chore: rekey immich secrets, allow influx access from local service net

2025-10-10 14:50:40 +02:00 · 2025-09-14 17:31:40 +02:00 · 2025-09-14 17:31:40 +02:00 · 3dc6133a1a
commit 3dc6133a1a
parent 0537f69d5e
20 changed files with 51 additions and 43 deletions
--- a/flake/agenix-rekey.nix
+++ b/flake/agenix-rekey.nix
@ -12,7 +12,7 @@
    # The identities that are used to rekey agenix secrets and to
    # decrypt all repository-wide secrets.
    secretsConfig = {
-      masterIdentities = [ "\"$PRJ_ROOT\"/secrets/yk1-nix-rage.pub" ];
+      masterIdentities = [ ../secrets/yk1-nix-rage.pub ];
      extraEncryptionPubkeys = [ ../secrets/backup.pub ];
    };
  };
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -52,11 +52,14 @@ in

  services.immich = {
    enable = true;
+    host = "0.0.0.0";
    # We use VectorChord from the beginning
    database.enableVectors = false;
    environment = {
      IMMICH_LOG_LEVEL = "verbose";
      IMMICH_TRUSTED_PROXIES = lib.concatStringsSep "," [
+        globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
+        globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
      ];
    };
    settings = {
@ -269,9 +272,9 @@ in
          client_max_body_size 50G;
          proxy_buffering off;
          proxy_request_buffering off;
-          proxy_read_timeout 600s;
-          proxy_send_timeout 600s;
-          send_timeout       600s;
+          proxy_read_timeout 1200s;
+          proxy_send_timeout 1200s;
+          send_timeout       1200s;
          allow ${globals.net.home-lan.vlans.home.cidrv4};
          allow ${globals.net.home-lan.vlans.home.cidrv6};
          # Firezone traffic
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@ -105,6 +105,8 @@ in
      virtualHosts.${influxdbDomain} =
        let
          accessRules = ''
+            allow ${globals.net.home-lan.vlans.services.cidrv4};
+            allow ${globals.net.home-lan.vlans.services.cidrv6};
            allow ${globals.wireguard.proxy-home.cidrv4};
            allow ${globals.wireguard.proxy-home.cidrv6};
            deny all;
--- a/hosts/sire/secrets/immich/host.pub
+++ b/hosts/sire/secrets/immich/host.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKE+geXK2RVVNwZVoYOuX7pW+6mbgCa9SIghJCdHmbSB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKUJTsBJfQTTVZMS2qTYYIBe2sM56XYRCrvlUm/UtF
--- a/modules/ente.nix
+++ b/modules/ente.nix
@ -48,6 +48,7 @@ in
      domains = {
        api = mkOption {
          type = types.str;
+          example = "api.ente.example.com";
          description = ''
            The domain under which the api is served. This will NOT serve the api itself,
            but is a required setting to host the frontends! This will automatically be set
@ -57,21 +58,25 @@ in

        accounts = mkOption {
          type = types.str;
+          example = "accounts.ente.example.com";
          description = "The domain under which the accounts frontend will be served.";
        };

        cast = mkOption {
          type = types.str;
+          example = "cast.ente.example.com";
          description = "The domain under which the cast frontend will be served.";
        };

        albums = mkOption {
          type = types.str;
+          example = "albums.ente.example.com";
          description = "The domain under which the albums frontend will be served.";
        };

        photos = mkOption {
          type = types.str;
+          example = "photos.ente.example.com";
          description = "The domain under which the photos frontend will be served.";
        };
      };
@ -85,17 +90,18 @@ in
      user = mkOption {
        type = types.str;
        default = defaultUser;
-        description = "User under which museum runs.";
+        description = "User under which museum runs. If you set this option you must make sure the user exists.";
      };

      group = mkOption {
        type = types.str;
        default = defaultGroup;
-        description = "Group under which museum runs.";
+        description = "Group under which museum runs. If you set this option you must make sure the group exists.";
      };

      domain = mkOption {
        type = types.str;
+        example = "api.ente.example.com";
        description = "The domain under which the api will be served.";
      };

@ -182,6 +188,7 @@ in

      services.ente.web.domains.api = mkIf cfgWeb.enable cfgApi.domain;
      services.ente.api.settings = {
+        # This will cause logs to be written to stdout/err, which then end up in the journal
        log-file = mkDefault "";
        db = mkIf cfgApi.enableLocalDB {
          host = "/run/postgresql";
@ -245,6 +252,7 @@ in
          BindReadOnlyPaths = [
            "${cfgApi.package}/share/museum/migrations:${dataDir}/migrations"
            "${cfgApi.package}/share/museum/mail-templates:${dataDir}/mail-templates"
+            "${cfgApi.package}/share/museum/web-templates:${dataDir}/web-templates"
          ];

          User = cfgApi.user;
--- a/secrets/global.nix.age
+++ b/secrets/global.nix.age
--- a/secrets/rekeyed/sire-immich/272a347ebd724a722fe452ccf88c5717-wireguard-proxy-sentinel-priv-sire-immich.age
+++ b/secrets/rekeyed/sire-immich/272a347ebd724a722fe452ccf88c5717-wireguard-proxy-sentinel-priv-sire-immich.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 08+xhQ AZXVC7nTbtFBasccwllDvt3ic4NMeJu73tkzTooLORs
+2yGRtqkypbochm/I1CowFSJZZ8qNPulmApP4ABlKvsU
+-> 4`V#:p2-grease
+yhfMojghx2Ne+5JDobIA
+--- fH0ZmRzP4/lsJ9ykQVGDEPlyUohPuKJPgqXOlIilyL4
+êvïì7TÓ—“¸¾º^þ¡SÏN#œ…¬ÁN&u§‘ƒ_bx&êÃU¥9
DJ
+ðL®{QÔ À½ÝF[G™&×B´
--- a/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
+++ b/secrets/rekeyed/sire-immich/473bd83be339750b7105eecefcaef7f1-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 08+xhQ zg3qtzqOOj46luUhOUenMw3dfVz/PafKgVhj+7vljmY
+hKRXQOn+qJ2qe82pIqbFqU7dkNt5p0zq6lC9q8vI0ys
+-> E-grease 8#' Em.z$3-F
+qNx4gWPSptpfLup7uDupqbkB0MoCBsFn7ZJhAILgRnzgkLYlG8rTSbxT
+--- rEocn7eWbz8gSpaJOnC7YswKcci0Jmy87dxABXILzqg
+Ëç´cV>Òž~N¨Õ÷0Rá6n“/Z˜[m¦�.3Gž'\$ÌõüCÕŒÍ£¶y‡Á¿c kÁ±°G¥è.åQlñÈ�]äE/
+9
--- a/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age
+++ b/secrets/rekeyed/sire-immich/5070709ada98675000d61ce0cae80b46-wireguard-proxy-sentinel-priv-sire-immich.age
--- a/secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age
+++ b/secrets/rekeyed/sire-immich/5a140530eeaf232ef669c3bf14336924-wireguard-proxy-home-psks-sire-immich+ward.age
--- a/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age
+++ b/secrets/rekeyed/sire-immich/6055cb73daacbb7a0841103ca454174a-immich-oauth2-client-secret.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 U8ytLQ veKTrJX4Srbh92lE3hPO4NTpeNzP/NuUmfZHWIAcTEU
-jW3uyW7qos8LSsAyQ56gZa5NBCJVUqZVu8KZHe0v0iE
-> sVVZ{H-grease ~J3,Ud i+P
-wb4kp+Ii
--- PJ20pWfjTwBwh2Dr+q6Gob16aGbH61ilptbCzQn0jEQ
-;˜VvK¬â_œs‚÷õ«�qå“àP0=QbóX¤õ��ö¬s.É.i]vüÒùAï�Žè¦í->m©ŸF“ÉSxT|;{vUÇìµjfs
--- a/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
+++ b/secrets/rekeyed/sire-immich/6d6412638f56d57f4ca694913136adfb-wireguard-proxy-sentinel-psks-sentinel+sire-immich.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 U8ytLQ kjGqE0PbVbxIqRS4RdHdmhNFr8Sv3jDfFPdjnnlVj0Q
-lz5h6PSyLBXMTUTdS4uzBiPi3yNXdhsxvYw5TT3i8Uc
-> ?~Rt$#-grease uWLiw,w> ZfFM;)
-guaxvIRwfg
--- UFQfXS855+dhnxARJ4M5W0qHdsgTjkfgRu0yjd/tBYU
-ÑxÆ( Z¸‰TVÛJ<K"?(Y?¯TWga.°Ä¼áÝ*ŸÙ÷d6 TQ™Ö�<éŒ^ŒG,gÏƒŸÕB¾+ŽU¦-te¤
--- a/secrets/rekeyed/sire-immich/6d800e1415841a524ca00a4bc0886b28-promtail-loki-basic-auth-password.age
+++ b/secrets/rekeyed/sire-immich/6d800e1415841a524ca00a4bc0886b28-promtail-loki-basic-auth-password.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 U8ytLQ 1x2w+U7iZ59hW1cymklltoWgBoo9Iao1YnsP0dYsJyE
-8Yax1Uq2UZCEPysMfcu/mvkO0cLdnTFJ+lLTglZEhD0
-> Mo>ig-grease
-gyxTtneFjCxPTo53gPgqBMm/dUTNqw7SSGXZ9wFTK3I
--- 2kvAlqhkxaAZcY0qewhgWahfiafgZSKZm7T3x8O5wxI
-û,ÂC¤¶c-œz#ð5#,¾úUVÀ¶ev®;NŒó"¶¦Õ¢ÌÝÉ¬Èi±\(¥ê)[îÍÐR\Èò7@†¾véÜ²¯Æ¾NÏ¹ÎŽ{©4
--- a/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age
+++ b/secrets/rekeyed/sire-immich/7390493ba0250d48db36b91e78cd5367-promtail-loki-basic-auth-password.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 08+xhQ GOn8a+tEBtiwUxioNd2fk5PrWNkT+awF+XzbClQJ6Qg
+xltPAmFpS3qUO8sNKRuvsdSaf72RvDnZO+RijXg6Qg0
+-> 39!T/O'-grease ~v?U;y
+egK+Kho4rgecwrv9gmcK/C2dJnbd+SGF73FGl3XIzlJwfkRzRvamV978lA4uyrcF
+vw
+--- Nkp782AMG8OclXPvKR7fy334Umjsa/x1jXe6MA1q6CM
+Ü[ùÌ>@QR‡áMmïG`Ÿ*×ÑOT;xöö° !ûT?¹_,Ç„Ö¶{'ž€‰Õ¬Y&Gkf»M¡˜éH|UÎ  ì_áóbÕ
--- a/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age
+++ b/secrets/rekeyed/sire-immich/7c45bd9af65e9bf02c6c86b417719fdb-telegraf-influxdb-token.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 08+xhQ CFoQPo0bwvS1VyUbOOq4fk/DHs6EZNoxf9patvaAyis
+2U2S/yiSKY7+eE28APeakHdTrVTp4BAb9T2T0G26wfU
+-> g8r-grease :K-IEEo5
+PQV599Ol7XmAsiS5r6E86w
+--- 6iGZ2tBk1eTu+zztYN2oLUXZr5vb8iYCQR92gqf50zo
+¸¯Áµ”�gó0à‹ÐÅ[ŸBî´?§¼n'xÃÀo:ìÞæž¾	wÈú'AÓ¨Öa—<vXdÙâÄž˜D:bÎùñª¯�™…¡"ÖƒDß(—Æ˜>
--- a/secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age
+++ b/secrets/rekeyed/sire-immich/9654640f4ad0b7a78ce21df9c5bf33b8-immich-oauth2-client-secret.age
--- a/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age
+++ b/secrets/rekeyed/sire-immich/ab981c567dd4581cbe78c994777bcc62-telegraf-influxdb-token.age
--- a/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age
+++ b/secrets/rekeyed/sire-immich/b50e7c654824daae359bcf87642131de-wireguard-proxy-home-priv-sire-immich.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 U8ytLQ QRKqBGrzPBO8uDJtAjIpOVcir6L5beNr0wS3iVXQFiY
-YjTxSInhMSU0yogxBupf2311z5OXeNrSSkQpU4d34OM
-> o3E-grease ~ E<I*AS 1> Y+:|pOC
-/8vpx1EmpwyfX3vwNpjAMMFCoRuoP3w1RLWAgqj5J1tIb48O0Wc
--- EIeRKimHpArrdLioRUJ2rEa6uBOiAolXK1J1Sej37WE
-9¥CõKÚ•OíÐù´uŽ¯1ŒGú1ï†Fü/0¹b=Lß0dsAèjSØ€¡Þ|^ö1E�ÍªËà�ÁCöõî(±9Sc:Ì
--- a/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age
+++ b/secrets/rekeyed/sire-immich/bbbf9beb0367145565e8795b2f8e8b23-wireguard-proxy-home-psks-sire-immich+ward.age
@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 U8ytLQ odwIDreVyKb1UHckjz1/1PKET4rluHdxFVJ2naBOKhM
-PJyoiRA65kd2272oq3Irup5gBq9sWDMgkIbkPbIa+IU
-> HDe/yru:-grease ee~+
-g5uaAbBGEy/dJPeFuKdCqdvlIbcxeoVQMQ/y7hwgJQI68DOwpdAggi12cMYt+mlM
-yNE2Lb6p4xO8BRF0
--- Xl6hjCyuuxnKdBNe3/x6jqvDsoaHDBYIzO8nV0DRuVs
-í¥f¤ÚÛÿ01VázµçVsæitúÁ%áœ}HùÓ
ìòåÛ�=«ó¸èFá¾›:
_�Ùwy±)v²”ª0Plý"%-y¼ëbQì¤œK
--- a/secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age
+++ b/secrets/rekeyed/sire-immich/ea03e492361c8f9b4c8df68598f02edf-wireguard-proxy-home-priv-sire-immich.age