From 7711ee80eb8878c7c1dcad6b2ee65a279a0b273b Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Tue, 5 Oct 2021 22:00:44 +0200
Subject: [PATCH] working on sputnik
---
 flake.lock | 8 ++---
 nixos/assets/ssh/jenkins.pub | 1 +
 nixos/configs/sputnik/configuration.nix | 3 +-
 nixos/configs/sputnik/nginx.nix | 40 +------------------------
 4 files changed, 8 insertions(+), 44 deletions(-)
 create mode 100644 nixos/assets/ssh/jenkins.pub
diff --git a/flake.lock b/flake.lock
index c7e6efb..cd9f949 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,11 +38,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1632639184,
- "narHash": "sha256-fRLxre+gPxIkjFVj17O68pyAWU1cxT20XFOiulIWzRw=",
+ "lastModified": 1633267966,
+ "narHash": "sha256-gFKvZ5AmV/dDTKXVxacPbXe4R0BsFpwtVaQxuIm2nnk=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "fd8a7fd07da0f3fc0e27575891f45c2f88e5dd44",
+ "rev": "7daf35532d2d8bf5e6f7f962e6cd13a66d01a71d",
 "type": "github"
 },
 "original": {
@@ -62,7 +62,7 @@
 "secrets": {
 "flake": false,
 "locked": {
- "narHash": "sha256-MW7SCJb32fcfIagCbaTaRbkzEmwcQ+xdGByFJZjGZ94=",
+ "narHash": "sha256-XRWlSFaGqmeDstMQS46KUOkIks0wLADTiHC09pYVyMc=",
 "path": "/home/palo/dev/secrets",
 "type": "path"
 },
diff --git a/nixos/assets/ssh/jenkins.pub b/nixos/assets/ssh/jenkins.pub
new file mode 100644
index 0000000..c18bcdf
--- /dev/null
+++ b/nixos/assets/ssh/jenkins.pub
@@ -0,0 +1 @@
+ssh-rsa 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
diff --git a/nixos/configs/sputnik/configuration.nix b/nixos/configs/sputnik/configuration.nix
index 9b757a0..c5797f0 100644
--- a/nixos/configs/sputnik/configuration.nix
+++ b/nixos/configs/sputnik/configuration.nix
@@ -13,6 +13,7 @@
 ];
+ sops.defaultSopsFile = ../../secrets/sputnik.yaml;
 networking.hostName = "sputnik";
 networking.useDHCP = true;
@@ -33,7 +34,7 @@
 };
 services.custom.ssh.sshd.rootKeyFiles =
- [ (toString ) ];
+ [ ../../assets/ssh/jenkins.pub ];
 # make sure ssh is only available trough the tinc
 networking.firewall.extraCommands = ''
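Review bot: The added `sops.defaultSopsFile = ../../secrets/sputnik.yaml;` in the first configuration.nix hunk is a Nix path literal, so the file is copied into the world-readable store at build time and must only ever exist in the tree in its sops-encrypted form. The diffstat of this commit does not list that file, so it is either tracked already or the flake evaluation will not find it; that is worth confirming before deploying. I would add a comment above the line such as `# sops-encrypted secrets for this host; ends up in /nix/store, never commit it decrypted`. The enclosing attribute set starts and ends outside the hunk.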
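Review bot: The new `rootKeyFiles` value in the second configuration.nix hunk authorizes the Jenkins key for root and drops the previous entry, so a CI credential gets an unrestricted root shell and, as far as this hunk shows, it is the only root key left. The firewall rule that limits sshd to tinc continues below the hunk; it narrows who can connect but does not limit what that key can do once connected. Consider a dedicated deploy user, or, if the custom module passes the file through to authorized_keys unchanged, prefixing the key line in `nixos/assets/ssh/jenkins.pub` with options such as `restrict` or `from="JENKINS_TINC_ADDRESS"` (placeholder). The value also changed from a `toString` string to a path literal; whether the `services.custom.ssh.sshd` module accepts both is not visible here.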
diff --git a/nixos/configs/sputnik/nginx.nix b/nixos/configs/sputnik/nginx.nix
index 3d36729..8d95696 100644
--- a/nixos/configs/sputnik/nginx.nix
+++ b/nixos/configs/sputnik/nginx.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
+ # todo create flake for this
 errorPages = pkgs.fetchgit {
 url = "https://git.ingolf-wagner.de/palo/http-errors.git";
 rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
@@ -358,45 +359,6 @@ in {
 } // error.locations;
 };
- #"home.ingolf-wagner.de" = {
- # listen = [
- # {
- # addr = "0.0.0.0";
- # port = 4443;
- # ssl = true;
- # }
- # {
- # addr = "0.0.0.0";
- # port = 80;
- # ssl = false;
- # }
- # ];
- # extraConfig = ''
- # proxy_buffering off;
- # # client certificate
- # ssl_client_certificate ${};
- # # make verification optional, so we can display a 403 message to those
- # # who fail authentication
- # ssl_verify_client optional;
- # '';
- # forceSSL = true;
- # enableACME = true;
- # locations."/" = {
- # proxyPass = "http://pepe.private:8123";
- # proxyWebsockets = true;
- # extraConfig = ''
- # # if the client-side certificate failed to authenticate, show a 403
- # # message to the client
- # if ($ssl_client_verify != SUCCESS) {
- # return 403;
- # }
- # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # proxy_set_header Upgrade $http_upgrade;
- # proxy_set_header Connection $connection_upgrade;
- # '';
- # };
- #};
-
 };
 };