feat: move to agenix secrets

This commit is contained in:
Julien Malka 2024-05-09 00:48:35 +02:00
parent e392ca9001
commit 8ee88f922c
Signed by: Luj
GPG key ID: 6FC74C847011FD83
11 changed files with 214 additions and 253 deletions


@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
cfg = config.luj.programs.git; cfg = config.luj.programs.git;
in in
@ -18,9 +23,7 @@ with lib;
key = "6FC74C847011FD83"; key = "6FC74C847011FD83";
}; };
delta.enable = true; delta.enable = true;
ignores = [ ignores = [ ".direnv" ];
".direnv"
];
extraConfig = { extraConfig = {
init.defaultBranch = "main"; init.defaultBranch = "main";
diff.colorMoved = "zebra"; diff.colorMoved = "zebra";
@ -32,11 +35,10 @@ with lib;
}; };
home.extraActivationPath = [ pkgs.gnupg ]; home.extraActivationPath = [ pkgs.gnupg ];
home.activation = home.activation = {
{ myActivationAction = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
myActivationAction = lib.hm.dag.entryAfter [ "writeBoundary" ] '' gpg --import /run/agenix/git-gpg-private-key
gpg --import /run/secrets/git-gpg-private-key '';
''; };
};
}; };
} }


@ -13,9 +13,6 @@
luj.programs.mosh.enable = true; luj.programs.mosh.enable = true;
luj.deployment.enable = true; luj.deployment.enable = true;
sops.defaultSopsFile = ../secrets/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
console = { console = {
@ -42,32 +39,36 @@
systemd.services.NetworkManager-wait-online.enable = false; systemd.services.NetworkManager-wait-online.enable = false;
age.identityPaths = [
security.pki.certificates = [ "/etc/ssh/ssh_host_ed25519_key"
''-----BEGIN CERTIFICATE----- "/persistent/etc/ssh/ssh_host_ed25519_key"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-----END CERTIFICATE-----''
''-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----''
]; ];
security.pki.certificates = [
''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----''
''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----''
];
} }
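Review bot: `age.identityPaths` now names two copies of the host key, `/etc/ssh/ssh_host_ed25519_key` and `/persistent/etc/ssh/ssh_host_ed25519_key`, without saying why; presumably the second entry covers hosts whose `/etc` is ephemeral and where the key only exists under `/persistent` at the point secrets are decrypted, but that is an inference from the path. A comment such as `# second entry: hosts with an ephemeral /etc keep the host key under /persistent` above the list would make the intent explicit, after confirming which hosts this applies to. The `security.pki.certificates` block below is unchanged apart from formatting.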


@ -1,11 +1,15 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{ {
imports = imports = [
[ ./hardware.nix
./hardware.nix ./home-julien.nix
./home-julien.nix ];
];
# Bootloader. # Bootloader.
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
@ -18,7 +22,6 @@
systemd.network.enable = true; systemd.network.enable = true;
systemd.network.networks."10-wan" = { systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
networkConfig = { networkConfig = {
@ -31,7 +34,6 @@
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
}; };
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
@ -66,15 +68,20 @@
services.openssh.enable = true; services.openssh.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [
networking.firewall.allowedUDPPorts = [ 80 443 ]; 80
443
];
networking.firewall.allowedUDPPorts = [
80
443
];
networking.firewall.checkReversePath = "loose"; networking.firewall.checkReversePath = "loose";
systemd.services.NetworkManager-wait-online.enable = lib.mkForce false; systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
luj.nginx.enable = true; luj.nginx.enable = true;
services.nginx.virtualHosts."vaults.malka.family" = { services.nginx.virtualHosts."vaults.malka.family" = {
forceSSL = true; forceSSL = true;
@ -99,7 +106,7 @@
services.keycloak = { services.keycloak = {
enable = true; enable = true;
database.createLocally = true; database.createLocally = true;
database.passwordFile = "/run/secrets/keycloak"; database.passwordFile = "/run/agenix/keycloak-db";
settings = { settings = {
hostname = "auth.julienmalka.me"; hostname = "auth.julienmalka.me";
hostname-admin-url = "https://auth.julienmalka.me"; hostname-admin-url = "https://auth.julienmalka.me";
@ -107,7 +114,9 @@
hostname-strict-backchannel = true; hostname-strict-backchannel = true;
proxy = "edge"; proxy = "edge";
}; };
themes = { keywind = pkgs.keycloak-keywind; }; themes = {
keywind = pkgs.keycloak-keywind;
};
}; };
services.nginx.virtualHosts."auth.julienmalka.me" = { services.nginx.virtualHosts."auth.julienmalka.me" = {
@ -115,22 +124,15 @@
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8080"; proxyPass = "http://127.0.0.1:8080";
extraConfig = '' extraConfig = ''
proxy_buffer_size 128k; proxy_buffer_size 128k;
proxy_buffers 4 256k; proxy_buffers 4 256k;
proxy_busy_buffers_size 256k; proxy_busy_buffers_size 256k;
''; '';
}; };
}; };
age.secrets.keycloak-db.file = ../../secrets/keycloak-db.age;
sops.secrets.keycloak = {
owner = "root";
sopsFile = ../../secrets/keycloak-db;
format = "binary";
};
services.openssh.extraConfig = '' services.openssh.extraConfig = ''
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
@ -139,8 +141,6 @@
MaxAuthTries 20 MaxAuthTries 20
''; '';
services.step-ca.enable = true; services.step-ca.enable = true;
services.step-ca.intermediatePasswordFile = "/root/capw"; services.step-ca.intermediatePasswordFile = "/root/capw";
services.step-ca.address = "100.100.45.14"; services.step-ca.address = "100.100.45.14";
@ -162,38 +162,37 @@
}; };
}; };
security.acme.certs."ca.luj".server = "https://127.0.0.1:8444/acme/acme/directory"; security.acme.certs."ca.luj".server = "https://127.0.0.1:8444/acme/acme/directory";
systemd.services."step-ca".after = [ "keycloak.service" ]; systemd.services."step-ca".after = [ "keycloak.service" ];
security.pki.certificates = [ security.pki.certificates = [
''-----BEGIN CERTIFICATE----- ''
MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw -----BEGIN CERTIFICATE-----
EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw
DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X
TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u
zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6 TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI
7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/ zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6
BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja 7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/
mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja
SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG
oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw== SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc
-----END CERTIFICATE-----'' oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw==
''-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----''
MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES ''
MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe -----BEGIN CERTIFICATE-----
Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES
bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe
hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7 Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v
BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq
EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7
jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw
VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ= EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC
-----END CERTIFICATE-----'' jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf
VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ=
-----END CERTIFICATE-----''
]; ];
system.stateVersion = "22.11"; system.stateVersion = "22.11";
} }
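Review bot: `database.passwordFile = "/run/agenix/keycloak-db"` hard-codes the agenix mount point even though the same file declares `age.secrets.keycloak-db.file` a few lines later; `database.passwordFile = config.age.secrets.keycloak-db.path;` keeps the two in sync and matches what this commit already does for the root password (`config.age.secrets.user-root-password.path`) and the buildbot secrets. The same literal-path pattern appears in the deluge `authFile = "/run/agenix/deluge-webui-password"` and in the three mailserver `hashedPasswordFile` values, where `config.age.secrets.<name>.path` is available as well. The home-manager git module's `gpg --import /run/agenix/git-gpg-private-key` is the one place where the NixOS `config.age` option set may not be in scope, so that literal may have to stay. The `services.keycloak` attribute set spans several hunks, so its surroundings continue outside what is shown.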


@ -1,25 +1,20 @@
_: _: {
{
sops.secrets.ssh-lisa-pub = { age.secrets.ssh-lisa-pub = {
file = ../../secrets/ssh-lisa-pub.age;
mode = "0644";
owner = "julien"; owner = "julien";
path = "/home/julien/.ssh/id_ed25519.pub"; path = "/home/julien/.ssh/id_ed25519.pub";
mode = "0644";
format = "binary";
sopsFile = ../../secrets/ssh-lisa-pub;
}; };
sops.secrets.ssh-lisa-priv = { age.secrets.ssh-lisa-priv = {
file = ../../secrets/ssh-lisa-priv.age;
mode = "0600";
owner = "julien"; owner = "julien";
path = "/home/julien/.ssh/id_ed25519"; path = "/home/julien/.ssh/id_ed25519";
mode = "0600";
format = "binary";
sopsFile = ../../secrets/ssh-lisa-priv;
}; };
luj.hmgr.julien = {
luj.hmgr.julien = {
luj.programs.neovim.enable = true; luj.programs.neovim.enable = true;
luj.programs.ssh-client.enable = true; luj.programs.ssh-client.enable = true;
luj.programs.git.enable = true; luj.programs.git.enable = true;


@ -1,4 +1,4 @@
{ lib, pkgs, config, ... }: { lib, config, ... }:
with lib; with lib;
let let
cfg = config.luj.buildbot; cfg = config.luj.buildbot;
@ -14,12 +14,15 @@ in
services.buildbot-nix.master = { services.buildbot-nix.master = {
enable = true; enable = true;
domain = "ci.julienmalka.me"; domain = "ci.julienmalka.me";
workersFile = config.sops.secrets.buildbot-nix-workers.path; workersFile = config.age.secrets.buildbot-nix-workers.path;
buildSystems = [ "x86_64-linux" "aarch64-linux" ]; buildSystems = [
"x86_64-linux"
"aarch64-linux"
];
github = { github = {
tokenFile = config.sops.secrets.github-token.path; tokenFile = config.age.secrets.github-token.path;
webhookSecretFile = config.sops.secrets.github-webhook-secret.path; webhookSecretFile = config.age.secrets.github-webhook-secret.path;
oauthSecretFile = config.sops.secrets.github-oauth-secret.path; oauthSecretFile = config.age.secrets.github-oauth-secret.path;
oauthId = "bba3e144501aa5b8a5dd"; oauthId = "bba3e144501aa5b8a5dd";
user = "JulienMalka"; user = "JulienMalka";
admins = [ "JulienMalka" ]; admins = [ "JulienMalka" ];
@ -33,37 +36,21 @@ in
enableACME = true; enableACME = true;
}; };
sops.secrets = { age.secrets = {
github-token = { github-token.file = ../../secrets/github-token-secret.age;
format = "binary"; github-webhook-secret.file = ../../secrets/github-webhook-secret.age;
sopsFile = ../../secrets/github-token-secret; github-oauth-secret.file = ../../secrets/github-oauth-secret.age;
}; buildbot-nix-workers.file = ../../secrets/buildbot-nix-workers.age;
github-webhook-secret = { buildbot-nix-worker-password = {
format = "binary"; file = ../../secrets/buildbot-nix-worker-password.age;
sopsFile = ../../secrets/github-webhook-secret; owner = "buildbot-worker";
};
github-oauth-secret = {
format = "binary";
sopsFile = ../../secrets/github-oauth-secret;
};
buildbot-nix-workers = {
format = "binary";
sopsFile = ../../secrets/buildbot-nix-workers;
}; };
}; };
systemd.services.buildbot-worker.environment.WORKER_COUNT = "14"; systemd.services.buildbot-worker.environment.WORKER_COUNT = "14";
services.buildbot-nix.worker = { services.buildbot-nix.worker = {
enable = true; enable = true;
workerPasswordFile = config.sops.secrets.buildbot-nix-worker-password.path; workerPasswordFile = config.age.secrets.buildbot-nix-worker-password.path;
}; };
sops.secrets.buildbot-nix-worker-password = {
format = "binary";
owner = "buildbot-worker";
sopsFile = ../../secrets/buildbot-nix-worker-password;
};
}; };
} }


@ -22,19 +22,15 @@ in
}; };
nginx.enable = mkEnableOption "activate nginx"; nginx.enable = mkEnableOption "activate nginx";
nginx.subdomain = mkOption { nginx.subdomain = mkOption { type = types.str; };
type = types.str;
};
}; };
config = mkIf cfg.enable ( config = mkIf cfg.enable (mkMerge [
mkMerge [{ {
sops.secrets.deluge = { age.secrets.deluge-webui-password = {
owner = cfg.user; owner = cfg.user;
format = "binary"; file = ../../secrets/deluge-webui-password.age;
sopsFile = ../../secrets/deluge-login;
}; };
services.deluge = { services.deluge = {
@ -42,21 +38,16 @@ in
inherit (cfg) user group; inherit (cfg) user group;
openFirewall = true; openFirewall = true;
declarative = true; declarative = true;
authFile = "/run/secrets/deluge"; authFile = "/run/agenix/deluge-webui-password";
web.enable = true; web.enable = true;
config = { config = {
download_location = "/home/mediaserver/downloads/complete/"; download_location = "/home/mediaserver/downloads/complete/";
allow_remote = true; allow_remote = true;
}; };
dataDir = "/home/mediaserver/deluge"; dataDir = "/home/mediaserver/deluge";
}; };
} }
(mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))
]);
(mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))]);
} }


@ -8,45 +8,45 @@ with lib;
enable = mkEnableOption "Enable mailserver"; enable = mkEnableOption "Enable mailserver";
}; };
config = mkIf cfg.enable config = mkIf cfg.enable {
{ mailserver = {
mailserver = { enable = true;
enable = true; fqdn = "mail.julienmalka.me";
fqdn = "mail.julienmalka.me"; domains = [
domains = [ "malka.sh" "ens.school" ]; "malka.sh"
"ens.school"
];
enableManageSieve = true; enableManageSieve = true;
# A list of all login accounts. To create the password hashes, use
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
loginAccounts = {
"julien@malka.sh" = {
hashedPasswordFile = "/run/secrets/malkash-pw";
aliases = [ "@malka.sh" ];
sieveScript = builtins.readFile ./malka-sh.sieve;
};
"julien.malka@ens.school" = {
hashedPasswordFile = "/run/secrets/ensmailmalka-pw";
};
"camille.mondon@ens.school" = {
hashedPasswordFile = "/run/secrets/ensmailmondon-pw";
};
# A list of all login accounts. To create the password hashes, use
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
loginAccounts = {
"julien@malka.sh" = {
hashedPasswordFile = "/run/agenix/malkash-pw";
aliases = [ "@malka.sh" ];
sieveScript = builtins.readFile ./malka-sh.sieve;
}; };
extraVirtualAliases = { "julien.malka@ens.school" = {
"postmaster@ens.school" = "julien.malka@ens.school"; hashedPasswordFile = "/run/agenix/ensmailmalka-pw";
};
"camille.mondon@ens.school" = {
hashedPasswordFile = "/run/agenix/ensmailmondon-pw";
}; };
certificateScheme = "acme-nginx";
}; };
extraVirtualAliases = {
services.roundcube = { "postmaster@ens.school" = "julien.malka@ens.school";
enable = true;
hostName = "webmail.julienmalka.me";
}; };
certificateScheme = "acme-nginx";
sops.secrets.malkash-pw = { };
sops.secrets.ensmailmalka-pw = { };
sops.secrets.ensmailmondon-pw = { };
}; };
services.roundcube = {
enable = true;
hostName = "webmail.julienmalka.me";
};
age.secrets.malkash-pw.file = ../../secrets/julien-malka-sh-mail-password.age;
age.secrets.ensmailmalka-pw.file = ../../secrets/malka-ens-school-mail-password.age;
age.secrets.ensmailmondon-pw.file = ../../secrets/mondon-ens-school-mail-password.age;
};
} }


@ -1,4 +1,9 @@
{ lib, pkgs, config, ... }: {
lib,
pkgs,
config,
...
}:
with lib; with lib;
let let
cfg = config.luj.navidrome; cfg = config.luj.navidrome;
@ -22,23 +27,12 @@ in
description = "Group under which Navidrome runs."; description = "Group under which Navidrome runs.";
}; };
nginx.enable = mkEnableOption "activate nginx"; nginx.enable = mkEnableOption "activate nginx";
nginx.subdomain = mkOption { nginx.subdomain = mkOption { type = types.str; };
type = types.str;
};
}; };
config = mkIf cfg.enable ( config = mkIf cfg.enable (mkMerge [
mkMerge [{ {
sops.secrets."navidrome.json" = {
owner = cfg.user;
format = "binary";
sopsFile = ../../secrets/navidrome-config;
};
systemd.services.navidrome = { systemd.services.navidrome = {
@ -55,16 +49,10 @@ in
WorkingDirectory = "/var/lib/navidrome"; WorkingDirectory = "/var/lib/navidrome";
}; };
}; };
} }
(mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port))
(mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))
(mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port)) ]);
(mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))]);
} }
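Review bot: The `sops.secrets."navidrome.json"` declaration is removed without an `age.secrets` replacement in this file, while `systemd.services.navidrome` is kept (its body lies outside the hunk). If that unit still points Navidrome at the old `/run/secrets/navidrome.json` config file, the service will start without its configured settings or fail at boot, so either the reference should be dropped as well, or an entry along the lines of `age.secrets.navidrome-config = { owner = cfg.user; file = ../../secrets/<navidrome-config-file>.age; };` (placeholder file name) is missing. A one-line comment stating which of the two is intended would save the next reader the same check.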


@ -8,24 +8,19 @@ with lib;
enable = mkEnableOption "Create secrets"; enable = mkEnableOption "Create secrets";
}; };
config = mkIf cfg.enable config = mkIf cfg.enable {
{
sops.secrets.ens-mail-passwd = {
owner = "julien";
path = "/home/julien/.config/ens-mail-passwd";
};
sops.secrets.sendinblue-mail-passwd = { };
sops.secrets.git-gpg-private-key = {
owner = "julien";
mode = "0440";
group = config.users.groups.keys.name;
sopsFile = ../secrets/git-gpg-private-key;
format = "binary";
};
age.secrets.ens-mail-password = {
file = ../../secrets/ens-mail-password.age;
owner = "julien";
path = "/home/julien/.config/ens-mail-passwd";
}; };
age.secrets.git-gpg-private-key = {
file = ../../secrets/git-gpg-private-key.age;
owner = "julien";
mode = "0440";
group = config.users.groups.keys.name;
};
};
} }
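Review bot: `sops.secrets.sendinblue-mail-passwd = { };` is dropped with no `age.secrets` counterpart, so any consumer still reading its path (none is visible in this hunk) loses the file silently; a comment such as `# sendinblue-mail-passwd retired, no longer consumed` would record that this was deliberate. In `age.secrets.git-gpg-private-key`, `mode = "0440"` together with `group = config.users.groups.keys.name` carries over the sops-era `keys` group sharing; since the only consumer visible in this commit is the `gpg --import` run on behalf of the owner `julien`, `mode = "0400"` without the group entry would be the least-privilege form, unless another reader relies on that group.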


@ -1,20 +1,27 @@
{ config, pkgs, lib, ... }: { {
config,
pkgs,
lib,
...
}:
{
users.mutableUsers = false; users.mutableUsers = false;
users.defaultUserShell = pkgs.fish; users.defaultUserShell = pkgs.fish;
sops.secrets.user-root-password.neededForUsers = true;
programs.fish.enable = true; programs.fish.enable = true;
age.secrets.user-root-password.file = ../secrets/user-root-password.age;
users.users.root = { users.users.root = {
uid = config.ids.uids.root; uid = config.ids.uids.root;
description = "System administrator"; description = "System administrator";
home = "/root"; home = "/root";
shell = lib.mkForce config.users.defaultUserShell; shell = lib.mkForce config.users.defaultUserShell;
group = "root"; group = "root";
hashedPasswordFile = config.sops.secrets.user-root-password.path; hashedPasswordFile = config.age.secrets.user-root-password.path;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower" ]; openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
}; };
} }


@ -1,30 +1,26 @@
{ config, pkgs, ... }: { { config, pkgs, ... }:
{
sops.secrets.user-julien-password.neededForUsers = true;
users.users.julien = { users.users.julien = {
isNormalUser = true; isNormalUser = true;
home = "/home/julien"; home = "/home/julien";
extraGroups = [ "wheel" config.users.groups.keys.name "networkmanager" "davfs2" "adbusers" "audio" "pipewire" "dialout" "video" ]; extraGroups = [
"wheel"
config.users.groups.keys.name
"networkmanager"
"davfs2"
"adbusers"
"audio"
"pipewire"
"dialout"
"video"
];
shell = pkgs.fish; shell = pkgs.fish;
hashedPasswordFile = config.sops.secrets.user-julien-password.path; hashedPasswordFile = config.age.secrets.julien-password.path;
}; };
nix.settings.allowed-users = [ "julien" ]; nix.settings.allowed-users = [ "julien" ];
nix.settings.trusted-users = [ "julien" ]; nix.settings.trusted-users = [ "julien" ];
sops.secrets.ens-mail-passwd = { age.secrets.julien-password.file = ../secrets/user-julien-password.age;
owner = "julien";
path = "/home/julien/.config/ens-mail-passwd";
};
sops.secrets.git-gpg-private-key = {
owner = "julien";
mode = "0440";
group = config.users.groups.keys.name;
sopsFile = ../secrets/git-gpg-private-key;
format = "binary";
};
} }
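Review bot: The secret is renamed from `user-julien-password` to `julien-password` while the encrypted file keeps the name `user-julien-password.age` and the root counterpart in this commit stays `age.secrets.user-root-password`; writing `age.secrets.user-julien-password.file = ../secrets/user-julien-password.age;` and `hashedPasswordFile = config.age.secrets.user-julien-password.path;` would keep the naming uniform across the two user files. `extraGroups` still lists `config.users.groups.keys.name`, which the sops-era `keys`-group secrets required; after this move it only matters if the `0440` `git-gpg-private-key` secret keeps that group, so it is worth confirming the membership is still wanted.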