hosts/kazuki/zitadel: add master key

This commit is contained in:
Nikodem Rabuliński 2024-03-24 17:56:17 +01:00
parent d57ca9680d
commit db83366f1d
18 changed files with 105 additions and 61 deletions


@ -1,30 +1,64 @@
{ config, ... }: { config, inputs, ... }:
{ {
age.secrets.rabulinski-com-cf = { age.secrets.rabulinski-com-cf = {
file = ../../secrets/rabulinski-com-cf.age; file = ../../secrets/rabulinski-com-cf.age;
owner = config.services.nginx.user; owner = config.services.nginx.user;
}; };
settei.containers.zitadel.config = { settei.containers.zitadel.config =
{ config, ... }:
{
imports = [ inputs.agenix.nixosModules.age ];
age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
age.secrets.zitadel-master = {
file = ../../secrets/zitadel-master.age;
owner = config.services.zitadel.user;
};
services.zitadel = { services.zitadel = {
enable = true; enable = true;
masterKeyFile = config.age.secrets.zitadel-master.path;
settings = { settings = {
Port = 80; Port = 8080;
Database.postgres = { Database.postgres = {
Host = "localhost"; Host = "/var/run/postgresql/";
Port = 5432; Port = 5432;
Database = "zitadel"; Database = "zitadel";
User = { User = {
Username = "zitadel"; Username = "zitadel";
SSL.Mode = "disable"; SSL.Mode = "disable";
}; };
Admin = {
Username = "zitadel";
SSL.Mode = "disable";
ExistingDatabase = "zitadel";
}; };
ExternalDomain = "zitadel.rabulinski.com"; };
ExternalDomain = "zi.rabulinski.com";
ExternalPort = 443; ExternalPort = 443;
ExternalSecure = true; ExternalSecure = true;
}; };
steps.FirstInstance = {
InstanceName = "zi";
Org = {
Name = "ZI";
Human = {
UserName = "nikodem@rabulinski.com";
FirstName = "Nikodem";
LastName = "Rabulinski";
Email.Verified = true;
Password = "Password1!";
PasswordChangeRequired = true;
};
};
LoginPolicy.AllowRegister = false;
};
openFirewall = true; openFirewall = true;
}; };
systemd.services.zitadel = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@ -35,6 +69,7 @@
name = "zitadel"; name = "zitadel";
ensureDBOwnership = true; ensureDBOwnership = true;
ensureClauses.login = true; ensureClauses.login = true;
ensureClauses.superuser = true;
} }
]; ];
}; };
@ -52,20 +87,20 @@
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts."zitadel.rabulinski.com" = { virtualHosts."zi.rabulinski.com" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
acmeRoot = null; acmeRoot = null;
locations."/" = { locations."/" = {
extraConfig = '' extraConfig = ''
grpc_pass grpc://${config.settei.containers.zitadel.localAddress}:80; grpc_pass grpc://${config.settei.containers.zitadel.localAddress}:8080;
grpc_set_header Host $host:$server_port; grpc_set_header Host $host:$server_port;
''; '';
}; };
}; };
}; };
security.acme.certs."zitadel.rabulinski.com" = { security.acme.certs."zi.rabulinski.com" = {
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.rabulinski-com-cf.path; credentialsFile = config.age.secrets.rabulinski-com-cf.path;
}; };
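Review bot: The bootstrap admin credential `Password = "Password1!"` in `steps.FirstInstance.Org.Human` is a plaintext secret committed to the repo and rendered into the generated ZITADEL config in the world-readable Nix store, while every other secret in this commit (`zitadel-master`, `rabulinski-com-cf`) goes through agenix. `PasswordChangeRequired = true` only helps once someone logs in; until that first login the account `nikodem@rabulinski.com` (with `Email.Verified = true`, so no mail step) is reachable on `zi.rabulinski.com` with a password anyone who can read the store or this repo knows. I'd drop the `Password` line and feed it from a secret instead, e.g. `systemd.services.zitadel.serviceConfig.EnvironmentFile = config.age.secrets.zitadel-admin.path;` with the file setting `ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD=…` (or the module's extra steps-file option, if this nixpkgs version exposes one), and rotate the value since it has now been committed. Separately, `ensureClauses.superuser = true` makes the application role a Postgres superuser permanently; if it is only needed for `zitadel init`, consider a dedicated `Admin` role or revoking SUPERUSER after the first start so an app-level compromise cannot escalate via e.g. `COPY ... TO PROGRAM`.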



@ -1,7 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 ioPMHA Swzz0jWR8ergR4rY0Mht17fW281TfqCIMpCvZihB6Ek -> ssh-ed25519 ioPMHA wC40k2E26e/5foBXXf43FFKYGSlnoQyFzjJtQRshJw0
9ZTI7oWuFheb42d2tHJEH+IITrbLmNeELzQ2st3MuIg F7LlDuPFfyKjKTT9orFBBUqcmON7DSFrsqHC24x/7jc
-> ssh-ed25519 GKhvwg 37Rw1F7e8ZMopUAKhm/L+fwTzAC8wYpNm3Ingt5xXWQ -> ssh-ed25519 GKhvwg LvajdH8hQ9LQ09qgzIjxYyQfoyJJr649Ks41rmFNWEA
g7hTguWj+c/atzV8GvCS0TxAILqEAHijJqsG28FEgoM 8kLSIbryosex94KkLqJILIUWplrf5vtf59QjJdprOTY
--- wp7RhCcX8WQng29KppL/B/4Vn7PbX9YptE15FDOENRU --- 0XLL9dP31jyO/WdtwUu+C38NqCVcOjkdHKhB82rPUiQ
â`lj6ý \ºUD0ù·ë<C2B7>Ì:{Ú0¥ƒ°á`x´ÙŒï¼ïö€gˆÂ.‰ÑÂ?ñEU¶”¹Ħõé©yX§a,ásÂC[üÌáMù Þÿœ‡ÎNŽëXÔ÷…ûùࢉӭ }î§æ5Úày(i~íB+…‰0<11>q¼:!Í-V1ÐΈóçŒ"ÎÓ§F>ÀlÍ “ UäæB¼œÈ7"†eË<>âìo§ˆ»%p<>•+CÞ§˜Ú:,,åüWü¶þT¦Ó3


@ -1,8 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 84j9mw ILWqHbxvEqIrjjXBJM57buPfjqUzShGomwOsLXP1aCw -> ssh-ed25519 84j9mw ohlOIpKzRlZtkYBMgi1734hmjfOlOmElKSwkDz7Eh2k
JSyo00R8+WemsEX3hnOchb3tPwdATp8pKFyAJxMzqlE 74RT2Nozr3Zv16Ph4UGkVVgmBQmm2YxI15QTyIhINIM
-> ssh-ed25519 GKhvwg k5C6W1n0hD+NPMUXcJF9CHgcUoRGGSmHOd2J3gDFeWU -> ssh-ed25519 GKhvwg i4Ek89wcdeLvPY/U8xgwV6WXJzQOu6NYXqOrN6s3CW4
wXHLNK21wC9nno9CFyRDozFJxikyRdaXyG1vnsn2Hf4 G9gAx1FRpqYxA+JmnFSvRajOHcADu8mYAXcPdOuSymQ
--- 5CTApyYf69lPis/nqSnSez5JZKV/sdG9IxhsRPh97dI --- A+gFn/mv5ThI3Tg+SdQfI49l8PfvcLBWQZBwr3s1S7U
±Bw<42>„^# ÁA+Ôå²Ç <1F>ô·nýC/Èláܬ­œ(Fq~‰jçxÄúJo_ò†eÍøkEÚì Æ¡~V„·Šu1óÂ'sù[-¸a ôQb#ë¶Zö ο R‡ë24ûçPZÍî윲@¦ñ(ŽTTpôrÇÃ˱Õóälåé ûµ©–¯ Å"篊WÑáJð”¥õ8Þèh,ŠÚëÀ1p
”„



@ -1,8 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 84j9mw hEtr3ET/9edzqFXoc39m5fmrEF4AA9msJJ6Q7NlPs3w -> ssh-ed25519 84j9mw NPno3Ox+binqR7DxgPLHoPxfp7aScR4bEyR4Sck6VEo
anGy/8/x2OZV6Hvy8qt6uFH5HeDh73hDA0yPn70dwEU jnQrnf7CrWL5nhj/GFEV5mXP8SFQV2EkL9NCV5mhgxU
-> ssh-ed25519 GKhvwg juWch3g5LsM6tz9YCuXx+apVRpmtH2M9hnweKwnoOAg -> ssh-ed25519 GKhvwg v8SFsdzsloII81FQZ89krfNaWEKtfJAK0VuYXHSzfR0
lDiS4TsYik7oM33adKJkaJciT7e5cxdqvf6aXRRuqDo j3sOP5IzAINcai+kGjkCX93bkmM7FWSxj8TseWirOrI
--- tU6RdGReOS8XhGpBjpBJRu6le7xh8u4vJ/wHFeK3ewY --- WsXIVgFQVz5CmYA7d28aanO6iaHb1DP/bcwwmNrdGQw
($ÔI„Ž­ #<!«0†<hŠ¿G]IâS—Ï„ 滐Ҿ´3®†}:zì—®>ÉÖÅðŒÀHÜD×9
ÿZëÿaÅù åI81€Tß©"ÎK¥‡™Ç#ڴᙦÏ<C2A6>Q



@ -80,4 +80,8 @@ in
keys.system.kazuki keys.system.kazuki
keys.other.bootstrap keys.other.bootstrap
]; ];
"zitadel-master.age".publicKeys = [
keys.system.kazuki
keys.other.bootstrap
];
} }


@ -1,7 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 84j9mw PC6bFOK3ckx+3BAhkeF4uQFKts+qv0iYBDfGZFvm9lI -> ssh-ed25519 84j9mw Hnei3vVAC9dL9O1H9GIVL0WqR8/rinZ04AM8vwacgwg
qQVTypBokLOfA8Dy731amUqDOMhZW7IAvscVQPpLbrk vPzKjQDCPKdwEHvdDibg6i/LeDjFwXBnINkzwlh0hBk
-> ssh-ed25519 GKhvwg jRZeUjFXgdMC/wPTDTxkcCRBwWvZrrAbOyRXW9/TqWQ -> ssh-ed25519 GKhvwg PAvDfn/sTrH8lhbHZ/l9hmyjNXIPSdN7MCOYkD1ZC1g
Xyfz103+dug2SjKjxCZHLR2diFU4E+CKqOsvdGupbkY Bh+PCt3X89RJZMS6XCQRFCC9dW4BWlWPbZgdzVniW9E
--- 4sX0V7sT9x5VYJhIJFABFDWjdwJkZ1c+tiK8aQXCjGk --- Ad8wu6O3CZUDHmsxhaFiVcpTLHtMmSVENddCD2Ns4r0
W"Ö/|5Ͳ:) °.tñvNSºo¬ÇáoQ†1þ@YÕ]±øÿ<C3BF>ca†5¤N\N="‚ÉçOùááäïòV¯Iåxõ`ý6Ac »•åMgÒÎðÊÜóD_&òý¹ët¯ª]Vœ„"Riá<>K)·?e<>©v™)¦ëƒ zãÒÖ¤“9DNº<ì*1‰Gl



@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 84j9mw EBpEqtz2Zh60+OUcGzl2dpVWkOhbf26cW7ftTN0j3l4
chTq+MDv/RiD9hWSwVPY0X/lKp7AW+j0JqRuKOOHuns
-> ssh-ed25519 GKhvwg 2o2gRmU9IrUTGkg2J3YFT7PwwngjXiDQ5T0/C/TKPQM
Wnh+tniVr23bkWHGkeEQkrkuG6henkSC2VNfonMOAZQ
--- ddtNvxlAxHvmsi7nVE5mBc5IYTVT54Sko87EABHQ5fs
Ú–°""ˆƒBU*9­<73>ÁBäÿàåµktË6fzg¦NZPUc3=„¯ÓžÿkÙ9½MŸ‰ËÕÍÄýD²