Add Cloudflare API keys to hetznix server with

...agenix
2024-12-26 00:13:42 +00:00 · 2024-12-26 00:13:42 +00:00 · dcb3f90393
parent 50c8d8ae18
commit dcb3f90393
6 changed files with 46 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -94,7 +94,9 @@
          };

          modules = [
+            agenix.nixosModules.default
            disko.nixosModules.disko
+
            ./nix/hosts/hetznix/configuration.nix
          ];
        };
--- a/nix/hosts/hetznix/configuration.nix
+++ b/nix/hosts/hetznix/configuration.nix
@ -12,6 +12,7 @@

    ./disks.nix
    ./hardware-configuration.nix
+    ./secrets.nix

    ./modules/acme.nix
    ./modules/nginx
--- a/nix/hosts/hetznix/modules/acme.nix
+++ b/nix/hosts/hetznix/modules/acme.nix
@ -1,10 +1,16 @@
+{ config, ... }:
+
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "oliver@oliverdavies.uk";
+    defaults.environmentFile = config.age.secrets.cloudflare.path;

    certs."oliverdavies.uk" = {
      domain = "oliverdavies.uk";
+      dnsProvider = "cloudflare";
+      webroot = null;
+
      extraDomainNames = [
        # TODO Refactor to use a wildcard certificate.
        "2020.oliverdavies.uk"
--- a/nix/hosts/hetznix/secrets.nix
+++ b/nix/hosts/hetznix/secrets.nix
@ -0,0 +1,5 @@
+{
+  age.secrets = {
+    cloudflare.file = ../../secrets/cloudflare.age;
+  };
+}
--- a/nix/secrets/cloudflare.age
+++ b/nix/secrets/cloudflare.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 nmofLg ulxze6jNUmIB72CLo23yqmx7he8mPqTcLR0oHJaHr0k
+qhi20IiROe9RNO949XNR6iqAf6KvXqfXl7u7WiqIaH8
+-> ssh-rsa +vTWQw
+VtDyb9urRPA7Hh+2Kb+cw8Dlo5lPCExHwH9Iw/XMbYGn/jvATdS/T4tMsLIwgctA
+xCBHMtMeXuCEX9bybrr9r+Azf/5zQqs/I1QN5USnyRtjmaWDonDtGlGIPXfZBlCU
+slUi1yWk1Jm8sadwQqrw1YLvGpszn1iPpnLhmdBvEoC3LSYI4Wib4kYU6QhirJfe
+flW8GMkZtr96ozmyJswXRFr6Zf7XUUd3TTeCPahkzoE4Un8NFDmviBEjeqvMYE1h
+5KoLQwdVo8P8IPnDmTAd5Rpb/bbEQ3OWt5xNd2ZYtL5lGEJ9gg9S+pgTR+WOL1UZ
+UOuBE2u71df5tjTg4OEa05TWB93he0wURjT+mmJARebNWqlGtpsEVhLF6rYAfrMB
+9ywUqbCV3WRS8a3EpI5wSPmAQZLeWE/L0+gH17qatM+dzf2jkIRZZCWiIVFDFDyA
+s2cMk5Gya44I5RM9CjjHr3Zpq2poixNYsg1opaVByrgsPZrxetGXaKSzt+VRTXV
+H/jx9/zqSruY1An0RnFo4DnKQ5vA3YgJK3NbiSMjayUtN9sAWZ7dDONkOdTBTDSX
+wM1D4bY688ajHSHvsteeVIDBpDVpUl6pn5GUqcV1cRCV8dHXBxzYiNWjVVAxLXwk
+Y4le2oI1w6Ak9nNLY1N2311X3EFZqxTyJIPBvv3yZnw
+--- cc2VwKFT2Dqo/TYLZ/vPcWAkHoi/h6P1XrDmN2ymyXU
+	ˆ¯ÚÿÍÕO£x¯éöz’xþ`ô2³µì–<C3AC>´ç×Šÿ]W,ðcš p+òfÄq¤¬Dé–hÙ–ó€kÙòÝXMÌô‰"áp‡dX…åwÃB9µŠ‡zsÕ,pJá,úä¹þÚµ6<C2B5>}x¦úÛâA¨VªÛq›-Â2{¢<Ü<
--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@ -1,6 +1,19 @@
 let
-  lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n";
+  hosts = {
+    hetznix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk8n03VeShc0q4ztcaNrmScwM7u0j6fFVtmupy2RlM2";
+    lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n";
+    t490 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvtcGJnc94k6wCPfvK9oBvGey0WWVCR8IYSqg5vqage";
+  };
+
+  users = {
+    opdavies = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDkkbYaCD9NUIQT0NnsmlyfepwjxBYeiJSBCotOpdPTyc5inFAd29DiVw98j4skfaHdzjcqWmMFmDQWM6tGkK7eg8n0WuaABmsjdEbzTtfjHwM0tRDCIh5AtoT4IvoLhwLjEI2jKM05BGCQ2m5lS//AYJK1DjiV4UH+IjXHz6oy/3eFzQwANjxWS+mbR565p21yuAu1DKEyaGeVzT1xDhgzlnZG7Cys/rFgUYpIvYDHMOFxG6hsDB8vqyHiTXniniti5tdvGGYHgRGQcynRTU12aerrqHTIOefrElXJdf3/PA8FIY/Pd3MmZocY/vvQe0EVHXWrNtnHOF3MFQ1tFyfubKO51Dcp9KmzHnyBvO4CtvGVr/upSVWfo0I/EqkIqvCvBbdSIPeH9V5hAcyWENGF4Wf0/Yqtc0dBhfXJmPVBsC2ghZp9oERK+h5Xs7DpzkT0vtkN+wjgA5weIuG8e2UVNO29LWASzlychVqb7BVa6kNn5CyGwauyIGsYvAFnUjkyJpK8qleNM3VO5x9aw26IhSKlnSE9PAdX8p7PpdoWfxWRekKTc4h6iAe7pFOENvuokAvCNsE5LolR4VrYKXjA0m3nupDNWYexAWfR3lSeSlKd9nD3OENS0biJKayZHs11iDUTxm5u5gm/U60b4z0zDXjh1H/DI/pSCG6jjaXDpw==";
+  };
 in
 {
-  "tubearchivist.age".publicKeys = [ lemp11 ];
+  "cloudflare.age".publicKeys = [
+    hosts.hetznix
+    users.opdavies
+  ];
+
+  "tubearchivist.age".publicKeys = [ hosts.lemp11 ];
 }