[vaultwarden] add vaultwarden key and rekey secrets

2026-02-05 18:22:59 +01:00
5 changed files with 8 additions and 75 deletions
--- a/.gitea/workflows/autoupdate.yml
+++ b/.gitea/workflows/autoupdate.yml
@@ -1,42 +0,0 @@
-name: Weekly Flake Update
-
-on:
-    schedule:
-        - cron: "0 0 * * 4"
-    workflow_dispatch:
-
-permissions:
-    contents: write
-
-jobs:
-    update_and_check_flake:
-        runs-on: ubuntu-latest
-        env:
-            NIXPKGS_ALLOW_UNFREE: 1
-        steps:
-            - name: Install sudo
-              run: |
-                  apt-get update
-                  apt-get install -y sudo
-            - uses: https://code.forgejo.org/actions/checkout@v6
-
-            - name: Set up Nix
-              uses: https://github.com/cachix/install-nix-action@v31
-              with: 
-                github_access_token: ${{ secrets.AHTLONS_GITHUB_TOKEN }} #Fuck github
-
-            - name: Run nix flake update
-              run: nix flake update
-            - name: Run nix flake check
-              run: nix flake check --all-systems --verbose
-
-            - name: Create Gitea PR
-              uses: https://github.com/infinilabs/gitea-pr@v0
-              with:
-                url: https://git.dynamicdiscord.de
-                token: ${{ secrets.AHTLONS_GITEA_TOKEN }}
-                commit-message: 'Update flake.lock'
-                committer: 'malobot <malobot@systemli.org>'
-                base: 'master'
-                title: 'Update flake.lock'
-                assignee: 'ahtlon'
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -21,7 +21,6 @@ in
      inputs.self.nixosModules.malobeo.metrics
      inputs.self.nixosModules.malobeo.users
      inputs.self.nixosModules.malobeo.backup
-      ./dyndns.nix
    ];

    virtualisation.vmVariantWithDisko = {
--- a/machines/fanny/dyndns.nix
+++ b/machines/fanny/dyndns.nix
@@ -1,25 +0,0 @@
-{pkgs, ...}:
-{
-  sops.secrets.njalacloud = {};
-  sops.secrets.njalazines = {};
-  systemd.services."dyndns" = {
-    script = ''
-      KEYCLOUD=$(cat /run/secrets/njallacloud)
-      KEYZINES=$(cat /run/secrets/njallazines)
-      ${pkgs.curl}/bin/curl --fail --silent --show-error "https://njal.la/update/?h=cloud.malobeo.org&k="$KEYCLOUD"&auto"
-      ${pkgs.curl}/bin/curl --fail --silent --show-error "https://njal.la/update/?h=zines.malobeo.org&k="$KEYZINES"&auto"
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      User = "root";
-    };
-  };
-  systemd.timers."dyndns" = {
-    wantedBy = ["timers.target"];
-    timerConfig = {
-      OnBootSec = "100s";
-      OnUnitActiveSec = "10m";
-      Unit = "dyndns.service";
-    };
-  };
-}
--- a/machines/fanny/secrets.yaml
+++ b/machines/fanny/secrets.yaml
@@ -1,10 +1,11 @@
 wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
 shop_cleartext: ENC[AES256_GCM,data:sifpX/R6JCcNKgwN2M4Dbflgnfs5CqB8ez5fULPohuFS6k36BLemWzEk,iv:1lRYausj7V/53sfSO9UnJ2OC/Si94JXgIo81Ld74BE8=,tag:5osQU/67bvFeUGA90BSiIA==,type:str]
 shop_auth: ENC[AES256_GCM,data:0NDIRjmGwlSFls12sCb5OlgyGTCHpPQIjycEJGhYlZsWKhEYXV2u3g1RHMkF8Ny913jarjf0BgwSq5pBD9rgPL9t8X8=,iv:3jgCv/Gg93Mhdm4eYzwF9QrK14QL2bcC4wwSajCA88o=,tag:h8dhMK46hABv9gYW4johkA==,type:str]
-njallacloud: ENC[AES256_GCM,data:HBFew0tXEYG34G0N5hab9Q==,iv:q4PgqLJkST5exS3fYOQoAN9AubcfYafdjhhRQAIe0Yc=,tag:SZeM1ZcszSJeNo7uZfS0bQ==,type:str]
-njallazines: ENC[AES256_GCM,data:dySUyb1/IBGfjvyGx4iF1Q==,iv:dq60RACMotAzZoiv3+DTx4X6+HK8Wg4CMVzDi3qr6fA=,tag:niHK/B8xYIcEfjHuPkKaQw==,type:str]
-njala_api_key: ENC[AES256_GCM,data:ohSVzQUvFjia/s9WceqnZCdLyk3N1Lm2BCBmXeBlkWD2dyrohKCnd9GiJ499IORpuYcOXyM=,iv:Uczk8op5mgqe8gefxgU9YuTqOsYvjzHCKvzA7GDsgio=,tag:XA7JRq/LsGkpHcQSO36Whg==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
    age:
        - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
          enc: |
@@ -24,8 +25,8 @@ sops:
            QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP
            SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-20T19:08:38Z"
-    mac: ENC[AES256_GCM,data:PnCsmzbOji2iD3cwOl3vkXNMZJjxXqfxLuzlQgczwbHzDRXS9Xma2HuoQ9rnraA4CGc0LCgD/E2X0/LlL2lYks2Rh5Axd1kuBIn3pg2ihvzEAb+zBfnLzFGJW7xq4XJHB+OOnr4301cGFD8aPxlI6wrPeY6qu06rx7hGjsKrNTE=,iv:lhsVRbUUvUYrvC5EutX5Hn9O4tzfmED9TvRpt75qY9s=,tag:fs90cns6OeCaKUE6L0sG/A==,type:str]
+    lastmodified: "2025-04-14T10:34:55Z"
+    mac: ENC[AES256_GCM,data:vcDXtTi0bpqhHnL6XanJo+6a8f5LAE628HazDVaNO34Ll3eRyhi95eYGXQDDkVk2WUn9NJ5oCMPltnU82bpLtskzTfQDuXHaPZJq5gtOuMH/bAKrY0dfShrdyx71LkA4AFlcI1P5hchpbyY1FK3iqe4D0miBv+Q8lCMgQMVrfxI=,iv:1lMzH899K0CnEtm16nyq8FL/aCkSYJVoj7HSKCyUnPg=,tag:mEbkmFNg5VZtSKqq80NrCw==,type:str]
    pgp:
        - created_at: "2025-02-11T18:32:49Z"
          enc: |-
@@ -66,4 +67,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
    unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.9.4
--- a/machines/vaultwarden/configuration.nix
+++ b/machines/vaultwarden/configuration.nix
@@ -38,7 +38,7 @@ with lib;
    backupDir = "/var/local/vaultwarden/backup";
    environmentFile = config.sops.secrets.vaultwarden_env.path;
    config = {
-      DOMAIN = "https://keys.malobeo.org";
+      DOMAIN = "http://keys.malobeo.org";
      SIGNUPS_ALLOWED = true;
      #WEBSERVER
      ROCKET_ADDRESS = "127.0.0.1";