secrets/chunk: add missing secrets and rewrite everything to new structure

cy 2024-12-16 23:20:51 -05:00
parent 029e608eaa
commit 3d927f8372
11 changed files with 123 additions and 39 deletions


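--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -51,3 +51,11 @@ creation_rules:
 key_groups:
 - age:
 - *chunk
+- path_regex: secrets/services/vaultwarden.yaml
+key_groups:
+- age:
+- *chunk
+- path_regex: secrets/rclone/chunk.yaml
+key_groups:
+- age:
+- *chunk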
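Review bot: The two new `path_regex` rules grant only the `*chunk` recipient, and both new secret files accordingly carry a single age recipient, so if that anchor is the host's own key, no other key can decrypt or re-key these files once the host key is lost. That matches the existing rules visible in the hunk's context, so it may be deliberate; if it is not, add an operator or recovery recipient next to `- *chunk` in each `key_groups` entry. The anchor's definition is outside the hunk, so this is inferred from the rules shown here.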


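--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+pkgs,
+config,
+...
+}: {
 services.borgbackup.jobs = {
 crashRsync = {
 paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
@@ -6,7 +10,7 @@
 repo = "de3911@de3911.rsync.net:borg/crash";
 encryption = {
 mode = "repokey-blake2";
-passCommand = "cat /run/secrets/borg/crash";
+passCommand = "cat ${config.sops.secrets."borg/rsyncnet".path}";
 };
 environment = {
 BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
@@ -18,7 +22,7 @@
 # warnings are often not that serious
 failOnWarnings = false;
 postHook = ''
-${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
+${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy".path}) -d "chunk: backup completed with exit code: $exitStatus
 $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
 https://ntfy.cything.io/chunk
 '';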
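Review bot: In the rewritten `postHook` the ntfy credential is still expanded into curl's argument list via `-u $(cat …)`, so for the duration of the call it is readable by any local user through the process table, even though the file itself is now a root-only sops secret. Letting curl read the credential from a file keeps it out of argv: store the value as a curl config line (`user = "name:token"`) and call `${pkgs.curl}/bin/curl -K ${config.sops.secrets."services/ntfy".path} -d "…" https://ntfy.cything.io/chunk`. This changes the format of the `services/ntfy` secret, so the encrypted value in `secrets/services/ntfy.yaml` (not part of this commit) would need to be re-encrypted to match.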


@ -2,7 +2,6 @@
config, config,
lib, lib,
pkgs, pkgs,
inputs,
... ...
}: { }: {
imports = [ imports = [
@ -24,36 +23,57 @@
./tor.nix ./tor.nix
]; ];
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = { sops.secrets = {
"borg/crash" = {}; "borg/rsyncnet" = {
"ntfy" = {}; sopsFile = ../../secrets/borg/chunk.yaml;
"rclone" = {}; };
"vaultwarden" = {}; "services/ntfy" = {
"caddy" = {}; sopsFile = ../../secrets/services/ntfy.yaml;
"hedgedoc" = {}; };
"wireguard/private" = {}; "rclone/env" = {
"wireguard/psk" = {}; sopsFile = ../../secrets/rclone/chunk.yaml;
"wireguard/pskphone" = {}; };
"miniflux" = {}; "vaultwarden/env" = {
sopsFile = ../../secrets/services/vaultwarden.yaml;
};
"caddy/env" = {
sopsFile = ../../secrets/services/caddy.yaml;
};
"hedgedoc/env" = {
sopsFile = ../../secrets/services/hedgedoc.yaml;
};
"wireguard/private" = {
sopsFile = ../../secrets/wireguard/chunk.yaml;
};
"wireguard/psk-yt" = {
sopsFile = ../../secrets/wireguard/chunk.yaml;
};
"wireguard/psk-phone" = {
sopsFile = ../../secrets/wireguard/chunk.yaml;
};
"miniflux/env" = {
sopsFile = ../../secrets/services/miniflux.yaml;
};
"gitlab/root" = { "gitlab/root" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name; owner = config.users.users.git.name;
group = config.users.users.git.group;
}; };
"gitlab/secret" = { "gitlab/secret" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name; owner = config.users.users.git.name;
group = config.users.users.git.group;
}; };
"gitlab/jws" = { "gitlab/jws" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name; owner = config.users.users.git.name;
group = config.users.users.git.group;
}; };
"gitlab/db" = { "gitlab/db" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name; owner = config.users.users.git.name;
group = config.users.users.git.group;
}; };
"gitlab/otp" = { "gitlab/otp" = {
sopsFile = ../../secrets/services/gitlab.yaml;
owner = config.users.users.git.name; owner = config.users.users.git.name;
group = config.users.users.git.group;
}; };
}; };
@ -146,7 +166,7 @@
services.caddy = { services.caddy = {
enable = true; enable = true;
configFile = ./Caddyfile; configFile = ./Caddyfile;
environmentFile = "/run/secrets/caddy"; environmentFile = config.sops.secrets."caddy/env".path;
logFormat = lib.mkForce "level INFO"; logFormat = lib.mkForce "level INFO";
}; };
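Review bot: Several entries are declared under new names — `"borg/rsyncnet"`, `"services/ntfy"`, `"wireguard/psk-yt"`, `"wireguard/psk-phone"` and the `*/env` entries — and sops-nix looks each one up inside its `sopsFile` by that name unless `key` is set, yet of the referenced yaml files only `secrets/rclone/chunk.yaml` and, judging by its contents, `secrets/services/vaultwarden.yaml` are part of this commit. If, for example, `secrets/wireguard/chunk.yaml` still stores the values under `wireguard/psk` and `wireguard/pskphone`, activation will fail when the key is not found; either rename the keys in those files or pin the lookup with `key = "wireguard/psk";` on the renamed entry. Separately, the five `gitlab/*` entries repeat the same three attributes and could be generated once with `lib.genAttrs`, since `lib` is already among the module arguments.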


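--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,4 +1,4 @@
-{...}: {
+{config, ...}: {
 services.gitlab = {
 enable = true;
 https = true;
@@ -10,12 +10,12 @@
 sidekiq.concurrency = 10;
 databaseUsername = "git"; # needs to be same as user
 initialRootEmail = "hi@cything.io";
-initialRootPasswordFile = "/run/secrets/gitlab/root";
+initialRootPasswordFile = config.sops.secrets."gitlab/root".path;
 secrets = {
-secretFile = "/run/secrets/gitlab/secret";
-otpFile = "/run/secrets/gitlab/otp";
-jwsFile = "/run/secrets/gitlab/jws";
-dbFile = "/run/secrets/gitlab/db";
+secretFile = config.sops.secrets."gitlab/secret".path;
+otpFile = config.sops.secrets."gitlab/otp".path;
+jwsFile = config.sops.secrets."gitlab/jws".path;
+dbFile = config.sops.secrets."gitlab/db".path;
 };
 };
 }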


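--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,7 +1,7 @@
-{...}: {
+{config, ...}: {
 services.hedgedoc = {
 enable = true;
-environmentFile = "/run/secrets/hedgedoc";
+environmentFile = config.sops.secrets."hedgedoc/env".path;
 settings = {
 db = {
 username = "hedgedoc";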


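--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,7 +1,7 @@
-{...}: {
+{config, ...}: {
 services.miniflux = {
 enable = true;
-adminCredentialsFile = "/run/secrets/miniflux";
+adminCredentialsFile = config.sops.secrets."miniflux/env".path;
 config = {
 PORT = 8080;
 BASE_URL = "https://rss.cything.io";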


@ -1,4 +1,8 @@
{pkgs, ...}: { {
pkgs,
config,
...
}: {
systemd.services.immich-mount = { systemd.services.immich-mount = {
enable = true; enable = true;
description = "Mount the immich data remote"; description = "Mount the immich data remote";
@ -10,7 +14,7 @@
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos"; ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos "; ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
ExecStop = "/bin/fusermount -u /mnt/photos"; ExecStop = "/bin/fusermount -u /mnt/photos";
EnvironmentFile = "/run/secrets/rclone"; EnvironmentFile = config.sops.secrets."rclone/env".path;
}; };
}; };
@ -24,7 +28,7 @@
Type = "notify"; Type = "notify";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud"; ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
ExecStop = "/bin/fusermount -u /mnt/nextcloud"; ExecStop = "/bin/fusermount -u /mnt/nextcloud";
EnvironmentFile = "/run/secrets/rclone"; EnvironmentFile = config.sops.secrets."rclone/env".path;
}; };
}; };
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;


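--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,8 +1,8 @@
-{...}: {
+{config, ...}: {
 services.vaultwarden = {
 enable = true;
 dbBackend = "postgresql";
-environmentFile = "/run/secrets/vaultwarden";
+environmentFile = config.sops.secrets."vaultwarden/env".path;
 config = {
 ROCKET_ADDRESS = "127.0.0.1";
 ROCKET_PORT = "8081";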


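--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+pkgs,
+config,
+...
+}: {
 networking.nat = {
 enable = true;
 enableIPv6 = true;
@@ -9,7 +13,7 @@
 networking.wg-quick.interfaces.wg0 = {
 address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
 listenPort = 51820;
-privateKeyFile = "/run/secrets/wireguard/private";
+privateKeyFile = config.sops.secrets."wireguard/private".path;
 postUp = ''
 ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
 ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
@@ -30,12 +34,12 @@
 {
 publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
 allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
-presharedKeyFile = "/run/secrets/wireguard/psk";
+presharedKeyFile = config.sops.secrets."wireguard/psk-yt".path;
 }
 {
 publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
 allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
-presharedKeyFile = "/run/secrets/wireguard/pskphone";
+presharedKeyFile = config.sops.secrets."wireguard/psk-phone".path;
 }
 ];
 };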

22
secrets/rclone/chunk.yaml Normal file

@ -0,0 +1,22 @@
rclone:
env: ENC[AES256_GCM,data:e8O4cUbgFMseJTvzGyBhsD/beCkhuh/Sl4ZHqV/kQodcuKi3V9XHyeCAnBb/,iv:rOySfX7vQ1mduFEL4gSbM8rYk9Gp7aEcieV1CW+aGDk=,tag:aWmdde3Xv9IqLRigPZBH1w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUnBqMU56ZS9QZnpETmZ6
a2tVRURyTU1LakR3bi90QXNpR21JcEI0ZFZzCm9jTDlCNk1xSTgwcmRqc3ZNbkJG
RzloNTZHQUJXU2J4UUttcjdIdFl6dWMKLS0tIDNaTUpZQ3lwYk1lNTlZMjF5d2VR
U09rb0kvcU1FdVBsanQyM3grTWdKRkEKAxZyWISPu4XUBevUhdOwd6ZJHfbvpAch
+jGrLXGBYlvp2oKdWHBXjv3HZ3N0IyEj07LyYsPBLchmUxhOCn4Piw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-17T03:32:29Z"
mac: ENC[AES256_GCM,data:TTaw6wv7cidgcB7c2igUPo6urQ87d0btr5puTr9yA8ppJ0iTKdLQT2nIZI0OHnP/cFE/at0YrhDNNk5AL1y9fuATRWveu1Y2KmjlYNXLlZS4PdAr3rsUs3FqSECdTqXR8ZYGodA5mOSjzWu1eYuoubVk2wtXV0alMUY7bwrnr6E=,iv:1zslrT0FX6SIEIRHPloLa2Fy8pVJVqMDIghR46l5+xg=,tag:qpw9iQAetUIoqvDQzufh8w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2


@ -0,0 +1,22 @@
vaultwarden:
env: ENC[AES256_GCM,data:VBYfmsrB5LLcEyFqKGvMz9U7LRix8Yo5IBoyIelwKY0g/TfaaFO8QTo84CQrkgB1faFex2xX/nbnsaUslSgxYu36f4XmaMUzMJ6FneDUnbAU2wp09bxek7iEqfRSrennfwAa3cTpOr3RkWG8AfW9xDMFhduqSSr3emqrXSGSnPSI5BuDjru5NbVmcPSdw9U396rkGZd5znxnIa+2f63+ox45tHxsOsC9iVlnnX4KMfJl+8QufX19atxGZwH2OVWn7ehesOd+DuvRMWkProoUERbGz51EvBQm3Ixm4WSQ3M9vFSIuup3ppNBYKHG6a9XAGiEyFDZEEiYhVQ==,iv:tCE83OE3c9bUXb8Z4sPJc/YwjOCftj4dmW0M//3ncQU=,tag:TyLR+5hNcQnXLZUxZiIKmg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcFBzNi9lcFNyYVM0VzF2
UGtralRTNi9qVG9waElST05BZTU2U1Y1endvCjFRT2FtbEFKZUt5Wm1WQ2lITzlL
TXNjZlMrNnB4K0NsSVd4TnFKa0thSTQKLS0tIElkR28wMUNKd090Z1M5eG9nVzFO
L0I2TWZackFkbDMzRnN6NXV2eXNjOGMK3jJFBU/aMtH11l9V2FgHgAJdGRJvYfIQ
DAwMwUM+pz7/uJJ/PmDx1aF8SRGPbG+CjcNz2SSo/u99GX5q08jVkg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-17T03:33:07Z"
mac: ENC[AES256_GCM,data:Voh0c1sqoT3CBGyjDXkFAjuHRlQG8JwNLwWF0TMBaQ/Ihz1zplEeHfsM23IceEhBggbEHqhcRipqTkSH24tkXD9wqvg0GsZZLiQ52o+JYPmPCaXZFqfLqjNKFS1y6+rokQaFy4rphWSBv0uS52MaOx8WIZr7m7s3/NNnaEy059E=,iv:Q8EswVeJdsQUDxnj4fTJESCYYHXn648sKVghLtRtBpU=,tag:cveD+MXcTn+xfU8fBkRZYQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2