diff --git a/flake.nix b/flake.nix
index 1c448e7..d1436d3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -362,8 +362,9 @@ lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys ) ); - update-gitea-keys = pkgs.callPackage ./scripts/update-gitea-keys.nix { inherit (plain) config; }; + update-git-keys = pkgs.callPackage ./scripts/update-git-keys.nix { inherit (plain) config; }; inherit (plain.config.vacu) sopsConfig wrappedSops; + dns = import ./scripts/dns { inherit pkgs; inherit (plain) config; }; nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule { extraSpecialArgs = { inputs = { };
diff --git a/scripts/dns/default.nix b/scripts/dns/default.nix
new file mode 100644
index 0000000..2b6523d
--- /dev/null
+++ b/scripts/dns/default.nix
@@ -0,0 +1,23 @@
+{
+ pkgs,
+ config,
+ ...
+}:
+pkgs.writers.writePython3Bin "dns" {
+ libraries = [ pkgs.python3Packages.httpx ];
+} ''
+# flake8: noqa
+import httpx
+import os
+from pprint import pp
+auth_id = os.environ["CLOUDNS_AUTH_ID"]
+auth_password = os.environ["CLOUDNS_AUTH_PASSWORD"]
+
+base_url = "https://api.cloudns.net"
+auth_params = {
+ "auth-id": auth_id,
+ "auth-password": auth_password,
+}
+res = httpx.get(base_url + "/dns/records.json", params={"domain-name": "jean-luc.org", "rows-per-page": 100, **auth_params}).json()
+pp(res)
+''
diff --git a/scripts/update-git-keys.nix b/scripts/update-git-keys.nix
new file mode 100644
index 0000000..efb3717
--- /dev/null
+++ b/scripts/update-git-keys.nix
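Review bot: The ClouDNS `auth-id` and `auth-password` are merged into `params` on the `httpx.get(...)` line of scripts/dns/default.nix, so the account password travels in the URL query string, where request logging on the client, on intermediaries and on the server tends to record it. If the endpoint accepts a form-encoded POST (to be confirmed against the ClouDNS API documentation), sending the credentials in the body keeps them out of URLs: `res = httpx.post(base_url + "/dns/records.json", data={"domain-name": "jean-luc.org", "rows-per-page": 100, **auth_params})`. The call also goes straight to `.json()`; checking `raise_for_status()` on the response first would stop an authentication failure or error page from being pretty-printed as if it were a record list. Nothing in the visible diff wires secrets/misc/cloudns.json to the `CLOUDNS_AUTH_*` environment variables, and `config` is accepted but unused here.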
@@ -0,0 +1,53 @@
+{
+ config,
+ writers,
+ curl,
+ lib,
+ ...
+}:
+writers.writeBashBin "update-git-keys" ''
+ set -xev
+ domain="$1"
+ api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["'$domain'"]' -d ${../secrets/misc/git-keys.json})"
+ if [ $domain = github.com ]; then
+ url_base="https://api.github.com"
+ elif [ $domain = gitlab.com ]; then
+ url_base="https://$domain/api/v4"
+ else
+ url_base="https://$domain/api/v1"
+ fi
+ url_keys="$url_base/user/keys"
+ if [ $domain = "git.uninsane.org" ]; then
+ authorization_name="token"
+ else
+ authorization_name="Bearer"
+ fi
+ curl_common=( \
+ ${lib.getExe curl} \
+ --fail \
+ --header "Authorization: $authorization_name $api_key" \
+ --header "Content-Type: application/json" \
+ )
+ if [ $domain = "github.com" ]; then
+ curl_common+=(\
+ --header "Accept: application/vnd.github+json" \
+ --header "X-GitHub-Api-Version: 2022-11-28" \
+ )
+ fi
+ # declare -p curl_common
+ echo GET "$url_keys"
+ resp="$("''${curl_common[@]}" "$url_keys")"
+ for url in $(echo "$resp" | jq .[].url -r); do
+ echo DELETE "$url"
+ "''${curl_common[@]}" "$url" -X DELETE
+ done
+
+ new_keys=(${lib.escapeShellArgs (lib.mapAttrsToList (label: sshKey: builtins.toJSON {
+ key = sshKey;
+ title = label;
+ }) config.vacu.ssh.authorizedKeys)})
+ for keydata in "''${new_keys[@]}"; do
+ echo POST "$api_keys"
+ "''${curl_common[@]}" "$url_keys" -X POST --data "$keydata"
+ done
+''
diff --git a/scripts/update-gitea-keys.nix b/scripts/update-gitea-keys.nix
deleted file mode 100644
index 4c33662..0000000
--- a/scripts/update-gitea-keys.nix
+++ /dev/null
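Review bot: `set -xev` stays in effect while `api_key` is decrypted and placed into `curl_common`, so xtrace writes the decrypted token to stderr on the `api_key=` assignment and again in every expanded curl command carrying the `Authorization` header; anything that captures the script's output then holds a live API token for the selected forge. Replacing it with `set -eu` (or bracketing the secret-handling lines with `set +x`) avoids that, and `-u` would also have caught the stale `echo POST "$api_keys"` near the end, which should read `echo POST "$url_keys"`. `$domain` is unquoted in each `[ $domain = ... ]` test and in the `--extract '["'$domain'"]'` argument, so an empty or space-containing first argument breaks the test or splits the sops argument; quoting it as `"$domain"` throughout fixes both. Because every existing key is deleted before any POST and `--fail` aborts on the first error, a failed upload can leave the account with no SSH keys, so uploading before deleting (or refusing to delete when `new_keys` is empty) would be the safer order.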
@@ -1,35 +0,0 @@
-{
- config,
- writers,
- curl,
- lib,
- ...
-}:
-writers.writeBashBin "update-gitea-keys" ''
- set -xev
- gitea_api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["git.uninsane.org"]' -d ${../secrets/misc/git-keys.json})"
- api_base="https://git.uninsane.org/api/v1"
- api_keys="$api_base/user/keys"
- curl_common=( \
- ${lib.getExe curl} \
- --header "Authorization: token $gitea_api_key" \
- --header "Content-Type: application/json" \
- )
- # declare -p curl_common
- echo GET "$api_keys"
- resp="$("''${curl_common[@]}" "$api_keys")"
- for url in $(echo "$resp" | jq .[].url -r); do
- echo DELETE "$url"
- "''${curl_common[@]}" "$url" -X DELETE
- done
-
- new_keys=(${lib.escapeShellArgs (lib.mapAttrsToList (label: sshKey: builtins.toJSON {
- key = sshKey;
- read_only = false;
- title = label;
- }) config.vacu.ssh.authorizedKeys)})
- for keydata in "''${new_keys[@]}"; do
- echo POST "$api_keys"
- "''${curl_common[@]}" "$api_keys" -X POST --data "$keydata"
- done
-''
diff --git a/secrets/misc/cloudns.json b/secrets/misc/cloudns.json
new file mode 100644
index 0000000..ea1381d
--- /dev/null
+++ b/secrets/misc/cloudns.json
@@ -0,0 +1,53 @@ +{ + "auth_password": "ENC[AES256_GCM,data:UD8l+CrofmN9g439uTOtCyP5378VX+f856dxuFDTzfCa8B+7,iv:6hgG+py3EC4cMLkhG72O5HJfbQF5Q+APq6wBsMQVRjw=,tag:KA4AupZKFdHEBzEBnd3/1A==,type:str]", + "auth_id": "ENC[AES256_GCM,data:4cBXpVc=,iv:WPh6+xp02CMBohmxWu6UdNA3KMRSghbSQYuU0lZyUMo=,tag:+zU0EBEwLgqYC0NmW31Qtw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YW9haUtvVVRkZWVqa1Zv\nOERucllIenc3VFJkMzAvM1paTWxNaVA4MlhRCmZVNGpvdmhrUnJDYTMyWExNVVNW\nQWw2MDBPUnozTWpzTERiaExYVkJUd0kKLS0tIEFPRUhjZVdBTXZQdFFUQ0NnYU5P\nYlkvaUgzQjVORTNvTDFKYXJJYW1pTGMKW2rUNzNWsvQ9vzf+jwSBOC8OjVL30HDZ\nK8QC30Z4PUtKTk5HA7KcFfGVT8UbJc6Z4IRm6dIV6lczmctZiuAXLQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdGxOMkNFcnRWd2EzaGVV\nNGdxTDUzM1FnY21tUUtJOEhaM0RFU2ZZbXc0CkIzVXBNY0Z4dmlVRnpHZGt6dzY4\ncW80b0lCdCtJMnQ2aXJyclpiT1BlWG8KLS0tIE4vV2gwZjBVSmc0Y3ExZUdXQnJL\nMU9EOWNNRDJualAvUjNOWlZCMjdHSU0K33nP6rM7k9er+8gC2cozXF3M7WNAPb3y\ny5ecWeGnIJe1Q3BwpqXUmxWswE95VYq6g4RCJ2TbHIJWgK6HLJoamg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzM0kyMHZ2UEpaYzMzMFRo\nV3IvYVI0RTVUM29pSnhYUFBpUlVnM3BUcEZBClpCL1c1cmFaRzZDU2tQY2hJQzNx\nb2ZvdTRBMVNTS01XdTJiYnljMzhiUFkKLS0tIGFuR05CYTZhbVdZMERCVUcrRTFO\nQWREQW9DU3pmOFRJczVBdTA0VFdwZ0UKuhijkZjfHrOrQ28WF0lsrh1YYcDjohJF\nHimoJrsMFf21bsWMPGsRXvvQWouMhhzDtp3ZzaR/jhwzqnNp6I2gWw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d", + 
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcHlmTVJ1d3ZRc09WMU5p\nbmd4TzZNVisyWm1PZFBmMXpBcmd6N3ZmL0JBCnBqZzZCNVFObHpZZzd3cXBuaEVR\nZjJCdTRLalhBTnpEN21NYzRQUnFrbjgKLS0tIDJIVDlFZzJuK1pnYklaZnRWOEgz\nNkxLNSsxbzR4cUo0TVVsajNLeXZvZEkKCqo8Hw+CoO+lpKXxI1+3Pkw6iNcaJlzU\n7HE78dhMH2C01Phn9BOFY3FATxo68wYxzLWUt90iGwtnxT1K509GGg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1vla9w33lsp03s46p9p6gc2mvr844vthdqhc2hzau2ph6h60gmyqqh9sf57", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWnlkYUI3ZFIxR1dBZzNi\nNDRGT2xIZFhyWCs3SHk5Q0toWmZUc3F3RTFVCnZtZUFzNDdOMnlQWVlYVjJnYlJN\nV2xXM3F4N3RVTzVFZE5Zb1BkcjI1cUUKLS0tIHdiQTJTQlpJQlNycElCamN5MGth\nWnNKMnlEQTExbis3dktsWDliaU9IelUK/fxqRPnRbD+KCvYMI4m5K17cLI2/xEbL\nbsGdj8E0TAtzqRL4iBOQfb6xJC5AqcmHEhvFnnxEouNUXMsw5/1Ggg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1jy8mxcndkw6zd6q99tjgz3gsynn78x2lwtrff85u6ud9g9y9z5mspvhufl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Zi80ZHU0WnVjMlpycVov\nWE9UNldKRmdMR2xkNVNuQ0NPWHNzTUg4cEU0CmhjdGhEdG5GWkxKUUdRUzMzN0RL\nRHo1QkdSaDNxTy9RVDd5TGtpZUpaRmMKLS0tIG1TTFdrNC9MREd2K0NIdmNscjB5\nQlpGMVdmK2wvQnVxMXJkeTdYbXJtZ0EK12lVIHRp/GxD4F0oMsiOmy4RC5iJEkle\ngvTGPFJkiJJJe36vMx34WdKq++6fwma624E75S4P5qmiVIeadDihGw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYm5Ca0NId3AyRUwxRU1q\nR0NvSUk3YmJvOVRvbTVkVjZ0ZzVxaEFtcGpFCjg3V2ZhUk9RM09ZNVRGVEhUZHZ0\nekNid3NtUVZyTTlZSFU1QkQ0amtEcUkKLS0tIDlTdTBpdDE3VHkyVHhHekZDUEdP\nRUNpdm9ENHhCWCsxbk9aOVFmeFBwUzQKJzTxCMPaYYsmjoGyEbuimDWpq5Oq8oMx\n2LXkQHYdmBi090o4ocfkHiR1SS3w6XNI8IBcQK1flobXYejI9E5yKA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s", + "enc": "-----BEGIN AGE 
ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvR21LYis4SXFxcE1PeXQ3\nelpxRTJ3Y2svRnc1ZTkvVk9lTUhFSmVneWc4CnJMT05ZQnBySDBuZ2lqcnc3eHlv\neWdKUi81aWlhY3pySzhoSjdwUlhMN0kKLS0tIDRWWFR5Q0oyZ09GdlF1a0JmeVdl\nOTV4TUhWdVBVRFhxQlB0ajFSS1FnNHcKMq1FSE3OecwHopvkShKQYSFQihzFkMrG\nFRpPqWcUzaXpib8f4YQrYmLJiihGCpfovv5+NHEQB8BMEu7UNY/emw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YnJVMmpSNDlicUh6UEJR\nL1JUZVlxeUhmTGpUeXNtUmc2NmZGc3NObldVCitHOUgyOXFibnR3WUZRdjc3TExZ\nK0lxRUJCY3ozZExlNzRack5jTTR4aFkKLS0tIGVoOTRCNW5Yb2NVd09ZU0kzSlNV\nVWxuYjVCM3lvZHhQeU05R09WNWQwU2MKNM9VU6KE/0AUzww/qdMQoXMpZ9MT5rIK\nOvltRcVvQR1lZqiox4W1zYfw3JTlficQ31C+wSMHy4aBSlnik7hzxw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-24T06:58:19Z", + "mac": "ENC[AES256_GCM,data:P5ipojcOVW0V/4J7Txj9v4RONAzqIIG71guYkqHZ/yJNrFIjVn+db3qLNbNmeKz73rbPdXYpZGM5dIwXiF9pzLAW+t3pYABGvnBT/l1cN1tYS4BCs+e6n0KqKho/Aust/QTDIuYkoAyRwD7HD/OXW8V5SJtiuaqAlX9gzDLILs8=,iv:oUxrQbPTgL/RfdGvw9rnx/mU4RklD2uet/3XRQH0pq4=,tag:wj3ehRASFcW1g6Yf8XxSKQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/secrets/misc/git-keys.json b/secrets/misc/git-keys.json index fbf6f5f..cd29395 100644 --- a/secrets/misc/git-keys.json +++ b/secrets/misc/git-keys.json 
@@ -1,6 +1,7 @@ { "git.uninsane.org": "ENC[AES256_GCM,data:g1oZA7s16sl6tBsUy+aAUChYBomgxht08dzghBakmJ/13YrM/Pf7WQ==,iv:v3CXUaLwIdEtg6ZWiCqqZ1JSkWOlnWnGSOzNVAx5gvs=,tag:jkQGgxRMBggokRNUdW2jLQ==,type:str]", "gitlab.com": "ENC[AES256_GCM,data:A2+dsAgvVJsqgGOHcPsw7F5bSTg8H3icd+g=,iv:v9QVy7vP/XEHw0lHBjedvWFrsGvyDlAEF+yFL1voiQc=,tag:0kqgQOIn90MBjiNRHjiRrg==,type:str]", + "github.com": "ENC[AES256_GCM,data:fpY8KxwIYGvIWAHKH7cmwCO4j7fPx+625Buvhu4OdJIpcDXJrpjTsQ==,iv:4W2YvZ01XjzJUX3yXx9H+kxtylYRma4wA/YWL2W6kPc=,tag:WswVoBWgzjrpz9nPQfVV3w==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -44,8 +45,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPek9CVk5pQW1EUUhabW5E\nTWFjdFdlVVFnZlcvQWlOTk5YZTVTRWdMMmtRCkJwWjlWREdjRUhEL2R4bFRBQ3Aw\nZjdJMCtVZDErZE5wcnloR2lvVnJHSDgKLS0tIDAwajE2YTA4UFo1SmJEVUtpN2hX\nMkkzYjZOVDYvSlRGT3RJTzdySlJleXMKor4NR2gIkfvDi25eKrzLki+biWf3dVZS\niCSBxy+tpbtiO9fK8LPrz9jJp1tBism7VTIF6WBuj97GjMGHIOz43Q==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-10-24T05:45:04Z", - "mac": "ENC[AES256_GCM,data:YDaQymYafZxGSlQSE7k68nBXqfTt2RIXueXVP1qA776MdZU1RP9Iyay3+2a5JmH4nSmoziU4y0kEEkmz0+22cmtHxzp+RafDcgdBld3qTtNqrM+u7PN0jxa3+41nk/P/YytezW1xwtVOJ/kMQS2fBuQiBixzAwT9EAme9IudyhA=,iv:d4mq3CIRg6hXIp1HBm5zFHNkIlDI6gDjiXv0IqW9o6s=,tag:9lg47/MiL23MSAEkVF2uwQ==,type:str]", + "lastmodified": "2024-10-24T05:55:24Z", + "mac": "ENC[AES256_GCM,data:ntQuFNOlw0CqRQO6hLOwocSyNs04KzlPlpr4k+Vxw5BOoRhDeLAvyrcrfduDw2vh9OUhHaNyc15j5J8s5akAVsf1DSfnK5HUbBB6Qp4W8YkCCAP+S8d6/iBniqlWsJeioVAX/mNXwUaFe7zZ2WDp1s/LebO2hSld1MHkW+uZGXQ=,iv:7pgK+ZqWEgWY01ugIzR5EuK4TljdFkrRvayN5AOh0Qs=,tag:zt1EaL86geu0ucHZR6WHIQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.1" diff --git a/sops b/sops new file mode 100755 index 0000000..22e9cad --- /dev/null +++ b/sops @@ -0,0 +1,2 @@ +#!/bin/sh +nix run "$(dirname "$0")#sops" -- "$@"