From c2a8f8475f086ab955a9f4c16847662cb8d2b471 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sun, 7 Sep 2025 23:36:37 +0200
Subject: [PATCH] caddy: Make tailscale hosts ephemeral
---
 hosts/observer/secrets.json | 6 +++---
 hosts/srv-private/secrets.json | 6 +++---
 modules/system/services/caddy.nix | 1 +
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/hosts/observer/secrets.json b/hosts/observer/secrets.json
index b296c22..bf4736b 100644
--- a/hosts/observer/secrets.json
+++ b/hosts/observer/secrets.json
@@ -2,7 +2,7 @@
 "seb-password": "ENC[AES256_GCM,data:laGJomW5c5TB3alpPgZKElQ3Y46OBxPrA0AxVNgx/09oSuG0EM63cnnkwZkrTeZxqjBH2UOryLqCr9DUr9mhZsovqNtZ2t8Uzg==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:2nARGI9XwzLfJFRhDyGBSw==,type:str]",
 "tailscale": {
 "auth-key": "ENC[AES256_GCM,data:UYOACjPi7HKh3qB0yD5N8PlzvTXfzNr7qNfmLrj/KbBb4S0KDTI5xIFHpk3wkTwc+0d2RMMfpoJEnM68x5c=,iv:o36k4vtsnSThDQNIMIPBQHJ92WodbIyVC42L1t8Fvzg=,tag:6RqIP+fAv/ByYhxF12P4qg==,type:str]",
- "service-auth-key": "ENC[AES256_GCM,data:xM5+oTT6UBS+eE2hibdxFSWXz6al3fdDpq6vglJjwjTPSg1RF7VrVKZuczJqefD+y7/1GkRLiX5Lx5tSwA==,iv:vYZExfvn2C6ZEPqORAOFtpkXr7Kfc1JTdlhOIFhK3Rk=,tag:PrqQ/VnQveypEfUaCBEPpQ==,type:str]"
+ "service-auth-key": "ENC[AES256_GCM,data:2CO5QN0SSwzD6IIxjRNyUdG8n7kaNbpCVvvZh0ZXBNRC2x+smXWXCv9vPMYB8R3VCcWFTpF17J/8njqyfH4=,iv:e55ow3YQh6hd7FkTu09fMN8XgBk5ZsuHCtRDb5Q2sDI=,tag:zXXdoe1HD8Kl+kJ9NueT5A==,type:str]"
 },
 "healthchecks": {
 "ping-key": "ENC[AES256_GCM,data:wlrgEbJ9B57kjmB+0hof/fJOBb4tcA==,iv:ibMBpcrSocLBhtumsSV00+KVN6Pi4SzE7soCkZcU4fY=,tag:wqYBB0Bi3M+UYinhd8pY+w==,type:str]"
@@ -21,8 +21,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByczNyTzlPSXVZZ1hmbm1W\nM0l2c1ZXcXVxdGpNSUVZZzBtaktBVWo4cFYwCmU1bVdpNktiWCtlWFpOZ3UzOWhY\nY2NlS1g4dXhaNmRLVFhSR3BBQ1IvNnMKLS0tIEFZRGhzQ3dKV2pWUWpSbmRkaWFO\nMFcwWXlsTVJsSk1vZ1E3NGx5ZVBieGsKaz0euqXQzjqwVExTcg37uyiM0bPl3Pkh\n943SCEiQ/nWrhaLl0jQ4Xvoh2d8ylkDWLa79hz/e1s6NtuoJYjj40g==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2025-08-17T19:05:59Z",
- "mac": "ENC[AES256_GCM,data:iZfbKq3DbJjY+Lb55ZhPEzHyQZbQ2efgqPo5DGiCTRuYjGroJgoZ+tF290NtGpGd8C8dWch2sOsDuMXTRrflE5XmlXl66itjGNi/3T/a/3H89AbXfeFoPK7QwiE88zoOqbBO8fDr40SvPtn70w1gxmoCFR7RPbZdY9ZvQr1SbSI=,iv:jRzSxMi3DWEbmkA1QVvQny1viswbyU8pFld6gWA5U5s=,tag:vZaJu/KpITME+YJ0MJxuaw==,type:str]",
+ "lastmodified": "2025-09-07T21:04:40Z",
+ "mac": "ENC[AES256_GCM,data:nXUfYEqhNL3BKbrI/MqJ0Vi5f+pWwzZkkw8cCFDuFcYK8C4e8LNUp+rnzQE71QIsxmqaEEnZqyb/eBZOxZgoM4f7lh9PgDdb8btq5PGIkDk2JkKaJYEVHzjmkYnlegrptEWtntm6aYbzsO4NEhXsa3ub7R9jpPvJOH/XEpsLWXI=,iv:Z3FPPegOn732fYexsv5jQDRm0vpYJT/ArQCK/PnQa5g=,tag:uE+pSxZmTFPEXNEJOseMtA==,type:str]",
 "unencrypted_suffix": "_unencrypted",
 "version": "3.10.2"
 }
diff --git a/hosts/srv-private/secrets.json b/hosts/srv-private/secrets.json
index e7c5532..faaa1a5 100644
--- a/hosts/srv-private/secrets.json
+++ b/hosts/srv-private/secrets.json
@@ -2,7 +2,7 @@
 "seb-password": "ENC[AES256_GCM,data:oGrXukkbK9qYYo0ci+F4RwiwlRyme/+ypJozgiqH2DFd33SyjYnzX6u2f6a0+rIfwxO45dUrXCJyidWE2Fw26xE/uH9nPmDzuw==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag://NpB2SnxWlJPHNp92hdVA==,type:str]",
 "tailscale": {
 "auth-key": "ENC[AES256_GCM,data:oQuRcU6zZ07SsZ7C5AFikrtzYPm6mUsVRR4XusEbRua3ftn3DlY45b5MnvCi6slLfu9kD/ZxKf3bT0D+VA==,iv:imh6BrNPf2jVQ6eVaB9Mt+gX9zGq6mHX1+9yhY/KzrI=,tag:IwZRUnNckLI3jU16xZ2eFg==,type:str]",
- "service-auth-key": "ENC[AES256_GCM,data:0G2eZ6ch8tkDAbdtfbvjI/0PRhOCSVl31tKe51jrzcGtAXLz2cbJ3CtoE4v7E1Sj6eJNqLg7uKadTwNTGg==,iv:EEy2Z0ITF8gBNl4m9+qNOL0BRkmJnVO03qmAdMqD3xU=,tag:XoCogWibZt9xQEooTzzt2g==,type:str]"
+ "service-auth-key": "ENC[AES256_GCM,data:4WEAie9hguMOrDm/Fwgs/e9omesnLxHnvraY9sqjrRTvrZvT7WwKWwgJr/HQELWGiJoB1qmO6cfnTpdW9Rg=,iv:1e7sWm+CEXOBt7p74b9O5Hhs5+NYv6v6QfdqiKHNn18=,tag:rJ2s5+rdav7Rp9ja/pxZRA==,type:str]"
 },
 "restic": {
 "password": "ENC[AES256_GCM,data:0tQzfrSShJ6mrwjB7LRdO2LTRUxgTwn4mkA4Sze6,iv:q5qJkB3+feZyEm778hKI8ikNz9/9dj+Z1hda6M4eHfQ=,tag:GzqZtsHQ+7+uZkXp0fUheg==,type:str]"
@@ -32,8 +32,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBac0VBTXZVdmpjc29oMkJT\nVXhoZnJaWkFjVEVtelphMzlBM1BaNjM3VjBNCjV3U2JwUnRjeEhWWVlMbmZHcjJP\nT1VNUDlNUTM1UjlVdkNGN1BrWHNpVTQKLS0tIDkyWGZVTWFIQzJrVDQ2U0ErQXRm\ndEhnSkQ5SDlnbmhGSVdYaDNuc3ZkM00K7WPEZRYWAd7uGY0IcDwGgQVPrpkF/tnz\nncj03JXM4BXwvEQOmD/i6wS4U4WCwkh9EauGJljVFTeu6TciomDULQ==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2025-09-02T19:43:42Z",
- "mac": "ENC[AES256_GCM,data:1+j8+SjHlL6/FEKrcbSOYnLVVoOFDyobBV2FJ5U8c2UEAwb0ehoVkRuKDWE5IfEio8Q5L2UH5YX93djYIa/PqQy8vn/Yev4sB39Pwv9ZArL3nHAp1O0TINx41rVLxUAqMy0mcGvTX9w3k87q0xfw26FXcAAnx/m4DDUmO0KmorQ=,iv:NMC7j8EKqPOwHTLImGSt9AzodfTt0gWj6SqI67WGmDU=,tag:RQX4Ec0mdaUyKPvPdkB2VQ==,type:str]",
+ "lastmodified": "2025-09-07T21:34:09Z",
+ "mac": "ENC[AES256_GCM,data:9k1QGlpeVICsN1cKj+TMGZJv0O9avXTkG3Bb8w4Vjbq3y4I3rtMm4EF72nZzytKa3UmX/QhTcwWD+/Ju2SIHThicU8w9mPZy3WdHce86mzAncSClwm/tddK/X5+cVaq8HiouFrMQHaCeMKfATKjZyZQZgRtt3x2Mf2ucMPD6kQE=,iv:BA3vBdQ5D5kQQAfLJgrKzx/Dy4mMNXfgB04HPDI8dHw=,tag:PYhsYJy6uDuPf6T6En8ILQ==,type:str]",
 "unencrypted_suffix": "_unencrypted",
 "version": "3.10.2"
 }
diff --git a/modules/system/services/caddy.nix b/modules/system/services/caddy.nix
index bd924fe..c0231a3 100644
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@@ -106,6 +106,7 @@ in
 globalConfig = ''
 tailscale {
 auth_key {file.${config.sops.secrets."tailscale/service-auth-key".path}}
+ ephemeral true
 }
 '';
 };
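Review bot: The `ephemeral true` line added to the `tailscale { … }` global block in caddy.nix makes every Caddy restart depend on `tailscale/service-auth-key` still being valid, and nothing in the hunk records that. Ephemeral nodes are removed from the tailnet shortly after they go offline, so a node that was removed has to authenticate again with the key; presumably the key re-encrypted in both `secrets.json` files in this commit is a reusable ephemeral key, but that cannot be confirmed from the ciphertext. I would add a Caddyfile comment above the new line, `# ephemeral nodes re-register after removal: service-auth-key must be a reusable (ideally tagged) key and be rotated before it expires`, and check that the tailnet ACLs refer to a tag rather than to node IPs, which may not survive a fresh registration. The `globalConfig` string is fully visible here, but the attribute set it belongs to opens above the hunk.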