secrets/chunk: add missing secrets and rewrite everything to new structure

cy 2024-12-16 23:20:51 -05:00
parent 029e608eaa
commit 3d927f8372
11 changed files with 123 additions and 39 deletions


@ -1,4 +1,8 @@
{pkgs, ...}: {
{
pkgs,
config,
...
}: {
services.borgbackup.jobs = {
crashRsync = {
paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
@ -6,7 +10,7 @@
repo = "de3911@de3911.rsync.net:borg/crash";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/secrets/borg/crash";
passCommand = "cat ${config.sops.secrets."borg/rsyncnet".path}";
};
environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
@ -18,7 +22,7 @@
# warnings are often not that serious
failOnWarnings = false;
postHook = ''
${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy".path}) -d "chunk: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk
'';
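Review bot: The new curl line (L35) still puts the ntfy credential on the command line via `-u $(cat …)`, so for the lifetime of the curl process it is readable by every local user through `ps`/`/proc/*/cmdline`, and the unquoted `$(cat …)` is also subject to word splitting. Feeding it through a curl config file on stdin keeps it out of argv: `printf 'user = "%s"\n' "$(cat ${config.sops.secrets."services/ntfy".path})" \` followed by `| ${pkgs.curl}/bin/curl -K - -d "chunk: backup completed with exit code: $exitStatus` (the rest of the command unchanged). This assumes the secret is in curl's `user:password` form, as the current `-u` usage implies, and that it contains no `"` or `\` that would need escaping in the config syntax. The enclosing `services.borgbackup.jobs.crashRsync` attribute set starts before this hunk.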


@ -2,7 +2,6 @@
config,
lib,
pkgs,
inputs,
...
}: {
imports = [
@ -24,36 +23,57 @@
./tor.nix
];
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = {
"borg/crash" = {};
"ntfy" = {};
"rclone" = {};
"vaultwarden" = {};
"caddy" = {};
"hedgedoc" = {};
"wireguard/private" = {};
"wireguard/psk" = {};
"wireguard/pskphone" = {};
"miniflux" = {};
"borg/rsyncnet" = {
sopsFile = ../../secrets/borg/chunk.yaml;
};
"services/ntfy" = {
sopsFile = ../../secrets/services/ntfy.yaml;
};
"rclone/env" = {
sopsFile = ../../secrets/rclone/chunk.yaml;
};
"vaultwarden/env" = {
sopsFile = ../../secrets/services/vaultwarden.yaml;
};
"caddy/env" = {
sopsFile = ../../secrets/services/caddy.yaml;
};
"hedgedoc/env" = {
sopsFile = ../../secrets/services/hedgedoc.yaml;
};
"wireguard/private" = {
sopsFile = ../../secrets/wireguard/chunk.yaml;
};
"wireguard/psk-yt" = {
sopsFile = ../../secrets/wireguard/chunk.yaml;
};
"wireguard/psk-phone" = {
sopsFile = ../../secrets/wireguard/chunk.yaml;
};
"miniflux/env" = {
sopsFile = ../../secrets/services/miniflux.yaml;
};
"gitlab/root" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/secret" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/jws" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/db" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/otp" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
};
@ -146,7 +166,7 @@
services.caddy = {
enable = true;
configFile = ./Caddyfile;
environmentFile = "/run/secrets/caddy";
environmentFile = config.sops.secrets."caddy/env".path;
logFormat = lib.mkForce "level INFO";
};
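Review bot: The five `gitlab/*` entries (L95–L119) repeat the same `sopsFile`/`owner`/`group` triple verbatim, which is easy to get out of sync when the next GitLab secret is added, and nothing records why these are the only secrets not left root-only. Since `lib` is already an argument of this module (L44), a single `let` binding plus `lib.genAttrs` states the policy once, with a comment explaining that GitLab reads these files itself as the `git` user. The remaining entries keep their current form; the `sops.secrets` set is complete within the hunk, but the module continues outside it.
```nix
sops.secrets = let
  # GitLab reads these files itself as the `git` user, so they cannot stay root-only.
  gitlabSecret = {
    sopsFile = ../../secrets/services/gitlab.yaml;
    owner = config.users.users.git.name;
    group = config.users.users.git.group;
  };
in {
  # … unchanged: borg/rsyncnet, services/ntfy, rclone/env, */env and wireguard/* entries …
} // lib.genAttrs (map (n: "gitlab/${n}") ["root" "secret" "jws" "db" "otp"]) (_: gitlabSecret);
```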


@ -1,4 +1,4 @@
{...}: {
{config, ...}: {
services.gitlab = {
enable = true;
https = true;
@ -10,12 +10,12 @@
sidekiq.concurrency = 10;
databaseUsername = "git"; # needs to be same as user
initialRootEmail = "hi@cything.io";
initialRootPasswordFile = "/run/secrets/gitlab/root";
initialRootPasswordFile = config.sops.secrets."gitlab/root".path;
secrets = {
secretFile = "/run/secrets/gitlab/secret";
otpFile = "/run/secrets/gitlab/otp";
jwsFile = "/run/secrets/gitlab/jws";
dbFile = "/run/secrets/gitlab/db";
secretFile = config.sops.secrets."gitlab/secret".path;
otpFile = config.sops.secrets."gitlab/otp".path;
jwsFile = config.sops.secrets."gitlab/jws".path;
dbFile = config.sops.secrets."gitlab/db".path;
};
};
}


@ -1,7 +1,7 @@
{...}: {
{config, ...}: {
services.hedgedoc = {
enable = true;
environmentFile = "/run/secrets/hedgedoc";
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
db = {
username = "hedgedoc";


@ -1,7 +1,7 @@
{...}: {
{config, ...}: {
services.miniflux = {
enable = true;
adminCredentialsFile = "/run/secrets/miniflux";
adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = {
PORT = 8080;
BASE_URL = "https://rss.cything.io";


@ -1,4 +1,8 @@
{pkgs, ...}: {
{
pkgs,
config,
...
}: {
systemd.services.immich-mount = {
enable = true;
description = "Mount the immich data remote";
@ -10,7 +14,7 @@
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
ExecStop = "/bin/fusermount -u /mnt/photos";
EnvironmentFile = "/run/secrets/rclone";
EnvironmentFile = config.sops.secrets."rclone/env".path;
};
};
@ -24,7 +28,7 @@
Type = "notify";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
ExecStop = "/bin/fusermount -u /mnt/nextcloud";
EnvironmentFile = "/run/secrets/rclone";
EnvironmentFile = config.sops.secrets."rclone/env".path;
};
};
programs.fuse.userAllowOther = true;
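Review bot: Both mount units now take their credentials from the root-owned `rclone/env` secret (L200, L208), but the `--config /home/yt/.config/rclone/rclone.conf` they pair with (L197, L205) is still a file under a user's home directory; if these units run as root (no `User=` is visible in the hunk), whoever can write that file decides which remotes root mounts and with what options, which undoes part of what moving the environment file into sops buys. Consider managing `rclone.conf` through sops as well and pointing `--config` at that path, or, if the current arrangement is deliberate, documenting it next to the units with a comment such as `# rclone.conf is owned by yt; the unit trusts that user to define the remotes`. The `systemd.services` attribute set continues outside this hunk.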


@ -1,8 +1,8 @@
{...}: {
{config, ...}: {
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = "/run/secrets/vaultwarden";
environmentFile = config.sops.secrets."vaultwarden/env".path;
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = "8081";


@ -1,4 +1,8 @@
{pkgs, ...}: {
{
pkgs,
config,
...
}: {
networking.nat = {
enable = true;
enableIPv6 = true;
@ -9,7 +13,7 @@
networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard/private";
privateKeyFile = config.sops.secrets."wireguard/private".path;
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
@ -30,12 +34,12 @@
{
publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
presharedKeyFile = "/run/secrets/wireguard/psk";
presharedKeyFile = config.sops.secrets."wireguard/psk-yt".path;
}
{
publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
presharedKeyFile = "/run/secrets/wireguard/pskphone";
presharedKeyFile = config.sops.secrets."wireguard/psk-phone".path;
}
];
};
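Review bot: The renamed secrets `wireguard/psk-yt` and `wireguard/psk-phone` (L253, L259) now encode which device each peer is, but the peer blocks themselves carry only an opaque public key and an address, so a reader has to infer the mapping from the secret name. A one-line comment on each peer entry, e.g. `# peer: yt (10.0.0.2)` and `# peer: phone (10.0.0.3)`, makes the key/PSK/address triple verifiable at a glance and catches a mismatched file the next time a key is rotated. The `peers` list and the `wg0` interface definition start before this hunk.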