[host/elysia-clarki,user/malte] Setup taskserver pki
This commit is contained in:
parent
093e6c59e9
commit
5881aa60c7
|
@ -38,7 +38,6 @@
|
|||
rootDir = "/srv/hnd/photoprism";
|
||||
environmentFile = config.sops.secrets."photoprism-env".path;
|
||||
};
|
||||
sops.secrets."photoprism-env" = {};
|
||||
|
||||
services.resticConfigured = {
|
||||
enable = true;
|
||||
|
@ -46,9 +45,23 @@
|
|||
openFirewall = true;
|
||||
};
|
||||
|
||||
services.taskserverConfigured = {
|
||||
#### TASKSERVER ####
|
||||
services.taskserver = {
|
||||
enable = true;
|
||||
dataDir = "/srv/hnd/taskserver";
|
||||
fqdn = "elysia-clarki";
|
||||
listenHost = "0.0.0.0";
|
||||
organisations.default = {
|
||||
users = ["malte"];
|
||||
};
|
||||
pki.manual = let
|
||||
sopsPath = key: config.sops.secrets.${key}.path;
|
||||
in {
|
||||
ca.cert = sopsPath "taskserver-ca-cert";
|
||||
server.key = sopsPath "taskserver-server-key";
|
||||
server.crl = sopsPath "taskserver-server-crl";
|
||||
server.cert = sopsPath "taskserver-server-cert";
|
||||
};
|
||||
};
|
||||
|
||||
# TODO: This will not work until a few PRs are merged:
|
||||
|
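Review bot: `listenHost = "0.0.0.0";` binds taskd on every interface of the host, yet nothing in this hunk opens the firewall for it — the `openFirewall = true;` context line belongs to the block that closes just above `services.taskserverConfigured`, and the `networking.firewall.allowedTCPPorts = [config.services.taskserver.listenPort];` line in the hunk at `@ -24,6 +24,5 @@` looks like the removed side of that edit (six lines become five). If the client in the home-manager hunk is meant to reach `elysia-clarki:53589` from another machine, make the exposure explicit, either `openFirewall = true;` under `services.taskserver` or a bind to the one address clients use, rather than relying on the wildcard bind plus a firewall rule that may no longer exist. With `pki.manual` the module does no certificate handling itself, so the CRL at `server.crl` is only as current as the blob re-encrypted into sops; a comment above `pki.manual`, e.g. `# Manual PKI: CA cert, server key/cert and CRL come from sops; after revoking a client cert the CRL secret must be regenerated and re-encrypted`, would record that operational step.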
@ -65,13 +78,7 @@
|
|||
useSubstitutes = true;
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [config.services.hydra-dev.port];
|
||||
sops.secrets."hydra-admin-password" = {
|
||||
owner = config.users.users.hydra.name;
|
||||
mode = "0400";
|
||||
};
|
||||
sops.secrets."hydra-signing-key" = {
|
||||
mode = "0440";
|
||||
};
|
||||
|
||||
nix.extraOptions = ''
|
||||
allowed-uris = http:// https://
|
||||
'';
|
||||
|
@ -103,8 +110,29 @@
|
|||
|
||||
services.fwupd.enable = true;
|
||||
|
||||
#### RUNTIME SECRETS ####
|
||||
sops.defaultSopsFile = ../secrets/hosts/elysia-clarki/secrets.yaml;
|
||||
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||
sops.secrets = let
|
||||
taskserverSecretConfig = {
|
||||
owner = config.users.users.taskd.name;
|
||||
group = config.users.groups.taskd.name;
|
||||
mode = "0440";
|
||||
};
|
||||
in {
|
||||
taskserver-ca-cert = taskserverSecretConfig;
|
||||
taskserver-server-key = taskserverSecretConfig;
|
||||
taskserver-server-crl = taskserverSecretConfig;
|
||||
hydra-admin-password = {
|
||||
owner = config.users.users.hydra.name;
|
||||
mode = "0400";
|
||||
};
|
||||
hydra-signing-key = {
|
||||
mode = "0440";
|
||||
};
|
||||
taskserver-server-cert = taskserverSecretConfig;
|
||||
photoprism-env = {};
|
||||
};
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
|
|
|
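Review bot: `taskserverSecretConfig` applies `mode = "0440";` uniformly, so the server private key (`taskserver-server-key`) is group-readable to the same extent as the public CA cert and CRL. Unless something in the `taskd` group other than the daemon reads it (not visible here), the key can be narrowed with `taskserver-server-key = taskserverSecretConfig // { mode = "0400"; };` while the cert, CA and CRL keep the shared attrset. A short comment on the `let` binding stating that the daemon runs as `taskd` and therefore owns these files would also explain the `owner`/`group` choice to the next reader.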
@ -35,17 +35,26 @@ in {
|
|||
home-manager.users.malte.imports = [../users/malte/home.nix];
|
||||
programs.fish.enable = true;
|
||||
|
||||
sops.secrets = {
|
||||
"restic-backup-malte" = {
|
||||
sopsFile = ../secrets/users/malte/secrets.yaml;
|
||||
owner = "malte";
|
||||
mode = "0400";
|
||||
sops.secrets = let
|
||||
sopsFile = ../secrets/users/malte/secrets.yaml;
|
||||
owner = "malte";
|
||||
mode = "0400";
|
||||
in {
|
||||
restic-backup-malte = {
|
||||
inherit sopsFile owner mode;
|
||||
key = "restic-backup";
|
||||
};
|
||||
"radicale-password" = {
|
||||
sopsFile = ../secrets/users/malte/secrets.yaml;
|
||||
owner = "malte";
|
||||
mode = "0400";
|
||||
radicale-password = {
|
||||
inherit sopsFile owner mode;
|
||||
};
|
||||
taskserver-private-key = {
|
||||
inherit sopsFile owner mode;
|
||||
};
|
||||
taskserver-certificate = {
|
||||
inherit sopsFile owner mode;
|
||||
};
|
||||
taskserver-ca-certificate = {
|
||||
inherit sopsFile owner mode;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
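Review bot: Each of the four entries after `restic-backup-malte` repeats `inherit sopsFile owner mode;`, which is the only content of the three new taskserver client secrets. Binding the shared attrset once in the `let`, e.g. `userSecret = { inherit sopsFile owner mode; };`, would reduce the new client material to `taskserver-private-key = userSecret;` and so on, and keep the `mode = "0400";` for the private key from drifting when someone edits one entry. The `0400` owner-only mode for the client key and cert is appropriate given they are read only by the `malte` user.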
@ -24,6 +24,5 @@ in {
|
|||
users = ["malte"];
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [config.services.taskserver.listenPort];
|
||||
};
|
||||
}
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -2,6 +2,7 @@
|
|||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
nixosConfig,
|
||||
...
|
||||
}: let
|
||||
# Data storage location for taskwarrior
|
||||
|
@ -62,9 +63,9 @@ in {
|
|||
filter = "( reviewed.none: or reviewed.before:now-6days ) and ( +PENDING )";
|
||||
};
|
||||
taskd = {
|
||||
certificate = "~/Tasks/pem/public.cert";
|
||||
key = "~/Tasks/pem/private.key";
|
||||
ca = "~/Tasks/pem/ca.cert";
|
||||
certificate = nixosConfig.sops.secrets.taskserver-certificate.path;
|
||||
key = nixosConfig.sops.secrets.taskserver-private-key.path;
|
||||
ca = nixosConfig.sops.secrets.taskserver-ca-certificate.path;
|
||||
server = "elysia-clarki:53589";
|
||||
credentials = "default/malte/cdbff0ec-8b40-400f-990b-7c57d0b3a499";
|
||||
};
|
||||
|
|
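Review bot: `credentials = "default/malte/…"` still carries the taskd user key inline in the generated taskrc, next to the three paths that now come from `nixosConfig.sops.secrets…path`; if home-manager renders this file into the nix store it is readable by every local user, unlike the sops-managed key and cert it sits beside. Consider sourcing that value the same way or documenting why it is acceptable here. The new `nixosConfig` references also mean this home configuration only evaluates as a NixOS home-manager module; a comment next to the added `nixosConfig,` argument in the earlier hunk, such as `# Provided by the NixOS home-manager module; not available in a standalone home-manager build`, would make that dependency explicit. The surrounding `taskd` attrset is complete within the hunk, but the enclosing module body continues outside it.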