diff --git a/hosts/lio/i3_customizations.nix b/hosts/lio/i3_customizations.nix
index d53cb44..c125e8c 100644
--- a/hosts/lio/i3_customizations.nix
+++ b/hosts/lio/i3_customizations.nix
@@ -14,7 +14,8 @@ let
 '';
 bg1 = ../_shared_assets/wallpapers/pixel_neon.png;
 bg2 = ../_shared_assets/wallpapers/pixel_neon_v.png;
- xrSetup = "xrandr --output DP-1 --mode 3840x2160 --rate 97.98 --pos 0x0 --primary; sleep 0.2; xrandr --output DP-2 --mode 3440x1440 --rate 99.98 --rotate left --left-of DP-1";
+ # xrSetup = "xrandr --output DP-1 --mode 3840x2160 --rate 97.98 --pos 0x0 --primary; sleep 0.2; xrandr --output DP-2 --mode 3440x1440 --rate 99.98 --rotate left --left-of DP-1";
+ xrSetup = "xrandr --output DP-1 --mode 3840x2160 --rate 60 --pos 0x0 --primary; sleep 0.2; xrandr --output DP-2 --mode 3440x1440 --rate 99.98 --rotate left --left-of DP-1";
 xwallpaperCmd = "xwallpaper --output DP-1 --zoom ${bg1} --output DP-2 --zoom ${bg2}";
 startupCmd = "sh -c 'sleep 0.2; i3-msg workspace number 7; sleep 0.2; i3-msg workspace number 1'";
 i3ExtraOptions = {
diff --git a/secrets_epic.md b/secrets_epic.md
index faef05d..630bfc7 100644
--- a/secrets_epic.md
+++ b/secrets_epic.md
@@ -54,7 +54,7 @@ services.openbao = {
 **Expected config:**
 ```nix
-services.nginx.virtualHosts."vault.joshuabell.xyz" = {
+services.nginx.virtualHosts."sec.joshuabell.xyz" = {
 addSSL = true;
 sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
 sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem";
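Review bot: In hosts/lio/i3_customizations.nix the previous `xrSetup` (DP-1 at `--rate 97.98`) is left behind as a commented-out line, with nothing saying why DP-1 now runs at `--rate 60`. Either delete the dead line, since the history already keeps it, or put the reason above the live one, for example `# DP-1 pinned to 60 Hz: <reason>; previous rate was 97.98`. The enclosing `let` block starts and ends outside the hunk.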
@@ -76,12 +76,12 @@ services.nginx.virtualHosts."vault.joshuabell.xyz" = {
 ### 1.4 Initial Deployment
 **Tasks:**
-- [ ] Deploy to h001 with `nixos-rebuild switch`
-- [ ] Verify OpenBao service is running
-- [ ] Access UI at `https://vault.joshuabell.xyz`
-- [ ] Initialize OpenBao (generates root token and unseal keys)
-- [ ] Save unseal keys and root token securely (LastPass/Bitwarden)
-- [ ] Unseal the vault
+- [x] Deploy to h001 with `nixos-rebuild switch`
+- [x] Verify OpenBao service is running
+- [x] Access UI at `https://sec.joshuabell.xyz`
+- [x] Initialize OpenBao (generates root token and unseal keys)
+- [x] Save unseal keys and root token securely (LastPass/Bitwarden)
+- [x] Unseal the vault
 **Commands:**
 ```bash
@@ -106,7 +106,7 @@ openbao operator unseal
 **Commands:**
 ```bash
-export VAULT_ADDR='https://vault.joshuabell.xyz'
+export VAULT_ADDR='https://sec.joshuabell.xyz'
 openbao login
 openbao secrets enable -version=2 kv
 openbao kv put kv/test password=hello
@@ -277,7 +277,7 @@ in {
 **Tasks:**
 - [ ] Import vault-agent module
 - [ ] Configure vault-agent for h001:
- - vault address: `https://vault.joshuabell.xyz`
+ - vault address: `https://sec.joshuabell.xyz`
 - role: `nixos-h001`
 - JWT path: `/etc/vault/h001-jwt`
 - [ ] Define secrets needed by h001 services
@@ -287,7 +287,7 @@ in {
 ```nix
 services.vault-agent = {
 enable = true;
- vaultAddress = "https://vault.joshuabell.xyz";
+ vaultAddress = "https://sec.joshuabell.xyz";
 role = "nixos-h001";
 secrets = {
 postgres-password = {
@@ -515,7 +515,7 @@ openbao kv put kv/hosts/h001/openwebui \
 ## Success Criteria
-- [ ] OpenBao running and accessible at `https://vault.joshuabell.xyz`
+- [ ] OpenBao running and accessible at `https://sec.joshuabell.xyz`
 - [ ] Zitadel OIDC authentication working for machine users
 - [ ] At least 3 secrets migrated from agenix to OpenBao
 - [ ] Services on h001 starting successfully with vault-agent secrets