diff --git a/capytal/network.nix b/capytal/network.nix
index 39d7fd0..1105798 100644
--- a/capytal/network.nix
+++ b/capytal/network.nix
@@ -30,7 +30,7 @@ }; }; - virtualisation.oci-containers.containers.cloudflare-funnel = let + virtualisation.oci-containers.containers.cloudflare-tunnel = let secrets = config.spacestation-secrets.lesser; in { image = "cloudflare/cloudflared:latest";
@@ -42,10 +42,11 @@ "tunnel" "--no-autoupdate" "run" - "--token" - secrets.capytal.cloudflare-funnel + # secrets.capytal.cloudflare-funnel + ]; + environmentFiles = [ + config.sops.secrets."cloudflared/tunnel-env".path ]; - environment = {}; }; networking.firewall.allowedTCPPorts = [
diff --git a/capytal/websites.nix b/capytal/websites.nix
index a7fb436..a8e9f80 100644
--- a/capytal/websites.nix
+++ b/capytal/websites.nix
@@ -21,7 +21,7 @@ services.keikos.web = { enable = true; port = 7030; - envFile = config.sops.secrets."keiko/envFile".path; + envFile = config.sops.secrets."keiko/env-file".path; }; services.caddy.virtualHosts.":${toString (config.services.keikos.web.port + 1)}" = { extraConfig = ''
diff --git a/secrets.nix b/secrets.nix
index b355d06..6fc6aca 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -34,7 +34,7 @@ in { owner = config.users.users."guz".name; }; - sops.secrets."keiko/envFile" = { + sops.secrets."keiko/env-file" = { owner = config.services.keikos.web.user; };
@@ -51,11 +51,7 @@ in { owner = config.services.forgejo.user; }; - sops.secrets."discord/muse-bot/environment" = {}; - - sops.secrets."caddy/capytal/env" = mkIf config.services.caddy.enable { - owner = config.services.caddy.user; - }; + sops.secrets."cloudflared/tunnel-env" = {}; sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt"; };
diff --git a/secrets/spacestation.yaml b/secrets/spacestation.yaml
index f9e629b..53d5bd0 100644
--- a/secrets/spacestation.yaml
+++ b/secrets/spacestation.yaml
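Review bot: The commented-out `# secrets.capytal.cloudflare-funnel` left in the `cmd` list of `capytal/network.nix` is dead text that still points at the old secret source; remove it, and with it the `let secrets = config.spacestation-secrets.lesser; in` binding from the previous hunk if lines 37–41 (not shown) no longer use it. Because the old token was passed as a `--token` argument, it was presumably rendered into the generated container unit in the world-readable Nix store and visible in the process arguments, so the value now stored under `cloudflared/tunnel-env` should be a rotated token rather than the same one; the ciphertext cannot confirm that. I would also add a comment above `environmentFiles`, e.g. `# must define TUNNEL_TOKEN; kept out of cmd so the token never lands in the Nix store`. The container attribute set starts before this hunk.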
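Review bot: `sops.secrets."cloudflared/tunnel-env" = {};` in the second hunk of `secrets.nix` declares no `restartUnits`, so a later token rotation is re-decrypted on activation while the running container keeps the old environment until it is restarted by hand. Consider `sops.secrets."cloudflared/tunnel-env".restartUnits = [ "<backend>-cloudflare-tunnel.service" ];`, where `<backend>` is a placeholder for the container backend prefix this host uses, which is not visible here. The default root ownership looks appropriate, since the env file is presumably read by the container runtime rather than by the process inside the container. The same hunk drops `discord/muse-bot/environment` and `caddy/capytal/env`; any remaining `config.sops.secrets` reference to either would fail evaluation, which this diff cannot show.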
@@ -1,7 +1,9 @@ +cloudflared: + tunnel-env: ENC[AES256_GCM,data:jYtDMez3w5BzSH3/xwqEsAtPo6EMxx6dBcd3bnfdCOm/eZzampXPyUfPsqkO4mtL2dGmjT7W+3prGxrEQtC/Eu9R7ojCflbJBFyH8+BDusomQdqjr5d0Utur/oK7ElKgpl0OF17n8sOngxEXZBtWHTbKoL+v50QzHEO07hPHjhrF5n/P+0I78rXPn9OEvJ1B5u0dg3XxXg3l4rtmkYdSwu+2+cUh6pe0AWNTigkkwy70hwKKaz+5Lb5mAp1mpl4r7xaCUqvP,iv:PVmrMzTq2upZXgu5fHPQMis0cXNipMbXahevF1/zJSU=,tag:F75o8plR7XMAv1ngL65ntQ==,type:str] guz: password: ENC[AES256_GCM,data:zlO5xSFho7TXjFv62lgFir9SAgn+UE6XjdNEvIAgmQG9oDkthfgxO84wYdI0mQDwRIIs2PmSdBRfo0DPc3hji+ySCrItolPL8g==,iv:MZfhTxwfcbmXh5C6DkQhnY9NQGdE8zEwwvFOHQiUgKY=,tag:JjJN2bYcSXNN3ueGj5RNLg==,type:str] keiko: - envFile: ENC[AES256_GCM,data:CNDVam0LFlk/Fdtd/xB1m6krZbC1Tm3bYqn1Iyl59oDdigd8xNnougzzzFYVpn12mUg/obBcWcjkX0Ft1JYV2YDpHseVIm4z9jb0ISIeD7IsAZcWx0CImq4DjHqhmrBff5boruTHSC2uJFf9AIv4/SGnpd1QZLPWfZslxcA5Ky4h0aPsSsBKv+KTgQtANq3diRgGJw1IoMZurzzC,iv:mZN0RkkZoOQ46yZ95BBq8pTnQbxew9JjmLBMPb96dzY=,tag:HV1Bz/vZF0NUmnYdtnGQMQ==,type:str] + env-file: ENC[AES256_GCM,data:up0VMFlG92ZAmnDk1b3DNrGJ9zUoyu3pi5poP1cgaYMAaVotRtrQkDAWLPdMKrRaXZlMFhmR0Vmy4n5wauZwiUN6nhMQOEkLZ5QOa8wiyA93JTmu0982bvMeZ+dk1HTy7nU1UI1OaejjEoGFlFV5g06qGfXnC1CFHyqwM1WeTgI6Syv431q0wutz2J6lcDvyxOU8zem3zSOpf5fg,iv:hxixIs/OoUS8Cntr7yJXZxeo5PpyPGfQLfDROQ07mr4=,tag:YUgrrP/C0ZY/SIs/wszW/w==,type:str] network: ip: ENC[AES256_GCM,data:AkbNOQLXRKLYjU2ywg==,iv:xqdTPCUYiT/cPe2zAbBJ7fUiEMViW9LZND4j0DdydLY=,tag:tq6nA5fGH4/mAvF6InUFgQ==,type:str] localIp: ENC[AES256_GCM,data:PK8THL9NW//2sal1,iv:9h3f255rIgedYToVaUGuQ9RzD33V8sczRWsZe+rTyC0=,tag:OoJbes6k0FqxXzGQ8ZG0aA==,type:str] 
@@ -11,12 +13,6 @@ forgejo: name: ENC[AES256_GCM,data:UL3g,iv:+ftGx57fhzN06DuLItxZTc7lXX2g4MhqrEqnDjk4Aug=,tag:ZNpwWuPYhBzDjRQBKikCDA==,type:str] password: ENC[AES256_GCM,data:9nMuj2/VIB7Pbw==,iv:+96/NZ+gmRkpXr05nFuUfRl2rGqElUA/LuMBYBQHCHQ=,tag:hMEO40iGeyWsMd8VPOV4Yg==,type:str] email: ENC[AES256_GCM,data:e6GOwBzRBxa00CHYHgV8,iv:oerF3kJWzjzOatND8Tngp3MADw2kaBKyigeFxtH/ypQ=,tag:1q093JG9hRDxs6OzOIU3vw==,type:str] -discord: - muse-bot: - environment: ENC[AES256_GCM,data:014h9/uoqKr6LDd4eDK/Ji91i8MR42q+p3sS4U2fx3VgjX34Xlx1KHxdXaX6BF4QBO9saQNfW2QjN/qE6qILDEGd9uZA4DiRnjoJCOYAETWyiMiK9Se6kE4QbN33IwpIphcxpRm+HP0x5R08WIbWJ+CHSoSpgEcez8iuwqTdK1sC7jrILmqQLMGPmF+yYZcxbaPfNRj0mu0jPpRt6fnhDuHvJ00wXHDC1n5bgsxi7oUdsGYJegLhFcRqAsdgq5qB/vO+d5GVJ9IkF0CsYiSUQVvUVdbOHvcA657jLjB8Fz+KIqW/AM2mMcgRdpRReOLYEsVAaS6gRdZr,iv:hdhTSfBZHgabivcAQTtL8Nfy+Pog+OD5SOJTtL8sJJA=,tag:JxUgFpiHG+55OWOb5TCnKw==,type:str] -caddy: - capytal: - env: ENC[AES256_GCM,data:7t9Vv+S9LFzNIR/STpXzVeH9MCnog9Yb27gvrV3HGCWwN0139qvX36ja95iwLPpRK9SLFYTA+ToiMLiU4HK+imBC/4ZXbxKIPFGCoEx44fwxFrri/2s74BHLzGvo8kJujZ2GX+3TGSYxzqMB7VSIeBgefl9qu3Byn/hMJ4bTsBLjIrSAtlnhGbbGsU5xbU+sjPeqFHLmQm0vPYovW437j3/Ok+NxvxquKr+iPiCOuysldzaccOmuflrG8NhKZSAcAzJCiMVMyj7ERtUL6M4s+vdImVW1cDqavvXmt97v+pZPzGjrEeIzn8k9YUppvWYgN0tlL76mm4C9CbS6dMpaOXW6+s1ylPzdykhZ9Gq+Ye33qSs4Sw7taCplZr9T6c/UmBZ5ouABLHxiOuWPjUjyABhLvkMd2SLCsANOJOzgHWNpFERX5PFqeUWlSSVWoprWclUgBQ==,iv:pgEzAQHH/Vm66W+/QYulQc37/m3XJwY7krEBwgK0cTY=,tag:8BHfKFElXTFLRK6SINuRxw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -32,8 +28,8 @@ sops: amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO 4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-30T20:59:44Z" - mac: ENC[AES256_GCM,data:n+NFOq2K+8mhKlWw3jnTcY0L37YhxEKfbovHYOqhvMsss9DI5UxnCGOkkFpCcTzoYGur17SYa9m52twy2bLOhUXw3YwPK+NeA3fIzp6QYHsxjdR88KmIVsQT0JbPdztOK7WVplNXqIZP3jZ62R06Uug66ZQLtKwWoPeFS+lVxZA=,iv:njOfRED0pyKkqd4biwPVmhyprgBL05biDfE1GkJ6wyM=,tag:drHZYAmrzQl7p/kH3h1zNA==,type:str] + lastmodified: "2025-04-04T23:36:47Z" + mac: ENC[AES256_GCM,data:CkcI8nfzNw9aBPDxyWdVAVXTjy5vIrRwgVfTtRGwPL2BlX8K6kOehSfCOgSv0LMGgKfhUeB//0AxFnuwUFU2r91jLFeFefNkXUung2VwlxBCE9WG6O2h3IHjysdlVcOs9+ljvTvelADqYYGTgIUAjPnbzT2EyA9C+qGC9+IqbXo=,iv:dpcd0BJbpYS6MjjFv1XUKfvo4vUYZTuNqaHaMYft23U=,tag:9XHQX2mt6rN1JSiy+7IfKQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4