traefik ssl and sops-nix

system-config/configuration/homebox/.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &primary age1z20c7s7aw4jwdnfqp85lzx9gg3zk396x5pdw9gwzgvxs932m7d7qlhhwre
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *primary

system-config/configuration/homebox/default.nix

@@ -86,9 +86,9 @@
         hostName = "homebox";
         nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
         networkmanager.enable = true;
-        firewall.allowedTCPPorts = [ 22 80 443 9080 9443 8080 ];
+        firewall.allowedTCPPorts = [ 22 80 443 8000 ];
         hosts = {
-            "127.0.0.1" = [ "blunkall.us" "www.blunkall.us" ];
+            "192.168.100.11" = [ "blunkall.us" "*.blunkall.us" "*.local.blunkall.us" ];
         };
         nftables = {};
         nat = {
@@ -102,7 +102,7 @@
 
   users.users."nathan" = {
     isNormalUser = true;
-    initialPassword = "7567";
+    hashedPasswordFile = config.sops.secrets.nathan_pass.path;
     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
     openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop"
@@ -151,7 +151,7 @@
       "/var/lib/nixos"
       "/var/lib/systemd/coredump"
       "/etc/NetworkManager/system-connections"
-      { directory = "/var/lib/colord"; user = "colord"; group = "colord"; mode = "u=rwx,g=rx,o="; }
+      { directory = "/var/lib/sops"; user = "root"; group = "root"; mode = "u=rwx,g=,o="; }
     ];
     files = [
       "/etc/machine-id"
@@ -159,10 +159,20 @@
       "/etc/ssh/ssh_host_ed25519_key.pub"
       "/etc/ssh/ssh_host_rsa_key"
       "/etc/ssh/ssh_host_rsa_key.pub"
-      { file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
     ];
   };
 
+    sops = {
+        defaultSopsFile = ./secrets/secrets.yaml;
+        defaultSopsFormat = "yaml";
+
+        secrets = {
+            nathan_pass = {
+                neededForUsers = true;
+            };
+        };
+    };
+
   programs.fuse.userAllowOther = true;
 
   home-manager = {
@@ -209,7 +219,7 @@
 
         virtualization = {
       
-            traefik.enable = false;
+            traefik.enable = true;
             
             gitlab.enable = false;
         };

system-config/configuration/homebox/secrets/secrets.yaml

@@ -0,0 +1,21 @@
+nathan_pass: ENC[AES256_GCM,data:9DUrW2JFWwwscRmMgNoYrMU0nrSDbz37tw+wershMsRxhSavUmQCVEkz8zZ71OguAh+2vIxWBaVk9lzL/wOMFY/vPX7Z5Jq4og==,iv:rDxMkKDVxcrehzM0MKN0nQ/+WW8MA69qiNNoeTHJ2h0=,tag:VMGwTtbPwjIhyfuhc2ArGA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1z20c7s7aw4jwdnfqp85lzx9gg3zk396x5pdw9gwzgvxs932m7d7qlhhwre
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUnNKWUVkV1d0STBNSFR4
+            c2RTRTN4K2x0Q2R2QzZoYzNOd2RGNk10SkFFCkxlTDduZzhZeHNSd2JmVjgwVzVW
+            SGozTFVpNW9kaUIvWEtWb3BGeGtrTVUKLS0tIHBXYS9xK2ZuUnZ6UTBFV3Y3MWU4
+            SGxFWjlLSVVNVDAwRTdXWENLK2x0ekEKh7NiaCQn6yvT6kyYFOXCiGv6C3PSOAky
+            Od5kW3fBMftfv1qrlhA4svT8s6KeM0ynbfNgb5wKtpZ/nfXYkcrmGw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-02T22:56:51Z"
+    mac: ENC[AES256_GCM,data:PVwC5OP3CDiCUTxNwPrxSgWbMp9EuAKP88tmHvrrxnT2IQ68V9THFjajnuNiEkkVvHG9FPp/R0in8nT1NoepaDEZkheyUYq1hKzRoGWxjwQwsvrjeTyUP50++Z/zW2KkOdqaB3r+eblpCxzgyd8FH8LcXRCeC9xq4p0mub3MNSs=,iv:jTIgFV0NydDOJ8cESsiY4mvQc76MbNfi8cM4CrWY2P8=,tag:6u90UUoTBA7lXlkfKoiI8g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1