVXPZlQ/qxSYBFwowbUkfhj49UA4Np2PW3yLtoZnBHLz6tmaD -mTtdNjzEw+L0GQ9Wi2pQYSUV4I9URF/NH7NGmurNl8Y5SHb3rqFQ4CPGXk5UQYL5 -s0ZdArwgWNH+ceC1Kq0baKu5WJINFfCIJbJajATBqgPy6FPEmhUdgt8awOp01oEc -zs2930sc6YY5GJVEGnxR/qBLTA5lANS1mpqHd9s4YF7jj8h/q8SV4iegTeKHrLox -v1bP+QzHquCn7BpO9V6GD/eaqBKfx6k6+HDb5YmKnBvBV/c3yJ6wiv1H32nauWs1 -CgiJNYV+A/+YnWf0uPRqelAzT06JUtnSBZ0ppKLR68X3IKisXVNzW/3pM/ZWWfFM -uKHCoppH2iuStn2wPkdjJD4UHduAFyF1oj1jFwP9r+EuhhPH1qr40405jRdOR98P -RuPhrSkLBdWiUlNintDOyFzNbKXMZlreZeATeT5y/H+IF3CDvgAhBo7KqhfBfgUK -6P/1xk8DozTmlsKY/cOsK0aL47CJcg8LU6tHrxa8uP6qV2HbUD31WbCRr1eL8k2G -xszxEVPuKG8ckw58WpT4vA== -=kJ/7 ------END PGP PUBLIC KEY BLOCK----- +AQgAFgUCAAAAAAkQ/eWH5nN9LbwCGw8CGQEAAM6kEACsZmMOZd5qMOOJReo/cu5p +8JcXZ1c3wAUGm/Nw7xN68AGxHHWqUJqs5hGqICqSxnjtDD95H5tb9ahrEIxszfVd +fj/CR1XRu4Scu7MZ45u4q/whLIwe1vqROmL1G0bR52WVvaHjcS+2h3NlxauO8bld +uCwwQrCEBv86XjCZNtcVWEjqBffIfJQYAywyprqL3LGB5ypuW1tb/fnTZSd/1k9D +3LZ26FRvPd8XsBAZ5zSilpTdE9yhDPQb49VLP4iVwPkIjbw0us1KxlGJapU1nYfx +pX23F1f3tRGah/QOuZYa9J2dnr8A9FJQ+x616nrxnJ4DIRsS/mG+ES1HiVKa9u+2 +ZHxXqRHY+eb2QYaWI25F4BYrADOMcDLHvNL4T8E21Nt7QJ0hUeTeMCROICoVOtF9 +JNaHwD7AhOIwZHA28WNcrDoOpYmXXeRd+Vohvx5LO0loq/3dQdr5KMH/VGVP0VzK +YgPjh+z7HT66oMUz1fOeWtIqzLj7Un6rfodfq50OouDwhkAGseupDHnY2MBrfi6v +fexpttnBuOx5NSeuYYxkWK8cUfAFVFO5bFCb3MW1e2waaiceS1vq3dXiZx3l23Pr +qOs7Ahdz5P4/GZGjIDKNrdLid5tfBI12hxFOSuXoF7G9Ak24a77A9qks40NL6TMi +hK7IB8p3wuRzngwa0WY3QQ== +=6Ym/ +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/keys/hosts/staging.key b/keys/hosts/staging.key new file mode 100644 index 0000000..1cec290 --- /dev/null +++ b/keys/hosts/staging.key @@ -0,0 +1,49 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn +NhAAAAAwEAAQAAAgEAxWlZk+V7ePpwjNoWfmau1Mm4NukyEkq6VP952fqsWUguuZqnwalj +UdZAqSaQ74cFIWkwtsdNC/3JEaD3BetAKmEet9qMENAIMrhvsUdByUea6Vs0bHDCDZNTTi +0OFcPSGkcpH8eWLSi95j6PIizUKJukpBRtYT6sKAM81jSwSyjHyqw7VrgZ7Gxi65AAf9ni +QcPcQ5qTKS1eX9pSQwPPUUGFfGEIXuEwS/QdFkknPQql/Uz+pt9M2Oowlr32C/h4vmIkdi +vnafalweeVYmHMPIURvfZ+X0smUgdIcrbZyFe+htCNuzHBbnlrui82f5TBCTPDnhVYMjCR +TFVxwgcS2By6pSb8ZOLVeNyZJeCDp+IAYBtqEu0pNcKM+e1DboPwBnBgBy/2AG5PlnBLrd +kYsKE1BMkKUaz+ED52YrxJHk7NB+JX990h1urJzHXAg5IzulQqPQ07EqV/HjS4/YVvFDLl +DLFN4y7VeC9kzKA56kRzu4nGwq/twiIv8gORFq8vwEXjj0xWPnrV9161VFHQP0iS/zlywf +EA9o1tF21Xmhy4HYZbeVHg8Elg2B5+C12K/El2t2CgtjpiAFPMjSJzwhosxz5vCGVRuM48 +zzYzNwYocaWY4yFWoxXtOyDXfLDOkVxPmANEE5hA6BltkHJbUch3QD8+V1ZEcqW1eTjWS0 +0AAAdAO1rPtDtaz7QAAAAHc3NoLXJzYQAAAgEAxWlZk+V7ePpwjNoWfmau1Mm4NukyEkq6 +VP952fqsWUguuZqnwaljUdZAqSaQ74cFIWkwtsdNC/3JEaD3BetAKmEet9qMENAIMrhvsU +dByUea6Vs0bHDCDZNTTi0OFcPSGkcpH8eWLSi95j6PIizUKJukpBRtYT6sKAM81jSwSyjH +yqw7VrgZ7Gxi65AAf9niQcPcQ5qTKS1eX9pSQwPPUUGFfGEIXuEwS/QdFkknPQql/Uz+pt +9M2Oowlr32C/h4vmIkdivnafalweeVYmHMPIURvfZ+X0smUgdIcrbZyFe+htCNuzHBbnlr +ui82f5TBCTPDnhVYMjCRTFVxwgcS2By6pSb8ZOLVeNyZJeCDp+IAYBtqEu0pNcKM+e1Dbo +PwBnBgBy/2AG5PlnBLrdkYsKE1BMkKUaz+ED52YrxJHk7NB+JX990h1urJzHXAg5IzulQq +PQ07EqV/HjS4/YVvFDLlDLFN4y7VeC9kzKA56kRzu4nGwq/twiIv8gORFq8vwEXjj0xWPn +rV9161VFHQP0iS/zlywfEA9o1tF21Xmhy4HYZbeVHg8Elg2B5+C12K/El2t2CgtjpiAFPM +jSJzwhosxz5vCGVRuM48zzYzNwYocaWY4yFWoxXtOyDXfLDOkVxPmANEE5hA6BltkHJbUc +h3QD8+V1ZEcqW1eTjWS00AAAADAQABAAACAFMv1CQK+U9e9UudYQotufGH+V0GQmfL3p4P +s+jDhZnv3WSwA44Lk4M6TjAZRMzysBpGqdTzwgdSD8cidcWkPvs8xsWBzjENgM7iwopJNT +Mcve4k1T/2+gbfdKTGPp+0T1ZscytlnuZzuyYJaaZkjph4EdZklzz5vHD2AE5hkIJzclF4 +515hIOdsOvj5ywQVLA87ehdwzR92c0TgCncb5WJfwmDJwM2+hewTt6ga9nJ2CMFnDw4Bne +/wK75x2PttXnAXijbTxGX2Hh5KOLxm6rn79yB9/P2p/MFnOUPBwp72Pp6vxnHCAzlK6Dbi +S0xSwk9e5Uk5xFsN9URd4xx4f5scwxyk8RQCh/sMqn3JIOwodNwVjv+AWc3YNFR+aP+qXR +wggXSypKDbVIAp2+cGKCobktNBiM/fEPMHe20Ssn+SBclUSeAYMpjRrn8Kxwb2oSMASrsV +1ykyY+/j+Xb3jC2V+/XTV+5WtKt4SW4RV45g/+C65H+zy+56BoyPqJKyI8d3FB0dp/ICwo +zfrmo/X00XF77d3ZThLoapSnOVeaNIiFtG5Ia635gNUyr/81xNhOeX5NMBUHSqdxrtZfC2 +PeuBcspWOg2tp/6UPjBppwrT3VnM/K27lqmDx9jPE4tMY4kl55KdSJ4uBr7H5Lu6w2zNnZ +zGYToWbhXNDHqm9PqPAAABAQCCBatZmvEyP+7+qBFkvU1t8nseupa/Lu6Va5qV9ZLvUI0Q +8nMYMZ/lMMB6TROyy9OJY59srkCjyF7COqNH6A/eo2XBCVdkAEBpUta8gzbLTtzRaDY+tH +64tzDJYTLPumfE1M2IfztVwVgJuwrz/t6eAtakXfjNRG8nKVlTI5UALRLIIqVK5ReDs5NU +7FbO5MwYtrsVHmpiXqNA8d1pZkjXNmU+I67DblPTCWraNnEC6mcIgau9n+mGuQjrHzpUqn +kbQF3GSJTwgJSlKhkNGLyH4qrFsK0yemCkxKtzi1fXy/iLKXUG2A1uovuugXwQZmV7nHRM ++oDKZz13CWk14kDtAAABAQD07kRtO22XTklTf3w/cC67aVj+Ltifl0bVwbsFgY9zu0F7yl +odYYfxV/rDn639V80JoAaTZ3lSuBvOwgtGWr298rwkkkV4CLKu7+bTLdS2L9YScKmKL8N+ +FGoYgVCTZZxaUe49eUdLaUcjxYTPC5FWGFCztLG7uAvydIbTFKG6++j4poow6q2AwejC8f +ZiO2r0srZM1ouYW5j+6YCbLCKKcgJdZvZFBhDXyHwQXF5rCtB8htg6BgsTu3Fx6oZR3PXc +RoO5A2CmoZ3bUSAzUOH4g80yB6Fq0dvpFr1CtzzNCda5TLNS6ediLqlP62NEez+wduv+Rs +Xd+EhFect0lmETAAABAQDOVU7PqTLZFTxUx++JVFmdrd5FqTHwOrnEYWo8Hzx8X4RomIBg +kY4oIGLXsBfZINyWKOKjQqhfh+nRgsCR7OQ9IjeWh/0eRma6b9kjBQT4UKYvylBjchoVci +6DrxXWhwbRTCV2Vxpn/+Bx2JexUJx5oQ8yZ7a/H/w9J5GjgT3OR6d/ogzHr3FqdeAnvUle +PBlaCZUQxuI2ADmdWpzxwmCalAxrLQiUCdRtY6X8TWYi35DWvGgVU1nz5VWYRvI1/+pQdt +Qe9lP4uFNOpc05G7xcloEe+wE4aIqL4fLGVOrOqtHOps1W62Owk8iU7OFXw6Aoc4yjNWcj +SEsRv2HtGI4fAAAACnRsYXRlckB5dWk= +-----END OPENSSH PRIVATE KEY----- diff --git a/keys/hosts/staging.key.pub b/keys/hosts/staging.key.pub new file mode 100644 index 0000000..7704002 --- /dev/null +++ b/keys/hosts/staging.key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFaVmT5Xt4+nCM2hZ+Zq7Uybg26TISSrpU/3nZ+qxZSC65mqfBqWNR1kCpJpDvhwUhaTC2x00L/ckRoPcF60AqYR632owQ0AgyuG+xR0HJR5rpWzRscMINk1NOLQ4Vw9IaRykfx5YtKL3mPo8iLNQom6SkFG1hPqwoAzzWNLBLKMfKrDtWuBnsbGLrkAB/2eJBw9xDmpMpLV5f2lJDA89RQYV8YQhe4TBL9B0WSSc9CqX9TP6m30zY6jCWvfYL+Hi+YiR2K+dp9qXB55ViYcw8hRG99n5fSyZSB0hyttnIV76G0I27McFueWu6LzZ/lMEJM8OeFVgyMJFMVXHCBxLYHLqlJvxk4tV43Jkl4IOn4gBgG2oS7Sk1woz57UNug/AGcGAHL/YAbk+WcEut2RiwoTUEyQpRrP4QPnZivEkeTs0H4lf33SHW6snMdcCDkjO6VCo9DTsSpX8eNLj9hW8UMuUMsU3jLtV4L2TMoDnqRHO7icbCr+3CIi/yA5EWry/AReOPTFY+etX3XrVUUdA/SJL/OXLB8QD2jW0XbVeaHLgdhlt5UeDwSWDYHn4LXYr8SXa3YKC2OmIAU8yNInPCGizHPm8IZVG4zjzPNjM3BihxpZjjIVajFe07INd8sM6RXE+YA0QTmEDoGW2QcltRyHdAPz5XVkRypbV5ONZLTQ== tlater@yui diff --git a/keys/staging.yaml b/keys/staging.yaml index 73f0f94..193cc27 100644 --- a/keys/staging.yaml +++ b/keys/staging.yaml @@ -1,5 +1,5 @@ -gitea: - metrics-token: ENC[AES256_GCM,data:J4QdfI1wKyM=,iv:8fqCbftyhj90eIVFxjEp9RXKC1y1IaLnV1r2MOdY15M=,tag:8W/juv1OZh4hJco02qXO6g==,type:str] +forgejo: + metrics-token: ENC[AES256_GCM,data:fy+RsphQT9E=,iv:/7dvDv/VLZHceTijRXJ69ELna5PbyVDmW1rVS7hquZI=,tag:dL2OBUshmoQafyExrjJwWA==,type:str] grafana: adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str] secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str] @@ -26,8 +26,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-10-07T02:17:50Z" - mac: ENC[AES256_GCM,data:vZDq33YIn0Nf1FQ2+ySezox6igiw6zNFCu3l3kaIsBKo1797pohmAxj2Lcc+OmlBjj98khaBIlbQuA5ULM+uPN5ILaz3NuXD5PZtsV+rL2PsLNMW9FBSmJ0m0YQrt0nZ0tpzifn12XghcSK2IXv+FnxlfrAJCxDvr5tRm90uUwU=,iv:ct8CzIWjaoJ1UjZcdFSr8lZ626vA0RvM883V6H5plWc=,tag:waJNtp/UbRDOfyzNElrung==,type:str] + lastmodified: "2023-12-28T00:07:15Z" + mac: ENC[AES256_GCM,data:WRwC7ETtL5yUIgmNk+ktxtHTnDcS7dx07KAfgn8w8V/OAaNDaaTeNU99V2Sgk5emhlSr5PyHaAARpJk8SBYhmJZo/iIcG65yhsnv9D7/JFzBMjuoin3qIeGCZ2Yzagpospd1e1YB/cDATfPug3+iMxLysQSKBd5zRgeYPACZwMU=,iv:iSj+J239khh5PS5ZK6vqgHpD/SSJ+DYMeledOEXhcB0=,tag:UkK3/aoTBquY1cGlxjSGOQ==,type:str] pgp: - created_at: "2022-10-12T16:48:23Z" enc: | @@ -65,4 +65,4 @@ sops: -----END PGP MESSAGE----- fp: 7762ec55a5727cabada621d961e53f94caa314e4 unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1