Refactor secrets
This commit is contained in:
parent
6fc4eb9e65
commit
39f0f6963a
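--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@@ -1,3 +0,0 @@
-# Do not edit this file. To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff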
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -4,8 +4,6 @@ with lib;
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|
||||||
imports = [ ./secret ];
|
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
m-0.monitoring = [{
|
m-0.monitoring = [{
|
||||||
host = "apollo:9100";
|
host = "apollo:9100";
|
||||||
|
|
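--- a/common/secret/.gitattributes
+++ b/common/secret/.gitattributes
@@ -1,2 +0,0 @@
-* filter=git-crypt diff=git-crypt
-.gitattributes !filter !diff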
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
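--- a/common/wireguard.nix
+++ b/common/wireguard.nix
@@ -0,0 +1,7 @@
+{
+port = 51318;
+pub = {
+hera = "npDW4BUiXcxPXQ/MObP6PlK8/PcMlz/Bwo5FlCCUx3E=";
+apollo = "hYziEwk74g7v7GpIafLvC95dje2BI4saoEtJXXu2txs=";
+};
+}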
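Review bot: The new file carries no comment explaining that `pub.hera` and `pub.apollo` are the public halves of the WireGuard keypairs and `port` the listen port, so a later reader cannot tell at a glance that committing these values to the unencrypted repository is intentional now that the git-crypt directories are gone. I would add a header line `# Public WireGuard endpoint data only; private keys and the PSK are loaded via pkgs.privatePath in the machine configs.`. Both machine configurations in this commit import this file, so the comment is the one place that documents the public/private split.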
|
@ -1,4 +1,4 @@
|
||||||
{ pkgs, ... }: {
|
{ pkgs, ... }: {
|
||||||
home.file.".config/jali/config.py".source = ../../common/secret/jaliconfig.py;
|
home.file.".config/jali/config.py".source = pkgs.privateFile "jaliconfig.py";
|
||||||
home.packages = builtins.attrValues pkgs.accounting-pkgs;
|
home.packages = builtins.attrValues pkgs.accounting-pkgs;
|
||||||
}
|
}
|
||||||
|
|
|
@ -48,7 +48,7 @@ in
|
||||||
home.packages = builtins.attrValues {
|
home.packages = builtins.attrValues {
|
||||||
factorio = pkgs.factorio.override {
|
factorio = pkgs.factorio.override {
|
||||||
username = "maralorn";
|
username = "maralorn";
|
||||||
token = import ../../nixos/machines/apollo/secret/factory.nix;
|
token = pkgs.privateValue "" "factorio";
|
||||||
experimental = true;
|
experimental = true;
|
||||||
};
|
};
|
||||||
inherit (pkgs) steam minetest;
|
inherit (pkgs) steam minetest;
|
||||||
|
|
|
@ -1,7 +1,10 @@
|
||||||
{ lib, config, pkgs, ... }:
|
{ lib, config, pkgs, ... }:
|
||||||
let
|
let
|
||||||
inherit (config.m-0.private) sendmail me;
|
gpg = "6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9";
|
||||||
inherit (config.m-0.private.mail_filters) sortLists stupidLists notifications;
|
name = "Malte Brandy";
|
||||||
|
mail = "malte.brandy@maralorn.de";
|
||||||
|
alternates = pkgs.privateValue [] "mail/alternates";
|
||||||
|
lists = pkgs.privateValue { sortList = []; stupidLists = []; notifications = []; } "mail/filters";
|
||||||
maildir = config.accounts.email.maildirBasePath;
|
maildir = config.accounts.email.maildirBasePath;
|
||||||
# mhdr -h List-ID -d Maildir/hera/Archiv/unsortiert | sort | sed 's/^.*<\(.*\)>$/\1/' | uniq | xargs -I '{}' sh -c "notmuch count List:{} | sed 's/$/: {}/'" | sort
|
# mhdr -h List-ID -d Maildir/hera/Archiv/unsortiert | sort | sed 's/^.*<\(.*\)>$/\1/' | uniq | xargs -I '{}' sh -c "notmuch count List:{} | sed 's/$/: {}/'" | sort
|
||||||
# To find candidates
|
# To find candidates
|
||||||
|
@ -114,7 +117,7 @@ in {
|
||||||
};
|
};
|
||||||
systemd.user.timers.mbsync.Timer.RandomizedDelaySec = "10m";
|
systemd.user.timers.mbsync.Timer.RandomizedDelaySec = "10m";
|
||||||
|
|
||||||
accounts.email.accounts = config.m-0.private.mail_accounts;
|
accounts.email.accounts = pkgs.privateValue {} "mail/accounts";
|
||||||
systemd.user.services = let
|
systemd.user.services = let
|
||||||
mkService = name: account:
|
mkService = name: account:
|
||||||
let
|
let
|
||||||
|
@ -180,7 +183,7 @@ in {
|
||||||
packages = [ sortMail ];
|
packages = [ sortMail ];
|
||||||
file = let
|
file = let
|
||||||
mutt_alternates = "@maralorn.de "
|
mutt_alternates = "@maralorn.de "
|
||||||
+ (builtins.concatStringsSep " " me.alternates);
|
+ (builtins.concatStringsSep " " alternates);
|
||||||
show-sidebar = pkgs.writeText "show-sidebar" ''
|
show-sidebar = pkgs.writeText "show-sidebar" ''
|
||||||
set sidebar_visible=yes
|
set sidebar_visible=yes
|
||||||
bind index <up> sidebar-prev
|
bind index <up> sidebar-prev
|
||||||
|
@ -229,9 +232,9 @@ in {
|
||||||
set pgp_replyencrypt = yes
|
set pgp_replyencrypt = yes
|
||||||
set crypt_replysignencrypted = yes
|
set crypt_replysignencrypted = yes
|
||||||
set crypt_verify_sig = yes
|
set crypt_verify_sig = yes
|
||||||
set pgp_sign_as="${me.gpg}"
|
set pgp_sign_as="${gpg}"
|
||||||
set pgp_use_gpg_agent = yes
|
set pgp_use_gpg_agent = yes
|
||||||
set pgp_default_key="${me.gpg}"
|
set pgp_default_key="${gpg}"
|
||||||
set timeout = 5
|
set timeout = 5
|
||||||
|
|
||||||
set abort_noattach = ask-yes
|
set abort_noattach = ask-yes
|
||||||
|
@ -244,7 +247,7 @@ in {
|
||||||
set sendmail="${pkgs.msmtp}/bin/msmtp --read-envelope-from"
|
set sendmail="${pkgs.msmtp}/bin/msmtp --read-envelope-from"
|
||||||
set sort=threads
|
set sort=threads
|
||||||
set sort_aux=date-sent
|
set sort_aux=date-sent
|
||||||
set realname="${me.name}"
|
set realname="${name}"
|
||||||
set from=fill-later
|
set from=fill-later
|
||||||
set use_from=yes
|
set use_from=yes
|
||||||
set fast_reply=yes
|
set fast_reply=yes
|
||||||
|
@ -277,11 +280,11 @@ in {
|
||||||
color sidebar_highlight white blue
|
color sidebar_highlight white blue
|
||||||
set sidebar_format = "%B%* %?N?%N/?%S"
|
set sidebar_format = "%B%* %?N?%N/?%S"
|
||||||
|
|
||||||
alias f__0 ${me.name} <${me.mail}>
|
alias f__0 ${name} <${mail}>
|
||||||
${builtins.concatStringsSep "\n"
|
${builtins.concatStringsSep "\n"
|
||||||
(lib.imap1 (n: x: "alias f__${toString n} ${me.name} <${x}>")
|
(lib.imap1 (n: x: "alias f__${toString n} ${name} <${x}>")
|
||||||
me.alternates)}
|
alternates)}
|
||||||
send2-hook '~f fill-later' "push <edit-from><kill-line>f__<complete><search>${me.mail}<enter>"
|
send2-hook '~f fill-later' "push <edit-from><kill-line>f__<complete><search>${mail}<enter>"
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
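Review bot: The default passed to `pkgs.privateValue` for `lists` names its first key `sortList`, while the value it replaces was destructured as `sortLists` (the removed `inherit (config.m-0.private.mail_filters) sortLists stupidLists notifications`); if the consumers further down the file still read `lists.sortLists`, an evaluation without secrets fails with a missing-attribute error instead of falling back cleanly. Either rename the default key to `sortLists` or confirm the consumers were updated to the new spelling. The parts of the file that read `lists`, `alternates` and `gpg` lie outside these hunks, so this is inferred from the old binding only.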
|
@ -118,10 +118,10 @@
|
||||||
dataLocation = "${config.home.homeDirectory}/.task";
|
dataLocation = "${config.home.homeDirectory}/.task";
|
||||||
config = {
|
config = {
|
||||||
taskd = {
|
taskd = {
|
||||||
certificate = builtins.toFile "public.cert" cfg.publicCert;
|
certificate = pkgs.privatePath "taskwarrior/public.cert";
|
||||||
credentials = cfg.credentials;
|
credentials = pkgs.privateValue "" "taskwarrior/credentials";
|
||||||
ca = builtins.toFile "ca.cert" cfg.caCert;
|
ca = pkgs.privatePath "taskwarrior/ca.cert";
|
||||||
key = builtins.toFile "private.key" cfg.privateKey;
|
key = pkgs.privatePath "taskwarrior/private.key";
|
||||||
server = "hera.m-0.eu:53589";
|
server = "hera.m-0.eu:53589";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -87,7 +87,7 @@ in {
|
||||||
${server}.autoconnect = on
|
${server}.autoconnect = on
|
||||||
${server}.username = "${serverConfig.user}"
|
${server}.username = "${serverConfig.user}"
|
||||||
${server}.password = "${serverConfig.password}"
|
${server}.password = "${serverConfig.password}"
|
||||||
'') weechatConfig.matrix)}
|
'') pkgs.privateValue { } "weechat/matrix")}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
irc = {
|
irc = {
|
||||||
|
@ -107,7 +107,7 @@ in {
|
||||||
${server}.autoconnect = on
|
${server}.autoconnect = on
|
||||||
${server}.username = "${serverConfig.user}"
|
${server}.username = "${serverConfig.user}"
|
||||||
${server}.autojoin = "${serverConfig.channels}"
|
${server}.autojoin = "${serverConfig.channels}"
|
||||||
'') weechatConfig.irc)}
|
'') pkgs.privateValue { } "weechat/irc")}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -3,6 +3,7 @@ mkdir -p /var/run/user/$UID/tmp/downloads
|
||||||
setopt prompt_subst
|
setopt prompt_subst
|
||||||
autoload -U colors && colors # Enable colors in prompt
|
autoload -U colors && colors # Enable colors in prompt
|
||||||
|
|
||||||
|
alias nix-build-remote="nix-build --builders '@/etc/nix/machines' --max-jobs 0"
|
||||||
alias cat=bat
|
alias cat=bat
|
||||||
alias accounting='hledger -f ~/git/buchhaltung/buchhaltung.ledger ui -- --watch --theme=terminal -T -E'
|
alias accounting='hledger -f ~/git/buchhaltung/buchhaltung.ledger ui -- --watch --theme=terminal -T -E'
|
||||||
alias o=xdg-open
|
alias o=xdg-open
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
# You need pw-files for every configured user in ./secret/pw-useralias for login to work.
|
# You need pw-files for every configured user in ./secret/pw-useralias for login to work.
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (config.m-0) hosts prefix private;
|
wireguard = import ../../../common/wireguard.nix;
|
||||||
inherit (private) me wireguard;
|
inherit (config.m-0) hosts prefix;
|
||||||
nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
|
nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
|
||||||
inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
|
inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
|
||||||
in {
|
in {
|
||||||
|
@ -12,7 +12,6 @@ in {
|
||||||
imports = [
|
imports = [
|
||||||
"${nixos-hardware}/lenovo/thinkpad"
|
"${nixos-hardware}/lenovo/thinkpad"
|
||||||
"${nixos-hardware}/common/pc/ssd"
|
"${nixos-hardware}/common/pc/ssd"
|
||||||
"${(builtins.fetchGit "ssh://git@git.darmstadt.ccc.de/cdark.net/nixdark")}"
|
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../../roles
|
../../roles
|
||||||
../../roles/fonts.nix
|
../../roles/fonts.nix
|
||||||
|
@ -28,15 +27,15 @@ in {
|
||||||
m0wire = {
|
m0wire = {
|
||||||
allowedIPsAsRoutes = false;
|
allowedIPsAsRoutes = false;
|
||||||
ips = [ "${hosts.apollo-wg}/112" ];
|
ips = [ "${hosts.apollo-wg}/112" ];
|
||||||
privateKeyFile =
|
privateKeyFile = pkgs.privatePath "wireguard/apollo-private";
|
||||||
"/etc/nixos/nixos/machines/apollo/secret/wireguard-private";
|
|
||||||
peers = [{
|
peers = [{
|
||||||
publicKey = wireguard.pub.hera;
|
publicKey = wireguard.pub.hera;
|
||||||
allowedIPs = [ "::/0" ];
|
allowedIPs = [ "::/0" ];
|
||||||
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
endpoint =
|
||||||
|
"[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||||
# If v6 is not available:
|
# If v6 is not available:
|
||||||
# endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
|
# endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
|
||||||
presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk";
|
presharedKeyFile = pkgs.privatePath "wireguard/psk";
|
||||||
persistentKeepalive = 25;
|
persistentKeepalive = 25;
|
||||||
}];
|
}];
|
||||||
postSetup =
|
postSetup =
|
||||||
|
@ -80,9 +79,8 @@ in {
|
||||||
openDefaultPorts = true;
|
openDefaultPorts = true;
|
||||||
declarative = syncthing.declarativeWith [ "hera" ] "/home/maralorn/media"
|
declarative = syncthing.declarativeWith [ "hera" ] "/home/maralorn/media"
|
||||||
// {
|
// {
|
||||||
cert = "/etc/nixos/nixos/machines/apollo/secret/syncthing/cert.pem";
|
cert = pkgs.privatePath "syncthing/apollo/cert.pem";
|
||||||
key = "/etc/nixos/nixos/machines/apollo/secret/syncthing/key.pem";
|
key = pkgs.privatePath "syncthing/apollo/key.pem";
|
||||||
};
|
|
||||||
};
|
};
|
||||||
gnome3.chrome-gnome-shell.enable = true;
|
gnome3.chrome-gnome-shell.enable = true;
|
||||||
xserver = {
|
xserver = {
|
||||||
|
@ -94,14 +92,14 @@ in {
|
||||||
boot.kernel.sysctl = { "fs.inotify.max_user_watches" = 204800; };
|
boot.kernel.sysctl = { "fs.inotify.max_user_watches" = 204800; };
|
||||||
|
|
||||||
#cdark_net = {
|
#cdark_net = {
|
||||||
#enable = true;
|
#enable = true;
|
||||||
#hostName = "${me.user}_${config.networking.hostName}";
|
#hostName = "${me.user}_${config.networking.hostName}";
|
||||||
#ed25519PrivateKeyFile = /etc/nixos/nixos/machines
|
#ed25519PrivateKeyFile = /etc/nixos/nixos/machines
|
||||||
#+ "/${config.networking.hostName}" + /secret/tinc/ed25519_key.priv;
|
#+ "/${config.networking.hostName}" + /secret/tinc/ed25519_key.priv;
|
||||||
#hostsDirectory =
|
#hostsDirectory =
|
||||||
#pkgs.fetchgit { url = "ssh://git@git.darmstadt.ccc.de/cdark.net/hosts"; };
|
#pkgs.fetchgit { url = "ssh://git@git.darmstadt.ccc.de/cdark.net/hosts"; };
|
||||||
#ip6address = "fd23:42:cda:4342::2";
|
#ip6address = "fd23:42:cda:4342::2";
|
||||||
#ip4address = "172.20.71.2";
|
#ip4address = "172.20.71.2";
|
||||||
#};
|
#};
|
||||||
system.stateVersion = "19.09";
|
system.stateVersion = "19.09";
|
||||||
}
|
}
|
||||||
|
|
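Review bot: The preshared key is read from `pkgs.privatePath "wireguard/psk"` here, but the hera side of the same tunnel reads `pkgs.privatePath "wireguard-psk"` (the hera networking section of this commit), and both peers must load the same PSK, so one of the two names is wrong. With secrets present `privatePath` asserts that the path exists, so the mismatch surfaces as an evaluation failure on one machine rather than as a silently different key, but the names should be unified now, e.g. `presharedKeyFile = pkgs.privatePath "wireguard/psk";` on both ends. Note that without the submodule `privatePath` returns the bare `/etc/nixos/private/...` string, so this hunk evaluates fine in a secret-less build and relies on the activation-script guard added elsewhere in this commit to keep such a build from being activated with nonexistent key files.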
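--- a/nixos/machines/apollo/secret/.gitattributes
+++ b/nixos/machines/apollo/secret/.gitattributes
@@ -1,2 +0,0 @@
-* filter=git-crypt-apollo diff=git-crypt-apollo
-.gitattributes !filter !diff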
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,6 +1,6 @@
|
||||||
{ ... }: {
|
{ pkgs, ... }: {
|
||||||
|
|
||||||
m-0.server.initSSHKey = "/etc/nixos/nixos/machines/hera/secret/ssh_boot_rsa";
|
m-0.server.initSSHKey = pkgs.privatePath "hera-boot-ssh-key";
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
loader.grub = {
|
loader.grub = {
|
||||||
|
|
|
@ -66,8 +66,11 @@ let
|
||||||
dbname = "nextcloud";
|
dbname = "nextcloud";
|
||||||
dbuser = "nextcloud";
|
dbuser = "nextcloud";
|
||||||
dbhost = "localhost";
|
dbhost = "localhost";
|
||||||
inherit (cloud) adminpass dbpass adminuser;
|
} // pkgs.privateValue {
|
||||||
};
|
adminpass = "";
|
||||||
|
dbpass = "";
|
||||||
|
adminuser = "";
|
||||||
|
} "nextcloud-admin";
|
||||||
autoUpdateApps = {
|
autoUpdateApps = {
|
||||||
enable = true;
|
enable = true;
|
||||||
startAt = "20:30";
|
startAt = "20:30";
|
||||||
|
|
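Review bot: The defaults given to `pkgs.privateValue` — `adminpass = ""`, `dbpass = ""`, `adminuser = ""` — mean a secret-less evaluation produces a Nextcloud configuration with empty admin and database credentials, and nothing at this site explains that such a build exists only to let evaluation succeed and must never be activated. I would add a comment above the `} // pkgs.privateValue {` line, e.g. `# Empty placeholders for secret-less builds; the activation guard refuses to activate without secrets.`. Whether the nextcloud module itself rejects empty strings cannot be seen from this hunk, and the enclosing `let` starts outside it.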
|
@ -55,41 +55,7 @@ in {
|
||||||
startAt = "23:00";
|
startAt = "23:00";
|
||||||
};
|
};
|
||||||
services = {
|
services = {
|
||||||
borgbackup.jobs = let
|
borgbackup.jobs = pkgs.privateValue {} "borgbackup";
|
||||||
passphrases = (import secret/secrets.nix).borgbackup;
|
|
||||||
defaultBackup = {
|
|
||||||
doInit = false;
|
|
||||||
compression = "zstd,5";
|
|
||||||
exclude = [ "/var/lib/containers/*/var/lib/nextcloud/data/appdata_*" ];
|
|
||||||
paths = [
|
|
||||||
"/media"
|
|
||||||
"/var/lib/containers/mail/var/vmail"
|
|
||||||
"/var/lib/containers/chor-cloud/var/lib/nextcloud/data"
|
|
||||||
"/var/lib/containers/cloud/var/lib/nextcloud/data"
|
|
||||||
"/var/lib/matrix-synapse"
|
|
||||||
"/var/lib/db-backup-dumps/cur"
|
|
||||||
"/var/lib/gitolite"
|
|
||||||
"/var/lib/taskserver"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
in {
|
|
||||||
fb04217 = defaultBackup // {
|
|
||||||
encryption = {
|
|
||||||
mode = "keyfile-blake2";
|
|
||||||
passphrase = passphrases.fb04217;
|
|
||||||
};
|
|
||||||
extraArgs = "--remote-path=bin/borg";
|
|
||||||
repo =
|
|
||||||
"brandy@fb04217.mathematik.tu-darmstadt.de:/media/maralorn-backup/hera-borg-repo";
|
|
||||||
};
|
|
||||||
cysec = defaultBackup // {
|
|
||||||
encryption = {
|
|
||||||
mode = "keyfile-blake2";
|
|
||||||
passphrase = passphrases.cysec;
|
|
||||||
};
|
|
||||||
repo = "maralorn@borg.cysec.de:/srv/cube/maralorn/hera-borg-repo";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
taskserver = {
|
taskserver = {
|
||||||
enable = true;
|
enable = true;
|
||||||
fqdn = "hera.m-0.eu";
|
fqdn = "hera.m-0.eu";
|
||||||
|
@ -102,8 +68,8 @@ in {
|
||||||
user = "maralorn";
|
user = "maralorn";
|
||||||
openDefaultPorts = true;
|
openDefaultPorts = true;
|
||||||
declarative = syncthing.declarativeWith [ "apollo" ] "/media" // {
|
declarative = syncthing.declarativeWith [ "apollo" ] "/media" // {
|
||||||
cert = "/etc/nixos/nixos/machines/hera/secret/syncthing/cert.pem";
|
cert = pkgs.privatePath "syncthing/hera/cert.pem";
|
||||||
key = "/etc/nixos/nixos/machines/hera/secret/syncthing/key.pem";
|
key = pkgs.privatePath "syncthing/hera/key.pem";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -116,7 +82,7 @@ in {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
uid = 1001;
|
uid = 1001;
|
||||||
extraGroups = [ "wheel" "systemd-journal" ];
|
extraGroups = [ "wheel" "systemd-journal" ];
|
||||||
passwordFile = "/etc/nixos/nixos/machines/hera/secret/pw-choreutes";
|
passwordFile = pkgs.privatePath "pam-login-password-choreutes";
|
||||||
};
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
|
|
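Review bot: `borgbackup.jobs = pkgs.privateValue {} "borgbackup";` moves the entire job definition — paths, excludes, compression and repository addresses — into the private submodule although only the `passphrase` values (and perhaps the repository hosts) were secret, so the public configuration no longer records what is backed up, and a secret-less build silently has no backup jobs at all. Consider keeping the job structure here and fetching only the passphrases through `pkgs.privateValue`, or at least add `# job definitions live in the private submodule; the {} default means no backups in secret-less builds` so the empty default is recognisable.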
|
@ -80,11 +80,8 @@ in {
|
||||||
postfix = {
|
postfix = {
|
||||||
networks = [ "[${config.m-0.prefix}::]/64" "10.0.0.0/24" ];
|
networks = [ "[${config.m-0.prefix}::]/64" "10.0.0.0/24" ];
|
||||||
transport = "email2matrix.maralorn.de smtp:[::1]:2525";
|
transport = "email2matrix.maralorn.de smtp:[::1]:2525";
|
||||||
virtual = attrsToAliasList (config.m-0.private.lists // {
|
virtual = attrsToAliasList (pkgs.privateValue {} "mailing-lists"
|
||||||
"weather-channel@maralorn.de" = "weather@email2matrix.maralorn.de";
|
// {
|
||||||
"subjects-channel@maralorn.de" =
|
|
||||||
"subjects@email2matrix.maralorn.de";
|
|
||||||
"notify-channel@maralorn.de" = "notify@email2matrix.maralorn.de";
|
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
opendkim.keyPath = "/var/dkim";
|
opendkim.keyPath = "/var/dkim";
|
||||||
|
@ -94,7 +91,7 @@ in {
|
||||||
enableImapSsl = true;
|
enableImapSsl = true;
|
||||||
fqdn = "hera.m-0.eu";
|
fqdn = "hera.m-0.eu";
|
||||||
domains = [ "m-0.eu" "maralorn.de" "choreutes.de" "mathechor.de" ];
|
domains = [ "m-0.eu" "maralorn.de" "choreutes.de" "mathechor.de" ];
|
||||||
loginAccounts = config.m-0.private.mailUsers;
|
loginAccounts = pkgs.privateValue {} "mail-users";
|
||||||
hierarchySeparator = "/";
|
hierarchySeparator = "/";
|
||||||
certificateScheme = 1;
|
certificateScheme = 1;
|
||||||
certificateFile = "${certPath}/fullchain.pem";
|
certificateFile = "${certPath}/fullchain.pem";
|
||||||
|
|
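Review bot: After the move, `virtual = attrsToAliasList (pkgs.privateValue {} "mailing-lists" // { });` merges an empty attribute set, a leftover of the removed email2matrix entries that does nothing; drop the `// {` line and its closing brace so it reads `virtual = attrsToAliasList (pkgs.privateValue {} "mailing-lists");`. The empty-set defaults for `mailing-lists` and `mail-users` are the safe direction for a secret-less build (no aliases, no login accounts) and deserve a one-line comment so nobody later swaps them for a placeholder account.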
|
@ -1,7 +1,7 @@
|
||||||
{ pkgs, config, ... }:
|
{ pkgs, config, ... }:
|
||||||
let
|
let
|
||||||
|
wireguard = import ../../../common/wireguard.nix;
|
||||||
inherit (config.m-0) hosts;
|
inherit (config.m-0) hosts;
|
||||||
inherit (config.m-0.private) wireguard;
|
|
||||||
in {
|
in {
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "hera";
|
hostName = "hera";
|
||||||
|
@ -54,15 +54,16 @@ in {
|
||||||
nameservers = [ "213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53" ];
|
nameservers = [ "213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53" ];
|
||||||
firewall.allowedTCPPorts = [ 8666 ];
|
firewall.allowedTCPPorts = [ 8666 ];
|
||||||
firewall.allowedUDPPorts = [ wireguard.port ];
|
firewall.allowedUDPPorts = [ wireguard.port ];
|
||||||
wireguard.interfaces = {
|
wireguard.interfaces = let
|
||||||
|
{
|
||||||
m0wire = {
|
m0wire = {
|
||||||
ips = [ "${hosts.hera-wg}/112" ];
|
ips = [ "${hosts.hera-wg}/112" ];
|
||||||
privateKeyFile = "/etc/nixos/nixos/machines/hera/secret/wireguard-private";
|
privateKeyFile = pkgs.privatePath "wireguard/hera-private";
|
||||||
listenPort = wireguard.port;
|
listenPort = wireguard.port;
|
||||||
peers = [{
|
peers = [{
|
||||||
publicKey = wireguard.pub.apollo;
|
publicKey = wireguard.pub.apollo;
|
||||||
allowedIPs = [ "${hosts.apollo-wg}/128" ];
|
allowedIPs = [ "${hosts.apollo-wg}/128" ];
|
||||||
presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk";
|
presharedKeyFile = pkgs.privatePath "wireguard-psk";
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
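Review bot: The new `wireguard.interfaces = let` followed by a bare `{` on the next line is the deprecated `let { ... }` form, which evaluates to the `body` attribute of the set rather than the set itself; no `body` is defined here, so this should fail at evaluation unless the rendering dropped an `in` between the two lines. The intended text is presumably just `wireguard.interfaces = {` with the extra `{` line removed. Separately, `presharedKeyFile = pkgs.privatePath "wireguard-psk"` does not match the `"wireguard/psk"` name used by the apollo configuration in this commit, and both ends of the tunnel must read the same file.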
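--- a/nixos/machines/hera/secret/.gitattributes
+++ b/nixos/machines/hera/secret/.gitattributes
@@ -1,2 +0,0 @@
-* filter=git-crypt-hera diff=git-crypt-hera
-.gitattributes !filter !diff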
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,4 +1,4 @@
|
||||||
{ config, ... }:
|
{ config, pkgs, ... }:
|
||||||
let
|
let
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
|
@ -18,7 +18,7 @@ in {
|
||||||
nginx = {
|
nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts."tasks.maralorn.de" = {
|
virtualHosts."tasks.maralorn.de" = {
|
||||||
basicAuth.kassandra = (import secret/kassandra.nix).password;
|
basicAuthFile = pkgs.privatePath "basic-auth/kassandra";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations = {
|
locations = {
|
||||||
|
|
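Review bot: `basicAuthFile = pkgs.privatePath "basic-auth/kassandra"` points nginx at a file under `/etc/nixos/private`, outside the Nix store, so unlike the replaced `basicAuth.kassandra = …` form the credential no longer lands in a world-readable store path; that benefit depends on the file's owner and mode allowing only the nginx service user to read it, which this hunk cannot show. A comment on the line would pin the expectation, e.g. `# htpasswd file; must be readable by the nginx user and by nobody else`. The same applies to the `basic-auth/mathechor.de` and `basic-auth/monitoring` sites changed in this commit.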
|
@ -1,11 +1,5 @@
|
||||||
{ pkgs, config, lib, ... }:
|
{ pkgs, config, lib, ... }: {
|
||||||
let me = config.m-0.private.me;
|
imports = [ ../../common ./modules/laptop.nix ./modules/loginctl-linger.nix ];
|
||||||
in {
|
|
||||||
imports = [
|
|
||||||
../../common
|
|
||||||
./modules/laptop.nix
|
|
||||||
./modules/loginctl-linger.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
i18n = { defaultLocale = "en_US.UTF-8"; };
|
i18n = { defaultLocale = "en_US.UTF-8"; };
|
||||||
|
|
||||||
|
@ -27,10 +21,7 @@ in {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
users = {
|
users.mutableUsers = false;
|
||||||
mutableUsers = false;
|
|
||||||
users.root.openssh.authorizedKeys = { inherit (me) keys; };
|
|
||||||
};
|
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
etc = lib.mapAttrs'
|
etc = lib.mapAttrs'
|
||||||
|
@ -43,15 +34,22 @@ in {
|
||||||
(_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt");
|
(_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt");
|
||||||
};
|
};
|
||||||
|
|
||||||
|
system.activationScripts =
|
||||||
|
lib.mkIf (!pkgs.withSecrets) { text = "echo No secrets loaded!; exit 1;"; };
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
binaryCaches =
|
binaryCaches =
|
||||||
[ "https://cache.nixos.org/" "https://nixcache.reflex-frp.org" ];
|
[ "https://cache.nixos.org/" "https://nixcache.reflex-frp.org" ];
|
||||||
binaryCachePublicKeys =
|
binaryCachePublicKeys =
|
||||||
[ "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ];
|
[ "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ];
|
||||||
nixPath = [ "/etc/nix-path" ];
|
nixPath = [ "/etc/nix-path" ];
|
||||||
|
trustedUsers = [ "maralorn" ];
|
||||||
|
buildMachines = pkgs.privateValue [ ] "remote-builders";
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
fallback = true
|
fallback = true
|
||||||
keep-outputs = true
|
keep-outputs = true
|
||||||
|
auto-optimise-store = true
|
||||||
|
builders-use-substitutes = true
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
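Review bot: `trustedUsers = [ "maralorn" ];` is added without a comment, yet a trusted user of the Nix daemon can set arbitrary substituters and import unsigned store paths, which is effectively root on the machine; the reason (presumably the `buildMachines` remote-builder setup on the next line) should be recorded, e.g. `# trusted so remote builders and extra substituters can be used; this is root-equivalent`. The guard `system.activationScripts = lib.mkIf (!pkgs.withSecrets) { text = "…"; }` appears to define an activation script literally named `text`; a descriptive key such as `system.activationScripts.requireSecrets = lib.mkIf (!pkgs.withSecrets) "echo No secrets loaded!; exit 1;";` makes the intent visible in the generated script. I cannot see from this hunk whether the home-manager configurations that also call `pkgs.privateValue` have an equivalent guard.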
|
@ -54,7 +54,7 @@ in {
|
||||||
services.gitolite = {
|
services.gitolite = {
|
||||||
enable = true;
|
enable = true;
|
||||||
user = "git";
|
user = "git";
|
||||||
adminPubkey = builtins.elemAt me.keys 0;
|
adminPubkey = builtins.elemAt (pkgs.privateValue [""] "ssh-keys" )0;
|
||||||
commonHooks = [ "${post-update}/bin/post-update" ];
|
commonHooks = [ "${post-update}/bin/post-update" ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
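Review bot: `adminPubkey = builtins.elemAt (pkgs.privateValue [""] "ssh-keys" )0;` has misplaced spacing, and its `[""]` default hands gitolite an empty admin key in a secret-less evaluation; how the gitolite module reacts to an empty string is not visible here, so this relies entirely on the activation guard added elsewhere in this commit. Reformat to `adminPubkey = builtins.elemAt (pkgs.privateValue [ "" ] "ssh-keys") 0;` and add `# placeholder key for secret-less builds; never activated` above it. The users configuration in this commit uses `[ ]` as the default for the same `ssh-keys` value, so the two defaults disagree and one of them should be commented.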
|
@ -1,6 +1,5 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let inherit (config.m-0.private) mathechor-pw me;
|
{
|
||||||
in {
|
|
||||||
services = {
|
services = {
|
||||||
nginx = {
|
nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -20,15 +19,14 @@ in {
|
||||||
virtualHosts."intern.mathechor.de" = {
|
virtualHosts."intern.mathechor.de" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
basicAuth.mathechor = mathechor-pw;
|
basicAuthFile = pkgs.privatePath "basic-auth/mathechor.de";
|
||||||
locations = {
|
locations = {
|
||||||
"/" = {
|
"/" = {
|
||||||
root = "/var/www/mathechor/intern";
|
root = "/var/www/mathechor/intern";
|
||||||
index = "index.html";
|
index = "index.html";
|
||||||
};
|
};
|
||||||
"/mathechor.ics" = {
|
"/mathechor.ics" = {
|
||||||
proxyPass =
|
proxyPass = pkgs.privateValue "" "mathechor-ics";
|
||||||
"https://cloud.mathechor.de/remote.php/dav/public-calendars/nebsfFTzQKGSSsDc?export";
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_ssl_name cloud.mathechor.de;
|
proxy_ssl_name cloud.mathechor.de;
|
||||||
proxy_ssl_server_name on;
|
proxy_ssl_server_name on;
|
||||||
|
|
|
@ -19,11 +19,8 @@ in {
|
||||||
return 200 "{\"m.homeserver\": { \"base_url\":\"https://matrix.maralorn.de\"} }";
|
return 200 "{\"m.homeserver\": { \"base_url\":\"https://matrix.maralorn.de\"} }";
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
extraConfig = "
|
extraConfig =
|
||||||
add_header 'Access-Control-Allow-Origin' '*';
|
"\n add_header 'Access-Control-Allow-Origin' '*';\n add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';\n add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';\n ";
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
|
|
||||||
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
|
|
||||||
";
|
|
||||||
};
|
};
|
||||||
virtualHosts."${hostName}" = {
|
virtualHosts."${hostName}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -41,7 +38,13 @@ in {
|
||||||
postgresql.enable = true;
|
postgresql.enable = true;
|
||||||
|
|
||||||
# Synapse
|
# Synapse
|
||||||
matrix-synapse = {
|
matrix-synapse = let
|
||||||
|
server-secrets = pkgs.privateValue {
|
||||||
|
registration_shared_secret = "";
|
||||||
|
macaroon_secret_key = "";
|
||||||
|
turn_shared_secret = "";
|
||||||
|
} "matrix/server-secrets";
|
||||||
|
in server-secrets // {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.matrix-synapse;
|
package = pkgs.matrix-synapse;
|
||||||
enable_metrics = true;
|
enable_metrics = true;
|
||||||
|
@ -51,11 +54,7 @@ in {
|
||||||
database_type = "psycopg2";
|
database_type = "psycopg2";
|
||||||
max_upload_size = "30M";
|
max_upload_size = "30M";
|
||||||
dynamic_thumbnails = true;
|
dynamic_thumbnails = true;
|
||||||
registration_shared_secret =
|
|
||||||
config.m-0.private.matrix_registration_secret;
|
|
||||||
macaroon_secret_key = config.m-0.private.macaroon_secret;
|
|
||||||
turn_uris = [ "turn:hera.m-0.eu:3478?transport=udp" ];
|
turn_uris = [ "turn:hera.m-0.eu:3478?transport=udp" ];
|
||||||
turn_shared_secret = config.m-0.private.turn_secret;
|
|
||||||
turn_user_lifetime = "5h";
|
turn_user_lifetime = "5h";
|
||||||
allow_guest_access = true;
|
allow_guest_access = true;
|
||||||
logConfig = ''
|
logConfig = ''
|
||||||
|
|
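Review bot: The nginx `extraConfig` for the well-known location was collapsed into a single line with embedded `\n` escapes, which is harder to read and to diff than the multi-line string it replaces; an indented `''` string keeps the directives one per line and nginx does not care about the leading whitespace. The `server-secrets` defaults (`registration_shared_secret = ""` and the two others) silently yield a synapse configuration with empty secrets in a secret-less build; a short comment there naming the activation guard that keeps such a build from being activated would help. The remainder of the `matrix-synapse` attribute set continues outside the hunk.
```nix
extraConfig = ''
  add_header 'Access-Control-Allow-Origin' '*';
  add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
  add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
'';
```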
|
@ -32,6 +32,7 @@ in {
|
||||||
};
|
};
|
||||||
programs.dconf.enable = true;
|
programs.dconf.enable = true;
|
||||||
|
|
||||||
|
virtualisation.docker.enable = true;
|
||||||
services = {
|
services = {
|
||||||
upower.enable = true;
|
upower.enable = true;
|
||||||
printing = {
|
printing = {
|
||||||
|
|
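Review bot: `virtualisation.docker.enable = true;` is added without a comment, while the user account defined in this commit's users configuration is a member of the `docker` group; membership of that group gives the account root-equivalent control of the host through the daemon socket, so the line deserves a note such as `# docker group membership (users.nix) is root-equivalent; keep the member list minimal`. Whether rootless mode was considered cannot be seen here.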
|
@ -12,7 +12,7 @@
|
||||||
smtp_smarthost = "hera.m-0.eu:587";
|
smtp_smarthost = "hera.m-0.eu:587";
|
||||||
smtp_from = "alertmanager@m-0.eu";
|
smtp_from = "alertmanager@m-0.eu";
|
||||||
smtp_auth_username = "alertmanager@m-0.eu";
|
smtp_auth_username = "alertmanager@m-0.eu";
|
||||||
smtp_auth_password = config.m-0.private.alertmanager-mail-pw;
|
smtp_auth_password = pkgs.privateValue "" "alertmanager/mail-pw";
|
||||||
};
|
};
|
||||||
route = {
|
route = {
|
||||||
group_by = [ "alert_type" ];
|
group_by = [ "alert_type" ];
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
{ config, ... }:
|
{ config, ... }:
|
||||||
let
|
let
|
||||||
inherit (config.m-0.private) monitoring-guest-pw monitoring-pw;
|
|
||||||
commonOptions = {
|
commonOptions = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -9,10 +8,7 @@ let
|
||||||
allow ${config.m-0.prefix}::/64;
|
allow ${config.m-0.prefix}::/64;
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
basicAuth = {
|
basicAuthFile = pkgs.privatePath "basic-auth/monitoring";
|
||||||
guest = monitoring-guest-pw;
|
|
||||||
maralorn = monitoring-pw;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
|
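Review bot: `basicAuthFile = pkgs.privatePath "basic-auth/monitoring";` references `pkgs`, but this file's argument set is still `{ config, ... }:` (unchanged in the first hunk), so unless `pkgs` is bound somewhere between the two hunks the evaluation fails with an undefined variable. The kassandra and users files in this commit add `pkgs` to their arguments; this one needs the same change, `{ config, pkgs, ... }:`. The `commonOptions` set spans both hunks, so the lines in between are not visible.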
|
|
@ -1,18 +1,18 @@
|
||||||
{ config, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
with lib;
|
let
|
||||||
let me = config.m-0.private.me;
|
passwordFile = pkgs.privatePath "pam-login-password";
|
||||||
|
openssh.authorizedKeys.keys = pkgs.privateValue [ ] "ssh-keys";
|
||||||
in {
|
in {
|
||||||
users.users = {
|
users.users = {
|
||||||
"${me.user}" = {
|
maralorn = {
|
||||||
linger = true;
|
linger = true;
|
||||||
description = me.name;
|
description = "maralorn";
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
uid = 1000;
|
uid = 1000;
|
||||||
extraGroups =
|
extraGroups =
|
||||||
[ "wheel" "systemd-journal" "networkmanager" "docker" "video" ];
|
[ "wheel" "systemd-journal" "networkmanager" "docker" "video" ];
|
||||||
openssh.authorizedKeys.keys = me.keys;
|
inherit openssh passwordFile;
|
||||||
passwordFile = me.pw-file;
|
|
||||||
};
|
};
|
||||||
root = { passwordFile = me.pw-file; };
|
root = { inherit openssh passwordFile; };
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
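--- a/overlays/private.nix
+++ b/overlays/private.nix
@@ -0,0 +1,16 @@
+final: prec: {
+withSecrets = let val = builtins.pathExists ../private/submodule-is-checked-out;
+in builtins.trace
+(if val then "Building _with_ secrets!" else "Building _without_ secrets!")
+val;
+privatePath = name:
+let path = "/etc/nixos/private/${name}";
+in if final.withSecrets then
+assert builtins.pathExists path; path
+else
+path;
+privateValue = default: name:
+if final.withSecrets then import (../private + "/${name}.nix") else default;
+privateFile = name:
+if final.withSecrets then ../private + "/${name}" else builtins.toFile "missing-secret-file-${name}" "";
+}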
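Review bot: The three helpers have different exposure properties and none is documented: `privatePath` returns the string `/etc/nixos/private/<name>`, which stays outside the Nix store, whereas `privateFile` returns a path inside the repository and `privateValue` imports a `.nix` file, so anything built from those two ends up in the world-readable store (a `home.file.*.source`, or a password interpolated into a generated config file, as several call sites in this commit do). A header comment would steer future call sites, e.g. `# privatePath: out-of-store path, use for key material and password files; privateFile/privateValue: contents end up in /nix/store`. Minor: the second overlay parameter is spelled `prec` where `prev` is conventional, and `privatePath` returns the nonexistent path silently when `withSecrets` is false, which is only safe because activation is guarded elsewhere in this commit.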
|
@ -5,7 +5,6 @@ let
|
||||||
configPath = "/etc/nixos";
|
configPath = "/etc/nixos";
|
||||||
systems = [ "apollo" "hera" ];
|
systems = [ "apollo" "hera" ];
|
||||||
homes = self.lib.attrNames (import ../home-manager/machines.nix);
|
homes = self.lib.attrNames (import ../home-manager/machines.nix);
|
||||||
keys = [ "default" "apollo" "hera" ];
|
|
||||||
imports = [ "Control.Exception (onException)" ];
|
imports = [ "Control.Exception (onException)" ];
|
||||||
haskellBody = name: commandline: ''
|
haskellBody = name: commandline: ''
|
||||||
main = do
|
main = do
|
||||||
|
@ -55,9 +54,6 @@ in {
|
||||||
bump <- (maybe False (== "bump") . listToMaybe) <$> getArgs
|
bump <- (maybe False (== "bump") . listToMaybe) <$> getArgs
|
||||||
bracket checkout (rm "-rf") $ \repoDir -> do
|
bracket checkout (rm "-rf") $ \repoDir -> do
|
||||||
withCurrentDirectory repoDir $ do
|
withCurrentDirectory repoDir $ do
|
||||||
mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ${
|
|
||||||
self.haskellList keys
|
|
||||||
}
|
|
||||||
when bump $ ignoreFailure $ niv "update"
|
when bump $ ignoreFailure $ niv "update"
|
||||||
changed <- (mempty /=) <$> (git "-C" repoDir "status" "--porcelain" |> captureTrim)
|
changed <- (mempty /=) <$> (git "-C" repoDir "status" "--porcelain" |> captureTrim)
|
||||||
when changed $ do
|
when changed $ do
|
||||||
|
|
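Review bot: With the `git_crypt "unlock"` loop removed, the copy in `repoDir` only yields `withSecrets = true` if `checkout` (defined outside this hunk) also fetches the private submodule so that `private/submodule-is-checked-out` exists; if it does not, every build from this script is a secret-less build and the activation guard added in this commit refuses to activate it. Please confirm that `checkout` initialises the submodule, or add a comment on the `bracket checkout (rm "-rf")` line stating that it does.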