diff --git a/.sops.yaml b/.sops.yaml index 98aeed8..2145c55 100755 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,32 +11,32 @@ keys: - &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg creation_rules: - - path_regex: modules/shared/sops/iriy.ya?ml + - path_regex: modules/shared/sops/private/iriy.[a-z]+ key_groups: - age: - *iriy pgp: - *sora - - path_regex: modules/shared/sops/avalon.ya?ml + - path_regex: modules/shared/sops/private/avalon.[a-z]+ key_groups: - age: - *avalon pgp: - *sora - - path_regex: modules/shared/sops/valinor.ya?ml + - path_regex: modules/shared/sops/private/valinor.[a-z]+ key_groups: - age: - *valinor pgp: - *sora - - path_regex: modules/shared/sops/asgard.ya?ml + - path_regex: modules/shared/sops/private/asgard.[a-z]+ key_groups: - age: - *asgard pgp: - *sora - - path_regex: modules/shared/sops/common.yaml + - path_regex: modules/shared/sops/common.[a-z]+ key_groups: - age: - *valinor @@ -46,7 +46,18 @@ creation_rules: pgp: - *sora - - path_regex: modules/shared/sops/mock.yaml + - path_regex: modules/shared/sops/mock.[a-z]+ key_groups: - age: - - *ci \ No newline at end of file + - *ci + + + - path_regex: modules/server/sops/server.[a-z]+ + key_groups: + - age: + - *valinor + - *iriy + - *avalon + - *asgard + pgp: + - *sora \ No newline at end of file diff --git a/modules/home/cli/zsh/default.nix b/modules/home/cli/zsh/default.nix index b9ef50e..d98eb27 100755 --- a/modules/home/cli/zsh/default.nix +++ b/modules/home/cli/zsh/default.nix @@ -14,7 +14,9 @@ in { "ssh" = "TERM=xterm-256color ${pkgs.openssh}/bin/ssh"; "top" = "btop"; }; - shellInit = - "\n sopsu() {nix-shell -p sops --run \"sops updatekeys $1\"}\n "; + initExtra = '' + sopsu() {nix-shell -p sops --run "sops updatekeys $1";} + sopsn() {nix-shell -p sops --run "sops $1";} + ''; }; } diff --git a/modules/server/default.nix b/modules/server/default.nix index 680d1ba..fe0ccb3 100644 --- a/modules/server/default.nix +++ b/modules/server/default.nix 
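Review bot: The new `path_regex` values such as `modules/shared/sops/private/iriy.[a-z]+` leave the dot unescaped and the pattern unanchored, so the rule also matches `private/iriy-old.yaml` or any deeper path that happens to contain that prefix, and creation rules are first-match. Because these rules decide which age/pgp recipients a newly created secret file is encrypted to, a mis-match silently encrypts a file to the wrong host key. Tightening each rule to the form `path_regex: ^modules/shared/sops/private/iriy\.(yaml|json|env)$` (and likewise for `avalon`, `valinor`, `asgard` and `common`) keeps the extension flexibility this change is after without widening what the rule matches.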
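Review bot: The new `modules/server/sops/server.[a-z]+` rule encrypts the server secret file to all four host age keys (`valinor`, `iriy`, `avalon`, `asgard`) plus the pgp key, so the Infomaniak API token and anything else placed in that file is decryptable on every host, including hosts that never import `modules/server`. If only some of these machines run the server role, the recipient list should be reduced to those hosts so a compromised workstation key does not expose the DNS-provider credential. A comment on the rule would make the intent reviewable, e.g. `# server.yaml: list only hosts that import modules/server; run 'sops updatekeys' after changing`.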
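Review bot: In `sopsu` and `sopsn` the argument `$1` is spliced unquoted into the command string handed to `nix-shell --run`, which is re-parsed by a second shell, so a path containing spaces or shell metacharacters is word-split or interpreted. Quoting with zsh's `(q)` parameter flag keeps the argument intact, but inside a Nix `''` string the `${` has to be escaped as `''${`: `sopsu() { nix-shell -p sops --run "sops updatekeys ''${(q)1}"; }` and `sopsn() { nix-shell -p sops --run "sops ''${(q)1}"; }`. A guard such as `[[ -n "$1" ]] || { echo "usage: sopsu FILE" >&2; return 1; }` would also stop a bare `sops updatekeys` from running when the function is called with no argument.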
@@ -1,6 +1,7 @@ { config, pkgs, lib, ... }: let in { + imports = [ ./sops ]; environment.systemPackages = with pkgs; [ arion ]; virtualisation.arion = { backend = "podman-socket"; @@ -10,4 +11,5 @@ in { import ./docker/authentik.nix { inherit config pkgs lib; }; }; }; + } diff --git a/modules/server/docker/cloud.nix b/modules/server/docker/cloud.nix index 0fdc8ff..77f734a 100644 --- a/modules/server/docker/cloud.nix +++ b/modules/server/docker/cloud.nix @@ -85,7 +85,7 @@ in { networks = [ "external" ]; volumes = [ "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var" - "/${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt" + "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt" ]; environment = { NODE_ENV = "production"; @@ -119,12 +119,12 @@ in { networks = [ "external" "internal" ]; volumes = [ "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var" - "/${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt" + "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt" ]; environment = { NODE_ENV = "production"; TITLE = "Helcel-Calc"; - REDIS_PORT_6379_TCP_ADDR = "redis"; + REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis"; REDIS_PORT_6379_TCP_PORT = "6379"; ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD"; SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background"; diff --git a/modules/server/docker/sample.nix b/modules/server/docker/sample.nix index 84610d0..1a20639 100644 --- a/modules/server/docker/sample.nix +++ b/modules/server/docker/sample.nix @@ -1,12 +1,17 @@ -{ pkgs, ... }: { - project.name = "NEW"; +{ config, pkgs, lib, ... }: +let serverCfg = config.syscfg.server; +in { + project.name = "name"; networks = { internal = { + name = lib.mkForce "internal"; internal = true; - external = false; }; - external = { external = true; }; + external = { + name = lib.mkForce "external"; + internal = false; + }; }; services = { 
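Review bot: `ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";` on the new side hands the container a literal placeholder as its admin password through the compose environment, where it ends up in the generated compose file in the Nix store and in `podman inspect`; if that string is not substituted at deploy time it is also the effective password. Since this commit introduces `sops.secrets` for the server role, the value belongs in a sops-managed env file (for example `env_file = [ config.sops.secrets.etherpad_env.path ];`) rather than a literal in the module. The `APIKEY.txt` bind mount fixed in this hunk could also be made read-only with a `:ro` suffix, as the container only needs to read it. The enclosing service definition starts and ends outside the hunk.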
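Review bot: Forcing the network names to the literal `internal` and `external` with `lib.mkForce` in the sample (and in the new traefik project) means every arion project joins the same two podman networks, so the per-project network isolation arion would otherwise give is gone and a compromised container on `external` can reach every other service on it. That may be intentional so traefik can reach all backends, but it should be stated, e.g. `# networks are shared across all arion projects on this host so traefik can route to them; do not place backends on "external" that should not be reachable by other projects`. The `serverCfg` binding added to the sample is unused in the visible hunk; the rest of the file is outside it.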
diff --git a/modules/server/docker/traefik.nix b/modules/server/docker/traefik.nix new file mode 100644 index 0000000..903864c --- /dev/null +++ b/modules/server/docker/traefik.nix 
@@ -0,0 +1,81 @@ +{ config, pkgs, ... }: { + project.name = "traefik"; + + networks = { + internal = { + name = lib.mkForce "internal"; + internal = true; + }; + external = { + name = lib.mkForce "external"; + internal = false; + }; + }; + + services = { + + traefik.service = { + image = "traefik:latest"; + container_name = "traefik"; + restart = "unless-stopped"; + networks = [ "internal" "external" ]; + command = [ + "--api" + "--providers.docker=true" + "--entrypoints.web.address=:80" + "--entrypoints.web-secure.address=:443" + ]; + port = [ "443" "80" ]; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock:ro" + "${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml" + "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log" + "${serverCfg.configPath}/traefik/acme.json:/acme.json" + ]; + environment = { + "INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path; + }; + labels = { "traefik.enable" = "false"; }; + }; + + matomo.service = { + image = "matomo:latest"; + container_name = "matomo"; + restart = "unless-stopped"; + networks = [ "external" ]; + volumes = [ + "/etc/localtime:/etc/localtime:ro" + "${serverCfg.configPath}/matomo:/var/www/html/config:rw" + "${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro" + ]; + environment = { }; + labels = { + "traefik.http.routers.matomo.rule" = + "Host(`matomo.${serverCfg.hostDomain}`)"; + "traefik.http.routers.matomo.entrypoints" = "web-secure"; + "traefik.http.routers.matomo.tls" = "true"; + }; + }; + + searx.service = { + image = "searxng/searxng:latest"; + container_name = "searx"; + restart = "unless-stopped"; + networks = [ "external" ]; + volumes = [ "/etc/localtime:/etc/localtime:ro" ]; + environment = { + "BASE_URL" = "https://searx.${serverCfg.hostDomain}"; + "AUTOCOMPLETE" = "true"; + "INSTANCE_NAME" = "searx${serverCfg.shortName}"; + }; + labels = { + "traefik.http.routers.matomo.rule" = + "Host(`searx.${serverCfg.hostDomain}`)"; + 
"traefik.http.routers.matomo.entrypoints" = "web-secure"; + "traefik.http.routers.matomo.tls" = "true"; + }; + }; + + }; +} + diff --git a/modules/server/sops/default.nix b/modules/server/sops/default.nix new file mode 100644 index 0000000..2c380e9 --- /dev/null +++ b/modules/server/sops/default.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: { + sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; }; + sops.secrets."${config.syscfg.hostname}_ssh_pub" = { + mode = "0400"; + owner = config.users.users.${config.syscfg.defaultUser}.name; + group = config.users.users.${config.syscfg.defaultUser}.group; + }; + sops.secrets."${config.syscfg.hostname}_wg_priv" = { }; + sops.secrets."${config.syscfg.hostname}_wg_pub" = { }; +} diff --git a/modules/server/sops/server.yaml b/modules/server/sops/server.yaml new file mode 100644 index 0000000..ed7673c --- /dev/null +++ b/modules/server/sops/server.yaml 
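Review bot: `INFOMANIAK_ACCESS_TOKEN` is set to `config.sops.secrets.INFOMANIAK_API_KEY.path`, which evaluates to the host path of the decrypted secret (a `/run/secrets/...` string), not the token, and that path is not among the container's `volumes`, so the ACME DNS challenge would authenticate with a literal path. The fix is to bind-mount the secret read-only into the container and point lego's `INFOMANIAK_ACCESS_TOKEN_FILE` at it (lego reads provider variables from a `_FILE` counterpart; worth confirming against the Traefik version actually deployed). Two more defects in the same hunk: the file takes `{ config, pkgs, ... }` but uses `lib.mkForce` and `serverCfg`, neither of which is bound, and the `searx` labels reuse the router name `matomo`, so both services define conflicting `traefik.http.routers.matomo.*` entries. Separately, `--providers.docker=true` without `--providers.docker.exposedByDefault=false` publishes every container the socket can see unless it opts out, and `traefik:latest` with the docker socket mounted (the `:ro` on the socket does not restrict the API) is an unpinned image holding host-root-equivalent access, so pin a digest and default to not exposing.
```nix
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
  # … unchanged: project.name, networks …
  services = {
    traefik.service = {
      # … unchanged: image (pin a digest), container_name, restart, networks …
      command = [
        "--api"
        "--providers.docker=true"
        "--providers.docker.exposedByDefault=false"
        "--entrypoints.web.address=:80"
        "--entrypoints.web-secure.address=:443"
      ];
      # … unchanged: port …
      volumes = [
        "/var/run/docker.sock:/var/run/docker.sock:ro"
        "${config.sops.secrets.INFOMANIAK_API_KEY.path}:/run/secrets/infomaniak_token:ro"
        # … unchanged: traefik.yaml, access.log, acme.json mounts …
      ];
      environment = {
        # lego reads the token from this file instead of the environment value
        "INFOMANIAK_ACCESS_TOKEN_FILE" = "/run/secrets/infomaniak_token";
      };
      # … unchanged: labels …
    };
    # … unchanged: matomo (needs "traefik.enable" = "true" once exposedByDefault is off) …
    searx.service = {
      # … unchanged: image, container_name, restart, networks, volumes, environment …
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.searx.rule" = "Host(`searx.${serverCfg.hostDomain}`)";
        "traefik.http.routers.searx.entrypoints" = "web-secure";
        "traefik.http.routers.searx.tls" = "true";
      };
    };
  };
}
```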
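Review bot: Only `INFOMANIAK_API_KEY` sets `sopsFile = ./server.yaml`; the `_ssh_pub`, `_wg_priv` and `_wg_pub` secrets fall back to `sops.defaultSopsFile`, which the shared module in this same commit sets to `common.yaml` (or `mock.yaml` under CI), and the new `server.yaml` indeed holds only the API key. That split is not obvious from this file, so a header comment would help the next maintainer: `# Server-only secrets live in ./server.yaml (see .sops.yaml rule); per-host ssh/wg keys come from the shared defaultSopsFile and must also exist in mock.yaml for CI`. The `_ssh_pub` entry is the only one granted to `defaultUser` with mode `0400`, which is stricter than a public key needs but harmless; the private WireGuard key correctly keeps the root-only default.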
@@ -0,0 +1,68 @@ +INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZk1VY3NEZmRkS0J6dU03 + OUtETWpHL2hLN09kRytNUEhmVnA5WW9yVXlNCmZaZnQ2YUlMMmlrZ2dEZDVFMHA5 + OUpqOTJJbHVVREtpSFUyaDJDbXltaTgKLS0tIFY0ZkF3Ym5oeHViN3J4eW4vSVYz + QkhuU0NLWElyVXpZd2ZpOHhwam04R28KFuaI35e8pB25M2dlP19gApso12ZYJ3ld + BpMnp97ShX0I8bZRIYxSHpSrB/J+tt1V4pfGdJq7uWZM7XacPy666A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZXNjRzJsdFpTdDZhSkRB + eW1qSStnZHN5Tzh3bFA1azZIRk42V1RzSTJJCi9MV0k5ZXNQOWJFYnlXdnB3azBL + NzNldkFLWlEyT01MeWlFU3RKODU4dWcKLS0tIFJXL1ZsNDgydTgxVGRMYWxyQTNT + K1M0TDd1eGd1V3pOcjl1M1VrdDUvbG8KpsWlrr14MOh/8mG+rXpswPPFE3VnpKGt + 03DWUII3+MMEWLJPLxkNJ9BzCm4Kl1QNHSbJ7Ex6df0b7nB6Ed6Hvw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5U1VjTjlIMTdLRFQ5R1Av + SVBLMFZtV3ppK2VXWjdYelNGTGFOZUJaMndBCjYyZ0IveXFiVDlSUEtNOXk2L3g3 + UmFIRE1GMEs2QVhUcFJkTHpCWmhhbG8KLS0tIG94NStMUnFZRTRsK2w4cDd4Rms5 + M1MwTEtJNEFDdjRLVFRseThxNGJUQ0kKKN7QX9qUojNQBknbInaXslaKsAAhEj5y + QMXAU6TxlHMv+wZy2RQwMe/zE7RP24TypnX894iV0usTHujyxvfk3w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUHFYMWdVczRPdEFSbFR5 + 
VmcxeEU4YWxwRTlDUkRkNVY0dFh5cjVUNjNnCkRSblNaS214dkdrd3JnNE5rZnR3 + S0JVeXova1h2VnB2ODY0SUYxZm45TjAKLS0tIFN1QXFyTkt3SmV0UVhGMlMxTmpN + VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq + VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-08T16:05:46Z" + mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str] + pgp: + - created_at: "2024-05-08T15:46:52Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6R3Y9nD7qMBAQ//bYK5gdxv8fNvG6P4GrD27gQRQXhLGF2+hS54sqEqjeN8 + NZpHVbNNRR3AggOkT7QY1JO8bOhWscefH1vvBmBuODzh5Fw42t4zNPEDjWZEetxa + rClbLEvo7Kz8UKCNb9JIeYx7cr8sPWCmg4GvV1wGjhjr+u5ovuheORnHl+qoLsqv + P12PV7VzwC52v92GWiu9LRJqfqZra5GjUXGVXzBcZ9i6CnUDejzssWjhO/fmzKum + GbGIi9sf3RmVYsUASDgRBmVAZC3KF7RLi0L6WY0etRocAaWSAgnU1lZ04E8ZtLjk + DlCtIpreJ1H0Ym+5EXB94PG0KZjayxKc20YDQ+yYwwSmiCVaUCLlYX2BOoncUYFF + MxVgWYwn14R5jyGbh4NyiBxPGHvIUx5RCIo70pMgS6W5ALZYTcNDLF82mj1xTOTy + bcuaa7FCuXJif457LCe5TcAa5WYDgKX8pUKzFRhWIckcGwgFCUB0Z7+L9L7F0yt/ + YZd71cY0Lxlwi61CnWgZZMx2FFpHyBCEmF1A180KUtB1jSkS/AVmlM2z9I0QsR62 + fTFIaqimPMjUzbuTs0QjUXf8OJZo0/cwo9XeGyCBtJTg7cLdsOFouqfvXhvkdCrR + xCLE2Ke5jwmoPKs1t+YpwMMzB57j/rluZCgiz45w7YDXKf4gEp2ra9siFiC/y9PS + XgEPymUiDZY0w9S5oGr94cNc6LQId16Zgt1vWHLzgg8QZqkxLTBjUXXc7aoCISQp + AwUE62KJucVvWjB3kcgDbNvaDWWC5O48zUavmzkmmP1sqKf0gO/XG52PDG/DF3Y= + =cs0r + -----END PGP MESSAGE----- + fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/modules/shared/sops/default.nix b/modules/shared/sops/default.nix index 4270a5f..54ecdc5 100755 --- a/modules/shared/sops/default.nix +++ b/modules/shared/sops/default.nix 
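Review bot: The age recipient list in the new `server.yaml` contains `age1sxzuhh2…sqdj7lg` (the `asgard` anchor in `.sops.yaml`) three times and `age1ms8f0ysv6…` once, while the matching creation rule names four distinct hosts, so either three anchors in `.sops.yaml` resolve to the same key or the file was encrypted before the rule was finalised and `sops updatekeys modules/server/sops/server.yaml` has not been run. Either way the file is not decryptable by the set of hosts the policy describes, or the policy carries duplicate keys, and that should be settled before a host relies on the secret. The encrypted payload itself is generated and is not reviewed here.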
@@ -8,7 +8,7 @@ let sopsFilePath = (if isCI then ./mock.yaml else ./common.yaml); in { environment.systemPackages = with pkgs; [ sops ]; - environment.sessionVariables.OPS_AGE_KEY_FILE = keyFilePath; + environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath; sops.defaultSopsFile = sopsFilePath; sops.age.keyFile = keyFilePath; diff --git a/modules/shared/syscfg/default.nix b/modules/shared/syscfg/default.nix index f13779b..6c094ae 100644 --- a/modules/shared/syscfg/default.nix +++ b/modules/shared/syscfg/default.nix @@ -72,6 +72,7 @@ let }; serverOpt = with lib; { hostDomain = mkOption { type = types.str; }; + shortName = mkOption { type = types.str; }; mailDomain = mkOption { type = types.str; }; mailServer = mkOption { type = types.str; };
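Review bot: Exporting `SOPS_AGE_KEY_FILE` to every login session via `environment.sessionVariables` points all users' `sops` invocations at the host age key in `keyFilePath`, the same file `sops.age.keyFile` uses to decrypt every secret on the machine. That is only safe if the key file is root-owned and mode `0400`, in which case unprivileged users merely get a permission error; if it is readable by the default user, any process in that session can decrypt all host secrets, and the variable turns that into the intended workflow. Worth confirming the file mode where `keyFilePath` is created and considering setting the variable only for the admin user rather than system-wide; a comment such as `# host age key: must stay root:root 0400, this variable only saves typing --age-key-file for root` would record the assumption. `keyFilePath` is defined above the hunk.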