nixos/frp: don't expose secrets
This commit is contained in:
parent
1e51748533
commit
41cc9217c8
4 changed files with 24 additions and 7 deletions
|
@ -43,6 +43,9 @@
|
|||
"mastodon/environment" = {
|
||||
restartUnits = ["mastodon-web.service"];
|
||||
};
|
||||
"frp/environment" = {
|
||||
restartUnits = ["frp.service"];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -61,7 +64,7 @@
|
|||
serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
|
||||
serverPort = 7000;
|
||||
auth.method = "token";
|
||||
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret!
|
||||
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
|
||||
proxies = [
|
||||
{
|
||||
name = "synapse";
|
||||
|
@ -118,7 +121,10 @@
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon" "matrix-synapse"];
|
||||
systemd.services.frp.serviceConfig = {
|
||||
EnvironmentFile = [config.sops.secrets."frp/environment".path];
|
||||
SupplementaryGroups = ["mastodon" "matrix-synapse"];
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
|
|
|
@ -5,6 +5,8 @@ syncv3:
|
|||
environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
|
||||
mastodon:
|
||||
environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str]
|
||||
frp:
|
||||
environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -29,8 +31,8 @@ sops:
|
|||
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
|
||||
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-21T10:09:01Z"
|
||||
mac: ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str]
|
||||
lastmodified: "2024-06-20T08:12:17Z"
|
||||
mac: ENC[AES256_GCM,data:kkQnNrldWFWCORK4eeVDg4fUQ/FNUPjxHpZb9i+okxlTHpYOPLHf1oDWpOTvUyIE7gHPkU0Knb7bD5OL3g/40O2/MjXzNTNWBws94NNRrY2Z6V6ixSI58tNT2NRSFqQFcDHx8Cvte+7rJoElN15Ejh3a4Pmm+ID70iSQu7mdFAI=,iv:jCTsHhY2HQjE3GvG0S/twSojuyX9e4LfhHTxRY3k8Tg=,tag:x2PkHgYi0XheTqC95BTGHA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
|
@ -39,6 +39,9 @@
|
|||
"searx/environment" = {
|
||||
restartUnits = ["searx.service"];
|
||||
};
|
||||
"frp/environment" = {
|
||||
restartUnits = ["frp.service"];
|
||||
};
|
||||
};
|
||||
|
||||
templates = {
|
||||
|
@ -121,10 +124,14 @@
|
|||
settings = {
|
||||
bindPort = 7000;
|
||||
auth.method = "token";
|
||||
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE";
|
||||
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.frp.serviceConfig = {
|
||||
EnvironmentFile = [config.sops.secrets."frp/environment".path];
|
||||
};
|
||||
|
||||
# `journalctl -u murmur.service | grep Password`
|
||||
services.murmur = {
|
||||
enable = true;
|
||||
|
|
|
@ -4,6 +4,8 @@ searx:
|
|||
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
||||
pixivfe:
|
||||
environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
|
||||
frp:
|
||||
environment: ENC[AES256_GCM,data:6XWjUPuJt6fPiIO7mrMjIoR0VHsiy77GqJu/CXVqMEi+EEmXgUN2l6m5vTkttmZICXb5M9ANpdTYOB3nEwCYBJvmFe8kFIZ77rYRVt3C4l0=,iv:5UHJQTanNvk5BsZzH0JeGKP8sDFjTIuc7sGRcReF1+4=,tag:sBYa9RFaMGrh6HZudqZVVA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -28,8 +30,8 @@ sops:
|
|||
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
|
||||
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-15T07:19:59Z"
|
||||
mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str]
|
||||
lastmodified: "2024-06-20T08:14:22Z"
|
||||
mac: ENC[AES256_GCM,data:hqCsHztVoTvRoJ+HyODPrYJKwCWusLzap0tVRxnQlAaqIp1ln9AyxLRuQetDkF5nN97S0BW1z1Uf910wlAe5VxsENrIDMYeUq1PnbQ2ijLttGOnLJVS0aJgcFqNOir2tbflH3fbzDCiSmrT+xQ8ytgX+MEtXpxH7OlVFohjXBCo=,iv:ztALlEtd9cGBY0Sx9yzSngNMaHX3kgkRMTruXDXXVHQ=,tag:hztHafyj4nu3npWyBPhxGw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
Loading…
Reference in a new issue