sora/nixconfig
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Releases Activity

sops&server
Some checks failed
Nix Build / build-nixos (push) Failing after 20s
Details

Browse Source
This commit is contained in:
soraefir 2024-05-08 18:47:42 +02:00
parent 16540a9327
commit c636f15689
Signed by: sora
GPG Key ID: A362EA0491E2EEA0
10 changed files with 197 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.sops.yaml
View File

@ -11,32 +11,32 @@ keys:
- &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg - &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
creation_rules: creation_rules:
- path_regex: modules/shared/sops/iriy.ya?ml - path_regex: modules/shared/sops/private/iriy.[a-z]+
key_groups: key_groups:
- age: - age:
- *iriy - *iriy
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/avalon.ya?ml - path_regex: modules/shared/sops/private/avalon.[a-z]+
key_groups: key_groups:
- age: - age:
- *avalon - *avalon
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/valinor.ya?ml - path_regex: modules/shared/sops/private/valinor.[a-z]+
key_groups: key_groups:
- age: - age:
- *valinor - *valinor
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/asgard.ya?ml - path_regex: modules/shared/sops/private/asgard.[a-z]+
key_groups: key_groups:
- age: - age:
- *asgard - *asgard
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/common.yaml - path_regex: modules/shared/sops/common.[a-z]+
key_groups: key_groups:
- age: - age:
- *valinor - *valinor
@ -46,7 +46,18 @@ creation_rules:
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/mock.yaml - path_regex: modules/shared/sops/mock.[a-z]+
key_groups: key_groups:
- age: - age:
- *ci - *ci
- path_regex: modules/server/sops/server.[a-z]+
key_groups:
- age:
- *valinor
- *iriy
- *avalon
- *asgard
pgp:
- *sora

6
modules/home/cli/zsh/default.nix
View File

@ -14,7 +14,9 @@ in {
"ssh" = "TERM=xterm-256color ${pkgs.openssh}/bin/ssh"; "ssh" = "TERM=xterm-256color ${pkgs.openssh}/bin/ssh";
"top" = "btop"; "top" = "btop";
}; };
shellInit = initExtra = ''
"\n sopsu() {nix-shell -p sops --run \"sops updatekeys $1\"}\n "; sopsu() {nix-shell -p sops --run "sops updatekeys $1";}
sopsn() {nix-shell -p sops --run "sops $1";}
'';
}; };
} }

2
modules/server/default.nix
View File

@ -1,6 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
in { in {
imports = [ ./sops ];
environment.systemPackages = with pkgs; [ arion ]; environment.systemPackages = with pkgs; [ arion ];
virtualisation.arion = { virtualisation.arion = {
backend = "podman-socket"; backend = "podman-socket";
@ -10,4 +11,5 @@ in {
import ./docker/authentik.nix { inherit config pkgs lib; }; import ./docker/authentik.nix { inherit config pkgs lib; };
}; };
}; };
} }

6
modules/server/docker/cloud.nix
View File

@ -85,7 +85,7 @@ in {
networks = [ "external" ]; networks = [ "external" ];
volumes = [ volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var" "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"/${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt" "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
]; ];
environment = { environment = {
NODE_ENV = "production"; NODE_ENV = "production";
@ -119,12 +119,12 @@ in {
networks = [ "external" "internal" ]; networks = [ "external" "internal" ];
volumes = [ volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var" "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"/${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt" "${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
]; ];
environment = { environment = {
NODE_ENV = "production"; NODE_ENV = "production";
TITLE = "Helcel-Calc"; TITLE = "Helcel-Calc";
REDIS_PORT_6379_TCP_ADDR = "redis"; REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
REDIS_PORT_6379_TCP_PORT = "6379"; REDIS_PORT_6379_TCP_PORT = "6379";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD"; ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background"; SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";

13
modules/server/docker/sample.nix
View File

@ -1,12 +1,17 @@
{ pkgs, ... }: { { config, pkgs, lib, ... }:
project.name = "NEW"; let serverCfg = config.syscfg.server;
in {
project.name = "name";
networks = { networks = {
internal = { internal = {
name = lib.mkForce "internal";
internal = true; internal = true;
external = false;
}; };
external = { external = true; }; external = {
name = lib.mkForce "external";
internal = false;
};
}; };
services = { services = {

81
modules/server/docker/traefik.nix Normal file
View File

@ -0,0 +1,81 @@
{ config, pkgs, ... }: {
project.name = "traefik";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
traefik.service = {
image = "traefik:latest";
container_name = "traefik";
restart = "unless-stopped";
networks = [ "internal" "external" ];
command = [
"--api"
"--providers.docker=true"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
];
port = [ "443" "80" ];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro"
"${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
"${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.configPath}/traefik/acme.json:/acme.json"
];
environment = {
"INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
};
labels = { "traefik.enable" = "false"; };
};
matomo.service = {
image = "matomo:latest";
container_name = "matomo";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${serverCfg.configPath}/matomo:/var/www/html/config:rw"
"${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
];
environment = { };
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`matomo.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
searx.service = {
image = "searxng/searxng:latest";
container_name = "searx";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ "/etc/localtime:/etc/localtime:ro" ];
environment = {
"BASE_URL" = "https://searx.${serverCfg.hostDomain}";
"AUTOCOMPLETE" = "true";
"INSTANCE_NAME" = "searx${serverCfg.shortName}";
};
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`searx.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
};
}

10
modules/server/sops/default.nix Normal file
View File

@ -0,0 +1,10 @@
{ config, pkgs, ... }: {
sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
mode = "0400";
owner = config.users.users.${config.syscfg.defaultUser}.name;
group = config.users.users.${config.syscfg.defaultUser}.group;
};
sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
}

68
modules/server/sops/server.yaml Normal file
View File

@ -0,0 +1,68 @@
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZk1VY3NEZmRkS0J6dU03
OUtETWpHL2hLN09kRytNUEhmVnA5WW9yVXlNCmZaZnQ2YUlMMmlrZ2dEZDVFMHA5
OUpqOTJJbHVVREtpSFUyaDJDbXltaTgKLS0tIFY0ZkF3Ym5oeHViN3J4eW4vSVYz
QkhuU0NLWElyVXpZd2ZpOHhwam04R28KFuaI35e8pB25M2dlP19gApso12ZYJ3ld
BpMnp97ShX0I8bZRIYxSHpSrB/J+tt1V4pfGdJq7uWZM7XacPy666A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZXNjRzJsdFpTdDZhSkRB
eW1qSStnZHN5Tzh3bFA1azZIRk42V1RzSTJJCi9MV0k5ZXNQOWJFYnlXdnB3azBL
NzNldkFLWlEyT01MeWlFU3RKODU4dWcKLS0tIFJXL1ZsNDgydTgxVGRMYWxyQTNT
K1M0TDd1eGd1V3pOcjl1M1VrdDUvbG8KpsWlrr14MOh/8mG+rXpswPPFE3VnpKGt
03DWUII3+MMEWLJPLxkNJ9BzCm4Kl1QNHSbJ7Ex6df0b7nB6Ed6Hvw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5U1VjTjlIMTdLRFQ5R1Av
SVBLMFZtV3ppK2VXWjdYelNGTGFOZUJaMndBCjYyZ0IveXFiVDlSUEtNOXk2L3g3
UmFIRE1GMEs2QVhUcFJkTHpCWmhhbG8KLS0tIG94NStMUnFZRTRsK2w4cDd4Rms5
M1MwTEtJNEFDdjRLVFRseThxNGJUQ0kKKN7QX9qUojNQBknbInaXslaKsAAhEj5y
QMXAU6TxlHMv+wZy2RQwMe/zE7RP24TypnX894iV0usTHujyxvfk3w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUHFYMWdVczRPdEFSbFR5
VmcxeEU4YWxwRTlDUkRkNVY0dFh5cjVUNjNnCkRSblNaS214dkdrd3JnNE5rZnR3
S0JVeXova1h2VnB2ODY0SUYxZm45TjAKLS0tIFN1QXFyTkt3SmV0UVhGMlMxTmpN
VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq
VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-08T16:05:46Z"
mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str]
pgp:
- created_at: "2024-05-08T15:46:52Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6R3Y9nD7qMBAQ//bYK5gdxv8fNvG6P4GrD27gQRQXhLGF2+hS54sqEqjeN8
NZpHVbNNRR3AggOkT7QY1JO8bOhWscefH1vvBmBuODzh5Fw42t4zNPEDjWZEetxa
rClbLEvo7Kz8UKCNb9JIeYx7cr8sPWCmg4GvV1wGjhjr+u5ovuheORnHl+qoLsqv
P12PV7VzwC52v92GWiu9LRJqfqZra5GjUXGVXzBcZ9i6CnUDejzssWjhO/fmzKum
GbGIi9sf3RmVYsUASDgRBmVAZC3KF7RLi0L6WY0etRocAaWSAgnU1lZ04E8ZtLjk
DlCtIpreJ1H0Ym+5EXB94PG0KZjayxKc20YDQ+yYwwSmiCVaUCLlYX2BOoncUYFF
MxVgWYwn14R5jyGbh4NyiBxPGHvIUx5RCIo70pMgS6W5ALZYTcNDLF82mj1xTOTy
bcuaa7FCuXJif457LCe5TcAa5WYDgKX8pUKzFRhWIckcGwgFCUB0Z7+L9L7F0yt/
YZd71cY0Lxlwi61CnWgZZMx2FFpHyBCEmF1A180KUtB1jSkS/AVmlM2z9I0QsR62
fTFIaqimPMjUzbuTs0QjUXf8OJZo0/cwo9XeGyCBtJTg7cLdsOFouqfvXhvkdCrR
xCLE2Ke5jwmoPKs1t+YpwMMzB57j/rluZCgiz45w7YDXKf4gEp2ra9siFiC/y9PS
XgEPymUiDZY0w9S5oGr94cNc6LQId16Zgt1vWHLzgg8QZqkxLTBjUXXc7aoCISQp
AwUE62KJucVvWjB3kcgDbNvaDWWC5O48zUavmzkmmP1sqKf0gO/XG52PDG/DF3Y=
=cs0r
-----END PGP MESSAGE-----
fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
unencrypted_suffix: _unencrypted
version: 3.8.1

2
modules/shared/sops/default.nix
View File

@ -8,7 +8,7 @@ let
sopsFilePath = (if isCI then ./mock.yaml else ./common.yaml); sopsFilePath = (if isCI then ./mock.yaml else ./common.yaml);
in { in {
environment.systemPackages = with pkgs; [ sops ]; environment.systemPackages = with pkgs; [ sops ];
environment.sessionVariables.OPS_AGE_KEY_FILE = keyFilePath; environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath;
sops.defaultSopsFile = sopsFilePath; sops.defaultSopsFile = sopsFilePath;
sops.age.keyFile = keyFilePath; sops.age.keyFile = keyFilePath;

1
modules/shared/syscfg/default.nix
View File

@ -72,6 +72,7 @@ let
}; };
serverOpt = with lib; { serverOpt = with lib; {
hostDomain = mkOption { type = types.str; }; hostDomain = mkOption { type = types.str; };
shortName = mkOption { type = types.str; };
mailDomain = mkOption { type = types.str; }; mailDomain = mkOption { type = types.str; };
mailServer = mkOption { type = types.str; }; mailServer = mkOption { type = types.str; };