sora/nixconfig
1
0
Fork 0
Code Issues 1 Pull Requests Actions Releases Activity

Compare commits

base: sora:c636f15689b9cc9be20be86141e4259b8a1bb4df
Branches Tags
sora:main
..
compare: sora:5a50140975668fb7b838a42b87a85c8f8559c23a
Branches Tags
sora:main

No commits in common. "c636f15689b9cc9be20be86141e4259b8a1bb4df" and "5a50140975668fb7b838a42b87a85c8f8559c23a" have entirely different histories.
c636f15689 ... 5a50140975

12 changed files with 18 additions and 201 deletions
Show Stats Expand all files Collapse all files

5
.gitea/workflows/build.yml
View File

@ -17,9 +17,8 @@ jobs:
- name: "Install Nix ❄️" - name: "Install Nix ❄️"
uses: cachix/install-nix-action@v26 uses: cachix/install-nix-action@v26
- uses: DeterminateSystems/nix-installer-action@v4 - uses: DeterminateSystems/magic-nix-cache-action@main
- uses: DeterminateSystems/magic-nix-cache-action@v4 - uses: DeterminateSystems/flake-checker-action@main
- uses: DeterminateSystems/flake-checker-action@v4
- name: "Install Cachix ❄️" - name: "Install Cachix ❄️"
uses: cachix/cachix-action@v14 uses: cachix/cachix-action@v14

23
.sops.yaml
View File

@ -11,32 +11,32 @@ keys:
- &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg - &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
creation_rules: creation_rules:
- path_regex: modules/shared/sops/private/iriy.[a-z]+ - path_regex: modules/shared/sops/iriy.ya?ml
key_groups: key_groups:
- age: - age:
- *iriy - *iriy
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/private/avalon.[a-z]+ - path_regex: modules/shared/sops/avalon.ya?ml
key_groups: key_groups:
- age: - age:
- *avalon - *avalon
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/private/valinor.[a-z]+ - path_regex: modules/shared/sops/valinor.ya?ml
key_groups: key_groups:
- age: - age:
- *valinor - *valinor
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/private/asgard.[a-z]+ - path_regex: modules/shared/sops/asgard.ya?ml
key_groups: key_groups:
- age: - age:
- *asgard - *asgard
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/common.[a-z]+ - path_regex: modules/shared/sops/common.yaml
key_groups: key_groups:
- age: - age:
- *valinor - *valinor
@ -46,18 +46,7 @@ creation_rules:
pgp: pgp:
- *sora - *sora
- path_regex: modules/shared/sops/mock.[a-z]+ - path_regex: modules/shared/sops/mock.yaml
key_groups: key_groups:
- age: - age:
- *ci - *ci
- path_regex: modules/server/sops/server.[a-z]+
key_groups:
- age:
- *valinor
- *iriy
- *avalon
- *asgard
pgp:
- *sora

4
modules/home/cli/zsh/default.nix
View File

@ -14,9 +14,5 @@ in {
"ssh" = "TERM=xterm-256color ${pkgs.openssh}/bin/ssh"; "ssh" = "TERM=xterm-256color ${pkgs.openssh}/bin/ssh";
"top" = "btop"; "top" = "btop";
}; };
initExtra = ''
sopsu() {nix-shell -p sops --run "sops updatekeys $1";}
sopsn() {nix-shell -p sops --run "sops $1";}
'';
}; };
} }

2
modules/home/gui/theme/default.nix
View File

@ -28,7 +28,7 @@ in {
qt = { qt = {
enable = true; enable = true;
platformTheme.name = "gtk3"; platformTheme = "gtk";
}; };
home.packages = [ wallpaperGen pkgs.swww ]; home.packages = [ wallpaperGen pkgs.swww ];

2
modules/server/default.nix
View File

@ -1,7 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
in { in {
imports = [ ./sops ];
environment.systemPackages = with pkgs; [ arion ]; environment.systemPackages = with pkgs; [ arion ];
virtualisation.arion = { virtualisation.arion = {
backend = "podman-socket"; backend = "podman-socket";
@ -11,5 +10,4 @@ in {
import ./docker/authentik.nix { inherit config pkgs lib; }; import ./docker/authentik.nix { inherit config pkgs lib; };
}; };
}; };
} }

6
modules/server/docker/cloud.nix
View File

@ -85,7 +85,7 @@ in {
networks = [ "external" ]; networks = [ "external" ];
volumes = [ volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var" "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt" "/${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
]; ];
environment = { environment = {
NODE_ENV = "production"; NODE_ENV = "production";
@ -119,12 +119,12 @@ in {
networks = [ "external" "internal" ]; networks = [ "external" "internal" ];
volumes = [ volumes = [
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var" "${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt" "/${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
]; ];
environment = { environment = {
NODE_ENV = "production"; NODE_ENV = "production";
TITLE = "Helcel-Calc"; TITLE = "Helcel-Calc";
REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis"; REDIS_PORT_6379_TCP_ADDR = "redis";
REDIS_PORT_6379_TCP_PORT = "6379"; REDIS_PORT_6379_TCP_PORT = "6379";
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD"; ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background"; SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";

13
modules/server/docker/sample.nix
View File

@ -1,17 +1,12 @@
{ config, pkgs, lib, ... }: { pkgs, ... }: {
let serverCfg = config.syscfg.server; project.name = "NEW";
in {
project.name = "name";
networks = { networks = {
internal = { internal = {
name = lib.mkForce "internal";
internal = true; internal = true;
external = false;
}; };
external = { external = { external = true; };
name = lib.mkForce "external";
internal = false;
};
}; };
services = { services = {

81
modules/server/docker/traefik.nix
View File

@ -1,81 +0,0 @@
{ config, pkgs, ... }: {
project.name = "traefik";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
traefik.service = {
image = "traefik:latest";
container_name = "traefik";
restart = "unless-stopped";
networks = [ "internal" "external" ];
command = [
"--api"
"--providers.docker=true"
"--entrypoints.web.address=:80"
"--entrypoints.web-secure.address=:443"
];
port = [ "443" "80" ];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro"
"${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
"${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
"${serverCfg.configPath}/traefik/acme.json:/acme.json"
];
environment = {
"INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
};
labels = { "traefik.enable" = "false"; };
};
matomo.service = {
image = "matomo:latest";
container_name = "matomo";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${serverCfg.configPath}/matomo:/var/www/html/config:rw"
"${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
];
environment = { };
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`matomo.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
searx.service = {
image = "searxng/searxng:latest";
container_name = "searx";
restart = "unless-stopped";
networks = [ "external" ];
volumes = [ "/etc/localtime:/etc/localtime:ro" ];
environment = {
"BASE_URL" = "https://searx.${serverCfg.hostDomain}";
"AUTOCOMPLETE" = "true";
"INSTANCE_NAME" = "searx${serverCfg.shortName}";
};
labels = {
"traefik.http.routers.matomo.rule" =
"Host(`searx.${serverCfg.hostDomain}`)";
"traefik.http.routers.matomo.entrypoints" = "web-secure";
"traefik.http.routers.matomo.tls" = "true";
};
};
};
}

10
modules/server/sops/default.nix
View File

@ -1,10 +0,0 @@
{ config, pkgs, ... }: {
sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
mode = "0400";
owner = config.users.users.${config.syscfg.defaultUser}.name;
group = config.users.users.${config.syscfg.defaultUser}.group;
};
sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
}

68
modules/server/sops/server.yaml
View File

@ -1,68 +0,0 @@
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZk1VY3NEZmRkS0J6dU03
OUtETWpHL2hLN09kRytNUEhmVnA5WW9yVXlNCmZaZnQ2YUlMMmlrZ2dEZDVFMHA5
OUpqOTJJbHVVREtpSFUyaDJDbXltaTgKLS0tIFY0ZkF3Ym5oeHViN3J4eW4vSVYz
QkhuU0NLWElyVXpZd2ZpOHhwam04R28KFuaI35e8pB25M2dlP19gApso12ZYJ3ld
BpMnp97ShX0I8bZRIYxSHpSrB/J+tt1V4pfGdJq7uWZM7XacPy666A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZXNjRzJsdFpTdDZhSkRB
eW1qSStnZHN5Tzh3bFA1azZIRk42V1RzSTJJCi9MV0k5ZXNQOWJFYnlXdnB3azBL
NzNldkFLWlEyT01MeWlFU3RKODU4dWcKLS0tIFJXL1ZsNDgydTgxVGRMYWxyQTNT
K1M0TDd1eGd1V3pOcjl1M1VrdDUvbG8KpsWlrr14MOh/8mG+rXpswPPFE3VnpKGt
03DWUII3+MMEWLJPLxkNJ9BzCm4Kl1QNHSbJ7Ex6df0b7nB6Ed6Hvw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5U1VjTjlIMTdLRFQ5R1Av
SVBLMFZtV3ppK2VXWjdYelNGTGFOZUJaMndBCjYyZ0IveXFiVDlSUEtNOXk2L3g3
UmFIRE1GMEs2QVhUcFJkTHpCWmhhbG8KLS0tIG94NStMUnFZRTRsK2w4cDd4Rms5
M1MwTEtJNEFDdjRLVFRseThxNGJUQ0kKKN7QX9qUojNQBknbInaXslaKsAAhEj5y
QMXAU6TxlHMv+wZy2RQwMe/zE7RP24TypnX894iV0usTHujyxvfk3w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUHFYMWdVczRPdEFSbFR5
VmcxeEU4YWxwRTlDUkRkNVY0dFh5cjVUNjNnCkRSblNaS214dkdrd3JnNE5rZnR3
S0JVeXova1h2VnB2ODY0SUYxZm45TjAKLS0tIFN1QXFyTkt3SmV0UVhGMlMxTmpN
VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq
VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-08T16:05:46Z"
mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str]
pgp:
- created_at: "2024-05-08T15:46:52Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6R3Y9nD7qMBAQ//bYK5gdxv8fNvG6P4GrD27gQRQXhLGF2+hS54sqEqjeN8
NZpHVbNNRR3AggOkT7QY1JO8bOhWscefH1vvBmBuODzh5Fw42t4zNPEDjWZEetxa
rClbLEvo7Kz8UKCNb9JIeYx7cr8sPWCmg4GvV1wGjhjr+u5ovuheORnHl+qoLsqv
P12PV7VzwC52v92GWiu9LRJqfqZra5GjUXGVXzBcZ9i6CnUDejzssWjhO/fmzKum
GbGIi9sf3RmVYsUASDgRBmVAZC3KF7RLi0L6WY0etRocAaWSAgnU1lZ04E8ZtLjk
DlCtIpreJ1H0Ym+5EXB94PG0KZjayxKc20YDQ+yYwwSmiCVaUCLlYX2BOoncUYFF
MxVgWYwn14R5jyGbh4NyiBxPGHvIUx5RCIo70pMgS6W5ALZYTcNDLF82mj1xTOTy
bcuaa7FCuXJif457LCe5TcAa5WYDgKX8pUKzFRhWIckcGwgFCUB0Z7+L9L7F0yt/
YZd71cY0Lxlwi61CnWgZZMx2FFpHyBCEmF1A180KUtB1jSkS/AVmlM2z9I0QsR62
fTFIaqimPMjUzbuTs0QjUXf8OJZo0/cwo9XeGyCBtJTg7cLdsOFouqfvXhvkdCrR
xCLE2Ke5jwmoPKs1t+YpwMMzB57j/rluZCgiz45w7YDXKf4gEp2ra9siFiC/y9PS
XgEPymUiDZY0w9S5oGr94cNc6LQId16Zgt1vWHLzgg8QZqkxLTBjUXXc7aoCISQp
AwUE62KJucVvWjB3kcgDbNvaDWWC5O48zUavmzkmmP1sqKf0gO/XG52PDG/DF3Y=
=cs0r
-----END PGP MESSAGE-----
fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
unencrypted_suffix: _unencrypted
version: 3.8.1

2
modules/shared/sops/default.nix
View File

@ -8,7 +8,7 @@ let
sopsFilePath = (if isCI then ./mock.yaml else ./common.yaml); sopsFilePath = (if isCI then ./mock.yaml else ./common.yaml);
in { in {
environment.systemPackages = with pkgs; [ sops ]; environment.systemPackages = with pkgs; [ sops ];
environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath; environment.sessionVariables.OPS_AGE_KEY_FILE = keyFilePath;
sops.defaultSopsFile = sopsFilePath; sops.defaultSopsFile = sopsFilePath;
sops.age.keyFile = keyFilePath; sops.age.keyFile = keyFilePath;

1
modules/shared/syscfg/default.nix
View File

@ -72,7 +72,6 @@ let
}; };
serverOpt = with lib; { serverOpt = with lib; {
hostDomain = mkOption { type = types.str; }; hostDomain = mkOption { type = types.str; };
shortName = mkOption { type = types.str; };
mailDomain = mkOption { type = types.str; }; mailDomain = mkOption { type = types.str; };
mailServer = mkOption { type = types.str; }; mailServer = mkOption { type = types.str; };