nixos/frp: don't expose secrets
This commit is contained in:
parent
ad037b6f6a
commit
301d91ec13
4 changed files with 24 additions and 7 deletions
|
@ -43,6 +43,9 @@
|
||||||
"mastodon/environment" = {
|
"mastodon/environment" = {
|
||||||
restartUnits = ["mastodon-web.service"];
|
restartUnits = ["mastodon-web.service"];
|
||||||
};
|
};
|
||||||
|
"frp/environment" = {
|
||||||
|
restartUnits = ["frp.service"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -61,7 +64,7 @@
|
||||||
serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
|
serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
|
||||||
serverPort = 7000;
|
serverPort = 7000;
|
||||||
auth.method = "token";
|
auth.method = "token";
|
||||||
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret!
|
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
|
||||||
proxies = [
|
proxies = [
|
||||||
{
|
{
|
||||||
name = "synapse";
|
name = "synapse";
|
||||||
|
@ -113,7 +116,10 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon" "matrix-synapse"];
|
systemd.services.frp.serviceConfig = {
|
||||||
|
EnvironmentFile = [config.sops.secrets."frp/environment".path];
|
||||||
|
SupplementaryGroups = ["mastodon" "matrix-synapse"];
|
||||||
|
};
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -5,6 +5,8 @@ syncv3:
|
||||||
environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
|
environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
|
||||||
mastodon:
|
mastodon:
|
||||||
environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str]
|
environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str]
|
||||||
|
frp:
|
||||||
|
environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -29,8 +31,8 @@ sops:
|
||||||
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
|
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
|
||||||
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
|
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-05-21T10:09:01Z"
|
lastmodified: "2024-06-20T08:12:17Z"
|
||||||
mac: ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str]
|
mac: ENC[AES256_GCM,data:kkQnNrldWFWCORK4eeVDg4fUQ/FNUPjxHpZb9i+okxlTHpYOPLHf1oDWpOTvUyIE7gHPkU0Knb7bD5OL3g/40O2/MjXzNTNWBws94NNRrY2Z6V6ixSI58tNT2NRSFqQFcDHx8Cvte+7rJoElN15Ejh3a4Pmm+ID70iSQu7mdFAI=,iv:jCTsHhY2HQjE3GvG0S/twSojuyX9e4LfhHTxRY3k8Tg=,tag:x2PkHgYi0XheTqC95BTGHA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
|
@ -39,6 +39,9 @@
|
||||||
"searx/environment" = {
|
"searx/environment" = {
|
||||||
restartUnits = ["searx.service"];
|
restartUnits = ["searx.service"];
|
||||||
};
|
};
|
||||||
|
"frp/environment" = {
|
||||||
|
restartUnits = ["frp.service"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
templates = {
|
templates = {
|
||||||
|
@ -121,10 +124,14 @@
|
||||||
settings = {
|
settings = {
|
||||||
bindPort = 7000;
|
bindPort = 7000;
|
||||||
auth.method = "token";
|
auth.method = "token";
|
||||||
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE";
|
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.frp.serviceConfig = {
|
||||||
|
EnvironmentFile = [config.sops.secrets."frp/environment".path];
|
||||||
|
};
|
||||||
|
|
||||||
# `journalctl -u murmur.service | grep Password`
|
# `journalctl -u murmur.service | grep Password`
|
||||||
services.murmur = {
|
services.murmur = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -4,6 +4,8 @@ searx:
|
||||||
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
||||||
pixivfe:
|
pixivfe:
|
||||||
environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
|
environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
|
||||||
|
frp:
|
||||||
|
environment: ENC[AES256_GCM,data:6XWjUPuJt6fPiIO7mrMjIoR0VHsiy77GqJu/CXVqMEi+EEmXgUN2l6m5vTkttmZICXb5M9ANpdTYOB3nEwCYBJvmFe8kFIZ77rYRVt3C4l0=,iv:5UHJQTanNvk5BsZzH0JeGKP8sDFjTIuc7sGRcReF1+4=,tag:sBYa9RFaMGrh6HZudqZVVA==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -28,8 +30,8 @@ sops:
|
||||||
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
|
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
|
||||||
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
|
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-05-15T07:19:59Z"
|
lastmodified: "2024-06-20T08:14:22Z"
|
||||||
mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str]
|
mac: ENC[AES256_GCM,data:hqCsHztVoTvRoJ+HyODPrYJKwCWusLzap0tVRxnQlAaqIp1ln9AyxLRuQetDkF5nN97S0BW1z1Uf910wlAe5VxsENrIDMYeUq1PnbQ2ijLttGOnLJVS0aJgcFqNOir2tbflH3fbzDCiSmrT+xQ8ytgX+MEtXpxH7OlVFohjXBCo=,iv:ztALlEtd9cGBY0Sx9yzSngNMaHX3kgkRMTruXDXXVHQ=,tag:hztHafyj4nu3npWyBPhxGw==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
Loading…
Reference in a new issue