working on sputnik

flake.lock

@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1632639184,
+        "lastModified": 1633267966,
-        "narHash": "sha256-fRLxre+gPxIkjFVj17O68pyAWU1cxT20XFOiulIWzRw=",
+        "narHash": "sha256-gFKvZ5AmV/dDTKXVxacPbXe4R0BsFpwtVaQxuIm2nnk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fd8a7fd07da0f3fc0e27575891f45c2f88e5dd44",
+        "rev": "7daf35532d2d8bf5e6f7f962e6cd13a66d01a71d",
         "type": "github"
       },
       "original": {
@@ -62,7 +62,7 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-MW7SCJb32fcfIagCbaTaRbkzEmwcQ+xdGByFJZjGZ94=",
+        "narHash": "sha256-XRWlSFaGqmeDstMQS46KUOkIks0wLADTiHC09pYVyMc=",
         "path": "/home/palo/dev/secrets",
         "type": "path"
       },

nixos/assets/ssh/jenkins.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIZ8ezpjX1nI/Im+krulJNaVd1DZeFvcgX3x197DIbBgCsBjAW8WuV2tzmcrWSjWJ6lfmLlzplOLzhTNG763sbNQ5amfhglYTmQhruGcSXNkdsjOyoxK8SX3wH6Kv/Q0CpoyAYOB9fiJnUyWB9BXSI8VYMMRFj6+cPiZc6NhnnlxU+6uH3VvzV5hsAaT4mpXJJEidMqE9DpGFguOekOUO7HCVcZeQQjazl1u+NhbqRI3CsJjXBqiqAFSMzKOXhTk36xd2WLEmCaPnWuWf7imvR+T3JVPFTNGec3wMbT5nnMiK0/hbowyDQCbtnUVWja9ftVsOH55tLRSY16GnXngUzw+trxWOvX0wOFOhfSZ2k1WtjTlNtOEhne/V0a3bocel/7JuXBX3RvWAEVl1sWS5R9MG8aDB8S2fx8qZirbg0NZticAxcHtg0RyJRzH6DYrkINE6cUgK7qsrUtaY1W6Qj6Jp33Li8KHY2JElDvJLhAx8v7l6BaZkog/Z0raR8RSRefiDQZJ8qiqPXUJG1pQm4Mp8IGL5PAmi0AZg6QL2pkXC0pyg1xE4TdRjOeuV/vdVDX15xCsgOJjK7PGNoNm2JpYA8vaWMHG8Ujk4UBHolooKeuL3g0CcgzfyRMp/Dxlk1BhgRQ17VxWBDuKt3bWuTJIvmrvDuPB3vd+WYNNqskQ==

nixos/configs/sputnik/configuration.nix

@@ -13,6 +13,7 @@
 
   ];
 
+  sops.defaultSopsFile = ../../secrets/sputnik.yaml;
   networking.hostName = "sputnik";
   networking.useDHCP = true;
 
@@ -33,7 +34,7 @@
   };
 
   services.custom.ssh.sshd.rootKeyFiles =
-    [ (toString <secrets/ssh/jenkins_rsa.pub>) ];
+    [ ../../assets/ssh/jenkins.pub ];
 
   # make sure ssh is only available trough the tinc
   networking.firewall.extraCommands = ''

nixos/configs/sputnik/nginx.nix

@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
 
+  # todo create flake for this
   errorPages = pkgs.fetchgit {
     url = "https://git.ingolf-wagner.de/palo/http-errors.git";
     rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
@@ -358,45 +359,6 @@ in {
         } // error.locations;
       };
 
-      #"home.ingolf-wagner.de" = {
-      #  listen = [
-      #    {
-      #      addr = "0.0.0.0";
-      #      port = 4443;
-      #      ssl = true;
-      #    }
-      #    {
-      #      addr = "0.0.0.0";
-      #      port = 80;
-      #      ssl = false;
-      #    }
-      #  ];
-      #  extraConfig = ''
-      #    proxy_buffering off;
-      #    # client certificate
-      #    ssl_client_certificate ${<secrets/client-cert/ca.crt>};
-      #    # make verification optional, so we can display a 403 message to those
-      #    # who fail authentication
-      #    ssl_verify_client optional;
-      #  '';
-      #  forceSSL = true;
-      #  enableACME = true;
-      #  locations."/" = {
-      #    proxyPass = "http://pepe.private:8123";
-      #    proxyWebsockets = true;
-      #    extraConfig = ''
-      #      # if the client-side certificate failed to authenticate, show a 403
-      #      # message to the client
-      #      if ($ssl_client_verify != SUCCESS) {
-      #        return 403;
-      #      }
-      #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      #      proxy_set_header Upgrade $http_upgrade;
-      #      proxy_set_header Connection $connection_upgrade;
-      #    '';
-      #  };
-      #};
-
     };
   };