VSinerva/nixos-conf
1
0
Fork 0
Code Activity Actions

Lock down cert-store configuration

Browse source
This commit is contained in:
Vili Sinervä 2025-07-04 18:17:49 +03:00
parent c2d7adeeaa
commit 08fe3acc3e
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
2 changed files with 27 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

8
secrets/cert.yaml
View file

@ -1,5 +1,5 @@
cert-fullchain: ENC[AES256_GCM,data:n/d0lrFRKlwpcuq1AgTylS0vBjEbzeNV/+h6ypuz72XZroDy8ZOhpQAnhuO53jOMQveB8R9I6cZN+U9xnyhHcosj5eun/IZTdbBtZN00FGZk/+1SnOKZLh2xS56qiOlazuwlZiuvIH2diNrStg0+Y/vrS7co8AG2cADQJo6kN6s2C5UqZqplMTcRFSmy+c/DkwwgKeka/2ADfsivdxyy/4nk8GZoKHeRq7plyVXRg2apcQx/eBnP7xteOVBx0D24lSsBskpAi9y7NdObsCq8ppXtmjZhnBvj+Lb9a1cniBqmX7IiaLsL2LAuSBvh5UK9KblM8DrE+h4pv36lBDP4wVCk3wNjyVssba5ySUGSjfe0mcq6W2Ixj6yyyZx/4J8QdzAM9X6gLX3Kxf2CXiQDggqfI8lP+Y4j5aGtZULUl0aE9RuZ7YI5uLSX7Yexx59ZkNsjjTpUOrDc6x9WMKOO5vwjyxNWycnSjdHUf1nuEzON8yehNcsOrAxQl0X7NlhsNjdQdgs9YbG/7Z+pYlu1TV/FbVv1WTeZ0p8tgXBNLMmXt+HaLd5cJIi8dLK/Gqe3nNChGLjA5sETYZXQ+Gf+ZaSmzBAnwUzm6ENj7gkOIZA5q6AthTaoT6wLFAiP1LnI290qEtIp1kp98/GmhpLwhIqTsPohNia7SPtfkA1PHn4uhTZXxVsjBV3994SK1yrpx4Wr/JlSzdPzfhnKR12D0HSVVBtPHIGjrMnUo/pDmQOjoL+jzowMbwwuARrO3cCvM+gSJYHUxuUOSNiz7vBFwtrSgs8uER8yh4i5ODImLGDh9/HpYyh69BmYIxn8SNygZCdMpJsc05r1Nt6aWwAugYYv85JEhhLHIGs3Xsas8sPRUboLA8hiVwubUFkBOLCbck/PqMGL7/R9Hrime7oyUq9nKyH9Z8Ad/AmljxYMK3RaCkkK8bNwuH7WnmvN/VRj4LsnYrSDuYUIU+g9F1nOEHFKyHnG9lPlXaYtiobucMyHNyBtGS3QQ+Bx70yU6OHjOarmFuSc9LpYosh5tDORbdInW4cG0wE/fbz0iqEQpdtAERBk5fzQ8Ovif0lNDwJuyvhsOhoTa3rWUHAa+AUUgzV/IDwi/0rZZrymXgvV1c3bqDR9UKsoaqt1ibvjlVG9TcJNfWUgPPkYIWUcBTb+YcD18hb/XKrH7Z+WnRQWOr1IvkZxLGnt3A+7m1ckilU15hcrLN9rz+Hxt9rJcpNLpn0HXrMYVQRhN1jTFJ890ASHAU1MfHKCArL64r3imTX/1VxelQwVJRgqZrbAXc0X2Iijstsj6OkO4runBtjUNV0+nQgQl2QNTHpemzKkom1vAF99KdHFA8dLQrsZRWz4tSkNJqE82wKDOZ2SP7qlrNCaJGOLZuOddOwhBQjHJT6jZH9OFN3Y45aMjVDD3cayqJeVMEJXEnreEB+f4Va/ydh9JQ3wsdQ1155fAlcmJqnaXGmdOsC+2NSjPbSbT6mvhI08zyMZj/UM1j94aFRfN7fianbM8lNgCvXjUGFujsNNqw4vesbLJ44Hp4fV9ZkWwRs1MJkNOcf/n9HOXLMvRXpvd+Aa30ZtxikdT2/xgRJXvsN/s+4tV6aKwtBrwoqx2xNqJjoOdy9tI8oL8z+E2yI7iZYQvyI9a+M5gOEtpWSjxTAqH7lYx3fZSYNx6/DcAmAFRjwzXHrEabp0+ANvHHfFi4XwJ579s3+H5sjqkjOieaKoN5NBsrl1QWaS7yaAeGuIvH2Wv6yLJ0ErQ+tHPajmPyUasviN0K5/Du0oON80BLhrBSZ7tYyNOFUB5cn0KcM/rw/x0DRG5H+TPbRwqOQ2akSllb6sUENP149ki3xA2K1Odya7VF9z4DmgDB7vjA1YQPisPtmEtaMMHmT7UelPNddQAlcBffB3mwCiL+vuiKG2Tw9w8jo9sybtZdmxTOG01lAiYbBiBxTOad08+/G44uY6vtwiL46dA4B12cJPwlZIjGmrTJxqOoVDaqtcqXRVqYMDrvcBMKOsEU9eOns7xRj/rlg09+cDTDa4H22PuIc50rIfJitsx0nNRkKfH82AyCrESNWy9NtYHHVcyKRSIDUA9YPq+8/oaU0Mjfi1UkMar8e1S8lVuCT8BuaHJgpxGGoN3aYtR04y6nY90I/1Zm0immJUvZyhhFUOO5fQ798ngPXQvHcMU8q4+B+o4iCu7o29ASYWmkEl/Pdw/loS3IcJeIGuErSzgtE+sRPPOc/aaLahzP4edLVt6GwOyrHPjomjuPpd9x/8kMcdG+Jt5NYVFp/YAXPCMCTD1g2hlPNZYX4O75Wo/ZLmg+B+Ml31NuEvmXB/QeC6cz7XmJV6jGGwzZcDzK+4xLYQ21rrhLJuePqaepllBqzuitjPxTYmHWcSor2AEk2tTzR0qdYfGH612kOQlnr5m9ForrMkYo4qkEaS36G0/kk4TCYWyYQ1amtkDDgeYOV//EM9nDA+I9Y2cCv1t2OP5los/k4W/Q5w2FjyKMeUGybYCbewvN0JdNsJdcIdZh9Pz81AJeVnuYc+eGQDIf7tDd9+4BB38P8/kKVVkQiBrfzdVORc6neK6t8v6LfrXinhDo2W9qxA1M34X2wonrZAwDbfnfJmQkVAuaWNbaLI66eYCFoFNJ12K0EjywX7Yo77fEqnsv1s22jfeS8M1TCqDBQh1un0ls/qiGoxaH/eQUQRm1S2r5r+1Oix2FJNbI1mz+imbmd+7fzjfzCfWB5515Hkf/oByhvriyBWKPiuOz+wEdt4BTTsldL/uELiGd085lch35s36oa8vydsUumyRT0bGogzazfoUVclx7f+4UwXduZF21/WWPHDroVfUT6S1EvXXD37gYFdJ81+tdrmKyRMfJUgbZRKJApr5zAVM1XhmbKtfH3DEsx2tV3EOaQ6pba8SsASi1vmxIv0cxAF7Ne1bOJKeeS0i35Ntv8jqB0+30X/aH6m6QEIj0GPkC4Tvk4V6OjhneIkzBj7oEG10wCNjZx/hbEHwns+PDX1E8QG1MZp/Eh/Nd4+KKg9JJOqc1DOTLrubtOnUy9XGszKWqdDvW7PqwG9fcqb4xAJaqz5kIlBDbvrsyMkCjFL49U2nlOGmpfHcgli2qXqvS8ihJKznoREOiPcMwOQAb41CGX1iRY1ZVlspBuDN7zAMCxjtwzMLKT46oMexNGOxe54/M+37azbHdqFrLOuHcnrSYvv9KbCeXqNbN2LsvqKUbM3fDe2o+gW0V1Qk6V3ycdWTc/Scpcb/ycqJJOIfkAnj97e9JKbDZqCDfMDWlhgVYxWiuoo5dy7vlq7SgI42ysW/Uge7uEmch4xWweXBui7d+TQqGqgohzgr7REuKG8xpib4Zo8EpBMJqx6lxa4lZdjQfPQiwDYpH3IZLGGLZa8PzKXPxZFhWP6Cz2ikyt4Js2AromV+tXwV6xYQIqWawkmC4qKPOv/ZysJ0vgKqPbVdJxFuaue6FbY6NgoSMO5UyCv8uVQoNLp6pm2JnN2pPLGLPjenZyCD+Bc11+lk3s/1yp9kFn1UKwNOHReO88tc+6mcwPyDxQfhGZD/uhisBQqPERmX3ozUN0ahFQVy8eabvELg42rrJ7XmFZuBF/QnsNXzOcAAviRT13JHcgBXrJOYYy+ZcLkzl+0MZNhmzHzIbNC6nRIXr4ZRW9dxqGifhc0ioC5a/BQe1aZz6nKDR0FZzuKT8f9/1Hjiwh8eRzX0l6KyV0oAcKZOjcNi/DzmZu2IggoJ4QStb9QLIX9pnsxgjk0AYpLMGpbTOcq6JjWJOQXPoMy/mulUW+rgrsmlvTW6mSyBW6EnjdxvGVvjjyyWXI78nciA8UgUvYfktigwe/2CBm+7bn27IZAJKYYIl2uXA==,iv:hNkoARfvWv+HY6quh7RZ9RrHmAdeUvuugmzqrs5co9s=,tag:Oz11ZZNiHzeS0dwrLle5Ww==,type:str]
cert-key: ENC[AES256_GCM,data:TdX5og58bjLff/+MNFCykpBp/c2TNXE3m8fJhXsh8yqlhtKNf22iZKdEg2SwEioMZXsniNYtw9zOpr101EZt4paiOehnuN80aTSw/ZLdqTbRb4S5K2fmeKTBx3sgrNCjuJK2g0vwF10qnrsYybqoNnvs7Ee77En245QlwYskt0PEVmFjMKZ45ba9ydGZoSH3vnRl0i1L58gA3UZR7R3zApBguQNFnZ7fvCoM4/6HCTgrdos5adJBjxSOzr7DZc8AtcUV3oNzOiEvtWJs+Ssf55ugMjH2uuTaxZFtBHPbzwHNahYHOJd7Nf1YMTugMw2M40bc90mDiAoeW93rHKPOsuf26zPN/MxY129MZmkgoLEeRssB88i69mLCAiyVrQ2v,iv:hZBs9WUBgaux/dw0I0TwZFtsXrBuDxwsBJw7KQGxCJ8=,tag:C0/955Kec/O78xadypUHbA==,type:str]
cert-fullchain: ENC[AES256_GCM,data:Je+VXA==,iv:L7Etp0jtZ3Mbbe7F6MkYWVlMASobG9BTdwHzbr50Wic=,tag:+gZClJLaIWXyuKUzuk5vLQ==,type:str]
cert-key: ENC[AES256_GCM,data:TMy5OA==,iv:2+uIS4apAwKJBu9CsFEImf2VGiuEcAqq9c53elsWpfg=,tag:NT6ubuX5J8td6wl102gQAg==,type:str]
sops:
age:
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
@ -47,7 +47,7 @@ sops:
WERpVXdtSmIxZWZFbC9WMlpNVTU2MGMKt+25OBE3DEwsY5ZfEvejMZOvpJOj/FL9
qZr12aRaU4aoccwCZjjJsKwwqiaZnYdPJ5ShFsZXSMcSfik3dnY03Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-02T21:11:59Z"
mac: ENC[AES256_GCM,data:an4y6gci+Cm6RpJuFV9OUcUmZrMXUMFUD91BzWMFKTEDSgvdmh7BjuVFITlF2hR2HCOmGGjmosglqsQwMt46SNfRlFW8bcQUSh+NUbxa0YRNd84nZAtW2u8G7D48mZ0ajrUmkFyCa1WcIcY8fmwx0hKl/WOHMjeNouZVu3RzDSk=,iv:idzW6mjP2iUKeIW9LHxgRgm2M7EtXR5SOjPgmrBYJjY=,tag:XctkRR27gX21U8ndnVxYGg==,type:str]
lastmodified: "2025-07-04T15:17:24Z"
mac: ENC[AES256_GCM,data:c5J+9ElKKImHc9aBvyKOaagHciise0nffK7XzNsFHHLo5sPeYjSYwe+eHbGY7RbBSuwWN7DiFFthoh/hXNAP2ZLJbq7WtdnM+mDPEouqSmo01fy+DZWqliys/DbyYcyzF8mh27Ppkau+UY+cLQ4Zf+ZCHk7E6chc8T2BNXkM1+M=,iv:jLsEYL+HFf0oo1Lf1xjNM7wVkjWMgqOrxaodPDHTDPo=,tag:194ltngy2T6Kq6wZBf/6Lw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

30
servers/acme-cert-store.nix
View file

@ -1,10 +1,18 @@
{ config, pkgs, ... }:
let
update-cert = pkgs.writeScriptBin "update-cert" ''
cd ${config.users.users."cert-store".home}
rm -rf nixos-conf
rm -rf ./-.vsinerva.fi
if [[ $SSH_ORIGINAL_COMMAND == ${pkgs.openssh}/libexec/sftp-server ]]; then
eval "$SSH_ORIGINAL_COMMAND"
fi
export SOPS_AGE_KEY_FILE='${config.sops.secrets.cert-age-key.path}'
export GIT_SSH_COMMAND='ssh -i ${config.sops.secrets.forgejo-deploy-key.path} -o IdentitiesOnly=yes'
cd ${config.users.users."cert-store".home}
git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
cd nixos-conf
@ -14,15 +22,11 @@ let
cp ${config.users.users."cert-store".home}/-.vsinerva.fi/fullchain.pem ./new-fullchain
cp ${config.users.users."cert-store".home}/-.vsinerva.fi/key.pem ./new-key
if ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
echo "Old and new fullchain are the same, skipping!"
else
if ! ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
${pkgs.sops}/bin/sops --set "[\"cert-fullchain\"] $(${pkgs.jq}/bin/jq -sR < new-fullchain)" secrets/cert.yaml
fi
if ${pkgs.diffutils}/bin/cmp new-key old-key; then
echo "Old and new key are the same, skipping!"
else
if ! ${pkgs.diffutils}/bin/cmp new-key old-key; then
${pkgs.sops}/bin/sops --set "[\"cert-key\"] $(${pkgs.jq}/bin/jq -sR < new-key)" secrets/cert.yaml
fi
@ -30,6 +34,7 @@ let
git push
cd ${config.users.users."cert-store".home}
rm -rf nixos-conf
rm -rf ./-.vsinerva.fi
'';
in
{
@ -72,4 +77,15 @@ in
};
};
};
services.openssh.extraConfig = ''
Match User cert-store
AllowAgentForwarding no
AllowTcpForwarding no
PermitTTY no
PermitTunnel no
X11Forwarding no
ForceCommand ${update-cert}/bin/update-cert
Match All
'';
}