chore: rekey immich secrets, allow influx access from local service net

2025-10-10 14:50:40 +02:00 · 2025-09-14 17:31:40 +02:00 · 2025-09-14 17:31:40 +02:00 · 3dc6133a1a
commit 3dc6133a1a
parent 0537f69d5e
20 changed files with 51 additions and 43 deletions
--- a/flake/agenix-rekey.nix
+++ b/flake/agenix-rekey.nix
@ -12,7 +12,7 @@
    # The identities that are used to rekey agenix secrets and to
    # decrypt all repository-wide secrets.
    secretsConfig = {
-      masterIdentities = [ "\"$PRJ_ROOT\"/secrets/yk1-nix-rage.pub" ];
+      masterIdentities = [ ../secrets/yk1-nix-rage.pub ];
      extraEncryptionPubkeys = [ ../secrets/backup.pub ];
    };
  };
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -52,11 +52,14 @@ in
  services.immich = {
    enable = true;
    host = "0.0.0.0";
    # We use VectorChord from the beginning
    database.enableVectors = false;
    environment = {
      IMMICH_LOG_LEVEL = "verbose";
      IMMICH_TRUSTED_PROXIES = lib.concatStringsSep "," [
        globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
        globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
      ];
    };
    settings = {
@ -269,9 +272,9 @@ in
          client_max_body_size 50G;
          proxy_buffering off;
          proxy_request_buffering off;
-          proxy_read_timeout 600s;
+          proxy_read_timeout 1200s;
-          proxy_send_timeout 600s;
+          proxy_send_timeout 1200s;
-          send_timeout       600s;
+          send_timeout       1200s;
          allow ${globals.net.home-lan.vlans.home.cidrv4};
          allow ${globals.net.home-lan.vlans.home.cidrv6};
          # Firezone traffic
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@ -105,6 +105,8 @@ in
      virtualHosts.${influxdbDomain} =
        let
          accessRules = ''
            allow ${globals.net.home-lan.vlans.services.cidrv4};
            allow ${globals.net.home-lan.vlans.services.cidrv6};
            allow ${globals.wireguard.proxy-home.cidrv4};
            allow ${globals.wireguard.proxy-home.cidrv6};
            deny all;
--- a/hosts/sire/secrets/immich/host.pub
+++ b/hosts/sire/secrets/immich/host.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKE+geXK2RVVNwZVoYOuX7pW+6mbgCa9SIghJCdHmbSB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKUJTsBJfQTTVZMS2qTYYIBe2sM56XYRCrvlUm/UtF
--- a/modules/ente.nix
+++ b/modules/ente.nix
@ -48,6 +48,7 @@ in
      domains = {
        api = mkOption {
          type = types.str;
          example = "api.ente.example.com";
          description = ''
            The domain under which the api is served. This will NOT serve the api itself,
            but is a required setting to host the frontends! This will automatically be set
@ -57,21 +58,25 @@ in
        accounts = mkOption {
          type = types.str;
          example = "accounts.ente.example.com";
          description = "The domain under which the accounts frontend will be served.";
        };
        cast = mkOption {
          type = types.str;
          example = "cast.ente.example.com";
          description = "The domain under which the cast frontend will be served.";
        };
        albums = mkOption {
          type = types.str;
          example = "albums.ente.example.com";
          description = "The domain under which the albums frontend will be served.";
        };
        photos = mkOption {
          type = types.str;
          example = "photos.ente.example.com";
          description = "The domain under which the photos frontend will be served.";
        };
      };
@ -85,17 +90,18 @@ in
      user = mkOption {
        type = types.str;
        default = defaultUser;
-        description = "User under which museum runs.";
+        description = "User under which museum runs. If you set this option you must make sure the user exists.";
      };
      group = mkOption {
        type = types.str;
        default = defaultGroup;
-        description = "Group under which museum runs.";
+        description = "Group under which museum runs. If you set this option you must make sure the group exists.";
      };
      domain = mkOption {
        type = types.str;
        example = "api.ente.example.com";
        description = "The domain under which the api will be served.";
      };
@ -182,6 +188,7 @@ in
      services.ente.web.domains.api = mkIf cfgWeb.enable cfgApi.domain;
      services.ente.api.settings = {
        # This will cause logs to be written to stdout/err, which then end up in the journal
        log-file = mkDefault "";
        db = mkIf cfgApi.enableLocalDB {
          host = "/run/postgresql";
@ -245,6 +252,7 @@ in
          BindReadOnlyPaths = [
            "${cfgApi.package}/share/museum/migrations:${dataDir}/migrations"
            "${cfgApi.package}/share/museum/mail-templates:${dataDir}/mail-templates"
            "${cfgApi.package}/share/museum/web-templates:${dataDir}/web-templates"
          ];
          User = cfgApi.user;
--- a/secrets/global.nix.age
+++ b/secrets/global.nix.age
--- a/secrets/rekeyed/sire-immich/272a347ebd724a722fe452ccf88c5717-wireguard-proxy-sentinel-priv-sire-immich.age
+++ b/secrets/rekeyed/sire-immich/272a347ebd724a722fe452ccf88c5717-wireguard-proxy-sentinel-priv-sire-immich.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 08+xhQ AZXVC7nTbtFBasccwllDvt3ic4NMeJu73tkzTooLORs
 2yGRtqkypbochm/I1CowFSJZZ8qNPulmApP4ABlKvsU
 -> 4`V#:p2-grease
 yhfMojghx2Ne+5JDobIA
 --- fH0ZmRzP4/lsJ9ykQVGDEPlyUohPuKJPgqXOlIilyL4
 êvïì7TÓ—“¸¾º^þ¡SÏN#œ…¬ÁN&u§‘ƒ_bx&êÃU¥9
DJ
 ðL®{QÔ À½ÝF[G™&×B´
--- a/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
+++ b/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 08+xhQ zg3qtzqOOj46luUhOUenMw3dfVz/PafKgVhj+7vljmY
 hKRXQOn+qJ2qe82pIqbFqU7dkNt5p0zq6lC9q8vI0ys
 -> E-grease 8#' Em.z$3-F
 qNx4gWPSptpfLup7uDupqbkB0MoCBsFn7ZJhAILgRnzgkLYlG8rTSbxT
 --- rEocn7eWbz8gSpaJOnC7YswKcci0Jmy87dxABXILzqg
 Ëç´cV>Òž~N¨Õ÷0Rá6n“/Z˜[m¦�.3Gž'\$ÌõüCÕŒÍ£¶y‡Á¿c kÁ±°G¥è.åQlñÈ�]äE/
 9
--- a/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age
+++ b/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age
--- a/secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age
+++ b/secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age
--- a/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age
+++ b/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age
@ -1,7 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 U8ytLQ veKTrJX4Srbh92lE3hPO4NTpeNzP/NuUmfZHWIAcTEU
 jW3uyW7qos8LSsAyQ56gZa5NBCJVUqZVu8KZHe0v0iE
 -> sVVZ{H-grease ~J3,Ud i+P
 wb4kp+Ii
 --- PJ20pWfjTwBwh2Dr+q6Gob16aGbH61ilptbCzQn0jEQ
 ;˜VvK¬â_œs‚÷õ«�qå“àP0=QbóX¤õ��ö¬s.É.i]vüÒùAï�Žè¦í->m©ŸF“ÉSxT|;{vUÇìµjfs
--- a/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
+++ b/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
@ -1,7 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 U8ytLQ kjGqE0PbVbxIqRS4RdHdmhNFr8Sv3jDfFPdjnnlVj0Q
 lz5h6PSyLBXMTUTdS4uzBiPi3yNXdhsxvYw5TT3i8Uc
 -> ?~Rt$#-grease uWLiw,w> ZfFM;)
 guaxvIRwfg
 --- UFQfXS855+dhnxARJ4M5W0qHdsgTjkfgRu0yjd/tBYU
 ÑxÆ( Z¸‰TVÛJ<K"?(Y?¯TWga.°Ä¼áÝ*ŸÙ÷d6 TQ™Ö�<éŒ^ŒG,gÏƒŸÕB¾+ŽU¦-te¤
--- a/secrets/rekeyed/sire-immich/6d800e1415841a524ca00a4bc0886b28-promtail-loki-basic-auth-password.age
+++ b/secrets/rekeyed/sire-immich/6d800e1415841a524ca00a4bc0886b28-promtail-loki-basic-auth-password.age
@ -1,7 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 U8ytLQ 1x2w+U7iZ59hW1cymklltoWgBoo9Iao1YnsP0dYsJyE
 8Yax1Uq2UZCEPysMfcu/mvkO0cLdnTFJ+lLTglZEhD0
 -> Mo>ig-grease
 gyxTtneFjCxPTo53gPgqBMm/dUTNqw7SSGXZ9wFTK3I
 --- 2kvAlqhkxaAZcY0qewhgWahfiafgZSKZm7T3x8O5wxI
 û,ÂC¤¶c-œz#ð5#,¾úUVÀ¶ev®;NŒó"¶¦Õ¢ÌÝÉ¬Èi±\(¥ê)[îÍÐR\Èò7@†¾véÜ²¯Æ¾NÏ¹ÎŽ{©4
--- a/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age
+++ b/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 08+xhQ GOn8a+tEBtiwUxioNd2fk5PrWNkT+awF+XzbClQJ6Qg
 xltPAmFpS3qUO8sNKRuvsdSaf72RvDnZO+RijXg6Qg0
 -> 39!T/O'-grease ~v?U;y
 egK+Kho4rgecwrv9gmcK/C2dJnbd+SGF73FGl3XIzlJwfkRzRvamV978lA4uyrcF
 vw
 --- Nkp782AMG8OclXPvKR7fy334Umjsa/x1jXe6MA1q6CM
 Ü[ùÌ>@QR‡áMmïG`Ÿ*×ÑOT;xöö° !ûT?¹_,Ç„Ö¶{'ž€‰Õ¬Y&Gkf»M¡˜éH|UÎ  ì_áóbÕ
--- a/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age
+++ b/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 08+xhQ CFoQPo0bwvS1VyUbOOq4fk/DHs6EZNoxf9patvaAyis
 2U2S/yiSKY7+eE28APeakHdTrVTp4BAb9T2T0G26wfU
 -> g8r-grease :K-IEEo5
 PQV599Ol7XmAsiS5r6E86w
 --- 6iGZ2tBk1eTu+zztYN2oLUXZr5vb8iYCQR92gqf50zo
 ¸¯Áµ”�gó0à‹ÐÅ[ŸBî´?§¼n'xÃÀo:ìÞæž¾	wÈú'AÓ¨Öa—<vXdÙâÄž˜D:bÎùñª¯�™…¡"ÖƒDß(—Æ˜>
--- a/secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age
+++ b/secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age
--- a/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age
+++ b/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age
--- a/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age
+++ b/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age
@ -1,7 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 U8ytLQ QRKqBGrzPBO8uDJtAjIpOVcir6L5beNr0wS3iVXQFiY
 YjTxSInhMSU0yogxBupf2311z5OXeNrSSkQpU4d34OM
 -> o3E-grease ~ E<I*AS 1> Y+:|pOC
 /8vpx1EmpwyfX3vwNpjAMMFCoRuoP3w1RLWAgqj5J1tIb48O0Wc
 --- EIeRKimHpArrdLioRUJ2rEa6uBOiAolXK1J1Sej37WE
 9¥CõKÚ•OíÐù´uŽ¯1ŒGú1ï†Fü/0¹b=Lß0dsAèjSØ€¡Þ|^ö1E�ÍªËà�ÁCöõî(±9Sc:Ì
--- a/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age
+++ b/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age
@ -1,8 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 U8ytLQ odwIDreVyKb1UHckjz1/1PKET4rluHdxFVJ2naBOKhM
 PJyoiRA65kd2272oq3Irup5gBq9sWDMgkIbkPbIa+IU
 -> HDe/yru:-grease ee~+
 g5uaAbBGEy/dJPeFuKdCqdvlIbcxeoVQMQ/y7hwgJQI68DOwpdAggi12cMYt+mlM
 yNE2Lb6p4xO8BRF0
 --- Xl6hjCyuuxnKdBNe3/x6jqvDsoaHDBYIzO8nV0DRuVs
 í¥f¤ÚÛÿ01VázµçVsæitúÁ%áœ}HùÓ
ìòåÛ�=«ó¸èFá¾›:
_�Ùwy±)v²”ª0Plý"%-y¼ëbQì¤œK
--- a/secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age
+++ b/secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age
`@ -1 +1 @@`
	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKE+geXK2RVVNwZVoYOuX7pW+6mbgCa9SIghJCdHmbSB`	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKUJTsBJfQTTVZMS2qTYYIBe2sM56XYRCrvlUm/UtF`