wire tide service into nixos config
Imports the tide nixos module from the TIDE flake and configures it for tide.yisroelbaum.com (frontend) and apitide.yisroelbaum.com (backend), reusing the existing wildcard ACME cert. Secrets are pulled from sops-encrypted secrets/tide.yaml; replace the placeholder with real encrypted content before deploy.
This commit is contained in:
parent
b7716061e4
commit
d195c6b37c
4 changed files with 75 additions and 0 deletions
23
secrets/README.md
Normal file
23
secrets/README.md
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
# Secrets
|
||||
|
||||
Encrypted with [sops](https://github.com/getsops/sops) using the
|
||||
host's age key.
|
||||
|
||||
## First-time setup on the server
|
||||
|
||||
1. Generate an age key for the host:
|
||||
```
|
||||
sudo mkdir -p /var/lib/sops-nix
|
||||
sudo age-keygen -o /var/lib/sops-nix/key.txt
|
||||
sudo chmod 600 /var/lib/sops-nix/key.txt
|
||||
```
|
||||
2. Read the public key:
|
||||
```
|
||||
sudo grep "public key" /var/lib/sops-nix/key.txt
|
||||
```
|
||||
3. On a workstation, put that public key into `.sops.yaml` at
|
||||
the repo root and encrypt `tide.yaml.example` into
|
||||
`tide.yaml`.
|
||||
|
||||
`tide.yaml` is encrypted and committed. `tide.yaml.example` is
|
||||
the plaintext template.
|
||||
Loading…
Add table
Add a link
Reference in a new issue