upgrade mastodon, enable db encryption
Some checks failed
use nix / build (push) Failing after 9m46s
parent
248542eee3
commit
a8a2393357
2 changed files with 69 additions and 0 deletions
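--- a/nixos/boxes/cupsnet/mastodon.encryption.env.sops
+++ b/nixos/boxes/cupsnet/mastodon.encryption.env.sops
@@ -0,0 +1,56 @@
+{
+"data": "ENC[AES256_GCM,data:CJuq9LW/PF/mUFJ5zB8Gs2rIre3gV++EmEd2GpSXEQ0Rt5UJckkQE2+yMunJqzS9c9s67Iu9R5i1o5nMd5Pze6I0nYmgVhi4aHOqpbdZLn+HuPmmSce+y/w4pEiAGyi8WlWpBTGIgBS5oNDZA0QYoC6rBw6COw4FKsDqj76MYDpT7IxN+PSn7Qs4yctfADQvyMoGw2E3YQKEoU1sGu/TvjRcze50sUNGIEAIiZMtPwAPUwPJ+QBc7LFudBTSc42nIVcsNMneRwx7OEl1zC0gOgzFLTPXP4RmrjYsnaAYY9I=,iv:kwpHJnM9gjFZbU3i4TsPZs0LV+1Sc/UWbpuv5ZKAhao=,tag:I3UNHBCt0nNsi0kDFsQO1w==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": [
+{
+"recipient": "age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2OXREa2hMR1k2aU9SYU1j\nbW9BcVgrZHFObUREU2VPWHVFcE5JbEcxRUdVCkFJRlN0VDVuOTBSbjNqa2oxNGRn\nb3pQaXcrbWhvc2NDRFRQL0JuZi9mOEkKLS0tIGhiNDdEYkJhY1hsc1JMa2RSUU54\nVDlaMndvZktzMjZiNUJ1MXdmNzRjNlkKjpGT5a9GtrPMorOpyIDaXC9ZVbIiB4Er\ncWVdG9Gyaq2SXDs0PXVlHETXqgDwCq1+NAm2L5Nr6y09PxHpr8HcHQ==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdTJocllDTDUrUWJWTllB\nUmQ2MUI4YlJWcVR4eTVmS205bHZnOENVTlJjCnoxaEd1c0dkQlM3dG12N2VIb1RL\nYnhhYXl6Z1cwaHlqUXhaRlluZVp2V1EKLS0tIDhSWU9XWGJqZGFiZUpGRGx5bU1p\nRDVMeGFiZ1B4czdQVVMxZ1RkMVh3WlUKrnh4gc++tmHf9jSAbNMoeKF8r14Qr55f\ndqTEAfZXA5LwL322e4Dk9O7Ul9dYB3qqel71a/xpY/pop9wexArtlg==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidEJ3ZXpreTNjRXVxSkQv\nbENpblBDREY1RVhJY29aWWlvYjkvOW9qVlZBCm1uUmJhWk5tMFlJdXZWalZ4Zmdk\nWmMxdHJUZmJnVnZCeTZGTlZMcG9PQ00KLS0tIHN4OFcxdW1HMEx0NmVsSERIWXJU\nU3dMbEZlTmtTYjFSRGN5Vi9FaWFUdkkKmzAqONXmgsLJWzNRu87NzV4n9i7EfZ5M\nKGtlJcJ950ZepLTcjbjEedWdrtW5OaHxtfqfoBfzuaUKad0wqNyp0w==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVmJHMmxBc1BhQ0ZGVjkw\nbWlQT2JhUzJyZzhjeDFkRnpCUTdSL0xWZEN3Ckx4SUs1VmdnSEdxdnA0ZCtINERt\nY1gvWTNSMmtHVWoyN2VKa2d0Qm52SU0KLS0tIG0zZ1RUaE9rMWY2MSs4RFFvUnZC\nenpJQWVwT2hBV2RVbHdPdDBiTWdVVDgK/8i1xDSpyoTDxEjzDFfhXf07guG8qKBU\n+htXOmuqMayYaRYyXUnY64swMg3BFVBCngxVstnB0rvgFis8mk5Zqg==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNG9SeE9GUVh0WCs1UFpL\nOEFFUzBiUXFyTy9CeWNCKzZSTmFVb0lxQVg0CkM4QW5vM0N3WStBZEVvTGhRSnR4\nTkVyQm9zOFZrVmJiYzFHR0RyZGt4dE0KLS0tIGV1NFQ3YTdjeEtQeG5lL0txR1Nk\nYUhTQzBWQnE3YUFzZy9OSWFoKzZXVVUKSUzhS+/BDiyqV6BOai9mzTpAkL0rEX4f\nx+NL/7IlHjcT5eABG9RyY1BZV2qi30M3B3Y8IVsoHeTxgYNCaqsCtA==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmeXlaMmUyMHE4UUFCRlVY\nMWFRUGhLcUFGVC9icTcrdjNIaGNmaDBqUFFBCjFvMElxRjNYRzE5ckZHa3hYV1hY\ndFo2WnZZWFdSaUtxZ1N4SDZSNHpDbjAKLS0tIEdrN1pUcTg1TlM0dHhQU0VLRFNo\nMkJmTWtUTmhiZHpyTTYxUXJ3M2ZSRWcKZI1hR4vVUlj/zPSbQYOszl8d4nLMakmd\nTys856uXePkcdIpO1/zzDnnY8yi2etZ+Lnih8qwtesGw56/qiozLYg==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age18vg9wvmj2jc8tdcyc202v46lvfndqfe3dse2hewx0snalpvk43fqc22n6y",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWemd2QlhtdVNhVlkxK29E\nS3ptcXBuSnIyb2FPMXUwdzlrckNPRXcxbkZRCnhSTE0wNDNJR3Vsc2RURVVVYWo0\nY0NwRzlNa2lNT3J4QWJObUJJVUgvRGMKLS0tIDFJNVg1Ti9ubVpmR0MxQUVodlpm\nYVI3ZEdlcmxsR2c2c2Nya0FkOW8rUnMK5l9AMoFrR6p7jLzZR9utBScCO7/bVBow\n7KuuqzP4AsTAVPrl4MX5cFW05xDQeXW0yTxx72jF0aEPRmFT4+f5VQ==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age108m6yx77k7aqcyesy4zmkulryzvyep6m92pflmldcnv3w5a0k9xqn5h7cx",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SWFUV1dIYU5WNUYxZHNK\nZ3B2ZVBrM3hqaXNCT1l3MUdqNUVPKzNTVmswCmNneW5tN3o0VmViejVTL3g0NVFt\nOEQ3VWMraWcxT250Vmc5ZlVQY0JQOGMKLS0tIEJtU3o3UXVQTlc0T1BXaTFuTFVY\na2hOTkdEWml4WE5xOEFVSnc0VHNhczgK3fKsIrr4/YESkOrSUC8XRnjMmlzbe95X\nBaguzZCEv6gOK16BMNFSZmPiW8dmDFQf12YAuFsYkJu6kA5p2N5cNg==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbFNEZmJxVUR5UzNMUjN4\naHYyKzZrNG8xazVZeFlEcjE3RFJZd2tXNFVnCktidThVQzZHaUdZRjBRcHVHRXp6\nNHdHNDBQU05iTEs0cEdNWFdJTmpQYkkKLS0tIFlFNXYrYlhXbXk1eGxwMmxaaDdr\nUlNmbE1MUGsyTUVpVm91a1lNY1JoNVEKfAywYmQyNMxnJ62X9qS5TaepRHNJ88Ew\ntTTFkevwgsVkKN094zV/dIguA/q36D0Mf5GzujoOMgC2L8GmAPUJuw==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTW12M1NSQ0RtSnRBaXpn\nT2tQWlBpT0dXVXVNQVZleDI1M3RXZmhWa0VzCjB2Qk1OZHBaajhYU3pqRy9jQ2Y3\nayt3cksvZml4WjFacUw0MnRudGZtNkUKLS0tIFhtYXdLQUdIV0hsVVp1RU5sTENs\nbmpVYXJFalZPYXN5M1lkek5JbVNQRE0KXJwFOAJ8yH6eKbDimB0wDhp6urSDM+Kc\nj+7yMIvgVdJTvxBgDH4sWr8snJWpjIYuNZLcCquzr7V/IUfTumPghQ==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2024-11-03T14:54:01Z",
+"mac": "ENC[AES256_GCM,data:usxqirIUsVZVeTtITVyyXgqf+Exm0rA4x+iwY5en+yMHxkEoFeMCuQ7FZTwSAq6AiMORgdyKNVzl+slPEnRC8Le2tYcWI7mtzWgZv36Ou3p9V035bI9Ev2XPDeKHr2u++sabv6ZS6FT7gfZROHwWNnmpZ7F1YVSjN4K8RcZpsTg=,iv:H29Hhc9/w8q/MeCupamKahAXMGvrvdhfUsgkwNmEJ5w=,tag:t/YSG6xrYDiLyVaDZHVHaA==,type:str]",
+"pgp": null,
+"unencrypted_suffix": "_unencrypted",
+"version": "3.9.1"
+}
+}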
|
@ -13,6 +13,8 @@
|
|||
mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
|
||||
mastodonDbSecretName = "mastodon-db";
|
||||
mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
|
||||
mastodonEncryptionSecretName = "mastodon-encryption";
|
||||
mastodonEncryptionSecretPath = "/run/secrets/${mastodonEncryptionSecretName}";
|
||||
uid = 2049;
|
||||
gid = 3049;
|
||||
systemUserName = "mastodon";
|
||||
|
@ -51,6 +53,14 @@ in {
|
|||
}
|
||||
// secretSettings;
|
||||
|
||||
sops.secrets."${mastodonEncryptionSecretName}" =
|
||||
{
|
||||
sopsFile = ./mastodon.encryption.env.sops;
|
||||
format = "binary";
|
||||
path = "${mastodonEncryptionSecretPath}";
|
||||
}
|
||||
// secretSettings;
|
||||
|
||||
inherit users;
|
||||
|
||||
systemd.services.mastodon-make-path = {
|
||||
|
@ -111,6 +121,9 @@ in {
|
|||
AUTHORIZED_FETCH = "true";
|
||||
DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
|
||||
};
|
||||
extraEnvFiles = [
|
||||
"${mastodonEncryptionSecretPath}"
|
||||
];
|
||||
configureNginx = true;
|
||||
enableUnixSocket = true;
|
||||
database = {
|
||||
|
|
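Review bot: The `extraEnvFiles` entry in the last hunk loads an opaque sops blob into the Mastodon units, and nothing in the file records which variables it must define or that they cannot be regenerated once encrypted columns exist. I would add a comment above the list, for example `# ACTIVE_RECORD_ENCRYPTION_* keys (presumably); losing or changing them makes encrypted DB columns unreadable, so back them up with the database`. The contents of the env file are not visible here, so the variable names are an assumption to confirm. `secretSettings` is defined outside these hunks; it is worth checking that it restricts owner and mode so only the `mastodon` user can read `/run/secrets/mastodon-encryption`. If the Mastodon module in the pinned nixpkgs also provisions these keys itself, two sources for the same variables would make the effective key depend on env-file ordering, so that should be ruled out before the first start.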