home

My NixOS systems configurations.

commit de6235b125b90cb14f0731097b4d159d5e842b14
parent d23ae183369a1bf99058028dc282159d358bc14b
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Wed, 28 Feb 2024 15:43:45 +0100

Update some secrets and add minica certs…

… to the trusted store

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
M.sops.yaml | 30+++++++++++++-----------------
Asecrets/keys/hosts/athena.asc | 29+++++++++++++++++++++++++++++
Asecrets/keys/hosts/demeter.asc | 29+++++++++++++++++++++++++++++
Msecrets/secrets.yaml | 8+++++---
Msystems/modules/core/default.nix | 15+++++++++++++++
5 files changed, 91 insertions(+), 20 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
@@ -4,11 +4,9 @@ keys:
 - &wakasu 81f3a3b3720f8cab8c53e2f88fd25835fc9db1e6
 - &sakhalin 8b80ab02638ab9c34f6c21bd69928b5908e10cbf
 - &kerkouane b8b02c0885a74753f8fb53f031f0386f20f3e4ec
- - &naruhodo 5722867ac621fd15d2dfc7eab7bfec55a117c1bf
 - &shikoku c7ebcb8e935bda9466e98b1a659af87ff4f5ab02
- - &k8sn1 298092af3b4de6f5a6cb51a14f2247aa4fa91e04
- - &k8sn2 0ebe388f6827fe2eace1055d0b23ac2723c1de53
- - &k8sn3 95233a9c933a7ff9d7a6ca9a531bfac356b8f712
+ - &demeter 131c2eeb1c88c9b8bc76485df4c7efebe0e72441 # ssh root@demeter.home "cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o demeter.asc"
+ - &athena 73cb7209eb57f9450adbaa3a5cdf368d4cf82a42 # ssh root@athena.home "cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o demeter.asc"
 creation_rules:
 - path_regex: secrets/servers/[^/]+\.yaml$
 key_groups:
@@ -18,14 +16,12 @@ creation_rules:
 - *sakhalin
 - *kerkouane
 - *shikoku
- - *k8sn1
- - *k8sn2
- - *k8sn3
+ - *athena
+ - *demeter
 - path_regex: secrets/desktops/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *vincent
- - *naruhodo
 - *aomi
 - *wakasu
 - path_regex: secrets/wakasu/[^/]+\.yaml$
@@ -53,18 +49,20 @@ creation_rules:
 - pgp:
 - *vincent
 - *shikoku
- - path_regex: secrets/naruhodo/[^/]+\.yaml$
+ - path_regex: secrets/athena/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *vincent
- - *naruhodo
+ - *athena
+ - path_regex: secrets/demeter/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *vincent
+ - *demeter
 - path_regex: secrets/k8s/[^/]+\.yaml$
 key_groups:
 - pgp:
 - *vincent
- - *k8sn1
- - *k8sn2
- - *k8sn3
 - path_regex: secrets/[^/]+\.yaml$
 key_groups:
 - pgp:
@@ -73,8 +71,6 @@ creation_rules:
 - *wakasu
 - *sakhalin
 - *kerkouane
- - *naruhodo
 - *shikoku
- - *k8sn1
- - *k8sn2
- - *k8sn3
+ - *athena
+ - *demeter
diff --git a/secrets/keys/hosts/athena.asc b/secrets/keys/hosts/athena.asc
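Review bot: The provenance comment on the new `&athena` line ends in `ssh-to-pgp -o demeter.asc`, which is a copy of the demeter line; it should read `ssh-to-pgp -o athena.asc`, otherwise the next person who re-runs the recorded command overwrites the wrong key file. Both comments also document pulling the host's private `ssh_host_rsa_key` through the operator's shell; running `ssh-to-pgp` on the host and copying only the resulting `.asc` would keep the private key on the box, and a short comment saying so would help. In the third hunk the `secrets/k8s/[^/]+\.yaml$` rule is left with `*vincent` as its only recipient: if the k8s hosts are retired the rule itself can go, and if they are not, the files it matches are now decryptable by the operator key alone. Dropping keys here does not re-encrypt files already on disk; see the note on `secrets/secrets.yaml` below.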
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEADrgDPC6Rgk0D4YpKomsg/edC6y9028A5rSA8ZKcRmJJKlC4IB2 +1laf0N81qOMHE5GGXRLj1ZMK+KAP+n69vmx29v34diJ8vacnvuvtymp1LTJAYgQ+ +045YZsQLvrz7mXVXVIeHUhOGHWBXMmUmtYLGYtHouBIJ81OvX85+8W0NyKSRWkiP +plPkX82hUiwa0d92/lNZGj4/tE1Hlayw8w8Iucj65QieFnarJxrsN9sp/h5J/06e +mCW8ZrVc6uxoIcso20YemltsrdAWoLEV4XSk2Ficzbiqf330+PyF0o/qsMgiSfEB +oSlwih9y7WAWypiDAGT/ZFI9An9UozJG/ydR984NT1am0h5F4134bRYRA7yu/E9P +opOLB9IXgzcch1hqFFQAUTFxDWso1tLQVz9OAYsyWUr6Xi+RBUfO9w+ZYmJJuk7/ +dLTb9kQsbZ1S5AuAiP3rkNixdVYNtMXxWXZh2OcJ9gbe64mZVLkhrrM3qaql+5sI +Xk3AbN2g7qtZ30dsm4xe6ZNLc4RV5+a0LP8qGN1mSZZq101CSDuD92kbU5MEoWNL +SzdDehfV30XatlFj8fylwPlSHymP0ZkGiL0hxRIXly0DmBUubwsskyf1LrE+Lpa+ +Rpj4TfqX8QZ/cngI9TYuz4Ul7DY2UOnam4fkwGB+DGb/S0heudQlYjr74QARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQXN82jUz4KkICGw8CGQEAAFnjEAAaD/XJEz4szl4U7NK4rWHC +CIqf3yEwh/2yUEe8C9t1UosH1h0FmtVGuR8wzwF3Rg7DohIWjKS97FjF3Z6GUwf1 +DVv7pOA3elw5D9LjR6fDZkhANH8TWvb49/KgTLqpGKr+Yq34A6qD7WTEmlL6Radf +3+zjI3CbHTW9U7AF/IKzZkdmgn6f/9XH8G5eCi7ynD9EBwYqNKoxk5w7kmJPLXIW +AkCa0Pfhvhe0eSXY+NzZPK51KmsnRxb8iOkCifiCFxGDIgVA5oIZGJrgTwxXK9wS +KHbHPfQ4cidOpN4nhX18T6F/wj2BmJSWx/AeybL4swHg75Bc2c9vVvAz0I8NbBIj +nKV2dn45vZHYtlYJxdcErzjtwafVxlDR0/UQX3VGQknI+96/u5gRRiQdRyTeWPCQ +AM032u8twQ8cOnIhYYh+ISYZFHhVVwfEfbB4OUucXfNMsUCy/S1Y3PAgQLtd1CoA +5y2+08myJC+FdtafZchxKGQ3MWd07+p1wOGyW3kYw3ah8/Opu77w75OcKnZ0/XhZ +Z92Aha6zbwloL7/nt5ZiP5tPZmaVnGzvYGl56EuRSZzCfty4HKP5/Jf35uQoR/Rs +Mbdeaq4k1S+k1eNqQDta42ENvP/sw+4Fsj+HfYuu9gZ/u/bQ96u7IYO7EeLZuL52 +Wlr7YwTaXEQpa0HfxCJzYg== +=oeLX +-----END PGP PUBLIC KEY BLOCK-----+ \ No newline at end of file diff --git a/secrets/keys/hosts/demeter.asc b/secrets/keys/hosts/demeter.asc 
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEADYMSck00TqlrsR1imhrxIJL9vFi4joIeTZePkcuTUOlyiuD/Zx +SPuC1k3lmmQ0ZDXSuy8uaAjLnAwoMfKYryc943ZRRT1dVHIq3V4artudLK/nxzno +XFqCZoqacj/6rSFqtVrCwWhSU8d1Anwn7uHFIIOe9z86rqbiVSg4q684s6YurFlD +h5woPEFnEr5wu4+ZAsgIWamyWvS9i8MTp+J5PsnzCNogYGfriT58NH7mQtjqR+p4 +Oiqyr4CtxlQloiO1bEiKF4tYJ4QFwVyjI0Bzx0MTFhgBtdOxA2RcpVIevgnoQlDX +5UI9W+crLnSIPrkVk1HLZIA2MQPgqgg6Zf2Sfy8RIkvrBP/FCjHQhF6mn4dA8uLh +v1rJ+OPlrzJ73PJ6wqj/n/FegdHBLauot6sjL4GgiiG45KpN5CkWJ5IDX2wFELsX +PnEt86V/ZfvSgyhyJ16i8MZ9xhodyM0+e/ykCaO8m3ZoxamkQ1LkUgVSPPoIm5+g +6w9SlmvZprVNtmQPGbnlNxPNMvnUl6YSM7qQvr8CQrxYhJM/SlQSZ/rnM0AS131o +9lAHc+huPZB/bmSoj0sIv+SviS8CTO8CEyxxXc/BlTqI29no2FMAP/0UmqwpJuyl +2hp+T79hGJgAbc2AEVNsL8Tdml+MoyhfJyFo82Z+F2FJFmJkiqiGqh94KQARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQ9Mfv6+DnJEECGw8CGQEAAPY2EAC6fbX4NP9BfOHOGwTdzYmA +EZYRIpsQlPwqkKlAU4o4t7nM6NiMfKhEM+1DoRKJm5e0oShCha0pR8TVy9frOg60 +BC6GD+H9IG+DiGB61ETNWShhLWLX14pTv1BAD71753kfX1a2OOc915mw+tevZsIi +Fdfrmk0ye4DBeUpKZu5TNIU8Wum/5+v4R79T4/jjfy5fYOInLTyvY64PA86HyAX+ +FBKWrgIrU2s3jCtaG5hsPmBr+0UYhyaDxC9JHA9K7ykfsD3h5a65qGOGwHUp/JkG +Csy/CGV0XTln9UelbPcgBZtNkUb/Wi0XToZm9Tl7QCkf3T7H6roGq+RxaUyXfeXp +rrHjM07EtYvvItTCFFHbPE11Ryqw+K04ibv8hh1IvMbwgm/atAJTyClITAx43BpS +mEkTNj0XxsLH93aHztIsTERwVKSzbptcGiHV7i+fCAUvi7VHVoWtosyotEzotWZA +3ijbstARcNfIAeYZxHQUzQ+KkZu3Uwp0zKi91DvQeNDZTqOcy8xJPMxXzpHT7zUq +bQVR/hFbTWqcKVO/xc2u2nBTyWd8hd95N+L3QZkUV6jOZ9QLJ+IDDhH+OowCPKaV +XTYvkPSig7by6gTiZ2cU7N8VewoF5DLcSMX6/dOEbW8Bw8DDDowDvP3x7HYvvW/N +h2LBDml4ytbIG4zlmlxl9A== +=hn3C +-----END PGP PUBLIC KEY BLOCK-----+ \ No newline at end of file diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml 
@@ -1,14 +1,16 @@
 #ENC[AES256_GCM,data:7O65j/B/rT8dP+BU,iv:QGJ4COGJnYiT5qNb3wVnrNXOLQkTGXacKiiGS3TQXpk=,tag:McmYodqj55mFa+EchWWIMA==,type:comment]
 msmtprc: ENC[AES256_GCM,data:+cdsMNfqLUwofXTpszZGT5kFoNMP47TSsEasYQZptLPahlvy56hRkpSNR95l4tzzAhV8aYncXoYX0cd1xScji0OfIK9aPWkGkNTNGFUWrqq6PE6vXnHHv4eLUnjvK5vALwnh4wORIZzxPl9Tb2sa1m821Au+W6rQHth5vpyhaJaE9CzoYZDzsazbJ4vlMDVSMAfd7B9GQlE2hBeHGOFCNeM2BQ3ArMrqAWoT+RteHHfdfLAhSUJEvFvhW0w24gyAod33m3aQa5ej+4j+N17fRHLzeB0EGAra74l7nV0=,iv:IVrcEHnhfFbKF2//rNuofScUAOKLPZNzwDOHuDrE190=,tag:q/iCFA4DMBUflY3GnDjrhA==,type:str]
 u2f_keys: ENC[AES256_GCM,data:RyJUdCRmDkGNegHCsPjSpcKwnNWgHvceb84rsVGy81Hjrk2lDVj1r57rVNOddqA2Q/NRhfiKYuHDimMoC23G4TGJTcyTYNe6fVbQHEbekBhWdPg88uHrPQq9K3NXI2yv41/4Z5+w7mYhBsLvTnETY6ezQF4fZnrFRN1u2KVwuMfBEm3vJ17lfcrY6rnoyIGyVVZcvcNf17V6molponCRf/HwEWdbYGYc2uwfON7YyGEj3hzag2+UgoO+5WGbJdvtq47y6i+uXs0s1fmTT+PdofdHEKtl/n7Bh4BbCtsrK02zrQ==,iv:WAsRUgsVl5XQm7is2kCJAeKGLDNn9DiWQ4Bo+Ma9CXo=,tag:5w3NMJJjplfFtTdUWtDPZQ==,type:str]
+minica.pem: ENC[AES256_GCM,data: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,iv:5KCxs7IvYRf/I8arpx/GIp4NWuwpRUPYi5iLF3+7sKQ=,tag:UtZF3AINSzmAzfCO2L35gg==,type:str]
+minica-key.pem: ENC[AES256_GCM,data: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,iv:4SsPbQUFxNhbi3tcN8kJiqBGTazgF5v/+mOeZIp16u8=,tag:Bnp+s6hOyije75LpheWypA==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-08-19T15:19:13Z"
- mac: ENC[AES256_GCM,data:VQzhbXwSiB1HNMDO/Wx+V0oMjKOXfCXdpsJv6Q4I/oGzxYvDVNOIw68Du69L8zuzZuvAm3PmQnTcnvowf1WOaEoKjOXYbkVfOupTc+ohOq9x6cvSrAbrbXvXdS2CHvYWOMtFHU1tqRtySVsHEHzVcEyHyev/sVNN9EhenNpb3+4=,iv:nA2aPRyIqkr+DzuP4n6vix9kQXyGOCcoqE565IVfDRg=,tag:Rl70x2gWK5aOcBc8D1gJqg==,type:str]
+ lastmodified: "2024-02-28T09:54:14Z"
+ mac: 
ENC[AES256_GCM,data:5K99BVHzeyV21fehznA24K+DSt4xXEXxG9r0wtLZgJmMuSo7EydELi3pU4lGoOeLQ43RpNaKzOhiez2+0rUFUL83RkKX5T6AYqMychl/TIxQvjoLM3L+KJbRHDUoAAW4Tzsto9V4R+oZaWGKjbmTaEmD2+seABq6aHr+WdXEQg8=,iv:1ZUCTz4/XqfOJJ22hIVvARvHhkA+gqI0HmLE7L7Onzk=,tag:QNEU3SZ5iJvz6UMYyS4CFQ==,type:str]
 pgp:
 - created_at: "2022-08-22T09:53:19Z"
 enc: |-
@@ -206,4 +208,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 95233a9c933a7ff9d7a6ca9a531bfac356b8f712
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1
diff --git a/systems/modules/core/default.nix b/systems/modules/core/default.nix
@@ -1,4 +1,13 @@
 { config, lib, pkgs, ... }:
+
+let
+ common = {
+ sopsFile = ../../../secrets/secrets.yaml;
+ mode = "444";
+ owner = "root";
+ group = "root";
+ };
+in
 {
 imports = [
 ./boot.nix
@@ -20,6 +29,12 @@
 '';
 };
+ sops.secrets."minica.pem" = {
+ inherit (common) mode owner group sopsFile;
+ path = "/etc/ssl/certs/minica.pem";
+ };
+ # security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" "/etc/ssl/certs/minica.pem" ];
+ # Only keep the last 500MiB of systemd journal.
 services.journald.extraConfig = "SystemMaxUse=500M";
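Review bot: The recipient set of `secrets/secrets.yaml` does not change in this commit even though `.sops.yaml` now removes naruhodo and k8sn1–k8sn3 from, and adds athena and demeter to, the `secrets/[^/]+\.yaml$` rule: the hunk headers `-1,14 +1,16` and `-206,4 +208,4` account for exactly the two new entries, so no `pgp:` recipient was added or dropped, and the trailing context still lists `fp: 95233a9c933a7ff9d7a6ca9a531bfac356b8f712`, the key that was `&k8sn3`. The new `minica-key.pem` therefore stays decryptable by the retired hosts' keys and is not yet decryptable by athena or demeter, which the `sops.secrets."minica.pem"` declaration in `systems/modules/core/default.nix` needs; running `sops updatekeys secrets/secrets.yaml` after editing the rules and committing the resulting recipient changes would close that gap. Since only the public `minica.pem` is consumed by the module, consider keeping the CA private key `minica-key.pem` in a file whose creation rule is scoped to the operator key rather than in the file every host can decrypt.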
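Review bot: The `common` set in the first default.nix hunk fixes `mode = "444"` alongside `sopsFile` and root ownership, which is right for the public `minica.pem` but, under that name, invites `inherit (common) mode owner group sopsFile;` for private material later. A comment such as `# defaults for non-sensitive, world-readable files from secrets.yaml (mode 444); not for private keys` on `common`, or a name like `publicSecretDefaults`, would make the intent explicit. The commit message says the certificate goes to the trusted store, but the only `security.pki.certificateFiles` line visible in the second hunk is commented out; as far as I recall that option is read at build time to assemble the CA bundle, so a path decrypted by sops at activation cannot feed it, and since a CA certificate is not secret, committing `minica.pem` in the clear and listing it in `security.pki.certificateFiles` would do what the message describes. The second hunk's trailing context is cut off, so the remainder of the module is not visible here.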