commit de6235b125b90cb14f0731097b4d159d5e842b14
parent d23ae183369a1bf99058028dc282159d358bc14b
Author: Vincent Demeester <vincent@sbr.pm>
Date: Wed, 28 Feb 2024 15:43:45 +0100
Update some secrets and add minica certs…
… to the trusted store
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
5 files changed, 91 insertions(+), 20 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
@@ -4,11 +4,9 @@ keys:
- &wakasu 81f3a3b3720f8cab8c53e2f88fd25835fc9db1e6
- &sakhalin 8b80ab02638ab9c34f6c21bd69928b5908e10cbf
- &kerkouane b8b02c0885a74753f8fb53f031f0386f20f3e4ec
- - &naruhodo 5722867ac621fd15d2dfc7eab7bfec55a117c1bf
- &shikoku c7ebcb8e935bda9466e98b1a659af87ff4f5ab02
- - &k8sn1 298092af3b4de6f5a6cb51a14f2247aa4fa91e04
- - &k8sn2 0ebe388f6827fe2eace1055d0b23ac2723c1de53
- - &k8sn3 95233a9c933a7ff9d7a6ca9a531bfac356b8f712
+ - &demeter 131c2eeb1c88c9b8bc76485df4c7efebe0e72441 # ssh root@demeter.home "cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o demeter.asc"
+ - &athena 73cb7209eb57f9450adbaa3a5cdf368d4cf82a42 # ssh root@athena.home "cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o demeter.asc"
creation_rules:
- path_regex: secrets/servers/[^/]+\.yaml$
key_groups:
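Review bot: The comment on the `&athena` line still ends in `-o demeter.asc`, so anyone re-running it as written would overwrite demeter's exported key with athena's; it should end `--run "ssh-to-pgp -o athena.asc"`. Both comments also pipe the host's private RSA key to the workstation, which is what ssh-to-pgp needs, but a short comment above the two entries would make the handling explicit, e.g. `# reads the host private key over ssh; run from a trusted machine, commit only the public .asc`.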
@@ -18,14 +16,12 @@ creation_rules:
- *sakhalin
- *kerkouane
- *shikoku
- - *k8sn1
- - *k8sn2
- - *k8sn3
+ - *athena
+ - *demeter
- path_regex: secrets/desktops/[^/]+\.yaml$
key_groups:
- pgp:
- *vincent
- - *naruhodo
- *aomi
- *wakasu
- path_regex: secrets/wakasu/[^/]+\.yaml$
@@ -53,18 +49,20 @@ creation_rules:
- pgp:
- *vincent
- *shikoku
- - path_regex: secrets/naruhodo/[^/]+\.yaml$
+ - path_regex: secrets/athena/[^/]+\.yaml$
key_groups:
- pgp:
- *vincent
- - *naruhodo
+ - *athena
+ - path_regex: secrets/demeter/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *vincent
+ - *demeter
- path_regex: secrets/k8s/[^/]+\.yaml$
key_groups:
- pgp:
- *vincent
- - *k8sn1
- - *k8sn2
- - *k8sn3
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- pgp:
@@ -73,8 +71,6 @@ creation_rules:
- *wakasu
- *sakhalin
- *kerkouane
- - *naruhodo
- *shikoku
- - *k8sn1
- - *k8sn2
- - *k8sn3
+ - *athena
+ - *demeter
diff --git a/secrets/keys/hosts/athena.asc b/secrets/keys/hosts/athena.asc
@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=oeLX
+-----END PGP PUBLIC KEY BLOCK-----+
\ No newline at end of file
diff --git a/secrets/keys/hosts/demeter.asc b/secrets/keys/hosts/demeter.asc
@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=hn3C
+-----END PGP PUBLIC KEY BLOCK-----+
\ No newline at end of file
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
@@ -1,14 +1,16 @@
#ENC[AES256_GCM,data:7O65j/B/rT8dP+BU,iv:QGJ4COGJnYiT5qNb3wVnrNXOLQkTGXacKiiGS3TQXpk=,tag:McmYodqj55mFa+EchWWIMA==,type:comment]
msmtprc: ENC[AES256_GCM,data:+cdsMNfqLUwofXTpszZGT5kFoNMP47TSsEasYQZptLPahlvy56hRkpSNR95l4tzzAhV8aYncXoYX0cd1xScji0OfIK9aPWkGkNTNGFUWrqq6PE6vXnHHv4eLUnjvK5vALwnh4wORIZzxPl9Tb2sa1m821Au+W6rQHth5vpyhaJaE9CzoYZDzsazbJ4vlMDVSMAfd7B9GQlE2hBeHGOFCNeM2BQ3ArMrqAWoT+RteHHfdfLAhSUJEvFvhW0w24gyAod33m3aQa5ej+4j+N17fRHLzeB0EGAra74l7nV0=,iv:IVrcEHnhfFbKF2//rNuofScUAOKLPZNzwDOHuDrE190=,tag:q/iCFA4DMBUflY3GnDjrhA==,type:str]
u2f_keys: ENC[AES256_GCM,data:RyJUdCRmDkGNegHCsPjSpcKwnNWgHvceb84rsVGy81Hjrk2lDVj1r57rVNOddqA2Q/NRhfiKYuHDimMoC23G4TGJTcyTYNe6fVbQHEbekBhWdPg88uHrPQq9K3NXI2yv41/4Z5+w7mYhBsLvTnETY6ezQF4fZnrFRN1u2KVwuMfBEm3vJ17lfcrY6rnoyIGyVVZcvcNf17V6molponCRf/HwEWdbYGYc2uwfON7YyGEj3hzag2+UgoO+5WGbJdvtq47y6i+uXs0s1fmTT+PdofdHEKtl/n7Bh4BbCtsrK02zrQ==,iv:WAsRUgsVl5XQm7is2kCJAeKGLDNn9DiWQ4Bo+Ma9CXo=,tag:5w3NMJJjplfFtTdUWtDPZQ==,type:str]
+minica.pem: ENC[AES256_GCM,data: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,iv:5KCxs7IvYRf/I8arpx/GIp4NWuwpRUPYi5iLF3+7sKQ=,tag:UtZF3AINSzmAzfCO2L35gg==,type:str]
+minica-key.pem: ENC[AES256_GCM,data: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,iv:4SsPbQUFxNhbi3tcN8kJiqBGTazgF5v/+mOeZIp16u8=,tag:Bnp+s6hOyije75LpheWypA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
- lastmodified: "2022-08-19T15:19:13Z"
- mac: ENC[AES256_GCM,data:VQzhbXwSiB1HNMDO/Wx+V0oMjKOXfCXdpsJv6Q4I/oGzxYvDVNOIw68Du69L8zuzZuvAm3PmQnTcnvowf1WOaEoKjOXYbkVfOupTc+ohOq9x6cvSrAbrbXvXdS2CHvYWOMtFHU1tqRtySVsHEHzVcEyHyev/sVNN9EhenNpb3+4=,iv:nA2aPRyIqkr+DzuP4n6vix9kQXyGOCcoqE565IVfDRg=,tag:Rl70x2gWK5aOcBc8D1gJqg==,type:str]
+ lastmodified: "2024-02-28T09:54:14Z"
+ mac: ENC[AES256_GCM,data:5K99BVHzeyV21fehznA24K+DSt4xXEXxG9r0wtLZgJmMuSo7EydELi3pU4lGoOeLQ43RpNaKzOhiez2+0rUFUL83RkKX5T6AYqMychl/TIxQvjoLM3L+KJbRHDUoAAW4Tzsto9V4R+oZaWGKjbmTaEmD2+seABq6aHr+WdXEQg8=,iv:1ZUCTz4/XqfOJJ22hIVvARvHhkA+gqI0HmLE7L7Onzk=,tag:QNEU3SZ5iJvz6UMYyS4CFQ==,type:str]
pgp:
- created_at: "2022-08-22T09:53:19Z"
enc: |-
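Review bot: `minica-key.pem`, the CA signing key, is added to the shared `secrets/secrets.yaml`, whose rule in `.sops.yaml` (`secrets/[^/]+\.yaml$`) lists every host key, so a compromise of any one host exposes the key that signs certificates for all of them. The hosts only consume `minica.pem`, so the key would be better kept in a separate file whose rule lists only `*vincent` or the one machine that issues certificates. The recipient list also looks stale: the `pgp` entry here keeps `created_at: "2022-08-22T09:53:19Z"`, and the next hunk's context still shows `fp: 95233a9c933a7ff9d7a6ca9a531bfac356b8f712`, the `k8sn3` key this commit removes from `.sops.yaml`. Creation rules apply only when a file is created, so `sops updatekeys secrets/secrets.yaml` followed by a data-key rotation (`sops --rotate --in-place`) is needed for the removed hosts to lose access and for athena and demeter to gain it. Most of the `pgp` list is outside both hunks, so this should be confirmed against the full file.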
@@ -206,4 +208,4 @@ sops:
-----END PGP MESSAGE-----
fp: 95233a9c933a7ff9d7a6ca9a531bfac356b8f712
unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1
diff --git a/systems/modules/core/default.nix b/systems/modules/core/default.nix
@@ -1,4 +1,13 @@
{ config, lib, pkgs, ... }:
+
+let
+ common = {
+ sopsFile = ../../../secrets/secrets.yaml;
+ mode = "444";
+ owner = "root";
+ group = "root";
+ };
+in
{
imports = [
./boot.nix
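Review bot: `common` sets `mode = "444"` for anything that inherits it, which is right for the public `minica.pem` but would make a private secret readable by every local user if the set is reused, for instance for `minica-key.pem` from the same `sopsFile`. A comment on the binding would make the intent explicit, e.g. `# world-readable on purpose: public certificates only, never inherit this for keys`. A narrower name such as `publicCert` would say the same in code. The attribute set that inherits from it is in the next hunk.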
@@ -20,6 +29,12 @@
'';
};
+ sops.secrets."minica.pem" = {
+ inherit (common) mode owner group sopsFile;
+ path = "/etc/ssl/certs/minica.pem";
+ };
+ # security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" "/etc/ssl/certs/minica.pem" ];
+
# Only keep the last 500MiB of systemd journal.
services.journald.extraConfig = "SystemMaxUse=500M";
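Review bot: The `security.pki.certificateFiles` line is commented out, so this hunk only places `minica.pem` at `/etc/ssl/certs/minica.pem`; as far as the visible lines show, nothing adds it to the system trust bundle, which is what the commit title announces. The commented form would probably not work as written either, because the sops secret only appears at activation time while `certificateFiles` is read when the bundle is built. A CA certificate is public, so it can be committed unencrypted and referenced as a path, `security.pki.certificateFiles = [ ./minica.pem ];` (placeholder path), and I believe the cacert bundle does not need to be listed since NixOS includes it by default. The enclosing attribute set starts and ends outside the hunk.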