Refactor secrets
parent
6fc4eb9e65
commit
39f0f6963a
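--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@@ -1,3 +0,0 @@
-# Do not edit this file. To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff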
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -4,8 +4,6 @@ with lib;
|
|||
|
||||
{
|
||||
|
||||
imports = [ ./secret ];
|
||||
|
||||
config = {
|
||||
m-0.monitoring = [{
|
||||
host = "apollo:9100";
|
||||
|
|
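--- a/common/secret/.gitattributes
+++ b/common/secret/.gitattributes
@@ -1,2 +0,0 @@
-* filter=git-crypt diff=git-crypt
-.gitattributes !filter !diff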
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
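--- a/common/wireguard.nix
+++ b/common/wireguard.nix
@@ -0,0 +1,7 @@
+{
+port = 51318;
+pub = {
+hera = "npDW4BUiXcxPXQ/MObP6PlK8/PcMlz/Bwo5FlCCUx3E=";
+apollo = "hYziEwk74g7v7GpIafLvC95dje2BI4saoEtJXXu2txs=";
+};
+}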
@ -1,4 +1,4 @@
|
|||
{ pkgs, ... }: {
|
||||
home.file.".config/jali/config.py".source = ../../common/secret/jaliconfig.py;
|
||||
home.file.".config/jali/config.py".source = pkgs.privateFile "jaliconfig.py";
|
||||
home.packages = builtins.attrValues pkgs.accounting-pkgs;
|
||||
}
|
||||
|
|
|
@ -48,7 +48,7 @@ in
|
|||
home.packages = builtins.attrValues {
|
||||
factorio = pkgs.factorio.override {
|
||||
username = "maralorn";
|
||||
token = import ../../nixos/machines/apollo/secret/factory.nix;
|
||||
token = pkgs.privateValue "" "factorio";
|
||||
experimental = true;
|
||||
};
|
||||
inherit (pkgs) steam minetest;
|
||||
|
|
|
@ -1,7 +1,10 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
let
|
||||
inherit (config.m-0.private) sendmail me;
|
||||
inherit (config.m-0.private.mail_filters) sortLists stupidLists notifications;
|
||||
gpg = "6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9";
|
||||
name = "Malte Brandy";
|
||||
mail = "malte.brandy@maralorn.de";
|
||||
alternates = pkgs.privateValue [] "mail/alternates";
|
||||
lists = pkgs.privateValue { sortList = []; stupidLists = []; notifications = []; } "mail/filters";
|
||||
maildir = config.accounts.email.maildirBasePath;
|
||||
# mhdr -h List-ID -d Maildir/hera/Archiv/unsortiert | sort | sed 's/^.*<\(.*\)>$/\1/' | uniq | xargs -I '{}' sh -c "notmuch count List:{} | sed 's/$/: {}/'" | sort
|
||||
# To find candidates
|
||||
|
@ -114,7 +117,7 @@ in {
|
|||
};
|
||||
systemd.user.timers.mbsync.Timer.RandomizedDelaySec = "10m";
|
||||
|
||||
accounts.email.accounts = config.m-0.private.mail_accounts;
|
||||
accounts.email.accounts = pkgs.privateValue {} "mail/accounts";
|
||||
systemd.user.services = let
|
||||
mkService = name: account:
|
||||
let
|
||||
|
@ -180,7 +183,7 @@ in {
|
|||
packages = [ sortMail ];
|
||||
file = let
|
||||
mutt_alternates = "@maralorn.de "
|
||||
+ (builtins.concatStringsSep " " me.alternates);
|
||||
+ (builtins.concatStringsSep " " alternates);
|
||||
show-sidebar = pkgs.writeText "show-sidebar" ''
|
||||
set sidebar_visible=yes
|
||||
bind index <up> sidebar-prev
|
||||
|
@ -229,9 +232,9 @@ in {
|
|||
set pgp_replyencrypt = yes
|
||||
set crypt_replysignencrypted = yes
|
||||
set crypt_verify_sig = yes
|
||||
set pgp_sign_as="${me.gpg}"
|
||||
set pgp_sign_as="${gpg}"
|
||||
set pgp_use_gpg_agent = yes
|
||||
set pgp_default_key="${me.gpg}"
|
||||
set pgp_default_key="${gpg}"
|
||||
set timeout = 5
|
||||
|
||||
set abort_noattach = ask-yes
|
||||
|
@ -244,7 +247,7 @@ in {
|
|||
set sendmail="${pkgs.msmtp}/bin/msmtp --read-envelope-from"
|
||||
set sort=threads
|
||||
set sort_aux=date-sent
|
||||
set realname="${me.name}"
|
||||
set realname="${name}"
|
||||
set from=fill-later
|
||||
set use_from=yes
|
||||
set fast_reply=yes
|
||||
|
@ -277,11 +280,11 @@ in {
|
|||
color sidebar_highlight white blue
|
||||
set sidebar_format = "%B%* %?N?%N/?%S"
|
||||
|
||||
alias f__0 ${me.name} <${me.mail}>
|
||||
alias f__0 ${name} <${mail}>
|
||||
${builtins.concatStringsSep "\n"
|
||||
(lib.imap1 (n: x: "alias f__${toString n} ${me.name} <${x}>")
|
||||
me.alternates)}
|
||||
send2-hook '~f fill-later' "push <edit-from><kill-line>f__<complete><search>${me.mail}<enter>"
|
||||
(lib.imap1 (n: x: "alias f__${toString n} ${name} <${x}>")
|
||||
alternates)}
|
||||
send2-hook '~f fill-later' "push <edit-from><kill-line>f__<complete><search>${mail}<enter>"
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
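Review bot: The fallback attrset in `lists = pkgs.privateValue { sortList = []; stupidLists = []; notifications = []; } "mail/filters";` spells the key `sortList`, while the binding it replaces (`inherit (config.m-0.private.mail_filters) sortLists stupidLists notifications;`) was the plural `sortLists`. If the filter code further down (outside this hunk) reads `lists.sortLists`, a build without secrets fails on a missing attribute instead of falling back to the empty list. Suggest `sortLists = [ ];` in the default, or whichever spelling the consumer actually uses. The `let` block starts in this hunk but its `in` body continues outside it.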
|
|
@ -118,10 +118,10 @@
|
|||
dataLocation = "${config.home.homeDirectory}/.task";
|
||||
config = {
|
||||
taskd = {
|
||||
certificate = builtins.toFile "public.cert" cfg.publicCert;
|
||||
credentials = cfg.credentials;
|
||||
ca = builtins.toFile "ca.cert" cfg.caCert;
|
||||
key = builtins.toFile "private.key" cfg.privateKey;
|
||||
certificate = pkgs.privatePath "taskwarrior/public.cert";
|
||||
credentials = pkgs.privateValue "" "taskwarrior/credentials";
|
||||
ca = pkgs.privatePath "taskwarrior/ca.cert";
|
||||
key = pkgs.privatePath "taskwarrior/private.key";
|
||||
server = "hera.m-0.eu:53589";
|
||||
};
|
||||
};
|
||||
|
|
|
@ -87,7 +87,7 @@ in {
|
|||
${server}.autoconnect = on
|
||||
${server}.username = "${serverConfig.user}"
|
||||
${server}.password = "${serverConfig.password}"
|
||||
'') weechatConfig.matrix)}
|
||||
'') pkgs.privateValue { } "weechat/matrix")}
|
||||
'';
|
||||
};
|
||||
irc = {
|
||||
|
@ -107,7 +107,7 @@ in {
|
|||
${server}.autoconnect = on
|
||||
${server}.username = "${serverConfig.user}"
|
||||
${server}.autojoin = "${serverConfig.channels}"
|
||||
'') weechatConfig.irc)}
|
||||
'') pkgs.privateValue { } "weechat/irc")}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
@ -3,6 +3,7 @@ mkdir -p /var/run/user/$UID/tmp/downloads
|
|||
setopt prompt_subst
|
||||
autoload -U colors && colors # Enable colors in prompt
|
||||
|
||||
alias nix-build-remote="nix-build --builders '@/etc/nix/machines' --max-jobs 0"
|
||||
alias cat=bat
|
||||
alias accounting='hledger -f ~/git/buchhaltung/buchhaltung.ledger ui -- --watch --theme=terminal -T -E'
|
||||
alias o=xdg-open
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# You need pw-files for every configured user in ./secret/pw-useralias for login to work.
|
||||
|
||||
let
|
||||
inherit (config.m-0) hosts prefix private;
|
||||
inherit (private) me wireguard;
|
||||
wireguard = import ../../../common/wireguard.nix;
|
||||
inherit (config.m-0) hosts prefix;
|
||||
nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
|
||||
inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
|
||||
in {
|
||||
|
@ -12,7 +12,6 @@ in {
|
|||
imports = [
|
||||
"${nixos-hardware}/lenovo/thinkpad"
|
||||
"${nixos-hardware}/common/pc/ssd"
|
||||
"${(builtins.fetchGit "ssh://git@git.darmstadt.ccc.de/cdark.net/nixdark")}"
|
||||
./hardware-configuration.nix
|
||||
../../roles
|
||||
../../roles/fonts.nix
|
||||
|
@ -28,15 +27,15 @@ in {
|
|||
m0wire = {
|
||||
allowedIPsAsRoutes = false;
|
||||
ips = [ "${hosts.apollo-wg}/112" ];
|
||||
privateKeyFile =
|
||||
"/etc/nixos/nixos/machines/apollo/secret/wireguard-private";
|
||||
privateKeyFile = pkgs.privatePath "wireguard/apollo-private";
|
||||
peers = [{
|
||||
publicKey = wireguard.pub.hera;
|
||||
allowedIPs = [ "::/0" ];
|
||||
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||
endpoint =
|
||||
"[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||
# If v6 is not available:
|
||||
# endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
|
||||
presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk";
|
||||
presharedKeyFile = pkgs.privatePath "wireguard/psk";
|
||||
persistentKeepalive = 25;
|
||||
}];
|
||||
postSetup =
|
||||
|
@ -80,9 +79,8 @@ in {
|
|||
openDefaultPorts = true;
|
||||
declarative = syncthing.declarativeWith [ "hera" ] "/home/maralorn/media"
|
||||
// {
|
||||
cert = "/etc/nixos/nixos/machines/apollo/secret/syncthing/cert.pem";
|
||||
key = "/etc/nixos/nixos/machines/apollo/secret/syncthing/key.pem";
|
||||
};
|
||||
cert = pkgs.privatePath "syncthing/apollo/cert.pem";
|
||||
key = pkgs.privatePath "syncthing/apollo/key.pem";
|
||||
};
|
||||
gnome3.chrome-gnome-shell.enable = true;
|
||||
xserver = {
|
||||
|
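Review bot: The context line `# You need pw-files for every configured user in ./secret/pw-useralias for login to work.` at the top of the first hunk appears to be stale after this commit: the `nixos/machines/apollo/secret` git-crypt attributes are deleted and login passwords are now read through `pkgs.privatePath "pam-login-password…"` elsewhere in the commit. Suggest rewording it to point at the new location, e.g. `# Login needs a pam-login-password(-<user>) file in the private submodule; see overlays/private.nix.` The `let` block this comment precedes begins on a line outside the hunk.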
|
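--- a/nixos/machines/apollo/secret/.gitattributes
+++ b/nixos/machines/apollo/secret/.gitattributes
@@ -1,2 +0,0 @@
-* filter=git-crypt-apollo diff=git-crypt-apollo
-.gitattributes !filter !diff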
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,6 +1,6 @@
|
|||
{ ... }: {
|
||||
{ pkgs, ... }: {
|
||||
|
||||
m-0.server.initSSHKey = "/etc/nixos/nixos/machines/hera/secret/ssh_boot_rsa";
|
||||
m-0.server.initSSHKey = pkgs.privatePath "hera-boot-ssh-key";
|
||||
|
||||
boot = {
|
||||
loader.grub = {
|
||||
|
|
|
@ -66,8 +66,11 @@ let
|
|||
dbname = "nextcloud";
|
||||
dbuser = "nextcloud";
|
||||
dbhost = "localhost";
|
||||
inherit (cloud) adminpass dbpass adminuser;
|
||||
};
|
||||
} // pkgs.privateValue {
|
||||
adminpass = "";
|
||||
dbpass = "";
|
||||
adminuser = "";
|
||||
} "nextcloud-admin";
|
||||
autoUpdateApps = {
|
||||
enable = true;
|
||||
startAt = "20:30";
|
||||
|
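Review bot: `adminpass` and `dbpass` are still supplied as Nix strings via `} // pkgs.privateValue { adminpass = ""; dbpass = ""; adminuser = ""; } "nextcloud-admin";`, so they continue to land in the generated Nextcloud config in the world-readable Nix store; the refactor only changes where they are read from. The NixOS Nextcloud module offers `adminpassFile` and `dbpassFile` — if the release in use has them, `pkgs.privatePath` would keep both out of the store, matching what this commit already does for basicAuth and WireGuard. The enclosing `let` starts outside the hunk, so I cannot see whether the merged attrset goes straight into `services.nextcloud.config`.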
|
|
@ -55,41 +55,7 @@ in {
|
|||
startAt = "23:00";
|
||||
};
|
||||
services = {
|
||||
borgbackup.jobs = let
|
||||
passphrases = (import secret/secrets.nix).borgbackup;
|
||||
defaultBackup = {
|
||||
doInit = false;
|
||||
compression = "zstd,5";
|
||||
exclude = [ "/var/lib/containers/*/var/lib/nextcloud/data/appdata_*" ];
|
||||
paths = [
|
||||
"/media"
|
||||
"/var/lib/containers/mail/var/vmail"
|
||||
"/var/lib/containers/chor-cloud/var/lib/nextcloud/data"
|
||||
"/var/lib/containers/cloud/var/lib/nextcloud/data"
|
||||
"/var/lib/matrix-synapse"
|
||||
"/var/lib/db-backup-dumps/cur"
|
||||
"/var/lib/gitolite"
|
||||
"/var/lib/taskserver"
|
||||
];
|
||||
};
|
||||
in {
|
||||
fb04217 = defaultBackup // {
|
||||
encryption = {
|
||||
mode = "keyfile-blake2";
|
||||
passphrase = passphrases.fb04217;
|
||||
};
|
||||
extraArgs = "--remote-path=bin/borg";
|
||||
repo =
|
||||
"brandy@fb04217.mathematik.tu-darmstadt.de:/media/maralorn-backup/hera-borg-repo";
|
||||
};
|
||||
cysec = defaultBackup // {
|
||||
encryption = {
|
||||
mode = "keyfile-blake2";
|
||||
passphrase = passphrases.cysec;
|
||||
};
|
||||
repo = "maralorn@borg.cysec.de:/srv/cube/maralorn/hera-borg-repo";
|
||||
};
|
||||
};
|
||||
borgbackup.jobs = pkgs.privateValue {} "borgbackup";
|
||||
taskserver = {
|
||||
enable = true;
|
||||
fqdn = "hera.m-0.eu";
|
||||
|
@ -102,8 +68,8 @@ in {
|
|||
user = "maralorn";
|
||||
openDefaultPorts = true;
|
||||
declarative = syncthing.declarativeWith [ "apollo" ] "/media" // {
|
||||
cert = "/etc/nixos/nixos/machines/hera/secret/syncthing/cert.pem";
|
||||
key = "/etc/nixos/nixos/machines/hera/secret/syncthing/key.pem";
|
||||
cert = pkgs.privatePath "syncthing/hera/cert.pem";
|
||||
key = pkgs.privatePath "syncthing/hera/key.pem";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -116,7 +82,7 @@ in {
|
|||
isNormalUser = true;
|
||||
uid = 1001;
|
||||
extraGroups = [ "wheel" "systemd-journal" ];
|
||||
passwordFile = "/etc/nixos/nixos/machines/hera/secret/pw-choreutes";
|
||||
passwordFile = pkgs.privatePath "pam-login-password-choreutes";
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
|
|
|
@ -80,11 +80,8 @@ in {
|
|||
postfix = {
|
||||
networks = [ "[${config.m-0.prefix}::]/64" "10.0.0.0/24" ];
|
||||
transport = "email2matrix.maralorn.de smtp:[::1]:2525";
|
||||
virtual = attrsToAliasList (config.m-0.private.lists // {
|
||||
"weather-channel@maralorn.de" = "weather@email2matrix.maralorn.de";
|
||||
"subjects-channel@maralorn.de" =
|
||||
"subjects@email2matrix.maralorn.de";
|
||||
"notify-channel@maralorn.de" = "notify@email2matrix.maralorn.de";
|
||||
virtual = attrsToAliasList (pkgs.privateValue {} "mailing-lists"
|
||||
// {
|
||||
});
|
||||
};
|
||||
opendkim.keyPath = "/var/dkim";
|
||||
|
@ -94,7 +91,7 @@ in {
|
|||
enableImapSsl = true;
|
||||
fqdn = "hera.m-0.eu";
|
||||
domains = [ "m-0.eu" "maralorn.de" "choreutes.de" "mathechor.de" ];
|
||||
loginAccounts = config.m-0.private.mailUsers;
|
||||
loginAccounts = pkgs.privateValue {} "mail-users";
|
||||
hierarchySeparator = "/";
|
||||
certificateScheme = 1;
|
||||
certificateFile = "${certPath}/fullchain.pem";
|
||||
|
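Review bot: The new `virtual = attrsToAliasList (pkgs.privateValue {} "mailing-lists"` is followed by `// {` and `});`, a merge with an empty attrset left over from removing the three email2matrix aliases; it is a no-op and reads as unfinished, so collapse it to `virtual = attrsToAliasList (pkgs.privateValue { } "mailing-lists");`. Worth a second look whether the `weather-channel`, `subjects-channel` and `notify-channel` aliases were meant to move into the private `mailing-lists` file or were dropped by accident, since nothing in the hunk carries them over.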
|
|
@ -1,7 +1,7 @@
|
|||
{ pkgs, config, ... }:
|
||||
let
|
||||
wireguard = import ../../../common/wireguard.nix;
|
||||
inherit (config.m-0) hosts;
|
||||
inherit (config.m-0.private) wireguard;
|
||||
in {
|
||||
networking = {
|
||||
hostName = "hera";
|
||||
|
@ -54,15 +54,16 @@ in {
|
|||
nameservers = [ "213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53" ];
|
||||
firewall.allowedTCPPorts = [ 8666 ];
|
||||
firewall.allowedUDPPorts = [ wireguard.port ];
|
||||
wireguard.interfaces = {
|
||||
wireguard.interfaces = let
|
||||
{
|
||||
m0wire = {
|
||||
ips = [ "${hosts.hera-wg}/112" ];
|
||||
privateKeyFile = "/etc/nixos/nixos/machines/hera/secret/wireguard-private";
|
||||
privateKeyFile = pkgs.privatePath "wireguard/hera-private";
|
||||
listenPort = wireguard.port;
|
||||
peers = [{
|
||||
publicKey = wireguard.pub.apollo;
|
||||
allowedIPs = [ "${hosts.apollo-wg}/128" ];
|
||||
presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk";
|
||||
presharedKeyFile = pkgs.privatePath "wireguard-psk";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
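Review bot: The preshared key is read as `presharedKeyFile = pkgs.privatePath "wireguard-psk";` here but as `pkgs.privatePath "wireguard/psk"` in the apollo configuration of this same commit, although both replace the one shared file `/etc/nixos/common/secret/wireguard-psk`. A WireGuard PSK must be identical on both peers, and `privatePath` asserts that the file exists when secrets are present, so one of the two names is wrong unless the private repo deliberately carries the key twice; pick one spelling for both machines. Also, as rendered, `wireguard.interfaces = let` is followed directly by `{` with no bindings and no `in` — if that is what the file contains it is the legacy `let { … }` form and will not evaluate to the attrset, so either drop the `let` or restore `let … in {`.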
|
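--- a/nixos/machines/hera/secret/.gitattributes
+++ b/nixos/machines/hera/secret/.gitattributes
@@ -1,2 +0,0 @@
-* filter=git-crypt-hera diff=git-crypt-hera
-.gitattributes !filter !diff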
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,4 +1,4 @@
|
|||
{ config, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
locations = {
|
||||
"/" = {
|
||||
|
@ -18,7 +18,7 @@ in {
|
|||
nginx = {
|
||||
enable = true;
|
||||
virtualHosts."tasks.maralorn.de" = {
|
||||
basicAuth.kassandra = (import secret/kassandra.nix).password;
|
||||
basicAuthFile = pkgs.privatePath "basic-auth/kassandra";
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations = {
|
||||
|
|
|
@ -1,11 +1,5 @@
|
|||
{ pkgs, config, lib, ... }:
|
||||
let me = config.m-0.private.me;
|
||||
in {
|
||||
imports = [
|
||||
../../common
|
||||
./modules/laptop.nix
|
||||
./modules/loginctl-linger.nix
|
||||
];
|
||||
{ pkgs, config, lib, ... }: {
|
||||
imports = [ ../../common ./modules/laptop.nix ./modules/loginctl-linger.nix ];
|
||||
|
||||
i18n = { defaultLocale = "en_US.UTF-8"; };
|
||||
|
||||
|
@ -27,10 +21,7 @@ in {
|
|||
acceptTerms = true;
|
||||
};
|
||||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users.root.openssh.authorizedKeys = { inherit (me) keys; };
|
||||
};
|
||||
users.mutableUsers = false;
|
||||
|
||||
environment = {
|
||||
etc = lib.mapAttrs'
|
||||
|
@ -43,15 +34,22 @@ in {
|
|||
(_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt");
|
||||
};
|
||||
|
||||
system.activationScripts =
|
||||
lib.mkIf (!pkgs.withSecrets) { text = "echo No secrets loaded!; exit 1;"; };
|
||||
|
||||
nix = {
|
||||
binaryCaches =
|
||||
[ "https://cache.nixos.org/" "https://nixcache.reflex-frp.org" ];
|
||||
binaryCachePublicKeys =
|
||||
[ "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ];
|
||||
nixPath = [ "/etc/nix-path" ];
|
||||
trustedUsers = [ "maralorn" ];
|
||||
buildMachines = pkgs.privateValue [ ] "remote-builders";
|
||||
extraOptions = ''
|
||||
fallback = true
|
||||
keep-outputs = true
|
||||
auto-optimise-store = true
|
||||
builders-use-substitutes = true
|
||||
'';
|
||||
};
|
||||
|
||||
|
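Review bot: The guard `system.activationScripts = lib.mkIf (!pkgs.withSecrets) { text = "echo No secrets loaded!; exit 1;"; };` only works because `activationScripts` is an attrset of named scripts, so this defines a script literally named `text`; giving it a name, e.g. `system.activationScripts.checkSecrets = lib.mkIf (!pkgs.withSecrets) "echo No secrets loaded!; exit 1;";`, makes the intent visible in the generated activation script. As far as is visible here it also only protects NixOS activation: the home-manager consumers in this commit (`jaliconfig.py`, `factorio`, `mail/accounts`, the taskwarrior certificates) fall back to empty defaults with no equivalent check.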
|
|
@ -54,7 +54,7 @@ in {
|
|||
services.gitolite = {
|
||||
enable = true;
|
||||
user = "git";
|
||||
adminPubkey = builtins.elemAt me.keys 0;
|
||||
adminPubkey = builtins.elemAt (pkgs.privateValue [""] "ssh-keys" )0;
|
||||
commonHooks = [ "${post-update}/bin/post-update" ];
|
||||
};
|
||||
}
|
||||
|
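Review bot: `adminPubkey = builtins.elemAt (pkgs.privateValue [""] "ssh-keys" )0;` runs the closing paren and the index together; `adminPubkey = builtins.elemAt (pkgs.privateValue [ "" ] "ssh-keys") 0;` reads as the two-argument call it is. The same `ssh-keys` list feeds `openssh.authorizedKeys.keys` in users.nix, so reordering the private list silently changes the gitolite admin key — a one-line comment such as `# first entry of the private ssh-keys list is the gitolite admin key` would make that coupling explicit.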
|
|
@ -1,6 +1,5 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let inherit (config.m-0.private) mathechor-pw me;
|
||||
in {
|
||||
{
|
||||
services = {
|
||||
nginx = {
|
||||
enable = true;
|
||||
|
@ -20,15 +19,14 @@ in {
|
|||
virtualHosts."intern.mathechor.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
basicAuth.mathechor = mathechor-pw;
|
||||
basicAuthFile = pkgs.privatePath "basic-auth/mathechor.de";
|
||||
locations = {
|
||||
"/" = {
|
||||
root = "/var/www/mathechor/intern";
|
||||
index = "index.html";
|
||||
};
|
||||
"/mathechor.ics" = {
|
||||
proxyPass =
|
||||
"https://cloud.mathechor.de/remote.php/dav/public-calendars/nebsfFTzQKGSSsDc?export";
|
||||
proxyPass = pkgs.privateValue "" "mathechor-ics";
|
||||
extraConfig = ''
|
||||
proxy_ssl_name cloud.mathechor.de;
|
||||
proxy_ssl_server_name on;
|
||||
|
|
|
@ -19,11 +19,8 @@ in {
|
|||
return 200 "{\"m.homeserver\": { \"base_url\":\"https://matrix.maralorn.de\"} }";
|
||||
'';
|
||||
};
|
||||
extraConfig = "
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
|
||||
";
|
||||
extraConfig =
|
||||
"\n add_header 'Access-Control-Allow-Origin' '*';\n add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';\n add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';\n ";
|
||||
};
|
||||
virtualHosts."${hostName}" = {
|
||||
forceSSL = true;
|
||||
|
@ -41,7 +38,13 @@ in {
|
|||
postgresql.enable = true;
|
||||
|
||||
# Synapse
|
||||
matrix-synapse = {
|
||||
matrix-synapse = let
|
||||
server-secrets = pkgs.privateValue {
|
||||
registration_shared_secret = "";
|
||||
macaroon_secret_key = "";
|
||||
turn_shared_secret = "";
|
||||
} "matrix/server-secrets";
|
||||
in server-secrets // {
|
||||
enable = true;
|
||||
package = pkgs.matrix-synapse;
|
||||
enable_metrics = true;
|
||||
|
@ -51,11 +54,7 @@ in {
|
|||
database_type = "psycopg2";
|
||||
max_upload_size = "30M";
|
||||
dynamic_thumbnails = true;
|
||||
registration_shared_secret =
|
||||
config.m-0.private.matrix_registration_secret;
|
||||
macaroon_secret_key = config.m-0.private.macaroon_secret;
|
||||
turn_uris = [ "turn:hera.m-0.eu:3478?transport=udp" ];
|
||||
turn_shared_secret = config.m-0.private.turn_secret;
|
||||
turn_user_lifetime = "5h";
|
||||
allow_guest_access = true;
|
||||
logConfig = ''
|
||||
|
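Review bot: The nginx `extraConfig` for the well-known host is collapsed into a single line with embedded `\n` escapes, which is harder to read and to diff than the `''` indented-string form the rest of this file uses for config blocks (`logConfig = ''`); keep it as `extraConfig = ''` … `'';` with one `add_header` per line. The directive values are unchanged, so this is formatting only.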
|
|
@ -32,6 +32,7 @@ in {
|
|||
};
|
||||
programs.dconf.enable = true;
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
services = {
|
||||
upower.enable = true;
|
||||
printing = {
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
smtp_smarthost = "hera.m-0.eu:587";
|
||||
smtp_from = "alertmanager@m-0.eu";
|
||||
smtp_auth_username = "alertmanager@m-0.eu";
|
||||
smtp_auth_password = config.m-0.private.alertmanager-mail-pw;
|
||||
smtp_auth_password = pkgs.privateValue "" "alertmanager/mail-pw";
|
||||
};
|
||||
route = {
|
||||
group_by = [ "alert_type" ];
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
inherit (config.m-0.private) monitoring-guest-pw monitoring-pw;
|
||||
commonOptions = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -9,10 +8,7 @@ let
|
|||
allow ${config.m-0.prefix}::/64;
|
||||
deny all;
|
||||
'';
|
||||
basicAuth = {
|
||||
guest = monitoring-guest-pw;
|
||||
maralorn = monitoring-pw;
|
||||
};
|
||||
basicAuthFile = pkgs.privatePath "basic-auth/monitoring";
|
||||
};
|
||||
in {
|
||||
imports = [
|
||||
|
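Review bot: `basicAuthFile = pkgs.privatePath "basic-auth/monitoring";` references `pkgs`, but the module header stays `{ config, ... }:` — it is a context line in the first hunk, whose 6→5 line count is explained by the removed `inherit` alone — so `pkgs` is an undefined variable and evaluation fails. Change the header to `{ config, pkgs, ... }:`, as this commit already does for the nginx file.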
|
|
@ -1,18 +1,18 @@
|
|||
{ config, lib, ... }:
|
||||
with lib;
|
||||
let me = config.m-0.private.me;
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
passwordFile = pkgs.privatePath "pam-login-password";
|
||||
openssh.authorizedKeys.keys = pkgs.privateValue [ ] "ssh-keys";
|
||||
in {
|
||||
users.users = {
|
||||
"${me.user}" = {
|
||||
maralorn = {
|
||||
linger = true;
|
||||
description = me.name;
|
||||
description = "maralorn";
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups =
|
||||
[ "wheel" "systemd-journal" "networkmanager" "docker" "video" ];
|
||||
openssh.authorizedKeys.keys = me.keys;
|
||||
passwordFile = me.pw-file;
|
||||
inherit openssh passwordFile;
|
||||
};
|
||||
root = { passwordFile = me.pw-file; };
|
||||
root = { inherit openssh passwordFile; };
|
||||
};
|
||||
}
|
||||
|
|
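--- a/overlays/private.nix
+++ b/overlays/private.nix
@@ -0,0 +1,16 @@
+final: prec: {
+withSecrets = let val = builtins.pathExists ../private/submodule-is-checked-out;
+in builtins.trace
+(if val then "Building _with_ secrets!" else "Building _without_ secrets!")
+val;
+privatePath = name:
+let path = "/etc/nixos/private/${name}";
+in if final.withSecrets then
+assert builtins.pathExists path; path
+else
+path;
+privateValue = default: name:
+if final.withSecrets then import (../private + "/${name}.nix") else default;
+privateFile = name:
+if final.withSecrets then ../private + "/${name}" else builtins.toFile "missing-secret-file-${name}" "";
+}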
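Review bot: `withSecrets` tests `../private/submodule-is-checked-out` relative to this overlay, while `privatePath` builds and asserts the absolute `/etc/nixos/private/${name}`; the two agree only when the evaluated checkout is `/etc/nixos`, otherwise the assertion inspects the build host's `/etc/nixos` while `privateValue` reads the checkout. That assumption deserves a comment above `privatePath`, e.g. `# Runtime path on the target; assumes this repo is checked out at /etc/nixos there.` The `privateFile` fallback `builtins.toFile "missing-secret-file-${name}" ""` will fail for a `name` containing `/`, because store path names cannot contain it, so it does not accept the subdirectory names `privatePath`/`privateValue` accept. Finally, the second overlay argument is conventionally `prev`; `prec` looks like a typo.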
@ -5,7 +5,6 @@ let
|
|||
configPath = "/etc/nixos";
|
||||
systems = [ "apollo" "hera" ];
|
||||
homes = self.lib.attrNames (import ../home-manager/machines.nix);
|
||||
keys = [ "default" "apollo" "hera" ];
|
||||
imports = [ "Control.Exception (onException)" ];
|
||||
haskellBody = name: commandline: ''
|
||||
main = do
|
||||
|
@ -55,9 +54,6 @@ in {
|
|||
bump <- (maybe False (== "bump") . listToMaybe) <$> getArgs
|
||||
bracket checkout (rm "-rf") $ \repoDir -> do
|
||||
withCurrentDirectory repoDir $ do
|
||||
mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ${
|
||||
self.haskellList keys
|
||||
}
|
||||
when bump $ ignoreFailure $ niv "update"
|
||||
changed <- (mempty /=) <$> (git "-C" repoDir "status" "--porcelain" |> captureTrim)
|
||||
when changed $ do
|
||||
|
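Review bot: The git-crypt unlock loop is removed from the generated deploy script, but nothing visible here initialises the `private` submodule in the fresh checkout made by `bracket checkout (rm "-rf")`; since `withSecrets` is decided by `builtins.pathExists ../private/submodule-is-checked-out`, a checkout without the submodule builds without secrets and then trips the activation guard at deploy time. If `checkout` (defined outside the hunk) does not already run `git submodule update --init`, add that step where the unlock loop used to be.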
|