[host/achatina-fulica] R.I.P

I dropped the VPS instance.
Grafana and Radicale have been moved to cornu-aspersum.
[module/radicale] Improved the module, used secrets.
This commit is contained in:
Malte Tammena 2022-01-14 17:24:43 +01:00
parent 3a3c8ef354
commit fd7550b7f1
8 changed files with 76 additions and 131 deletions


@ -5,6 +5,7 @@ keys:
- &achatina-fulica age1320r0g70sgmprz0dzk9n7nkuhcmf3ju0pmv002mgd5rgghvazyxqtt9c80
- &trochulus-hispidus age1un55h66zlhm4vmf7800q0c5n24zwpwvyllhmu68x33kkf2kwu9dsts8ztg
- &murex-pecten age1txlfvwlahwjy3ujeefsp7ket5c575schwc24a07j4twu0jxzqgwse4n78a
- &cornu-aspersum age1vrdd5yese20vcklv4dkclhfwhs5r9vufka8mevdxkt57fmukld5qj5r342
creation_rules:
- path_regex: secrets/[^/]+\.yaml$
key_groups:
@ -46,6 +47,12 @@ creation_rules:
- *malte
age:
- *murex-pecten
- path_regex: secrets/hosts/cornu-aspersum/[^/]+\.yaml$
key_groups:
- pgp:
- *malte
age:
- *cornu-aspersum
# Home-manager secrets
# TODO: Improve
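Review bot: The retired host's recipient `&achatina-fulica` on the first line of this hunk stays in the `keys` list after the VPS was dropped; unless its creation rule is removed in the part of the file outside this hunk, `sops updatekeys` will keep encrypting host secrets to a key whose private half lived on a destroyed machine. Remove the anchor and its rule together and run `sops updatekeys` on every secrets file so the reduced recipient set is actually applied. The deleted achatina-fulica secrets file remains in git history encrypted to that key, so if the instance's SSH host key was not verifiably destroyed with it, the `gladosEnv` value it held should be rotated rather than carried over into the new cornu-aspersum file.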


@ -87,14 +87,6 @@
};
};
achatina-fulica = { ... }: {
imports = [ self.nixosModules.achatina-fulica ];
config.deployment = {
targetHost = "cal.tammena.rocks";
targetUser = "root";
};
};
cornu-aspersum = { ... }: {
imports = [ self.nixosModules.cornu-aspersum ];
config.deployment = {
@ -179,18 +171,6 @@
config = { nixpkgs.overlays = [ inputs.fenix.overlay ]; };
};
achatina-fulica = { ... }: {
imports = [
self.nixosModules.x86_64-linux-basics
inputs.glados.nixosModules.glados
./hosts/achatina-fulica.nix
./hardware/netcup-minimal.nix
./modules/nginx-reverse-proxy.nix
./modules/radicale.nix
./modules/grafana.nix
];
};
cornu-aspersum = { ... }: {
imports = [
self.nixosModules.x86_64-linux-basics
@ -198,6 +178,9 @@
./hardware/netcup-rs-2000-g9.nix
./modules/nginx-reverse-proxy.nix
./modules/ccqcraft.nix
inputs.glados.nixosModules.glados
./modules/radicale.nix
./modules/grafana.nix
];
};
@ -309,12 +292,6 @@
};
# Currently hosted by NetCup
nixosConfigurations.achatina-fulica = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ self.nixosModules.achatina-fulica ];
};
# Currently hosted by NetCup (mostly Minecraft server)
nixosConfigurations.cornu-aspersum = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ self.nixosModules.cornu-aspersum ];
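Review bot: The comment `# Currently hosted by NetCup (mostly Minecraft server)` above `nixosConfigurations.cornu-aspersum` no longer describes the host, which now also imports glados, radicale and grafana per the imports added in the earlier hunk; suggest `# Currently hosted by NetCup (Minecraft server, Radicale, Grafana, glados)`. The removed achatina-fulica deployment used `targetHost = "cal.tammena.rocks"`, and the radicale module's nginx vhost for that name moves to cornu-aspersum with it, so the DNS record has to be repointed before the ACME challenge for that vhost can succeed on the new host; cornu-aspersum's own `config.deployment` is cut off at the hunk boundary so I cannot see what it targets. The enclosing attribute sets start and end outside these hunks.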


@ -1,44 +0,0 @@
{ config, pkgs, ... }:
{
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostId = "a858b3c5";
networking.hostName = "achatina-fulica";
networking.interfaces.ens3.useDHCP = true;
users.users = {
root = {
hashedPassword =
"$6$/gxjjeCV.l8P$ClK7EH96tERP8SmXMMxCDfiNSlQZ65xQXVTDz4KOqVXJ0aBP7nFW5pfd.Yffxmow8C5DnAq1tilQs37DPBo0S/";
};
};
services.qemuGuest.enable = true;
services.glados = {
enable = true;
dataCollector.enable = true;
envFile = config.sops.secrets.gladosEnv.path;
};
systemd.services.glados.serviceConfig.SupplementaryGroups =
[ config.users.groups.keys.name ];
sops.defaultSopsFile = ../secrets/hosts/achatina-fulica/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# This is the actual specification of the secrets.
sops.secrets.gladosEnv = { };
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}


@ -16,11 +16,20 @@
};
};
services.qemuGuest.enable = true;
sops.defaultSopsFile = ../secrets/hosts/cornu-aspersum/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# sops.defaultSopsFile = ../secrets/achatina-fulica/secrets.yaml;
# sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# # This is the actual specification of the secrets.
sops.secrets.gladosEnv = {};
services.glados = {
enable = true;
dataCollector.enable = true;
envFile = config.sops.secrets.gladosEnv.path;
};
systemd.services.glados.serviceConfig.SupplementaryGroups =
[ config.users.groups.keys.name ];
services.qemuGuest.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
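Review bot: `sops.secrets.gladosEnv = {};` relies on sops-nix defaults, which as far as I recall are owner root and mode 0400, so the `SupplementaryGroups = [ config.users.groups.keys.name ]` line only helps if the glados unit runs as root or the secret is group-readable; the radicale module in this same commit sets `owner` and `mode` explicitly, and the same shape would work here: `sops.secrets.gladosEnv = { owner = config.systemd.services.glados.serviceConfig.User; mode = "0400"; };` — whether the glados unit declares a `User` is the thing to confirm, since that module comes from an external input. The commented-out `# sops.defaultSopsFile = ../secrets/achatina-fulica/secrets.yaml;` lines, if they are on the new side, refer to the dropped host and an older path layout and should go rather than stay as dead config. `services.qemuGuest.enable = true;` appears twice in the hunk; if both copies survive on the new side Nix rejects the duplicate attribute, so presumably one is a move.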


@ -12,7 +12,7 @@
services.nginx.virtualHosts.${config.services.grafana.domain} = {
enableACME = true;
forceSSL = true;
serverAliases = [ "data.tammena.rocks" "grafana.tammena.rocks" ];
serverAliases = [ "data.tammena.rocks" ];
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;
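Review bot: Dropping `grafana.tammena.rocks` from `serverAliases` removes that name from the ACME certificate, but the DNS record itself lives outside this repo; if it still resolves to the address of the released VPS it becomes a dangling record, so it should be removed or repointed at the same time as this change. The remaining `data.tammena.rocks` alias and `${config.services.grafana.domain}` have the same dependency on DNS following the host move. The vhost block continues outside the hunk.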


@ -51,27 +51,22 @@ in {
logging = { mask_passwords = true; };
};
};
# Make sure our service user can access the `htpasswd_filename` file
systemd.services.radicale.serviceConfig.SupplementaryGroups =
[ config.users.groups.keys.name ];
sops.secrets."radicale-htpasswd" = {
owner = config.systemd.services.radicale.serviceConfig.User;
mode = "0400";
path = htpasswd_filename;
};
# Enable nginx proxy with ACME
services.nginx.virtualHosts."cal.tammena.rocks" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${builtins.toString internalPort}";
#proxyWebsockets = true; # needed if you need to use WebSocket
#extraConfig =
# required when the target is also TLS server with multiple hosts
#"proxy_ssl_server_name on;" +
# required when the server wants to use HTTP Authentication
#"proxy_pass_header Authorization;";
};
};
environment.systemPackages = [
# Add a script to easily add users
(pkgs.writeScriptBin "radicale-set-user" ''
#!${pkgs.stdenv.shell}
mkdir -p $(dirname "${htpasswd_filename}")
${pkgs.apacheHttpd}/bin/htpasswd -Bc "${htpasswd_filename}" $1
'')
];
}
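Review bot: The removed `radicale-set-user` script was the only documentation of how the htpasswd file is produced, and the new `sops.secrets."radicale-htpasswd"` block says nothing about the expected content; add a comment above it such as `# htpasswd-format content (bcrypt hashes as produced by htpasswd -B); keep in step with radicale's htpasswd_encryption setting` — that setting is outside the hunk, so confirm it still agrees with how the secret was generated. With `owner` set to the radicale user and `mode = "0400"`, the file is readable only by that user, so the comment `# Make sure our service user can access the htpasswd_filename file` over the `SupplementaryGroups` line describes a mechanism the explicit owner/mode makes redundant for the file itself; either keep the group membership for traversing the secrets directory and say so, or drop the line. The module's `in {` opens before the hunk.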


@ -1,41 +0,0 @@
gladosEnv: ENC[AES256_GCM,data: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,iv:uxQ+P1355lbJhD0BZecjcUfjBVf0Pysddyu+MnaY59o=,tag:yZziizbPBy4nmb2gIQJBVw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1320r0g70sgmprz0dzk9n7nkuhcmf3ju0pmv002mgd5rgghvazyxqtt9c80
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb29wWitiZnJBN1dQV0gw
SkRmamh1SThLRWdEcFJHMlZyRDB6NmdXUHlJCjJUMkIwL3RDQ0NvQ3JvMmR3Z01H
alY0czg1Q2NMenZvVldWM2swVk41V0EKLS0tIEtmRHN6MlFQZ2M2TUliM29BY3Zi
WXhMUmY4cUUrcWMxSVRBaVZhZ1lMMk0KGnODEBERnEJVZ2jwd/JITnaQfHdVOAFg
Nvlu1LvTNBN/fYtDhsj1T0JWqRRSZ8DbYfLxKCKwWgu/z7++rOR1/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-12-20T20:29:34Z"
mac: ENC[AES256_GCM,data:QLfAQ/KhZQj/uLk7HiNDhR8W33LTioree9CSw4k1p0lMPLxzFmcbB0DFrO24kezcG+jvr9dYEajMmK7SUyFL1H+DVNo1tJNBLaEzRlu2KEok56pcXTiuGdZ0wCNnQvvnZP4Oe/tQZR/yeDTJpvRufVUAXP7F8j+qyvZEhER0gf8=,iv:O9SUXhquji2BUjpm+I4NSMvGoAGKXqwARSDUqMgjOOk=,tag:UD6vTIVb04L6IMmo/mTlEw==,type:str]
pgp:
- created_at: "2021-12-06T08:25:13Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=waZh
-----END PGP MESSAGE-----
fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
unencrypted_suffix: _unencrypted
version: 3.7.1


@ -0,0 +1,42 @@
radicale-htpasswd: ENC[AES256_GCM,data:8AfEvYYvPjgthdxVGOQ4CzxhKtkRZHNFutWgmkXk9AMBfJi1DWr+dGj6ZqbnK7jteZ9Tnq6aZGEOkpKoVAV+tN/N,iv:6fCsTira+tiZagXPf+vqTr8lOqJmIKgRJ86RQHedReo=,tag:GHo/v9lGLmZtvm2311Qfqw==,type:str]
gladosEnv: ENC[AES256_GCM,data:EXUbwXX9fM4OcLoWaXAVgnpT8WDXJ5Fl8JjbXagL2ThsObsO0/v5s15X6XapIMRD1Tdf9pAkhzd8KgsxgljcaRCu1VlmI289rptys9u5Ajn6ZMFfoTdRcM8u5nM2VEKBrK+Zov4TQpNBZdU+W44KnIwnr/bH3GPHkzUvMJxT2qu/a20Cp+Kxp+FDPUp8FZDWVT7iuLEtwwqy9oCQG2vFCUTbgMo9lyh40bG6eObkiKZ2UhaAo1p0shH/SgHMIWY++psynH4HtJX6sqR37sa7PTsa2SQZ6+WYWrbx55ud1fIVuHhFoAhny1GT7DOavGmd856xIF53XqSnbTiUJwdUoL568rhsUGGMg+LZTfSNUMhxIKLELsGBX86HNQHWjyQPq6oUS0JSHBBPx+Qyd9ie1whVC+PwxVMatD8Ull7S9LyFtJzU+buG4Ey+Uk7XRNU0hE0hGVysHFu7TqzIHNLvaVnYIonL349vsUUv8cO+k9VVVyBcist6YZV1nOB5InXoVe6Kh0XyWs9BtCKBPcKRGCwGybi3/EPQEWhMYZF/paKFl0/DIw93QUDbOnxJOHvebVy02iWVqGA=,iv:JmNRE6CBHOROyUSJ0h0XlXJ6aW/3mOj7IHgbTDAsS30=,tag:EcQ23XGYPjDDNxIAYUL33w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vrdd5yese20vcklv4dkclhfwhs5r9vufka8mevdxkt57fmukld5qj5r342
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOMlJSaVhDZUNKVjJjNk5F
emY2bVhDdEJudlZnU3NnUEVEcm42bUtmWWpRCkV1d1ZJTGQ4Y2VjQ1p5ZHJWRnBo
MWJaZy84TlQ1OUZ0MndMNFBrbjg4eVUKLS0tIFRFVE9lRzk2MG5KUlU1SUFnN24z
WlMwS0J4WGhIL2tDcW5HMWhIdU1jVVEKEYC4OhrpqzyGiGvjkk61wY36T+AP9RjY
5Y64AY9c1cq23np0uUUoSdYL91gV1XmNX+0bwTZpiXASHJx0uZQwHA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-01-14T13:47:25Z"
mac: ENC[AES256_GCM,data:sZdNGaK/yO4Q9rEa+8U5U/mWKXU+/dHlvFpur0LvCtiVbQ79QEOcnJu3BAbiBj+Jda8j2ClI6HaivP12MVh0a0KpaaaE+tAO6WMhoF6TXLCCmR/1h8o8NoUwp21hzaLjCt0y8ckWXWAU9NMPc2siKA74sGEP9ORbOjnBvLGHLJM=,iv:OwbN3OsSunJib11bZN6CQ/vej75j4bPGxQtzasv9Y78=,tag:RZvr0JbTDdfESPR8XyJIHQ==,type:str]
pgp:
- created_at: "2022-01-14T13:38:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=1W8R
-----END PGP MESSAGE-----
fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
unencrypted_suffix: _unencrypted
version: 3.7.1