nixos/frp: don't expose secrets

Guanran Wang 2024-06-20 16:35:49 +08:00
parent 1e51748533
commit 41cc9217c8
4 changed files with 24 additions and 7 deletions


@ -43,6 +43,9 @@
"mastodon/environment" = {
restartUnits = ["mastodon-web.service"];
};
"frp/environment" = {
restartUnits = ["frp.service"];
};
};
};
@ -61,7 +64,7 @@
serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
serverPort = 7000;
auth.method = "token";
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret!
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
proxies = [
{
name = "synapse";
@ -118,7 +121,10 @@
};
};
systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon" "matrix-synapse"];
systemd.services.frp.serviceConfig = {
EnvironmentFile = [config.sops.secrets."frp/environment".path];
SupplementaryGroups = ["mastodon" "matrix-synapse"];
};
services.postgresql = {
enable = true;
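Review bot: Removing the literal from `auth.token` (second hunk) does not revoke it: the full 64-character token sits on the removed line of this very commit and remains readable in git history, so it needs to be rotated rather than only moved into sops. The `frp/environment` ciphertext added in the sops file is the same size one would expect for `FRP_AUTH_TOKEN=` plus the original token, which hints that it may not have been rotated — please confirm and regenerate both hosts' secrets with a fresh value. The `EnvironmentFile` wiring in the third hunk is otherwise sound, since systemd reads that file as the manager before the service drops privileges, so the sops default root-owned 0400 file works without adding the frp user to a group. A one-line comment above `EnvironmentFile` would help the next reader, e.g. `# FRP_AUTH_TOKEN is provided by sops; frp expands {{ .Envs.* }} when loading its config`. The enclosing `services.frp` and `systemd.services.frp` attribute sets start outside the hunks shown.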


@ -5,6 +5,8 @@ syncv3:
environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
mastodon:
environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str]
frp:
environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str]
sops:
kms: []
gcp_kms: []
@ -29,8 +31,8 @@ sops:
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-21T10:09:01Z"
mac: ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str]
lastmodified: "2024-06-20T08:12:17Z"
mac: ENC[AES256_GCM,data:kkQnNrldWFWCORK4eeVDg4fUQ/FNUPjxHpZb9i+okxlTHpYOPLHf1oDWpOTvUyIE7gHPkU0Knb7bD5OL3g/40O2/MjXzNTNWBws94NNRrY2Z6V6ixSI58tNT2NRSFqQFcDHx8Cvte+7rJoElN15Ejh3a4Pmm+ID70iSQu7mdFAI=,iv:jCTsHhY2HQjE3GvG0S/twSojuyX9e4LfhHTxRY3k8Tg=,tag:x2PkHgYi0XheTqC95BTGHA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -39,6 +39,9 @@
"searx/environment" = {
restartUnits = ["searx.service"];
};
"frp/environment" = {
restartUnits = ["frp.service"];
};
};
templates = {
@ -121,10 +124,14 @@
settings = {
bindPort = 7000;
auth.method = "token";
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE";
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
};
};
systemd.services.frp.serviceConfig = {
EnvironmentFile = [config.sops.secrets."frp/environment".path];
};
# `journalctl -u murmur.service | grep Password`
services.murmur = {
enable = true;
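Review bot: The server-side `auth.token` change (second hunk) carries the same exposure as the client: the removed line holds the old token in plaintext, and because this host's `bindPort = 7000` is the public frps endpoint, anyone who has seen the repository history can keep registering proxies through it until that token is rotated. Rotation has to land a new value in both hosts' sops files in the same deploy, or the client will fail token auth against the server; the two `frp/environment` entries in this commit are encrypted independently, so nothing enforces that they match. Consider documenting that coupling next to `EnvironmentFile`, e.g. `# must match FRP_AUTH_TOKEN in the client host's secrets.yaml`. The enclosing `services.frp` block starts outside the hunk.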


@ -4,6 +4,8 @@ searx:
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
pixivfe:
environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
frp:
environment: ENC[AES256_GCM,data:6XWjUPuJt6fPiIO7mrMjIoR0VHsiy77GqJu/CXVqMEi+EEmXgUN2l6m5vTkttmZICXb5M9ANpdTYOB3nEwCYBJvmFe8kFIZ77rYRVt3C4l0=,iv:5UHJQTanNvk5BsZzH0JeGKP8sDFjTIuc7sGRcReF1+4=,tag:sBYa9RFaMGrh6HZudqZVVA==,type:str]
sops:
kms: []
gcp_kms: []
@ -28,8 +30,8 @@ sops:
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-15T07:19:59Z"
mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str]
lastmodified: "2024-06-20T08:14:22Z"
mac: ENC[AES256_GCM,data:hqCsHztVoTvRoJ+HyODPrYJKwCWusLzap0tVRxnQlAaqIp1ln9AyxLRuQetDkF5nN97S0BW1z1Uf910wlAe5VxsENrIDMYeUq1PnbQ2ijLttGOnLJVS0aJgcFqNOir2tbflH3fbzDCiSmrT+xQ8ytgX+MEtXpxH7OlVFohjXBCo=,iv:ztALlEtd9cGBY0Sx9yzSngNMaHX3kgkRMTruXDXXVHQ=,tag:hztHafyj4nu3npWyBPhxGw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1