nrabulinski/settei
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

hosts/kazuki/ntfy: set up users declaratively

Browse source
This commit is contained in:
Nikodem Rabuliński 2024-02-25 23:02:15 +01:00
parent 6558fdb739
commit f7e385d696
17 changed files with 122 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

38
hosts/kazuki/ntfy.nix
View file

@ -1,14 +1,27 @@
{ config, ... }: {
config,
lib,
pkgs,
...
}:
{ {
age.secrets.nrab-lol-cf = { age.secrets.nrab-lol-cf = {
file = ../../secrets/nrab-lol-cf.age; file = ../../secrets/nrab-lol-cf.age;
owner = config.services.nginx.user; owner = config.services.nginx.user;
}; };
age.secrets.ntfy-niko-pass = {
file = ../../secrets/ntfy-niko-pass.age;
owner = config.services.ntfy-sh.user;
};
age.secrets.ntfy-alert-pass = {
file = ../../secrets/ntfy-alert-pass.age;
owner = config.services.ntfy-sh.user;
};
services.ntfy-sh = { services.ntfy-sh = {
enable = true; enable = true;
settings = { settings = {
base-url = "ntfy.nrab.lol"; base-url = "https://ntfy.nrab.lol";
listen-http = "127.0.0.1:9800"; listen-http = "127.0.0.1:9800";
behind-proxy = true; behind-proxy = true;
upstream-base-url = "https://ntfy.sh"; upstream-base-url = "https://ntfy.sh";
@ -16,6 +29,27 @@
}; };
}; };
systemd.services.ntfy-sh.postStart =
let
ntfy = lib.getExe' config.services.ntfy-sh.package "ntfy";
script = pkgs.writeShellScript "ntfy-setup-users.sh" ''
${ntfy} access everyone '*' deny
if ! ${ntfy} user list | grep -q 'user alert'; then
NTFY_PASSWORD="$(cat ${config.age.secrets.ntfy-alert-pass.path})" \
${ntfy} user add alert
${ntfy} access alert '*' write-only
fi
if ! ${ntfy} user list | grep -q 'user niko'; then
NTFY_PASSWORD="$(cat ${config.age.secrets.ntfy-niko-pass.path})" \
${ntfy} user add niko
${ntfy} access niko '*' read-only
fi
'';
in
toString script;
users.users.nginx.extraGroups = [ "acme" ]; users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80

12
secrets/alert-nrab-lol-pass.age
View file

@ -1,7 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 84j9mw E/UAAPU36fEbTLcJqSHuXLkT9gM9SKJc69lHYZ6vsxA -> ssh-ed25519 84j9mw 4n/zqW5iLJrCV7DkJjWVLqznKo5tCAtS3Ps42D3pGlA
qtW5rBrMVMZlB9QAl1dJQW5wlXL9Xzzb6v0TgsVUH+I DikYMkhNvvXqVpuzLbKYrILImwYow6yS9zHHBEQbEi8
-> ssh-ed25519 GKhvwg LVyoMAJOOeyBUUDvehyKVCMyaECs5f5nFiWFIWVcXlM -> ssh-ed25519 GKhvwg ZQmLaXauWbnXb/4/MSbYB5h9usBY02oowXNEkixBgRc
zvoD1iS6LkgcuBwRlq8I7dL0js/881Flutn+aiWk4x8 LEV0jDifVtosFZYVOk5jBrd+koAh/B0uXnYO18HDU4g
--- qQutAtaqLW7+tjxs/t34QquhxIg+OZiGTmjGW4okQc8 --- Uwt3RGREkK2dHLhhhjz+kGzAL8ik/mA3oPWnEuocXhk
œ£0N“G%…*m²Ž]~§°<C2A7>½óŒT¹P]CšÓšÃL³fŒaãì‡To÷T”ÒEçû¨ž{ÀºµX‡´}¬9ª¬_€ ÞåØ nÏ<6E>|(fé -„  MÌeÍ5~#ézBØ]îåFâ¿€Ýk¼7Œ5ò%÷·Ã!t|ÝTßëë¾ãÉ–ÑÜù"cüõKÏ8éI<01>áëÁÑniÀè§SÚÏØ™ÉýÉaìÁ¬]ˆºœ¶¬Ó

12
secrets/alert-plain-pass.age
View file

@ -1,7 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 ioPMHA bzpHiPf01dn6o2RorgjHtJLxEXTdX2vk5gzqeurKYWY -> ssh-ed25519 ioPMHA 631XxPesBw0DC687j0Du8gyvwHuN8DrRMtVVVPJ3kEA
PCZiMqJOHaVUfTmQAxfSi4R4K9EJv9lRlvzifcZBdlg A0zq6X8YgNVGMUBtpozcwXmy8pVQwtJRpelSPVywJ+Q
-> ssh-ed25519 GKhvwg 9LIgHkI9ai9sG5105/cckINKLZG1ZDLJoK4VseW4+Vo -> ssh-ed25519 GKhvwg NPPNc8ZreWcjYkriM0fn76AoYO5HSFmGY2Dnbhjchlg
cRJkPh2P1qIeLiC8FBMaf3Q0mdcH6KMmhKIZ8AE7oxk fpchA60ze8fx3ooQlyRk9lapL+m90NLn+p6eKRoyy64
--- ak5uMosvoFn03re13Wvb5izecSpHrrtmJ21YdWAvNs0 --- KYS9LOiN9+RIlzyPZ71iqQ0c6I7MptxKzjfZzrEeAhs
ç¿tû<0­C2×QϾäG„(´¥þ$½ÿ”GGwBƒÈç H3±•Â<1A>rK²† z [´iè1x¯ >Ž®ÏG7ì2ÖLžØ!¨K,”™ãê[7ô¦˜ì

BIN
secrets/attic-creds.age
View file

Binary file not shown.

26
secrets/github-token.age
View file

@ -1,14 +1,14 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 IFuY+w BRVOB+nGZJ/43pUOJBXtYN9x65vGz+PeFBpUta4E7kM -> ssh-ed25519 IFuY+w G6FFvEMeBtfhAyS2FxF+uxxd3DlYAGepXDEPR9NdBEA
an/9NC1sk2IzT+YdaPYvGfdn5ZR8eU21/h5OjL4yddE ClECByd51Kby8eoJFWbzbVedoH/ouz+BMehRKMVOQqw
-> ssh-ed25519 84j9mw ndRBUsTQo3k/MQeQALBWZ8ZV86I+TjXbImDqm/ogMwU -> ssh-ed25519 84j9mw b4eFV+AZ3ubWWoRGTF6IFOxsoAuBkCTyz5QzsVDsagA
eTyKCxGOLdq+mVq88cqSn5Y8tPQx3tcOk2B41uCf3KM k+rDZ8aFgDRvqIyWGFiKkYPePBWbMERWGPDYUfwWZTc
-> ssh-ed25519 ioPMHA He7pM+kv7Mix/TsjevaXNnFt+a6uKAHdgqi/crJeIWQ -> ssh-ed25519 ioPMHA W4jTnofv9qZxft/PlGbH9uS+KBgUXL86vB1B2MEO8Cg
0YWZf3na17QYViOVG3D7h7S/jgXWwZrslYHD+uFq3U4 7/ZcbO2YqMCJX9NGuyG4t0+svkGxkE9MaylmpGuIQKQ
-> ssh-ed25519 5A7peQ lNXbVWvO6oJyvuYZBzJOsgSSCW3jKqKU/FHiVStKfGw -> ssh-ed25519 5A7peQ 7AzjFajaowcZCLrASPJbYbV+OPSZ8UZyxzy8B0kCqj8
DckkP45wQ6i6vOqknKKoEYnERzBydM8Mgjt/17bPKc0 LNWG6lA5XRp25bBj/OJ6591780BM56tS8Cb85QcbdQw
-> ssh-ed25519 GKhvwg Y+VUXd0xlQ5FdCb+cWDO8Gb6ATHRpxrnJqsh5FXWnzU -> ssh-ed25519 GKhvwg f5gR3WtCGEk/7XpB6Ah3Ns4TegcTFq8+2JuWCC0pU2U
q/g44328iKsulGNpZXW0FIPL59JBjJLVV8bH+WuNKkg tG1C60WknYYWwYe23pxlud1hT9uBEHaVYjF4sX5sTYg
--- P6ctzFyIxW72c+hxF6UaR3J8bCUHPql0IsNI6TktKxg --- yMoAb6D7Q9IOOR9l3gnQnbxuKoCZI0HR5+PZLGjYmKk
¶ âŒYÐûGl^iÕ½eg÷«öT<t]YaJ|uY>ßÓw‰{äçy— r&p!vu¬“µ:Vüú= ßœYbq¸7»(®$²§•¾Q Äá÷|î2û<32>cAó·­EÕ¹Ìï?ª·o<E280B9>²QZ߈>
CïLj<4C>žž£gáO‡@b q¦W5Aaª3Žf¬“%F

BIN
secrets/hercules-cache.age
View file

Binary file not shown.

27
secrets/hercules-secrets.age
View file

@ -1,15 +1,14 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 84j9mw SzwJ0Fb3oan5QQXr10AEQzdg1Q4LNgUxPpYDftHywwo -> ssh-ed25519 84j9mw vY3nxZWjk7h4F4hZBkp2NJrC9HULrOJ4b9nVcix3LAA
lt+uQHpu9u1wu1UEq3aSJZ++sBpoeX/PhCRqNoZ3vN8 G9PQPGVI8g61fAFUs8FWKajmPOti5hCgNladdAlo0h0
-> ssh-ed25519 ioPMHA OQe9Skg2JjtWT/YnOlOexhxifueYp4sMMCuokxg0NEQ -> ssh-ed25519 ioPMHA Y/qWQGVvQhri80M7Ci+CF85VCbKJRVZ1AF3ueQzVTCo
g2AaKoA8KBkpl7twrn/CL5YipDZ2vKiHCjF72D0dVYE gcjYjXLqxvnD12wV5zhl9ELvaX987EyBAHL7nuUmdEE
-> ssh-ed25519 IFuY+w exr87EhCeLY9Zlrxi10d9K5a2WtLXZYSbxSKUvAJ7ys -> ssh-ed25519 IFuY+w bl9m9HfnL/aGEe0TrjJMChNgFS1Ox2NsffazhmA4ZUU
GK9FiOWDtOWBfck0BoWt4GiCPhMysDyiUu2zDcminII p4PqXZGk1pNF6Bdbh504I324OErbiwZgwKI1+bwUCJg
-> ssh-ed25519 5A7peQ FI5uoSKhGYWXnZyA9rcKK5N0x7+8wrHY/pCoYdOCY1g -> ssh-ed25519 5A7peQ h6kXKa9g0WbUbAExL53Z3KO/8J3q/75ERJqpTj0kGCA
JRJc8uz5GgVkHCLdxfQdPFEEaRVHAzL791bYAw4DePM nSKw2+ehVY9ZAFYLHGNPtykSn7GpYm5hSHWrosZtsAM
-> ssh-ed25519 GKhvwg ffDs2wAJAgQt9s2R4v1UAWg5vxC5c+TnfjYJ6RRw53s -> ssh-ed25519 GKhvwg KOG4A6BbJdE95hHbUTlSGz+VleTXDzPjmlPGFMtrPls
BjF6ExVMjFmdc3WizPsH2XRqdI3vOjz9ffnsLvGeJws /mGzr+PynGrELwJsV+KTupzLfbG+eLisOtwWvOL2ZfY
--- hiMPtBqjjdtSDBXaG+ZPlKr3l75B3vS0m98y3yemh4E --- iioMB0ae1QZccJnjieAjCxIbbj7SPfiMu+G99WjEM/o
6è Ú¥®dÐëXø,/œ`ê>Ì-ÆaÖe ÍÆË`Yƒ¥phz:™ŒVl<56>&k J{¸UðmM—)ŠÒóÛ»k`$+QuëBAÛXE¢IOP~Én)<29>¢hÈáÈÑÁv-/xNÐí4ÞÂÐp>}ÐÅv0å¹<C3A5>Ök%ÕíôA¶ R+³Iò.¯- &6µiôTýąŹŤaů#<VëfGZŇ!:Ĺč bÄŘŔ·-ĄE¸)~+z«Ů!}±Äľš˝,ďöĄZ Ř4IpúZKĂ<ńĽs˝ˇű07YćśfBňYniŐ<78>>ÎÔŮţËł}ŮĎpAxc{÷HH<48>Ů îŽńcA-°í–-âë4žŽ˙ŕő§©.C­igŕ0kD>±WRˇĐ
1<EFBFBD>Ñ·>Œ6gÚ3„Vâæ˜<1B>ähÈ0>ÑèŸ'šð‰N8<4E><1B>ÏY62*«ŠÖÙåµW“Ö™£ÁÖ ¯</- $'~üm<C3BC>dŔJč“JŞ<˝!ě#Ôę”Îm¦PóűĂJ CŢT˝<¨—ňŢqZcń6™¨˙Eôä9~î&šCôÓB—jOŕ®O…ÄÂxşé˛XdžÓłź—ŠěŻ{n«¬YÚ„ĹeÖv˝y•SÚ¶·ŽČţ.ź|´8É˝érTĹö  Ëş«ÓŻo@«ˇ~
>ÆLI{uì?[&S¶¤jcSáKEœÙ2žkUì~b™5<E284A2>(B3Ûð~ÌT)ÑA&€ì<E282AC>¸¿yþ^ΞŒÏé#ùÊÇÚyE9mçd”µâ¤rͣܣ`{®Ý+c

BIN
secrets/hercules-token.age
View file

Binary file not shown.

BIN
secrets/leet-nrab-lol-pass.age
View file

Binary file not shown.

12
secrets/legion-niko-pass.age
View file

@ -1,7 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 ioPMHA pWCwNDvXfVMuPXbMw4cvdz8iztUdPcJZcYBUU6Hfg34 -> ssh-ed25519 ioPMHA jkLofh/bWIQ2C6GuMO2rj3txFSZqbygxmw2Wqf6BRnI
NW49fnk6FjLMbkDBeXnGylXpdOecHxrFjlkv+4lSde0 cEN5l7MtRup7CrcvErWqQkjoswJhHVSwLYHlwbVHHGU
-> ssh-ed25519 GKhvwg bqVjtgocY6+SPikUfDOn/7gUmEIsMG7Rq0A0dyxdcn8 -> ssh-ed25519 GKhvwg sLzHoAm6XHQnOdZLNkjyMgNcV1LCzH5JoYprzu0bgEs
EHbB9KLG3S/skQOKCKtJC4VXL2bz9sO0Lym9uI+hz6c uDrJR546WgW8PBoKRg+hZYzNwRtwUErT6jWFj9pDHlo
--- EUFvmoeavLuLPnufqmgtwEPKoK3HEgMhgBKCaD4FDho --- N8Tmhynh1k7quJdAgqNPnsa7tjkt/Ev5LrdhojbiM9E
ëõD¸ãÃ9ÃŒ{*X¤˜ùÄ©UfhÓÆy»¦¡C²RØhÚZ~·k¥F‰¡)UP<Dj½+q® "'éÞµùº¹®„öÝà(b;<3B>4黨)>}Ȗ࣪ÊS+"ØlmÉÕKý¾<C3BD>[<5B> ¤´A hWÜÍó”€Â+¯X岆G•*Ó<>ŸLŠ¢¶Možµ¥U+mÌ/%zP¨õ¦¾.ûœo¤î‰ö%þmcŠU;¹~[¤gáÏ°5ï82O¨-\ L•°ÿ2MX£JÃ2nÏfÎô þ?O

13
secrets/nrab-lol-cf.age
View file

@ -1,7 +1,8 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 84j9mw meAuaVxNefi92UFGVqX2tKHu5XSIWDykpmiM7zjtMlM -> ssh-ed25519 84j9mw J8KF1LlgpFaq/LBh5/4H+RZ6et86bdDFOvi8+kpZXRA
wcI5WePiDt9IuC9RH06PH30Sn7wbkDDk9ZEt/iQkeTA gs3mQE2r0uizPXVhiOv93DpIWFkQ8KkmNqEZ71p8KFk
-> ssh-ed25519 GKhvwg 6AcyxHMd2g99rdhd/s4e95LU7PtMesyD2kd7Rt6u3yg -> ssh-ed25519 GKhvwg xh1ZHY499FomptXCxj5a1NO3j0KtIKXpsYZFF5erXik
KXPAV17yyq94pTJdmNGVowO6DVoDLhC9UlCyAmSk59I bmDBVcJLUzrDPEGzZO0kVgXDaWXbm5RpyCq8/A+Zk4I
--- mR8BQg3dMF2IqUqDmrWIvD7hOfTeJYCpR5QlPXNcgzM --- TIKd5u8wRwrMAeDIkm9sIzeW2m+jXuzBewAVd5w5iqk
qI¼£l _ïAˆ<41>;‘ÆÚ~<7E>­O<C2AD>4„noݳ*;“[<;{í<>Ì¥·Žð- Z`°*ÿò!ív<C3AD>îÒmx£-VÍ Éôl¬ÐÔ«]|¥%%¡ºxŠžš;5 <EFBFBD>Èâ1I¥È4œçqÓÔ™?b¡oUÔÇ2ùÙ<C3B9>eC:Ôû«PšÃè›
‡ªL#ÐYž+°R…,<2C>ö·CbŸö‡X„EuRD i,Ø1ÀÀoùZìx&

17
secrets/ntfy-alert-pass.age Normal file
View file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 H0Rg/A JBVUqzrPx6XwOHdMl5Qp/doUyJUwchW/GeXu50f24Fo
ISVMQtq9mpkRshvwamwmWwYeyKZFgtyWtw+IiaQYuB4
-> ssh-ed25519 84j9mw XiH+tWfMOZQFJmS0QyQxOe9VjTaMo9kvU3rDSu4kdyM
dZ5P8ndFUR2yU5J8D1m3eaGQd1CVzNKtT4VowXdFtrQ
-> ssh-ed25519 5A7peQ UytC66TWuyHd5TepfV6EIvYuyUXKXoFBctYB8cfgU1M
sWIqvAqUJvN0J+Je3WBFFYRAff2+CexAagd4+VR37Yw
-> ssh-ed25519 ioPMHA 7QcH5Wyljwhoj0jLMQz977gFggfehG7f2ugmnfX+tCI
Dfe6BwfLoDRmfV8O5COBMqBYWaanC2I32OU3+ldaKig
-> ssh-ed25519 g2vRWw 1pnce+XKob7qrB0ufkdZvHucvk9NiXATRUmczvNGMhA
zf0ak4p+qYCtsdnWZwHtTnfjn75WPzdc+hEHk7H0exw
-> ssh-ed25519 IFuY+w 6ujRC18VThMj4ocX3loqq2DISxS68aVu9T2w7kiKhhw
j8ZgoMH0DIS21bDeLdRPeCRO01hX+MAv6YYpvNMLkFk
-> ssh-ed25519 GKhvwg O+JfpLfrxaIl8PL+StLA8hb2fADlgUTOn0lujlu4k2M
YZ03palVRAtSvldZQatrl45EvuIIkdd45IZZKjZO7js
--- 40DpLeXN4B2bpTfcakCZ8CdUzOGREmAba4atOzsyGiM
f_õE®šòd>÷"ežyÃLšþ¥{šlnÆÆüæÙ5W3·-IÿÒÏBƒO7}9'î#=Uü˜‘áA5±))¸

7
secrets/ntfy-niko-pass.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 84j9mw 9fO0Uss0X8+FmibHo84aRYKDB+Mavp9X2Cg9lqGTixc
SnOdbe+GzL01jJ4rSSh+4Xb/CIJ/23bb0/+D686TnTU
-> ssh-ed25519 GKhvwg u3V5o3Mtk5YiwzETseVfBYlPT29HS1mwheCUCyJUh2M
jko5Sdf+4E61I5dpjH4bUth60B8BnnOsOcAIdcMzBFw
--- CO2Ky/1xxfSu/Tb3f0a8ORtCoRkfeh1cDtJiaP/1MDI
l*[—'ïA™Ùu27¢ý#u 趶³IQmå,XC7°|Ùž/Ήrÿ¾æ-¢<

5
secrets/secrets.nix
View file

@ -67,4 +67,9 @@ in
keys.system.kazuki keys.system.kazuki
keys.other.bootstrap keys.other.bootstrap
]; ];
"ntfy-niko-pass.age".publicKeys = [
keys.system.kazuki
keys.other.bootstrap
];
"ntfy-alert-pass.age".publicKeys = (builtins.attrValues keys.system) ++ [ keys.other.bootstrap ];
} }

12
secrets/storage-box-creds.age
View file

@ -1,7 +1,7 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 84j9mw g6s+z6YHbfOvZI7ZDp18eMu5Cjz+BoFXMx51+2lxUFY -> ssh-ed25519 84j9mw cEEM1sFBEx0VLeOpToON4hb6d21gJEYMMn/vlHu/wBs
3q/ymTUaBQz1ZzexbPOyfIuqDa6RaXpjECfVo5wfXak khAgpAFxFGKBIG2z0f5qqh122KGsrlkt5FM+5daqQcY
-> ssh-ed25519 GKhvwg F/e+lEu0+0pKBRRrbZJV3Dd2OaKcAwHrQAAtABrezRQ -> ssh-ed25519 GKhvwg Zac7w0M77F9n0QjqEFe/mpyjanhH6YH2fc1UPPapx2o
LcWXLsWe+izfAkA1CI6l1672SPhaEk4Kp/rHjIQtJCQ 6AvDBxnlMZhQ/6inLj7d72k1P0EI43wBniwa5ieTgYk
--- YxR7bdc//u/axG37zmoSav5YBwhBqjti1aKLF4l4X2o --- zEz2LeBNXbH433jUfugEYHVMeEB64yq2/01Xd18tPgg
í<EFBFBD>0ᨾªÞ©Ì¢°Ÿÿªè-çA%V2Ÿ1ÅÎz ~š¥Æ˜ÌÄhõšfóñ†y<>±· D¿šŒ™ c="QnC14l§£ €åg„]ººi°7±ŽËRñl4åõ÷p ö¿C&<26>)oÅ^Ê…IsÄi¨:««[É¥7w ŽïyeXàš6$ ¢¬åÙ—´° 

BIN
secrets/storage-box-webdav.age
View file

Binary file not shown.

BIN
secrets/vault-cert-env.age
View file

Binary file not shown.