oizys/hosts/algiz
2024-12-12 16:54:41 -06:00
..
caddy tidy up caddy setup with alternate frontend to match dayl.in 2024-11-15 14:51:53 -06:00
default.nix simplify modules included in generator 2024-12-12 16:54:41 -06:00
hardware-configuration.nix nixfmt-rfc-style now 2024-05-06 14:32:00 -05:00
pkgs.nix only use flake jj 2024-12-06 11:17:20 -06:00
README.md setup attic on algiz 2024-10-29 16:58:36 -05:00
secrets.yaml add public key for algiz; fix keys for each file 2024-11-28 21:33:47 -06:00
services.nix tidy up caddy setup with alternate frontend to match dayl.in 2024-11-15 14:51:53 -06:00
system.nix setup attic on algiz 2024-10-29 16:58:36 -05:00

algiz

Setting up git user for use with gitea originally

sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key"
sudo -u git cat /home/git/.ssh/id_rsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys
sudo -u git chmod 600 /home/git/.ssh/authorized_keys

/home/git/.ssh/authorized_keys should look like this:

# SSH pubkey from git user
ssh-rsa <Gitea Host Key>

# other keys from users
command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <user pubkey>

To point gitea/forgejo to the shim gitea binary for SSH I symlink the current system version to /usr/local/bin/gitea.

ln -s /run/current-system/sw/bin/gitea /usr/local/bin/gitea

Setting up Attic

Generated a key using command provided in attic docs:

nix run nixpkgs#openssl -- genrsa -traditional 4096 | base64 -w0

And wrote ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="output from above" to /etc/attic.env

I generated a token to configure the caches using the following command:

atticd-atticadm make-token --sub daylin --push "*" --pull "*" --validity '1y' --create-cache "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*" --delete "*"

If I handled secrets via sops or agenix I think this could be stored directly in the repo. I also had to modify the firewall so that docker would forward along the requests by caddy to host.docker.internal correctly.