cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

secrets/chunk: add missing secrets and rewrite everything to new structure

Browse source
This commit is contained in:
cy 2024-12-16 23:20:51 -05:00
parent 029e608eaa
commit 3d927f8372
11 changed files with 123 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
.sops.yaml
View file

@ -51,3 +51,11 @@ creation_rules:
key_groups:
- age:
- *chunk
- path_regex: secrets/services/vaultwarden.yaml
key_groups:
- age:
- *chunk
- path_regex: secrets/rclone/chunk.yaml
key_groups:
- age:
- *chunk

10
hosts/chunk/borg.nix
View file

@ -1,4 +1,8 @@
{pkgs, ...}: {
{
pkgs,
config,
...
}: {
services.borgbackup.jobs = {
crashRsync = {
paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
@ -6,7 +10,7 @@
repo = "de3911@de3911.rsync.net:borg/crash";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/secrets/borg/crash";
passCommand = "cat ${config.sops.secrets."borg/rsyncnet".path}";
};
environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
@ -18,7 +22,7 @@
# warnings are often not that serious
failOnWarnings = false;
postHook = ''
${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy".path}) -d "chunk: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk
'';

54
hosts/chunk/default.nix
View file

@ -2,7 +2,6 @@
config,
lib,
pkgs,
inputs,
...
}: {
imports = [
@ -24,36 +23,57 @@
./tor.nix
];
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = {
"borg/crash" = {};
"ntfy" = {};
"rclone" = {};
"vaultwarden" = {};
"caddy" = {};
"hedgedoc" = {};
"wireguard/private" = {};
"wireguard/psk" = {};
"wireguard/pskphone" = {};
"miniflux" = {};
"borg/rsyncnet" = {
sopsFile = ../../secrets/borg/chunk.yaml;
};
"services/ntfy" = {
sopsFile = ../../secrets/services/ntfy.yaml;
};
"rclone/env" = {
sopsFile = ../../secrets/rclone/chunk.yaml;
};
"vaultwarden/env" = {
sopsFile = ../../secrets/services/vaultwarden.yaml;
};
"caddy/env" = {
sopsFile = ../../secrets/services/caddy.yaml;
};
"hedgedoc/env" = {
sopsFile = ../../secrets/services/hedgedoc.yaml;
};
"wireguard/private" = {
sopsFile = ../../secrets/wireguard/chunk.yaml;
};
"wireguard/psk-yt" = {
sopsFile = ../../secrets/wireguard/chunk.yaml;
};
"wireguard/psk-phone" = {
sopsFile = ../../secrets/wireguard/chunk.yaml;
};
"miniflux/env" = {
sopsFile = ../../secrets/services/miniflux.yaml;
};
"gitlab/root" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/secret" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/jws" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/db" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/otp" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
};
@ -146,7 +166,7 @@
services.caddy = {
enable = true;
configFile = ./Caddyfile;
environmentFile = "/run/secrets/caddy";
environmentFile = config.sops.secrets."caddy/env".path;
logFormat = lib.mkForce "level INFO";
};

12
hosts/chunk/gitlab.nix
View file

@ -1,4 +1,4 @@
{...}: {
{config, ...}: {
services.gitlab = {
enable = true;
https = true;
@ -10,12 +10,12 @@
sidekiq.concurrency = 10;
databaseUsername = "git"; # needs to be same as user
initialRootEmail = "hi@cything.io";
initialRootPasswordFile = "/run/secrets/gitlab/root";
initialRootPasswordFile = config.sops.secrets."gitlab/root".path;
secrets = {
secretFile = "/run/secrets/gitlab/secret";
otpFile = "/run/secrets/gitlab/otp";
jwsFile = "/run/secrets/gitlab/jws";
dbFile = "/run/secrets/gitlab/db";
secretFile = config.sops.secrets."gitlab/secret".path;
otpFile = config.sops.secrets."gitlab/otp".path;
jwsFile = config.sops.secrets."gitlab/jws".path;
dbFile = config.sops.secrets."gitlab/db".path;
};
};
}

4
hosts/chunk/hedgedoc.nix
View file

@ -1,7 +1,7 @@
{...}: {
{config, ...}: {
services.hedgedoc = {
enable = true;
environmentFile = "/run/secrets/hedgedoc";
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
db = {
username = "hedgedoc";

4
hosts/chunk/miniflux.nix
View file

@ -1,7 +1,7 @@
{...}: {
{config, ...}: {
services.miniflux = {
enable = true;
adminCredentialsFile = "/run/secrets/miniflux";
adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = {
PORT = 8080;
BASE_URL = "https://rss.cything.io";

10
hosts/chunk/rclone.nix
View file

@ -1,4 +1,8 @@
{pkgs, ...}: {
{
pkgs,
config,
...
}: {
systemd.services.immich-mount = {
enable = true;
description = "Mount the immich data remote";
@ -10,7 +14,7 @@
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
ExecStop = "/bin/fusermount -u /mnt/photos";
EnvironmentFile = "/run/secrets/rclone";
EnvironmentFile = config.sops.secrets."rclone/env".path;
};
};
@ -24,7 +28,7 @@
Type = "notify";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
ExecStop = "/bin/fusermount -u /mnt/nextcloud";
EnvironmentFile = "/run/secrets/rclone";
EnvironmentFile = config.sops.secrets."rclone/env".path;
};
};
programs.fuse.userAllowOther = true;

4
hosts/chunk/vaultwarden.nix
View file

@ -1,8 +1,8 @@
{...}: {
{config, ...}: {
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = "/run/secrets/vaultwarden";
environmentFile = config.sops.secrets."vaultwarden/env".path;
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = "8081";

12
hosts/chunk/wireguard.nix
View file

@ -1,4 +1,8 @@
{pkgs, ...}: {
{
pkgs,
config,
...
}: {
networking.nat = {
enable = true;
enableIPv6 = true;
@ -9,7 +13,7 @@
networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard/private";
privateKeyFile = config.sops.secrets."wireguard/private".path;
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
@ -30,12 +34,12 @@
{
publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
presharedKeyFile = "/run/secrets/wireguard/psk";
presharedKeyFile = config.sops.secrets."wireguard/psk-yt".path;
}
{
publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
presharedKeyFile = "/run/secrets/wireguard/pskphone";
presharedKeyFile = config.sops.secrets."wireguard/psk-phone".path;
}
];
};

22
secrets/rclone/chunk.yaml Normal file
View file

@ -0,0 +1,22 @@
rclone:
env: ENC[AES256_GCM,data:e8O4cUbgFMseJTvzGyBhsD/beCkhuh/Sl4ZHqV/kQodcuKi3V9XHyeCAnBb/,iv:rOySfX7vQ1mduFEL4gSbM8rYk9Gp7aEcieV1CW+aGDk=,tag:aWmdde3Xv9IqLRigPZBH1w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUnBqMU56ZS9QZnpETmZ6
a2tVRURyTU1LakR3bi90QXNpR21JcEI0ZFZzCm9jTDlCNk1xSTgwcmRqc3ZNbkJG
RzloNTZHQUJXU2J4UUttcjdIdFl6dWMKLS0tIDNaTUpZQ3lwYk1lNTlZMjF5d2VR
U09rb0kvcU1FdVBsanQyM3grTWdKRkEKAxZyWISPu4XUBevUhdOwd6ZJHfbvpAch
+jGrLXGBYlvp2oKdWHBXjv3HZ3N0IyEj07LyYsPBLchmUxhOCn4Piw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-17T03:32:29Z"
mac: ENC[AES256_GCM,data:TTaw6wv7cidgcB7c2igUPo6urQ87d0btr5puTr9yA8ppJ0iTKdLQT2nIZI0OHnP/cFE/at0YrhDNNk5AL1y9fuATRWveu1Y2KmjlYNXLlZS4PdAr3rsUs3FqSECdTqXR8ZYGodA5mOSjzWu1eYuoubVk2wtXV0alMUY7bwrnr6E=,iv:1zslrT0FX6SIEIRHPloLa2Fy8pVJVqMDIghR46l5+xg=,tag:qpw9iQAetUIoqvDQzufh8w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2

22
secrets/services/vaultwarden.yaml Normal file
View file

@ -0,0 +1,22 @@
vaultwarden:
env: ENC[AES256_GCM,data:VBYfmsrB5LLcEyFqKGvMz9U7LRix8Yo5IBoyIelwKY0g/TfaaFO8QTo84CQrkgB1faFex2xX/nbnsaUslSgxYu36f4XmaMUzMJ6FneDUnbAU2wp09bxek7iEqfRSrennfwAa3cTpOr3RkWG8AfW9xDMFhduqSSr3emqrXSGSnPSI5BuDjru5NbVmcPSdw9U396rkGZd5znxnIa+2f63+ox45tHxsOsC9iVlnnX4KMfJl+8QufX19atxGZwH2OVWn7ehesOd+DuvRMWkProoUERbGz51EvBQm3Ixm4WSQ3M9vFSIuup3ppNBYKHG6a9XAGiEyFDZEEiYhVQ==,iv:tCE83OE3c9bUXb8Z4sPJc/YwjOCftj4dmW0M//3ncQU=,tag:TyLR+5hNcQnXLZUxZiIKmg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcFBzNi9lcFNyYVM0VzF2
UGtralRTNi9qVG9waElST05BZTU2U1Y1endvCjFRT2FtbEFKZUt5Wm1WQ2lITzlL
TXNjZlMrNnB4K0NsSVd4TnFKa0thSTQKLS0tIElkR28wMUNKd090Z1M5eG9nVzFO
L0I2TWZackFkbDMzRnN6NXV2eXNjOGMK3jJFBU/aMtH11l9V2FgHgAJdGRJvYfIQ
DAwMwUM+pz7/uJJ/PmDx1aF8SRGPbG+CjcNz2SSo/u99GX5q08jVkg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-17T03:33:07Z"
mac: ENC[AES256_GCM,data:Voh0c1sqoT3CBGyjDXkFAjuHRlQG8JwNLwWF0TMBaQ/Ihz1zplEeHfsM23IceEhBggbEHqhcRipqTkSH24tkXD9wqvg0GsZZLiQ52o+JYPmPCaXZFqfLqjNKFS1y6+rokQaFy4rphWSBv0uS52MaOx8WIZr7m7s3/NNnaEy059E=,iv:Q8EswVeJdsQUDxnj4fTJESCYYHXn648sKVghLtRtBpU=,tag:cveD+MXcTn+xfU8fBkRZYQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2