Add Caddy ingress with sops secrets

Poby 2026-05-22 13:45:40 +09:00
parent a06f0fb5f6
commit e70822e6e4
6 changed files with 95 additions and 0 deletions

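--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+- &poby age1qeyrh6e40nek3da4mnj298cy2l3aswe7432us30d2p93akcvp9zqext63j
+- &yggdrasil age10zgc2lj0j8zfetrysupdumftrq2esmud2xru2hn5228rk6v45p2sa2t4k0
+- &midgard age1g2fpds2u6rz02pejpr05uu7r596fz5gvwz4jg7sahjktp67n39psukvng9
+creation_rules:
+- path_regex: secrets/[^/]+\.yaml$
+key_groups:
+- age:
+- *poby
+- *yggdrasil
+- *midgard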
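Review bot: The single key group gives all three age keys — including midgard's host key — decryption rights over every file matching `secrets/[^/]+\.yaml$`, yet only yggdrasil imports `services/ingress.nix` and consumes `secrets/ingress.yaml`, so midgard can decrypt a Cloudflare token it has no use for. A per-host rule narrows this to the keys that need it: `- path_regex: secrets/ingress\.yaml$` with `key_groups: - age: [*poby, *yggdrasil]`, placed above the broad rule since sops applies the first matching creation rule. If midgard is meant to be a standby for the ingress role, a comment next to its key saying so would make the broad grant deliberate rather than accidental.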


@ -43,6 +43,7 @@
./modules/users.nix ./modules/users.nix
./modules/ssh.nix ./modules/ssh.nix
./modules/tailscale.nix ./modules/tailscale.nix
./modules/secrets.nix
disko.nixosModules.disko disko.nixosModules.disko
sops-nix.nixosModules.sops sops-nix.nixosModules.sops


@ -2,6 +2,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./disko.nix ./disko.nix
../../services/ingress.nix
]; ];
networking.hostName = "yggdrasil"; networking.hostName = "yggdrasil";

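--- /dev/null
+++ b/modules/secrets.nix
@@ -0,0 +1,9 @@
+{...}: {
+sops = {
+defaultSopsFile = ../secrets/ingress.yaml;
+age.sshKeyPaths = [
+"/etc/ssh/ssh_host_ed25519_key"
+];
+};
+}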
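Review bot: `defaultSopsFile = ../secrets/ingress.yaml` lives in a module that the shared module list imports (the `./modules/secrets.nix` line in the other hunk), so every host's default secret file becomes the ingress secrets even though only yggdrasil imports `services/ingress.nix`. Any secret declared later without an explicit `sopsFile` will silently be looked up in ingress.yaml, and the file presumably ends up referenced from every host's configuration. Keeping this module host-neutral — drop the default here and set `sops.secrets."cloudflare/caddy_env".sopsFile = ../secrets/ingress.yaml;` in services/ingress.nix — keeps each secret file tied to the host that needs it. A one-line comment on `age.sshKeyPaths`, `# the host's ed25519 SSH key is the age decryption identity`, would also explain why no separate age key is provisioned.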

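--- /dev/null
+++ b/secrets/ingress.yaml
@@ -0,0 +1,35 @@
+cloudflare:
+caddy_env: ENC[AES256_GCM,data:MaLxUa/oooLT9VlTQl81q6Q5yOxWuiXbo9Lcrww4sfk2CmbP/Oj0pxqtb7I9c7ge2UNtidnatAFUqLfHXlW3Zt9iENceQVxW3/86,iv:I+qNH4obhnXMpVxhcJgakzsWNj1lMyoN/6UCQ12id2M=,tag:BTD5nvHp1Aj7D7MtxmaoMA==,type:str]
+sops:
+age:
+- enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Vy9wMVZwNldSazA1S3cz
+TVJuQkhOaDBHN1hJV3NaMHNrSGMzL3VSNmhFCkJVZmxvdzdrTHoxbjBYbHBqa3h6
+anQ2enRuU2tpQnBpUUx6L0ErTWhkMUUKLS0tIG4zLzFqMzJ6bG82by9YNzRtQnI4
+RXhQYUFMYU9RR1RoRUVnNWlpdGJ5MlEKxlbHUBR/MoDV/nyWeX32m112/BXr32wH
+l+50eSrbbpLjD6WSG0i3D7Dxoq5yzkHxGeO40/zZyMsc4OjdqboeqQ==
+-----END AGE ENCRYPTED FILE-----
+recipient: age1qeyrh6e40nek3da4mnj298cy2l3aswe7432us30d2p93akcvp9zqext63j
+- enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bFVUclVDM0lUanYwU3lh
+QWZWZmVkQTBnWWx0Z3NaK3NOYTBRaFdtbFdZCmJGdE83Zk50ckRPY2tWT3l4TXoy
+ZGJPMkI3dzMxRzRkaG1acTBNWUZWQ2MKLS0tIE16WmxmS1EydTJ1bm1CNmwzeG5q
+ZFhtVjVqaUJoRUJ5OXBCQThVUU5HbDAK9P1OnxXycp7Fv4XKIunZpNHR4Os0ocKI
+N826u7XI8mEtO2ml6uIe9SITl09c36g32w21oIFHvk6X/rLLmAHA2w==
+-----END AGE ENCRYPTED FILE-----
+recipient: age10zgc2lj0j8zfetrysupdumftrq2esmud2xru2hn5228rk6v45p2sa2t4k0
+- enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArcGoxekJNTUJJQXlxUjlz
+NGU2dWZwcHNLbWNXOE5IU3lsNXNMN3dpa2cwCnR2bm9BVFRPRjN6TjQxZVh1NEV2
+TW9NNEkzemZRM3NyajlFQ2ZFamptNzAKLS0tIGFzZVgyNVJmNmxudEd2d0JiU0hk
+QVUyKzRLMzJWVEJvVDdpYVRSblRVNU0K9W/w/HlX3OlmZsLDkyfhmsZ7nBhVAczj
+TdZcEc0hUy/9cIv0v8p6acz2XNgBUYXCF3ORJMOsvH/pLbyoEj3rng==
+-----END AGE ENCRYPTED FILE-----
+recipient: age1g2fpds2u6rz02pejpr05uu7r596fz5gvwz4jg7sahjktp67n39psukvng9
+lastmodified: "2026-05-22T03:50:15Z"
+mac: ENC[AES256_GCM,data:Lj/Ff7GjrZLlojVFiNqVWCwmNXD40T43y/fF2G7N1dWrlSafwzG+lOk35uXYn2n+HdrKD8Y2VTywgHX7gZupYOLQjkttrLnKy0/4s2PHpWyaHjE1g/GlIDjRz2VvVGO3w8A6GICNtbMO1HvwT93XFja1dyaRQ9RZ2XmY46FBE2s=,iv:p5NlMSsRCwos3aeCdf7KYuh4bPVWfVEuWpHSINMOC2Y=,tag:7GpIySJIaSj1+KyXYKutVA==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.13.0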

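--- /dev/null
+++ b/services/ingress.nix
@@ -0,0 +1,37 @@
+{
+config,
+pkgs,
+...
+}: {
+sops.secrets."cloudflare/caddy_env" = {
+owner = config.services.caddy.user;
+group = config.services.caddy.group;
+mode = "0400";
+restartUnits = [
+"caddy.service"
+];
+};
+services.caddy = {
+enable = true;
+enableReload = true;
+package = pkgs.caddy.withPlugins {
+plugins = [
+"github.com/caddy-dns/cloudflare@v0.2.4"
+];
+hash = "sha256-vNSHU7txQLs0m0UChuszURXjEoMj4r1902+1ei0/DaI=";
+};
+environmentFile = config.sops.secrets."cloudflare/caddy_env".path;
+globalConfig = ''
+email smg981024@gmail.com
+acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+'';
+virtualHosts."http://yggdrasil.tail6fc192.ts.net:8080".extraConfig = ''
+respond "yggdrasil caddy ingress ok"
+'';
+};
+}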
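Review bot: The interplay between `enableReload = true` and `restartUnits = [ "caddy.service" ]` is not explained: a reload applies Caddyfile changes but keeps the running process's environment, so a rotated token in `environmentFile` only takes effect because sops-nix restarts the unit when the secret changes. A comment on the `restartUnits` line, `# reload keeps the old environment; a rotated token needs a full restart`, stops the next reader from removing it as redundant next to enableReload. The `hash` in the `withPlugins` call also deserves `# fixed-output hash of the plugin build; update together with the plugin version`, since a version bump without a hash bump fails the build. I cannot tell from this hunk whether port 8080 is opened on the tailscale interface, so the test vhost may stay unreachable until the firewall is configured elsewhere.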