diff --git a/.woodpecker/sync.yml b/.woodpecker/sync.yml
index 2e27599a..c8667d21 100644
--- a/.woodpecker/sync.yml
+++ b/.woodpecker/sync.yml
@@ -4,10 +4,11 @@ pipeline:
image: nixpkgs/nix-flakes:latest
pull: true
commands:
- - export AWS_ACCESS_KEY_ID="nix-builder"
- export AWS_ACCESS_KEY_ID="nix-builder"
- export AWS_SECRET_ACCESS_KEY="$MINIO_NIX_BUILDER_KEY"
- - nix copy --all --to 's3://nix-store?endpoint=bolty:10000&schema=http'
- secrets: [ github_token minio-nix-builder-key ]
- volumes:
- - /var/lib/woodpecker/nix-store:/var/build-nix-store
\ No newline at end of file
+ - echo $AWS_SECRET_ACCESS_KEY | sha256sum
+ - echo $AWS_SECRET_ACCESS_KEY | wc
+ - echo $GITHUB_TOKEN | sha256sum
+ - echo $GITHUB_TOKEN | wc
+ - nix copy --all --to 's3://nix-store?endpoint=objects.cyplo.dev&scheme=https®ion=cyplodev'
+ secrets: [ github_token , minio_nix_builder_key ]
diff --git a/nixos/boxes/bolty/default.nix b/nixos/boxes/bolty/default.nix
index 1e60e376..94305bae 100644
--- a/nixos/boxes/bolty/default.nix
+++ b/nixos/boxes/bolty/default.nix
@@ -11,7 +11,6 @@
../cli.nix
./home-assistant.nix
./matrix-server.nix
- ./nix-store-server.nix
./print-server.nix
./restic-server.nix
./woodpecker-agent.nix
diff --git a/nixos/boxes/bolty/nix-store-server.nix b/nixos/boxes/bolty/nix-store-server.nix
deleted file mode 100644
index 37faa40e..00000000
--- a/nixos/boxes/bolty/nix-store-server.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- networking.firewall.allowedTCPPorts = [10000 10001];
- services.minio = {
- enable = true;
- region = "home";
- dataDir = ["/var/lib/minio/data"];
- configDir = "/var/lib/minio/config";
- listenAddress = ":10000";
- consoleAddress = ":10001";
- };
-}
diff --git a/nixos/boxes/vpsfree1/default.nix b/nixos/boxes/vpsfree1/default.nix
index 4e99e1e3..dc26ca7f 100644
--- a/nixos/boxes/vpsfree1/default.nix
+++ b/nixos/boxes/vpsfree1/default.nix
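Review bot: The added `echo $AWS_SECRET_ACCESS_KEY | sha256sum`, `| wc`, and the matching `$GITHUB_TOKEN` lines write an unsalted digest and the byte length of both secrets into the build log, which is normally readable by far more people than the secrets themselves; a plain SHA-256 of a credential lets any log reader confirm a guessed or leaked value offline, and the length shrinks the search. They read as debugging for the secret rename and should be dropped before merge, since the `secrets: [ github_token , minio_nix_builder_key ]` line is the fix that actually matters. If a presence check is still wanted, `- test -n "$AWS_SECRET_ACCESS_KEY"` and `- test -n "$GITHUB_TOKEN"` fail the step without printing anything derived from the value. The `®ion=cyplodev` in the new `nix copy` URL looks like an HTML-entity rendering of `&region` on this page rather than the committed text, but it is worth confirming the file really reads `&region=cyplodev`.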
@@ -24,6 +24,7 @@
./ssh.nix
./syncthing-relay.nix
./woodpecker.nix
+ ./nix-store-server.nix
];

systemd.extraConfig = ''
diff --git a/nixos/boxes/vpsfree1/minio.sops b/nixos/boxes/vpsfree1/minio.sops
new file mode 100644
index 00000000..12348043
--- /dev/null
+++ b/nixos/boxes/vpsfree1/minio.sops
@@ -0,0 +1,52 @@ +{ + "data": "ENC[AES256_GCM,data:rV9BvMKjwi5ZRPXnM3AM2hIm/+jBfAH9/qHiSP8/cfK+/9GbQekBqg1EllR9Bih3ozIt/B804rVD+RfzgpTghjcJF3b0G1oIICaZGpWeVsw/rhV9/kPGgpl7N9buxMA=,iv:6VCjNaqO8gCxvdPPPf4vr76O7lRFSY+sDxgj7jXTK+0=,tag:UeIT7zd/bmYHhtuWuutuLQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdWxTMktqSzdPRGZwNUNL\nY093cUZQTjdneUNzKzhKQktNSm9zelBkWkVNCmRMcG1PMDlXWjJzeWMydFJZVXFO\ndWFqY3l5ZVRwL1QxTG1LdXhFbTcxaGcKLS0tIEdxU3llYnM2WTcreDJ5ZUpIdHli\nTG9NMk43UjYxMmJjUEFRWXllZm9waW8KcnUXPHfN6EKjqM545Zcn+P4IQvRwRIGt\nUcnAy0EcjbuORFccNVzAGHxEmgRK5tTgQg74tmILae/gJBuWx0NSZg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZR1krYUdrQzBxYmNreTN3\neGQ5enB1WlNSMVl2WFBtUVJMckRVN25Uakd3CnMzb05ML2hkbDhIb0VrQVYwbkhm\neXoxWUJMLzdTRU94cDNRT2dOYjdjM1EKLS0tIDdyOXZyVEJIb1VOd3Y0Mzk0ZDNw\nSTFXcFF1Ry85Tm1HaUllQ0tYTXlOV2MKqew16SiHRmcRpZuTthzc/g4NTEXhzPvm\nHR2v9BQ4fITSCBPztIGBGqQpAcgowVVX0mK+rwUqPzQF1MFHXZWg8g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aWptd0FnVERsMjJDLzBo\nQlVVTXZNUzZkWUNLc1dTamI0czI3MHduRW04Cm9mc211REt1cDVJZVhKNkJiMENv\nakozQ0pyWFpRd01PR0NTenJtNDNna0EKLS0tIHZ3Zlk1R1FUVEdkenVDQlJoRVQv\nTXJBbktZdDBFWGhjOFZQVmY1UkZmWUUKsvLDTknIrV1ek6ZSfVimvkOg1A/mvb1u\n4wj4tTgmWPURHzuN1h6TrwitTI65ai+TkxT3EHpHg2RdVxdAL3RwVg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYWliWGRVc3BLQ005cFlX\nRmNISDhiRnNmYk5vUFZ4NW9wYnp3ekZYWnk0CktHQm1MakZFaFlWRUlZUlNCOXl4\neGphNzZaWnIzL1hieWp0c0xvakJETzQKLS0tIFBuc3o0eFU3U0pkR1A4R1Bvdmc2\neURUbHhLM3dDcGJzOUFFWmtZZHJhY2cKOXjOUhXCd6e5YBxtAchLo/v46rAXMznX\n9xfVwdiNQtdGzOjG0zhXuvh/TzJfPUJ9f4UcwlhxxQXyHrVIsN+NNQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZGphdFkvTXBjMXBuR3F0\nejBNZmtDT0tUdTVWeURvNmxNWUVWb3NQK3dvCmVJV2dlMWlQMTNRVWtZTlRUblgy\nWWRkUk9zU1luUk9vRkhzVDFab2NYMzAKLS0tIHlzOTc0R0lYTDhTQ1lRL1ZHL0NP\nUytTRXhqdlE2MnlsMlNTamt3OS9LVEEKqlqd08N0hWdLmf3UqD12bVLm4AAGHYa1\n/iUgvJycBhm1j/GjhRDfUz5vTnlIiaDqb/J7dNjZduE0shWQiHDsiA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqN1RrL3VSSkpmZXVlUWtE\nVDBnTUlhUE9UNjhreDRrckZIODBZb3I5WDBZClFYM0FnN05ob0crS3VSeEtPNVhP\ndWRoL0E1SXNOcU5pSS9ES01IWHpDKzAKLS0tIFZJRmROV21nQUhWOE9xVklaS0JI\nSmxDZDJTckY2MiszdlJXbmdDU3k4R2MKhRJVDbfDgiXjWz+pi8dPA7Cj6JvdAFfa\nX/a3LTC1vM9Qok1X0Tm9P/UFRg1+Njf/3p1LH7JwWZWEIk2upmztvQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VmpqOVdRL09BRDRob0t3\nK2NvZGFvcndNdFFNNGFsVnA3U2RlekE0YVFBClA1aHBrYmFGdnFWYVhSS1RpWGdo\nZC80aDA1YUgxa0QrMi9Xa0NFV29pa3MKLS0tIGY3dzY3M01ad0kzcjJxalE4R2tM\nQlZqeUZqeHF4bG5qQ3FJcm01QmRyTEkKDEH0DE+p7OlmR+SrUmzVL1/rNE/NBH+n\nsRUKodw+/k4b+qlLFl6TBL/OJ8zBi+WlxcKCCfaKldYUZK8tBQL0pQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRjVPOHJoMlFZRUdHNFRm\nY084NXNWOVhEUmZwRXlmS29JN2YraFJaaFU4ClkvSkNHZExYQXp3VGVSbmJXeHBZ\nVGdvL2VnWG80Sk5OS1NMQWpVVEhySm8KLS0tICtiSU9OYk51RGtYYTR4WTg5UEJZ\nV1FZZWpWejVBYXE5cnkvbHY2SG1LUGcKLQpYLeyjI7o5/g6BZTxpeGyTgZ2y6PRm\nxqe1BEYru4DOZ24W10ivUh+K2R6KC0SM0e3sQoDilPKG+n4wmEr1bw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBscy9rSytHd0VrM0VrcHo4\nMUtIT3BZYWtvb3RJNER2Ykx4TGlHcFZDM1Y4CkhOWTlPN0ZwRjdJN2JnMnF4MkZG\nODE2VGlqZXRKS2lEdXJBVXY5SHpsbjQKLS0tIFAra1JWNzVXVWpnaHlDamFnK29k\nUzgwdE5oU3c1dXhuUmJ0a3Jpc2JNQnMKmj8TU894VDHC37IqwFXn6WxmcNZXZwd+\npgyhIJMsK0fxihYOFk8HP0yVu6LHWT5VwEk3y6obiH/e79bFqoacww==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2022-12-25T21:58:29Z", + "mac": "ENC[AES256_GCM,data:6+iTqSB22pIGWnpH2BoyA/NKul99wzYjc2XkhgIhHyOks77A8Q/5Al2Cx+0nPO/c/CDHzLmmgq1u+mu93S9hyAyUgdeH5ZYLxZAUHa1E+YKuAkMOHfv4F3H75K7PWoToZpoRLDMo7Kx7YXfx8MKFnKr9bOTSvc0DUFI9nmyIKLw=,iv:CCqNpmAb2Y/yQx2YaQ2LfmvvZnNCmqKZECzHuWRXJVo=,tag:mDSgzazfJKqXIrYfPypiIA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/nixos/boxes/vpsfree1/nix-store-server.nix b/nixos/boxes/vpsfree1/nix-store-server.nix new file mode 100644 index 00000000..1e8d18e9 --- /dev/null +++ b/nixos/boxes/vpsfree1/nix-store-server.nix 
@@ -0,0 +1,38 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ domain = "objects.cyplo.dev";
+ adminDomain = "objects-admin.cyplo.dev";
+ objectsPort = 10000;
+ adminPort = 10001;
+in {
+ services.nginx = {
+ virtualHosts = {
+ "${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {proxyPass = "http://127.0.0.1:" + toString objectsPort;};
+ };
+ "${adminDomain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {proxyPass = "http://127.0.0.1:" + toString adminPort;};
+ };
+ };
+ };
+ sops.secrets."minio-env" = {
+ sopsFile = ./minio.sops;
+ format = "binary";
+ };
+ services.minio = {
+ enable = true;
+ region = "cyplodev";
+ dataDir = ["/var/lib/minio/data"];
+ configDir = "/var/lib/minio/config";
+ listenAddress = ":${toString objectsPort}";
+ consoleAddress = ":${toString adminPort}";
+ rootCredentialsFile = "${config.sops.secrets.minio-env.path}";
+ };
+}
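Review bot: `listenAddress = ":${toString objectsPort}"` and `consoleAddress = ":${toString adminPort}"` bind MinIO on all interfaces, so the forceSSL nginx vhosts can be bypassed over plain HTTP on :10000/:10001 unless the host firewall closes them; the deleted bolty file opened those ports explicitly and vpsfree1's firewall settings are outside this hunk, so I cannot tell from here. Since both vhosts proxy to 127.0.0.1 anyway, binding to loopback removes the question: `listenAddress = "127.0.0.1:${toString objectsPort}";` and `consoleAddress = "127.0.0.1:${toString adminPort}";`. `nix copy` now sends NAR uploads through the objects vhost, and nginx rejects request bodies above its `client_max_body_size` limit with 413, so `services.nginx.clientMaxBodySize` or a `client_max_body_size` line in that vhost's `extraConfig` likely needs raising; verify with a store path larger than the current limit. A short comment on `sops.secrets."minio-env"` saying it holds the MinIO root credentials consumed through `rootCredentialsFile` would spare the next reader a trip into minio.sops.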