rekey secrets and update mini pc config

modules/collections/server.nix

@@ -28,7 +28,6 @@
     ../hdd-spindown.nix
     ../logging.nix
     ../motd.nix
-    ../static-ip.nix
   ];
 
   custom = {
@@ -44,7 +43,10 @@
       settings.enable = true;
     };
     services = {
-      kavita.enable = true;
+      kavita = {
+        enable = true;
+        dir = "/mnt/1tbssd/kavita";
+      };
     };
     hardware = {
       firmware.enable = true;

modules/misc/static-ip.nix

@@ -11,11 +11,11 @@ in
         description = "ipv4 address";
       };
       dns = lib.mkOption {
-        default = types.str;
+        type = types.str;
         description = "ip of the dns server";
       };
       interface = lib.mkOption {
-        default = types.str;
+        type = types.str;
         description = "interface to apply the change to";
       };
    };

modules/services/kavita.nix

@@ -6,13 +6,23 @@ in
 {
   options.custom.services.kavita = {
       enable = mkEnableOption "Enables kavita";
+      https = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Should it use https?";
+      };
+      dir = mkOption {
+        default = "/data/kavita";
+        type = types.path;
+        description = "data path";
+      };
   };
   config =
 let
   fqdn = "kavita-kopatz.duckdns.org";
   useStepCa = false; #config.services.step-ca.enable;
-  useHttps = true;
-  baseDir = "/mnt/1tbssd/kavita";
+  useHttps = cfg.https;
+  baseDir = cfg.dir;
   mangal = "${pkgs.mangal}/bin/mangal";
   githubRunnerEnabled = config.services.github-runners ? oberprofis.enable;
 in lib.mkIf cfg.enable {

secrets/create_secrets.md

@@ -1,4 +1,5 @@
-agenix -e secret1.age
+# create secrets
+`agenix -e secret1.age`
 
 
 example secrets.nix file
@@ -29,3 +30,6 @@ services.nextcloud = {
   config.adminpassFile = config.age.secrets.nextcloud.path;
 };
 ```
+
+# rekeying
+`agenix -r`

secrets/duckdns.age

@@ -1,11 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 yfCCMw bknEVINSpmzqbs669XXGW10WlRU2eYqM21nCra4Grm0
-UH/rieabfARVLfMojUzRpMV8OgQQegmkERr3OsudizI
--> ssh-ed25519 IV3DkQ ae0X4te6ZevvoybUP20LgE4ymTiisoBMfrZQBm0LHEo
-f9VxOHjo6W349d/T9DuH0KbQRHj+EXa+yascxnG/oEA
--> ssh-ed25519 DCzi1A vBpgN1TwpEv+mJNIMoHitLshG0q1RDTz3WrvRbRGnno
-Nc9I8WWXDDzCfOHkcbhqXjk0Fvp23f8QxiW6bdPix3Q
--> 5-grease ;gX' KVd. S[Du |%f:LC8
-g5R1yuzS9892Jf0N+RsaVg77389vLxeowKKcD/PM962AMYCe4iHdCw
---- u/d/x8qCopx23d4TiecnfbaL+l+JJu5i+yJqmU6XH/c
-4”‘n„~¡Xv€6ŒÉjÌ80ÄÚã}	_›=$H@ÒuÕ{Àqú·É/<2F>¬^+vÔ¹ÁOyˆ³‹E—p¢K3ª<33>L²âZ
+-> ssh-ed25519 su0Eyw abgbb/Gl03Gkn8FXt8OWvsQZIIkmp+9OJYJBARfuMHE
+C6btapYsEstmrPfOSzApBxo88PCVG0ECbJJ9ATvHwSo
+-> ssh-ed25519 IV3DkQ r1h8O7eotpWQ7R2MC/EgWsndd+V+YNJs6SEQqxY4DHk
+FRuoj1KMLoHYGYk+78cgQbtH6QN0LQX69LzS72zTeLA
+-> ssh-ed25519 DCzi1A S5japvaVIvNF8gB8d6lDMniYvWDhPXKxdHIypoYQiho
+us1sOKs3YwTQZEbgh3YgN6GgRDP7Na3KGdzTSqzENrA
+--- Nq1cKNge2TngWd41zf1sTneHozmQzGrFQ6y6qtXzRDs
+9<EFBFBD>1
+<EFBFBD>ºU ¤6¤®eد0n×¹‰çvª›¢[ðªfZ½ž(~½sY'™SG‰±fí€
û¯cÐ$ùŠÆ#yÚÓDk

secrets/secrets.nix

@@ -1,26 +1,26 @@
 let
   kop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeP6qtVqE/gu72ZUZE8cdRi3INiUW9NqDR7SjXIzTw2 lukas@Kopatz-PC2";
-  nix-test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVqEb1U1c9UX3AF8otNyYKpIUMjc7XSjZY3IkIPGOqi root@server";
   server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAUA7uVKXAF2UcwaIDSJP2Te8Fi++2zkKzSPoRx1vQrI root@server";
+  mini-pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKla9+Gj2i9Ax7cIdnTM6zsmze3g1N/qCPqhga0P+toU root@mini-pc";
   users = [ kop ];
-  systems = [ nix-test-vm server ];
+  systems = [ mini-pc server ];
 in
 {
-  "github-runner-token.age".publicKeys = [ nix-test-vm server kop ];
-  "github-runner-pw.age".publicKeys = [ nix-test-vm server kop ];
-  "duckdns.age".publicKeys = [ nix-test-vm server kop ];
-  "nextcloud-admin.age".publicKeys = [ nix-test-vm server kop ];
-  "nextcloud-cert.age".publicKeys = [ nix-test-vm server kop ];
-  "nextcloud-key.age".publicKeys = [ nix-test-vm server kop ];
-  "restic-pw.age".publicKeys = [ nix-test-vm server kop ];
-  "restic-s3.age".publicKeys = [ nix-test-vm server kop ];
-  "restic-gdrive.age".publicKeys = [ nix-test-vm server kop ];
-  "wireguard-private.age".publicKeys = [ nix-test-vm server kop ];
-  "coturn-secret.age".publicKeys = [ nix-test-vm server kop ];
-  "matrix-registration.age".publicKeys = [ nix-test-vm server kop ];
-  "paperless.age".publicKeys = [ nix-test-vm server kop ];
-  "kavita.age".publicKeys = [ nix-test-vm server kop ];
-  "step-ca-pw.age".publicKeys = [ nix-test-vm server kop ];
-  "step-ca-key.age".publicKeys = [ nix-test-vm server kop ];
-  "grafana-contact-points.age".publicKeys = [ server kop];
+  "github-runner-token.age".publicKeys = [ mini-pc server kop ];
+  "github-runner-pw.age".publicKeys = [ mini-pc server kop ];
+  "duckdns.age".publicKeys = [ mini-pc server kop ];
+  "nextcloud-admin.age".publicKeys = [ mini-pc server kop ];
+  "nextcloud-cert.age".publicKeys = [ mini-pc server kop ];
+  "nextcloud-key.age".publicKeys = [ mini-pc server kop ];
+  "restic-pw.age".publicKeys = [ mini-pc server kop ];
+  "restic-s3.age".publicKeys = [ mini-pc server kop ];
+  "restic-gdrive.age".publicKeys = [ mini-pc server kop ];
+  "wireguard-private.age".publicKeys = [ mini-pc server kop ];
+  "coturn-secret.age".publicKeys = [ mini-pc server kop ];
+  "matrix-registration.age".publicKeys = [ mini-pc server kop ];
+  "paperless.age".publicKeys = [ mini-pc server kop ];
+  "kavita.age".publicKeys = [ mini-pc server kop ];
+  "step-ca-pw.age".publicKeys = [ mini-pc server kop ];
+  "step-ca-key.age".publicKeys = [ mini-pc server kop ];
+  "grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
 }

secrets/step-ca-pw.age

@@ -1,12 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 yfCCMw OgXEZi4GHlh0htigcyT0c86ZlZvmv5ve6g0Dnk9mhS8
-57hPI3DO/2Lic5JZ/4Cgq1y0tYoZKc+E6LwS62Zi0kg
--> ssh-ed25519 IV3DkQ YG3gxtuOx5sfD7rwAClr+MrFzEgw2sgfpxzZDyT9nj4
-VIP3Hkk9ZBG9BHNPHt4C6LazylU6htJ6gmdamqAYLUw
--> ssh-ed25519 DCzi1A DcsbrGWEyzUB7QKGvlMU9CMB/bq7JVz/aSz7uJprQRg
-NpBDT786hL0GZNaY1IsDnU9iFxlYZs8ti1FAfBeHBIQ
--> z-grease |WDf ~K7q9K *xzH^n6{
-6G9KAajGo/o6dcYb/MAOE7AIIZKTTMrN9fh9ACkINLB38ZrREUCsrJDE90sx62nX
-MOJKZ3k4
---- ExlgUArhnqSMlZwWWoFdM/Ugc3fLKbQ9ZCguzqUIlkM
-ò<EFBFBD>F!º<>à0QÀ†¶ÎQm¾[ öeç«Ü6–M“ýÕûéxB
+-> ssh-ed25519 su0Eyw 6vviSJcXLLG9cOZb1owE2oudEYGqRfq9lk8Ulq9Gmj0
+OHuZl76lF83C8kMhoRMV6cMLR0LXVim/vG5hm+MqnCM
+-> ssh-ed25519 IV3DkQ DKxFE4xir6ykfEohvZOE/zh5dqb05mRRksapheXSfUM
+HkdZI6L96PLSXvnnfcMhaxB67JBjFr6pdfShB0FeBpY
+-> ssh-ed25519 DCzi1A kHrUepWwMDt6pgmETeclWpscQdWS/X0744mKn1C7kjU
+vrWA1Dapi5APp2EDXccCEEGV0j8YrRrC2e2Wfp75Vko
+--- StnQRDu2BAUK36iyf9lOUtWOwwwcNA7De2G3tSd1L2M
+c2“ímÚŸŸ¢Á}bö†EüßÖßFä"÷YVâìD_àSØE fhGû¡îJ63Íw:ëO§<4F>ùhu²2Í

secrets/wireguard-private.age

@@ -1,11 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 yfCCMw HoX1AI2rIYDJbfKRDRXr1ZRsNM1OVRVrr0XRnBD29FQ
-aM3HP0kxq9ACb2TFcb7f9rxKXFoT2Y9nEjL+XD3nHIM
--> ssh-ed25519 IV3DkQ EKn/xr5EWEev3stYXDGrzfLtwt2thJ+34e5eP1v4l0g
-raaOM6zpmokVCBKNWx9xHpsQJSpTbHHQeRbz2+wC3+0
--> ssh-ed25519 DCzi1A mVLJ1c2e1UOsTuDCKIwLliBz3OVBH8vGp/gICb8cyQY
-dXok0Tr56SdW5sf74IYk7rDnim/s7vZI/PZIGKvNuaM
--> ;mHckk.i-grease [&? MW78 %Ee4m
-LebJ6ZshTkkY+fM5zI/sbQzGpcKN5oGiEu5tWSPnmeQQxJrjT7Utqf3KAfI
---- 6HedZR4VvouzHmjeV9DY6BsybKcainxK9fro9MSjpxg
-h‚ÔqÂÇ<3<>:7{,Á9'Ä<1A>š„öw¾(FVGuLAA0“̽üÿa|½õKwµ?–¥!\Z’-\¼³$ü<>ä6yÖÖ§¿xý
+-> ssh-ed25519 su0Eyw 9mpUnyWpauqdSlrjHZb2uyTG5U7wyWesQz0WfNms1nc
+652z/tIinaCwhBQitxSLWMl1n9FCEaRKC6F/h9c4rzk
+-> ssh-ed25519 IV3DkQ esDKdA6+78STpPx2kCRbRCjJ7w5+YCRwR9G5IHusRl8
+cFc2EJE+gfY7YJzindI+3Q7Eum/D02GetqjHjaZUQzk
+-> ssh-ed25519 DCzi1A meR8aXi4kq1xxSdGvieMZ0tcrgT4Ifo2fRoR6v7wP1U
+rULzoIdJyh/MwDXGfI9Nh3nPfqdUBoQHV7s15cYpKsw
+--- 6cTo396+lzrd+YrQnEU3GvW6gPLo4rVaukpx48QdGGY
+ˆšœØäÈhдfF¼¥š8Fö~õ˜¼0ò^|™Éu«_aãIvy!ýeVCdj2º™v?+*úß8€‡g0¸›½F©CZróŽ‡7K¤

systems/mini-pc/configuration.nix

@@ -29,6 +29,12 @@
       firmware.enable = true;
       ssd.enable = true;
     };
+    services = {
+      kavita = {
+        enable = true;
+        dir = "/data/kavita";
+      };
+    };
     nftables.enable = true;
     cli-tools.enable = true;
     nix = {